Request for feedback: Security log

Forum for alternative clients, mods & discussions on the same.

Request for feedback: Security log

Postby loftar » Thu Aug 18, 2022 2:21 pm

From time to time, I get requests from people to look up whether other people have been logging in on their account, and I'd like to enable them to do so without having go through me. I can't seem to find the thread, but a while ago, I asked publicly if people would feel comfortable with a "security log" section under the account profile, and somewhat understandably many were not comfortable with IP addresses being "visible".

I've been mulling over it at low intensity since then, and eventually came up with a way to obfuscate IP addresses in a way that should be less controversial, but still useful for trying to figure out what's been happening. To post a concrete example, and also to demonstrate how I think this information should be insensitive enough to share publicly, here's what the log would look like for my account:
seclog.png
seclog.png (1.59 MiB) Viewed 1380 times

As can be seen, IP addresses themselves are "tokenized", but in the Address Table at the bottom of the page, you can still see country information, and information about shared bytes in the addresses. The reason shared bytes can be important is because it can allow you to see (or at least guess) whether two addresses come from the same ISP, for instance. Specifically, the "shared prefix" images work such that, if the color of a box changes from one row to the next, that means that the corresponding byte in the address is different between those two addresses (the table is sorted such that addresses with shared prefixes are next to one another in it). In the example table, then, that means that addresses 5 and 6 share their first two bytes, which is also true between addresses 0, 2 and 4.

In addition to the actions that can be seen on my account, the log also contains records of changed passwords and changed e-mail addresses (without the actual e-mail addresses being visible).

What do you think? Is this something I should actually add to the website?
"Object-oriented design is the roman numerals of computing." -- Rob Pike
User avatar
loftar
 
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am

Re: Request for feedback: Security log

Postby ubersheva » Thu Aug 18, 2022 2:46 pm

Yes, this can be useful.
Also why would you log in from Kazakhstan?
ubersheva
 
Posts: 67
Joined: Thu Apr 15, 2010 8:13 am

Re: Request for feedback: Security log

Postby shubla » Thu Aug 18, 2022 2:48 pm

loftar wrote:and information about shared bytes in the addresses. The reason shared bytes can be important is because it can allow you to see (or at least guess) whether two addresses come from the same ISP, for instance. Specifically, the "shared prefix" images work such that, if the color of a box changes from one row to the next, that means that the corresponding byte in the address is different between those two addresses (the table is sorted such that addresses with shared prefixes are next to one another in it). In the example table, then, that means that addresses 5 and 6 share their first two bytes, which is also true between addresses 0, 2 and 4.

So some rich man who has money to acquire bunch of ip addresses can easily figure out all bytes of my ip?

Good idea but slightly overengineered maybe.
Image
I'm not sure that I have a strong argument against sketch colors - Jorb, November 2019
http://i.imgur.com/CRrirds.png?1
Join the moderated unofficial discord for the game! https://discord.gg/2TAbGj2
Purus Pasta, The Best Client
User avatar
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: Request for feedback: Security log

Postby loftar » Thu Aug 18, 2022 2:49 pm

ubersheva wrote:Also why would you log in from Kazakhstan?

Well, let's just say that's an example of why the log can be useful. ^^

shubla wrote:Good idea but slightly overengineered maybe.

Any better ideas?
"Object-oriented design is the roman numerals of computing." -- Rob Pike
User avatar
loftar
 
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am

Re: Request for feedback: Security log

Postby APXEOLOG » Thu Aug 18, 2022 9:38 pm

I don't think anyone will care about exact IP. It doesn't mean anything nowdays. Just display country code insteaed of the "Address %d" and remove the Address section
W10 Meme Plot | W9 Mantis Garden | W8 Core | W7 Ofir | W6 the City of Dis | W5 Vitterstad | W4 A.D. | W3 Mirniy
jorb wrote:All your characters will be deleted, and I will level every village any one of them were ever members of.
User avatar
APXEOLOG
 
Posts: 1267
Joined: Fri Apr 23, 2010 7:58 am
Location: Somewhere on Earth

Re: Request for feedback: Security log

Postby Archiplex » Thu Aug 18, 2022 10:05 pm

Out of curiosity, why would it be controversial to expose the exact IP's?

It'd mean account sharers would know each other's IP, though given they're already trusting each other to share an account I don't think that matters too much. Otherwise, no real downside to bad actors getting their IP's shown anyways?
the proliferation of automation is the rot of this game, with the next worst thing being the filth that plays it (you, probably.)

W7 - Hermit
W8 - Co-LS of R'lyeh, Owner of the Hermitarium Knowledge Group
W9 - LS of Niflheim
W11 - Hermitage (named Niflheim)
W12 - Hermit -> some rando ass village i forgot the name of that i joined
W10,13-15 - N/A
User avatar
Archiplex
 
Posts: 1260
Joined: Thu Apr 10, 2014 6:28 am
Location: In the midst of the stars and skies

Re: Request for feedback: Security log

Postby loftar » Thu Aug 18, 2022 11:08 pm

Archiplex wrote:Out of curiosity, why would it be controversial to expose the exact IP's?

Ordinarily I'd agree with you that it's not a big deal, but in this particular case I want to hide it for the same reason I'm not showing the e-mail address of the account, namely that, if someone does manage to illegitimately gain access to someone else's account, then it's probably not unlike that that would be the kind of person who might go further and use the same password on the e-mail account itself, or start running exploit scanners against the victim's router, and so on.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
User avatar
loftar
 
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am

Re: Request for feedback: Security log

Postby displaced » Fri Aug 19, 2022 7:10 am

cool, but why not just implement 2FA? (if there is a concern for safety)
displaced
 
Posts: 121
Joined: Wed Feb 12, 2014 12:09 am

Re: Request for feedback: Security log

Postby noindyfikator » Fri Aug 19, 2022 8:33 am

displaced wrote:cool, but why not just implement 2FA? (if there is a concern for safety)


that would be so good
W3 - W10 - Hermit / small plots with spruces
W11 - The Friend Zone
W12 - KoA aka Kingdom of Ashes
W13 - Monke
W14 - Alpaca Farm aka Animal Planet
W15 - Whatever Bay - The Greatest Siege Defense Victory in Haven History - https://www.youtube.com/watch?v=KhyUveSeZ0Q
User avatar
noindyfikator
 
Posts: 827
Joined: Fri Jul 15, 2011 11:10 am

Re: Request for feedback: Security log

Postby shubla » Fri Aug 19, 2022 8:51 am

displaced wrote:cool, but why not just implement 2FA? (if there is a concern for safety)

Why not indeed.
Only disadvantage I see is when people lose their 2FA tokens and didn't take up the recovery codes.
Image
I'm not sure that I have a strong argument against sketch colors - Jorb, November 2019
http://i.imgur.com/CRrirds.png?1
Join the moderated unofficial discord for the game! https://discord.gg/2TAbGj2
Purus Pasta, The Best Client
User avatar
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Next

Return to The Wizards' Tower

Who is online

Users browsing this forum: Naylok and 8 guests