Cool Reward

Announcements about major changes in Haven & Hearth.

Re: Cool Reward

Postby Raephire » Sat Oct 31, 2009 11:53 pm

Who is this person you mention, loftar?
Raephire
Posts: 648
Joined: Wed Jun 10, 2009 3:34 pm

Re: Cool Reward

Postby Vanigo » Sun Nov 01, 2009 2:11 am

loftar wrote: I can at least assure you that the access was limited to the forum and the forum alone.

Yeah, except that he apparently had access to everyone's passwords, presumably including yours and the real Jorb's, and we all know that we use the same password for the forum and the game. Not that I think he did anything with them, of course; just pointing this out.
Vanigo
Posts: 146
Joined: Mon Jun 22, 2009 1:03 am

Re: Cool Reward

Postby Delamore » Sun Nov 01, 2009 2:21 am

Vanigo wrote:
loftar wrote: I can at least assure you that the access was limited to the forum and the forum alone.

Yeah, except that he apparently had access to everyone's passwords, presumably including yours and the real Jorb's, and we all know that we use the same password for the forum and the game. Not that I think he did anything with them, of course; just pointing this out.

I had access to no one's password. I had the ability to change them, as an admin account has, and the bug applied to any account, so I just registered Joker with an uppercase J.
Delamore
Posts: 1212
Joined: Mon Jul 13, 2009 9:11 am

Re: Cool Reward

Postby Jackard » Sun Nov 01, 2009 2:23 am

Vanigo wrote:
loftar wrote: I can at least assure you that the access was limited to the forum and the forum alone.

Yeah, except that he apparently had access to everyone's passwords, presumably including yours and the real Jorb's, and we all know that we use the same password for the forum and the game. Not that I think he did anything with them, of course; just pointing this out.

you've... never been the administrator of a forum, have you
Jackard
Posts: 8849
Joined: Sun Jul 12, 2009 6:07 am
Location: fucking curios how do they work

Re: Cool Reward

Postby sabinati » Sun Nov 01, 2009 3:25 am

not everyone likes forums as much as you and I, Jackard
sabinati
Posts: 15497
Joined: Mon Jul 13, 2009 4:25 am
Location: View active topics

Re: Cool Reward

Postby warrri » Sun Nov 01, 2009 4:50 am

He got the passwords, if only the encryption would be reversible :(
The world I love The tears I drop To be part of The wave can't stop
Ever wonder if it's all for you
The world I love The trains I hop To be part of The wave can't stop
Come and tell me when it's time to
warrri
Posts: 1033
Joined: Fri Aug 28, 2009 5:55 pm

Re: Cool Reward

Postby Krantarin » Sun Nov 01, 2009 5:14 am

Don't worry loftar, you've always been my favorite... WAIT! I can't say that! I can't bring the wrath of jorb down upon me!! Loftar protect me! :o
A Lurker from the days when Laketown was on the frontier and Bottleneck was the military superpower.
Krantarin
Posts: 362
Joined: Tue Jun 02, 2009 4:29 am

Re: Cool Reward

Postby Delamore » Sun Nov 01, 2009 5:20 am

warrri wrote: He got the passwords, if only the encryption would be reversible :(

If only you would stop talking about things you have no idea of.
Delamore
Posts: 1212
Joined: Mon Jul 13, 2009 9:11 am

Re: Cool Reward

Postby loftar » Sun Nov 01, 2009 6:57 am

Vanigo wrote: Yeah, except that he apparently had access to everyone's passwords, presumably including yours and the real Jorb's, and we all know that we use the same password for the forum and the game. Not that I think he did anything with them, of course; just pointing this out.

Don't worry. He did not have access to the passwords, and even though he says he could change people's passwords, that's just what the forum tells him -- I haven't "removed" the built-in functionality of phpBB to change the passwords in the forum database, which has no bearing whatsoever. The passwords in the forum database are never used, even by the forum itself, because I've replaced its authentication mechanism.

EDIT: I guess I can take the opportunity to expand a bit on the handling of passwords, sessions and accounts, for people in doubt.
* I've written a system of my own that stores information about users, including an SHA256 hash of their password. SHA256 has, in my knowledge, no known exploits. It should be admitted that the passwords are not salted, which can be considered a weakness in case the entire database would be leaked (which it has not been), and I am considering fixing it by salting the hash with the name of each account.
* There are exactly two places where the passwords are visible in plaintext. One is in the client, when you type it in. The client, however, hashes the password before sending it to the authentication server, and even the hash is sent over SSL. The other is when the password is transmitted over HTTP, which I don't like, but there isn't a thing in the world I can do about it. HTML forms work that way, after all.
* The most ugly aspect of the system is the forum integration, but AFAIK it should be secure. There are, in total, three different sessions in effect. One is the session for my own pages (the ones in /portal), which are written using mod_python and use its session handler, and the /portal pages authenticate users against the info stored in my account server. They also create a site-global session that covers both /portal and /forum, and only contains the authenticated username. The phpBB authentication module I've written picks that up and does an auto-login into phpBB. PhpBB then keeps its own session after that. Since I use my own authentication module, phpBB's conception of passwords is not used. At all. The "change password" function in the forum is, thus, entirely ineffective.
* Login against the game server uses a temporary authentication cookie, which is generated in one of two ways: Either by the authentication server (to which the client connects when you use its login screen) or by the web pages, which generate a cookie when you use the "Play" button in the top menu. In the latter case, the cookie is part of the JNLP file you get. The cookie is discarded once used to log in one time, or after a rather short lifetime (30 seconds when generated by the auth server, 5 minutes when generated by the web pages (to allow time for downloading the client)).
* When you click to "remember me" in the client, the client doesn't actually save your password. Rather, it asks the auth server for an extended-life cookie, which is generated anew every time you choose to do so and stored in the account. That cookie, in turn, is used in place of the password hash on subsequent logins to generate the temporary login cookies. Obviously, that means only one computer can remember you at one time, which is a security feature I am quite content with.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am
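The password-hashing and login-cookie scheme loftar describes above, as an added Python illustration that is not Haven & Hearth's own code: it contrasts the unsalted SHA256 storage with the salt-by-account-name fix he is considering, and models the single-use, short-lived temporary cookies. The `account:password` salt layout, the token format and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

# Constructed illustration of the scheme described in the post, not loftar's code.

def hash_unsalted(account: str, password: str) -> str:
    """Scheme as described: SHA-256 of the password alone (account is unused)."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(account: str, password: str) -> str:
    """Proposed fix: salt with the account name. The 'account:password'
    layout is an assumption; the post only says the name would be the salt."""
    return hashlib.sha256(f"{account}:{password}".encode()).hexdigest()

def shared_password_visible(scheme, users: dict) -> bool:
    """True if two accounts with the same password end up with the same stored
    digest, i.e. a leaked table would reveal the reuse and a single
    precomputed table would cover every account at once."""
    digests = [scheme(name, pw) for name, pw in users.items()]
    return len(set(digests)) < len(digests)

class CookieStore:
    """Temporary login cookies: discarded on first use or after their lifetime."""
    AUTH_SERVER_TTL = 30       # seconds, as stated for the auth server
    WEB_PAGE_TTL = 5 * 60      # seconds, as stated for the web "Play" button

    def __init__(self, clock=time.monotonic):
        self.clock = clock             # injectable so expiry can be tested
        self.cookies = {}              # token -> (account, expiry time)

    def issue(self, account: str, ttl: int) -> str:
        token = secrets.token_hex(16)  # token format is an assumption
        self.cookies[token] = (account, self.clock() + ttl)
        return token

    def redeem(self, token: str):
        """Return the account for a valid cookie and consume it; None otherwise.
        The entry is removed whether or not it was still valid, so a cookie
        can never be replayed."""
        entry = self.cookies.pop(token, None)
        if entry is None:
            return None
        account, expiry = entry
        return account if self.clock() <= expiry else None
```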

Re: Cool Reward

Postby g1real » Sun Nov 01, 2009 9:01 pm

Safe enough loftar.

Especially comparing it with some things.

For example, rumors went that Heroes of Newerth (over 30k players online at a time) had all account info stored in a silly txt file, raw.
loftar: The inner chaos of the Jorbian mind is hard to conceal. :)
jorb: It's called creative license. You know, that thing you seem to want to apply to logic, grammar and coherence? :)
g1real
Posts: 881
Joined: Sun Aug 09, 2009 10:30 am
Location: You are now breathing manually.
