Tremulous Forum
Community => Servers => Topic started by: Rawr on March 16, 2007, 05:13:25 am
-
Today on |SST| Tremulous, at approximately 6:30PM PST, SST Tremulous's admins were compromised due to a GUID harvester. Most likely the ones from the S11.info server. The admin's GUID (magic) has been changed. Both the abuser, most likely suspected to be Pol, and his subnet have been banned. As for magic, he was also banned, but later unbanned.
-
so should we ban this 5 year old kid on other servers as well?
-
and his ip is...
-
Was magic using cl_guidServerUniq?
-
lies keep your crap to yourself
you banned me and I didn't even connect to your server
-
lies keep your crap to yourself
you banned me and I didn't even connect to your server
You shut the fuck up. I got banned as well, and I am one of the council members.
The sst problem has been solved.
-
lies keep your crap to yourself
you banned me and I didn't even connect to your server
You shut the fuck up. I got banned as well, and I am one of the council members.
The sst problem has been solved.
what council ....?!%&$
I only believe in jedi council
-
Most likely the ones from the S11.info server
...most likely suspected to be Pol...
On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.
-
I can't find my shoes
should I blame pol for using my guid to take my shoes?
-
I can't find my shoes
should I blame pol for using my guid to take my shoes?
No, that was me.
-
lol @ drama over SST..
But I agree, it's a terrible problem, the GUID theft, and it is really really lame.
-
Most likely the ones from the S11.info server
...most likely suspected to be Pol...
On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.
Pol, and no one else (AFAIK), has been accused of GUID theft in the past, so it's natural to blame him for anything related to stolen identities in the Tremulous admin world. The conclusive proof is that he !setlevel'd people to gain access to their GUID's, I'm sure that there's more evidence out there but StarGate SG1's on and I don't want to miss too much. I'll edit with more evidence eventually.
-
Pol, and no one else (AFAIK), has been accused of GUID theft in the past, so it's natural to blame him for anything related to stolen identities in the Tremulous admin world. The conclusive proof is that he !setlevel'd people to gain access to their GUID's, I'm sure that there's more evidence out there but StarGate SG1's on and I don't want to miss too much. I'll edit with more evidence eventually.
Which is pretty stupid to do since the GUID will end up in the server logs IIRC. And if not, it is very easy to build a modified server that will silently dump all GUIDs in a file.
-
they are in the game.log of every server...
a simple grep will be enough to get them.
Until a read-only var is always 100% read-only there is no way in hell that this will not be repeated.
Considering the fact that there are so many modified clients already out there, it is safe to say that guids to identify any player are obsolete.
Fall back to rcon or use the old ssh to control your servers.
But whatever you do, DO NOT use the guid you have admin-privs with on any server to play on another server.
Or to put it in a shorter form:
USE YOUR FUCKING BRAIN FOR ONCE
-
Most likely the ones from the S11.info server
...most likely suspected to be Pol...
On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.
As I remember, you, benmachine, taught/told/showed Pol how to Fake GUID's.
-
How about this :
1) use tjw's client (with GUID) to connect to servers where you are an admin.
2) use the original client (without GUID) to connect to normal servers.
Caveman is right. The GUID is available to everyone with filesystem access to the server's system. Maybe the next possible fix is to make tjw's client send guid manually by the player himself. But this is not really foolproof.
-
Or use the latest tjw backport with a new GUID system that sends a different GUID depending on the server IP:Port.
-
AFAIK, Polly, Benmachine, AoD and TTO are the only clans/people who know how to do this, though I doubt any of the clans would do that.
-
AFAIK, Polly, Benmachine, AoD and TTO are the only clans/people who know how to do this, though I doubt any of the clans would do that.
Come on, stealing GUIDs is ( was ) so TRIVIAL for a server admin there's bound to be many more players who know how to do that.
-
Smokey, you are dead wrong.
Just because some don't do it, does not mean they don't know how it is done.
-
As I remember, you, benmachine, taught/told/showed Pol how to Fake GUID's.
Yes, I've admitted this, and I regret it. What's your point?
And I agree with Stof that once you know it can be done, it's not hard to work out how (the thought had never occurred to me until Pol reported someone with an anomalous GUID connecting to s11, and I wondered how they got it). The fact that a GUID was stolen tells you nothing, therefore, about who did it.
Smokey, not only am I pretty sure that list is incomplete (Risujin knows how, vcxzet probably does) I'm also pretty sure your faith in clan members is misplaced. Yes, you may try to keep everyone in line and kick out malicious members, but some are always going to sneak in - the exact same applies to the tremulous community at large.
Caveman, I don't think read-only vars will ever stay read-only in an open-source game. The only way to evade problems like these is to make the authentication system non-transferable, so that what authenticates you to one server will not authenticate you to another. Tjw has provided exactly that so in time as this system is adopted, GUID theft will become much more difficult and security shall be restored. The only downside to this is that moving a server from one IP to another effectively makes the admin blocks in admin.dat useless. It's pretty much the only way to be sure, though.
-
AFAIK, Polly, Benmachine, AoD and TTO are the only clans/people who know how to do this, though I doubt any of the clans would do that.
Come on, stealing GUIDs is ( was ) so TRIVIAL for a server admin there's bound to be many more players who know how to do that.
+1
-
I knew how to steal GUIDs within about 5 minutes of running my own server. Every GUID appears fully in the console log every time someone connects. It's TRIVIAL for anyone with access to the server console or logs to pull every GUID they want. No !setlevel-ing is required.
I don't know how to spoof GUIDs, but if I wanted to I could probably find out from scratch in about 10 minutes. If it's really simple, it might take less time than that. (If it's really complicated it might take longer to implement.) Pretty much anyone who makes patches or custom game.qvms has the knowledge to figure out how to spoof GUIDS. Most of us just don't care.
-
I don't know how the whole guid thing works, but wouldn't it make sense for the server to not !setlevel admins until they entered a simple challenge and response password that corresponds to their GUID?
I mean, if you had to have both a GUID and a password, it would make moot the point of GUID spoofing ... then you'd have to worry about people trying to brute force the PW's, but at least that's easier to identify/deal with. Plus you're not just auto setleveling guids without any sort of ident process.
-
Ben, the guid-auth that is now in place is nothing more than a dirty work around .)
As long as authing does not require the user to enter some data only he/she knows, and given the open-source nature, nothing else will ever be secure.
And Hell yess! A cvar-unlocker is also available atm... *sigh*
-
So with the unique GUID's thing, would you still have all the GUID's on your qkey if you dump the qkey into another installation of trem?
-
raytray, yes.
unique-guid is computed from the server-ip and your qkey.
-
You can defend Pol all you want, but he's been branded with the accusations already, and I doubt that there's many in the community that seriously don't believe that it was him that was doing it. Maybe not in this particular case, but in the first cases that arose, there's little question in the majority's mind that it was him.
There's "innocent until proven guilty", but there's also something called "reasonable doubt". The latter being the point that should be reached before a juror in a trial can reasonably cast a vote of guilty. I think everyone has reached that point of reasonable doubt.
-
Ehrm that is "innocent until proven guilty, beyond a reasonable doubt".
It might have been the channel biach, yes. And I think so too, but it was not proven as I already said in the other thread .)
I am not defending him, if you thought so, you are mistaken.
I just want hard evidence so the "reasonable doubt" can be laid aside.
And as for this scare-hype with the faked-guids, I'll dare say that all that have the least bit of know-how of the client can do it.
So ask yourself ppl "Have you updated to the last client of TJW? Have you enabled the unique guid?", if not, stop whining that you brainfucked got bent over and start using brain v0.5.
-
I've got brain v. 1.1.0
Hoping to get v1.2 when it comes out!
And yes, a password-protect feature along with GUID system would be a welcome surprise in the next release. Don't know exactly how it would be implemented, but hey... that's what devs are for 8)
-
I don't know how the whole guid thing works, but wouldn't it make sense for the server to not !setlevel admins until they entered a simple challenge and response password that corresponds to their GUID?
I mean, if you had to have both a GUID and a password, it would make moot the point of GUID spoofing ... then you'd have to worry about people trying to brute force the PW's, but at least that's easier to identify/deal with. Plus you're not just auto setleveling guids without any sort of ident process.
And yes, a password-protect feature along with GUID system would be a welcome surprise in the next release. Don't know exactly how it would be implemented, but hey... that's what devs are for 8)
I'm working on a patch for such a feature ATM. As soon as I'm done with it, I'll post the URL in this or a new (matching) thread.
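-
The GUID-plus-password challenge and response proposed earlier in this thread, as an added example that is not part of any post and is not the patch mentioned above. All names here (`AdminAuthServer`, `client_response`, `derive_key`), the use of the GUID as salt, and the lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, guid: str) -> bytes:
    # The GUID doubles as the salt (assumption); PBKDF2 slows offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), guid.encode(), 100_000)

def client_response(password: str, nonce: bytes, guid: str) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    key = derive_key(password, guid)
    return hmac.new(key, nonce + guid.encode(), hashlib.sha256).digest()

class AdminAuthServer:
    """Hypothetical server side: a GUID alone never grants a level."""

    def __init__(self, admins: dict, max_failures: int = 3):
        # guid -> (level, derived key). The stored key is password-equivalent
        # for this protocol, so the admin file must be protected like a password.
        self.admins = admins
        self.max_failures = max_failures
        self.pending = {}    # guid -> outstanding one-time nonce
        self.failures = {}   # guid -> consecutive bad responses

    def challenge(self, guid: str) -> bytes:
        self.pending[guid] = secrets.token_bytes(16)
        return self.pending[guid]

    def verify(self, guid: str, response: bytes) -> int:
        nonce = self.pending.pop(guid, None)   # single use: a replay finds none
        entry = self.admins.get(guid)
        if nonce is None or entry is None:
            return 0
        if self.failures.get(guid, 0) >= self.max_failures:
            return 0                           # locked out after repeated guesses
        level, key = entry
        expected = hmac.new(key, nonce + guid.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.failures[guid] = 0
            return level
        self.failures[guid] = self.failures.get(guid, 0) + 1
        return 0

def demo():
    guid = "0123456789ABCDEF0123456789ABCDEF"   # constructed sample GUID
    server = AdminAuthServer({guid: (5, derive_key("correct horse", guid))})
    nonce = server.challenge(guid)
    good = client_response("correct horse", nonce, guid)
    granted = server.verify(guid, good)         # real admin
    replayed = server.verify(guid, good)        # captured response sent again
    nonce = server.challenge(guid)
    thief = server.verify(guid, client_response("guess", nonce, guid))
    return granted, replayed, thief             # harvested GUID, wrong password
```

The per-GUID lockout makes password guessing visible, but it also lets anyone holding the GUID lock the real admin out, so a deployment would pair it with logging and per-address rate limits.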
-
oh yea.. it was compromised.. again.. damn DLL injectors..
-
oh yea.. it was compromised.. again.. damn DLL injectors..
What? Can you please give a less descriptive explanation of what you are talking about? How exactly can a DLL injector steal GUIDS? What DLL injector? WTF?
Many admins consider this to be an important topic, if you have something to add, then add important and complete info, if not, then STFU.
-
DLL-Injector does the same in Windows as "preload" does in Linux.
So whatever the instructions, they will be executed. Even though I strongly doubt that the available DLL will grab the guid and send it to the creator, it IS possible.
-
heh, it is pretty easy to do anyway. no way to make anything secure in an opensource game. rcon FTW :P
dodo
-
Caveman, my point is that stating that a theoretical possibility exists, but giving absolutely no information other than that, is pointless and not helpful. I would assume that if someone knows of a dll injector that loads a lib which steals guids that the name of the dll is known, or the name in that instance, or the program used...
Hell, a link to someone discussing it would even be a step in the right direction.
-
How exactly can a DLL injector steal GUIDS?
Strange I thought I did understand your question of _how_ it would be possible.
I guess I need to go back to school and re-learn reading.
-
I am sorry that the rest of us are not as eloquent or precise in our questions as you.
Edit: I'll make my request more concise.
Please provide more info.
-
raytray, yes.
unique-guid is computed from the server-ip and your qkey.
What about servers being run off a dynamic IP on DSL or Cable? I know of at least a handful of such servers (including my own). Sure, the IP may not change often, but when it does all admins would be lost (except LAN admins that connect directly). And I personally can't afford a static IP nor renting a server right now, so this would screw me big time! Perhaps give servers GUID's too (of course then the server GUID's could be spoofed). I really think the best way would be some sort of digital signature setup where the identity of both server and client are established, it shouldn't rely on IP address.
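-
The per-server GUID discussed in this thread (a GUID computed from the server address and the qkey) and the dynamic-IP problem raised in the post above, as an added example that is not part of any post and is not the Tremulous client's own code. HMAC-SHA256 stands in for whatever hash the client really uses; the addresses, the qkey bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

def global_guid(qkey: bytes) -> str:
    """Old behaviour: one GUID, identical on every server the player joins."""
    return hashlib.sha256(qkey).hexdigest()[:32].upper()

def bound_guid(qkey: bytes, binding: str) -> str:
    """Per-server GUID: keyed hash of a server binding under the secret qkey."""
    return hmac.new(qkey, binding.encode(), hashlib.sha256).hexdigest()[:32].upper()

def admin_level(admin_table: dict, presented_guid: str) -> int:
    """Level for a presented GUID; 0 means no admin rights."""
    return admin_table.get(presented_guid, 0)

def demo() -> dict:
    qkey = bytes(range(64))        # constructed stand-in for a player's qkey
    home = "192.0.2.10:30720"      # constructed: server where the player is admin
    other = "198.51.100.7:30720"   # constructed: unrelated server the player visits
    moved = "192.0.2.99:30720"     # constructed: home server after its IP changed

    # Old scheme: what the other server logs is exactly the home admin GUID.
    old_table = {global_guid(qkey): 5}
    reused = admin_level(old_table, global_guid(qkey))

    # Per-server scheme: the client binds to the address it actually connected to.
    table = {bound_guid(qkey, home): 5}
    harvested = admin_level(table, bound_guid(qkey, other))
    legit = admin_level(table, bound_guid(qkey, home))
    after_move = admin_level(table, bound_guid(qkey, moved))

    # Variant from the post above: bind to an ID the server announces itself.
    # Any server can announce any ID, so the other server announces the home
    # ID and logs the very GUID the home admin table trusts.
    id_table = {bound_guid(qkey, "home-server-id"): 5}
    announced_by_other = "home-server-id"
    spoofed = admin_level(id_table, bound_guid(qkey, announced_by_other))

    return {"global_reused": reused, "per_server_harvested": harvested,
            "per_server_legit": legit, "after_ip_change": after_move,
            "server_announced_id_spoofed": spoofed}

if __name__ == "__main__":
    print(demo())
```

Binding to an unauthenticated server-announced ID brings back the original weakness, which is why the post's suggestion of signatures that establish the server's identity is the option that survives an IP change.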
-
Just don't run a server off a cheapo setup.
For the price you pay for energy, bandwidth and the nerves needed, you'll get a good offer at a local housing near you.
-
Just don't run a server off a cheapo setup.
For the price you pay for energy, bandwidth and the nerves needed, you'll get a good offer at a local housing near you.
I knew that answer was coming, even after I specified it's not an option for me.
1 - One very rough estimate I found puts power costs at an estimated $10.80/month (Stanford Folding@Home project (http://folding.stanford.edu/faq.html#misc.power)).
2 - My DSL costs about $15-$20/month, but we were paying that already so there is no additional cost in bandwidth. I just decided to use the loads of spare upstream bandwidth for my server (which isn't even heavily trafficked). And the amount of bandwidth used by the server during a full game is at most 50%.
3 - Nerves? The only thing getting on my nerves is the fact that some "genius" security solution is going to screw my ability to have admins on my server. Other than this, my server has been quite a Zen garden for me.
So my server costs roughly $11/month to run. I have Tremulous, Apache (with all the trimmings), MySQL and PostgreSQL with no limits (other than my HD size :D ) , SSH, Subversion, and anything else I could possibly want. I have complete control. I have also calculated my total available bandwidth to be about 3GB/month if data transfer is occurring 24/7. Though my upstream doesn't allow for large immediate spikes in traffic.
Hosting plans I found start at $15-$20/month and that is only Tremulous. This one game host I found also offers 1GB web hosting + MySQL with "unlimited" bandwidth for an added $8/month, which comes to a total of $28/month. But this is narrowly focused on gaming.
If I want to match the features and control I have on my own server I would need to lease a dedicated server. And those seem to be starting at a minimum $100/month.
So wise guy, I'm saving money. Please don't screw the budget admins who are stuck with dynamic IP addresses. There are better solutions for the GUID problem out there.
-
On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.
i know 2 ppls that does... 1 ppl that u know taught that second but i wont say names cuz they re my friends
-
Hmm lets start stealing guids! beware, i might be administrating your server when you get back next time o/