Author Topic: GUID's Compremised Again (Read 20184 times)

Rawr · « **on:** March 16, 2007, 05:13:25 am »

Today on |SST| Tremulous, at approximately 6:30PM PST. SST Tremulous's admins were compremised due to a GUID harvester. Most likely the ones from the S11.info server. The admin's guid, (magic) has been changed. Both the abuser, most likely suspected to be Pol, his subnet has been banned. As for magic, he was also banned, but later unbanned.

DieFamilyGuy · « **Reply #1 on:** March 16, 2007, 05:23:50 am »

so should we ban this 5 year old kid on other servers as well?

n00b pl0x · « **Reply #2 on:** March 16, 2007, 06:00:53 am »

and his ip is...

David · « **Reply #3 on:** March 16, 2007, 09:44:58 am »

Was magic using cl_guidServerUniq?

biotxc · « **Reply #4 on:** March 16, 2007, 10:19:54 am »

lies keep your crap to yourself
you banned me and I didnt even connect to your server

Rawr · « **Reply #5 on:** March 16, 2007, 03:02:44 pm »

Quote from: "biotxc"

lies keep your crap to yourself
you banned me and I didnt even connect to your server

You shut the fuck up. I got banned as well, and I am one of the council memebers.

The sst problem has been solved.

biotxc · « **Reply #6 on:** March 16, 2007, 03:05:51 pm »

Quote from: "bazuka_poo"

Quote from: "biotxc"
lies keep your crap to yourself
you banned me and I didnt even connect to your server

You shut the fuck up. I got banned as well, and I am one of the council memebers.

The sst problem has been solved.

what council ....?!%&$
I only believe in jedi council

benmachine · « **Reply #7 on:** March 16, 2007, 07:14:09 pm »

Quote from: "bazuka_poo"

Most likely the ones from the S11.info server

...most likely suspected to be Pol...

On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.

biotxc · « **Reply #8 on:** March 16, 2007, 07:36:39 pm »

I cant find my shoes
should I blame pol for using my guid to take my shoes?

David · « **Reply #9 on:** March 16, 2007, 07:47:36 pm »

Quote from: "biotxc"

I cant find my shoes
should I blame pol for using my guid to take my shoes?

No, that was me.

Smokey · « **Reply #10 on:** March 16, 2007, 08:57:08 pm »

lol @ drama over SST..

But I agree, it's a terrible problem, the GUID Theft and is really really lame.

Plague Bringer · « **Reply #11 on:** March 17, 2007, 01:06:37 am »

Quote from: "benmachine"

Quote from: "bazuka_poo"
Most likely the ones from the S11.info server

...most likely suspected to be Pol...

On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.

Pol, and no one else (AFAIK), has been accused of GUID theft in the past, so it's natural to blame him for anything related to stoled identities in the Tremulous admin world. The conclusive proof is that he !setlevel'd people to gain access to their GUID's, I'm sure that there's more evidence out there but StarGate SG1's on and I don't want to miss too much. I'll edit with more evidence eventually.

Stof · « **Reply #12 on:** March 17, 2007, 01:08:10 am »

Quote from: "Plague Bringer"

Pol, and no one else (AFAIK), has been accused of GUID theft in the past, so it's natural to blame him for anything related to stoled identities in the Tremulous admin world. The conclusive proof is that he !setlevel'd people to gain access to their GUID's, I'm sure that there's more evidence out there but StarGate SG1's on and I don't want to miss too much. I'll edit with more evidence eventually.

Which is pretty stupid to do since the GUID will end up in the server logs IIRC. And if not, it is very easy to build a modified server that will silently dump all GUIDs in a file.

Caveman · « **Reply #13 on:** March 17, 2007, 01:45:32 am »

they are in the game.log of every server...
a simple grep will be enough to get them.

Until a read-only var is always 100% read-only there is no way in hell that this will not be repeated.
Considering the fact that there are so many modified clients already out there, it is safe to say that guids to identify any player are obsolete.
Fall back to rcon or use the old ssh to control your servers.

But whatever you do, DO NOT use the guid you have admin-privs with on any server to play on another server.

Or to put it in a shorter form:

USE YOUR FUCKING BRAIN FOR ONCE
[/size]

Rawr · « **Reply #14 on:** March 17, 2007, 05:40:18 am »

Quote from: "benmachine"

Quote from: "bazuka_poo"
Most likely the ones from the S11.info server

...most likely suspected to be Pol...

On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.

As I remember, you, benmaching, taught/told/showed Pol how to Fake GUID's.

sleekslacker · « **Reply #15 on:** March 17, 2007, 05:51:47 am »

How about this :

1) use tjw's client (with GUID) to connect to servers where you are an admin.

2) use the original client (without GUID) to connect to normal servers.

Caveman is right. The GUID is available to everyone with filesystem access to the server's system. Maybe the next possible fix is to make tjw's client send guid manually by the player himself. But this is not really foolproof.

Stof · « **Reply #16 on:** March 17, 2007, 02:12:15 pm »

Or use the latest tjw backport with a new GUID system that sends a different GUID depending on the server IP:Port.

Smokey · « **Reply #17 on:** March 17, 2007, 03:59:26 pm »

AFAIK, Polly, Benmachine, AoD and TTO are the only clans/people who know how to do this, though I doubt any of the clans would do that.

Stof · « **Reply #18 on:** March 17, 2007, 04:37:35 pm »

Quote from: "Smokey"

AFAIK, Polly, Benmachine, AoD and TTO are the only clans/people who know how to do this, though I doubt any of the clans would do that.

Come on, stealing GUIDs is ( was ) so TRIVIAL for a server admin there's bound to be many more players who know how to do that.

Caveman · « **Reply #19 on:** March 17, 2007, 05:42:21 pm »

Smokey, your are dead wrong.
Just because some don't do it, does not mean they don't know how it is done.

benmachine · « **Reply #20 on:** March 17, 2007, 06:41:42 pm »

Quote from: "bazuka_poo"

As I remember, you, benmaching, taught/told/showed Pol how to Fake GUID's.

Yes, I've admitted this, and I regret it. What's your point?
And I agree with Stof that once you know it can be done, it's not hard to work out how (the thought had never occurred to me until Pol reported someone with an anomalous GUID connecting to s11, and I wondered how they got it). The fact that a GUID was stolen tells you nothing, therefore, about who did it.
Smokey, not only am I pretty sure that list is incomplete (Risujin knows how, vcxzet probably does) I'm also pretty sure your faith in clan members is misplaced. Yes, you may try to keep everyone in line and kick out malicious members, but some are always going to sneak in - the exact same applies to the tremulous community at large.

Caveman, I don't think read-only vars will ever stay read-only in an open-source game. The only way to evade problems like these is to make the authentication system non-transferable, so that what authenticates you to one server will not authenticate you to another. Tjw has provided exactly that so in time as this system is adopted, GUID theft will become much more difficult and security shall be restored. The only downside to this is that moving a server from one IP to another effectively makes the admin blocks in admin.dat useless. It's pretty much the only way to be sure, though.

janev · « **Reply #21 on:** March 17, 2007, 06:43:58 pm »

Quote from: "Stof"

Quote from: "Smokey"
AFAIK, Polly, Benmachine, AoD and TTO are the only clans/people who know how to do this, though I doubt any of the clans would do that.

Come on, stealing GUIDs is ( was ) so TRIVIAL for a server admin there's bound to be many more players who know how to do that.

+1

FooBar · « **Reply #22 on:** March 17, 2007, 06:54:47 pm »

I knew how to steal GUIDs within about 5 minutes of running my own server. Every GUID appears fully in the console log every time someone connects. It's TRIVIAL for anyone with access to the server console or logs to pull every GUID they want. No !setlevel-ing is required.

I don't know how to spoof GUIDs, but if I wanted to I could probably find out from scratch in about 10 minutes. If it's really simple, it might take less time than that. (If it's really complicated it might take longer to implement.) Pretty much anyone who makes patches or custom game.qvms has the knowledge to figure out how to spoof GUIDS. Most of us just don't care.

rdizzle · « **Reply #23 on:** March 17, 2007, 07:17:53 pm »

I don't know how the whole guid thing works, but wouldn't it make sense for the server to not !setlevel admins until they entered a simple challenge and response password that correspons to their GUID?

I mean, if you had to have both a GUID and a password, it would make moot the point of GUID spoofing ... then you'd have to worry about people trying to brute force the PW's, but at least that's easier to identify/deal with. Plus you're not just auto setleveling guids without any sort of ident process.

Caveman · « **Reply #24 on:** March 17, 2007, 07:22:28 pm »

Ben, the guid-auth that is now in place is nothing more than a dirty work around .)

As long as authing does not require the user to enter some data ony he/she knows, and given the open-source nature, nothing else will ever be secure.

And Hell yess! A cvar-unlocker is also available atm... *sigh*

Raytray · « **Reply #25 on:** March 17, 2007, 07:51:01 pm »

So with the unique GUID's thing, would you still have all the GUID's on your qkey if you dump the qkey into another installation of trem?

Caveman · « **Reply #26 on:** March 17, 2007, 07:56:25 pm »

raytray, yes.
unique-guid is computed from the server-ip and your qkey.

Seffylight · « **Reply #27 on:** March 18, 2007, 12:57:07 am »

You can defend Pol all you want, but he's been branded with the accusations already, and I doubt that there's many in the community that seriously don't believe that it was him that was doing it. Maybe not in this particular case, but in the first cases that arose, there's little question in the majority's mind that it was him.

There's "innocent until proven guilty", but there's also something called "reasonable doubt". The latter being the point that should be reached before a juror in a trial can reasonably cast a vote of guilty. I think everyone has reached that point of reasonable doubt.

Caveman · « **Reply #28 on:** March 18, 2007, 01:33:12 am »

Ehrm that is "innocent until proven guilty, beyond a reasonable doubt".
It might have been the channel biach, yes. And I think so too, but it was not proven as I already said in the other thread .)

I am not defending him, if you thought so, you are mistaken.
I just want hard evidence so the "reasonable doubt" can be laid aside.

And as for this scare-hype with the faked-guids, I'll dare say that all that have a least bit of knowhow of the client can do it.
So ask yourself ppl "Have you updated to the last client of TJW? Have you enabled the unique guid?", if not, stop whining that you brainfucked got bent over and start using brain v0.5.

Patriotpie · « **Reply #29 on:** March 18, 2007, 03:01:19 am »

I've got brain v. 1.1.0
Hoping to get v1.2 when it comes out!

And yes, a password-protect feature along with GUID system would be a welcome surprise in the next release. Don't know exactly how it would be implemented, but hey... that's what devs are for

News:

Author Topic: GUID's Compremised Again (Read 20184 times)

biotxc

biotxc

biotxc

Caveman

Caveman

Caveman

Caveman

Caveman