Author Topic: GUID's Compromised Again  (Read 20130 times)

CU|CUdyin

  • Posts: 29
  • Turrets: +0/-0
    • http://www.cu-clan.net
« Reply #30 on: March 18, 2007, 04:55:24 am »
Quote from: "rdizzle"
I don't know how the whole guid thing works, but wouldn't it make sense for the server to not !setlevel admins until they entered a simple challenge and response password that corresponds to their GUID?

I mean, if you had to have both a GUID and a password, it would make moot the point of GUID spoofing ... then you'd have to worry about people trying to brute force the PW's, but at least that's easier to identify/deal with.  Plus you're not just auto setleveling guids without any sort of ident process.

Quote from: "Patriotpie"
And yes, a password-protect feature along with GUID system would be a welcome surprise in the next release. Don't know exactly how it would be implemented, but hey... that's what devs are for  8)


I'm working on a patch for such a feature ATM. As soon as I'm done with it, I'll post the URL in this or a new (matching) thread.
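
The challenge-and-response idea quoted in this reply, sketched as an added example: it is not part of the thread and is not the patch mentioned above. The class and function names, the PBKDF2/HMAC-SHA256 construction and the sample GUID are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, guid: str) -> bytes:
    # The server stores this key, not the password; the GUID serves as salt.
    # The key is password-equivalent, so the admin file still needs protecting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), guid.encode(), 100_000)

def respond(key: bytes, guid: str, challenge: bytes) -> str:
    # Client side: prove knowledge of the key for this GUID and this challenge.
    return hmac.new(key, guid.encode() + b"|" + challenge, hashlib.sha256).hexdigest()

class AdminAuth:
    MAX_FAILURES = 5  # repeated bad responses are easy to spot and to stop

    def __init__(self):
        self.keys = {}      # guid -> derived key
        self.pending = {}   # guid -> outstanding one-time challenge
        self.failures = {}  # guid -> consecutive failed attempts

    def enroll(self, guid: str, password: str) -> None:
        self.keys[guid] = derive_key(password, guid)

    def challenge(self, guid: str) -> bytes:
        self.pending[guid] = secrets.token_bytes(16)
        return self.pending[guid]

    def verify(self, guid: str, response: str) -> bool:
        nonce = self.pending.pop(guid, None)  # single use, so a replay fails
        key = self.keys.get(guid)
        if nonce is None or key is None:
            return False
        if self.failures.get(guid, 0) >= self.MAX_FAILURES:
            return False  # locked until an operator resets the counter
        ok = hmac.compare_digest(respond(key, guid, nonce), response)
        self.failures[guid] = 0 if ok else self.failures.get(guid, 0) + 1
        return ok  # only now would the server apply the admin level

if __name__ == "__main__":
    guid = "0123456789ABCDEF0123456789ABCDEF"  # constructed sample GUID
    auth = AdminAuth()
    auth.enroll(guid, "sample-password")
    nonce = auth.challenge(guid)
    print(auth.verify(guid, respond(derive_key("sample-password", guid), guid, nonce)))
```

A client that presents a copied GUID but not the password cannot produce a valid response, and each failed attempt is counted per GUID.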

popupman

  • Posts: 6
  • Turrets: +0/-0
« Reply #31 on: June 16, 2007, 02:46:28 am »
oh yea.. it was compromised.. again.. damn DLL injectors..

tuple

  • Posts: 833
  • Turrets: +97/-80
« Reply #32 on: June 16, 2007, 02:47:52 pm »
Quote from: "popupman"
oh yea.. it was compromised.. again.. damn DLL injectors..


What?  Can you please give a less descriptive explanation of what you are talking about?  How exactly can a DLL injector steal GUIDS?  What DLL injector?  WTF?

Many admins consider this to be an important topic, if you have something to add, then add important and complete info, if not, then STFU.

Caveman

  • Guest
« Reply #33 on: June 16, 2007, 03:27:29 pm »
DLL-Injector does the same in Windows as "preload" does in Linux.
So whatever the instructions, they will be executed. Even though I strongly doubt that the available DLL will grab the guid and send it to the creator, it IS possible.

dodo1122

  • Posts: 160
  • Turrets: +0/-0
« Reply #34 on: June 16, 2007, 05:03:21 pm »
heh, it is pretty easy to do anyway. no way to make anything secure in an opensource game. rcon FTW :P


dodo
nime & manga fan <3

Currently learning the fine art of programming in c++
Currently on holidays (will be back @ 24/08/07 )

tuple

  • Posts: 833
  • Turrets: +97/-80
« Reply #35 on: June 16, 2007, 06:09:14 pm »
Caveman, my point is that stating that a theoretical possibility exists, but giving absolutely no information other than that, is pointless and not helpful.  I would assume that if someone knows of a dll injector that loads a lib which steals guids that the name of the dll is known, or the name in that instance, or the program used...

Hell, a link to someone discussing it would even be a step in the right direction.

Caveman

  • Guest
« Reply #36 on: June 16, 2007, 06:54:56 pm »
Quote from: "tuple"
How exactly can a DLL injector steal GUIDS?


Strange I thought I did understand your question of _how_ it would be possible.
I guess I need to go back to school and re-learn reading.

tuple

  • Posts: 833
  • Turrets: +97/-80
« Reply #37 on: June 16, 2007, 07:23:40 pm »
I am sorry that the rest of us are not as eloquent or precise in our questions as you.

Edit:  I'll make my request more concise.
Please provide more info.

LinuxManMikeC

  • Posts: 125
  • Turrets: +0/-0
« Reply #38 on: July 11, 2007, 04:24:16 am »
Quote from: "Caveman"
raytray, yes.
unique-guid is computed from the server-ip and your qkey.


What about servers being run off a dynamic IP on DSL or Cable?  I know of at least a handful of such servers (including my own).  Sure, the IP may not change often, but when it does all admins would be lost (except LAN admins that connect directly).  And I personally can't afford a static IP nor renting a server right now, so this would screw me big time!  Perhaps give servers GUIDs too (of course then the server GUIDs could be spoofed).  I really think the best way would be some sort of digital signature setup where the identity of both server and client are established, it shouldn't rely on IP address.
Embrace your inner penguin 8)
GtkRadiant Wiki (under construction)

Caveman

  • Guest
« Reply #39 on: July 11, 2007, 01:31:44 pm »
Just don't run a server off a cheapo setup.
The price you pay for energy, bandwidth and the nerves needed you'll get a good offer at a local housing near you.

LinuxManMikeC

  • Posts: 125
  • Turrets: +0/-0
« Reply #40 on: July 12, 2007, 06:52:13 am »
Quote from: "Caveman"
Just don't run a server off a cheapo setup.
The price you pay for energy, bandwidth and the nerves needed you'll get a good offer at a local housing near you.


I knew that answer was coming, even after I specified it's not an option for me.

1 - One very rough estimate I found puts power costs at an estimated $10.80/month (Stanford Folding@Home project).
2 - My DSL costs about $15-$20/month, but we were paying that already so there is no additional cost in bandwidth.  I just decided to use the loads of spare upstream bandwidth for my server (which isn't even heavily trafficked).  And the amount of bandwidth used by the server during a full game is at most 50%.
3 - Nerves?  The only thing getting on my nerves is the fact that some "genius" security solution is going to screw my ability to have admins on my server.  Other than this, my server has been quite a Zen garden for me.

So my server costs roughly $11/month to run.  I have Tremulous, Apache (with all the trimmings), MySQL and PostgreSQL with no limits (other than my HD size :D ) , SSH, Subversion, and anything else I could possibly want.  I have complete control.  I have also calculated my total available bandwidth to be about 3GB/month if data transfer is occurring 24/7.  Though my upstream doesn't allow for large immediate spikes in traffic.

Hosting plans I found start at $15-$20/month and that is only Tremulous.  This one game host I found also offers 1GB web hosting + MySQL with "unlimited" bandwidth for an added $8/month, which comes to a total of $28/month.  But this is narrowly focused on gaming.

If I want to match the features and control I have on my own server I would need to lease a dedicated server.  And those seem to be starting at a minimum $100/month.

So wise guy, I'm saving money.  Please don't screw the budget admins who are stuck with dynamic IP addresses.  There are better solutions for the GUID problem out there.
Embrace your inner penguin 8)
GtkRadiant Wiki (under construction)

Sage

  • Posts: 88
  • Turrets: +0/-0
« Reply #41 on: July 15, 2007, 05:21:48 pm »
Quote from: "benmachine"

On what basis, may I ask? More than just they know how, please... so do I, and I know for a fact that at least one other person does. And I'm yet still to see a conclusive link between Pol and any GUID thefts, let alone this one.

i know 2 ppls that does... 1 ppl that u know taught that second but i wont say names cuz they re my friends

Somethief

  • Posts: 284
  • Turrets: +1/-1
    • http://www.somethief.net/
« Reply #42 on: July 15, 2007, 06:16:24 pm »
Hmm, let's start stealing guids! Beware, I might be administrating your server when you get back next time o/
Tremulous Suomi: http://fi.tremulous.net/
My blog