Author Topic: About the GUID  (Read 5161 times)

Flower

  • Posts: 94
  • Turrets: +3/-0
About the GUID
« on: August 23, 2007, 09:42:35 pm »
I'd like to know why the GUID is not unique for each server you join. It's not hard to copy a GUID of someone else.

Example:

You own your server. When somebody joins, you can see his complete GUID on the console. If you figure out a way to replace yours and send it to a server when you join, it's easy to get his admin (if he is) and be a turd. I already heard some guy from S11 did it and I'm pretty sure it's not hard.

By using a unique GUID for each server, you are sure that nobody around can take your GUID and go on another server with it because it's different for each server.
I'm a Flower, wanna smell my pistil?

Survivor

  • Posts: 1660
  • Turrets: +164/-159
About the GUID
« Reply #1 on: August 23, 2007, 09:52:30 pm »
Server unique guids can already be enabled.
I’m busy. I’ll ignore you later.

n00b pl0x

  • Posts: 2412
  • Turrets: +55/-168
About the GUID
« Reply #2 on: August 23, 2007, 10:07:47 pm »
how am to do that
will sort out my sig, or I will get banned.

HOW DO I SORTED SIG?

Nux

  • Posts: 1778
  • Turrets: +258/-69
Re: About the GUID
« Reply #3 on: August 23, 2007, 10:55:13 pm »
Quote from: "Flower"
By using a unique GUID for each server, you are sure that nobody around can take your GUID and go on another server with it because it's different for each server.


Of course, that doesn't stop them from spoofing your guid for that server and any others they see you on, individually.

Patriotpie

  • Posts: 85
  • Turrets: +9/-15
About the GUID
« Reply #4 on: August 23, 2007, 11:35:35 pm »
get TJW's newest client, cl_guidserveruniq 1

Flower

  • Posts: 94
  • Turrets: +3/-0
About the GUID
« Reply #5 on: August 24, 2007, 03:23:03 am »
Most of the servers have this option on?
I'm a Flower, wanna smell my pistil?

kevlarman

  • Posts: 2737
  • Turrets: +291/-295
About the GUID
« Reply #6 on: August 24, 2007, 03:32:18 am »
Quote from: "Flower"
Most of the servers have this option on?
it's a client option... it prepends the server ip and the server port (separated by a colon) to the qkey before taking the md5sum.
Quote from: Asvarox link=topic=8622.msg169333#msg169333
Ok let's plan it out. Asva, you are nub, go sit on rets, I will build, you two go feed like hell, you go pwn their asses, and everyone else camp in the hallway, roger?
the dretch bites.
-----
|..d| #
|.@.-##
-----
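
The derivation described in reply #6, as an added example that is not part of the original thread and not the client's own code. The exact byte layout of the concatenation, the sample qkey and the server addresses are assumptions constructed for illustration.

```python
import hashlib

def guid(qkey, server=None):
    """Return the 32-hex-character GUID a client would present.

    server=None models the default behaviour (one GUID everywhere).
    With a (ip, port) tuple, "ip:port" is prepended to the qkey before
    the MD5 is taken, as described for cl_guidserveruniq 1.
    Assumption: the prefix is joined to the qkey with no separator.
    """
    prefix = b"" if server is None else f"{server[0]}:{server[1]}".encode()
    return hashlib.md5(prefix + qkey).hexdigest()

def exposure(qkey, seen_on, other_servers, uniq):
    """List the servers on which a GUID logged by the operator of
    `seen_on` is the same GUID the player presents there."""
    captured = guid(qkey, seen_on if uniq else None)
    candidates = [seen_on] + list(other_servers)
    return [s for s in candidates
            if guid(qkey, s if uniq else None) == captured]

# Constructed sample data: a fixed stand-in qkey and documentation-range
# addresses (RFC 5737), not real servers.
QKEY = bytes(range(256)) * 8
SERVER_A = ("192.0.2.10", 30720)
SERVER_B = ("198.51.100.7", 30720)
SERVER_C = ("192.0.2.10", 30721)   # same host as A, different port

if __name__ == "__main__":
    for uniq in (False, True):
        reach = exposure(QKEY, SERVER_A, [SERVER_B, SERVER_C], uniq)
        print(f"server-unique={uniq}: GUID logged on A is valid on {reach}")
```

With the option off, the value logged on one server identifies the player everywhere; with it on, it is only meaningful on the server that logged it, which is the residual exposure raised in reply #3.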

Vector_Matt

  • Posts: 732
  • Turrets: +2/-1
Re: About the GUID
« Reply #7 on: August 24, 2007, 02:45:20 pm »
Quote from: "Nux"
Quote from: "Flower"
By using a unique GUID for each server, you are sure that nobody around can take your GUID and go on another server with it because it's different for each server.


Of course, that doesn't stop them from spoofing your guid for that server and any others they see you on, individually.
The way guids operate could be changed.

The client would send a string to the server, the server would remember that guid, but in /!listplayers it would only show the checksum of that guid.

This would make it nearly impossible to steal a guid, as only the server operator can see the entire guid. Everyone else just sees the checksum. (It would be possible to try every guid combination until you found the one with the checksum that a person had, but it would take a long time.) (Someone could also start a fake server just to gather guids, but most of us don't go onto servers we don't know of, or get good ping on.)

This also has the desirable side effect of making it hard to make a fake guid that displays as ***l33t*** or some such thing.

Caveman

  • Guest
About the GUID
« Reply #8 on: August 24, 2007, 02:56:04 pm »
it's not about !listplayers, where only some digits are shown. ATM !listplayers is absolutely useless to harvest guids.

Matt, please read up on what you are talking about .)

Vector_Matt

  • Posts: 732
  • Turrets: +2/-1
About the GUID
« Reply #9 on: August 24, 2007, 04:23:44 pm »
Quote from: "Caveman"
Matt, please read up on what you are talking about .)
I actually can't seem to find info about it. I googled and checked tjw's site. I found nothing about it.
Do you know of a good place to get information on it?

Caveman

  • Guest
About the GUID
« Reply #10 on: August 24, 2007, 04:28:18 pm »
If none of the usual links/sites work, try the source, or head on over to a server and check the guids from the log with what !listplayers gives you.

Flower

  • Posts: 94
  • Turrets: +3/-0
About the GUID
« Reply #11 on: August 25, 2007, 03:05:38 am »
The only people that can steal the GUIDs are the server admins. You get the full 32-byte string when you are an admin. It's also easy to change, but I won't explain it. And now that I know that the unique GUID is client side, I'll set it up and it'll be ok.
I'm a Flower, wanna smell my pistil?

Eeeew Spiders

  • Posts: 213
  • Turrets: +13/-7
About the GUID
« Reply #12 on: August 25, 2007, 04:18:20 am »
Quote from: "Flower"
The only people that can steal the GUIDs are the server admins.....


If you wanted to make the GUID completely safe, a solution could be that the GUID is only sent by the client to a global GUID validator server somewhere, and that that GUID validator server just tells the server who it is (e.g. just sends the md5 checksum to the tremulous server).
This way the tremulous server would never receive any GUIDs and it couldn't be spoofed.
However, since GUIDs can now only be compromised locally on one server (due to cl_guidserveruniq) it doesn't seem to be worth the effort.