| 00:25.28 | *** join/#bzflag Pimpinella (~frank@gondolin.pimpi.org) |
| 01:42.33 | *** join/#bzflag bulletmark (~bulletmar@ppp118-211-213-19.lns20.bne7.internode.on.net) |
| 03:25.04 | *** join/#bzflag ruskie (ruskie@sourcemage/mage/ruskie) |
| 04:59.11 | *** join/#bzflag bulletmark (~bulletmar@ppp118-211-213-19.lns20.bne7.internode.on.net) |
| 07:25.39 | *** join/#bzflag mats3 (32317d0a@gateway/web/freenode/ip.50.49.125.10) |
| 11:11.41 | *** join/#bzflag Pimpinella (~frank@gondolin.pimpi.org) |
| 11:36.31 | *** join/#bzflag catay (~smertens@valyria.catay.be) |
| 13:53.14 | *** join/#bzflag mdskpr (~quassel@li59-174.members.linode.com) |
| 14:43.25 | *** join/#bzflag mdskpr (~quassel@li59-174.members.linode.com) |
| 15:19.43 | *** join/#bzflag trepan (~trepan@s72-38-252-50.static.datacom.cgocable.net) |
| 16:22.26 | *** join/#bzflag JeffM (~JeffM@12.167.61.2) |
| 16:56.27 | *** join/#bzflag MentalHacker (uid39563@gateway/web/irccloud.com/x-fgkpngjvhysrnuiu) |
| 16:58.14 | *** part/#bzflag MentalHacker (uid39563@gateway/web/irccloud.com/x-fgkpngjvhysrnuiu) |
| 16:58.18 | *** join/#bzflag MentalHacker (uid39563@gateway/web/irccloud.com/x-fgkpngjvhysrnuiu) |
| 17:29.50 | *** join/#bzflag trepan (~trepan@s72-38-252-50.static.datacom.cgocable.net) |
| 17:35.49 | *** join/#bzflag Admirarch (~Athelthra@mrush.mth.abdn.ac.uk) |
| 17:46.26 | *** join/#bzflag JeffM (~JeffM@107-209-61-105.lightspeed.irvnca.sbcglobal.net) |
| 17:57.19 | *** join/#bzflag Admirarch (~Athelthra@mrush.mth.abdn.ac.uk) |
| 18:12.16 | WarPig | DR hacker claims if you type '/password' (no argument) after someone uses /password with the correct pass, you will gain admin privs. He demonstrated it to be true. There's another (big) one for your buglist. |
| 18:20.47 | *** join/#bzflag TimRiker (~TimRiker@bzflag/projectlead/TimRiker) |
| 18:20.47 | *** mode/#bzflag [+o TimRiker] by ChanServ |
| 18:23.05 | *** join/#bzflag khonkhortisan (~Khonkhort@c-71-227-239-229.hsd1.wa.comcast.net) |
| 19:58.32 | blast007 | WarPig: already known and was mentioned to all server owners or week or so ago.. if they've failed to take action, well.... |
| 19:58.50 | blast007 | owners a week* |
| 19:59.53 | JeffM | short passwords for the loss |
| 20:00.18 | blast007 | yeah, the issue on Linux only affects passwords less than 6 characters in length |
| 20:00.36 | blast007 | or I should say, in the Linux situations we tested |
| 20:00.52 | JeffM | what about all those windows server |
| 20:00.55 | JeffM | oh wait.. |
| 20:01.00 | JeffM | nevermind |
| 20:01.53 | blast007 | I couldn't duplicate it on Windows, at least when attached to a debugger - but that may mask the issue as it's a bug where we're reading a char* starting past the null |
| 20:02.48 | JeffM | probably |
| 20:02.51 | JeffM | it's not a big deal |
| 20:02.55 | JeffM | windows is not a good server OS |
| 20:03.15 | blast007 | the guy is now threatening to attack individual players based on the IP data he scraped from the password exploit |
| 20:03.22 | JeffM | heh |
| 20:03.41 | JeffM | because this is war right? |
| 20:03.46 | blast007 | I guess |
| 20:03.52 | JeffM | he totaly wants to shut down a game with 20 players.... |
| 20:04.05 | JeffM | then that girl will finaly notice him |
| 20:04.11 | blast007 | lol |
| 20:04.12 | JeffM | or boy, who am I to judge |
| 20:05.55 | JeffM | must mean he's out of bugs to help us find |
| 20:06.07 | JeffM | so he has to move to silly threats |
| 20:06.17 | blast007 | he's always been about the threats |
| 20:06.37 | blast007 | made threats of DDoS attacks on bzflag.org quite some time ago |
| 20:06.48 | JeffM | any followup on them? |
| 20:06.59 | blast007 | I think I saw a packet or two |
| 20:07.04 | blast007 | :P |
| 20:07.06 | JeffM | heh |
| 20:07.13 | blast007 | but no, probably not |
| 20:07.16 | blast007 | hard to say really though |
| 20:07.22 | JeffM | "That's not a knife.. this is a knife" |
| 20:08.01 | blast007 | we may have been on a VPS or the old server at that time, so an attack could have been easily confused with "normal operation" |
| 20:08.14 | JeffM | heh |
| 20:08.32 | blast007 | it's be a bit more obvious now if we're under a real attack ;) |
| 20:09.31 | blast007 | heck, before this server, we had to stagger the joins for the riker cup, otherwise auth would fail |
| 20:09.39 | JeffM | heh |
| 20:10.23 | blast007 | funny how much better a system works when you're not a gig into your swap file |
| 20:10.24 | JeffM | well at least he helped find some bugs |
| 20:10.39 | JeffM | wonder if that machine is still running |
| 20:10.43 | WarPig | Silver lining ftw. :D |
| 20:11.13 | JeffM | it's not really a silver lining, the game is so low trafic that a single person can't put that much of a dent in it |
| 20:11.18 | blast007 | WarPig: or gold plated turd ;) |
| 20:11.28 | WarPig | heh |
| 20:11.28 | JeffM | and since he was so vocal it just meant that people would look into the issues |
| 20:11.38 | JeffM | it's the only logical outcome of his actions |
| 20:11.54 | WarPig | whatta maroon |
| 20:11.55 | blast007 | that, and he keeps telling us how he does them |
| 20:12.13 | JeffM | maybe he wants to see the game fixed and this is the only way he can get it |
| 20:12.20 | JeffM | he's the batman of bzflag |
| 20:12.47 | WarPig | There is an admin message when someone gains elevated privs by way of /password, isn' |
| 20:12.51 | WarPig | t there? |
| 20:12.53 | blast007 | yes |
| 20:13.20 | blast007 | the workaround is literally to just remove the password from the config for now... |
| 20:13.42 | WarPig | I presume once they have the privs, they become unbannable by other admins? |
| 20:14.12 | blast007 | maybe? I can't remember if that was a thing, or if it's still a thing |
| 20:14.51 | blast007 | at one point at least it had some special meaning, but I was thinking we removed that at one point.. could have been in the 2.1/2.99.x codebase though |
| 20:29.21 | JeffM | with auth I can't really see the need for /password |
| 20:29.31 | JeffM | have a plugin that does it for the people with local servers |
| 20:30.04 | JeffM | then that plugin has to be enabled and can be configured to do IP range checks too |
| 20:46.29 | blast007 | one of the owners said "Unfortunately local authentication has been dropped from bzfs long ago and global authentication cannot handle multiple logins well, so you don't have much choice. I'll see what I can do." |
| 20:46.54 | blast007 | didn't understand what they meant by the global auth part so I had asked for clarification |
| 20:47.24 | JeffM | huh? |
| 20:47.41 | JeffM | like you want to join your game twice using the same credentials? |
| 20:47.47 | blast007 | no idea... |
| 20:47.55 | JeffM | yeah that sounds odd |
| 20:48.03 | JeffM | local auth can be implemented in a plug-in |
| 20:48.11 | JeffM | thats WHY we removed it |
| 20:48.17 | JeffM | that and it's lame |
| 20:48.34 | blast007 | the only thing I could think was joining multiple bzadmin clients at once across multiple servers and having the token get overwritten.. but that's easy to work around if that's the issue |
| 20:49.41 | JeffM | ahh yeah not joining and authing in order |
| 20:49.45 | blast007 | I think the only issue we've had with auth since it moved to this server was when namecheap's DNS provider got DDoSed |
| 20:50.00 | JeffM | authenticating a bzadmin client is exactly what a plugin should do |
| 20:50.20 | blast007 | bzadmin shouldn't even exist anymore ;) |
| 20:50.24 | JeffM | yes |
| 20:50.32 | blast007 | kill it for 2.6 and finish a web plugin |
| 20:50.33 | JeffM | but if it does, make it auth over a plugin |
| 20:50.37 | JeffM | and IP range lock it |
| 20:50.52 | JeffM | kill it for 2.4 and finish the web plugin |
| 20:50.56 | blast007 | heh |
| 20:50.58 | JeffM | it is not tied to proto |
| 20:51.02 | blast007 | but then people won't upgrade ;) |
| 20:51.12 | blast007 | do it at a point when they have to |
| 20:51.17 | JeffM | make the 2.4 server auto upgrade |
| 20:51.32 | blast007 | then they won't upgrade to the auto-updating bzfs |
| 20:51.37 | JeffM | well if you pull bzadmin for 2.6 they won't upgrade for that reason |
| 20:51.50 | JeffM | stealth it in |
| 20:52.04 | blast007 | there's no incentive to upgrade to a new major release than a minor one |
| 20:52.38 | blast007 | er, sorry, there's MORE inceitive |
| 20:52.50 | JeffM | just say that it has iOS admin support :) |
| 20:54.09 | blast007 | the only reason for -passwd these days is in case of the rare event that auth goes down or for a local test server |
| 20:54.37 | blast007 | and if auth is down and some troublemaker is on.. just shut down the server.. it's a game, it's not running grandma's life support machine.. |
| 20:55.36 | JeffM | the 5 people will understand |
| 21:11.00 | *** join/#bzflag thrakattak (cz3141@gateway/shell/devio.us/x-mjmjxasxwoefdwur) |
| 21:12.10 | *** join/#bzflag TimRiker (~TimRiker@bzflag/projectlead/TimRiker) |
| 21:12.10 | *** mode/#bzflag [+o TimRiker] by ChanServ |
| 22:56.06 | *** join/#bzflag circa7 (~steve@cpe-75-83-222-82.socal.res.rr.com) |