Passwords and other concerns

Please discuss issues concerning the Ducati League here. This is the liaison between league players and the league council.
Post Reply
Mr_Molez
Private First Class
Private First Class
Posts: 26
Joined: Mon Nov 08, 2004 5:16 am

Passwords and other concerns

Post by Mr_Molez » Sat Sep 09, 2006 7:26 am

NOTICE: This thread was originally posted here, and moved to a private forum, as it dealt with a possilble security issue. It has been determined that the mentioned security risk does not exist, and the DLB thinks that the thread should be public. The original post follows ... (Ducati League Board)

I disagree, never have i known somebody not apart of the league and not apart of the ducati match servers to ever see the msg. I do find it annoying as a ducati league player to see the admsg atleast 3 times every time I play.

I think there needs to be a balance between the players fun and advertising the league. The admsg works great on the public ports and I hope more public ports use this admsg aswell but sadly they dont Sad

it distracts me greatly to see the message, I love the idea however of advertising the league, because I think it is a great league (dispite the few ducati admins that abuse their powers by boycotting players, distributing login information and login names and login passwords, age, specific player locations and other personal information. some of these such admins that abuse their powers are Admirarch, tokimi and orange
Im not sure how but admirarch gave me the passwords to login to some ducati players accounts, im not sure if he got them by looking into the ducati league code or requested they change their password of anything, but he got the passwords and told them me. I was pretty shocked that he would give me those passwords, Im not sure how he see's me at the moment maybe he thought i would spam those accounts or post offensive material from those accounts, but what ever his reason he gave me those account passwords) I hope my passwords are not given out in such a way, but I will be talking to menotume about this. Because I certainly don't want my password given out because I use my password for other things also.

I hope you have a think about the admsg or spawn list idea, it is just a suggestion I would like feedback on, I'm really not sure if its the best
idea for ducati as a whole or not.

Thanks alot

quantum dot
Private First Class
Private First Class
Posts: 1287
Joined: Sun May 16, 2004 10:19 pm
Location: Spain
Contact:

Post by quantum dot » Sat Sep 09, 2006 12:45 pm

this story about passwds sounds pretty weird to me.

1) i doubt there is a single admin who give passwds as you say

2) To my knowledge admir cannot look at passwds, not edit or look the code or data bases or either bzbb nor ducati, not gu league sites. In fact, no one can actually see passwds so that these can be passed to you. Passwds should be encripted so, at most, there are a few (very few) people who can access the encripted file, not the pass as such. No one can actually extract a pass form that file.

In summary, admir cannot edit a passwd in ducati site (he is not site admin and referees cant edit passwds), and even IF he had the access to the passwd file he would NOT be able to read it.

So if this story is true, yes, you need to talk to a site admin.

qd
Last edited by quantum dot on Sat Sep 09, 2006 3:11 pm, edited 1 time in total.

User avatar
[dmp]
Captain
Captain
Posts: 282
Joined: Mon Dec 09, 2002 3:20 pm
Location: CPH, Denmark
Contact:

Post by [dmp] » Sat Sep 09, 2006 3:03 pm

I can only confirm what quantum dot says. The site dosnt store your password anywhere, but calculates a hash from that password, and that hash is stored in the database. Now, when you log in, it calculates a hash of the password you enter, and compares it to the stored hash. As a password will always yield the same hash, the two hashes will be the same, if the passwords are. Thereby allowing us to authenticate without storing the passwords. And no, you cannot reverse the process, so having the hash wont help you. But this is technicalities :)

So its impossible to view the passwords as text, due to how the code works currently.

To get the password, they need to either modify the code - but I've checked. The code havnt been modified since my last upgrade.

Also, as qdot says, Admir (as a ref), Orange and Tokimi (as Ducati Admins) does not have the access to change other players password. So this also rules out the possibility, that they have been changing passwords. And even if they had, the account owner would notice it rather quickly.

So, if they have the password(s), they have gotten it from another source than the ducati website/database (eg: its their own accounts, they have been told what the password are, the password have been exposed somewhere..).

But that will be easier to check with some more info - to one of the siteadmins.

And using different password for each site dosnt hurt - even if its a pain. :)
I don't need huge pictures here.

User avatar
menotume
Major General
Major General
Posts: 232
Joined: Tue Jul 01, 2003 7:48 pm
Location: SE Pennsylvania, USA
Contact:

Post by menotume » Tue Sep 12, 2006 4:15 pm

Indeed, there is virtually no way Admirarch (or anyone else) could determine a player's password. A few people COULD change a player's password (Chestal, [dmp] and myself).

I would like to adress another issue here. There has been talk about server admins abusing their power by looking at player's IPs to see who they are. Personally, i do this a lot, especially if I see someone with an unknown callsign who is scoring well. Often, this is a quick easy way to determine if I should be concerned about a possible cheater. Sometimes, I even privately message the person, letting them know that I know who they are. But, I do NOT tell anyone else who they are, with the possible exception of another admin who may ask 'who is so-and-so', if that admin also has the ability to determine who it is, but this is rare.

So, my question is this ... Is this a violation of someone's right to privacy?

I don't think so. Server administrators have every right in my opinion to know who the players are. Many times, we get pms from players saying "Who is so-and-so, I think they're cheating". This is a somewhat natural reaction if they see some one who they don't know who is playing well. I do think that the admins should not tell anyone else who an aliased player is, just to give them a bit of 'privacy' in case they just want to play without being bothered with talking to people (I know how that is:)

Side note: A player's specific location can NOT be determined from an IP, without a legal warrant. A traceroute can sometimes show a player's general location (like a state in the US). IF anyone is concerned about this, they should consider disconnecting their internet, as an IP can been determined virtually anywhere you go. If anyone knows how to determine a person's age, sex, or any other personal information from an IP, I'd sure like to know about that :)

Side note #2: I would be interested in anyone's comments about people playing alised in general. Is it a good idea for players to alias themselves? Is this a violations to OTHER players right to privacy? I mean, the aliased player knows who everyone else is, but they don't know who he/she is. Should all Ducati servers be reg-only?
Last edited by menotume on Tue Sep 12, 2006 5:07 pm, edited 1 time in total.

quantum dot
Private First Class
Private First Class
Posts: 1287
Joined: Sun May 16, 2004 10:19 pm
Location: Spain
Contact:

Post by quantum dot » Tue Sep 12, 2006 4:52 pm

I concur with menotume and, as I already explained publicly the day this thread was created, insist that passwords simply canot be given away as Molez enfatically claims.

Also, I am often asked about the identity of "unknown" good players :"who is so-and-so" and I have never revealed the identity of an aliased player to anyone, never. Not even have given a bit of a hint about it. Not to mention giving IP info. pfff.

I must add that from my experience I have never seen or being aware of any admin giving any of these either identity, passwords or IPs to anyone, but other fellow admins who asked for some specific reason. Not in any serious servers officially associated with ducati, GU or pillbox.

I would also like, or, I should say, strongly request Mr_Molez to explain his acusations in full detail to any of these: menotume, dmp, Chestal, or JeffM.

Making these kind of public accusations helps little to the the accuser's cause, whatever that cause would be.
Last edited by quantum dot on Tue Sep 12, 2006 9:33 pm, edited 1 time in total.

User avatar
JeffM
Staff Sergeant
Staff Sergeant
Posts: 5173
Joined: Fri Dec 13, 2002 4:11 am
Location: https://discord.gg/NN9uAvx
Contact:

Post by JeffM » Tue Sep 12, 2006 5:17 pm

Ok, just so everybody knows.

I split and moved this post when it first came up. Nobody on the DLC, or DLB, or whatever it's called now did anything to protect anyone from anything.

I split it because it was a seperate new topic that molez snuck into an existing thread. New topics go in new threads, simple as that. I moved it because if it was a REAL security threat it needed to be evaluated, and not have info about it out there for people to exploit. So it was moved to the admin fourm for evaluation.

It turned out to not be any real security threat, just some people seem to have a beef against some other people. Had it been a real security problem, it would have been discovered, fixed, and the a public message posted telling the people what happened, and what they would have to do ( change passwords or what not ).

Those of you who thought this was some sort of conspiracy or "censorship", get over yourselves.

In the future if somone has a security concern it is always best to privately contact the adminstrators of the system. If it's bzbb, that would be Learner, DTRemenak, or myself. If it's the leauge site then that would be the leauge admins. You can always come onto IRC and ask who you should speak to, we'll be glad to help you and and figure out what is going on. Security concerns are big deals, and require imediate action, and should not be left to "when somone reads a post".

pyr0
Private First Class
Private First Class
Posts: 144
Joined: Wed Jul 13, 2005 5:08 pm

Post by pyr0 » Tue Sep 12, 2006 9:31 pm

I dont know much about this or trading passwords, cracking them, and everything else talked about. Not sure what Mr_Molez is speaking of in any way. One thing I can say is that theres no such thing as impossible. Maybe someone with access to the code has a small snippet they add in when they want to grab a password.

I can say, a basic admin cant touch passwords in the way claimed. They need code or database access. Either a SSH, FTP, File manager of sorts, or for SQL, just a simple MySQL Navigator run with the database info on a SQL server that isnt secured as well as it should be (Blocking non local connections).

No matter how the password is grabbed, although important, i have no way to know the settings up for Ducti or any other place around here since I dont like to tempt fate, that much, in hopes of learning something new. On the other hand, no password, hashed or not, is secure. A rainbow table could easily tap quite a long list of passwords, with ease. To give an example, not too long ago I was bored out of my mind, installed a couple things, and one was a Rainbow Table password cracker. So I decided to have some fun, tempted it with the 20 or so passwords I can remember using over the years. It cracked through 9 out of 10 with ease. Even my current one, which i kind of expected anyways. Most were found in less then 5 seconds, some took a minute to locate.

If it is a security issue in any fasion that isnt code related, it needs to be looked at in a different manner. Maybe SQL is allowing connections from outside (one look at the code for webleague, i knew where the sql info was, no readme, nothing, and that was with 2 minutes of code access). maybe someone had just that short instant of access they needed to get the right information and then go from there. Maybe they have access to a phpmyadmin somewhere on the server where the user is a bit more priv.'d then should be.

anything possible
-pyr0

User avatar
menotume
Major General
Major General
Posts: 232
Joined: Tue Jul 01, 2003 7:48 pm
Location: SE Pennsylvania, USA
Contact:

Post by menotume » Tue Sep 12, 2006 11:28 pm

Of course, that would require ssh shell access, AND permissions to access the webleague code directory. FTP, http file managers and phpmyadmin are not available at the server.

That would limit the number of people with access significantly, basically the 3 site admins who would have access to directly change a password anyway. SQL access is NOT allowed remotely (and, if it was, you would need the DB name, username and password anyway, see: need shell access).

AFTER aquiring an MD5 hashed password (shell access required), it could be run through a cracker to come up with a list of words that could produce the hash. To do this remotely (no shell access), would be VIRTUALLY impossible, as each of billions of combinations would have to be tried remotely. I don't know the numbers offhand, but I suspect it would take a remote computer years to achieve - and we would see it in the 'BadLogin' admin function, as I am sure pyr0 is aware of.

Sure, anything is possible. But, if you think you can crack passwords at the Ducati league site and maybe send a bzmail or make a post as someone else, why don't you use those skills to crack a bank or military site.

I DO think we are missing the point here though. Think about it.

mistake
Private First Class
Private First Class
Posts: 124
Joined: Wed Jun 15, 2005 12:12 am

Post by mistake » Wed Sep 13, 2006 11:40 am

I think I know what Admir did. He probably has many secret accounts on the site, and delivered the passwords of exactly these accounts :wink:

But serious.
To understand what really happened more specifica about the case should be given. The few information given by Molez leaves everybody clueless about what we are talking about. he should give more clues, or otherwise there is not much that can be discussed, the MD5 mechanism used in the webleague is as good as secure and can be excluded as source of the passwords. Other possibilities still remains:

- About a year ago I think the bzbb site was hacked, somebody gained access and modified some posts etc, sure you all remember.
Very likely however this did not give the hacker access to the passwords in clear text.

- Another source for passwords is any old password file of a server of the pre-global times. For people that have the same password everywhere, this is ofcourse a problem, which is also exactly why the developers moved to global registration (I think probably one of the most important new feature in 2.0.x, yay for devs).

So, though there are other ways of getting to these passwords, it puzzles my why Admir would do so such a thing. Is he also Mr. BZBB cracker? A Server Owner with a criminal mind? Is he Dr. Marbuse? Maybe even the secret coder behind all the cheats. Very unlikely.

Maybe it would help describing the context in which this all happened.

____________________

About IP lookup. When not using a very dynamic IP range, going under alias I don't expect that my identity is 100% save. It should be, and no admin should tell anybody who can't see IP's about someones real nick.
But would anybody really rely on that? And how important is this, all in all we obscure one imaginary identity with another identity.

But, these things happen. i also know of a couple of cases where players that should not, had gotten fragments of server logs. Its bad, and i hate to see it happen in the future. But they can happen, and if you find out, talk about it, and hope that these things will not happen again.
Sometimes the regulating powers also need to learn about borders and rights and can make mistakes in the process.
mistake

Admirarch
Private First Class
Private First Class
Posts: 33
Joined: Sat Sep 11, 2004 9:06 am
Location: Seeking lost whimsy

Post by Admirarch » Wed Sep 13, 2006 12:08 pm

To the best of my knowledge my transmission of passwords has been limited to the following:

Giving the password to the globally registered account "get dub active!" to a couple of players so that they can use it if they want to.
Accidentally leaving my own password in when sending my config file to a teammate (Sorry jh, it's changed now so you can't, alas, impersonate me).

If I have unwittingly managed to give any player passwords or if somebody may have done so whilst impersonating me I would, of course, be very interested in finding out.

Post Reply