Security increase for Administration of Playerworlds


zell12
01-12-2004, 09:50 PM
Here is the way I see it, I said it before last year:

The accounts with level 4 rights (Manager Accounts) have an option added to them so that if they try to change the server options, folder configuration, rights of other accounts (default rights, manager can add more), etc...
This should add better security in case someone with an ip mask gets ahold of your account. :)

When you click the server options button, as an example, you can edit whatever you like. When you click apply/ok, it asks you for your password. If you enter an invalid password, it asks you again. 3 bad passwords will result in your account being disabled, and maybe even an email sent to the pwa or one of the other managers. ;)

-Ramirez-
01-12-2004, 10:43 PM
That would be extremely annoying.

Milkdude99
01-12-2004, 10:53 PM
It's a nice idea in theory but not really practical..

zell12
01-12-2004, 11:16 PM
It is practical with some amendments. And it would be a bugger, yes, but would you rather lose everything because someone found your account information? A 64/128-bit encryption password should be enough to protect someone on a game like "graal" ;)

-Ramirez-
01-12-2004, 11:32 PM
Originally posted by zell12
but would you rather lose everything because someone found your account information?
It has yet to happen, so I'm fine. Besides, strict IP ranges make things like that far less likely. Stefan could add hostname checking instead of IP checking to make it even better.

zell12
01-13-2004, 01:12 AM
The ips, even hostnames (changed to an ip) can be spoofed, or masked, by programs. So you are only safe really, if they don't have your password.

xManiamaNx
01-13-2004, 01:25 AM
Unless the password it asks for when changing the stuff is different from the account password, it's not really going to do any good. If somebody got hold of your account and got on RC with it, there's a 90% chance they'll know your account password.
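
The confirmation prompt proposed at the top of the thread, using a secret separate from the login password as the post above says it would have to be. This is an added sketch, not part of any post and not Graal's code; `ManagerAccount`, `OptionsGuard` and the `notify` callback are hypothetical names.

```python
import hashlib, hmac, os

MAX_FAILURES = 3  # the proposal: three bad entries disable the account

def derive(secret: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash, never the confirmation secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class ManagerAccount:
    def __init__(self, name: str, confirm_secret: str):
        # confirm_secret is separate from the login password (assumption).
        self.name = name
        self.salt = os.urandom(16)
        self.confirm_hash = derive(confirm_secret, self.salt)
        self.failures = 0
        self.disabled = False

class OptionsGuard:
    def __init__(self, notify):
        self.notify = notify      # hypothetical hook, e.g. mail the other managers
        self.options = {}

    def apply(self, account, changes: dict, supplied: str) -> str:
        if account.disabled:
            return "disabled"
        candidate = derive(supplied, account.salt)
        if not hmac.compare_digest(candidate, account.confirm_hash):
            account.failures += 1
            if account.failures >= MAX_FAILURES:
                account.disabled = True
                self.notify(f"{account.name} disabled after {MAX_FAILURES} bad confirmations")
                return "disabled"
            return "retry"
        account.failures = 0      # a good entry clears the strike count
        self.options.update(changes)
        return "applied"
```

The strike counter lives on the account rather than the session, so reconnecting does not reset it.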

zell12
01-13-2004, 02:06 AM
I know that, I was just hoping you guys would too. :rolleyes:

-Ramirez-
01-13-2004, 02:09 AM
Originally posted by zell12
The ips, even hostnames (changed to an ip) can be spoofed, or masked, by programs.
Show me one of these programs. I would love to see this work for myself. I've heard about them, sure, but never seen one used.

HoudiniMan
01-13-2004, 02:16 AM
If somebody was really going to go to the trouble to spoof their IP address, I think getting your account password would be pretty easy. IP ranges are very VERY good protection against people who have gotten your password, but if they can bypass it then it's not like it's a top secret project you're working on.

Make regular back-ups as always and set your IP range as strictly as possible and you'll be fine.

zell12
01-13-2004, 02:20 AM
Well, ip ranges are not as secure as you think. It is like buying a lock from the dollar store, putting it on a PollyPocket chest, and stuffing a $1000 in it and leaving it on the side of a street.

Python523
01-13-2004, 02:48 AM
Originally posted by zell12
Well, ip ranges are not as secure as you think. It is like buying a lock from the dollar store, putting it on a PollyPocket chest, and stuffing a $1000 in it and leaving it on the side of a street.

No.
Unless you had access to the computer the actual IP address is assigned to, you can't do it with TCP.

zell12
01-13-2004, 03:12 AM
Jagen, people send you a trojan, they get your pass. Someone spoofs your ip, they have your account.

Python523
01-13-2004, 03:14 AM
Originally posted by zell12
Jagen, people send you a trojan, they get your pass. Someone spoofs your ip, they have your account.

Did you purposely ignore my post? You cannot merely 'spoof' an IP, it is a lot more complex than that. Even if you did manage to convince a server you were a different IP, RC uses a TCP socket, the socket would try to open with the spoofed IP, therefore you wouldn't get any return data.

zell12
01-13-2004, 04:38 AM
I'll explain this later, because Fl1p did it on Mithica. :/

Thought
01-13-2004, 05:05 AM
'Fl1p' more likely used a proxy or something like that. Jagen is right, you cannot use spoofed IPs to an advantage.

zell12
01-13-2004, 05:55 AM
You can change your ip to anything you want. How hard is that to understand?

Thought
01-13-2004, 06:07 AM
Originally posted by zell12
You can change your ip to anything you want.
Incorrect.
Originally posted by zell12
How hard is that to understand?
Really hard! As uncle RFC 793 says it isn't possible. :D

Python523
01-13-2004, 07:16 AM
Originally posted by zell12
You can change your ip to anything you want. How hard is that to understand?

You are wrong, Rick and I are right.
Originally posted by zell12
How hard is that to understand?

Plus the fact that Rick specializes in sockets/packets in his Comp Science career, and even if I'm wrong that it's his specialty, he has a pretty damn good understanding of them.

Kristi
01-14-2004, 10:31 AM
Originally posted by Python523
You are wrong, Rick and I are right.

Plus the fact that Rick specializes in sockets/packets in his Comp Science career, and even if I'm wrong that it's his specialty, he has a pretty damn good understanding of them.

I'd imagine the term "pretty damn good" is still an understatement ::thumbs up to rick::

To put it simply Mr. Zell, think of the TCP connection as a physical pipe running from one tank to another. If you sent a request with a spoofed ip saying HEY GIVE ME A PIPE, it's going to think said address requested it, and try to make the connection with that address, instead of you. Even if it was a successful connection, you would be outside that pipe.

Unless you actually owned an ip with the needed range or proxied it (i.e. found some server with that range willing to route your packets), it IS impossible.

And in my opinion, anyone who pays for a server and puts it at such a stupid risk by letting a lvl 4 rc be owned without the password/ip being really protected is a fool, and it would be a tough lesson that they need. It's not graalonline's responsibility to make up for your lack of responsibility.
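
The pipe analogy above, modelled as an added example that is not part of any post: a toy network delivers each packet to the real owner of its destination address, so the server's SYN-ACK and its random sequence number go to the address written in the SYN. The addresses are constructed documentation ranges, and `Network`, `Server` and `handshake` are hypothetical names.

```python
import ipaddress, secrets

class Network:
    """Delivers every packet to the host that really owns the destination IP."""
    def __init__(self, hosts):
        self.inbox = {ip: [] for ip in hosts}
    def send(self, pkt):
        if pkt["dst"] in self.inbox:
            self.inbox[pkt["dst"]].append(pkt)

class Server:
    def __init__(self, net, ip, allowed_range):
        self.net, self.ip = net, ip
        self.allowed = ipaddress.ip_network(allowed_range)
        self.pending = {}  # claimed source IP -> initial sequence number we chose
    def on_syn(self, src):
        if ipaddress.ip_address(src) not in self.allowed:
            return  # IP range check: drop anything outside the allowed range
        isn = secrets.randbits(32)
        self.pending[src] = isn
        # The reply goes to the address written in the SYN, not to its true sender.
        self.net.send({"src": self.ip, "dst": src, "flags": "SYN-ACK", "seq": isn})
    def on_ack(self, src, ack):
        isn = self.pending.pop(src, None)
        return isn is not None and ack == (isn + 1) % 2**32

def handshake(real_ip, claimed_ip):
    """Run one attempt; return (established, IP that received the SYN-ACK)."""
    manager, outsider, server_ip = "192.0.2.7", "203.0.113.50", "198.51.100.10"
    net = Network([manager, outsider, server_ip])
    server = Server(net, server_ip, allowed_range="192.0.2.0/24")
    server.on_syn(claimed_ip)
    receiver = next((ip for ip, box in net.inbox.items() if box), None)
    seen = net.inbox[real_ip]
    if not seen:
        # The sender never saw the server's sequence number, so it has
        # nothing valid to acknowledge and the connection never opens.
        return False, receiver
    return server.on_ack(claimed_ip, (seen[0]["seq"] + 1) % 2**32), receiver
```

A host that really sits inside the allowed range, or a proxy there that relays the packets, completes the handshake normally, which is the exception the post names.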