Looking up players based on an account UUID is a gaping security hole?

What do you call the fact that the Vault has no security? >.>

No security huh? Then how is it a Vault? It's like Superman's Fortess off Solitude in the movies, if you can just walk in because it's designed like it's made out of linkin logs then it's not a fortess.

Sorry just trying to inject some humor

_________________


Thelonius "Prof" Higginsbottom

member of the Guild of Calamitous Intent

"I invented the term the Bevin Generation do I get a spot in Mystlore?"

I suppose it was naive of us to believe that Cyan could & would maintain a safe & secure main trunk and that player-created content (including fixes) would only be added after being tested elsewhere.... but, without licenses for legitimate shards, that doesn't even seem to be part of their plan. I'm beginning to understand some of the frustrations expressed on these forums in recent months.

_________________
OpenUru.org Minkata Test Shard is
OU-Minkata Shard Testers Guide (in laymen's terms)

Just some information.

I think it would be best if people remembered that some people in this community used to run the game servers in Until Uru. A lot of things were learned by doing that and a few people still have all that information. The information has not changed much from then til now.

However, most of that info that has been deemed dangerous has been kept locked away for a long time, and some of it should remain that way. No matter how good the intentions, using player info publicly is wrong.

_________________
BAD is as good as BAD can be.

Visit our new site!

SOUP!

Something to think about...

Players on an account being found this way is only one small thing... They can also find your KI notes, pictures, age progress, when your character was created and when you last logged in. And with the vault in it's current state it wouldn't be that hard to go in and change all that information.

_________________

Yep. I've said as such... I'm not that surprised at times, I guess Cyan never really thought about us reverse-engineering the protocol and going from there. The way they're handling user ages and the like is more than indicative of that. Not surprised either.. they make games, they make worlds, it's what they do. Not this stuff.


Of course, as I said, pandora's box, genie in the bottle, etc etc. No matter how long we've known this, the fact that it's doable has now been fully public. Although I knew it would happen from the point I first bumped into OHBot. What gets me though is just how much control over the vault the client has in this game.. I guess Cyan didn't expect a lot of people playing either, where they could moderate what went on. Unfortunately we seem to have a lot of dedicated people here who can and will dig the thing apart and rebuild it happily, in a true example of the hacker ethos. (and to anyone who thinks I'm saying it's bad, you have no idea what I'm talking about). The biggest problem then is what happens when people who *aren't* of good intentions get at it.

But I also realize I'm coming late to the party.. and these discussions I was reading months before were about this stuff and not in a hypothetical sense. Hm.


Out of curiosity, how secure IS the vault? Is it easy to find/change details associated to another player, or does it involve getting privelaged access to the database at some level? Or can anyone using the libraries go and mess with stuff of another avatar now?



Well, you know now why Cyan hasn't said anything about this. They're in panic and decision mode, because it's come up, and worse I doubt things have changed in MQO either. How doable would it be to just slap a good encryption to the protocol and make it so unless you could crack the key you'd be unable to get at anything? Would it even help anymore? Or do we need a full redesign this time to add locks to the doors so to speak?

_________________
You know, I wish we would learn Atrus loved the 1812 overture, and in turn we had a copy for our relto.
That's right, a canon canen cannon!

MOULa KI: #00027582
Welcome back all!

JWPlatt Is On Your Ignore List.

Just because you can, doesn't mean you should.

_________________
Caution: Objects in mirror are dumber than they appear.

Gondar wrote:

Out of curiosity, how secure IS the vault? Is it easy to find/change details associated to another player, or does it involve getting privelaged access to the database at some level? Or can anyone using the libraries go and mess with stuff of another avatar now?

Well, you know now why Cyan hasn't said anything about this. They're in panic and decision mode, because it's come up, and worse I doubt things have changed in MQO either. How doable would it be to just slap a good encryption to the protocol and make it so unless you could crack the key you'd be unable to get at anything? Would it even help anymore? Or do we need a full redesign this time to add locks to the doors so to speak?

The network protocol is encrypted, the keys are in the UruExplorer.exe file. Once you have the keys, you can establish an encrypted connection. You just have to watch what the client sends, and then emulate that. We have external KI chat working, we know how to connect to the servers and send messages.

As far as Vault privileges... Once you are connected to the AuthSrv, have signed in with your account, and set an active player by KI number, you have all vault privileges. There is no permissions system, anyone who is signed in can change any node in the Vault.

As a note, Cyan has been informed of these sorts of issues as we were writing code for prpl-uruki.

Heaven wrote:

Just because you can, doesn't mean you should.

I agree (for the most part), but that won't stop people who want to cause trouble.
I say "for the most part" because if it is handled carefully, the potential for fan storylines becomes huge. Uploading KI images of fan Ages, or charts of an IC experiment are highly useful for keeping people interested in the game.

Woooh. Wow. Full access? Uhm. Wow. I mean, really.


I.. wow. Gimme a minute to get the full scope of this. Holy cripes.


Yeah, I admit I'm behind the times and probably a bit doomsaying about stuff that's old, but really.. while the techniques aren't new and are known by now, I personally figured for instance that you could get at a few of your access and everything doable was vault-side and had to be worked in, hence vault manager as a tool (not that I know how it works which is probably part of my ignorance on this). I figured a client would be able to get at the stuff relating to the avatar it was using and nothing more, and that the client wouldn't try because it couldn't do it.

Now I find out the ability of the game, and realize that we've had so long without anything going on because people either haven't fully released findings or the game just hasn't been big enough to be noticed in some level. If WoW had had this going on you can BET there'd be things.. but WoW has a grind and a reason to do that sort of stuff. SL in turn has an actual cash economy at some level (which I personally think is colossally stupid but that's neither here nor there).

Well. Huh. In that case I guess Cyan isn't in panic mode, they've been wondering what to do the whole time. Wow.


Out of curiosity, why haven't some of these things been published until suddenly all now? Was it all known and ready during MOUL but nothing done because they had cash going and you were quietly looking into the game? And now being free you're slowly releasing publish-worthy versions of pre-made code? Because I can't help but notice how many of these little things have come out in a few months already, implying it was all there.


Huh. You think you know a game...

_________________
You know, I wish we would learn Atrus loved the 1812 overture, and in turn we had a copy for our relto.
That's right, a canon canen cannon!

MOULa KI: #00027582
Welcome back all!

During MOUL, we were still mostly interested in PotS for Age Creation, so aside from keeping up with the PRP file changes, we didn't care about network stuff.
We looked at it a bit when MOUL shut down, for the possibility of Alcugs-like servers, but didn't make much progress/didn'tput a lot of effort into it.

Things are only being "released" now so to speak because prpl-uruki is making progress. libHSPlasmaNet was only written in the months after MOULa opened, once we knew we'd need it for to handle chat. The AuthClient code has been publicly available since February 23rd.

Now, as "fun" as it might sound, we want this fixed. Many of us ran UU shards and know that one mistake can kill the entire Vault, and we do not want to see that happen. Yesterday I discovered that my "set avatar offline when disconnecting" code actually deleted the avatar from the Vault. Oops, guess I start a new player. It is important that something be done to make sure I (or anyone else) couldn't accidentally delete someone else's player.
It would also be great if we had a test server where the Vault could easily be reset with no hard feelings.

Last edited by Paradox on Tue May 04, 2010 8:07 am; edited 1 time in total

JWPlatt Is On Your Ignore List.

Gondar wrote:

Woooh. Wow. Full access? Uhm. Wow. I mean, really.


I.. wow. Gimme a minute to get the full scope of this. Holy cripes.


Yeah, I admit I'm behind the times and probably a bit doomsaying about stuff that's old, but really.. while the techniques aren't new and are known by now, I personally figured for instance that you could get at a few of your access and everything doable was vault-side and had to be worked in, hence vault manager as a tool (not that I know how it works which is probably part of my ignorance on this). I figured a client would be able to get at the stuff relating to the avatar it was using and nothing more, and that the client wouldn't try because it couldn't do it.

Now I find out the ability of the game, and realize that we've had so long without anything going on because people either haven't fully released findings or the game just hasn't been big enough to be noticed in some level. If WoW had had this going on you can BET there'd be things.. but WoW has a grind and a reason to do that sort of stuff. SL in turn has an actual cash economy at some level (which I personally think is colossally stupid but that's neither here nor there).

Well. Huh. In that case I guess Cyan isn't in panic mode, they've been wondering what to do the whole time. Wow.


Out of curiosity, why haven't some of these things been published until suddenly all now? Was it all known and ready during MOUL but nothing done because they had cash going and you were quietly looking into the game? And now being free you're slowly releasing publish-worthy versions of pre-made code? Because I can't help but notice how many of these little things have come out in a few months already, implying it was all there.


Huh. You think you know a game...

I think you misunderstand some things. It's not easy to crack the encryption and access the vault. It's easy to some, but these people are few and far between within the community. Sure a skilled programmer, from outside the community, wouldn't have to much trouble, but then why would they bother?

How to decode the encryption isn't released. It's shared knowledge to those who wish to use it, and know who to ask, but it's not sitting on a web page for anyone to jot down and hack into Cyan's server in under an hour.

What Tagh had done, was wrong, in my opinion. As Heaven stated, "Just because you can doesn't mean you should." I feel that presenting any information form a persons Uid is wrong and when Until Uru was running it was always an agreement between all of the admins of the shards that no game information should be released publicly about anyone. I feel strongly that that idea should remain respected as Open Source continues.

If someone is doing something wrong, you can inform Cyan just as easily as posting publicly peoples info. The advantage to contacting Cyan is they can handle it without causing this type of unneeded controversy.

_________________
BAD is as good as BAD can be.

Visit our new site!

SOUP!

Seriously, guys.. What about the GOOD things these people have done, eh?

Like.. I dunno...

*FIX* the kahlo pub memorial?

Teach RAWA some things about the vault? How to do things?

Oh, sorry, these people are completely irredeemable, I forgot.

Well get this, these people are probably the best people you could hope for. They actually give a flying freck-a-roonie about this game. And they're doing their darnedest to protect things, by the by. If people who actually wanted to harm Uru, to "kill uru" were doing this? Uru would be Deader than Dead. Its a fairly good sign that these guys are on /our/ side, innit? Because we wouldn't be able to play right now, if they weren't.

In the older versions of Uru, at least it pretended to have permissions. So, yeah. As much as they'd like, I'm pretty sure the ball is in Cyan's court to fix this stuff. At least, until open source happens.

You people screaming about how horrible these people are, should be ashamed.

EDIT: Note, I do not speak for these people, but damn, I respect them.

I respect those people but I don't agree with publishing the names of all the avatars someone has.

Unless of course this person gave permission for it, or this person is the one who posts them...

_________________
It's a video game...