451

I will not be connecting to any server that either you or Ivin control. Both of you are people who I personally would never trust to have my IP address and things. If Ivin can really hack passwords and crap, or if you can, or both, that's one more reason to stay away from this game. This is one that I'll never be playing unless I know the person who is running the server. And given that Ivin removed custom servers I don't think that's going to happen.

I am the blind jedi, I use the force to see. I am the only blind jedi.

Thumbs up

452

First of all, the password files are encrypted. While it is likely that Ivan has the key, he can get the password, but I have no control over it.

R.I.P Melinda Cook.

Thumbs up

453

It's not that hard to actually get anyone's IP address really these days. Can I get the password for your account? Yes I can, but that's pretty much with in itself. I know how to decrypt the password because, well, I wrote the code to log in. Would I? No, unless you requested the password to your account.

Ivan

Thumbs up

454 (edited by Lucas1853 2017-11-14 19:55:53)

It doesn't really matter if anyone gets your IP. It's easy to get IP. What you should really be worrying about is passwords, especially if they are encrypted, not hashed. I'm not an expert on the matter, but I'd really recommend hashing the passwords, not encrypting them with a key that can be seen in the code. What if someone you didn't trust got access to your server and code and decrypted the password files with the key? When they are hashed, it's harder for script kiddies to get at them because it's not as simple as running the string_decrypt function on the file contents.
Edit: See this: https://nakedsecurity.sophos.com/2013/1 … ds-safely/
Edit 2: Ivan, why are you directly accessing user passwords in the first place? If someone forgets their password, have something automated to change it. When you forget your twitter password, a twitter representative doesn't decrypt your password and send it to you in an e-mail.

Sincerely,
Lucas.
Visit my website at: http://lucasspace.x10.mx

Thumbs up

455

I don't get it why the hell people are so damn sensitive about others finding out their IP addresses. The IP address was never meant to be, has never been, is not, and will never be private. It was meant to be public and will remain that way. It is meant as a method of identifying your computer on a network. If you don't want people finding out your IP address, leave the damn internet -- entirely -- and don't ever come back. No matter what you do -- use a VPN, a secret router, etc. -- people will always find out your IP address.
@453: Are you insane or something? You never, ever encrypt a password with a static key. Hell, you should never, ever encrypt anything with a static key, but no one will ever listen to that one. The point is that you should hash a password with SHA512, Blake SP2, or something else even more secure, and salt it as well. But never encrypt userdata with a key that you can get. That just makes people distrust you even more because they know that you have the key, all the time, and can access their private data without them ever knowing about it. As 454 said, use an automated process that's securely encrypted in all ends to change the password, and ensure that even you, yourself, can never get the key, or manage to de-salt the information. If you have the decryption key then that defeats the entire point of security.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up +1
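The storage scheme posts 454 and 455 argue for, as an added example that is not part of the thread or of the game's code: passwords are kept only as salted, slow hashes, and a forgotten password is handled by a one-time reset code instead of decryption. It is written in Python rather than BGT, and it uses PBKDF2-HMAC-SHA512 from the standard library instead of a single SHA-512 pass, which is a substitution made here; the account dictionary, its field names and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 210_000  # assumed work factor; tune for the server's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex'. There is no key that reverses it."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_code(account: dict, ttl_seconds: int = 900,
                     now: Optional[float] = None) -> str:
    """Create a one-time code; only its hash and expiry are stored server-side."""
    code = secrets.token_urlsafe(16)
    account["reset_hash"] = hashlib.sha256(code.encode()).hexdigest()
    account["reset_expires"] = (time.time() if now is None else now) + ttl_seconds
    return code  # sent to the player's e-mail address, never written to disk


def redeem_reset_code(account: dict, code: str, new_password: str,
                      now: Optional[float] = None) -> bool:
    """Set a new password if the code matches and has not expired."""
    now = time.time() if now is None else now
    stored = account.get("reset_hash")
    if not stored or now > account.get("reset_expires", 0):
        return False
    if not hmac.compare_digest(stored, hashlib.sha256(code.encode()).hexdigest()):
        return False
    account["password"] = hash_password(new_password)
    del account["reset_hash"], account["reset_expires"]  # code is single-use
    return True
```

With this layout, a copy of the server's code and account files gives an operator or intruder nothing to decrypt; the only route to a password is guessing it against the slow hash.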

456

I absolutely don't know why some persons simply get so afraid when someone knows the single bit of hacking. I am not saying that you shouldn't feel completely safe on the net, moreover I have already seen a hacking incident, won't say what server or what game, but let me just say that he was not just able to log in as a dev, he was even able to hide his IP, even we weren't able to find out his computer ID.
But back on topic, only thing that you can find out from somebody's IP is their location, and the tool in BGT by Sam wasn't very accurate the last time I checked it. Anyway, you don't expect a 17 year old guy coming at your house just because what. You are playing his game? Oh my.

Aleksandar
My search criteria on audiogames will never be the age of the developer, whatever someone else may say.
If you wish to contact me, please do it by email or any other way in my profile.
And, give me a thumbs up, that keeps me motivated to do stuff, even if I can't do any stuff.

Thumbs up

457

Agreed with biggun. Guys, can we please stop freaking out about security? That’s not what this topic is here for.

Thumbs up

458

Not just that, but hacking is not easy, and if you're actually focused on security as one of your primary motives when making your game, the likelihood of a gamer fully managing to breach every security measure is not very high. It'll always be there.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

459

Agree with hashing everything you can. That is the way I handle my passwords, the ones I have a say in, and even more so now with people whispering of how Ivan might try to hack my VPS. It's whatever. I never tamper with userdata on my servers, and that is how it will always be. I will never touch anything in the chars folder or players folder or whatever the thing calls them. If someone forgets their pass I won't look at their password, tell them to make a new account, give them back their old inv and that is that, remove the old folder of their user and done. Charlie knows how I handle my servers, so does big gun and I am sure many others.

R.I.P Melinda Cook.

Thumbs up

460 (edited by blink_wizard 2017-11-17 04:22:02)

First of all, the old server is discontinued so I shouldn't trust it because it won't get the security update. I'm working on an e-mail reset system so you can request a reset code for your password. I'm also working on hashing your key, so it's harder to view the password. Players who have forgotten their password can no longer request a password, they will have to change it and create a new one. As for the other point Mr. Ernie wrote, once I was on TK and he was talking about giving themselves items after me killing the /give command by editing their inventory .usr files. On another note I have spent about 2 hours recoding a lot of the server's problems when it comes to BGT runtime errors. I will admit I'm not so great at fixing them, but it's a work in progress.

Ivan

Thumbs up