Dec 22nd, 2014
RE: Sartax destroying TWC ?

Ok, so a few years ago GUID stealing was very popular and we had to deal with people abusing the fact that all admin commands are tied to the GUID. Back then there were two things we did to deal with that.

1. We removed all sensitive commands from all levels (including 999). For some parts, I think, this is still the case today, and we always discourage people from using @all without any constraints. People liked to wreck our user and level databases, so we simply removed all those commands, so they were available via RCON only.

2. We taught people to conceal their GUIDs. The thing is that people can only 'steal' your GUID if they know it. There are a few ways of obtaining the GUID, but for most parts it's possible to prevent people from finding out about your GUID. First of all, every server you visit will know your GUID. If you can't trust the server owner (be it malicious activity, or simply incompetence), you shouldn't visit the server with the GUID that you use in TWC. Then !userinfo and !finger (if I am not mistaken) will show the complete GUID. That is why some years ago we removed those commands from the lower levels to prevent any leaking of GUIDs. The last thing, and this is what appears to have happened here, is if someone manages to get a copy of the user.db, because that one obviously contains all GUIDs. It's actually close to impossible to prevent the last thing, because - over time - there will be several people having access to the server files (i.e. supremes).
So that was a few years ago, before we developed the authenticator that is supposed to prevent this from happening. While it doesn't actually prevent GUID stealing, it mitigates the risk as it prevents the offender from using any !commands. That is the theory, and that is what appeared to be working flawlessly for quite some time now.

Apparently, the hackers (I refrain from naming them, because I don't actually know any of them and dislike accusations that I cannot provide proof for) managed to obtain a copy of the QMM plugin that implements the authentication process. It was reverse-engineered and they found a way to bypass the authenticator in such a way that they can freely use commands with stolen GUIDs.

Now there are two possibilities that came to my mind. They either managed to find a way to make the authenticator think that they are in fact authorized to use !commands. This implies that they found a way to completely bypass the authentication process.
The second option would be that they found out how to prevent the authenticator from suppressing their commands even though they are not authenticated.
Either way, I won't be able to look out for the problem in my source code until I get back by the end of this week.

So for now there are two options:
1. Go on like this for now (i.e. let some people have RCON, set everybody level 0)
2. Let all high admins generate new etkeys, and prevent anyone from getting ahold of those (see above).

Ideally, I will find the problem and manage to fix it. At that point I could restore the user.db to reset all levels and XP (remember to make a backup of your old etkey, if you change it, so you can go back to your old GUID as well).
As a final note I'd like to make very clear that I do not want anybody to try to go for any retaliation. This is not the level that we deal with our problems on. No matter the cause, if anybody is found to hack other clans in the name of TWC (or any other), we will remove that person from the clan, as we have always done. We don't endorse or support such actions.
If you have any other questions regarding this, feel free to ask.
(I might add another post later today or tomorrow to address the other problem "trying to destroy TWC").

-- Ligustah