Bob Haxzored Psinet?



Gan
11-22-2005, 10:06 AM
I heard on psinet yesterday that Jamus had to ban Bob from psinet because he broke in and, disguised as Chica, started silencing folks.

Fill us in Bob?

Asha
11-22-2005, 10:08 AM
Why disguised as Chica?
Nice one for hacking Psinet though. That's hot.

Gan
11-22-2005, 10:10 AM
Chica is a mod for psinet, who has the ability to silence.

Leetahkin
11-22-2005, 10:46 AM
I didn't realize psinet had mods. That system was so new to me.

Makkah
11-22-2005, 11:06 AM
HHHAHAHAHAHHAHAHAHAHAHHAAHAH

:sleep:

Bobmuhthol
11-22-2005, 11:12 AM
:(

What can I say? I got caught long after the act, and now I'm force uninstalled and living with it.

Miss X
11-22-2005, 11:12 AM
...

I don't use PsiNet, I was a mod when I did use it but I stopped using it months ago.

Bobmuhthol
11-22-2005, 11:12 AM
That's why I logged in as you. You told me you didn't.

Miss X
11-22-2005, 11:14 AM
ROFL. I thought it was weird when you asked me about not being logged on.

Bobmuhthol
11-22-2005, 11:15 AM
Yeah, I was looking for a leftover mod that wouldn't be logging into PsiNet. All the other ones were active users.

Gan
11-22-2005, 11:22 AM
[OOC]-Jarod-UL: "I'm really upset, actually. I had to ban bobmuhthol."
[OOC]-Breosaighit: "why?"
[OOC]-Varule: "why ya ban bob?"
[OOC]-Shaelun: "... I hope you aren't asking me if you're eligible for bash.org, lol; no clue"
[OOC]-Jarod-UL: "I caught him hacking. Again."
[OOC]-Varule: "lol"
[OOC]-Breosaighit: "hacking what? the psinet server?"
[OOC]-Jarod-UL: "The third time's the charm, you know?"
[OOC]-Varule: "he try to deny it?"
[OOC]-Breosaighit: "what was he tryinf to do?"
[OOC]-Midgar: "Hacking, or "hacking" lol"
[OOC]-Jarod-UL: "Yeah, he was posing as chica and silencing people."
[OOC]-Varule: "what is a chica?"
[OOC]-Breosaighit: "i've been coughing and wheezing and hacking all morning :)"
[OOC]-Jarod-UL: "Probably more "hacking," Midgar, but the distinction stands."
[OOC]-Jarod-UL: "Chica was one of the moderators of OOC"
[OOC]-Breosaighit: "aw, that's kinda funny, but it still sucks"
[OOC]-Varule: "i woulda assumed he wasy trying to steal the code"
[OOC]-Shaelun: "I honestly wonder why he did that. I mean, it's not like he stood to gain anything... oh well. Probably just didn't think it through that far"
[OOC]-Midgar: "I just got into my friend's account with my mad hax0rz.........I mean their acc. name/password."
[OOC]-Radamanthys: "they leave it stored on yer system, or something?"
[OOC]-Radamanthys: ":-D"
[OOC]-Midgar: "Next I will attempt to hack this pr0n site with my parent's credit card."
[OOC]-Shaelun: "Dude, you have no clue how much shit I got when I was banned for that. I'm really sorry I was so nasty when you made that joke in reference to me, Midgar, lol..."
[OOC]-Varule: "banned for what?"
[OOC]-Midgar: "Well, I had no idea you'd actually be accused of it"
[OOC]-Midgar: "been*"
[OOC]-Shaelun: "Oh, I was... a little too loose-lipped about sharing information while trying to research how to make Lich work with PsiNet. Frankly, I was just plain stupid; I mean if I had known then what I know now, I wouldn't have had to ask -- but I was still learning. Ciel misunderstood and thought I meant PsiNet harm. So I was banned"
[OOC]-Jarod-UL: "It was largely a misunderstanding."
[OOC]-Wrexem: "Clerics in illistim?"
[OOC]-Jarod-UL: "I wish I could say the same about Bob."
[OOC]-Midgar: "My uncle hacked my email once...with my security question answer."
[OOC]-Jarod-UL: "I asked him, "How, exactly, did you think I would react when I found out?""
[OOC]-Jarod-UL: "And he says, "I honestly didn't think you'd find out.""
[OOC]-Ragonik: "What did Bob do?"
[OOC]-Varule: "lol"
[OOC]-Midgar: "Damn you mother's maiden name!!!"
[OOC]-Endorian: "well, he did it to himself, jaro"
[OOC]-Varule: "bob is a cocky one"
[OOC]-Varule: "i know i would probably quit playing once psinet dies"
[OOC]-Jarod-UL: "I REALLY like Bob, is the worst of it, lol"
[OOC]-Shaelun: "Bob is just plain weird. I mean he's so quick to chew someone out if he can't imagine what their basis for an opinion is, yet he's such a... nice, guy..."


And then the conversation changed direction and either I missed any convo afterwards or there was none of note.

ElanthianSiren
11-22-2005, 11:38 AM
You know, I get the sense from Jarod's conversation we should all be pissed about this, but I'm laughing.

-M

Terminator X
11-22-2005, 01:31 PM
Let me simply say, for the record, as much as Bob likes dying pin-worn containers puce, the person he silenced deserved it so fucking hard that it's *scary* ...

- The Termite

Bobmuhthol
11-22-2005, 01:35 PM
At least I did someone a civil service with my hack.

Hips
11-22-2005, 01:36 PM
Who was it that you silenced?

Bobmuhthol
11-22-2005, 01:38 PM
Atreau.

Hips
11-22-2005, 01:41 PM
You should have been given a medal.

Bobmuhthol
11-22-2005, 01:46 PM
I banned him from OOC on October 21 for vulgar and incessant derogatory remarks against homosexuals. He was unbanned later that day.

On November 20, I was banned from PsiNet permanently.

Terminator X
11-22-2005, 01:50 PM
At least send Jamus a log-file of the diarrhea he was spewing prior to your necessary silencing of him. I dunno :thumbsdown:

Gan
11-22-2005, 01:52 PM
Awww, Bob was canned on my birthday.

Was it a specific IP ban? I thought there were ways around that, at least using IP masking or being on with an alternate character.

I'm sure there's a way around it, and I'm betting Bob knows a way but is being quiet as a mouse so he won't let on that he's not as banned as Jamus would like for him to be.

Wezas
11-22-2005, 01:56 PM
Hopefully it's an entry buried in the registry somewhere that would be difficult to find/remove. But who knows.

Or wait, isn't it linked to logon id?

[Edited on 11-22-2005 by Wezas]

Makkah
11-22-2005, 02:36 PM
ROFL... like he only silenced one person...

Let's be serious.

imported_Kranar
11-22-2005, 02:48 PM
<< I'm sure there's a way around it, and I'm betting Bob knows a way but is being quiet as a mouse so he won't let on that he's not as banned as Jamus would like for him to be. >>

The same way he logged on as Chica is the same way he can overcome the ban.

Heck, I could log on to PsiNet named as Jumiliojo if I felt like it, or just make up some name and log on to PsiNet making it think that I'm a Gemstone character.

Anyone can check how PsiNet works just by using a program like Etherdetect, and you can see that it is just plain text, entirely insecure. You can make PsiNet believe you're anyone you want, just using plain text. You can use telnet, the most basic of basic internet programs, to log on to PsiNet and tell it that you're a new Gemstone character named Joey, and because it's entirely insecure and just uses plain text, it will believe you and won't resist your connection in any way.

Having such an insecure network with so many people logged onto it is rather irresponsible, and while Jamus can be grateful the worst anyone did was log on as an old mod and silence people, he should be warned that the security risks he poses to all his clients are far greater.

Tova
11-22-2005, 03:05 PM
Third time is what Jamus said...fuck him ..he deserves to be banned. Doesn't matter who he silenced. Jamus was kind to keep giving him chances.....He blew it. He proved himself unworthy of trust. That is all.

crazymage
11-22-2005, 03:33 PM
love how jamus 'caught him' a month later..

Shaelun
11-22-2005, 03:49 PM
I hope this is taken as purely a statement of information, as opposed to a moral judgement one way or another, because that's how I mean it -- nothing more than a pointing-out of fact: PsiNet was semi-recently (within the past couple of months) updated to use key files, and also no longer works off of plain-text.

Jamus has not detailed his method, nor do I think he should (there's a difference between responsible disclosure of a program and its weaknesses, and just plain begging for somebody to come along and break your program). Also, bear in mind I've spoken to him only briefly about the matter, but I get the impression it's very secure now and uses a written-from-scratch method of encrypting data so that the issue Kranar raised is no longer a concern.

I'm in no way involved with PsiNet or its development, but I thought the info was worth stating all the same.

Viridian
11-22-2005, 03:53 PM
Eh If Bob silenced Atreau he should be given an award for public service. Not blocked from Psinet.

I can understand Jamus' reasoning, but still Bob did something good.

[Edited on 11-22-2005 by Viridian]

Bobmuhthol
11-22-2005, 04:13 PM
<<Third time is what Jamus said...fuck him ..he deserves to be banned. Doesn't matter who he silenced. Jamus was kind to keep giving him chances.....He blew it. He proved himself unworthy of trust. That is all.>>

You truly have no place in this discussion. If your entire post's base is "is what Jamus said," keep it to yourself or speak to Jamus about it.

<<ROFL... like he only silenced one person...

Let's be serious.>>

I silenced/unsilenced a few people. I banned/unbanned Atreau.

<<Hopefully it's an entry buried in the registry somewhere that would be difficult to find/remove. But who knows.>>

I'm not going to help people overcome Jamus' security, but I will say that it's not as difficult to find as you would think. Or at all.

<<was it a specific IP ban? I thought there was ways around that, at least using IP masking or at being on with an alternate character.

I'm sure there's a way around it, and I'm betting Bob knows a way but is being quiet as a mouse so he wont let on that he's not as banned as Jamus would like for him to be.>>

It's a character ban. Anyone who logs in as Bobmuhthol will have PsiNet automatically force uninstalled. If it was an IP ban, it would be just about the easiest thing ever to overcome.

I have not since reinstalled PsiNet and I do not plan to do so while under the effect of a ban. I do absolutely know how to bypass the ban, as I've clearly shown by hacking PsiNet on numerous occasions. I'm simply not doing it anymore, though, so don't expect to see me around.

<<but I get the impression it's very secure now and uses a written-from-scratch method of encrypting data so that the issue Kranar raised is no longer a concern.>>

The issue Kranar raised is very much a concern: you can log in as anyone, provided they do not have a key or you are in possession of it.

<<Or wait, isn't it linked to logon id?>>

Again, character. It's pretty impossible to force uninstall someone based on their PsiNet account. I won't detail why.

<<At least send Jamus a log-file of the diarrhea he was spewing prior to your necessary silencing of him. I dunno>>

I didn't hack Chica so I could ban Atreau. I hacked Chica so I could be Chica and have mod abilities. I'm not going to justify it to the person I hacked by saying I did him a favor, but I will remind him that I never leave any damage.

Shaelun
11-22-2005, 05:41 PM
Sorry, dunno how to do the quotation bit (hooray, this is my 100th post... no wonder I'm clueless, eh), but by Bob:

"The issue Kranar raised is very much a concern: you can log in as anyone, provided they do not have a key or you are in possession of it."

Now we're friends Bob, you know I enjoy your personality, but... I deliberately avoided saying that. It's a little more info than is necessary to point out, ya know.

There is no way, no way at all, to allow a player to link to PsiNet without some sort of PsiNet-exclusive "signup" business, and *not* have this be an issue. I spend most of my time pondering things, and I cannot think of a single way (not one that doesn't involve intrusive tracking of stuff like hardware ID -- BTW, fuck Microsoft, lol).

The encryption I was referring to is a randomly-generated 'key'. It's something like SSL (Secure Socket Layer), I *think*, but again, I spoke only briefly to Jamus about it...

The basic idea is you connect to a computer, randomly generate an encryption cipher, pass that to the remote computer, and then both computers use that to encrypt/decrypt any data they send/receive. With an encryption cipher of any decent length, it's virtually impossible to decode the data unless you have the cipher that was used to encrypt it (it's possible, but a desktop-level computer would probably still be working on it when you died at the age of 120).

That's my impression of its security, and I just don't know of any way to make something more secure than that (not saying there isn't one, but I'm unaware of it).

It's also free software, don't forget, so... shrug

Bobmuhthol
11-22-2005, 06:05 PM
<<It's a little more info than is necessary to point out, ya know.>>

It's the epitome of why I was banned. Under normal conditions, it's not something I would announce. These are not normal conditions.

<<There is no way, no way at all, to allow a player to link to PsiNet without some sort of PsiNet-exclusive "signup" business, and *not* have this be an issue.>>

Unfortunately, you're right.

<<The encryption I was referring to is a randomly-generated 'key'.>>

Which ends up being a plain-text file that need only be accessed once to gain entry to a PsiNet account. It's about as useful as a user-defined password that's saved onto someone's hard drive, and whoever wants it knows exactly what path to look for. It's very unlikely that someone would hack another person for their PsiNet key, but the possibility is there. Additionally, it's possible to impersonate someone who is logged into PsiNet in the communication aspect of the program. That's something Jamus could definitely fix if he had to.

Caiylania
11-22-2005, 06:19 PM
I think you are handling it in a pretty responsible way, Bob. Ironic that even Jamus didn't want to ban you though ;)

imported_Kranar
11-22-2005, 06:30 PM
<< There is no way, no way at all, to allow a player to link to PsiNet without some sort of PsiNet-exclusive "signup" business, and *not* have this be an issue. I spend most of my time pondering things, and I cannot think of a single way (not one that doesn't involve intrusive tracking of stuff like hardware ID -- BTW, fuck Microsoft, lol). >>

That's not true at all. SSLv3 is a standard internet security protocol. It is the most commonly used protocol for doing simple things like logging onto a website, to very private things like sending out credit card information.

The details on how SSLv3 works are public, well researched, and well known, and absolutely anyone can read about every single detail they want to know about it. There are so many APIs that implement the SSLv3 protocol, the C/C++ one being available at www.openssl.com; Java has an implementation of SSL as part of its standard library, and so does Python with its networking library.

The poorest form of security is secrecy. The SSLv3 protocol is secure because even though everyone knows how it works, what it does, and how it's implemented, it is still the most secure form of network encryption available.

Trying to keep a system secure by keeping it secret is nothing more than a recipe for disaster. That is why open source software has time and time again proven to be more secure and robust than closed source.

Anyhow... if PsiNet is made in C or C++, then Jamus should head over to www.openssl.com and begin taking the security of his network very seriously. If it's in Java... which is naturally a far more secure language for network development, then the following site details the implementation of the SSLSocket that comes as part of the standard Java Platform:

http://java.sun.com/j2se/1.4.2/docs/api/javax/net/ssl/SSLSocket.html

Otherwise, he can continue using bootleg security measures and trying to keep them a secret, and then throw a huge fit when a GameMaster warns Simu customers that PsiNet is an insecure system and to be very careful when using it.

[Edited on 11-23-2005 by Kranar]

Shaelun
11-22-2005, 06:47 PM
I apologize if my statement was ambiguous, I said 'key' because I didn't expect most people to have any clue what an encryption cipher is. I didn't mean the actual PsiNet key file.

I also agree completely that secrecy is the worst security measure there is. And since I'm apparently wrong about PsiNet's data encryption, disregard most of what my post said. I guess I got the wrong impression from talking to him: I didn't mean to spread misinformation, sorry.

One bit of your response is of particular interest to me though, Kranar, not only since I'm running a chat server now, but also just because I've given it thought and can't think of a way to do it (one of these days my curiosity is going to kill me): how do you distinguish between a valid character name that is indeed a player in the game, and someone who just makes up a character name and sends the server the information?

What I meant is that I don't know of any way to allow a player to link initially, generate their key, pass that to the client on their computer (so that their name is safe and can't be stolen by someone)... and still not require someone to "signup" to use the server and somehow verify that the name they provided does indeed exist...?

A link to the basic concept would be enough, if you have one handy; I don't like asking people to spend their time teaching me unless it's something they enjoy doing, so really anything that would give me enough to be able to google it or something would be great.

imported_Kranar
11-22-2005, 07:10 PM
There is no need to store a unique key for every character and then force every character to have this key to logon to PsiNet.

All PsiNet needs to ensure that it is as secure as the most secure websites on the internet is to use SSLv3 or TLS 1.0. It can continue to exist as it existed before, without the need for a character key or any other bootleg hack. All SSLv3 will do is sit as middleman between the TCP protocol and the PsiNet protocol, so you don't even need to do much to change the program in the first place.

SSLv3 handles how to safely and securely send over all the authentication and certification it needs to establish a robust connection. And while sure... technically some wild maniac could hack it, to date it has proven to be secure enough for even online casinos to use it, and casinos always use the most advanced forms of security.

http://www.openssl.org for details on how the SSLv3 protocol works, and it's not like this is some crazy thing to use and implement. It's crazy if you want to learn how it works and how it's programmed, but if you just want to use it to secure your network, it's as easy as any other network programming. All you do is, instead of using a normal SOCKET a la WinSock or UnixSocket style, you use an SSLSocket. Instead of using the insecure read/write functions, you use the SSL versions of them. You could convert a server from being entirely unencrypted to using SSL over a weekend just by going through your code and doing a Find/Replace on all network related functions.

This stuff has been available for years, and I suppose you can say I am peeved that when a while ago a GM warned of how insecure PsiNet was, instead of Jamus taking the time to prove that GM wrong and resolve the security issues, Jamus threw a huge hissy fit, logged into Gemstone and demanded to speak to that GM mano-a-mano.

I guess programming into PsiNet ways to worship himself and make himself feel like a God was more important than finding ways to secure his network and the people who use it.

[Edited on 11-23-2005 by Kranar]

Gan
11-22-2005, 07:11 PM
So some of what Kranar just said might help someone in obtaining a lost key rather than wait 8 weeks?

Interesting.

Bobmuhthol
11-22-2005, 07:14 PM
<<So some of what Kranar just said might help someone in obtaining a lost key rather than wait 8 weeks?>>

I know nothing about security, but what Kranar is proposing eliminates the need for keys whatsoever.

OreoElf
11-22-2005, 07:21 PM
Originally posted by Bobmuhthol
Atreau.

Bob... you're my hero!

Shaelun
11-22-2005, 07:23 PM
Uhh... I don't know... how to respond to this without bordering on what I'd call "irresponsible divulging of information."

... no, I just can't think of a way to explain what I meant without blatantly explaining how someone would actually do it.

I didn't mean to imply one way or another that Jamus has acted rightfully or wrongfully.

.......

You know what, screw it: how can the server know that you're a real player using the software to connect, instead of some guy typing away at a virtual console using netcat or telnet or whatever? SSL doesn't solve that problem, does it? I'm reading it, but so far I don't see anything except reliable data-encryption at the kernel level... forgive me if I'm wrong and just haven't come across the info yet, but that does nothing to verify that you didn't give it a fake name to encrypt...?

imported_Kranar
11-22-2005, 07:50 PM
<< You know what, screw it: how can the server know that you're a real player using the software to connect, instead of some guy typing away at a virtual console using netcat or telnet or whatever? SSL doesn't solve that problem, does it? >>

SSL/TLS does solve it. If you, or anyone on the face of this planet, are genius enough to sit at a keyboard, open up telnet, and can somehow encrypt 128-bit encryption keys, you belong with the NSA.

The idea is this... first allow SSL to establish a safe and secure connection between the server and the client. Once this encrypted connection is established, let the client send over what character he plays. Let's just say I want to connect to PsiNet as the character Kranar...

The unsecured way is to just find out how PsiNet's protocol works, and then open up telnet, and emulate this procedure using the keyboard or with the assistance of another program. Then when it comes time to tell PsiNet who you are, you just type in your name. That's how easy PsiNet used to be to impersonate someone else. It has changed with this new character code system but the principle remains the same.

Under a secure SSL/TLS system... first you establish the secure connection. That's stage one, if that connection can't be authenticated (because you're not connecting using the PsiNet client for example and instead trying to connect using Telnet or some PsiNet emulator), then the connection terminates right then and there.

Once the secure connection is made, then you can ask for any kind of information you need, character name, the game you play (Gemstone, UL, whatever). The information is no longer being sent in raw form, it's no longer being sent in a form that someone can simulate using Telnet or some other program. The information is being encrypted using a very secure means. You can't claim to be Kranar or Jamus or Chica because in order to make that claim you must first have gone through SSL's authentication/certification process which verified that you are using the PsiNet client and has verified that all information being sent back and forth is correct/secure.

No more need for character codes, no more need for trying to keep how your program works a secret. You can openly state that PsiNet uses the most advanced form of internet security, that you're as secure using PsiNet as you are playing on PartyPoker.com, and all information that is sent back and forth will remain private.

Bobmuhthol
11-22-2005, 08:05 PM
I'm not so sure that it will prevent my hack. It's not sending information to PsiNet, per se, rather intercepting the connection, substituting the name, and PsiNet reads that name as the Simu character string. Again, I know nothing about security or data transfer, and this could be absolutely incorrect. I am using PsiNet when I hack PsiNet. As far as I know, PsiNet 'reads' the information that's supposed to be sent from Simu in a login instead of it being sent to the PsiNet server directly. Changing the string that PsiNet reads subsequently changes your PsiNet login name. It seems like it would be able to bypass SSL simply because of the way PsiNet was written.

[Edited on 11-23-2005 by Bobmuhthol]

imported_Kranar
11-22-2005, 08:17 PM
<< It's not sending information to PsiNet, per se, rather intercepting the connection, substituting the name, and PsiNet reads that name as the Simu character string. >>

That's because PsiNet reads it as raw text, it just reads a plain name like Kranar, or Bobmuhthol, and if you wanted to, you could change it to read Jack or John, or Chica, heh.

But with SSL or any other encryption for that matter, if you tell it your name is John, Jack, or Chica, well that's not any form of encrypted information and so the PsiNet client would think that it's garbage and not even recognize it. In order to trick the PsiNet client, you would have to change the name from Chica to what Chica would be in encrypted form... say something like "#@!$@#d", of course, since it's encrypted using a 128-bit key, there's no way to know what the name Chica looks like encrypted, or what any name for that matter looks like.

Keep in mind, it's not just the PsiNet server that would require this new type of encryption, the client needs it as well for it to be effective. If you did know how the encryption works on the client, then when you did do your interception, you could send in the encoded name of anyone you wanted. But just substituting one person's name with another won't work. Of course, figuring out what the name Kranar, or Bobmuhthol, looks like in encrypted form using SSL is virtually impossible; in fact it is estimated that using brute-force techniques on some of the fastest computers today would take at least 2 years to crack such a scheme.

[Edited on 11-23-2005 by Kranar]

Bobmuhthol
11-22-2005, 08:52 PM
That makes sense. Encryption wins, I guess.

Mistomeer
11-22-2005, 10:46 PM
It would be nearly impossible to fake out the SSL connection, and if you could do that, you'd be much better off spending your time taking on e-commerce sites.

I think it's rather funny when you consider that Jamus has downplayed security concerns with Psinet for a while now only to ban Bob for hacking it, if you even want to call it hacking. It's more like withdrawing money from someone else's bank account without showing any ID.

Shaelun
11-22-2005, 11:27 PM
... I still can't see how this would work unless Simutronics also supported the encryption. I mean, the... well the details aren't important.

Obviously I could be wrong, but... I don't see how encrypting the data between a chat server and the chat client has any influence whatsoever on what the chat client is told by the Simutronics server (unless the Simutronics server also supported encryption).

At this point, I have to admit I don't agree, but I'll be the first to admit I don't know everything, so... gonna research it more.

imported_Kranar
11-23-2005, 12:18 AM
The Simutronics server has no involvement in this.

The PsiNet client determines who the character is, it can use what it intercepts from the Simu server if it wants, or it can peek at the WizardFE/StormFront's address space to get that information, or it can use whatever means it wants to, to get the name of the character.

If it realizes that the character is "Kranar" or "John" or "Bobmuhthol" then it right away encrypts that name into something that probably looks like "@#$@#$@#TR" and then sends it to the PsiNet server which properly decodes it into the proper name.

No human being could possibly take a name like "Kranar" and encrypt it using SSL's scheme; no human being, or even a human being with the assistance of a computer program, will know how to take a normal name like "Kranar" and encrypt it into something that is understandable by the SSL protocol. If someone could, like it was said, they're better off hacking casinos and milking them of their cash.

So the point is, PsiNet can get the name initially in plain text anyway it wants to, but when it sends it off to the PsiNet server, it will go to it encrypted, and encrypted in such a way that no human being could possibly encode/simulate.

Showal
11-23-2005, 12:32 AM
I guess it begs the question... Can SSL encrypt a scheme so difficult to understand that even SSL itself cannot understand it?

Shaelun
11-23-2005, 02:24 AM
I'm trying really hard not to sound accusative or come off as being rude, but I really think you're missing what I've been getting at (or trying to get at, anyway). Again, my apologies if I'm the one who's mistaken... but what I'm saying is, what needs its security enhanced is that initial detecting of the plain-text name, and I'm unaware of any method of doing that.

It does no good to encrypt the data with the chat server (PsiNet's name keeps coming up, so I guess I'll just use that for the sake of example). No sensitive information is sent. I mean, use any advanced cutting-edge hi-tech encryption method you want... if the name you encrypt is a simple string that can be altered mid-transit, it does no good whatsoever.

The issue is reliably authenticating that the plain-text name detected by the local PsiNet client, is indeed valid (that is to say, not manipulated or 'hacked').

Without server-side support on the part of Simutronics, I don't think it's possible. The name is sent in plain, unencrypted text.

[Edited on 11-23-2005 by Shaelun]

Latrinsorm
11-23-2005, 09:02 AM
Originally posted by Kranar
of course, since it's encrypted using a 128-bit key, there's no way to know what the name Chica looks like encrypted, or what any name for that matter looks like.

Couldn't someone find a name just by guessing though? Certainly getting a mod's name by chance would require an unfeasible amount of time, but wouldn't guessing ANY name's encrypted form not take all that long, and therefore be used to circumvent a ban? I mean, there are only so many characters that can be used and a GS name only has to be 3 characters long, right? It would only require a cursory "find XYZ" to identify the circumventer of course, but assuming one was behaving, one would never be checked up on to begin with.

Or does "128-bit encryption" mean that every input is changed to a string of pseudo/randomly generated 128 characters?

Jayvn
11-23-2005, 10:04 AM
My only question is who is varule that doesn't know chica the happy hobit bouncy etc etc puff. ?

Jayvn
11-23-2005, 10:07 AM
by hobit i meant hobbit

Bobmuhthol
11-23-2005, 10:10 AM
<<The PsiNet client determines who the character is, it can use what it intercepts from the Simu server if it wants, or it can peek at the WizardFE/StormFront's address space to get that information, or it can use whatever means it wants to, to get the name of the character.

If it realizes that the character is "Kranar" or "John" or "Bobmuhthol" then it right away encrypts that name into something that probably looks like "@#$@#$@#TR" and then sends it to the PsiNet server which properly decodes it into the proper name.>>


This is where I'm a bit skeptical as to the true security of this method. You say that PsiNet could use the name sent from the Simu server, encrypt it, send the encrypted key to the PsiNet server to be decrypted and displayed accordingly. My hack doesn't tell the PsiNet server that I'm Chica. It intercepts the connection and changes Simu's character name string so that PsiNet, when reading Simu's string, actually reads my substitution. The PsiNet client, under an encryption system, would simply read the name I substitute for Simu's true string and proceed to encrypt that and send it to the PsiNet server for decryption. I'm not connecting to the PsiNet server via a Telnet or other connectivity client when I hack it: I'm fooling the PsiNet client when I log in so that it thinks the string "Bobmuhthol" is really the string "Chica" and then sends that name to the server for login.
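
As an added illustration of two points in this thread, Kranar's earlier one (a protocol that accepts whatever name is stated lets anyone log on as anyone) and Bob's one just above (encrypting that same string after it has been substituted changes nothing), here is a small Python model of both login designs side by side. This is example code written for this page, not PsiNet's code and not anything Jamus has described; the class and function names, the HMAC-SHA256 challenge-response scheme used to bind a name to a per-character secret, and the random sample keys are all assumptions of mine. The thread only says PsiNet moved to "key files" without describing how they are checked.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example: the secret the server would hold
# for each character.  These are random stand-ins, not PsiNet key material.
CHARACTER_KEYS = {
    "Chica": secrets.token_bytes(32),       # a moderator account
    "Bobmuhthol": secrets.token_bytes(32),  # an ordinary account
}
MODERATORS = {"Chica"}


def login_trusting_name(claimed_name):
    """The name-only design the thread describes: the server believes whatever
    name the client sends.  Whether that string came from the game or was
    substituted before sending makes no difference, and wrapping the same
    exchange in TLS would not change the outcome either."""
    if claimed_name not in CHARACTER_KEYS:
        return None
    return {"name": claimed_name, "moderator": claimed_name in MODERATORS}


class ChallengeLoginServer:
    """Server side of a proof-of-possession login (hypothetical design).

    A name is accepted only together with an HMAC over a fresh server nonce,
    computed with the secret registered for that name, so the identity is
    bound to something the client must hold, not to the string it sends."""

    def __init__(self, character_keys):
        self._keys = character_keys
        self._pending = {}  # session id -> nonce issued for that session

    def challenge(self):
        session = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._pending[session] = nonce
        return session, nonce

    def verify(self, session, claimed_name, proof):
        nonce = self._pending.pop(session, None)  # single use, so no replay
        key = self._keys.get(claimed_name)
        if nonce is None or key is None:
            return None
        expected = hmac.new(key, nonce + claimed_name.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            return None
        return {"name": claimed_name, "moderator": claimed_name in MODERATORS}


def client_prove(key, nonce, name):
    """Client side: demonstrate possession of `key` for `name` without ever
    transmitting the key itself."""
    return hmac.new(key, nonce + name.encode(), hashlib.sha256).digest()


def attempt_login(server, stated_name, key_on_disk):
    """One complete exchange.  `stated_name` is whatever the client ends up
    sending (possibly a substituted string); `key_on_disk` is the key file
    the client actually holds."""
    session, nonce = server.challenge()
    proof = client_prove(key_on_disk, nonce, stated_name)
    return server.verify(session, stated_name, proof)


def replay_is_rejected():
    """A captured, valid proof cannot be reused: the nonce is consumed."""
    server = ChallengeLoginServer(CHARACTER_KEYS)
    session, nonce = server.challenge()
    proof = client_prove(CHARACTER_KEYS["Chica"], nonce, "Chica")
    first = server.verify(session, "Chica", proof)
    second = server.verify(session, "Chica", proof)
    return first is not None and second is None


if __name__ == "__main__":
    server = ChallengeLoginServer(CHARACTER_KEYS)
    bobs_key = CHARACTER_KEYS["Bobmuhthol"]
    print("name-only, stated 'Chica':   ", login_trusting_name("Chica"))
    print("challenge, stated 'Chica':   ", attempt_login(server, "Chica", bobs_key))
    print("challenge, own name and key: ", attempt_login(server, "Bobmuhthol", bobs_key))
    print("challenge, holding Chica key:", attempt_login(server, "Chica", CHARACTER_KEYS["Chica"]))
    print("replay rejected:", replay_is_rejected())
```

In the challenge design a substituted name fails because the client cannot produce Chica's proof with Bob's key, and a captured proof cannot be replayed because each nonce is consumed on first use. It also makes the residual risk Bob raised explicit: whoever holds a character's key file is that character, so the key at rest, not the wire, becomes the thing to protect. Transport encryption (TLS) should still wrap the exchange, but for confidentiality and for authenticating the server; binding the name to the client is a separate job that encryption alone does not do.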

imported_Kranar
11-23-2005, 11:18 AM
<< Or does "128-bit encryption" mean that every input is changed to a string of pseudo/randomly generated 128 characters? >>

Every single input is a string of encrypted 128-bit characters. It's not like you can just type in some garbage like "@#RFDAQD@#" and just by luck it ends up being someone's name. It's also not a 1-1 function, so that "Alf" becomes "XXX", simple encryption that just mangles letters is known as a cipher text, and they're ghetto. Real encryption does everything from mangling letters, rearranging whole sections of data, inserting redundancy/garbage into data, and also makes sure that the binary representation of the encrypted data satisfies a linear equation (often known as a parity check). So the name "Kranar" could end up being 2 characters long, or 50 characters long.

<< Without server-side support on the part of Simutronics, I don't think it's possible. The name is sent in plain, unencrypted text. >>

Why not? Why not just check EXACTLY what Simutronics sends as the character name by looking at the TCP packet sent by the server, and verifying that it did come from the server? Why not just check exactly what the WizardFE or Stormfront have as the name of the character by doing some simple memory peeks (the Win32 API function ReadProcessMemory allows you to read the memory of another process and so you can easily use it to see who the WizardFE has as being logged into the game)? Why not do both to have 2 layers of authentication?

This initial authentication of the character is the easiest thing to implement to be honest. I had no idea this was what you were referring to, as I must say, this shouldn't even have ever been a problem. The problem I was referring to is how to ensure that information to the PsiNet server is coming from the PsiNet client, which is the real security threat, and using encryption solves that.

Just knowing who the character logged into the game is... that's the simple stuff.

[Edited on 11-23-2005 by Kranar]

Shaelun
11-23-2005, 03:18 PM
Ahh, so it has been a matter of miscommunication after all. Now I'm following you... that's exactly what I was after, a method of defending against Bob's particular exploit.

Thanks for the lead, Kranar :)

StrayRogue
11-23-2005, 07:28 PM
First off, Varule is retarded.

Secondly yay Bob for banning one of the biggest tools in the game.

Thirdly, Jamus is far too forgiving. For God's sake he let Rhett back on, and pretty much anyone else he may have banned. Not saying you're coming back Bob, but then Jamus does have a streak of hypocrisy when it comes to enforcing stuff. He gets anal about the homosexuality slights, then lets dipshits like Atreau get away with it. Go figure.

I think Kranar/Shaelun should create a new OOC style chat.

Bobmuhthol
11-23-2005, 07:29 PM
Both of them did. Neither of them are as popular.

StrayRogue
11-23-2005, 07:31 PM
Shame they can't create a way to tune into Psinet's OOC channel.

Bobmuhthol
11-23-2005, 07:31 PM
Actually, they could.

Edit: What I meant was it's possible. Not plausible, because it would be more or less illegal/hacking/bad.

[Edited on 11-24-2005 by Bobmuhthol]

imported_Kranar
11-23-2005, 08:05 PM
<< I think Kranar/Shaelun should create a new OOC style chat. >>

I've said before that as it is, PC-Net is pretty much dead. While I have technically worked on it, until the day comes when PC-Net is able to support both WoW and GS players simultaneously, I don't intend to make another release of it.

As Bobmuhthol said, PC-Net wasn't popular at all; the most we had logged onto it at once was 12. If PC-Net is to get popular, it needs to offer connectivity to a far wider range of players across multiple games. It's definitely a goal that can be achieved, but until it is achieved, PC-Net will remain closed.

Shaelun
11-24-2005, 01:57 AM
Well, since it was brought up, I guess I might as well point out that LichNet is open to anyone who wants to use it. Except Maliku, Psighs, and Sixbits. Not because I find them unacceptable as individuals, but because I don't care for the atmosphere that's created by people who are so quick to judge and insult others.

There are only about 4-7 of us that use it regularly, and interestingly enough, it maxed out at about 12 people one day too.

I run it just because I have it... I've said it many times before, but I'll say it again because I really don't want people to get the wrong idea: I'm not trying to replace PsiNet, nor do I want to. Anytime I'm logged into the game, I'm on both OOC and LichNet.

My little chat thing really is a blatant clone of PsiNet, and it was meant to be a blatant clone of it, since originally I wrote it as a temporary replacement until PsiNet was back up. But since there are a few people who still want to use it, I've just kept running it, and if anyone else wants to use it... feel free.

Tova
11-24-2005, 01:55 PM
Originally posted by Shaelun
Well, since it was brought up, I guess I might as well point out that LichNet is open to anyone who wants to use it. Except Maliku, Psighs, and Sixbits.

If Bob were on that list I'd switch today. Though the banter back and forth about hacking and God knows what has been interesting, the subject of the thread was Bob hacked into psinet again. Once again proving himself untrustworthy. In my opinion Jamus made a point that he will not tolerate someone fucking with his psinet. Makes me feel a lot safer using it. Bob made the point he never leaves damage... give me a fucking break. That's supposed to mean something? If Bob is unbanned I will definitely uninstall psinet.

Latrinsorm
11-24-2005, 02:07 PM
Originally posted by Tova
Makes me feel a lot safer using it.

Kranar is very good at making complicated things easy to understand, so I don't know how you managed to read this thread and have that response.

Furthermore, what Jamus has done increases the difficulty of Bob hacking Psinet from "trivial" to "infinitesimal". The only thing stopping Bob from re-hacking is Bob.

Seriously, how could you have read this thread and drawn these conclusions?

Bobmuhthol
11-24-2005, 02:10 PM
<<Once again proving himself untrustworthy. In my opinion Jamus made a point that he will not tolerate someone fucking with his psinet. Makes me feel a lot safer using it.>>

Then you do not have a brain. Anyone can do what I did, and I didn't affect anyone's life over it. I'm glad that while PsiNet is good times, being banned means I have absolutely no contact with douche bags like you.

<<Bob made the point he never leaves damage... give me a fucking break. That's supposed to mean something? If Bob is unbanned I will definitely uninstall psinet.>>

1. I don't.
2. It does mean something: I got in, and then I got out. It's far less violation than doing what I could have potentially done (i.e. hostile takeover of PsiNet using Jamus' account, disabling it until he fixed every problem I could have caused, which would take a long time to do).
3. Nobody fucking cares that you don't like me. You know nothing about what you're saying.

Bobmuhthol
11-24-2005, 04:54 PM
Not having PsiNet installed is terrible. I NEED MY SPELLSHORTS, HEALING MACROS, ALIASES, AND MOVEAHEAD DAMNIT.

HarmNone
11-24-2005, 04:59 PM
Won't lichnet give you those, Bob? Shaelun said it's a clone of PsiNet, so I'd think it would be a good alternative for you.

xtc
11-24-2005, 05:05 PM
Bob Haxzored Psinet, he is l33t

HarmNone
11-24-2005, 05:07 PM
Knowing Bob, I'd suspect that he was just trying to show Jamus what COULD be done...in his own, sometimes questionable, way. I really doubt that he had any intent to do damage. That's just not Bob's style, really.

Skirmisher
11-24-2005, 05:38 PM
Originally posted by HarmNone
Knowing Bob, I'd suspect that he was just trying to show Jamus what COULD be done...in his own, sometimes questionable, way. I really doubt that he had any intent to do damage. That's just not Bob's style, really.
I agree that Bob seems to not intentionally damage, but even he understands why he was banned and should also understand peripheral discontent from that as well.

It's like taking a loaded gun and waving it at people and then when they complain saying, "But I didn't shoot you." It may be true, but it also doesn't make people feel more comfortable.

HarmNone
11-24-2005, 05:42 PM
Agreed, Skirm. Bob seems to have taken this banning with aplomb, so I'm sure he understands why it happened. One really can't blame Jamus. He can't allow people to hack into PsiNet randomly, even if no damage is done.

Latrinsorm
11-24-2005, 06:59 PM
Originally posted by HarmNone
He can't allow people to hack into PsiNet randomly, even if no damage is done.

Ironically enough, this is exactly what he does by banning Bob and not doing all that SSL stuff Kranar posted about.

HarmNone
11-24-2005, 07:08 PM
You may well be right, Latrinsorm. By doing what he did, Bob showed Jamus that PsiNet is vulnerable. As I said, that's what it appeared to me that Bob was trying to do. Now, what Jamus does to rectify that situation is up to him.

That said, it still doesn't make what Bob did acceptable, and it doesn't mitigate Jamus' right to ban Bob for doing so. You might have done things differently. I might have done things differently. However, Jamus' reaction was not out of line, in my opinion.

Bobmuhthol
11-24-2005, 09:19 PM
<<Won't lichnet give you those, Bob? Shaelun said it's a clone of PsiNet, so I'd think it would be a good alternative for you.>>

I use Lich. LichNet is the clone of PsiNet's OOC channel. Lich itself hasn't been developed nearly as much, but it does have better scripting. That scripting doesn't give me the PsiNet luxuries I'm used to, though.

<<It's like taking a loaded gun and waving at people and then when they complain saying, "But I didn't shoot you." It may be true, but it also doesn't make people feel more comfortable.>>

It isn't like that at all. A loaded gun is potential. I didn't potentially hack PsiNet, I did hack PsiNet.

It also was supposed to go unnoticed. Jamus is well aware of the possibility of my hack. That became clear when I hacked his inactive administrative account. His solution, implemented solely because of hacking, was to make PsiNet keys. His solution was, more or less, a quick way to prevent him from being hacked while disregarding the other users. In order to prevent a PsiNet hack on a name, that character must have already had a key assigned to them on a different computer. Jamus never set his key on the GS character Jamus because his account was inactive -- I promptly hacked him after he challenged me, claiming it was virtually unhackable. He set a specific key for the name Jamus afterward. If someone has not logged into PsiNet since keys were implemented, the name is absolutely free to be used by a hacker. This is what I did to Chica, knowing (from having hacked Jamus and looking at the list of OOC mods) that she was a mod. She doesn't use PsiNet anyway, but if she did, she would not be able to log in until the key resets because I logged in as her on PsiNet. The key system is very much flawed and also allows for impersonation. I can be *anyone* on chat channels or in mails or PsiNet locating someone, etc. This derives from an error in the way names are parsed by PsiNet (which is understandable considering such names do not exist in GemStone and PsiNet is a client for GemStone characters). Jamus should know all of this, and he really should have fixed it before it got to this point.

Jamus' philosophy once was that since he didn't play GemStone, and his scripting engine would revolutionize GS scripting, he would release it because it wouldn't affect or bother him. I've struggled with such a philosophy since my permanent, force uninstall ban. If I know how to hack PsiNet, and I'm not part of it anymore, what's stopping me from releasing the information and tools necessary to cause mayhem regarding the PsiNet server? Or, better yet, what's stopping me from simply overriding his force uninstall, hacking him again, and going on PsiNet anonymously and under IP spoofing, PsiNet account spoofing, etc.? Unfortunately, there is something stopping me. I still consider Jamus a friend, as I'm sure he does me. Until that changes, I'm going to abide by his rule over his software. I'd lawfully reinstall PsiNet in a heartbeat, but I won't be using it while banned.

Tova
11-24-2005, 09:29 PM
LOL

Shaelun
11-25-2005, 09:47 AM
Take this however you like -- totally disregard my opinion as an ignorant appraisal from an incompetent fool, whatever... but I do know a fair bit about computer security in general, and to the best of my knowledge, there is NOTHING that Bob could have done to harm any of you.

He hacked an admin account. Ooooo, scary... what can an admin account do? Uh, ban you. Oh yeah, unban you. Ummm, look up your Simutronics account number (how is that harmful, I mean, I wouldn't even recognize my own account # if I saw it, lol).

Oh, silence you.

Um, totally fuck up the server software.

..... uh... steal credit card numbers? Well maybe that's possible, but hacking PsiNet sure as Hell doesn't help someone do it.

Guys, he logged in as somebody else. That's all. I mean the absolute worst that could've happened is he banned you, OR he impersonated you and made everybody hate you because he acted like an ignorant retarded child under your name to deliberately ruin your reputation.

That's really about all the potential harm there is to the situation guys. It's a chat server. I mean... it's not like Jamus has our social security numbers, ya know.

imported_Kranar
11-25-2005, 12:15 PM
<< Guys, he logged in as somebody else. >>

Hacking in as an administrator can cause a lot of damage. The thing that makes me very frightful of the PsiNet server is the force uninstall feature.

It is actually considered incredibly poor security to enable a server to forcefully execute something on a client, and if you look at any half-decent server/online service, it's entirely unheard of to have a server force a computer to uninstall the client software. Locking a client from accessing the server, that's acceptable and responsible. But having a server force something onto a client, that kind of authority poses many exploitable security risks. You might think the worst that can happen is a forced uninstall of the PsiNet client, but such a feature, in the hands of a hacker, can easily be exploited to execute remote code on a client's computer.

A simple buffer-overflow can change a force uninstall of the PsiNet client into a forced execution of virtually anything the hacker wants.

Don't underestimate the many types of vulnerabilities that exist when programming over a network, and never overestimate how secure someone else's program might be. As I said, Jamus can be grateful that the worst anyone did was ban some people, but Shaelun, if you want to see the kinds of exploits possible... download Ollydebugger and attach it to the PsiNet client. Have a look at the source code for the client and tell me you don't see its many security flaws.

Bobmuhthol
11-25-2005, 12:18 PM
<<The thing that makes me very frightful of the PsiNet server is the force uninstall feature.>>

I think more people have this concern than don't. You, Shaelun, and I have a common opinion here.

imported_Kranar
11-25-2005, 12:26 PM
<< I think more people have this concern than don't. You, Shaelun, and I have a common opinion here. >>

Honestly, it is unheard of for a server to do something like that and it really begs the question as to what else the server may force onto the client. How is this forced protocol implemented? Is it also unencrypted like everything else on PsiNet?

If it is unencrypted, then someone can get this force uninstall protocol using Etherdetect or some other network detection tool, and could force uninstall PsiNet from a variety of computers without actually being the administrator.

Most people here know that IP addresses can be faked. So if you faked your IP address to be the PsiNet server (which can be done using low level TCP packet modification), and sent over the plain unencrypted message to force uninstall the PsiNet client from some arbitrary PsiNet user, what security feature is there in place for the PsiNet client to deny such a request?

Admittedly, such a hack isn't a 5 minute ordeal like logging onto the PsiNet server as anyone you wish. In fact, the hack I speak of does require some low level knowledge of how to modify TCP packets to make them appear that they came from another address, but just looking over the PsiNet client code, I don't see anything stopping such a hack from happening.

At the least, one could force uninstall PsiNet from anyone's computer they wish, and if my suspicion is true, although unconfirmed, if this forced protocol is as insecure and as simple as I suspect it to be, one could do a lot more than just a forced uninstallation.

[Edited on 11-25-2005 by Kranar]
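Kranar's question is what, other than the claimed source address, would let the client refuse a forged force-uninstall message. The standard defensive answer is to authenticate every server-to-client command under a secret the two sides share from the login exchange, and to number commands so a captured frame cannot be replayed. The following is an added illustration of that check, not PsiNet's protocol; the frame layout, the command names and the idea of a per-session secret are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed frame layout: "<seq>|<command>|<hex tag>", where the tag is
# HMAC-SHA256 over "<seq>|<command>" under a secret that client and server
# agreed on during login. Command names are assumed, not PsiNet's.
ALLOWED_COMMANDS = {"SILENCE", "UNSILENCE", "FORCEUNINSTALL"}


def new_session_secret():
    """Per-session secret; in a real protocol this comes out of the login exchange."""
    return secrets.token_bytes(32)


def make_command(session_secret, seq, command):
    """Server side: frame a command together with its authenticator."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    body = f"{seq}|{command}"
    tag = hmac.new(session_secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class CommandReceiver:
    """Client side: run only commands that are authenticated, in order and known."""

    def __init__(self, session_secret):
        self.session_secret = session_secret
        self.last_seq = 0
        self.log = []  # (verdict, detail) for each frame seen

    def receive(self, frame):
        """Return True when the frame is accepted and its command may run."""
        parts = frame.split("|")
        if len(parts) != 3:
            self.log.append(("rejected", "malformed"))
            return False
        seq_text, command, tag = parts
        body = f"{seq_text}|{command}"
        expected = hmac.new(self.session_secret, body.encode(), hashlib.sha256).hexdigest()
        # A frame injected by a third party carries no valid tag, whatever
        # source address it claims: the tag needs the session secret.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            self.log.append(("rejected", "bad tag"))
            return False
        # A replayed capture has a valid tag but a stale sequence number.
        if not seq_text.isdigit() or int(seq_text) <= self.last_seq:
            self.log.append(("rejected", "replay or out of order"))
            return False
        if command not in ALLOWED_COMMANDS:
            self.log.append(("rejected", "unknown command"))
            return False
        self.last_seq = int(seq_text)
        self.log.append(("accepted", command))
        return True
```

Note that the secret must itself have been exchanged over a channel the injector could not read, which is exactly why the login step, not just the command channel, has to be protected.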

Gan
11-25-2005, 12:28 PM
Our company specializes in licensing software for hospitals. As the licenses expire we seek renewals and upgrades. We have never in our company's history force uninstalled our software from a client.

We connect either via VPN or dialup access in order to maintain and troubleshoot the software and also run diagnostics on our proprietary hardware that accompanies the software.

If for some reason we have a client in breach of contract, then we go onsite and remove the proprietary hardware and provide a legal writ to cease and desist the use of the software residing on the offending hospital's server.

Imposing ourselves into a client's network to perform an action without the authorization of the client would be bad business indeed. Even if the action is contractually agreed upon beforehand.

Bobmuhthol
11-25-2005, 12:31 PM
<<Honestly, it is unheard of for a server to do something like that and it really begs the question as to what else the server may force onto the client.>>

Jamus has said before that if he ever wanted to do such a thing, it would be entirely possible and grant him the ability to essentially take over someone's character.

Back
11-25-2005, 12:32 PM
Sounds like the makings of a lawsuit to me. Not Jamus messing around, but a company messing around with a client’s network.

JamusPsi
11-25-2005, 12:48 PM
Well, time to post again, I guess.

Full SSL encryption between the PsiNet Client and Server is not enough to prevent impersonation. Full SSL encryption was considered and I did eventually decide that it was unnecessary. I would prefer that the majority of the information PsiNet sends be human-readable, but did eventually have to concede that some form of encryption was necessary.

To explain why SSL encryption on the psinet socket would not help: Bobmuhthol did not replace names in the login string sent from client to server. He actually replaced the login string sent from the game- that is, from simu- to the psinet client. The PsiNet client, having no greater way to determine its authenticity, trusted that the name reported from the game was correct, and sent that to the server. Even were the psinet socket encrypted, as long as the game socket is not, there is no protection.

Kranar is completely right about the way my network was-- before. Bob's first attempt forced me to acknowledge that I was not being as responsible as necessary, and I did then implement encryption as part of the psinet login process. (This was back in early September.)

The login process from client to server is in fact encrypted using a method that I wrote personally. After the login process, the stream returns to normal human-readable mode.

Character keys (basically server-assigned passwords, not encryption at all) were used as the method of preventing identity theft like Bob tried. The idea was, if I can't verify that the person the game reports is truly the person at the computer, then I can at least verify that he has access to that character's account on PsiNet with a key.

Of course, as Shaelun has noted, this does not prevent new, bogus character names from being used, because they have no key selected, and because PsiNet is essentially open-registration. However, there are other features in place to reduce this risk.

All this said, I believe Kranar's mistakes in characterizing PsiNet were mostly genuine; he probably hasn't inspected PsiNet's login routine since September when encryption was, finally, introduced. Before then, it WAS irresponsible, at worst. Naive, at best.

Also, Kranar, while I have said this many times in the past, it appears it bears restating. I did not 'throw a hissy-fit' because a GM stated that PsiNet was insecure. This was a fact I was well aware of. The GM in question, Brauden, did not make any qualifications, such as 'it is possible that' or 'a program such as this could'. He said, directly, that PsiNet allowed the author to compromise any account logged in using it. That was not, and is not, a truth. That was a plain and simple lie, and I did feel entitled to meet my accuser.

In the end, I cancelled my account over it. I haven't played GS in quite some time.

To return, perhaps, to the topic more at hand: Bob's later attacks were, admittedly, more taking advantage of my own mistakes than hacking. He correctly guessed that, as Jamus had not been used in about two years, it probably would not have a key assigned to it. Laughably, I overlooked this, and he was able to impersonate him. I let this go.

He did the same thing with Chica later. Another mistake on my part, yes, and admittedly. But regardless of which flaw he took advantage of - either human or technical - I cannot in good faith allow it to go without consequences. He got caught.

I do hope this sheds some light on some of the things touched on in this post. I'll return if it requires more attention.
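A small model of the character-key scheme Jamus describes, and of the gap both he and Bob point out: a name that has not logged in since keys were introduced has no key, so whoever presents it first is assigned one, and the real user is then locked out until the key is reset. This is an added illustration, not PsiNet's code; the registry class, its `login` return values and the pre-registration mitigation for privileged names are assumptions.

```python
import secrets


class CharacterKeys:
    """Constructed server-side model of trust-on-first-use character keys."""

    def __init__(self, moderators, require_preassigned_key_for_mods=False):
        self.keys = {}                      # character name -> assigned key
        self.moderators = set(moderators)   # names that may silence or ban
        # Assumed mitigation: a privileged name is never handed a key on first
        # sight; an operator must assign one out of band before it can log in.
        self.require_preassigned_key_for_mods = require_preassigned_key_for_mods

    def assign_key(self, name):
        """Operator pre-registers a name so a first login cannot claim it."""
        key = secrets.token_hex(8)
        self.keys[name] = key
        return key

    def reset_key(self, name):
        """Operator clears a key (the 'key reset' the thread mentions)."""
        self.keys.pop(name, None)

    def login(self, reported_name, presented_key=None):
        """Return (accepted, is_moderator, key_in_effect).

        reported_name is whatever the client says the game reported; the
        thread explains that this value cannot be trusted on its own, so
        the key is the only check the server can make."""
        stored = self.keys.get(reported_name)
        is_mod = reported_name in self.moderators
        if stored is None:
            if is_mod and self.require_preassigned_key_for_mods:
                return (False, False, None)       # privileged name, no key: refuse
            key = self.assign_key(reported_name)  # TOFU: first claimant gets the key
            return (True, is_mod, key)
        if not secrets.compare_digest(presented_key or "", stored):
            return (False, False, None)
        return (True, is_mod, stored)


def impersonation_scenario():
    """The Chica case: a moderator name unused since keys were introduced."""
    server = CharacterKeys(moderators={"Chica"})
    # A client reporting "Chica" arrives first; no key exists, so one is assigned.
    first = server.login("Chica")
    # The real user, arriving later without that key, is locked out.
    real_user = server.login("Chica")
    return (first[0] and first[1], real_user[0])


def mitigated_scenario():
    """Same case when privileged names must be pre-registered by an operator."""
    server = CharacterKeys(moderators={"Chica"}, require_preassigned_key_for_mods=True)
    first = server.login("Chica")          # refused: privileged name with no key
    key = server.assign_key("Chica")       # operator hands the key to the real user
    real_user = server.login("Chica", key)
    return (first[0], real_user[0] and real_user[1])
```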

JamusPsi
11-25-2005, 12:54 PM
Ah, some more notes to address. I should have read more.

The force uninstallation procedure is a single one. With that notable exception, the client will not execute any commands or code sent to it from the server, period. And of course, the uninstallation procedure is part of the login process, which is encrypted.

<<Jamus has said before that if he ever wanted to do such a thing, it would be entirely possible and grant him the ability to essentially take over someone's character. >>

If PsiNet were a malicious program, I could update it to do such a thing. Of course, I would make the entire socket encrypted then, not just the login procedure, so that those functions would not be visible.

And of course yes, it is probably possible to inject packets into the TCP stream from an unauthorized third party. However, without any guarantee of where that packet would be injected, and without the ability to, conversely, intercept the response (and at that point, it becomes much more an issue of your network's security, if your streams can be read so casually), the damage potential here seems rather minimal.

[Edit: Will I ever be done?]

>>Why not? Why not just check EXACTLY what Simutronics sends as the character name by looking at the TCP packet sent by the server, and verifying that it did come from the server? Why not just check exactly what the WizardFE or Stormfront have as the name of the character by doing some simple memory peeks (the Win32 API function ReadProcessMemory allows you to read the memory of another process and so you can easily use it to see who the WizardFE has as being logged into the game)? Why not do both to have 2 layers of authentication? <<

I allow third party programs, such as Lich or UltraTech, to be used in conjunction with PsiNet. I allow that they may be 'closer' to the game stream than I am. So checking the source of the packet is unhelpful.

As for memory checking the name given to the FEs... if the name is replaced before being sent to PsiNet, it will *still* be replaced when it gets to the FEs.. which will then use that name, the same as PsiNet did. Did I misunderstand?

[Edited on 11-25-2005 by JamusPsi]