00:56 < JulianAssange> http://www.wired.com/2015/02/silk-road-ross-ulbricht-verdict/ 13:22 < allu2> Yo, is there any known vulnerability in TW that could allow attacket to get ip's of clients? http://i.imgur.com/B467VOv.png happened on ChickenServer2, first thought is that they had some way X of knowing clients ip's and then tested this by sending spoofed chat messages to make clients say the ip/port, then used that info to try guess rcon password 13:24 < allu2> I've tried to find if there was any rcon logins but didn't see anything suspecious there, next I checked my servers auth log but nothing but me there ether, also checked what I can from TeeBot but it simply can't talk to server to anyone in private so I'd think they would've notice if it had some how been tricked to leak the ip/ports :S 13:24 < EastBite> your ip address is public from the moment on, you are refreshing serverlist 13:24 < EastBite> so yea 13:25 <@minus> indeed 13:25 < allu2> I mean some player Z on my server managed to know the ip's of other clients on the server :S 13:25 < allu2> and I though this shouldn't be possible for anyone but the server or rcon users 13:25 < EastBite> it is possible 13:26 < EastBite> just needs a lot of trying 13:26 < allu2> ? thats seems bad :S 13:26 < EastBite> the teeworlds protocol isn't designed to security 13:27 <@minus> though the issue could very well stem from the mod 13:27 <@matricks> EastBite: how can you figure out the other players ip? 13:27 < EastBite> honeypot server 13:28 <@matricks> ahh 13:28 <@matricks> you can't know it, but it reduces the amount you need to search.. 13:28 <@matricks> coo' 13:28 < EastBite> ^ spoofing a hundred ips doesn't take that long 13:28 <@minus> takes a second, literally 13:29 < EastBite> and there seems to be a problem with windows udp sockets 13:29 <@minus> i think i wrote about that once, not sure if published or not 13:29 < EastBite> often the same sourceport is being used 13:29 < allu2> Shortly after the server was filled with Dummy tee's from some Chinese addresses 13:29 <@matricks> sigh 13:30 < allu2> 175.30.209.1:1337, 175.30.209.0:1337, 175.30.209.2:1337 and so on.. 13:30 <@minus> matricks: halp, i need 13 bytes encoded onto a base of 42 characters, how do i do that? 13:30 < Kottizen> How about giving all clients a randomly generated token, that they have to provide together with a password in order to even be considered let access to rcon? 13:30 <@matricks> Kottizen: I was about to say that 13:30 <@minus> i think heinrich5991 already did something on that front 13:30 <@matricks> yeah 13:30 <@matricks> security token on connect 13:31 <@matricks> to make sure you can't spoof randomly 13:31 <@matricks> you couldn't just exchange public keys etc 13:31 <@matricks> security... such a never ending battle 13:31 < allu2> Sounds nice, is it possible such feature could come officially before launch of 0.7 when ever that might be? 13:31 <@matricks> allu2: no 13:32 <@matricks> allu2: requires network change which means new version number 13:32 < allu2> awws 13:33 <@matricks> version number is major.network.patch 13:34 <@matricks> anything that changes the protocol needs to change the network number 13:34 < EastBite> matricks: there is another hacky way for such a handshake 13:34 <@matricks> but it also doesn't mean that there can be a 0.7 before the current 0.7 and that will become 0.8 13:34 < allu2> I'm just rather depressed when it comes to waiting next version number to be launched :P 13:35 < EastBite> pretenting a mapchange and expecting the right chunk requests from the client afterwards 13:35 < EastBite> or so 13:35 < Kottizen> Theoretically it could be made backwards compatible. A server admin could choose to enable it on their 0.6.4, and if enabled, only 0.6.4 clients can access rcon. 13:35 < allu2> That'd be nice 13:35 < Safa_[A_boy]> Hello. Can someone point me to the function that takes the string and draws it? I mean the text renderer 14:10 <@matricks> Safa_[A_boy]: engine/client/text.cpp 14:11 <@matricks> Safa_[A_boy]: https://github.com/teeworlds/teeworlds/blob/0.6/src/engine/client/text.cpp#L551 14:11 < Safa_[A_boy]> Thanks! :) 14:49 < Safa_[A_boy]> So, When I try to type Arabic in the chat nothing got shown 14:49 <@matricks> .. 14:50 < allu2> matricks: adding arabic support on the todolist? :P 14:50 < Safa_[A_boy]> What did you do? :p 14:51 <@matricks> allu2: noo.... 14:52 < Safa_[A_boy]> In previous releases It was shown, After I reinstalled teeworlds it disappeared 14:52 <@matricks> well, not on my todo list atleast... 14:52 <@matricks> if I were todo some language stuff on teeworlds... I would remove it all 14:52 < allu2> lol, no chat at all? 14:52 < Safa_[A_boy]> Only English, Not Arabic 14:52 <@matricks> I think I've voiced my opinion on this quite well 14:53 <@matricks> allu2: naa, just remove all translations etc 14:53 < Safa_[A_boy]> Dont get angry please :) 14:53 <@matricks> and remove the language support 14:53 < allu2> Ah, well I'm kind of person who appears here only when something is not working or is troubling me ^^ 14:54 <@matricks> I've toyed with the idea to remove nick names, chat etc as well 14:54 <@matricks> remove custom skins and let the server random it 14:54 < Safa_[A_boy]> Remove the server too :) 14:54 <@matricks> thought about that as well 14:54 < allu2> Actually that doesn't sound all that bad when I think about it 14:55 <@matricks> focus on the game, less fluff 14:55 <@matricks> thought about doing a 128k version of teeworlds 14:55 < allu2> :D 14:55 < allu2> reminds me ov TW 1.0 somehow :P 14:56 <@minus> matricks: something like kkrieger? 14:57 <@matricks> yah 15:06 < Safa_[A_boy]> Looks like I just had to reboot my computer 15:21 < JulianAssange> allu2: might want to just heck your whole server for infection(a virus, not the mod :>) 15:21 <@matricks> *check 15:23 < JulianAssange> yes that 15:23 < JulianAssange> since if it's chinese, they probably have pwned your server, and are just messing with you 15:24 < JulianAssange> unless actually, the 'hackers' just cloned the names, waited for them to leave, then rejoined and printed out random IPs lol 15:25 < JulianAssange> screenshot doesn't show enough to know though 15:25 * matricks is never going todo multiplayer again 15:25 <@minus> why not :( 15:26 < EastBite> JulianAssange: there were cases like these on other servers aswell 15:26 <@matricks> fucking hassle 15:26 <@minus> no p2p multiplayer? 15:26 < EastBite> I will :D 15:26 <@matricks> minus: so much work for such small gains 15:26 <@matricks> minus: we had a discussion at the office today about multiplayer cheating etc 15:26 < EastBite> small gain? 15:26 <@minus> matricks: for science! 15:27 <@matricks> EastBite: the amount of work that is needed for a small game is insane 15:27 < EastBite> creating a multiplayer game always is like creating an own social world 15:27 <@matricks> and all the problems with hacking and cheating... 15:27 <@matricks> cheating in a single player game is like.. well, you are only cheating yourself 15:27 < EastBite> teeworlds does really well against cheating 15:28 < EastBite> even without anticheat mechanism 15:28 < JulianAssange> EastBite: cases of what 15:28 < JulianAssange> randomly joining and posting random ips? 15:28 < EastBite> spaming, rcon misuse, playerkicking, dos 15:29 < allu2> JulianAssange: I doubt the server itself is compromised (Ofcourse there is no way to be 100% sure) and I confirmed myself that the people who said their IPs did come from those and have been playing on the server without problems several times before 15:29 <@matricks> gonna do teeworlds 2... single player game 15:29 <@minus> ew 15:29 < EastBite> I'll make a mmorpg :3 15:29 <@minus> ._. 15:29 < botnik> http://www.urbandictionary.com/define.php?term=._. 15:29 < EastBite> ._. 15:29 < botnik> http://www.urbandictionary.com/define.php?term=._. 15:29 < JulianAssange> .. 15:30 < JulianAssange> ._. 15:30 < botnik> http://www.urbandictionary.com/define.php?term=._. 15:30 < JulianAssange> i know about the dos stuf(i'm the original reporter), but i haven't seen other stuff 15:30 < allu2> TeeBot2 logs all IPs and connection and leaving times of all players who join in the server, same information can also be confirmed from the servers own log file 15:30 <@matricks> I actually have ideas and plans how a singleplayer teeworlds would be 15:30 <@matricks> and we have actually done one version before 15:31 < allu2> EastBite: how about making Teeworlds based card game, card games seem popular thesedays :P 15:31 < EastBite> virtual card games... 15:31 < EastBite> matricks: what kind of ideas? 15:32 < JulianAssange> unless money is involved and you're in gibraltar, nothx 15:32 * allu2 uses the masterserver (reveals all tee's on the opponents hand) 15:32 <@matricks> allu2: I've been doing some thinking about that and you can make a card game p2p and still have the security and hidden cards 15:32 <@matricks> allu2: no need for servers etc 15:32 < allu2> I was visioning a card called "masterserver" ^^ 15:32 < JulianAssange> yu-gi-oh 15:32 <@matricks> EastBite: how it would be structured, laws and rules of the world and progressio 15:33 < EastBite> roundbased still is p2p compatible, indeed 15:33 <@matricks> a game like hearth stone can be done without any thirdparty 15:33 <@matricks> and still prevent all cheating 15:34 < allu2> Would be cool :) 15:34 < Muttley> allu2, can it be the teebot has a vulnerability ? 15:34 < JulianAssange> send me teebot src and i'll look if you want 15:36 < allu2> It could be indeed, https://github.com/Allu2/TeeBot2 15:37 < JulianAssange> python 15:37 < JulianAssange> lol 15:37 < JulianAssange> probably is a vuln in that then 15:37 < allu2> But I doubt it because TeeBot can't speak ip's out without it being public 15:38 < allu2> it can use say/broadcast 15:38 < Muttley> anyone care to test me map ? gs01.digistrado.nl:9305 15:38 < JulianAssange> allu2: do you use port 1337 for this bot? 15:38 < allu2> Nope 15:38 < EastBite> how does the bot work? 15:38 < allu2> Bot works on localhost on server running the TW 15:38 < EastBite> econ? 15:39 < allu2> uses econ 15:39 < EastBite> k 15:39 < allu2> but as said, only in localhost while the econ port is blocked from outside 15:39 < JulianAssange> "port = 1337 (or what ever port you use)" 15:39 < JulianAssange> what does that port represent? 15:39 < allu2> Its the econ port of TW server 15:39 < allu2> the one that is blocked from outside by ufw/iptables 15:39 < JulianAssange> oh 15:40 < EastBite> ^ just bind it on localhost 15:41 < allu2> Still, Econ and the Bots connection should be save 15:41 < JulianAssange> just the reason I bring that up, is beause the src ports were 1337 (175.30.209.1:1337, 175.30.209.0:1337, 175.30.209.2:1337) 15:41 < JulianAssange> that might be nothing though 15:41 < JulianAssange> since it;s si common 15:41 < allu2> Probably spoofed 15:41 < EastBite> of course spoofed 15:42 < JulianAssange> ^ 15:42 < JulianAssange> i meant, deliberatly 15:43 < allu2> The main consern is if you can break out of bot's say/broadcast messages since thats the only time bot sends something to server that can include user crafted strings 15:44 < EastBite> why is teebot even dumping all that ips in global chat? 15:44 < EastBite> + sourceport 15:45 < allu2> EastBite: it doesn't 15:45 < EastBite> ah it's not teebot sry 15:45 < allu2> I'd assume someone is testing if they got the ip/port right witht heir spoofing 15:45 < EastBite> yea, I think so too 15:46 < JulianAssange> what;s the purpose of teebot anyways 15:46 < Muttley> quake like messages 15:46 < Muttley> xD 15:46 < allu2> Basicly print killing spree messages for now 15:46 < EastBite> without modding the server I guess 15:46 < JulianAssange> i don't know what means 15:46 < JulianAssange> oh 15:46 < allu2> and later when I feel like it I add "Double kill, Triplekill" and such 15:46 < Muttley> allu2, would be nice if you could add sounds ;-) 15:47 < allu2> That would be clientside thing :D 15:47 < EastBite> allu2: you might encourage people to use the ddnet client, since it uses a multiple randomized sourceport 15:47 < EastBite> the attack doesnt work there 15:49 < Muttley> allu2, what server version of tw are u using ? 15:49 < allu2> Hum I'd still like to avoid advising use of modded clients.. Any chanse that modification could be added to vanilla with minor version change? 15:49 < allu2> 0.6.3 15:49 < Muttley> ok 15:52 < EastBite> allu2: that would be nice of course 15:52 < allu2> Was thinking that if its backwards compatible it shouldn't be a problem, right? 15:52 < EastBite> but since there is barely any updating on the 0.6 branch, ddnet has become a 0.6 replacement with dozens of fixes 15:53 < EastBite> allu2: yea, no problem 15:54 < allu2> Is there some reason why this wouldn't be done? Or is it just lack of people to take of the changes fit them in and make a pull request? 15:54 < EastBite> the mian focus is on 0.7 I guess 15:54 < EastBite> main* 15:54 < JulianAssange> allu2: what is your server ip 15:55 < allu2> eh starts with 178... probably fastest to find it by searching ChickenServer and picking the 2 or 5 15:55 < JulianAssange> i don't have teeworlds atm 15:55 < allu2> ok let me get the address for you.. 15:56 < allu2> 178.62.229.94 16:01 < JulianAssange> ok idk 16:04 < EastBite> hm was there a teeworlds modification which implemented collision damage? 16:04 < EastBite> should be pretty easy to impleme nt 16:05 < allu2> I'd like to see ammunition collision :P blocking enemy grenades with pistol fire and stuff :D 16:05 < EastBite> I would love hooking grenades and throwing back :D 16:05 < JulianAssange> basketball mod has that 16:06 < JulianAssange> well 16:06 < JulianAssange> not w/ hook 16:06 < EastBite> :p 16:07 < allu2> Could bring some interesting new elements to the game ^^ 16:10 < JulianAssange> http://www.usatoday.com/story/news/politics/2015/02/04/putin-aspergers-syndrome-study-pentagon/22855927/ thank u putin