01:36 < bridge> [teeworlds] what do you guys think about hashing rcon passwords before sending them? So i can feel more save when using same pw for online banking and i auth in public wifi without vpn 🙂 01:37 < bridge> [teeworlds] it doesnt protect the actual tw server but at least the password 01:53 < bridge> [teeworlds] Would be cool 01:55 < bridge> [teeworlds] regarding the tokens being sent to the masterserver, how often do they need to be renewed? on every request or only once until the dawn of time? or maybe something in between? 01:58 < bridge> [teeworlds] hm, seemingly on every request 😮 13:39 < bridge> [teeworlds] @jxsl13 every ten seconds IIRC 13:40 < bridge> [teeworlds] @ChillerDragon first, please don't use reuse passwords, use a password manager 13:41 < bridge> [teeworlds] then, hashing the password with a standard hash like SHA256 doesn't actually do anything good for your weak password, the password hash is now known to the attacker and can be attacked offline 13:41 < bridge> [teeworlds] hashing it with something like PKBKDF2 would make the server prone to DoS if not guarded against 13:41 < bridge> [teeworlds] hm, I kind of sent the token handshake, and two continuous server list requests and my test kinda failed with a header mismatch 13:42 < bridge> [teeworlds] put the token part bedore every request, but would love to give that go implementation more performance compared to the python implementation. 13:43 < bridge> [teeworlds] the IPv6 ip parsing from binary seems to be incorrect in the python tw_api.py script ._. 13:44 < bridge> [teeworlds] `._.` 13:44 < bridge> [teeworlds] okay, apparently every 10 seconds 13:44 < bridge> [teeworlds] *16 seconds 13:44 < bridge> [teeworlds] 16 seconds then, ok :) 13:45 < bridge> [teeworlds] IPv6 parsing is wrong in what way? 13:45 < bridge> [teeworlds] aren't there only IPv6 addresses in the server list, with a special prefix for IPv4 addresses? 13:46 < bridge> [teeworlds] well, we don't have ipv6 servers for testing ._. 13:46 < bridge> [teeworlds] hmm I see. But still if its a like 8 digit long password i would not be able to crack the SHA256 @heinrich5991 13:47 < bridge> [teeworlds] not digit char xd 13:47 < bridge> [teeworlds] Ipv6 seems to have two bytes encoded as hex values in between each colon : 13:47 < bridge> [teeworlds] 4 hex values each 13:48 < bridge> [teeworlds] what happens there seems to be the same as for ipv4, it seems to encode one byte between each colon 13:48 < bridge> [teeworlds] as hex 13:48 < bridge> [teeworlds] so 2 hex values 13:49 < bridge> [teeworlds] Ideally having a bunch of SHA keys would be ideal in Teeworlds :) you could automatically login to any server you have access to by sending your pub keys 13:49 < bridge> [teeworlds] that would be awesome 13:49 < bridge> [teeworlds] as in 0.6, maybe still it's rather easy to habe a honey pot server running that collects login attempts 13:49 < bridge> [teeworlds] But the ability to give people a password is important too, for convenience ^^' so probably not worth the effort and bloat 13:57 < bridge> [teeworlds] yea and key means managing the config when switching devices 13:58 < bridge> [teeworlds] or we need teecloud for autmatic syncing and accounts :DDDD 14:26 < bridge> [teeworlds] here the ipv6 part tested 14:26 < bridge> [teeworlds] https://cdn.discordapp.com/attachments/490150878934990850/669533230185316374/Bildschirmfoto_2020-01-22_um_14.24.50.png 14:36 < bridge> [teeworlds] @heinrich5991 I know performing a SHA256 is not perfect but better than nothing imo. Im sure in some cases it improves security at least a bit. We already have sha256 code so that should not add too much bloat. Or is sha256 also a dos vector already? 14:38 < bridge> [teeworlds] what's the difference between having your sha256 string vs having your password in regard to gaining access to your rcon? 14:39 < bridge> [teeworlds] so it is saved to use the password in multiple places @jxsl13 because if somebody sniffes my teeworlds traffic he never sees the actual password 14:40 < bridge> [teeworlds] so i can type in my easy to remmber password like "bunnybunny400" and use the same pw for my online banking 😄 14:40 < bridge> [teeworlds] the attacker only gets a hash 14:40 < bridge> [teeworlds] and "bunnybunny400" doesnt show up in wireshark anymore 14:40 < bridge> [teeworlds] if somone sniffs your traffic, that person knows your sha256 string and might use that to gain access? 14:40 < bridge> [teeworlds] well my bank does not allow to enter a prehashed pw they want "bunnybunny400" 14:41 < bridge> [teeworlds] so he has to crack it first 14:41 < bridge> [teeworlds] why does he have to crack it ._. 14:41 < bridge> [teeworlds] you know how hashing works right? 14:41 < bridge> [teeworlds] not enough, I guess 14:42 < bridge> [teeworlds] your pw is hashed 14:42 < bridge> [teeworlds] and the hash sent to the server 14:42 < bridge> [teeworlds] am I right? 14:42 < bridge> [teeworlds] the user types in bunnybunny400 in his client and the client then performs a sha256 locally and sends c4a5d06e0307dc3dfc208216eb31e5ef73efedaffc0390c83d6925a59b8f66a8 to the server 14:42 < bridge> [teeworlds] so c4a5d06e0307dc3dfc208216eb31e5ef73efedaffc0390c83d6925a59b8f66a8 can be sniffed 14:43 < bridge> [teeworlds] ok 14:43 < bridge> [teeworlds] the server then looks at the config and hashes sv_rcon_password and then compares 14:43 < bridge> [teeworlds] ok 14:43 < bridge> [teeworlds] what happens if somone knows your hash and sends it to that server? 14:43 < bridge> [teeworlds] nothing 14:43 < bridge> [teeworlds] the server compares it against its own hash and he gains access? 14:44 < bridge> [teeworlds] https://cdn.discordapp.com/attachments/490150878934990850/669537772750766090/unknown.png 14:44 < bridge> [teeworlds] it would be wrong password 14:44 < bridge> [teeworlds] oh wait 14:44 < bridge> [teeworlds] I mean you can use a modified client in order not to hash that again 14:44 < bridge> [teeworlds] ah no 14:44 < bridge> [teeworlds] sorry me brainded 14:44 < bridge> [teeworlds] the teeworlds server is not protectet 14:44 < bridge> [teeworlds] so sniffing the password and gaining rcon is possible 14:44 < bridge> [teeworlds] but the password it self is not leaked 14:45 < bridge> [teeworlds] so even if he hacked my tw server he doesnt know my fav password is bunnybunny400 14:45 < bridge> [teeworlds] it would only protect the pw from being leaked, but not prevent people from gaining access to random rcon 14:45 < bridge> [teeworlds] yes 14:45 < bridge> [teeworlds] hm k 14:45 < bridge> [teeworlds] which is a good thing if you think about how many people reuse passwords 14:46 < bridge> [teeworlds] well, if somone tells everyone where they reuse their rcon password as well, that might be another potential risk that needs fixing 14:46 < bridge> [teeworlds] xD 14:46 < bridge> [teeworlds] xd 14:46 < bridge> [teeworlds] fixing humans is hard 14:46 < bridge> [teeworlds] *uses hammer* 14:49 < bridge> [teeworlds] "People reuse passwords" 14:49 < bridge> [teeworlds] Im glad i dont do that, each one of identifyy servers has a different password, with numbers and stuff 14:50 < bridge> [teeworlds] oof, numbers + stuff 😄 -> max length 10 -> "[\d]+stuff" 14:50 < bridge> [teeworlds] >:D 14:50 < bridge> [teeworlds] I don't talk about passwords, I just set my ban time high enough 14:50 < bridge> [teeworlds] x) 14:51 < bridge> [teeworlds] lol 14:52 < bridge> [teeworlds] Im implementing noby's anticheat system on most of my servers now 14:52 < bridge> [teeworlds] 😮 is it open source? 14:52 < bridge> [teeworlds] No its not 14:52 < bridge> [teeworlds] :sadbunny: 14:52 < bridge> [teeworlds] I just got the source, bc he hosts a server for us 14:52 < bridge> [teeworlds] But i aint sharing it 14:52 < bridge> [teeworlds] open source all the way 😮 14:53 < bridge> [teeworlds] what servers are going to be having that? what mods? 14:53 < bridge> [teeworlds] Vanilla ones i guess 14:53 < bridge> [teeworlds] oof 14:53 < bridge> [teeworlds] Not really needed for block/ddrce servers 14:53 < bridge> [teeworlds] don't host them as vanilla 14:53 < bridge> [teeworlds] or you might get a master server ban 14:53 < bridge> [teeworlds] like ctf+ 14:53 < bridge> [teeworlds] Ye im aware 14:53 < bridge> [teeworlds] ok :0 14:54 < bridge> [teeworlds] well on 0.6 are already "vanilla" servers which are modified 14:54 < bridge> [teeworlds] for months/years 14:54 < bridge> [teeworlds] report -> get them banned 14:54 < bridge> [teeworlds] who even reports them if they dont change gameplay 14:55 < bridge> [teeworlds] you can 😮 14:55 < bridge> [teeworlds] yea, but devs or the ones which are responsible for the game should take a look into the game sometimes 14:56 < bridge> [teeworlds] I think I have seen Oy once ingame 14:56 < bridge> [teeworlds] maybe 14:58 < bridge> [teeworlds] Dune plays actively 14:58 < bridge> [teeworlds] Devs are not resposible for master bans 14:58 < bridge> [teeworlds] I have seen oy too 14:59 < bridge> [teeworlds] and which modified servers are you talking about @ShootXen ? 14:59 < bridge> [teeworlds] Dont worry about xen, xen is always complaining about something 14:59 < bridge> [teeworlds] All kind of people :D, would be boring otherwise 15:08 < bridge> [teeworlds] @ShootXen if you see modified servers displaying vanilla gametypes, you can report them with their IP here 15:08 < bridge> [teeworlds] That's how it has always worked 15:08 < bridge> [teeworlds] Surely you'll understand we don't have time to personally check every 0.6 server 15:09 < bridge> [teeworlds] @Dune he was talking about my servers 15:09 < bridge> [teeworlds] ban them! 15:09 < bridge> [teeworlds] 😮 15:10 < bridge> [teeworlds] I guess how that goes with the skript is a matter of opinion but I guess that should be fine 15:10 < bridge> [teeworlds] @ChillerDragon you're not running modified servers as CTF, are you? 15:10 < bridge> [teeworlds] my problem is, that when I restart servers too fast, that they cannot rebind the econ socket... is there a way to fix that ._. 15:10 < bridge> [teeworlds] /econ port 15:11 < bridge> [teeworlds] his server is not modified, it just uses some, I call it, econ-strap-on extension 😄 15:11 < bridge> [teeworlds] no but its easy to think that @Dune 15:11 < bridge> [teeworlds] Ah, it's the econ servers, I see 15:11 < bridge> [teeworlds] y 17:31 < bridge> [teeworlds] cheeky password "number and stuff" 17:31 < bridge> [teeworlds] my dictionairy attack has it in a second 17:33 < rand> smth is weird with some ddnet server, they appear to announce 0 as PlayerSlots (while having connected players) 18:13 < bridge> [teeworlds] Thats probably my bad 18:13 < bridge> [teeworlds] When I have time I will fix it 18:14 < bridge> [teeworlds] Dont ban those, they rely on my source, I made some mistake I guess 18:42 < bridge> [teeworlds] @ChillerDragon no, using plain SHA256 will just give you a false sense of security for your insecure password 18:42 < bridge> [teeworlds] @ChillerDragon DON'T REUSE PASSWORDS 18:42 < bridge> [teeworlds] if you do right now, get a password manager and make sure all your new passwords are unique 18:44 < bridge> [teeworlds] I live a dangerous life :0 18:44 < bridge> [teeworlds] don't reuse passwords :< 18:45 < bridge> [teeworlds] writing passwords down, using a password manager are all better than reusing passwords 18:46 < bridge> [teeworlds] https://haveibeenpwned.com/ 18:47 < bridge> [teeworlds] yy ik 18:48 < bridge> [teeworlds] i do not use my tw passwords for anything else but still.. 18:55 < bridge> [teeworlds] then SHA256ing wouldn't help you at all 18:55 < bridge> [teeworlds] but even if you'd do that, a simple SHA256 does not save your weak password 19:03 < bridge> [teeworlds] not me but maybe others 19:04 < bridge> [teeworlds] oh and btw am i the only one who is afraight of entering real passwords in https://haveibeenpwned.com/ ? 19:04 < bridge> [teeworlds] enter your mail instead 19:07 < bridge> [teeworlds] yea did that 19:07 < bridge> [teeworlds] woot im pwned xd 19:08 < bridge> [teeworlds] does it say where? 19:08 < bridge> [teeworlds] yes 19:08 < bridge> [teeworlds] am i blind? 19:09 < bridge> [teeworlds] maybe you need to confirm the email address first 19:09 < bridge> [teeworlds] ah younow 19:09 < bridge> [teeworlds] but that only leaks my younow pw not my actual mail pw huh? 19:09 < bridge> [teeworlds] i almost shit my pants 19:13 < bridge> [teeworlds] yes 19:13 < bridge> [teeworlds] this is public leaks only btw 19:15 < bridge> [teeworlds] you are getting informed via email, what breach your email is part of. 19:29 < bridge> [teeworlds] i guess public leaks are the worst 19:32 < bridge> [teeworlds] does solofng have a ranking? 19:32 < bridge> [teeworlds] give it a ranking, people love rankings 19:33 < bridge> [teeworlds] x) 19:36 < bridge> [teeworlds] I got a ranking repo actually for anyone to use it 😮 19:36 < bridge> [teeworlds] but only with redis and sqlite support. 19:37 < bridge> [teeworlds] (and only cmake) 20:07 < bridge> [teeworlds] yes it has a ranking 20:08 < bridge> [teeworlds] i use files and i have a annoying bug that sometimes breaks everything xd 20:33 < bridge> [teeworlds] 😄 20:33 < bridge> [teeworlds] just tell people it has ranking 20:36 < rand> @fokkonaut : I didn't find the origin on ddnet/ddnet7 repo (github) 21:14 < bridge> [teeworlds] ? 21:14 < bridge> [teeworlds] well 21:14 < bridge> [teeworlds] I will look into it.