Teeworlds
IRC / bridge
One-way IRC channel bridge. If you want to be able to send messages to IRC, contact @Dune or @heinrich5991. https://www.teeworlds.com/?page=docs&wiki=rules/irc_rules
Between 2020-01-22 00:00:00Z and 2020-01-23 00:00:00Z
Avatar
ChillerDragon 2020-01-22 00:36:40Z
what do you guys think about hashing rcon passwords before sending them? So I can feel safer when using the same pw for online banking and I auth in public wifi without VPN 🙂
00:37
it doesn't protect the actual tw server but at least the password
Avatar
Would be cool
Avatar
regarding the tokens being sent to the masterserver, how often do they need to be renewed? on every request or only once until the dawn of time? or maybe something in between?
00:58
hm, seemingly on every request 😮
Avatar
@jxsl13 every ten seconds IIRC
12:40
@ChillerDragon first, please don't reuse passwords, use a password manager
12:41
then, hashing the password with a standard hash like SHA256 doesn't actually do anything good for your weak password; the password hash is now known to the attacker and can be attacked offline
12:41
hashing it with something like PBKDF2 would make the server prone to DoS if not guarded against
Avatar
hm, I kind of sent the token handshake, and two continuous server list requests and my test kinda failed with a header mismatch
12:42
put the token part before every request, but would love to give that go implementation more performance compared to the python implementation.
12:43
the IPv6 ip parsing from binary seems to be incorrect in the python twapi.py script ..
12:44
._.
Avatar
okay, apparently every 10 seconds
12:44
*16 seconds
Avatar
16 seconds then, ok :)
Avatar
IPv6 parsing is wrong in what way?
12:45
aren't there only IPv6 addresses in the server list, with a special prefix for IPv4 addresses?
Avatar
well, we don't have ipv6 servers for testing ._.
Avatar
ChillerDragon 2020-01-22 12:46:57Z
hmm I see. But still if it's like an 8 digit long password I would not be able to crack the SHA256 @heinrich5991
12:47
not digit char xd
Avatar
IPv6 seems to have two bytes encoded as hex values in between each colon:
12:47
4 hex values each
12:48
what happens there seems to be the same as for ipv4, it seems to encode one byte between each colon
12:48
as hex
12:48
so 2 hex values
Avatar
Ideally having a bunch of SHA keys would be ideal in Teeworlds :) you could automatically login to any server you have access to by sending your pub keys
Avatar
that would be awesome
12:49
as in 0.6, maybe still it's rather easy to have a honey pot server running that collects login attempts
Avatar
But the ability to give people a password is important too, for convenience ^^' so probably not worth the effort and bloat
Avatar
ChillerDragon 2020-01-22 12:57:42Z
yea and keys mean managing the config when switching devices
12:58
or we need teecloud for automatic syncing and accounts :DDDD
Avatar
here the ipv6 part tested
Avatar
ChillerDragon 2020-01-22 13:36:58Z
@heinrich5991 I know performing a SHA256 is not perfect but better than nothing imo. I'm sure in some cases it improves security at least a bit. We already have sha256 code so that should not add too much bloat. Or is sha256 also a DoS vector already?
Avatar
what's the difference between having your sha256 string vs having your password in regard to gaining access to your rcon?
Avatar
ChillerDragon 2020-01-22 13:39:37Z
so it is safe to use the password in multiple places @jxsl13 because if somebody sniffs my teeworlds traffic he never sees the actual password
13:40
so I can type in my easy to remember password like "bunnybunny400" and use the same pw for my online banking 😄
13:40
the attacker only gets a hash
13:40
and "bunnybunny400" doesn't show up in wireshark anymore
Avatar
if someone sniffs your traffic, that person knows your sha256 string and might use that to gain access?
Avatar
ChillerDragon 2020-01-22 13:40:47Z
well my bank does not allow entering a prehashed pw, they want "bunnybunny400"
13:41
so he has to crack it first
Avatar
why does he have to crack it ._.
Avatar
ChillerDragon 2020-01-22 13:41:38Z
you know how hashing works right?
Avatar
not enough, I guess
13:42
your pw is hashed
13:42
and the hash sent to the server
13:42
am I right?
Avatar
ChillerDragon 2020-01-22 13:42:51Z
the user types in bunnybunny400 in his client and the client then performs a sha256 locally and sends c4a5d06e0307dc3dfc208216eb31e5ef73efedaffc0390c83d6925a59b8f66a8 to the server
13:42
so c4a5d06e0307dc3dfc208216eb31e5ef73efedaffc0390c83d6925a59b8f66a8 can be sniffed
Avatar
ChillerDragon 2020-01-22 13:43:13Z
the server then looks at the config and hashes sv_rcon_password and then compares
13:43
what happens if someone knows your hash and sends it to that server?
Avatar
ChillerDragon 2020-01-22 13:43:49Z
nothing
Avatar
the server compares it against its own hash and he gains access?
Avatar
ChillerDragon 2020-01-22 13:44:05Z
13:44
it would be wrong password
13:44
oh wait
Avatar
I mean you can use a modified client in order not to hash that again
Avatar
ChillerDragon 2020-01-22 13:44:26Z
ah no
13:44
sorry me braindead
13:44
the teeworlds server is not protected
13:44
so sniffing the password and gaining rcon is possible
13:44
but the password itself is not leaked
13:45
so even if he hacked my tw server he doesn't know my fav password is bunnybunny400
Avatar
it would only protect the pw from being leaked, but not prevent people from gaining access to random rcon
Avatar
ChillerDragon 2020-01-22 13:45:18Z
yes
Avatar
ChillerDragon 2020-01-22 13:45:36Z
which is a good thing if you think about how many people reuse passwords
Avatar
well, if someone tells everyone where they reuse their rcon password as well, that might be another potential risk that needs fixing
13:46
xD
Avatar
ChillerDragon 2020-01-22 13:46:31Z
xd
13:46
fixing humans is hard
Avatar
uses hammer
Avatar
"People reuse passwords" I'm glad I don't do that, each one of identifyy servers has a different password, with numbers and stuff
Avatar
oof, numbers + stuff 😄 -> max length 10 -> "[\d]+stuff"
13:50
>:D
13:50
I don't talk about passwords, I just set my ban time high enough
13:50
x)
13:52
I'm implementing noby's anticheat system on most of my servers now
Avatar
😮 is it open source?
Avatar
No it's not
Avatar
:sadbunny:
Avatar
I just got the source, bc he hosts a server for us
13:52
But I ain't sharing it
Avatar
open source all the way 😮
13:53
what servers are going to be having that? what mods?
Avatar
Vanilla ones I guess
Avatar
Not really needed for block/ddrace servers
Avatar
don't host them as vanilla
13:53
or you might get a master server ban
13:53
like ctf+
Avatar
Ye I'm aware
Avatar
well on 0.6 there are already "vanilla" servers which are modified
13:54
for months/years
Avatar
report -> get them banned
Avatar
who even reports them if they don't change gameplay
Avatar
you can 😮
Avatar
yea, but devs or the ones which are responsible for the game should take a look into the game sometimes
Avatar
I think I have seen Oy once ingame
13:56
maybe
Avatar
Dune plays actively
Avatar
ChillerDragon 2020-01-22 13:58:38Z
Devs are not responsible for master bans
Avatar
I have seen oy too
Avatar
ChillerDragon 2020-01-22 13:59:01Z
and which modified servers are you talking about @ShootXen ?
Avatar
Don't worry about xen, xen is always complaining about something
Avatar
All kind of people :D, would be boring otherwise
Avatar
@ShootXen if you see modified servers displaying vanilla gametypes, you can report them with their IP here
14:08
That's how it has always worked
14:08
Surely you'll understand we don't have time to personally check every 0.6 server
Avatar
ChillerDragon 2020-01-22 14:09:06Z
@Dune he was talking about my servers
Avatar
ban them!
14:09
😮
Avatar
I guess how that goes with the script is a matter of opinion but I guess that should be fine
Avatar
@ChillerDragon you're not running modified servers as CTF, are you?
Avatar
my problem is, that when I restart servers too fast, they cannot rebind the econ socket... is there a way to fix that ._.
14:10
/econ port
14:11
his server is not modified, it just uses some, I call it, econ-strap-on extension 😄
Avatar
ChillerDragon 2020-01-22 14:11:38Z
no but it's easy to think that @Dune
Avatar
Ah, it's the econ servers, I see
Avatar
ChillerDragon 2020-01-22 14:11:50Z
y
Avatar
cheeky password "number and stuff"
16:31
my dictionary attack has it in a second
Avatar
[quakenet] rand BOT 2020-01-22 16:33:19Z
smth is weird with some ddnet server, they appear to announce 0 as PlayerSlots (while having connected players)
Avatar
That's probably my bad
17:13
When I have time I will fix it
17:14
Don't ban those, they rely on my source, I made some mistake I guess
Avatar
@ChillerDragon no, using plain SHA256 will just give you a false sense of security for your insecure password
17:42
@ChillerDragon DON'T REUSE PASSWORDS
17:42
if you do right now, get a password manager and make sure all your new passwords are unique
Avatar
I live a dangerous life :0
Avatar
don't reuse passwords :<
17:45
writing passwords down, using a password manager are all better than reusing passwords
Avatar
ChillerDragon 2020-01-22 17:47:57Z
yy ik
17:48
I do not use my tw passwords for anything else but still..
Avatar
then SHA256ing wouldn't help you at all
17:55
but even if you'd do that, a simple SHA256 does not save your weak password
Avatar
ChillerDragon 2020-01-22 18:03:39Z
not me but maybe others
18:04
oh and btw am I the only one who is afraid of entering real passwords in https://haveibeenpwned.com/ ?
Avatar
enter your mail instead
Avatar
ChillerDragon 2020-01-22 18:07:32Z
yea did that
18:07
woot I'm pwned xd
18:08
does it say where?
Avatar
yes
Avatar
ChillerDragon 2020-01-22 18:08:44Z
am I blind?
Avatar
maybe you need to confirm the email address first
Avatar
ChillerDragon 2020-01-22 18:09:08Z
ah younow
18:09
but that only leaks my younow pw not my actual mail pw huh?
18:09
I almost shit my pants
Avatar
yes
18:13
this is public leaks only btw
Avatar
you are getting informed via email which breach your email is part of.
Avatar
ChillerDragon 2020-01-22 18:29:23Z
I guess public leaks are the worst
Avatar
does solofng have a ranking?
18:32
give it a ranking, people love rankings
18:33
x)
18:36
I got a ranking repo actually for anyone to use it 😮
18:36
but only with redis and sqlite support.
18:37
(and only cmake)
Avatar
ChillerDragon 2020-01-22 19:07:50Z
yes it has a ranking
19:08
I use files and I have an annoying bug that sometimes breaks everything xd
19:33
just tell people it has ranking
Avatar
[quakenet] rand BOT 2020-01-22 19:36:54Z
@fokkonaut : I didn't find the origin on ddnet/ddnet7 repo (github)
20:14
well
20:14
I will look into it.
Exported 172 message(s)