CypherJF I gargle nitroglycerin
Gender: Joined: Aug 14 2003 Posts: 2582 Location: USA Offline
Posted: Fri Jun 15, 2007 6:24 pm
*takes a pin and pops bd's balloon, laughs, and walks away* har...
_________________
Performance is often the art of cheating carefully. - James Gosling
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Fri Jun 15, 2007 8:43 pm
-prizes himself prox (huge radius) and fires a huge bomb towards cypher (he used up all his repels and I have anti on. All he can do is esc q)
Muhahaha.
J/k <3
If they want mysql they will go to you. If they don't do mysql, they will (hopefully) come to me. All is fair.
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Fri Jun 15, 2007 9:25 pm
Smong wrote:
    How about making it save banners. Make sure there are ?changepassword and ?adduser op commands (and an option to not allow new users, so only ?adduser can be used).
Everything added. Any more suggestions?
CypherJF I gargle nitroglycerin
Gender: Joined: Aug 14 2003 Posts: 2582 Location: USA Offline
Posted: Fri Jun 15, 2007 9:27 pm
BDwinsAlt wrote:
    -prizes himself prox (huge radius) and fires a huge bomb towards cypher (he used up all his repels and I have anti on. All he can do is esc q)
    Muhahaha.
    J/k <3
    If they want mysql they will go to you. If they don't do mysql, they will (hopefully) come to me. All is fair.
Or if they want subgame to connect to it.
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Fri Jun 15, 2007 9:39 pm
Don't make me add subgame support. Reiz mich nicht. (Don't tempt me)
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Sat Jun 16, 2007 7:07 pm
How are you saving stuff to disk? Custom DB (like pocob)?
_________________
ss news
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Sat Jun 16, 2007 8:07 pm
Just a custom way of saving everything to text files. I split different parts with a colon.
Login uses... Name:MD5Password:Squad:Email (?setemail)
An example: BDwinsAlt:a1b2c3d4e5f6g7h8:UBill:bdwinsalt@gmail.com
There are obviously different files for different things (like ?ban).
I was going to use MySQL, but Cypher was using it, I didn't want to think about people using JDBC + MySQL (some don't have a clue), and it was just easy for people who don't want to run any other special software.
It may be slower and a bit more work to code, but it works fine. I timed a login: 2 ms. That's after it reads the bans, banfree, and operators, and decides whether or not they are banned, then allows them to login. I thought that was awesome. I understand that it will differ from machine to machine because of different processor speeds. If it has 2 ms on mine, it shouldn't be too much slower on any other PC.
Cypher and his MySQL.
Mine GO BOOM Hunch Hunch What What
Age:40 Gender: Joined: Aug 01 2002 Posts: 3614 Location: Las Vegas Offline
CypherJF I gargle nitroglycerin
Gender: Joined: Aug 14 2003 Posts: 2582 Location: USA Offline
Posted: Sat Jun 16, 2007 10:02 pm
If the person has the salt, and knows what role the salt plays into the password hash, how much more effort is created on their end?
Mine GO BOOM Hunch Hunch What What
Age:40 Gender: Joined: Aug 01 2002 Posts: 3614 Location: Las Vegas Offline
Posted: Sat Jun 16, 2007 10:45 pm
You'd have to regenerate a whole new rainbow table just for it. The reason for the salt is so every password hash is unique. If player A and player B both used the same password, no one would know. And if player C used a commonly hashed password such as 'password', the cracker wouldn't be able to notice that instantly.
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Sun Jun 17, 2007 12:18 am
Oh I see. I'll definitely add that. Why would anyone want to steal passwords from a game? I know people do it, but I think it's retarded. Ahh well it's easy enough to add a few characters to the end. Thanks for the suggestion.
Edit: Added to auth, password commands, and adduser. I made a random 5 character string containing letters and numbers to be added to the end of the password. That should be a lot more secure. Any more suggestions?
Doc Flabby Server Help Squatter
Joined: Feb 26 2006 Posts: 636 Offline
Posted: Sun Jun 17, 2007 6:32 am
Don't use MD5 for passwords; it's not designed for it, and it can be cracked in a few hours using a bot-net/distributed computer. Use SHA-512 instead.
I haven't given up on skybill, btw, just trying to figure a way to develop the database bit more elegantly
_________________
Rediscover online gaming. Get Subspace | STF The future...perhaps
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Sun Jun 17, 2007 6:58 am
Now going back to the DB, are you opening the files every time you want to find something, or are you loading everything into memory when the program starts? I think pocob loads everything into mem; being Java, there's probably an overhead for that.
CypherJF I gargle nitroglycerin
Gender: Joined: Aug 14 2003 Posts: 2582 Location: USA Offline
Posted: Sun Jun 17, 2007 9:02 am
I'd recommend using SQLite, it's a nice storage application. There's talk that Mozilla Firefox 3 will be using it for offline storage.
Mine GO BOOM Hunch Hunch What What
Age:40 Gender: Joined: Aug 01 2002 Posts: 3614 Location: Las Vegas Offline
Posted: Sun Jun 17, 2007 10:28 am
How are you two dealing with longer usernames? Subgame supports accepting a 32 character username from the login packet, but then only deals with 20 characters later on. I don't remember how Grelminar deals with the security hole in ASSS, but I believe the billing server needs to deal with it for subgame to be secure.
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Sun Jun 17, 2007 3:33 pm
Right now my biller only supports ASSS. (Once I get everything done for that one, I'll add subgame support.)
Right now I don't have a max length on user names. I could add one. Having an extremely long name is ridiculous anyway. I could easily make a max length and deny entry if it's over that length, the way I have it set up.
As for the login thing, it opens the file each time. I guess I could load it into memory and update it each time a password is changed or a squad is changed.
I think it's easier just to load it each time. It only takes a few ms to load everything for a player to enter the game. I'll play around and see what's best.
By adding the salt, wouldn't that make the salted MD5 passwords almost uncrackable unless they found out what the salt was?
Say a password is server; if I make it server9iw2v and I MD5 that, who is going to have that on their list of possible passwords? Should I add bytes to the password as well?
Making a = ? or something crazy like that. I think everything is pretty secure after salting and MD5. I know I wouldn't be able to crack it if I tried. You can only get an MD5 password by encoding and seeing if it matches. Someone would have to think of that password before anyone could even try to crack it.
I doubt anyone would think of the password I used as an example (server9iw2v). (That isn't what I used, but it's the same concept.)
CypherJF I gargle nitroglycerin
Gender: Joined: Aug 14 2003 Posts: 2582 Location: USA Offline
Posted: Sun Jun 17, 2007 4:06 pm
I ensure no username is greater than 24 characters since this is the smallest limitation either in the client<->server, or server <-> biller UDP protocol. There is/was some debate whether or not the 24 characters includes a \0.
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Sun Jun 17, 2007 4:57 pm
ASSS trims it to 19 characters when you login, but it can be changed afterwards (for example ^ prefix) up to 23 characters long.
@BDwinsAlt
Doc Flabby wrote:
    don't use md5 for passwords ... it can be cracked in a few hours using a bot-net/distributed computer.
CypherJF I gargle nitroglycerin
Gender: Joined: Aug 14 2003 Posts: 2582 Location: USA Offline
Posted: Sun Jun 17, 2007 5:24 pm
Updated my src to max out the user name at 23 characters.
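Cypher's 23-character cap above and BDwinsAlt's colon-separated Name:MD5Password:Squad:Email records earlier in the thread (plus Smong's question about loading the file into memory) come down to the same thing: every field is validated once, at the boundary, before it is written, and a bad record is rejected rather than silently truncated or split into extra fields. The following is an added example in Python, not the biller's own Java code: a small in-memory account store that parses those records, refuses any field containing the delimiter or a line break, enforces the name limit, and round-trips back to the file format. The field names, the 23-character constant, the case-insensitive lookup and the sample lines are assumptions constructed for this example.

```python
"""Account-file store for colon-separated Name:PasswordHash:Squad:Email records.

Added example; not BDwinsAlt's biller code. Field names, the 23-character
name limit, case-insensitive lookup and the sample data are all assumptions.
"""

DELIM = ":"
FIELDS = ("name", "password_hash", "squad", "email")
MAX_NAME_LEN = 23  # assumption: the limit Cypher settles on for the zone <-> biller protocol


def validate_field(value, field, required=True):
    """Reject values that would corrupt a line-per-record, colon-separated file."""
    if required and not value:
        raise ValueError(f"{field} must not be empty")
    if DELIM in value:
        raise ValueError(f"{field} must not contain {DELIM!r}")
    if not value.isprintable():  # also rejects \r and \n, which would end the record early
        raise ValueError(f"{field} contains control characters")
    return value


def validate_name(name):
    """Names are checked once here and never silently truncated later on."""
    validate_field(name, "name")
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"name longer than {MAX_NAME_LEN} characters")
    if name != name.strip():
        raise ValueError("name must not start or end with whitespace")
    return name


def parse_line(line):
    """Split one record; a ':' inside a field shows up as a wrong field count."""
    parts = line.rstrip("\r\n").split(DELIM)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    validate_name(rec["name"])
    validate_field(rec["password_hash"], "password_hash")
    return rec


class AccountStore:
    """Whole file held in memory (Smong's suggestion); lookups are case-insensitive (assumption)."""

    def __init__(self):
        self._accounts = {}

    def load(self, text):
        """Load records; returns a list of 'line N: reason' for every line that was skipped."""
        errors = []
        for lineno, line in enumerate(text.splitlines(), 1):
            if not line.strip():
                continue
            try:
                rec = parse_line(line)
            except ValueError as exc:
                errors.append(f"line {lineno}: {exc}")
                continue
            key = rec["name"].lower()
            if key in self._accounts:
                errors.append(f"line {lineno}: duplicate name {rec['name']!r}")
                continue
            self._accounts[key] = rec
        return errors

    def add_user(self, name, password_hash, squad="", email=""):
        """What an ?adduser / ?setemail handler would call; every field is validated first."""
        rec = {
            "name": validate_name(name),
            "password_hash": validate_field(password_hash, "password_hash"),
            "squad": validate_field(squad, "squad", required=False),
            "email": validate_field(email, "email", required=False),
        }
        key = rec["name"].lower()
        if key in self._accounts:
            raise ValueError(f"name {name!r} already taken")
        self._accounts[key] = rec
        return rec

    def get(self, name):
        return self._accounts.get(name.lower())

    def __len__(self):
        return len(self._accounts)

    def dump(self):
        """Serialise back to the file format; values were validated on the way in."""
        return "".join(DELIM.join(r[f] for f in FIELDS) + "\n" for r in self._accounts.values())


# Constructed sample file: two good records, one with ':' inside a field, one over-long name.
SAMPLE_FILE = (
    "BDwinsAlt:a1b2c3d4e5f6g7h8:UBill:alice@example.com\n"
    "Mallory:ffffffffffffffff:Squad:Name:mallory@example.com\n"
    "ThisNameIsWayTooLongForTheProtocol:0000000000000000::\n"
    "Bob:1234567890abcdef::\n"
)

if __name__ == "__main__":
    store = AccountStore()
    for err in store.load(SAMPLE_FILE):
        print("skipped", err)
    print(len(store), "accounts loaded")
    print(store.dump(), end="")
```

Rejecting a record with the wrong field count, instead of taking the first four parts, is what keeps a colon typed into ?setemail from shifting every later field; the same validation on add_user means the file can only ever contain lines that parse back cleanly.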
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Sun Jun 17, 2007 6:44 pm
Ok I'm going to salt + md5, and then put it into sha-512. Is that secure enough?
I hope so.
Edit: That's what I did. Should be a lot more secure now. Doubt anyone will crack it.
Mine GO BOOM Hunch Hunch What What
Age:40 Gender: Joined: Aug 01 2002 Posts: 3614 Location: Las Vegas Offline
Posted: Sun Jun 17, 2007 8:24 pm
BDwinsAlt wrote:
    Ok I'm going to salt + md5, and then put it into sha-512. Is that secure enough?
You should never hash a hash. That just makes it worse. Pick one, and only use one.
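Mine GO BOOM's two points (a per-user salt makes identical passwords produce different hashes, and one hash function rather than a hash of a hash) and BDwinsAlt's question whether the scheme only holds up while the salt stays unknown, as an added example in Python. This is not the biller's code. It goes beyond the thread's single salted SHA-512: it uses PBKDF2-HMAC-SHA512 from the standard library, an iterated construction built around one hash, and it stores the random per-user salt in the clear beside the digest, because the salt's job is uniqueness, not secrecy. The record layout, the iteration count, and the helper that upgrades an old unsalted MD5 record on a successful login are assumptions for this example.

```python
"""Per-user salted password hashing for an account file.

Added example, not the thread's biller code. PBKDF2-HMAC-SHA512, the
'$'-separated record layout, the iteration count and the MD5 migration
path are assumptions made for this example.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed cost parameter; raise it as hardware allows
SALT_BYTES = 16
ALGO = "pbkdf2_sha512"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'algo$iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn per call, so two players (or one player
    twice) with the same password get different records. '$' is the inner
    separator so the record still fits in a colon-separated line.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:  # wrong field count, bad hex, or bad integer
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def legacy_md5(password):
    """The unsalted MD5 the thread started with (assumed record: 32 hex chars, no salt)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def needs_rehash(stored):
    """True for any record not written by hash_password, e.g. an old unsalted MD5."""
    return not stored.startswith(ALGO + "$")


def check_login(stored, password):
    """Verify a login; return (accepted, replacement_record_or_None).

    An old unsalted MD5 record is accepted one last time and replaced on
    the spot, so the file migrates as players log in (assumption: those
    are the only two record formats present).
    """
    if needs_rehash(stored):
        if hmac.compare_digest(legacy_md5(password), stored.lower()):
            return True, hash_password(password)
        return False, None
    return verify_password(stored, password), None


if __name__ == "__main__":
    a = hash_password("server")
    b = hash_password("server")
    print("same password, different records:", a != b)
    print("md5('password') is a well-known table entry:", legacy_md5("password"))
    ok, upgraded = check_login(legacy_md5("password"), "password")
    print("legacy login accepted and upgraded:", ok, not needs_rehash(upgraded))
```

Because the salt is part of the record, someone holding the file does know it; what they cannot do is reuse one precomputed table across all players, and at 100,000 iterations each guess costs them as much as it costs the biller. The `check_login` path is how an existing Name:MD5Password file would move over without a forced password reset.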
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Wed Jun 20, 2007 5:18 pm
Ok, I took out one of the hashes. I also added a module that will be open source so players can add whatever they want. I made it handle all commands and events before it goes to that module because I don't want players to be able to steal passwords when ?password is sent. So you can only add commands that don't already exist.
You can get the following things from UBillConnect to UBillCmd:
Pid, cmd, arg, bang, out
PID = Player ID who sent the command.
CMD = the actual command sent.
ARG = The argument for the command.
BANG = The player's bang level
OUT = The thing used to send messages back to the server.
I'll post an example once I get on my other pc.
/*
Author: BDwinsAlt
Edited: June 20, 2007 [4:33 AM]
Credits:
Smong - Showing me factory classes allowing me to send messages across zones.
Doc Flabby - Commenting his code to show me how ASSS handles events.
Mine GO Boom - Keeping me in line and allowing me to continue posting on his forums.
CypherJF - Being a cool friend and giving me ideas. (Love ya)
Sass - Didn't help me with biller, but he is cool. (Lova ya, too)
Hamm - Being patient while I was updating the biller.
Sonic VI - Allowing me to test my netban command on an actual player and not myself.
*God* - For being there for me and allowing me to have the things I need in order to live and code.

*** ~Important Information~ ***
----------------------------------------------------------------------
pid = Player ID
cmd = Command that was sent
arg = argument for that command
bang = user's bang level (5 = Netop ... 1 = Mod [0 for Player] )
out = The thing used to send the message.
----------------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Send can be modified to send sounds if you like.
E.g.: send = "MSG:" + pid + ":12:"; [Use right before out.println()]
See ?newbie command for more information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ This is the only part I can leave open source because of security issues.
~ Existing commands won't get sent here; there is no use in trying to get passwords this way.
TIP: Don't separate parts of a command with a colon; this will cause multiple args and you are only granted one.
Split them using something else (like a semicolon or something). [Until I edit]
*/
import java.io.*;

public class UBillCmd {
    // Create a way for UBillConnect to get the information to send.
    // Handle all commands here
    public void handleCmd(String pid, String cmd, String arg, int bang, PrintWriter out)
    {
        // Treat a missing argument as empty so the ?man checks below cannot throw.
        if (arg == null) { arg = ""; }
        // This is just to keep you from typing it each time.
        String send = "MSG:" + pid + ":0:";
        // Find out if the command equals something below.
        // *About*
        if (cmd.equalsIgnoreCase("about"))
        {
            out.println(send + "I am a simple, lonely biller. I just sit here and listen to all your commands.");
        }
        // *Bstaff*
        else if (cmd.equalsIgnoreCase("bstaff"))
        {
            BufferedReader in = null;
            try {
                // Opens bstaff.txt file for reading.
                in = new BufferedReader(new FileReader("bstaff.txt"));
                String lines = in.readLine();
                while (lines != null)
                {
                    out.println(send + lines); // Sends the text to the player line by line
                    lines = in.readLine();     // Reads the next line
                }
            } catch (IOException e) {
                out.println(send + "Unable to locate bstaff.txt."); // File missing or unreadable
            } finally {
                // Closes the file even if reading failed part way through
                if (in != null) { try { in.close(); } catch (IOException ignored) {} }
            }
        }
        // *Levels*
        else if (cmd.equalsIgnoreCase("levels"))
        {
            out.println(send + "NetOp = 5");
            out.println(send + "Owner = 4");
            out.println(send + "SysOp = 3");
            out.println(send + "SMod = 2");
            out.println(send + "Mod = 1");
        }
        // *Poetry*
        else if (cmd.equalsIgnoreCase("poetry"))
        {
            out.println(send + "Roses are red. Violets are blue. All my base are belong to you.");
        }
        // ~~ Start Man section ~~
        else if (cmd.equalsIgnoreCase("man"))
        {
            if (arg.equalsIgnoreCase(""))
            {
                out.println(send + "Etc. Commands: ?about, ?bstaff, ?levels, ?poetry");
            }
            else if (arg.equalsIgnoreCase("about"))
            {
                out.println(send + "Args: None");
                out.println(send + "Syntax: ?about");
                out.println(send + "Description: Sends a little information about the biller.");
            }
            else if (arg.equalsIgnoreCase("bstaff"))
            {
                out.println(send + "Args: None");
                out.println(send + "Syntax: ?bstaff");
                out.println(send + "Description: Displays biller staff.");
            }
            else if (arg.equalsIgnoreCase("levels"))
            {
                out.println(send + "Args: None");
                out.println(send + "Syntax: ?levels");
                out.println(send + "Description: Displays the different operating levels.");
            }
            else if (arg.equalsIgnoreCase("poetry"))
            {
                out.println(send + "Args: None");
                out.println(send + "Syntax: ?poetry");
                out.println(send + "Description: Displays a simple, geeky poem.");
            }
        } // End Man section
        else if (cmd.equalsIgnoreCase("newbie") && bang == 0)
        {
            // Example of sending things your own way using different sounds and bang levels.
            out.println("MSG:" + pid + ":3:" + "Newb!");
        }
    } // End handleCmd
} // End Class
Edit: Forgot to take a comment out. You can send more than one line of text back.
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Sat Jun 23, 2007 2:09 am
I have a screen shot of my progress. I just now added a small GUI for now. I can pack it into a jar because I won't have to worry about a console anymore. I think it looks better this way. The reason the top is a charcoal color is because my system theme is overriding the Java theme.
The GUI was just something sudden. It wasn't really that complex either. I'll be adding more GUIs to it. I may add a setup GUI so you can just execute a jar and enter the values.
I could also make a name removal system (old names get removed) with this.
A person could set a last login date of something like July 4, 2002 (pretending the database is that old) and any logins from before then would be deleted.
Any ideas/suggestions?
I plan on making it so you can change the welcome message and network name (like SSBD) while the biller is running.
HUGE thanks again to Smong. I've been using that factory class like crazy.
Oops, forgot to include a ban/invalid login example. Oh well. You see the basic idea.
Edit: Looks a bit weird for now. I added config (I figured password is more important than network name). BTW, the text field for greeting has more content in front of it. You can keep typing and typing. It doesn't stop at the edge.
[Attachment: Screenshot-5.png, 21.89 KB]
[Attachment: Screenshot-4.png, 19.89 KB]
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Sat Jun 23, 2007 11:34 am
If you change settings via the GUI, do they save back to config files? Or is everything hardcoded? Also, that class is a "singleton" apparently, so you'll have to stop calling it a factory.
BDwinsAlt Agurus's Posse
Age:33 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Sat Jun 23, 2007 4:06 pm
But I store lots of objects. I'll just call it a Smong class.
The greeting and password are loaded from the file when the setup utility is started. When you click save & quit, it saves whatever is in the boxes to the file. So if you don't change anything it stays the same (still updates it, but it will be the same information). If you change something, it updates with the new information.
I'm pretty sure the biller loads the password each time a zone tries to connect to see if it matches the current one. It should, since I'm pretty sure the greeting does that.
EDIT: I will try to tie up any loose ends and release a beta before my vacation on Wednesday to Sunday.
You guys can beta test it (if you want) and report any issues to me.
I did most of my coding in the middle of the night (12-5am or so) so it may have small grammar issues.
I can't make it better until I know what's wrong with it first.