Matrix Games Forums


ATTN: MATRIX: PWORDS ARE VISIBLE

 
ATTN: MATRIX: PWORDS ARE VISIBLE - 11/25/2019 10:24:42 PM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline
Following up on a recent discussion about passwords:

Just make all games "open" to join, rather than the existent
"non" password thing. I can see your passwords.

ATTN: Do not use your Matrix passwords for that.

Criminals might see that.

I am not a criminal, but if you post a game on the on line thing,
using a "password" ...

I guarantee that I can crack it at will.

I think that the "password" routine for creating new on line games
might be confusing for new players.

DO NOT USE YOUR MATRIX PASSWORD FOR THAT.

Cheers!


< Message edited by Hellen_slith -- 11/25/2019 10:26:57 PM >
Post #: 1
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/27/2019 10:54:21 AM   
Shadrach


Posts: 722
Joined: 10/16/2001
From: Oslo, Norway
Status: offline
That's surely interesting. Would you be able to give any more detail?
When you say you can see the password, do you mean it's visible in-game, or that the encrypted password is easily decrypted from the save-file?

Have you reported this to Matrix Support?

I tend to use simple passwords for PBEM anyway, figuring that the chances of an opponent cheating by obtaining my password would be minimal.

However, I have reported here (and to support) a long time ago, that when logging in to the PBEM++ system, your PBEM++ password as well as your serial# is sent over the internet in clear text, as the connection to the server is not encrypted. So any middleman snooping would easily be able to obtain it. But then again, who would be interested in that anyway - unless you use the same password for other services, like your email, and you don't do that right?

Here's an example. I've obfuscated any passwords and serials. Note that the "slith_exchange" password is *not* my password but the password used by the client (TOAW4) to authenticate to the Slitherine server. So I see no issue posting it here, as it's plainly readable by the world anyway...

GET /PBEM2/op_art_war_iv_pc/serial_information.php?serialNum=XXXXXXXXXXXXXXXXXXXXX&password=slith_exchange HTTP/1.1

GET /PBEM2/op_art_war_iv_pc/auth.php?serialNum=XXXXXXXXXXXXXXXXXX&login=XXXXXXXXXXXXX&password=XXXXXXXXXXXX HTTP/1.1

This information is easily available to anyone using the correct tool with minimal knowledge. Of course, this is run on my local machine so snooping is easy; an attacker would need to be positioned on your network, in your router, your ISP or somewhere along the route travelled by the data over the internet.


< Message edited by Shadrach -- 11/27/2019 11:09:43 AM >

(in reply to Hellen_slith)
Post #: 2
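The exposure described in post #2 (credentials carried in a GET query string over an unencrypted connection) can be checked for in captured or logged request lines. The following is an added example, not part of the original posts and not Matrix/Slitherine code; the parameter names beyond those quoted in the post, the placeholder values and the POST line are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names treated as secrets. The first three appear in the requests
# quoted above; "passwd" and "token" are assumed common variants.
SENSITIVE = {"password", "serialnum", "login", "passwd", "token"}

def audit_request(scheme, request_line):
    """Audit one 'METHOD target HTTP/x' line; return (findings, redacted_line)."""
    method, target, version = request_line.split(" ", 2)
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = [k for k, _ in pairs if k.lower() in SENSITIVE]
    findings = []
    if hits:
        # URLs are copied into server, proxy and client logs even under TLS.
        findings.append("secret in URL query string: " + ", ".join(hits))
        if scheme != "https":
            findings.append("no TLS: readable anywhere on the network path")
    safe = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    new_target = parts.path + ("?" + urlencode(safe) if safe else "")
    return findings, f"{method} {new_target} {version}"

def audit_capture(records):
    """records: iterable of (scheme, request_line). Return only flagged entries."""
    report = []
    for scheme, line in records:
        findings, redacted = audit_request(scheme, line)
        if findings:
            report.append((redacted, findings))
    return report

# Constructed sample: the two request shapes from the post with placeholder
# values, plus a hypothetical hardened form (credentials in a POST body, HTTPS).
SAMPLE = [
    ("http", "GET /PBEM2/op_art_war_iv_pc/serial_information.php?serialNum=XXXX&password=XXXX HTTP/1.1"),
    ("http", "GET /PBEM2/op_art_war_iv_pc/auth.php?serialNum=XXXX&login=XXXX&password=XXXX HTTP/1.1"),
    ("https", "POST /PBEM2/op_art_war_iv_pc/auth.php HTTP/1.1"),
]

if __name__ == "__main__":
    for redacted, findings in audit_capture(SAMPLE):
        print(redacted)
        for f in findings:
            print("  -", f)
```

The redacted line is the form that is safe to keep in a support ticket or a log; the findings list separates the two distinct problems (secret placed in the URL, and no transport encryption).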
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/27/2019 9:58:21 PM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline

quote:

ORIGINAL: Shadrach

That's surely interesting. Would you be able to give any more detail?
When you say you can see the password, do you mean it's visible in-game, or that the encrypted password is easily decrypted from the save-file?

Have you reported this to Matrix Support? ....

However, I have reported here (and to support) a long time ago, that when logging in to the PBEM++ system, your PBEM++ password as well as your serial# is sent over the internet in clear text, as the connection to the server is not encrypted. So any middleman snooping would easily be able to obtain it. But then again, who would be interested in that anyway - unless you use the same password for other services, like your email, and you don't do that right?

Here's an example. I've obfuscated any passwords and serials. Note that the "slith_exchange" password is *not* my password but the password used by the client (TOAW4) to authenticate to the Slitherine server. So I see no issue posting it here, as it's plainly readable by the world anyway...

GET /PBEM2/op_art_war_iv_pc/serial_information.php?serialNum=XXXXXXXXXXXXXXXXXXXXX&password=slith_exchange HTTP/1.1

GET /PBEM2/op_art_war_iv_pc/auth.php?serialNum=XXXXXXXXXXXXXXXXXX&login=XXXXXXXXXXXXX&password=XXXXXXXXXXXX HTTP/1.1

This information is easily available to anyone using the correct tool with minimal knowledge. Of course, this is run on my local machine so snooping is easy; an attacker would need to be positioned on your network, in your router, your ISP or somewhere along the route travelled by the data over the internet.



Ah, well, that is even more problematic. I only mentioned it b/c the routine of "creating" a challenge might be confusing, and that people should be aware that creating a "password" for a challenge really does not "password" a challenge. Perhaps there should be (instead) a mechanism where you can set a game to "PRIVATE" so that folks don't go in there and start accepting all the challenges, just to troll.

That routine (as it stands) is confusing ... it might lead people to think that they are creating an "open" challenge (when it is really a password that is visible, with the right tool and knowledge) and that the password is akin to the password for playing the game like in regular PBEM. That is not the case.

Also, that since the password IS visible, to be sure to not use a password that is your Matrix password (and, of course, to not use a password that you use for other things.)

That plain text file is troublesome ... if the game serial number is in there, too (and I'm not sure if it is or not, I only noticed that other password) then that is something that really should be addressed, I think. I don't think that is transmitted to others, but I can't tell. I'll look at it again, to see if I see any other anomalies.

The whole PBEM "plus plus" is kind of wacky, anyway. There are other minor issues with it that I hope they can fix someday. As for using any of that info for "cheating" for play style, I really don't care about that ... if someone wants to "cheat" on me, I just view it as more of a challenge, kind of like setting Elmer to "INTELLIGENCE equals "STRONG" and "CHEAT PLUS TWO" ... and if folks feel the need to cheat against me in the game, that just tells me that I'm getting stronger as a player. I'm pretty weak as far as that goes ... no need to cheat.

Okay, well, thanks for the info! Will try to see what else I can get to bring it up.

(in reply to Shadrach)
Post #: 3
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/27/2019 10:18:06 PM   
Shadrach


Posts: 722
Joined: 10/16/2001
From: Oslo, Norway
Status: offline
The whole PBEM++ system is a boondoggle held together with sticky tape and chewing gum.
I don't use it much and I've not created any passworded challenges, which I assume is what you're talking about (to block others from accepting it)?

I've played a couple of challenges the regular way, with passwords, and I think these are encrypted for each player into the save file itself, and I believe this system is secure enough. Unless this is what you mean, and the password for the PBEM++ opponent is easily read from somewhere?

The plain text I posted was from a network snooping program running on my local machine, and the strings are HTTP requests to the server. The password sent is the password used to log in to the system itself. The system sends my game's serial code as well, so if anyone is able to read that along the way, they will be able to register the game using my code.

(in reply to Hellen_slith)
Post #: 4
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/27/2019 10:28:53 PM   
Shadrach


Posts: 722
Joined: 10/16/2001
From: Oslo, Norway
Status: offline
Here's a fun game: Create a new passworded challenge, see if I can find the password you set for it

quote:

when it is really a password that is visible, with the right tool and knowledge


If you don't mind, I'd appreciate it if you'd PM me how you've found it? Or I suspect maybe you're using the same tools as I am.

< Message edited by Shadrach -- 11/27/2019 10:30:21 PM >

(in reply to Shadrach)
Post #: 5
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/27/2019 11:57:28 PM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline
quote:

ORIGINAL: Shadrach

Here's a fun game: Create a new passworded challenge, see if I can find the password you set for it

quote:

when it is really a password that is visible, with the right tool and knowledge


If you don't mind, I'd appreciate it if you'd PM me how you've found it? Or I suspect maybe you're using the same tools as I am.


Ok, I'll create ... a "Next War" challenge w/ a password
I'm sure you know how to start it, despite the "password"

Or, if you cannot start that game, then I'll need to show you how to "defeat" (that is, learn) that password

EDIT: challenge posted. Can Warsaw Pact defeat the password? Will CyberWar precede the next great conflict? The World holds its breath!

Your turn! Post a challenge w/ a password, and I'll start that game! BONUS POINTS for me: I'll tell you as much as I can about yourself, only from the challenge you post.

< Message edited by Hellen_slith -- 11/28/2019 12:23:36 AM >

(in reply to Shadrach)
Post #: 6
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/28/2019 12:34:24 AM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline
quote:

ORIGINAL: Shadrach

.... I've not created any passworded challenges, which I assume is what you're talking about (to block others from accepting it)? ....



Yes, exactly. Trolls might about, if so, then they could (conceivably) wreak havoc w/ the online "passworded" game system.

I could do that myself, easily enough, if I had a criminal mind.

But I don't, and point this out to TPTB so that they will fix it.

On a brighter note: when I get that microphone thing that plugs in to the computer thing, I plan to start an IRC channel for all of us TOAW peoples, so that we can talk to each other.

Should be a real boon for new folks asking questions about the game. I am a bit flabbergasted that it does not already exist.

Anyway, GAME ON! Crack that password!

< Message edited by Hellen_slith -- 11/28/2019 12:36:50 AM >

(in reply to Shadrach)
Post #: 7
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/28/2019 10:46:25 AM   
Shadrach


Posts: 722
Joined: 10/16/2001
From: Oslo, Norway
Status: offline
quote:

ORIGINAL: Hellen_slith
EDIT: challenge posted. Can Warsaw Pact defeat the password? Will CyberWar precede the next great conflict? The World holds its breath!


Muhahaha the Warsaw Pact will always prevail!

This guy:
https://en.wikipedia.org/wiki/Solomon_Grundy_(comics)

quote:


Your turn! Post a challenge w/ a password, and I'll start that game! BONUS POINTS for me: I'll tell you as much as I can about yourself, only from the challenge you post.


Done. 2nd Kharkov.

I'll be interested to know if you use a similar method to me or something else entirely. I mean, I just use this one:
https://nirsoft.net/utils/smsniff.html
Which is easy, not hacking at all, and perfectly legal

EDIT: Oh, I didn't think about the JSON log file. Man, that's even easier!
Well, that's just really badly thought out. Why in the world would they think logging that stuff to file was a good idea???

quote:

On a brighter note: when I get that microphone thing that plugs in to the computer thing, I plan to start an IRC channel for all of us TOAW peoples, so that we can talk to each other.


Sounds like a good plan. But you do know IRC has no voice chat right, just text?

I believe the one all the kids are using these days is:
https://discordapp.com/

I've grown up with IRC though, I don't like that fancy "voice chat" fluff anyway.


< Message edited by Shadrach -- 11/28/2019 11:11:03 AM >

(in reply to Hellen_slith)
Post #: 8
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/28/2019 2:32:26 PM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline
LoL I love Solomon Grundy! Esp. in Super Friends,

after Brainiac says, "All I want is a decent pair of pants!"

.... Solomon Grundy says, "Solomon Grundy want pants too!!!"

Yes the log text is the one with the password, not sure what else is in there. I will see here in a few minutes.

(in reply to Shadrach)
Post #: 9
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/28/2019 4:41:14 PM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline
Ah, yes, The Four Seasons is a great concerto.

There is a group called "Red Priest" who does some awesome Vivaldi videos, I like this one.

That one gal is about to saw her cello right in half!

https://www.youtube.com/watch?v=bjTh2huJh1k

(in reply to Hellen_slith)
Post #: 10
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 11/28/2019 8:01:20 PM   
Shadrach


Posts: 722
Joined: 10/16/2001
From: Oslo, Norway
Status: offline
Nicely done - actually it is my browser which is called Vivaldi: https://vivaldi.com/
That video is amazing though!

So we've shown it's possible to circumvent the password "protection" of challenges in the PBEM++ system. Thing is though, you'd need to first be logged in, so it's not something any random troll could do, but it's still a very bad design to log what's supposed to be secrets straight into a log file.

I tried to search my Matrix support tickets for any report I've made of the insecure network connection issue, couldn't find one. I might submit one, although in my experience with Matrix Support, nothing will ever happen. I might have just posted here on this forum about it but can't find it either.

I guess it's up to you whether you'd want the trouble of reporting the issue of the JSON file to TPTB. Knowing Matrix Support, the first reply you get will ask you to send a DXDiag log file to diagnose your "problem"

(in reply to Hellen_slith)
Post #: 11
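The design problem named in post #11, secrets written straight into a JSON log file, is usually handled by scrubbing records before they reach disk and by auditing logs already written. The following is an added example, not part of the original posts and not the game's code; the thread does not show the log's schema, so the key names and the sample records are constructed.

```python
import json

# Substrings that mark a key as secret. Assumed names: the page does not
# show the real log schema.
SECRET_KEYS = ("password", "passwd", "serial", "token")

def _is_secret(key):
    return any(s in key.lower() for s in SECRET_KEYS)

def scrub(node, path="$", found=None):
    """Return (redacted_copy, paths_of_secrets) for a parsed JSON value."""
    found = [] if found is None else found
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if _is_secret(key) and not isinstance(value, (dict, list)):
                if value in (None, ""):
                    out[key] = value            # nothing to leak
                else:
                    found.append(child)
                    out[key] = "[REDACTED]"
            else:
                out[key] = scrub(value, child, found)[0]
        return out, found
    if isinstance(node, list):
        return [scrub(v, f"{path}[{i}]", found)[0] for i, v in enumerate(node)], found
    return node, found

def scrub_log_text(text):
    """Scrub a JSON-lines log; return (clean_text, findings)."""
    clean, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            record = json.loads(line)
        except ValueError:
            clean.append(line)                  # kept verbatim, flagged below
            findings.append(f"line {n}: not JSON, review manually")
            continue
        safe, paths = scrub(record)
        findings += [f"line {n}: {p}" for p in paths]
        clean.append(json.dumps(safe))
    return "\n".join(clean), findings

# Constructed sample records (hypothetical field names and values).
SAMPLE_LOG = "\n".join([
    '{"event":"challenge_created","scenario":"Next War","challenge":{"host":"player_a","password":"hunter2"}}',
    '{"event":"challenge_list","items":[{"id":1,"password":""},{"id":2,"Password":"s3cret"}]}',
])

if __name__ == "__main__":
    text, report = scrub_log_text(SAMPLE_LOG)
    print(text)
    print(report)
```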
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 12/4/2019 7:15:40 PM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline
Yes, I was fortunate to attend a live performance of The Four Seasons at DSO ...

an amazing fiddle player did the solos.
I don't remember her name, but I do recall, saying to my guest
(while a second fiddle was "warming up" for the concert)

"Kind of LATE to be practicing that part, don't ya think?"

Also, at first, I was like ... why the link to Solomon Grundy?
Then it dawned on me. Grundy is my maternal Grandmother's maiden name LoL

LoL

ANYWAY, yes, it is a minor issue, but the whole "do you want to pword this game"
might be a bit confusing to people new to TOAW and the Slitherine "server" "on-line" thing.

FOR EXAMPLE: I noticed the other day a "passworded" game lingering there waiting for opponent,
so I emailed the "host" asking if I could join, if he wanted to play me in that (I had to scour these forums for his email)

He replied, "nah, is a game set up for my friend ...." That's cool. It still abides.

BUT, I then created a "mirror" game, WITHOUT a password, hoping that he might bite ....
instead, I got a Sand Bass, within not more than an hour ... GAME STARTED.

So, my takeaway from all that was,
(1) how to start a game "on line" and the "password" bit is totally confusing for new players
(2) there should be an EASY way to contact folks who DO "password" the game, maybe some sort of "contact this challenger" pouch;
(3) from another thread, there is confusion as to what to do when a player inadvertently "saves" the game, thus converting it to PBEM "regular"
(4) Mr. Cross's suggestion to just "replay" in that case via the server, is not supported that I can see
(5) and, of course, the TOTALLY FRUSTRATING "non mechanic" for last moves [scenario endings] whereby the "server" SHOULD automatically email that last PBL file to BOTH players, instead of saying, "YOU CAN REPLAY THE LAST MOVE etc. etc." which is completely untrue.

I see now why you say that whole system is held together only with duct tape and spit.

Did anyone even BETA that "on line" PBEM thing? As it stands, it really is in need of SERIOUS work.

Also, I have started to read through that JSON file, and there seem to be some "features" that have never borne fruit ... e.g., what is the "AWARDS" field in there, were we supposed to get medals at some point? Still reading through all JSON file, but I did notice "AWARDS" ... do we get awards? Or was that set aside at some point?

Curious. Okay, well, have a great day!





< Message edited by Hellen_slith -- 12/4/2019 7:17:00 PM >

(in reply to Shadrach)
Post #: 12
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 12/4/2019 7:44:27 PM   
jmlima

 

Posts: 591
Joined: 3/1/2007
Status: offline
The fact that this discussion is here and nobody from Matrix seems even remotely bothered about the fact that 'secure' pbem system is in fact bugger-all secure is somewhere between hilarious and depressing.

(in reply to Hellen_slith)
Post #: 13
RE: ATTN: MATRIX: PWORDS ARE VISIBLE - 12/4/2019 8:28:23 PM   
Hellen_slith


Posts: 1727
Joined: 10/10/2005
Status: offline
Yes, well in the meantime at least we can advise new players of the issues.

(1) if you want to start a game with anybody, then don't "password" the game (I suspect that some might think that that is just a password to start your move -- it is not ...) and,

(2) if you post a challenge with a password, and if it stays up more than a week or two, I *will* "crack" it and accept the challenge.

If only to remove it from the list.

In other words, if you want a game with anyone who is available, DO NOT "PASSWORD" IT.

Thus, my suggestion to be able to mark a challenge "PRIVATE" (with or without a "password"),

if folks do not want other folks starting the game.

EXAMPLE: a FitE2 game was posted a few months ago, with a password.
That challenge stayed on the list for WEEKS, until I took it upon myself
to investigate. On another forum, I found a post from that challenger, asking for an opponent for that game.

So I started the game. I spent two hours moving the Germans.
I absolutely SLAUGHTERED the Soviets on turn 1 (which usually happens in that scene).

He resigned <sigh>

Make it an "open" challenge.

(in reply to jmlima)
Post #: 14