Author | Message | Time |
---|---|---|
shout | I was wondering the logon packet sequence for SC/BW/W2BE on to battle.net. Bnetdocs has been down for about 18 hours that I know of, and I'm just looking for some information. | July 29, 2004, 10:08 PM |
Lobo.id | July 29, 2004, 10:13 PM | |
St0rm.iD | wow, open bnetdocs is still in existance, nice. | July 29, 2004, 10:19 PM |
ChR0NiC | [quote author=Maddox link=board=17;threadid=7958;start=0#msg73275 date=1091139235] http://camel.ik0ns.com:86/wiki/index.php I always use that because it's open to every one and anyone can add or correct things. [/quote] Seems to be currently down :-\ or just running really slow. And Userloser's Packet Referral is great but it doesn't discuss 0x3A, 0x29 logon responses. Other than that, it's great. Edit: And the reason I think this is necessary is because he is using SC/BW/W2. | July 29, 2004, 10:48 PM |
UserLoser. | [quote author=ChR0NiC link=board=17;threadid=7958;start=0#msg73281 date=1091141330] And Userloser's Packet Referral is great but it doesn't discuss 0x3A, 0x29 logon responses. Other than that, it's great. [/quote] Laziness explains that. Maybe later tonight I'll work on it since I found some fun stuff in SSHR. | July 29, 2004, 10:51 PM |
Myndfyr | [quote author=Maddox link=board=17;threadid=7958;start=0#msg73275 date=1091139235] http://camel.ik0ns.com:86/wiki/index.php I always use that because it's open to every one and anyone can add or correct things. [/quote] I've had some problems accessing it from that URI now and then. He suggests using the redirector: http://wiki.ik0ns.com | July 29, 2004, 11:06 PM |
ChR0NiC | [quote author=UserLoser. link=board=17;threadid=7958;start=0#msg73282 date=1091141480] Laziness explains that. Maybe later tonight I'll work on it since I found some fun stuff in SSHR. [/quote] Sorry I didn't mean it as an attack on you :-[ [quote author=Myndfyre link=board=17;threadid=7958;start=0#msg73285 date=1091142364] I've had some problems accessing it from that URI now and then. He suggests using the redirector: http://wiki.ik0ns.com [/quote] Thanks runs much better than the original | July 29, 2004, 11:43 PM |
OnlyMeat | [quote author=Maddox link=board=17;threadid=7958;start=0#msg73275 date=1091139235] http://camel.ik0ns.com:86/wiki/index.php I always use that because it's open to every one and anyone can add or correct things. [/quote] Cool :) | July 29, 2004, 11:48 PM |
Eli_1 | I like it because it hasn't IPbanned me for typing my password wrong 3-4 times. :-\ *shakes fist* Damn you bnetdocs for banning me! | July 29, 2004, 11:58 PM |
shout | Off topic: Eli_1, about your signature, how do you SAIL in a canoe? Can you really do that? | July 30, 2004, 12:11 AM |
Arta | I moved house, so I lost my connection for a bit. It's back up now. Eli: I've removed that ban as well now. BnetDocs will no longer ban normal accounts for failed logons. | July 30, 2004, 12:59 AM |
PaiD | Message We're sorry, but BnetDocs is currently unavailable. Please try again later. Got that after I logged in | July 30, 2004, 1:05 AM |
St0rm.iD | gogo open bnet docs! | July 30, 2004, 1:11 AM |
Arta | hmm. It's really there now. DNS was being screwy. | July 30, 2004, 1:13 AM |
Maddox | Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time. | July 30, 2004, 1:25 AM |
ChR0NiC | [quote author=Maddox link=board=17;threadid=7958;start=15#msg73307 date=1091150733] Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time. [/quote] I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P | July 30, 2004, 2:26 AM |
UserLoser. | [quote author=ChR0NiC link=board=17;threadid=7958;start=15#msg73311 date=1091154380] [quote author=Maddox link=board=17;threadid=7958;start=15#msg73307 date=1091150733] Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time. [/quote] I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P [/quote] Get Mozilla Firefox. You won't ever have to type in a password again. | July 30, 2004, 2:45 AM |
Spht | [quote author=UserLoser. link=board=17;threadid=7958;start=15#msg73314 date=1091155543] [quote author=ChR0NiC link=board=17;threadid=7958;start=15#msg73311 date=1091154380] [quote author=Maddox link=board=17;threadid=7958;start=15#msg73307 date=1091150733] Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time. [/quote] I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P [/quote] Get Mozilla Firefox. You won't ever have to type in a password again. [/quote] It has voice recognition? | July 30, 2004, 2:51 AM |
St0rm.iD | Now that's truly a great way to input your password. Someone could listen in...and you can't say weird ones like xkJ867Z | July 30, 2004, 3:08 AM |
Arta | If someone can suggest a secure way to do it then I'll add a 'remember my logon' checkbox. It can't: - Store password in cookie - Keep session open forever | July 30, 2004, 3:34 AM |
Eli_1 | shout -- I have no idea. I saw storm say it in a previous thread, and I just had to use it as my sig. I was crackin' up. Arta -- Thanks. :D | July 30, 2004, 4:04 AM |
shout | I still can't get to bnetdocs... | July 30, 2004, 4:37 PM |
Adron | [quote author=Arta[vL] link=board=17;threadid=7958;start=15#msg73324 date=1091158499] If someone can suggest a secure way to do it then I'll add a 'remember my logon' checkbox. It can't: - Store password in cookie - Keep session open forever [/quote] Make a cookie consisting of user name, time, and secret. Something like this: Adron:12345678:b95d5bbba7e84699ab9286d7a686be00 The secret is calculated in this way: H:\>echo Adron:12345678:artassecret|md5sum b95d5bbba7e84699ab9286d7a686be00 *- "artassecret" could either be a fixed secret value for your application, or a unique secret for each user. It shouldn't be the password, because it mustn't be brute-forceable. A 128-bit random number would be good. You can reset the cookie with a new logon time each time the user visits bnetdocs, or you can set it just once and then the user will have to relogon after a certain time. Spot any weaknesses here? Edit: This is the way I made the user name information transfer from the forum to the radio station btw. | July 30, 2004, 4:38 PM |
ChR0NiC | [quote author=Adron link=board=17;threadid=7958;start=15#msg73368 date=1091205485] It shouldn't be the password, because it mustn't be brute-forceable. A 128-bit random number would be good. Spot any weaknesses here? [/quote] Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account. | July 30, 2004, 5:09 PM |
Arta | Adron: That's how I store session cookies already. I don't want to keep sessions open for extended periods of time. The only other option is to automatically log people on, which requires a usable saved password. Even if that method were used, the old problem that having a hash of a password is the same as having the password itsself still applies. Chronic: None of this applies to normal users. | July 30, 2004, 5:19 PM |
UserLoser. | [quote author=ChR0NiC link=board=17;threadid=7958;start=15#msg73375 date=1091207379] I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account. [/quote] Viewing information that certain users do not want to be revealed to other people who they may not trust or know. | July 30, 2004, 6:08 PM |
Kp | [quote author=Arta[vL] link=board=17;threadid=7958;start=15#msg73377 date=1091207985]I don't want to keep sessions open for extended periods of time.[/quote] Why not? It's not exactly a high level of overhead to save a few extra cookies serverside. :) | July 30, 2004, 6:35 PM |
Arta | It exposes the system to session theft. | July 30, 2004, 8:32 PM |
St0rm.iD | If you can bruteforce a 160-bit number, get back to me. | July 30, 2004, 9:02 PM |
BinaryzL | [quote author=$t0rm link=board=17;threadid=7958;start=15#msg73401 date=1091221348] If you can bruteforce a 160-bit number, get back to me. [/quote] I could..with my quantum computer. | July 31, 2004, 4:09 AM |
St0rm.iD | Give every person in India a calculator. | July 31, 2004, 4:27 AM |
ChR0NiC | [quote author=$t0rm link=board=17;threadid=7958;start=30#msg73447 date=1091248028] Give every person in India a calculator. [/quote] And a carton of smokes >:( | July 31, 2004, 4:28 AM |
Adron | [quote author=Arta[vL] link=board=17;threadid=7958;start=15#msg73377 date=1091207985] Adron: That's how I store session cookies already. I don't want to keep sessions open for extended periods of time. The only other option is to automatically log people on, which requires a usable saved password. Even if that method were used, the old problem that having a hash of a password is the same as having the password itsself still applies. Chronic: None of this applies to normal users. [/quote] It's not a session cookie - it's an automatic logon cookie. You can use the same secret for all users, you don't have to store anything extra for each user that would require resources on the server. The users won't be having a hash of a password, they'll be having a hash of name + time + shared secret. They can't use that to log on as any other user. They also can't obtain the password from the cookie. | July 31, 2004, 12:07 PM |
Adron | [quote author=Arta[vL] link=board=17;threadid=7958;start=15#msg73399 date=1091219577] It exposes the system to session theft. [/quote] This is what people want - the ability to have their computer log them in automatically. That necessarily means that the computer will have whatever token is required to authenticate. And yes, that token could be stolen. Those tokens could be stolen already, from the password cache in IE or whatever corresponding function there is in other browsers. Since the session cookies are unique to each user, it's not possible to make an attack based on setting the cookie in your domain ahead of time. Since that's impossible, what would remain is to use a cross-site scripting attack. If your site is vulnerable to cross-site scripting, it can be compromised already, so no reason to worry about that any more for this case. | July 31, 2004, 12:10 PM |
Adron | [quote author=ChR0NiC link=board=17;threadid=7958;start=15#msg73375 date=1091207379] Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account. [/quote] It's about the principles. The same thing could be used to protect your bank account. Now, do you spot any weaknesses there? | July 31, 2004, 12:12 PM |
Twix | [quote author=Adron link=board=17;threadid=7958;start=30#msg73475 date=1091275946] [quote author=ChR0NiC link=board=17;threadid=7958;start=15#msg73375 date=1091207379] Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account. [/quote] It's about the principles. The same thing could be used to protect your bank account. Now, do you spot any weaknesses there? [/quote] actaully not 2 long ago sombody cracked into the visa accounts and they end up having to cancle over a million creidt cards | July 31, 2004, 2:52 PM |
KkBlazekK | Why not just have no login? Its saves on thinking a secure way... | August 12, 2004, 5:02 AM |