76
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
77
Development / 2020/05/03 - Blockland r2005-r2012
« on: May 03, 2020, 05:33:24 AM »
r2005
This update patches 2 buffer overflow bugs in response to this ongoing incident.
It is also compiled in the latest version of visual studio with Control Flow Guard enabled. This may provide some general protection against this type of bug.
There may be some side effects. I have noted a slight performance decrease, but it seems to be unrelated to CFG.
I am planning a more thorough solution to the compromised key problem, please be patient.
r2006
Addressed another potential vulnerability of the same type.
r2007
Many unsafe string copy and concatenation operations updated.
r2009
Minor cleanup, one additional buffer limit fix
Removed "-1" event on Speedkart_Lighthouse
Removed ultra shortcut on Speedkart_Descent
Brightened lighting on Speedkart_Harbor
I have re-enabled key authentication, with the limitation that it will not work on new IP addresses. That means you can log in and play as normal, but only if your IP is the same as it was a few days ago (or the last time you logged in).
Everyone in the list of stolen keys who had a steamID linked to their account has been made steam-only. Of the remaining keys on the list, I found suspicious log in activity on the following BLIDs:
4578
20406
22324
27013
30372
35295
39877
43110
46163
I reverted their IP addresses to what they were before this started. There may be other compromised keys, but given the pattern here there probably aren't that many that were actually logged into.
This isn't a complete solution obviously, it's just a stop-gap to let a few more people play while I implement a more permanent fix.
The permanent solution is going to be using steam for authentication. Having everyone store a password on their computer is just too high value of a target with too large of an attack surface. It's stressful enough just keeping them on my server.
You will be able to host dedicated servers
You will be able to keep your BLID (even alts)
You will be able to have multiple installation folders
It's going to take a little bit of time. If I don't implement everything at once or the plan changes, try not to sperg out immediately.
r2011
Removed case where key.dat would be cleared when auth failed
Updated to latest steamworks sdk
r2012
Fix for unintended change in stricmp behavior
This update patches 2 buffer overflow bugs in response to this ongoing incident.
It is also compiled in the latest version of visual studio with Control Flow Guard enabled. This may provide some general protection against this type of bug.
There may be some side effects. I have noted a slight performance decrease, but it seems to be unrelated to CFG.
I am planning a more thorough solution to the compromised key problem, please be patient.
r2006
Addressed another potential vulnerability of the same type.
r2007
Many unsafe string copy and concatenation operations updated.
r2009
Minor cleanup, one additional buffer limit fix
Removed "-1" event on Speedkart_Lighthouse
Removed ultra shortcut on Speedkart_Descent
Brightened lighting on Speedkart_Harbor
I have re-enabled key authentication, with the limitation that it will not work on new IP addresses. That means you can log in and play as normal, but only if your IP is the same as it was a few days ago (or the last time you logged in).
Everyone in the list of stolen keys who had a steamID linked to their account has been made steam-only. Of the remaining keys on the list, I found suspicious log in activity on the following BLIDs:
4578
20406
22324
27013
30372
35295
39877
43110
46163
I reverted their IP addresses to what they were before this started. There may be other compromised keys, but given the pattern here there probably aren't that many that were actually logged into.
This isn't a complete solution obviously, it's just a stop-gap to let a few more people play while I implement a more permanent fix.
The permanent solution is going to be using steam for authentication. Having everyone store a password on their computer is just too high value of a target with too large of an attack surface. It's stressful enough just keeping them on my server.
You will be able to host dedicated servers
You will be able to keep your BLID (even alts)
You will be able to have multiple installation folders
It's going to take a little bit of time. If I don't implement everything at once or the plan changes, try not to sperg out immediately.
r2011
Removed case where key.dat would be cleared when auth failed
Updated to latest steamworks sdk
r2012
Fix for unintended change in stricmp behavior
78
Drama / Key Compromise
« on: May 02, 2020, 10:53:04 PM »
A number of Blockland keys have been compromised. The method is currently unknown.
Current hypotheses:
I have taken the following actions to mitigate the chaos while this plays out:
Email or message me if you have actual knowledge of the problem.
Edit: Blockland r2005 released.
Current hypotheses:
- Remote code execution - A malicious server would exploit a buffer overflow or similar flaw to execute arbitrary code on clients that joined (or vice versa). Exploits of this nature have been found before, and a number of bad actors are constantly looking for them.
- Exploit in Blockland Glass - I don't know anything about this mod. Beyond social engineering attacks (ie making a fake 'enter your key' dialog), script code should not be able to read the key data, but there may be bugs/exploits/oversights around this protection.
- Database compromise - This seems extremely unlikely to me because no famous retired accounts have been compromised. My key has no special protections and I doubt an attacker could resist the temptation.
I have taken the following actions to mitigate the chaos while this plays out:
- Disabled non-steam authentication
- Disabled linking keys to Blockland forum accounts
- Disabled converting Blockland keys to steam accounts
Email or message me if you have actual knowledge of the problem.
Edit: Blockland r2005 released.
81
Clan Discussion / Re: Square Society: See Cape Gloire! Join The Brighter Dark's servers!
« on: April 05, 2020, 10:58:49 AM »
Bump
82
Drama / Re: What Garry's Mod playermodel did you use?
« on: January 12, 2020, 11:46:47 AM »Quote
The reporter has made the following comment:
extremely likely chance this is an alt of tito/torin/edd/whoever as it's impersonating my steam account, https://steamcommunity.com/id/Roooasss/
Quote
The reporter has made the following comment:
although not the post itself, the profile is impersonating the user "Rose the Floran"'s steam account and it's most likely an alt of a problem user.
Quote
The reporter has made the following comment:
Impersonator; the impersonator is also a guy who has been harassing the person they've impersonated as; potential Thot Patrol account
Discuss.
83
Games / MOVED: Re: What Garry's Mod playermodel did you use?
« on: January 12, 2020, 09:25:59 AM »84
Off Topic / Re: Post real life pictures of yourself.
« on: October 18, 2019, 10:49:35 AM »
"Sleep" is habitual problem user "Donnies Catch", "hootaloo", "Toothed Deer" and probably a dozen others.
85
Drama / Re: whos the worst furry on the forums
« on: October 07, 2019, 04:25:20 AM »Big avatars 2, kinda
I have no tolerance for people hoarding bugs. If there's a problem you need to describe it properly or I'm just going to ban everyone who did it and call it a day.
86
Drama / Re: whos the worst furry on the forums
« on: October 06, 2019, 06:42:54 PM »
Whats wrong with the forum software this time?
87
Drama / Latest kidalex ban
« on: July 30, 2019, 09:27:37 PM »
Kidalex on his latest alt posted an "hrt item" add-on that in addition to its advertised features, contained code that would change the shapename of certain blockland users to "transmission friend".
The problem is not that the add-on is offensive or that it uses bad words.
The problems are:
The trojan horse nature of this add-on is what warrants an immediate ban. I know you're going to have your silly discord wars, but don't try to recruit other servers into it with back door code.
The problem is not that the add-on is offensive or that it uses bad words.
The problems are:
- The add-on is labeled as an item and but is actually an abuse/vendetta list
- The add-on undermines base functionality of Blockland (shapename) for no reason other than abuse/vendetta
The trojan horse nature of this add-on is what warrants an immediate ban. I know you're going to have your silly discord wars, but don't try to recruit other servers into it with back door code.
88
Drama / Re: pkfire literally out of control and he needs to be stopped
« on: July 22, 2019, 01:16:25 AM »
There. I literally cannot tell the difference between compromised accounts and normal user behavior in this place.
89
Development / 2019/07/13 - Blockland r2000
« on: July 13, 2019, 05:40:47 PM »
Fixes for some issues reported by CompMix:
- Security issue related to a network event.
- Fix for one type of speed hack.
- Fixed splash objects not being deleted.
90
Off Topic / Re: Google goes NUCLEAR | Project Veritas CENSORED
« on: June 25, 2019, 07:35:47 PM »
So who needs to get banned here?
HULKHOGANWWFWORLDCHAMPION
Meth
CuboneĀ½
SubDaWoofer
CM1107ProjectInfinium
?
HULKHOGANWWFWORLDCHAMPION
Meth
CuboneĀ½
SubDaWoofer
CM1107ProjectInfinium
?