Topics - Badspot

1
General Discussion / MOVED: until we meet again
« on: August 22, 2023, 02:54:50 AM »

2
Drama / MOVED: guys what the hell
« on: March 31, 2021, 09:24:26 AM »

3
Drama / MOVED: Anime and Manga Megathread
« on: November 29, 2020, 10:56:06 PM »

4
General Discussion / MOVED: An Apology to eveyone.
« on: October 15, 2020, 10:40:36 PM »

5
Off Topic / MOVED: forget! instead of OUCH!
« on: August 04, 2020, 07:35:39 PM »

6
Development / 2020/05/29 - Blockland r2033
« on: May 29, 2020, 09:55:15 AM »
Blockland r2033
  • Duplicate clients are now kicked by default.  If you want to allow multi-clienting, set $Pref::Server::AllowMultiClient = 1
  • Fixed case where netEvents could overflow the packet buffer and be partially sent.  This should fix some cases of freezing during datablock load and "(Mis)" disconnects.

7
Development / 2020/05/20 - Blockland r2023-r2031
« on: May 20, 2020, 04:16:50 AM »
Blockland r2023
  • The Blockland client now requires Steam to join internet games.  LAN and single player are unrestricted.
  • You can still use the launcher or a portable installation, you just need to have Steam running in the background.
  • Dedicated servers do not use Steam, but must have a login token in order to post to the master server (details below)
  • Multiple BLIDs can be linked to one Steam account.
  • You can no longer change your username.  One BLID = one name.
  • Everyone with the default "Blockhead" name has had their name cleared and will be able to set a new name when they log in.
  • My BLID has changed from 0 to 1.
  • Joining a server is now more complicated than before.  I would advise that add-ons should avoid direct creation or manipulation of GameConnection objects.  Just use the default ConnectToServer(%address, %password, %useDirect, %useArranged) script function if you have your own server browser/join gui.

There are many code changes involved here so if you see any bugs with names, joining, hosting, etc, don't hesitate to report them.

Blockland r2024
  • Added getKeyNumID() back in for add-on compatibility.

Blockland r2025
  • I meant getNumKeyID()
  • Added isUnlocked() for backwards compatibility, always returns true.

Blockland r2026
  • Fixed server list bug
  • Compiled without control flow guard

Blockland r2029
  • Renamed parts of default joinServerGui in an attempt to avoid add-on interference
  • Fixed joining passworded servers
  • Fixed passworded servers not showing up as orange
  • Fixed server filters
  • Fixed server list mixing up as pings come in
  • Added %client.bl_id back in for add-on compatibility
  • Fixed main.cs syntax error/unterminated string
  • Added steam_appid.txt to support using steam from launcher/portable install

Blockland r2030
  • Fixed eval error on colorGui
  • Improved error message when joining a server using old arguments, now immediately gets "Bad connection arguments" instead of going ahead with auth and getting "invalid blid"
  • More join dialog renaming in attempt to avoid mystery add-ons

Blockland r2031
  • Fixed server list not pinging more than 10 servers
  • Selected blid is now remembered in a $pref and automatically applied
  • Can now multi-client on a server without auth failing



Convert your game to Steam:

You can link Blockland IDs to your Steam account using your original purchase email.  Other methods of conversion will be added based on feedback, but this is the most sure-fire.
  • If you do not already use Steam, create a new account
  • Choose the purchase email method, forum email method, or key method and log in with Steam
  • You will be redirected to the Steam site to log in, and then redirected back to Blockland.us.  The page uses OpenID; your login credentials never leave the Steam site.
  • Enter the email address you used to purchase Blockland.
  • A list of Blockland IDs purchased from that email will be displayed.  Select the ones that you wish to link to your Steam account.
  • Click "Request Email Link".  A confirmation email will be sent to you.
  • Open the email and click the confirmation link within 1 hour.



Hosting a dedicated server:
  • Connect your Blockland ID to Steam (see above)
  • Go to the Dedicated Server Token Management page.
    • A list of your BLIDs will be displayed
    • Click "Regen" to get a dToken for each BLID you want to host a dedicated server with
    • Copy the token and add it to your dedicated server command line arguments like so:
-dtoken 5716e25fa0c81149e2c24b977aa20f3e

    It's basically a password that allows a dedicated server to post to the master server in your name.  They can be regenerated at any time, so there is reduced risk in using them on a third party hosting provider.  However, you are still responsible for what is done with your login tokens, protect them accordingly. 

    You'll also need to log in to your BLID on the client at least once to set the username. 

9
General Discussion / MOVED: Problems running the Steam Version
« on: May 05, 2020, 01:29:09 PM »

10
General Discussion / MOVED: THE BLOCKENING
« on: May 03, 2020, 05:30:50 AM »

11
Development / 2020/05/03 - Blockland r2005-r2012
« on: May 03, 2020, 04:33:24 AM »
r2005
This update patches 2 buffer overflow bugs in response to this ongoing incident.

It is also compiled in the latest version of visual studio with Control Flow Guard enabled.  This may provide some general protection against this type of bug.

There may be some side effects.  I have noted a slight performance decrease, but it seems to be unrelated to CFG.


I am planning a more thorough solution to the compromised key problem, please be patient.

r2006
Addressed another potential vulnerability of the same type.

r2007
Many unsafe string copy and concatenation operations updated.

r2009
Minor cleanup, one additional buffer limit fix
Removed "-1" event on Speedkart_Lighthouse
Removed ultra shortcut on Speedkart_Descent
Brightened lighting on Speedkart_Harbor



I have re-enabled key authentication, with the limitation that it will not work on new IP addresses.  That means you can log in and play as normal, but only if your IP is the same as it was a few days ago (or the last time you logged in).

Everyone in the list of stolen keys who had a steamID linked to their account has been made steam-only.  Of the remaining keys on the list, I found suspicious log in activity on the following BLIDs:

4578
20406
22324
27013
30372
35295
39877
43110
46163

I reverted their IP addresses to what they were before this started.  There may be other compromised keys, but given the pattern here there probably aren't that many that were actually logged into.

This isn't a complete solution obviously, it's just a stop-gap to let a few more people play while I implement a more permanent fix.



The permanent solution is going to be using steam for authentication.  Having everyone store a password on their computer is just too high value of a target with too large of an attack surface.  It's stressful enough just keeping them on my server.

You will be able to host dedicated servers
You will be able to keep your BLID (even alts)
You will be able to have multiple installation folders

It's going to take a little bit of time.  If I don't implement everything at once or the plan changes, try not to sperg out immediately.



r2011
Removed case where key.dat would be cleared when auth failed
Updated to latest steamworks sdk

r2012
Fix for unintended change in stricmp behavior

12
Drama / Key Compromise
« on: May 02, 2020, 09:53:04 PM »
A number of Blockland keys have been compromised.  The method is currently unknown.

Current hypotheses:
  • Remote code execution - A malicious server would exploit a buffer overflow or similar flaw to execute arbitrary code on clients that joined (or vice versa).  Exploits of this nature have been found before, and a number of bad actors are constantly looking for them.
  • Exploit in Blockland Glass - I don't know anything about this mod.  Beyond social engineering attacks (ie making a fake 'enter your key' dialog), script code should not be able to read the key data, but there may be bugs/exploits/oversights around this protection.
  • Database compromise - This seems extremely unlikely to me because no famous retired accounts have been compromised.  My key has no special protections and I doubt an attacker could resist the temptation.

I have taken the following actions to mitigate the chaos while this plays out:
  • Disabled non-steam authentication
  • Disabled linking keys to Blockland forum accounts
  • Disabled converting Blockland keys to steam accounts

Email or message me if you have actual knowledge of the problem.

Edit: Blockland r2005 released.

13
Gallery / MOVED: Retro 1980s lego city
« on: April 21, 2020, 07:55:26 AM »

14
Gallery / MOVED: Lego pirate build
« on: April 21, 2020, 07:55:17 AM »

15
Games / MOVED: Re: What Garry's Mod playermodel did you use?
« on: January 12, 2020, 08:25:59 AM »
