Author Topic: RBL - Ephialtes  (Read 7167 times)

I see that there are security warning here, but honestly, I don't think that the thread should have been removed. It was a rather dramatic step.

I'm siding with cucumberdude. Say what you will, but I don't see enough justification in this.

I'm interested, because both of you - Ephialtes and Cucumberdude - seem to be pretty reasonable people. However, looking over the "evidence" you've provided, I've come to the conclusion that, indeed, the security breach was pretty serious, but since you've fixed that(?), it simply makes your website the same as any other like it that's posted on the forum. I do agree that adding a rule against them would be a good idea, but if he's just going to target only a few, I don't see the point. Forgive me if I'm wrong with anything I've mentioned in this post.
There was no security breach, to be clear. I think you mean security flaw. Nobody ever actually managed to access the data. Apart from that, I somewhat agree.

My point in asking for the creation of a rule was not because I think player owned sites are dangerous - it's because I felt like my site was being unfairly targeted. The idea was to show Ephialtes that his actions were inconsistent; the removal of my site seemed arbitrary.

I see that there are security warning here, but honestly, I don't think that the thread should have been removed. It was a rather dramatic step.

I'm siding with cucumberdude. Say what you will, but I don't see enough justification in this.
And thanks.

I think a PM asking me to incorporate password encryption would probably have been sufficient.

This is all good information and evidence, but the problem here is whether Ephialtes had the authority to take such action or not. Ephialtes' reason for taking down the site advertisement was completely valid and proper, however, it did not comply with any rules posted onto the General Section's rule list.

But, if forum administrators were restricted towards taking certain situations under their own jurisdiction, the forum members would be prone to higher amounts of rare dangers such as these.

-Ephialtes had no power over whether people still joined the site or not, nor did he have the power to take it down.

-Ephialtes' worry for the forum member's safety brought about the closing of your topic.

Even if this brings about no laws to back up his decision, it's completely valid, and respectively necessary to the safety of others browsing the forums.

If you look closely into the constitution of the United States, it says that the congress has the right to create laws that are "necessary and proper" for the improving of their country.

The same thing applies here. If the safety of the forum members comes into hand, Ephialtes will have a good mind to disregard the absence of an actual law to back up his decision, and make a move before somebody gets hurt.

(Keep in mind, the necessary and proper clause is extremely contradicting, and runs based off of the opinions of the representatives. So Ephialtes' decision can be looked at through many different perspectives.)

Ephialtes' reason for taking down the site advertisement was completely valid and proper
According to Ephialtes the reason of removal was 'because it stores passwords'.

There are many player owned web sites on the forums (take, for example, clan forums) that do the same. Why are they not removed?

If you look closely into the constitution of the United States, it says that the congress has the right to create laws that are "necessary and proper" for the improving of their country.
This is just stupid. The forums have nothing to do with the constitution. It's not a democracy, and there aren't 'laws'.

But, if forum administrators were restricted towards taking certain situations under their own jurisdiction, the forum members would be prone to higher amounts of rare dangers such as these.
[...]
The same thing applies here. If the safety of the forum members comes into hand, Ephialtes will have a good mind to disregard the absence of an actual law to back up his decision, and make a move before somebody gets hurt.
You seem to think that this has to do with some sort of serious threat to members. While before encryption it was, it no longer was afterward. I'm not trying to somehow diminish the authority of an administrator - I'm questioning whether the behavior was abusive. Of course in a situation where it was likely that I was collecting passwords for some evil master plan, Ephialtes would have been unquestionably in the right. The grey zone here is when does selective, arbitrary administration outside of the written rules become abusive. That's a question that's important to consider - and that's really difficult to answer.

Also, do note that cucumberdude cannot prove he added encryption.

Please note the difference between encrypting and hashing. With encryption you use a key which can then be used to reverse the action, while hashing is keyless and irreversible (except for rainbows/brute force).
Also, the serverside snippet that cucumber sent still assumed that passwords were stored serverside.

On a completely unrelated note, I think it would be interesting to see the security of storing the password as a known value (user id/username/email/registration date/you name it) encrypted using the password as a key. That way you could check if it decrypts correctly without storing the password directly.

On another unrelated note, cucumber, have you ever heard of OpenID?

Also, do note that cucumberdude cannot prove he added encryption.

And how exactly would he?


Encryption serverside cannot be proved.

Clientside encryption could be, but clientside encryption is pointless (assuming I'm not running some hurrdurr password collecting scam) because anybody who intercepted the password between the client and server would as good as have the password.

Please note the difference between encrypting and hashing. With encryption you use a key which can then be used to reverse the action, while hashing is keyless and irreversible (except for rainbows/brute force).
Also, the serverside snippet that cucumber sent still assumed that passwords were stored serverside.
Interesting, I didn't know that. Subtle difference. I have used AES in previous projects, so I'm used to saying 'encrypted'.

On a completely unrelated note, I think it would be interesting to see the security of storing the password as a known value (user id/username/email/registration date/you name it) encrypted using the password as a key. That way you could check if it decrypts correctly without storing the password directly.
So, using the password as a seed? I'm not really sure what the advantage would be, if the user wanted password recovery it would still be impossible.

On another unrelated note, cucumber, have you ever heard of OpenID?
Vaguely. Is it that global internet ID thing? I didn't think it was really all that widely used.

Clientside encryption could be, but clientside encryption is pointless (assuming I'm not running some hurrdurr password collecting scam) because anybody who intercepted the password between the client and server would as good as have the password.
No, anyone intercepting it could NOT as good as have the password, since they can't reverse the hashing, which means that they can't use it to access the account on other sites (assuming the same pass, etc).
Interesting, I didn't know that. Subtle difference. I have used AES in previous projects, so I'm used to saying 'encrypted'.
Using AES for passwords would be entirely useless.
So, using the password as a seed? I'm not really sure what the advantage would be, if the user wanted password recovery it would still be impossible.
I assume that you mean "recovering the old password".
No, that would be impossible which is one of the points about it.
However, what you usually do when you use a password recovery feature is that the site sends a new password to your e-mail. That would not be impossible, since the encrypted data is already known. What is not known is the encryption KEY. The thing is that you retrieve the encrypted data and the decrypted data from the database. Then you try decrypting it with the password as key, and if it succeeds you compare the decrypted data with the data from the database. If that succeeds, log me in; otherwise, refuse.
Vaguely. Is it that global internet ID thing? I didn't think it was really all that widely used.
Actually some big sites allow both using "their" account system and OpenID. Drupal (which I personally like quite a lot) ships with an OpenID module by default (although disabled); I'm not sure about how it handles passwords though.
Some big sites (for example StackExchange (StackOverflow, etc) and SuseStudio) only allow login via OpenID.
Also, for example, Google and Yahoo act as OpenID providers, which means that any site allowing OpenID logins can be logged into with your Google/Yahoo account.
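Two points in the posts above are easier to see in code: the difference between a reversible encryption and a keyless hash when storing credentials, and the proposed alternative of encrypting a known value (username, e-mail, registration date) under the password and verifying a login by decrypting it and comparing. The following is an added example written for this thread, not code from any poster or from the site being discussed. It uses only the Python standard library; the counter-mode cipher built from HMAC-SHA256 is a toy standing in for a real cipher, and every username, password and work factor is a constructed value.

```python
"""Added example: three ways a site could hold what it needs to check a login.

  1. plaintext storage   - what the thread criticises: the record IS the secret
  2. salted PBKDF2 hash  - keyless and not reversible; the usual fix
  3. a known value (the username) encrypted under a key derived from the
     password, checked by decrypting and comparing - the scheme proposed above

The stream cipher in (3) is a toy HMAC-SHA256 counter-mode keystream so the
example runs offline on the standard library; a real system would use a vetted
library cipher. Names, passwords and the iteration count are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; constructed choice for the example


# --- 1. plaintext: a copy of the database hands over every password directly
def store_plaintext(username, password):
    return {"user": username, "password": password}


def verify_plaintext(record, password):
    return hmac.compare_digest(record["password"], password)


# --- 2. salted hash: nothing in the record can be turned back into the password
def store_hashed(username, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt, "hash": digest}


def verify_hashed(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


# --- 3. known value encrypted under the password (toy cipher, see docstring)
def _keystream(key, nonce, length):
    """Counter-mode keystream: concatenated HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def store_encrypted_known_value(username, password):
    salt = os.urandom(16)
    nonce = os.urandom(16)
    # the password never touches the database; only a key derived from it
    # is used once, here, to encrypt a value the server already knows
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    known = username.encode()
    ciphertext = _xor(known, _keystream(key, nonce, len(known)))
    return {"user": username, "salt": salt, "nonce": nonce,
            "ciphertext": ciphertext}


def verify_encrypted_known_value(record, password):
    # decrypt with the offered password as the key and compare the result
    # with the known value stored beside the ciphertext, as the post describes
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              record["salt"], ITERATIONS)
    stream = _keystream(key, record["nonce"], len(record["ciphertext"]))
    recovered = _xor(record["ciphertext"], stream)
    return hmac.compare_digest(recovered, record["user"].encode())


if __name__ == "__main__":
    for store, verify in ((store_plaintext, verify_plaintext),
                          (store_hashed, verify_hashed),
                          (store_encrypted_known_value,
                           verify_encrypted_known_value)):
        rec = store("alice", "correct horse")        # constructed credentials
        print(store.__name__, verify(rec, "correct horse"),
              verify(rec, "Correct horse"))
```

Scheme 3 does what the post claims: the stored record contains the username, a salt, a nonce and a ciphertext, and the password itself is never written down. Note, though, that a record of scheme 3 is still an offline verifier exactly like the hash in scheme 2: whoever holds a copy of the database can test candidate passwords against it, which is why both schemes derive the key through a slow PBKDF2 rather than using the password bytes directly. What neither scheme can do, and what the plaintext store does, is give up the password to someone reading the table.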

These big ol' fancy arguments are fine and dandy, but what ya'll is forgetting is that this service is a) completely loving pointless, and b) should not require registrations in the first place.

These big ol' fancy arguments are fine and dandy, but what ya'll is forgetting is that this service is a) completely loving pointless, and b) should not require registrations in the first place.
I agree about it being pointless, however I do see a point in having some kind of auth. However (in my eyes) that auth could very well be provided via OpenID or anything.


I agree about it being pointless, however I do see a point in having some kind of auth. However (in my eyes) that auth could very well be provided via OpenID or anything.
OpenID is fine. The problem here is that the dude was storing a massive amount of passwords provided by members of Blockland in plain text, associated with their name and email. This isn't OK.