Author Topic: RBL - Ephialtes (Read 7176 times)

IkeTheGeneric · March 11, 2011, 08:19:46 PM

Quote from: TheFutureOfDark on March 11, 2011, 07:52:30 PM

Seriously stop using images as a way to talk that's not how you converse with other human beings

Ad Bot · Advertisement

cucumberdude · March 11, 2011, 09:00:42 PM

Quote from: DontCare4Free on March 11, 2011, 04:43:30 PM

No, anyone intercepting it could NOT as good have the password since they can't reverse the hashing which means that they can't use it to use the account on other sites (assuming same pass, etc).

That's true. But it still doesn't offer much of an advantage as compared to serverside encryption.

Quote from: DontCare4Free on March 11, 2011, 04:43:30 PM

Using AES for passwords would be entirely useless.

I was referring to a different project. I am fully aware that AES can be decrypted. I use md5 for this.

Quote from: DontCare4Free on March 11, 2011, 04:43:30 PM

I assume that you mean "recovering the old password".
No, that would be impossible which is one of the points about it.
However, what you usually do when you use a password recovery feature is that the site sends a new password to your e-mail. That would not be impossible since the encrypted data is already known. What is not known is the encryption KEY. The thing is that you retrieve the encrypted data and the decrypted data from the database. Then you try decrypting it with the password as key and then if it succeeds you compare the decrypted data with the data from the database. If those succeeds, log me in, otherwise, refuse.

That's just over complicating things... Easier to apply a simple md5 hash, seeing as there aren't really any advantages to seeding with a password. Interesting idea all the same.

Quote from: DontCare4Free on March 11, 2011, 04:43:30 PM

Actually some big sites allow both using "their" account system and OpenID. Drupal (which I personally like quite much) ships with an OpenID module by default (although disabled), I'm not sure about how it handles passwords though.
Some big sites (for example StackExchange (StackOverflow, etc) and SuseStudio) only allows login via OpenID.
Also, for example Google and Yahoo acts as OpenID providers which means that any site allowing OpenID-logins can be logged into with your Google/Yahoo account.

Interesting.

That was a nice tech discussion but, back on topic of the drama...

Quote from: Iban on March 11, 2011, 08:07:23 PM

OpenID is fine. The problem here is that the dude was storing a massive amount of passwords provided by members of Blockland in plain text, associated with their name and email. This isn't OK.

That is incorrect. Re-read the ENTIRE thing, then post. Passwords are md5 hashed.

Quote from: DontCare4Free on March 11, 2011, 05:07:32 PM

I agree about it being pointless

Quote from: Iban on March 11, 2011, 04:53:05 PM

this service is a) completely loving pointless

Yall are right. What's the point of a rating system? Nothing but a lil' source of entertainment. Not really worthwhile. Hey forget it, while we're at it, what's the point of blockland? So loving pointless man. Just some bullstuff game that you enjoy. forget that stuff. Bro brb throwing computer out of window, that stuff is so pointless - I just use it for games and pointless stuff like that.

Come on, that's a terrible argument. It really doesn't matter what the service is - if it's safe and legitimate, it shouldn't be banned from the forums.

Kalphiter · March 12, 2011, 12:24:07 AM

Quote from: cucumberdude on March 11, 2011, 09:00:42 PM

It really doesn't matter what the service is - if it's safe and legitimate, it shouldn't be banned from the forums.

Obviously you have failed to fulfill that.

DrenDran · March 12, 2011, 12:32:07 AM

Quote from: Iban on March 11, 2011, 08:07:23 PM

OpenID is fine. The problem here is that the dude was storing a massive amount of passwords provided by members of Blockland in plain text, associated with their name and email. This isn't OK.

But would you have known this if he didn't tell you?

Kalphiter · March 12, 2011, 12:33:20 AM

Quote from: DrenDran on March 12, 2011, 12:32:07 AM

But would you have known this if he didn't tell you?

He admitted to not having any encryption at all, and at this point it's still not provable.

Custard · March 12, 2011, 12:35:55 AM

Quote from: cucumberdude on March 11, 2011, 03:27:41 AM

According to Ephialtes the reason of removal was 'because it stores passwords'.

There are many player owned web sites on the forums (take, for example, clan forums) that do the same. Why are they not removed?
This is just stupid. The forums has nothing to do with the constitution. It's not a democracy, and there aren't 'laws'.
You seem to think that this has to do with some sort of serious threat to members. While before encryption it was, it no longer was afterward. I'm not trying to somehow diminish the authority of an administrator - I'm questioning whether the behavior was abusive. Of course in a situation where it was likely that I was collecting passwords for some evil master plan, Ephialtes would have been unquestionably in the right. The grey zone here is when does selective, arbitrary administration outside of the written rules become abusive. That's a question that's important to consider - and that's really difficult to answer.

I'm not saying you're a threat to the community members, I'm just stating that Ephialtes has absolute authority over taking your topic down, and the necessary and proper clause was a prime example of this power. In this case, Ephialtes has the right to force rules that are necessary and proper for the safety of the community, whether they are actual rules or not.

Thanks to Ephialtes' good jurisdiction, however, there's hardly any corruption from the administrative branch of members. However, when taking laws, or rules, into ones own hands, one must elaborate and interpret what is right and what is wrong according to current rules. This is where Ephialtes has it hard in troubled situations like these.

Also, the process of forcing and creating laws has absolutely nothing to do with Democracy.

And in technicality, anything that must be followed in order to keep order in a certain community is called a law, and that applies towards the forum rules. Of course you're not going to find this rule under the rule list, but that's where this good interpretation and jurisdiction comes in. Ephialtes had a choice to make, and this decision made the most sense at the time.

Now, having been "fixed" of it's issue, I'd suspect Ephialtes would let you continue to advertise your website. I have yet to discover the reasoning behind that.

cucumberdude · March 12, 2011, 01:26:45 AM

Quote from: Custard on March 12, 2011, 12:35:55 AM

Now, having been "fixed" of it's issue, I'd suspect Ephialtes would let you continue to advertise your website. I have yet to discover the reasoning behind that.

Sorry, I must have misunderstood you. This is how I feel as well. The problem being that

Quote from: Kalphiter on March 12, 2011, 12:33:20 AM

at this point it's still not provable

There's really no way I can prove that I'm using serverside encryption - people just have to take my word for it.

Of course, that's often the case, even RTB doesn't encrypt clientside, and the data they're handling is far more important (private mods and whatnot).

DontCare4Free · March 12, 2011, 05:39:27 AM

Quote from: cucumberdude on March 11, 2011, 09:00:42 PM

I use md5 for this.

MD5 is old and has been broken. Use SHA1 instead.

Quote from: cucumberdude on March 12, 2011, 01:26:45 AM

Of course, that's often the case, even RTB doesn't encrypt clientside, and the data they're handling is far more important (private mods and whatnot).

So you claim that private mods are more important than passwords?

Also, it would be possible to prove that you aren't storing passwords in plaintext if you just used OpenID instead.

UncleNinja · March 12, 2011, 05:46:05 AM

Quote from: DontCare4Free on March 12, 2011, 05:39:27 AM

MD5 is old and has been broken. Use SHA1 instead.

Actually, SHA1 has some issues of its own, although they aren't as serious. Really he should be using a subset of SHA-2 like SHA256.

cucumberdude · March 12, 2011, 01:15:29 PM

Quote from: DontCare4Free on March 12, 2011, 05:39:27 AM

MD5 is old and has been broken. Use SHA1 instead.

Eh, probably safe enough. These aren't bank accounts, and let's face it - I doubt anybody on the forums can even exploit md5's vulnerabilities.

I supposed I could go and SHA-2 hash on top of the md5... lol

DontCare4Free · March 12, 2011, 01:46:00 PM

Quote from: cucumberdude on March 12, 2011, 01:15:29 PM

Eh, probably safe enough. These aren't bank accounts, and let's face it - I doubt anybody on the forums can even exploit md5's vulnerabilities.

I supposed I could go and SHA-2 hash on top of the md5... lol

Just use OpenID and the whole problem will go away.

DrenDran · March 12, 2011, 10:07:00 PM

Quote from: DontCare4Free on March 12, 2011, 01:46:00 PM

Just use OpenID and the whole problem will go away.

You're quite the supporter.

Iban · March 12, 2011, 10:09:42 PM

I'm not signing up any website Blockland related that is not on the blockland.us website, or on returntoblockland.com. That's just stupid.

IkeTheGeneric · March 12, 2011, 10:11:19 PM

Quote from: Iban on March 12, 2011, 10:09:42 PM

I'm not signing up any website Blockland related that is not on the blockland.us website, or on returntoblockland.com. That's just stupid.

I think I'm going to sign up an account there with the password "forgetyoukalphiter"

lol

DrenDran · March 12, 2011, 10:54:32 PM

Quote from: Iban on March 12, 2011, 10:09:42 PM

I'm not signing up any website Blockland related that is not on the blockland.us website, or on returntoblockland.com. That's just stupid.

Wait, you'd sign up for return to blockland but no other?
Assuming you use a new password, there's no risk at all, and if the webhost isn't handicapped, there wouldn't be any risk anyway. Granted this post isn't supposed to imply any opinions about OP or his website.