Author Topic: Computermix, Ipquarx, and Cca - CBM being hacked into to steal keys [chat+pics]  (Read 51561 times)

if you haven't used CBM, they don't have your key.

He is in the OP



"Has not provided any API for hosting service owners to authenticate their clients' servers which means clients must give their key (although this could be an electronic process) to the hosting service for authentication. The keys of all the clients' can be decrypted and stolen by a person running the hosting service. Such a major security issue has not been patched and the keys of every hosting service user is threatened. Coupled with Badspot's "too bad, buy another key and give me more money" mentality towards key theft, this is a disaster waiting to happen."
June 2014

"Has not provided any API for hosting service owners to authenticate their clients' servers which means clients must give their key (although this could be an electronic process) to the hosting service for authentication. The keys of all the clients' can be decrypted and stolen by a person running the hosting service. Such a major security issue has not been patched and the keys of every hosting service user is threatened. Coupled with Badspot's "too bad, buy another key and give me more money" mentality towards key theft, this is a disaster waiting to happen."
June 2014
Hmm, weird.

Hmm, weird.
It couldn't be clearer that the lack of an authentication API caused this disaster. Forget about new features or updates. This basic authentication bug was neglected for years.

It's not a "bug," nor is it anything that he needs to "fix." There is no reason for Badspot to enable and help people profit off his game if he doesn't want to.
You shouldn't need some specific service for this game in the first place, setting up a server is so simple. Just get a VPS if you really can't support it locally.

It's not a "bug," nor is it anything that he needs to "fix."
If the easy, proven theft and decryption of authentication keys is not a security bug, what is?

What do you want him to do about that? The current system is already great if a user isn't a moron and doesn't hand out their information.

Honestly, Taboo is right. External hosting services can't be trusted if giving them your key is required.

So is there any solid proof that Computermix is even part of this? I can't really believe Cca and Paperclip's word on it. Especially since Cca is the one who's always been so interested in cracking keys and collecting revoked keys to find patterns...


"Has not provided any API for hosting service owners to authenticate their clients' servers which means clients must give their key (although this could be an electronic process) to the hosting service for authentication. The keys of all the clients' can be decrypted and stolen by a person running the hosting service. Such a major security issue has not been patched and the keys of every hosting service user is threatened. Coupled with Badspot's "too bad, buy another key and give me more money" mentality towards key theft, this is a disaster waiting to happen."
June 2014
you add your key to a file in FTP, then after the server auths for the first time the file is deleted, leaving only the key.dat

Not that I've seen. As far as I can tell, all he's really ever done is reverse engineering of programs anyway, which is a whole different ball game. It's not unthinkable that he could have helped out in some way, maybe key decryption, but it seems unlikely.

If the easy, proven theft and decryption of authentication keys is not a security bug, what is?
There's actually this very easy system in play to help prevent the theft of your key. It's called common sense!

Well Crap. Knew I probably did not need the service, if anything happens to my key my steam is rggbnnnnn.

Thanks for warning me about this.