Author Topic: The current key.dat format is insecure.  (Read 4579 times)

Did you report this to badspot directly before posting it publicly? If not, you failed to do proper responsible disclosure.

This isn't a full exploit, I suppose, but if they're smart enough to get their hands on key.dat files, they're probably smart enough to put the pieces together.
« Last Edit: November 09, 2014, 12:25:12 PM by Lugnut »

not really scary, he needs a key.dat file to do it. he can't do it over the air.
Sort of related
it's not cbmhost's fault that this jackass hacked into the FTP and somehow decrypted the key.dat file
it was probably a bruteforce attack

Xalos is my new role model.

Quote
Did you report this to badspot directly before posting it publicly? If not, you failed to do proper responsible disclosure.
why report a bug to the creator directly when you can do that AND get everyone to kiss your ass at the same time??

Compy, the reason this issue still exists is because Badspot has been neglecting it. The best bet to get it fixed would be to make fixing the error a necessity.

Quote
Compy, the reason this issue still exists is because Badspot has been neglecting it. The best bet to get it fixed would be to make fixing the error a necessity.
True, but only after it has definitely been raised to his attention. If you send a PM to badspot about the bug, and he fails to respond and fix it in a reasonable amount of time (say, a month, or a week depending on how critical it is) then you sound alarms about how stuffty of a dev he is.

If he does respond and fixes it, you could still make the "I'm awesome" post. This benefits everyone - you get your ass kissing, the bug is patched, and the dev gets to save face.

As it stands, Xalos presumably skipped that step and went right to the stage where he unleashes an exploit into the public without giving the developer any chance to respond.

Quote
True, but only after it has definitely been raised to his attention. If you send a PM to badspot about the bug, and he fails to respond and fix it in a reasonable amount of time (say, a month, or a week depending on how critical it is) then you sound alarms about how stuffty of a dev he is.

If he does respond and fixes it, you could still make the "I'm awesome" post. This benefits everyone - you get your ass kissing, the bug is patched, and the dev gets to save face.

As it stands, Xalos presumably skipped that step and went right to the stage where he unleashes an exploit into the public without giving the developer any chance to respond.
Thankfully you can't really exploit it unless you hack a hosting service.


http://en.wikipedia.org/wiki/Grey_hat
Quote
Whereas white hat hackers generally advise companies of security exploits quietly, grey hat hackers generally "advise the hacker community as well as the vendors and then watch the fallout".

okay. guess it shows which side of the line xalos is on
Quote
Thankfully you can't really exploit it unless you hack a hosting service.
true, which is arguably the primary redeeming factor here

Quote
okay. guess it shows which side of the line xalos is on

Actually, the whole article exists in an attempt to explain that grey hat hackers are on neither side of the line; they sit on the line and are in both black hat and white hat territory.

Quote
Actually, the whole article exists in an attempt to explain that grey hat hackers are on neither side of the line; they sit on the line and are in both black hat and white hat territory.
i guess I was thinking the line between white and grey, although you're more right

ok so let me understand this. the suggestion here is to salt the encryption

whatever the hell this code means, it is in a way salting. looks more like the code used for ROT13 but with random values stapled to it. anyway the CPU and MACAddress + "XXXXX" act as a salt
Quote
byte[] bCPU = Encoding.ASCII.GetBytes(CPU);            // needs using System.Text;
byte[] bHex = Encoding.ASCII.GetBytes("XXXXX" + MACAddress);
// Assumed reading of the snippet: index both identifier arrays cyclically and XOR each key byte with their wrapped sum
for (int i = 0; i < bKey.Length; i++)
    Result[i] = (byte)(bKey[i] ^ ((bHex[i % bHex.Length] + bCPU[i % bCPU.Length]) % 256));
it could be better but it works. I don't even know if knowing the CPU and MACAddress value will get you anywhere. so being on the same computer to scout how the key.dat file is made is essential.

to expand on your suggestion you said to salt using CSPRNG, the best way to salt as it's completely random because apparently they have algorithms to detect their own generations and make sure no patterns or whatever exist within it. well is it really necessary? it's a lego game that's hosting its files locally. it's not some super famous cloud system that's targeted by the biggest and baddest hackers in the world.

the easier route here is to suggest better security to the people doing these silly hosting services and not badspot because it's a waste of time. the current system works fine, its security was never meant to be some professional grade A locked down convoluted encryption algorithm because it's not worth it.
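The CPU/MAC transform quoted in the post above, modelled in Python as an added example (not the poster's C# and not Blockland's own code) to check what that "salt" actually buys a defender; the identifier strings, the sample key and the cyclic byte-by-byte reading of the two arrays are constructed assumptions.

```python
from math import lcm


def xor_pad(key: bytes, cpu: str, mac: str) -> bytes:
    """XOR every key byte with the wrapped sum of one CPU-string byte and one
    MAC-string byte. Assumed reading of the quoted snippet: the original adds
    two whole arrays, so here they are indexed cyclically byte by byte."""
    b_cpu = cpu.encode("ascii")
    b_hex = ("XXXXX" + mac).encode("ascii")
    return bytes(
        k ^ ((b_hex[i % len(b_hex)] + b_cpu[i % len(b_cpu)]) % 256)
        for i, k in enumerate(key)
    )


def is_involution(key: bytes, cpu: str, mac: str) -> bool:
    """XOR with a fixed pad is its own inverse: whoever can read key.dat
    together with the host's CPU and MAC strings gets the key back unchanged.
    The pad is a machine identifier, not a secret."""
    return xor_pad(xor_pad(key, cpu, mac), cpu, mac) == key


def pad_period(cpu: str, mac: str) -> int:
    """Bytes after which the pad repeats: the lcm of the two identifier
    lengths, so the 'salt' adds no entropy beyond the identifiers."""
    return lcm(len(cpu), len("XXXXX" + mac))


def machine_bound(key: bytes, cpu: str, mac: str, other_mac: str) -> bool:
    """True if the file produced on one host decodes differently on a host
    with another MAC. That is the property the poster relies on, and it only
    holds where the key is long enough to reach a pad byte that differs."""
    return xor_pad(xor_pad(key, cpu, mac), cpu, other_mac) != key


# Constructed sample values, not real identifiers or a real key.
KEY = b"ABCD-EFGH-IJKL-MNOP"    # 19 bytes
CPU = "Intel(R) Core(TM) i7"    # 20 bytes
MAC = "00:11:22:33:44:55"       # 22 bytes once "XXXXX" is prepended

if __name__ == "__main__":
    print("involution:", is_involution(KEY, CPU, MAC))                        # True
    print("pad period:", pad_period(CPU, MAC))                                # 220
    print("bound to MAC:", machine_bound(KEY, CPU, MAC, "AA:BB:CC:DD:EE:FF"))  # True
    # A MAC differing only in its last character yields the identical file,
    # because the 19-byte key never reaches pad byte 21.
    print("bound to MAC:", machine_bound(KEY, CPU, MAC, "00:11:22:33:44:56"))  # False
```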

Quote
why report a bug to the creator directly when you can do that AND get everyone to kiss your ass at the same time??
this guy knows what's up. but at the same time I fail to see an actual issue here

ITT: Compy butthurt that he didn't find this out first

wow

I am amazed that you said things that I don't understand

-snoop-
I cannot understand a single thing you're saying.

Quote
ITT: Compy butthurt that he didn't find this out first
I can almost guarantee he already knew, probably years before this topic was made.