2020/05/20 - Blockland r2023-r2031

Author Topic: 2020/05/20 - Blockland r2023-r2031  (Read 96695 times)

You can no longer change your username.  One BLID = one name.
not epic at all. i dont personally change my name often at all but i see how others would want to over the years. my forum name is still horrible from 2010. maybe only allow name changes once per couple months or something. provide a name history page to keep track of peoples past identities.

Badspot

  • Administrator
https://forum.blockland.us/index.php?topic=325774.msg10032036#msg10032036

The bytes mentioned aren't at that exact address though, you'll have to look for em

I'm just going to compile without CFG.  Sucks, but if I'm at the mercy rando openGL driver behavior there's not much I can do.  I don't know how to debug this.

Badspot

  • Administrator
Server list is messed up, investigating.

woop too late didnt see that post lmao


Quote
Copy the token and add it to your dedicated server command line arguments like so:
but how do i find "dedicated server command line"

Why are you putting so much inconvenience on regular users to try to stop every form of abuse? I'd rather deal with a few annoying individuals than go through all the crap you're laying on us just to play the game. Not being able to change names? Tell me you're joking.

Even disabling key auth is chasing a red herring. The exploit could have easily been used to steal entire steam accounts, or worse. Perhaps we're lucky there was such an easy and enticing target already available, so they didn't resort to even worse ones. Key-sharing and other stuff you love to hate but no one cares about will still happen on steam, it will just be throwaway steam account sharing instead. The only good thing to come out of this is temporary hosting keys, but that could have been done with the normal auth system too.

And what about people who have played this game for years, and can't link to steam because they no longer have the e-mail they bought the game with? It seems like you're just telling them to forget off or buy another copy, and maybe it's my bad for expecing better of you. If you're wondering what the hypothetical solution to this problem is, it's to let non-compromised users link to steam using their key, and let compromised users do so only from their locked IP. This way you only have to tell a couple of unlucky users to eat stuff, rather than half the people who still play this game.

Maybe I have no right to ask for better, since you'll probably make a nice couple hundred bucks off the suckers who will have to buy a new copy since their e-mail from 10 years ago is no longer accessible. But come the forget on man.

Even disabling key auth is chasing a red herring. The exploit could have easily been used to steal entire steam accounts, or worse. Perhaps we're lucky there was such an easy and enticing target already available, so they didn't resort to even worse ones. Key-sharing and other stuff you love to hate but no one cares about will still happen on steam, it will just be throwaway steam account sharing instead. The only good thing to come out of this is temporary hosting keys, but that could have been done with the normal auth system too.
i mean, no. the rce couldn't have stolen access to your steam account considering the base level of entry is your username + password + immediate access to your email (you're alerted whenever someone tries to log in.) and you're encouraged to put in a phone number to do basic tasks. by shifting it over to steam badspot is giving you protection from these kinds of RCE's that keys didn't provide

i mean, no. the rce couldn't have stolen access to your steam account considering the base level of entry is your username + password + immediate access to your email (you're alerted whenever someone tries to log in.) and you're encouraged to put in a phone number to do basic tasks. by shifting it over to steam badspot is giving you protection from these kinds of RCE's that keys didn't provide
They have full user-level access to your computer. They can install any kind of malware, create and delete files, and generate actions directly from your PC as if you did them. Anything you can do on your computer, an intruder with RCE can do, including changing the passwords to accounts you're already 2fa'd into. Trying to mitigate an RCE attack by not letting them steal your blockland or steam account is loving pointless, you should be more worried about them stealing your identity and credit cards, or installing ransomware or any other kind of malware.

Badspot

  • Administrator
Why are you putting so much inconvenience on regular users

Literally just run steam.  Such inconvenience.  I'm so cruel.  Write more paragraphs.

Literally just run steam.  Such inconvenience.  I'm so cruel.  Write more paragraphs.

Consider reading past the first line.

I'm on 2026, the server list is still messed up. I've tried disabling any addons that affect the server list gui, but no dice.

just put a timer on name changing like this is going straight to plan z and skipping every other way to stop this kind of handicapation

Users already have a BL_ID that they can be permantly identified by, perhaps a better solution would be to put a really long timeout on name changes — like a month or so. That way, legitimate name changes can still be a thing.

Badspot

  • Administrator
Consider reading past the first line.
Consider not opening your screed with the dumbest premise possible.  If you want a line by line, here goes:

I'd rather deal with a few annoying individuals than go through all the crap you're laying on us just to play the game.
Ok great.  Now you can deal with them because you're logged in with your steam account instead of your super secret blockland password that I have to keep for you.

Even disabling key auth is chasing a red herring. The exploit could have easily been used to steal entire steam accounts, or worse.
Sure, but that sounds like a job for steam support or the police, not Badspot. 

Key-sharing and other stuff you love to hate but no one cares about will still happen on steam, it will just be throwaway steam account sharing instead.
I haven't checked on key sharing in over a decade, it's just the people who need to get banned are usually sharing keys.  Major disruptions happen every time someone Self Deletes and posts their key publicly.  Sharing a steam login among a few trolls is a far different animal than posting an un-changeable key publicly. 

The only good thing to come out of this is temporary hosting keys, but that could have been done with the normal auth system too.
It is done using the normal auth system.  The normal auth system uses steam now.

And what about people who have played this game for years, and can't link to steam because they no longer have the e-mail they bought the game with?
Maybe they can use the other methods of conversion that I said I would implement in the post you didn't read. 

It seems like you're just telling them to forget off
It seems that way because you have built me up as some kind of fantasy cartoon villain in your own mind. 

If you're wondering what the hypothetical solution to this problem is, it's to let non-compromised users link to steam using their key, and let compromised users do so only from their locked IP.
Yes but the only way we have to tell who is compromised and who is not is the word of a angry script kiddy teen and a soulless Machiavellian robot.  On top of that, implementing multiple web forms at once is a recipe for disaster.  The solution to both problems is to implement the safest solution first and let people use that while the other options are developed. 


 

Badspot

  • Administrator
I'm on 2026, the server list is still messed up. I've tried disabling any addons that affect the server list gui, but no dice.

Messed up in what way?