'[censored]' list

General feedback and discussion of the game.

Moderator: Forum Moderators

Zachron
Posts: 416
Joined: July 24th, 2007, 5:12 pm
Location: North Central Texas

Re: '[censored]' list

Post by Zachron »

The problem with IP bans is you ban entire city blocks, or entire cities depending on the localized configuration of the network. This can cause problems when a good player is siblings with an abusive player or lives next door to an abusive player, or lives within 5 miles of an abusive player. Now I believe it is possible to ban a "specific" IP rather than a general IP, but you still run into an issue, as some computers change their "specific" IP every time they log on, and some internet connection types have multiple computers that are not on the same LAN sharing the same persistent "specific" IP. (For the record, I don't know the exact terminology here.) Nick bans and ignore lists should do the trick for now.
Project Battlescar: An rpg engine of my own design.
http://battlescar.wikispaces.com/
Zarel
Posts: 700
Joined: July 15th, 2009, 8:24 am
Location: Minnesota, USA

Re: '[censored]' list

Post by Zarel »

Gambit wrote: Okay what's my IP? It isn't on public display. Public display is when anyone can get it just at a glance. IPs are more like library books. You need a card to check them out. There isn't much security there but there is a tiny sliver.
Sigh. You really wanna go there? Fine. Check your PMs.
Gambit wrote: And you misunderstood. I sent screenshots of someone to his ISP and got his internet shut off and he's made it quite clear he's looking for a round two. It was just an example of some trouble you can cause by knowing someone's IP.
Really? There was probably other evidence. If not, then he can sue his ISP for breach of contract and earn a bunch of money. So with someone's IP, you can give them a bunch of money? Sign me up, I'm 160.94.47.16 (and yes, that's my IP. OH LOOK I'M STILL ALIVE HINT HINT)!
thespaceinvader wrote: However, it's unlikely that, without those sorts of powers, people can easily see your IP address - those clever little gadgets that show you your IP do exactly that - they show EACH person their OWN IP address. No one else can see yours.
Oh, big surprise, gadgets that show you your IP address show you your IP address. Tell me something I don't know.

The question isn't what they appear to do (which is rather obvious) but what they can do, and they can record your IP address. And in that case, someone else can see your IP.
Soliton wrote: No ordinary user on the wesnoth server can find out your IP. It's not peer to peer.
But if you're hosting a game? How do you know who to connect to? Does the server proxy everything? From what I've heard from ilor talking about how MP works, it doesn't...
Soliton wrote: Rather you can't do much without an IP. If Gambit seems alarmist you seem ignorant. :P
The difference is that you are intentionally twisting my statement, even though you know exactly what I mean: You can't do much with the IP address of your average client machine unless you have consent. On the other hand, I see no signs that I am misinterpreting Gambit.

Okay, okay, I see what you mean now. But most common attacks don't require IPs at all ("I sent you a greeting card! greetingcard.exe", "Here, log into PayPal, it's legit, srsly", exploits of browser vulnerabilities, etc).
Last edited by Zarel on November 11th, 2009, 11:56 pm, edited 4 times in total.
Proud creator of the :whistle: smiley | I prefer the CC-0 license.
Soliton
Site Administrator
Posts: 1733
Joined: April 5th, 2005, 3:25 pm
Location: #wesnoth-mp

Re: '[censored]' list

Post by Soliton »

Definitely ignorant.
"If gameplay requires it, they can be made to live on Venus." -- scott
Euthanatos93
Posts: 83
Joined: March 30th, 2009, 2:17 am

Re: '[censored]' list

Post by Euthanatos93 »

Talk about MAJORLY DERAILED. FORGET ABOUT #**(&ing IPs for Christ's sake.

Yeah anyway. BETTER HOST CONTROLS FTW.

I want an option to make ONLY REGISTERED USERS join my games. Non-registered users can be explicitly invited with an /invite command like IRC.

Then I want a [censored] list that automatically excludes anyone on it from my games.

If this is done it will crop up that there are about half a dozen faggots out there who will have 100+ accounts. Some database management should be able to sort that out in short order every so often.

This wishlist should improve the finding of reliable games by reliable players.
Zarel
Posts: 700
Joined: July 15th, 2009, 8:24 am
Location: Minnesota, USA

Re: '[censored]' list

Post by Zarel »

That reminds me. As a conversation with Soliton has revealed, wesnothd proxies everything, so it'd be possible to ban people by IP without ever revealing anyone's IP.

Edit: Removing somewhat inflammatory statement that was only tangentially related.
Last edited by Zarel on November 12th, 2009, 5:22 am, edited 1 time in total.
Proud creator of the :whistle: smiley | I prefer the CC-0 license.
Euthanatos93
Posts: 83
Joined: March 30th, 2009, 2:17 am

Re: '[censored]' list

Post by Euthanatos93 »

If he's paranoid enough to take intrusion-detection/counter-intrusion measures I think it means he knows what he's doing.

Of course, on the other hand, if your Computer Security is a bundled firewall and AV program from a 'reputable vendor' then you've lost already.

Paranoia will serve you better in times of no enemies than no paranoia will in times of enemies.
Zarel
Posts: 700
Joined: July 15th, 2009, 8:24 am
Location: Minnesota, USA

Re: '[censored]' list

Post by Zarel »

Euthanatos93 wrote: If he's paranoid enough to take intrusion-detection/counter-intrusion measures I think it means he knows what he's doing.

Of course, on the other hand, if your Computer Security is a bundled firewall and AV program from a 'reputable vendor' then you've lost already.
The problem with paranoia is that without knowledge of security, it doesn't make you any more secure.

The term "paranoia" conjures images of, for instance, people buying lion-repelling rocks. It's not so much that the possibility of a lion attack is so small in the US, but also that the rock isn't actually going to repel any lions.

Same idea here. No matter how much you shield your IP, your computer is going to get hacked if you give your password to paypal.com.hackers.net. And no matter how many times you give out your IP, your computer isn't going to get hacked if you make sure not to give your password to untrusted parties, and not to run untrusted code, and install updates as they are available. (Sure, it won't be mathematically perfectly secure, but when's the last time you heard of someone getting hacked that wasn't a result of one of the above three?)
Euthanatos93 wrote: Paranoia will serve you better in times of no enemies than no paranoia will in times of enemies.
Paranoia in times of no enemies is pretty much what 1984 warns against. It's what causes the gradual erosion of freedom, as people give up their freedom for a bit more "security" that doesn't actually make them any more secure.
Proud creator of the :whistle: smiley | I prefer the CC-0 license.
Aethaeryn
Translator
Posts: 1554
Joined: September 15th, 2007, 10:21 pm
Location: Baltimore, Maryland, USA

Re: '[censored]' list

Post by Aethaeryn »

Zarel wrote: Paranoia in times of no enemies is pretty much what 1984 warns against. It's what causes the gradual erosion of freedom, as people give up their freedom for a bit more "security" that doesn't actually make them any more secure.
What are you talking about? Oceania is at war with Eurasia.
Aethaeryn (User Page)
Wiki Moderator (wiki)
Latin Translator (wiki)
Maintainer of Thunderstone Era (wiki) and Aethaeryn's Maps (wiki)
Gambit
Loose Screw
Posts: 3266
Joined: August 13th, 2008, 3:00 pm
Location: Dynamica

Re: '[censored]' list

Post by Gambit »

The OP acknowledged our tangent so there's no need to pm this I guess 8) I did however send Zarel a pm with [what I suspect to be] his full address and phone number.
Zarel wrote: your computer isn't going to get hacked if you make sure not to give your password to untrusted parties, and not to run untrusted code, and install updates as they are available.
All the time. Crackers don't need any of this to break into your computer. In the days of dialup they just needed your phone number. Today with dsl all they need is your IP address and an open door.

In fact where I live they don't even need any of that. People in my town are [censored]. Everyone has wireless. Everyone has file and print sharing turned on and only 1/8 of them have passwords or WEP keys. You could literally drive around town wiping hard drives. Or you could spam their printers with pr0no until they run out of ink and paper. And the worst part of it all; The courthouse has the same setup :annoyed: Luckily they're probably backwards enough to still be using paper files for everything.

I recently went to the eye doctor's. All my insurance information is on file there ya know. I wanted to connect to their wireless from my laptop during the two hour wait (they're always backed up). They had a password. But after one wrong guess the thing actually gave me a hint! "six characters". Three guesses. 123456, 654321, edward. The last one was right. The chief optimologist's husband's name. Full file sharing enabled of course. So just like that if I was a malicious person I could find out everything about every patient that had ever been there because they keep full digital records.

But you see the password was never given. No untrusted code was run. All I needed was an access point and a brain. And lacking a brain there are brute-forcers for the password. IP addresses are easy ways to get access points.


Also Zarel really did find my IP. But he had to have a library card to do it. If I'da been a bit more on the ball I'd have taken his library card and stuck it someplace where it would have gotten a lot of hits very fast. Oh well.
Yoyobuae
Posts: 408
Joined: July 24th, 2009, 8:38 pm

Re: '[censored]' list

Post by Yoyobuae »

Whose fault is it to choose weak passwords?

Very strong passwords are not that hard, it's just a matter of using them frequently enough to memorize them.

For example the password:
$B,=u6@Mg5P]cmV7`

I use passwords of similar strength for anything important.
Zarel
Posts: 700
Joined: July 15th, 2009, 8:24 am
Location: Minnesota, USA

Re: '[censored]' list

Post by Zarel »

Gambit wrote: The OP acknowledged our tangent so there's no need to pm this I guess 8) I did however send Zarel a pm with [what I suspect to be] his full address and phone number.
Yeah, you sent me the address and phone number of the guy who paid for the AEsoft domain name, who is not me. You know, instead of running a WHOIS query on aesoft.org, you could have gone to aesoft.org, which says my name on the home page.

Some achievement, considering I freely give out my personal information online. Nice to meet you; here's my card: http://aesoft.org/zarel/bcard.gif

And seriously, what's your point? Were you just trying to impress me with your knowledge of how to use WHOIS? Because that's really not very impressive.
Gambit wrote: All the time. Crackers don't need any of this to break into your computer. In the days of dialup they just needed your phone number. Today with dsl all they need is your IP address and an open door.
Meh, fine, add "don't do stupid things like have your password be the word 'password'" to the list. How are they going to find an "open door"? Unless you're running a server, you're unlikely to have any ports open, and even if you do, they're unlikely to be open to the public internet. Your open ports are usually behind a hardware firewall (i.e. a router) and two software firewalls, and that's in addition to the fact that Windows doesn't allow your ports to be accessed unless you're in a trusted network.
Gambit wrote: In fact where I live they don't even need any of that. People in my town are [censored]. Everyone has wireless. Everyone has file and print sharing turned on and only 1/8 of them have passwords or WEP keys. You could literally drive around town wiping hard drives. Or you could spam their printers with pr0no until they run out of ink and paper. And the worst part of it all; The courthouse has the same setup :annoyed: Luckily they're probably backwards enough to still be using paper files for everything.
Okay, so if you don't protect yourself you can get hacked, okay. My point is still that protecting your IP isn't going to help, and you're just proving my point.
Gambit wrote: But you see the password was never given. No untrusted code was run. All I needed was an access point and a brain. And lacking a brain there are brute-forcers for the password. IP addresses are easy ways to get access points.
...what do IP addresses have to do with getting access points?
Gambit wrote: Also Zarel really did find my IP. But he had to have a library card to do it. If I'da been a bit more on the ball I'd have taken his library card and stuck it someplace where it would have gotten a lot of hits very fast. Oh well.
I really dislike your "library card" metaphor.

Anyway, even if you had stuck my IP logger somewhere else, you would have had to see it first, and I knew that your IP would be the first one on the list. And are you really going to right click every smiley to see if it's hosted on a different server? There's a trade-off between hassle and security, and that is not where it is.
Proud creator of the :whistle: smiley | I prefer the CC-0 license.
Yoyobuae
Posts: 408
Joined: July 24th, 2009, 8:38 pm

Re: '[censored]' list

Post by Yoyobuae »

That's perhaps the problem. It's impossible to know what's out there.

The most inoffensive smilie turns into an entry point directly into your PC. Heh, he could've also made a transparent 1 pixel image, and no one would've noticed at all either. What do you know? There might be some unknown GIF exploit in use. All of us might be running Zarel's trojan or something. We just don't know. But that's probably not true (or is it?).

You'll never be sure, there will always be risks. Like I read in a book:
Mr Client: "Mr Security, we want our servers to be 100% secure"
Mr Security: "Well, that's easy"
***Mr Security starts unplugging the servers from the network***
Mr Client: "What are you doing!?!?"
Mr Security: "That's the only way the server will ever be 100% secure!"

Reality is: We want to tolerate some level of risk. The price is too high to get rid of it. So the best we can do is to simply try to gain what we can without sacrificing too much.

Use firewalls, choose good passwords, don't use WEP (WEP keys can be obtained "from the air", no need to guess password even), secure any important info with encryption, etc.
Gambit
Loose Screw
Posts: 3266
Joined: August 13th, 2008, 3:00 pm
Location: Dynamica

Re: '[censored]' list

Post by Gambit »

Zarel wrote: Were you just trying to impress me with your knowledge of how to use WHOIS?
Yes :P
It usually works. :lol2:

I mean you're at University of Minnesota and it was a Minnesota address so there were only two possibilities. It was you. Or it was someone you met there.

My library card metaphor works. You still had to take special steps to get my IP. Can we get this split to off-topic?

[sarcasm]
P.s. I don't have to right click them. You can just hover. Unless bbcode [img] tags have alt attributes.
[/sarcasm]
Yoyobuae
Posts: 408
Joined: July 24th, 2009, 8:38 pm

Re: '[censored]' list

Post by Yoyobuae »

What if he uses a 1x1 pixel fully transparent gif? :P
Gambit
Loose Screw
Posts: 3266
Joined: August 13th, 2008, 3:00 pm
Location: Dynamica

Re: '[censored]' list

Post by Gambit »

I guess if one is that paranoid they could quote Zarel's post until the end of time to check them for images.
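
The check discussed in the last few posts (going through a post's markup to see whether any embedded image is hosted on a different server), as an added example that is not part of the original thread. It assumes phpBB-style `[img]URL[/img]` tags; the function names, the `forum.example` host and the sample post are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed tag syntax: [img]URL[/img], matched case-insensitively.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_same_site(host, forum_host):
    """True if host is the forum itself or one of its subdomains."""
    host, forum_host = host.lower().rstrip("."), forum_host.lower().rstrip(".")
    return host == forum_host or host.endswith("." + forum_host)


def external_images(post_bbcode, forum_host):
    """Return (url, host) for every embedded image fetched from another server.

    Viewing the post makes the reader's browser request each of these URLs,
    so the operator of that host can log the reader's IP address.
    """
    found = []
    for match in IMG_TAG.finditer(post_bbcode):
        url = match.group(1).strip()
        host = urlsplit(url).hostname  # None for relative URLs (served by the forum)
        if host and not is_same_site(host, forum_host):
            found.append((url, host))
    return found


# Constructed sample post; every host below is a placeholder.
SAMPLE_POST = (
    "Nice map! [img]/images/smilies/icon_smile.gif[/img] "
    "[IMG]https://static.forum.example/avatars/42.png[/IMG] "
    "[img]http://tracker.example.net/whistle.gif[/img] "
    "[img]//cdn.example.org/1x1.gif[/img] "
    "[img]https://forum.example.lookalike.example/a.gif[/img]"
)

if __name__ == "__main__":
    for url, host in external_images(SAMPLE_POST, "forum.example"):
        print(f"off-site image: {url} (requests go to {host})")
```

The comparison is made on the parsed hostname rather than by substring, so a host that merely starts with the forum's name is still reported as off-site.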