config - password security is bad!

romfis
Private First Class
Posts: 215
Joined: Tue Jan 18, 2005 6:33 pm
Location: Österreich / Wien

config - password security is bad!

Post by romfis »

Hi all!

English (translated from the German original; the post also carried a Google machine translation):

I often see players sending each other their configs to show how they play and which settings they use; that is not a bad thing either. BUT...

Some players are inexperienced and do not know that the PASSWORD for Global Login is also stored in there, and it gets sent unintentionally, without them knowing that they have just sent their PASSWORD along with it!

I would find it better, or rather recommend, that the PASSWORD be stored in a separate file and not in the general CONFIG!

I mean it like this, for example on Windows:
…\My Documents\My BZFlag Files\2.0\config.cfg - settings for BZFlag
…\My Documents\My BZFlag Files\2.0\password.cfg - here the password for Global Login.

I would suggest it for BZFlag 2.2.0, and, if it is still possible, also for BZFlag 2.0.X!

P.S. I hope someone can find a user for this topic who can please translate it into better English. Thanks to all German-speaking users who also know English! :D

romfis
Last edited by romfis on Mon Jul 24, 2006 11:28 am, edited 2 times in total.
Skeeve
Private First Class
Posts: 122
Joined: Sun Jun 04, 2006 3:27 pm
Location: Near Aix La Chappel

Re: config - password security is bad!

Post by Skeeve »

romfis wrote: Hi all!

Google ENGLISH:
Why do you use that? It's useless. Even bad school English is better than that!
Avatar created with South Park Studio

Don't you hate it when your posts get deleted without any note?
macsforme
General
Posts: 2069
Joined: Wed Mar 01, 2006 5:43 am

Post by macsforme »

Hmmm, from what I can make of the translation... good point. I've had someone sneak a peek into my config file before... fortunately I had disabled the -password option by putting a "#" in front of it. For private servers, the passwords in the -passdb file are encrypted somehow... maybe provide the capability to encrypt an operator password to store in the config file somehow?

Or did I completely miss the point of what he said? ;)
Skeeve
Private First Class
Posts: 122
Joined: Sun Jun 04, 2006 3:27 pm
Location: Near Aix La Chappel

Post by Skeeve »

Constitution wrote:Or did I completely miss the point of what he said? ;)
I think he means the password in config.cfg for the client. You are talking about the server, aren't you?
romfis
Private First Class
Posts: 215
Joined: Tue Jan 18, 2005 6:33 pm
Location: Österreich / Wien

Re: config - password security is bad!

Post by romfis »

Skeeve wrote:
romfis wrote: Hi all!

Google ENGLISH:
Why do you use that? It's useless. Even bad school English is better than that!
@Skeeve:
My English is bad, and YOU know that too, and I know that YOU can also speak somewhat better GERMAN! Unfortunately I had no ENGLISH at school; the little ENGLISH I know I taught myself over time on the INTERNET, and for an ENGLISH COURSE I currently still lack some time and money.
But as I see it, YOU only registered here in the forum on "04 JUN 2006", and YOU only complain about my bad English instead of possibly helping me. If YOU don't want to do that, fine, but YOU don't need to point out every time that my ENGLISH, or rather Google's, is bad, THANKS!!!

romfis
Skeeve
Private First Class
Posts: 122
Joined: Sun Jun 04, 2006 3:27 pm
Location: Near Aix La Chappel

Re: config - password security is bad!

Post by Skeeve »

The following post is German only as it is not intended to be BZ specific but to clarify misunderstandings between romfis and me.
romfis wrote: My English is bad, and YOU know that too
How am I supposed to know that? For example, I didn't know:
romfis wrote: Unfortunately I had no ENGLISH at school,
Still: Google English is so bad...
romfis wrote: the little ENGLISH I know I taught myself over time on the INTERNET,
But that's good! Use it!
romfis wrote: instead of possibly helping me,
Gladly, any time.
romfis wrote: if YOU don't want to do that, fine, but YOU don't need to point out every time that my ENGLISH is bad, THANKS!!!
Not YOURS! Google's! Automatic translations are simply rubbish!

I would never have made fun of it if you hadn't written "GOOGLE English" in front of it. It struck me as someone who is too lazy to make the effort with his own (however bad) English. Sorry, but that's how it is. With such automatic translations you can't expect serious answers.

Well... And as for the other thread: I really did try and really didn't understand what you wanted to say there. Try to explain it again, but in a way that an old geezer like me can understand it too, and then I'll help with the translation as well.

So. All good again?
romfis
Private First Class
Posts: 215
Joined: Tue Jan 18, 2005 6:33 pm
Location: Österreich / Wien

Post by romfis »

@Skeeve:
Well, it's actually logical that someone who doesn't know English uses aids, even bad ones like Google; still better, I think, than my English. I can only manage single SMALL sentences, if at all, otherwise only single words, and the rest with a translator, which I use to try to make sense of things from English to German.
Into English it's a bit harder, because you don't know how things fit together; I've already had one German word translated into three different English words, with an English book, Google Translator and a translator program, all the words different, which I find really bad :P

English is surely like the German language in that one word can be understood in 3 or more ways. :lol-old:
Skeeve wrote: So. All good again?
YES! I apparently also overreacted a bit; that happens sometimes with me too :roll:
And sorry that I attacked you somewhat too harshly!

romfis
CannonBallGuy
Private First Class
Posts: 2083
Joined: Wed Apr 12, 2006 1:31 am

Re: config - password security is bad!

Post by CannonBallGuy »

Skeeve wrote:
romfis wrote: Hi all!

Google ENGLISH:
Why do you use that? It's useless. Even bad school English is better than that!
Because he is German?
Besides, I understood him perfectly.

He says that the player's global-login password (the one you enter on the "Join A Game" page) should not be stored in your config.cfg file.
Players often share their config files, by email or whatever, and often they will not think to remove the password from this file.
Obviously this is a big problem.

Merry Christmas!

"Look, if I don't buy booze for the kids, I don't get any incriminating pictures to show to their parents, my business goes down the sink, my girlfriend leaves me and the baby goes on ebay. So help me search..."

"go Play With Toys urself in a dark alley u donkey ******" - Lt-Kirby2007
joevano
General
Posts: 1863
Joined: Sat Jun 18, 2005 1:08 pm
Location: South Bend, Indiana, USA

Re: config - password security is bad!

Post by joevano »

CannonBallGuy wrote:
Skeeve wrote:
romfis wrote: Hi all!

Google ENGLISH:
Why do you use that? It's useless. Even bad school English is better than that!
Because he is German?
Besides, I understood him perfectly.
Great point, Romfis. I had not thought of this as being a problem, but I can see how it could become one. I also had no problem with understanding the Google English translation (after reading it twice). Yes, the first sentence is not a very good translation, but after that it is not too hard to figure out, and it then brings the first sentence into focus.
JeffM
Staff Sergeant
Posts: 5196
Joined: Fri Dec 13, 2002 4:11 am

Post by JeffM »

This is a known issue.
This is the exact reason why there is an option to NOT save your password locally. If your local computer is not secure, then do not store your password.
JeffM
io
Private First Class
Posts: 179
Joined: Sat Nov 19, 2005 5:32 pm
Location: Bzflag

Post by io »

yeah, i first thought that you mean the server config but by reading the other posts it is clear now.

btw. i didn't even know that in the config file my pw is stored ... lol :P
Marzipan


Why be normal when you can be yourself?

We dance because we can not fly

Legalize it!

I created a map, I just can't remember because I was high.


bzflag.norang.ca
Openleague
Linuxratings
Soccer-Tournament
Skeeve
Private First Class
Posts: 122
Joined: Sun Jun 04, 2006 3:27 pm
Location: Near Aix La Chappel

Re: config - password security is bad!

Post by Skeeve »

CannonBallGuy wrote:Because he is German?
Nope. He isn't. He's Austrian. (Just nitpicking)
CannonBallGuy wrote:Besides, I understood him perfectly.
I didn't understand the english part. Maybe it's because my english (I am german) isn't the best.

But as you could see from the german discussion between him and me, everything is clarified now. I had the impression he's a lazy guy not willing to use his school english. But he isn't because all the english he speaks is self educated and that's something I have much respect for.

So I won't ever complain about his google english but will try to help translate.
A Meteorite
Private First Class
Posts: 1786
Joined: Thu Apr 28, 2005 12:56 am
Location: California, U.S.

Post by A Meteorite »

As Jeff pointed out, you shouldn't have your password remembered. It's a huge hole. And using MD5 on your password would be pointless because a cracker can just send the encrypted hash to do global login (well, at least they wouldn't be able to login to the BZBB).

The devs could do an optional OpenSSL "module", but it would require a key that you generate. You can assign a key a password (which makes remembering global login pointless) or you can make it password-less (which defeats the purpose of an encrypted password). I doubt this would happen, but it would be a useful feature for some who want to remember only one password.

Now when do fingerprint scanners start coming out? ;)
Owner @ BZFX
Core Admin @ CAN

Email me: bzmet…@gmail.com
romfis
Private First Class
Posts: 215
Joined: Tue Jan 18, 2005 6:33 pm
Location: Österreich / Wien

Post by romfis »

Right CBG and Mark!! :D

German (translated)
HA! That is the point I mean, Mark! and CBG! :D

I think JeffM misunderstood what I mean, unless I didn't translate his post correctly.

It is not about whether the computer is secure or not, but only about an inexperienced player who wants to send his config, because there is some particular reason for it, whatever it may be...; it can happen that, out of ignorance, the password gets sent along, because many don't know that it is stored there. That is why my suggestion that this should be improved: the passwords should be stored only in a separate file and removed from the config.

An example:
I had swapped configs with some players I know, because most players want to see my config and offer their own in return; I got theirs and saw the PWs every time, LOL! I pointed out to them that they had sent it along unintentionally and should change it, in case it had also been sent to other players. Personally I have no problem with the password being in the config. I know it is there and delete the PW before I send it.

The next example was today: I sent my config for T42, because I think it might help my team. :D
The side effect was, automatically, that "doc holiday" sent his config with his password. I then told him via ICQ that he should change it, because from now on 10 players could play with his account! :D

Well, those were my two further examples; whether it gets improved or not is not up to me but up to the BZFlag developers. :P

I hope someone can translate this "roughly" into English for me, thanks!
I think a Google translation wouldn't be enough for this post.

Please wait for an English translator; a German user, please post this in English, thanks!!

romfis
Skeeve
Private First Class
Posts: 122
Joined: Sun Jun 04, 2006 3:27 pm
Location: Near Aix La Chappel

Post by Skeeve »

Okay... I'll try my best at translating romfis' post (I don't translate word by word but by meaning):

Right CBG and Mark!! :D
HA! That's what I meant, Mark! and CBG! :D

I think JeffM didn't get me right, unless I mistranslated his post.

My concerns are not about a safe computer but about an inexperienced user who, for whatever reason, wants to send his config. He might, because he doesn't know better, send his password. Many people don't know that it's stored in the config. This is why I proposed an improvement. It's sufficient to store the password in a separate file and remove it from the config.

An example:
I (romfis) exchanged config files with other players, because they wanted to see mine. They offered me theirs. I received them and each time I saw the passwords. I told them that they had sent them unintentionally and that they should change them. I have no problem with the password being in the config. I know that it's there and delete it before I send the file.

Next example: Today I sent my config for T42 because I thought it would be helpful for my team. :D
The result was that "doc holiday" sent his config including his password. I told him on ICQ that he should change it because from now on 10 others could play with his account.

These were just 2 examples. Whether or not it will be improved is up to the developers.
romfis
Private First Class
Posts: 215
Joined: Tue Jan 18, 2005 6:33 pm
Location: Österreich / Wien

Post by romfis »

Thanks Skeeve for translating! :mrgreen:

romfis
Saturos
Art Master General
Posts: 1111
Joined: Mon Apr 19, 2004 2:48 pm
Location: Berlin/Germany

Post by Saturos »

Jeff understood your post and pointed out that there is an option that allows you not to save the password locally. If you select it, your password won't be part of your config. Simple, isn't it? ;)
JeffM
Staff Sergeant
Posts: 5196
Joined: Fri Dec 13, 2002 4:11 am

Post by JeffM »

the problem I see is that the default is to save the password. As romfis says this is a problem for new users.

for 2.2 I have made it so we only save the callsign by default.
Sky King
Private First Class
Posts: 166
Joined: Mon Jun 05, 2006 8:07 pm
Location: Twin Cities, Minnesota, USA

Post by Sky King »

Not to overcomplicate things... but what about splitting the file so that the settings are in config.cfg, and both the username and password are in credentials.cfg?
JeffM
Staff Sergeant
Posts: 5196
Joined: Fri Dec 13, 2002 4:11 am

Post by JeffM »

It's no harder to get that than it is to get anything else?

No matter how you store it, if someone can get the file you're screwed, even if we encrypt it, because the source code that everyone has includes the decryption stuff.

The client side config is not something that should be spread around, not like a server config. The client side config only contains things specific to a single computer.

For 2.2 I am looking into doing player profiles; we may change the storage of player related stuff at that time, but it is not a major concern. Maybe we can store it in a system specific binary file...

For server configs the general trend is to move away from using a server password and using global authentication and permissions for all administration.
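An added example, not BZFlag code, of the point JeffM and A Meteorite make above: if the client can derive the decryption key by itself, whether from a constant in the source or from details of the machine it runs on, then anyone holding the file and the (public) source can run the same derivation, so encrypting the stored password only obfuscates it. Only key material that is not on the machine, such as a passphrase the user types at launch, changes that, and then the user is typing a password again. The machine fingerprint, the HMAC-SHA256 counter-mode keystream and the sample password are assumptions made for this example.

```python
"""
Added example, not BZFlag code: a stored password "encrypted" under a key the
client can derive on its own is recoverable by anyone holding the file and the
public source. The fingerprint, the HMAC-SHA256 keystream and the sample
password are assumptions made for this example.
"""
import hashlib
import hmac
import platform
import secrets

NONCE_LEN = 16


def machine_fingerprint() -> bytes:
    """Key material the client derives by itself (assumed: hostname + arch).
    Whatever the client computes here, an attacker who has the file and the
    source computes as well, or enumerates if the value space is small."""
    return (platform.node() + "|" + platform.machine()).encode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, key_material: bytes) -> bytes:
    """Return nonce || ciphertext. Confidentiality only, no integrity tag."""
    key = hashlib.sha256(key_material).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unseal(blob: bytes, key_material: bytes) -> bytes:
    """Inverse of seal(); a wrong key yields garbage, not an error."""
    key = hashlib.sha256(key_material).digest()
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def client_store(password: bytes) -> bytes:
    """What a client would write to disk if it keyed on machine details."""
    return seal(password, machine_fingerprint())


def attacker_recover(blob_from_disk: bytes) -> bytes:
    """The attacker runs the same public code on the same inputs. No secret
    is involved, so this is a one-line recovery, not an attack on the cipher."""
    return unseal(blob_from_disk, machine_fingerprint())


def user_store(password: bytes, passphrase: bytes) -> bytes:
    """Keyed on something only the user knows: the file alone is no longer
    enough, but the user must type the passphrase at every launch."""
    return seal(password, passphrase)


if __name__ == "__main__":
    blob = client_store(b"hunter2")  # constructed sample password
    print("machine-keyed, attacker recovers:", attacker_recover(blob))
    blob = user_store(b"hunter2", b"correct horse")
    print("passphrase-keyed, wrong guess yields:", unseal(blob, b"wrong"))
```

The same argument covers a key derived from any hardware identifier: the derivation lives in the source, and the identifiers are readable on a compromised machine or can be enumerated from a small value space.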
CannonBallGuy
Private First Class
Posts: 2083
Joined: Wed Apr 12, 2006 1:31 am

Post by CannonBallGuy »

Jeff, romfis' point was that he emails his config.cfg file to friends so they can try it out, etc.
He knows the password is in that file, so he takes it out.
Others send their file to him but they do NOT take the password out.

Storing the password in a separate file would solve this issue, though, as you say, it would not help if someone can get the new file with the password.
JeffM
Staff Sergeant
Posts: 5196
Joined: Fri Dec 13, 2002 4:11 am

Post by JeffM »

Why would he email his client config to another user? It's not like a server config. The only thing in it would be video settings, and that will be set for his specific hardware.

But I understand, and as I said we'll look into it if we do profiles. I've changed the default for 2.2 and made the menu show that it's a plaintext password, so that should help with the noobs not doing it by default.
CannonBallGuy
Private First Class
Posts: 2083
Joined: Wed Apr 12, 2006 1:31 am

Post by CannonBallGuy »

His client config has all his playing settings. When anyone can edit their config, you have infinite different varieties of controls, which obviously people like to share with each other.

Even just using the in-game menu, you can get a huge variety of different configs.
BinarySpike
Corporal
Posts: 735
Joined: Mon Mar 28, 2005 11:58 pm

Post by BinarySpike »

JeffM2501 wrote: It's no harder to get that than it is to get anything else?

No matter how you store it, if someone can get the file you're screwed, even if we encrypt it, because the source code that everyone has includes the decryption stuff.

Simple, encrypt the password per computer hardware information.

It would require you to have the exact same computer hardware to do it... I mean how many people know how to get that information?

I've done some researching into this for fun, a while back, and it's possible... the hardware stuff would have to be intense to actually be secure...

I agree that it should be in another file though.

I was running Digital Paintball on my grandfather's Windows while I was on my trip and JohnDeere sent me his client. I had passwords and all ;-)
(but he didn't use passwords... so I didn't actually get a password... it was just possible...)
Skeeve
Private First Class
Posts: 122
Joined: Sun Jun 04, 2006 3:27 pm
Location: Near Aix La Chappel

Post by Skeeve »

BinarySpike wrote: Simple, encrypt the password per computer hardware information.

It would require you to have the exact same computer hardware to do it... I mean how many people know how to get that information?
1. If you use the hardware as a key, you
a) have to be able to generate such a key on *any* platform
(Win, Linux, IRIX, Mac OS...)
b) would have this change as soon as the hardware is changed
c) would have this be in no way more secure than any other randomly generated & stored key
If your computer is compromised, anyone can either get that key or gather the necessary information needed to generate the hardware key.
2. It's not necessary to have the exact same platform if you do a brute-force attack. Maybe even analysis of the source code can help you reduce the range of possible values.

The only safe way would be to use something like RSA and a public/private key pair.

On the other hand, these algorithms require you to type in a pass phrase and we are again where we left off...

So in my opinion the best solution would be to simply store the password as plain text in a file solely for this purpose. This should only be viewable by the user (chmod 600, at least on platforms where this is possible), and the user should be advised *not* to store it should it be a shared computer.

Why as plain text?
1. Because no encryption would help against anyone really interested in the PW
2. Because this way the user will *see* that it's unsafe, should he look into the file
3. Because he can easily retrieve it, should he need it for whatever purpose.
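An added example, not BZFlag project code, of the scheme Skeeve proposes above and romfis asked for at the start of the thread: move the credential line out of the client config into a separate file that only the owner can read (mode 0600 where the platform supports it), and check a config for credentials before it is shared. It assumes the config is one "-option value" per line with "#" comments (the thread mentions commenting out "-password"), that "-password" is the only credential-carrying option, and that the file names are hypothetical. The check deliberately also flags a commented-out "#-password" line, since that still discloses the password when the file is emailed.

```python
"""
Added example, not BZFlag project code. Splits a BZFlag-style client config
so the global-login password lives in a separate owner-only file, and checks
a config for credentials before sharing it. Assumptions: one "-option value"
per line with '#' comments; "-password" is the only credential option;
the file names are hypothetical.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

SECRET_OPTIONS = {"-password"}  # assumption: the credential-carrying option(s)
# Matches "-option rest", including lines commented out with a leading '#'.
OPTION_RE = re.compile(r"^\s*(#\s*)?(-[A-Za-z][\w-]*)\b(.*)$")


def find_secrets(text: str) -> list:
    """Return [(line_no, option, commented_out)] for every credential line.
    A commented-out password is still disclosed if the file is shared."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = OPTION_RE.match(line)
        if m and m.group(2) in SECRET_OPTIONS:
            hits.append((n, m.group(2), m.group(1) is not None))
    return hits


def is_share_safe(text: str) -> bool:
    """True only if no credential line, active or commented out, remains."""
    return not find_secrets(text)


def split_config(text: str):
    """Separate credential lines from everything else: (public, secret)."""
    public, secret = [], []
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        (secret if m and m.group(2) in SECRET_OPTIONS else public).append(line)
    return public, secret


def write_owner_only(path, lines) -> Path:
    """Create or overwrite path with mode 0600 (owner read/write only).
    Enforced on POSIX; on Windows the mode bits only control the read-only
    flag, so an NTFS ACL would be needed there (not done in this example)."""
    path = Path(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + ("\n" if lines else ""))
    if os.name == "posix":
        # O_CREAT leaves a pre-existing file's mode untouched, so set it explicitly.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def split_config_files(config_path, secret_path):
    """Move credential lines out of config_path into secret_path (0600)."""
    config_path = Path(config_path)
    public, secret = split_config(config_path.read_text())
    config_path.write_text("\n".join(public) + "\n")
    write_owner_only(secret_path, secret)
    return public, secret


# Constructed sample; not any real player's config.
SAMPLE_CONFIG = """\
# constructed sample config
-callsign romfis
-password hunter2
-view 2
-window
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d, "config.cfg")
        cfg.write_text(SAMPLE_CONFIG)
        split_config_files(cfg, Path(d, "password.cfg"))
        print("config.cfg share-safe:", is_share_safe(cfg.read_text()))
        if os.name == "posix":
            mode = Path(d, "password.cfg").stat().st_mode & 0o777
            print("password.cfg mode:", oct(mode))
```

Run on a copy of the config before emailing it: if find_secrets() reports anything, the file is not safe to send, whichever way the password line is spelled.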