OK, what have we learned this weekend? (Community)


mongo

Dec 1, 2003, 2:43am
I believe if you look closely at the events in AW and in this news
group, you should have learned the following:

1) Some people crave attention so badly, they'll stoop to any level to
get it - even when it makes them look like total fools.

2) Evidently, there are people that like to prey on the appearance of
"cyber terrorism" to in and of itself terrorize the AW community.

I do not, for a moment, believe a world was deleted without backup
copies of the data existing somewhere. I do not, for a second, believe a
world with talented individuals as A!!CT has wouldn't take the simple
measures of backing up their data regularly. This simple point aside, I
believe this soap opera gives us an opportunity to review how we can protect
our worlds within the limitations of the AW browser and world servers
available to us.

If any of the world owners out there are concerned about the security
and stability of their world builds and object paths, there are several
methods that can be taken. First and foremost is a REGULAR backing up of all
world data. This is easily accomplished either by using bots to back up the
data, or by having the world host do regular prop/at/elevdumps. This helps
protect against innocent accidental deletions, along with deliberate
malicious action. Second is to protect the security of the object path. This
can be accomplished in a couple of ways. Make sure you place blank
index.html files in the directories of the object path. I built some booby
trapped Flash pages for that purpose. 5 seconds to get out, then a mass of
popups, calling URL loads of - you guessed it, more booby trapped Flash.
What can I say, it's cheap entertainment.

Also, the zip password is important to maintaining the security of the
object path. I honestly do not believe any object paths that are being
compromised are being "sniffed" to have the PW derived from browser
communication. I believe it is far more likely that common AW objects in
object paths are being used for comparison, cutting down on the time to
crack the password. If you are able to provide a special program an unzipped
example of a .rwx file, then give it the zip with that file inside, password
protected, it takes FAR less time to crack the password than with a "brute
force" crack. I believe Andras has come up with a tool for inserting comment
lines, to take the text of .rwx files inside zips to a non standard file VS.
the stock AW objects downloaded.

Can anyone think of any points I've missed? And ENZO - I don't envy you
the job of cleaning up this mess tomorrow morning - :)

ep0ch

Dec 1, 2003, 2:58am
True...very true. If A!!CT doesn't have backups, I laugh at them. By default,
all of my world servers back up their data every 30 minutes, then every day,
cron (scheduled commands) backs up the world server directory (I keep it in
/world) and makes a tar.gz of it. I was even thinking of having it email
me/ftp backups to another server, which is probably a good plan.

-Ep0ch



brock

Dec 1, 2003, 3:26am
No one cares Ep0ch.. Go away.

--
Brock
AW: 308723

Administrator
IceFlare Starbeam Network


ep0ch

Dec 1, 2003, 3:28am
How nice and caring of you Brock.

-Ep0ch


poseidon

Dec 1, 2003, 5:59am
Good points, very good points. Ever since the little problem with awrpg a
few months back, we have been making world backups frequently :) Granted we
aren't forced to make them every night, or every thirty minutes as people
claim, because really we don't make *that* many changes to the world
itself.. but yes, ever since then we've been fairly regular in backing up
our world :)

Poseidon


mrbruce

Dec 1, 2003, 7:21am
Yes Mongo but do you know how long it takes to rebuild a P-130 world, plus
several others?
Also why should anyone have to rebuild their world every 5 seconds?
Yes we have back ups but they are never right to the second when the backups
involve an open build world. To be current, I would have to do a back up
every 5 seconds.
Why can't AW just ban these losers and disable their citizenships. And keep
them off my back?
I may be setting a bad example here with my attitude and language lately, but
if it was you and AWI was closed for 4 days due to a holiday, you'd be going
off the short end too.
Never fails, M A T T always does his dirty work on the weekends or holidays
when he knows AW will be closed a few days.
MrBruce

mrbruce

Dec 1, 2003, 7:25am
Ep0ch you never miss an opportunity to poke jibes at me or A!!CT do you?
MrBruce

robbie

Dec 1, 2003, 8:02am
> object path. I honestly do not believe any object paths that are being
> compromised are being "sniffed" to have the PW derived from browser
> communication. I believe it is far more likely that common AW objects in
> object paths are being used for comparison, cutting down on the time to
> crack the password.

This is such a common misconception. I got hold of the first true
Browser-Based Object Path Password decrypter in 2001. They've been around
for some time. The algorithm that encrypts the password in AW isn't so much
weak as it just hasn't changed in years and AW hackers have had a long time
to work on it.

Even now there's still EXE's floating around that decrypt OP passwords, and I
even saw a bot once that logs in as a citizen and then crawls through the
entire world list cataloging OP passwords.

The only point I want to make is, yes - 99% of the kids that "terrorise"
people like MrBruce are just attention seeking losers who actually know
nothing.

What's important is there are 2 or 3 people in AW with skills you wouldn't
believe. There are hacks in existence that can gain Caretaker control of any
world from scratch, with no privileges to start with. Luckily these more
serious bits of code remain in the possession of their authors, and the
authors are mature enough to keep their findings to themselves and the Dev
team.

All I am saying is don't underestimate "hackers" as a collective, but don't
get wound up by these pathetic idiots that parade around trying to associate
themselves with the ones who really can.

elyk

Dec 1, 2003, 8:33am
We already have 4 flame war threads going on....I thought I'd change the
subject......uh....so how's life?.....Er....bad start.......let's see.....how
about those "world's to watch"......damn....that's bad too.......tylenol
anyone??



bowen ten.sardna@newob

Dec 1, 2003, 9:19am
I swear to god, even I'm not that bad. There's been 8 consecutive flame
threads. Not even InSaNiTy has done that. Congratulations Bruce,
you're the new gnome -- I pass the tree to you.

--
--Bowen--
http://bowen.homelinux.com
Give me ideas.

xelag

Dec 1, 2003, 9:37am
Never password your SEQ files. They appear unzipped in the cache, so
if they are zipped and passworded on the object path, it is easy to
compare both and extract the password. Same for the avatars.dat
file.

Alex


> Can anyone think of any points I've missed? And ENZO - I don't envy you
> the job of cleaning up this mess tomorrow morning - :)

codewarrior

Dec 1, 2003, 1:40pm
Never password your sound (.wav) files for the same reason.


dm mercury

Dec 1, 2003, 3:03pm
You should get admin bot by andras. Great tool for keeping your world
backed up, especially with your hosting situation. Just start it every time
you start AW. You can specify how often to back up. If you want a backup
every 5 seconds (on property), it can be done. Reasonably put: you as a
world owner did not take proper precautions to secure data. The AW software
does not guarantee that your data is secure, it is your responsibility as a
world owner to back up your data.

I will admit to not manually making a backup every day. But the world
server software has built in the ability to automatically back up data every
however many seconds (so you could keep backups every minute, hour, day,
etc...). When configured properly the world server does the work for you, so
this is what I do, I have it set for weekly backups, because the files are
large, and vary in how much changes, so 1 week works for me... should
something occur within the week where all my property would be lost, simply
propdump the last known good save and voilà world is back to an acceptable
state, the users of the world will be much more willing to cope with data
being corrupt, or someone stealing your ppw, than not having any backups and
starting from scratch.

Not trying to attack you Bruce, but lots of your posts are very off key and
need some facts put into the mix. Here is the url to setup automatic backup
for the world server.
http://www.activeworlds.com/help/aw34/world_backups.html

DM



db digital

Dec 1, 2003, 3:08pm
Yes very true. I learned that one long ago when I was looking through my
cache cleaning it out of old world downloads and noticed that all the seq
and wavs were there as normal files. Needless to say I fixed that in short
order, repassworded and changed all the other files slightly. I never could
understand why seq were never protected like avatars, objects, and texture
masks can be. Seq can take a long time to make and can often be used with
many different avatars (perhaps not perfectly but close enough). The same
goes for custom wav sounds.

-DB
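
Added example (not from any poster in this thread): a defender-side audit of the point xelag, codewarrior and DB make above, and of mongo's stock-object comparison. It lists passworded ZIP entries whose exact plaintext is obtainable elsewhere, using only the CRC-32 and size that the ZIP central directory stores unencrypted. File names and contents are constructed, and the sample archive has its encryption flag set by hand because Python's zipfile cannot write passworded archives.

```python
import io
import zipfile
import zlib

ENCRYPTED = 0x1  # general-purpose flag bit 0: entry is password-protected


def exposed_entries(zip_bytes, public_copies):
    """Names of passworded entries that exactly match a publicly available file.

    public_copies holds the bytes of files anyone can get in the clear (stock
    objects, or files the browser leaves unzipped in its cache). CRC-32 and
    uncompressed size are read from the central directory; no password needed.
    """
    known = {(zlib.crc32(data), len(data)) for data in public_copies}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if i.flag_bits & ENCRYPTED and (i.CRC, i.file_size) in known]


def constructed_archive(entries):
    """Build a sample archive and flag every entry as encrypted (constructed).

    Only central-directory metadata is inspected by exposed_entries(), so the
    flag is set there; the stored payload is never read or decrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED by default
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")          # central-directory header signature
    while pos != -1:
        raw[pos + 8] |= ENCRYPTED          # flag field sits 8 bytes into the header
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


# Constructed sample data, not real Active Worlds content.
STOCK_RWX = b"ModelBegin\n  ClumpBegin\n  ClumpEnd\nModelEnd\n"
CACHED_SEQ = b"constructed sequence bytes, as found unzipped in the cache"
CUSTOM_RWX = b"# owner-inserted comment line\n" + STOCK_RWX  # altered copy

ARCHIVE = constructed_archive({
    "tree01.rwx": STOCK_RWX,
    "walk.seq": CACHED_SEQ,
    "custom01.rwx": CUSTOM_RWX,
})

if __name__ == "__main__":
    for name in exposed_entries(ARCHIVE, [STOCK_RWX, CACHED_SEQ]):
        print("plaintext publicly available for:", name)
```

An entry that is not listed is only not an exact match for the supplied copies; the check says nothing about files that overlap a public copy in part.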



garnet

Dec 1, 2003, 6:05pm
Ok... I think we all learned that when you go into a uni.. and pretend to
be someone you aren't... that you MAY hear things people say about you that
may not make you too happy. Would these people say it if they knew that
person was there.. probably not.. It happens in real life just as much as
here.. I say anyone who goes around changing their name to snoop, deserves
to hear whatever they hear. When you go looking for trouble.. it will surely
find you.



mrbruce

Dec 2, 2003, 8:40am
I was not snooping, I went there because these clowns were email bombing my
business email server with 10,500 F----You emails and other stupid garbage
emails to fill up my mailserver and cause deletion of important mail. You'd
have done the same thing had it been your email server that was being email
bombed 10,500 times by a kid hanging out there. One of the ones hanging out
there with him told me so in an AOL instant messenger program that's why I
went there in the first place.
MrBruce

garnet

Dec 2, 2003, 10:14am
hahahah I expected nothing less than an argument from ya ..
glad to see you didn't disappoint me !


kah

Dec 2, 2003, 2:10pm
"mrbruce" <MrBruce at a1ct.com> wrote in
news:3fcc6c2e at server1.Activeworlds.com:

> I was not snooping, I went there because these clowns were email
> bombing my business email server with 10,500 F----You emails and other
> stupid garbage emails to fill up my mailserver and cause deletion of
> important mail. You'd have done the same thing had it been your email
> server that was being email bombed 10,500 times by a kid hanging out there.
> One of the ones hanging out there with him told me so in an AOL instant
> messenger program that's why I went there in the first place.

Can you prove there was any deletion of important mail? I really don't see
why any important mail would've been deleted, even considering the amount
of mails handled.

This "mailbombing" constitutes a DoS attack, though, so you could probably
bring criminal charges against whoever committed the act. Unfortunately, you
might not get anyone to investigate it if there is no significant financial
damage.

KAH

Awportals.com is a privately held community resource website dedicated to Active Worlds.