[ONLINE] Making AW Secure (Wishlist)
Aug 11, 2002, 11:42am
Due to recent events in the UK (such as the 2 girls that have been abducted after using the internet on a chat room) I think it's
important that AW does its bit to help keep people secure, citizenships are pretty secure with a cit being able to block someone
pretty much forever, however for tourists it's a little bit less so.
I think that to do our bit for security I propose a set of drastic measures.
- Browser ID: A key that is stored on the Active Worlds server but NOT accessible to anyone outside AWCorp that is an
individual key based on the browser type, and computer hardware but also does not give any information about the hardware itself.
This can be used to identify each user individually no matter what. AWC should also be able to ban people from worlds based on this
code if the world owner requests it.
- Fixed Tourists Name: Currently anyone can be impersonated by copying someone's tourist name, this must be fixed as it's possibly
the worst security risk in AW. Even as tourists people should have the option to reserve a unique tourist ID that they can log on
with using a password that is kept valid as long as they are on at least once every 30 days, although AWCorp will inevitably presume
this will cut registrations, it will also dramatically increase security.
- Chat Training: Citizens and Tourists should be offered free training on AW regarding how to stay safe in chat rooms, no other chat
service offers this whatsoever, and it would be very good for publicity as well.
If we ever intend for Active Worlds to become the true forefront we must make sure even the tourists are safe, after all, I'm sure we
will all feel great if someone is lured to their death by someone on AW by manipulating tourist mode after we have been reassured it
was too much hard work.
I would like a response from AWC on this 1, we already know that people like Flagg, Shamus and Kellie read the NG's and it would be
very much appreciated if we could have a public statement on this most serious of matters. In fact, I think that this outweighs
anything that AWC could put effort into at this time.
- Mark
- AWTeen Major Events, AWTeen Bots / Effects
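A sketch of the "Fixed Tourists Name" proposal in the post above, added here as an illustration; it is not part of the original post and not Active Worlds code. The class name, the PBKDF2 parameters and the sample names and passwords are assumptions made for the example. The check runs entirely on the server, so nothing the client reports has to be trusted.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

RESERVATION_TTL = timedelta(days=30)  # "on at least once every 30 days"


class TouristNameRegistry:
    """Server-side table of reserved tourist names (hypothetical design)."""

    def __init__(self):
        # normalized name -> (salt, password hash, time of last good login)
        self._entries = {}

    @staticmethod
    def _normalize(name):
        # Case-fold and strip so "Mark" and " mark" cannot coexist as look-alikes.
        return name.strip().casefold()

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash: the server never stores the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def _expired(entry, now):
        return now - entry[2] > RESERVATION_TTL

    def reserve(self, name, password, now):
        key = self._normalize(name)
        entry = self._entries.get(key)
        if entry is not None and not self._expired(entry, now):
            return False  # name is currently held by someone else
        salt = os.urandom(16)
        self._entries[key] = (salt, self._hash(password, salt), now)
        return True

    def login(self, name, password, now):
        key = self._normalize(name)
        entry = self._entries.get(key)
        if entry is None or self._expired(entry, now):
            self._entries.pop(key, None)  # lapsed reservation frees the name
            return False
        salt, stored, _ = entry
        # Constant-time comparison; a failed attempt does not refresh the window.
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return False
        self._entries[key] = (salt, stored, now)  # restart the 30-day window
        return True


def demo():
    """Constructed scenario: owner reserves, impersonator fails, name lapses."""
    reg = TouristNameRegistry()
    t0 = datetime(2002, 8, 11)
    return [
        reg.reserve("Mark", "correct horse", t0),                   # owner
        reg.reserve("mark ", "other", t0 + timedelta(days=1)),      # look-alike
        reg.login("Mark", "guess", t0 + timedelta(days=2)),         # wrong password
        reg.login("Mark", "correct horse", t0 + timedelta(days=20)),
        reg.login("Mark", "correct horse", t0 + timedelta(days=49)),
        reg.login("Mark", "correct horse", t0 + timedelta(days=80)),  # lapsed
    ]
```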
Aug 11, 2002, 12:08pm
A 'browser ID' would be hard to figure. People already got pissed about the
computer ID when it was introduced. Also, what would be in this 'browser
ID'? Every serial number that your OS can get, you can change. I suppose
the only *true* secure ID on your computer would be your proc serial, but
most processors don't have software accessible serial numbers.
Proc ID: Few machines have them.
MAC Address: Very few people have them, buy a new NIC, you have a new one.
Can be changed.
GUID: Changes every restart.
HD Serial: Can be changed.
BIOS Serial: Reflashing your bios changes this.
There's nothing on current computers that could be 100% secure. The only
real way would be putting an EEPROM with its write fuse blown controlled
through an I2C/SMBus on the motherboard. Would be an extremely cheap way of
tracking new generation motherboards. Sadly, very few people would purchase
these new generation mobos due to the serial number stored on their
hardware. Personally, I wouldn't.
-Joe
|
Aug 11, 2002, 2:42pm
How about a PHP download script on the browser that creates an individual browser key based on hardware?
|
Aug 11, 2002, 3:42pm
All the hardware IDs and the like could be changed, so when they come on
next, the key is different.
-Joe
|
Aug 11, 2002, 3:50pm
What about software IDs?
|
Aug 11, 2002, 8:10pm
Software IDs would be sooooo easy to change. Any person with a hex editor
could change your current hardware ID.
-Joe
|
Aug 12, 2002, 2:15am
why the hell r little kids getting abducted all the timer? just have the
parents keep their stupid little brats inside and off the damn internet!!
they don't belong in chat rooms anyway if they're gonna misuse them by
giving out personel info...stupid idiots
|
Aug 12, 2002, 2:16am
and dude...two tourists can not have the same name, lol
|
Aug 12, 2002, 3:07am
Ok, lets convert this from TardSpeak to English.
[View Quote]"slim smokey" <Smokey360j at ync.net> wrote in message
news:3d57366a at server1.Activeworlds.com...
> why the hell r little kids getting abducted all the timer? just have the
|
[W]hy the hell [are] little kids getting abducted all the [time]? [J]ust
have the
> parents keep their stupid little brats inside and off the damn internet!!
parents keep their stupid little [kids] inside and off the damn internet!!
> they don't belong in chat rooms anyway if they're gonna misuse them by
[T]hey don't belong in chat rooms anyway if they're [goning] to misuse them
by (what are you doing on the internet then?)
> giving out personel info...stupid idiots
giving out personal information... Stuipd idiots.
Wow, your poor grasp of the english language makes me rench up my guts. I
mean, really. What are you doing on the computer when you speak at the
level of a second grader and spell much worse. If you tell people not to
use the net when they're kids, why the hell are you on it? Were you born
retarded or did you work at it?
-Joe
|
Aug 12, 2002, 3:09am
Read before you spout. Once one tourist's session expires, anyone can come
on with his name.
-Joe
[View Quote]"slim smokey" <Smokey360j at ync.net> wrote in message
news:3d5736b9$1 at server1.Activeworlds.com...
> and dude...two tourists can not have the same name, lol
|
TardToEnglish: Dude, two tourists can't have the same name,
LOLOLFROROFLOLOL!!!
Dolt...
|
Aug 12, 2002, 3:27am
[View Quote]"slim smokey" <Smokey360j at ync.net> wrote in message
news:3d57366a at server1.Activeworlds.com...
> why the hell r little kids getting abducted all the timer?
>stupid idiots.
|
gee, I hope you're next...
Aug 12, 2002, 3:55pm
When I create various files that need to make sure they are non-distributable I ask the person it's for to run a program on their computer which takes their HD serial, Reg version etc. and creates a 20 - 50 byte long number which they then give me. I then use another proggy to change that number into an encrypted script, I then hardcode the encryption string into the program + the internal version of the number generator and encoder. The bot then creates the new string and compares 'em, if they are not the same the product self-corrupts or just won't work.
The idea is if a script could be made to compile into the browser on download based on Hardware info that will be deleted after the key is made. It could be worked into the browser if done right (I have no idea how to get a script to create individual browsers) and not many people are going to go changing their hardware settings every day.
-Mark
[View Quote]"joeman" <Joeman at bootdown.com> wrote in message news:3d56a208$1 at server1.Activeworlds.com...
> All the hardware IDs and the like could be changed, so when they come on
> next, the key is different.
>
> -Joe
|
Aug 12, 2002, 4:28pm
You can change one assembly instruction and bypass that. Just change the "jump to X only if the following is true" instruction into
"jump to X" and your "protection" is defeated.
-Agent1
[View Quote]"strike rapier" <strike at rapiercom.freeserve.co.uk> wrote in message news:3d57f685 at server1.Activeworlds.com...
> The bot then creates the new string and compares em, if they are not the same the product self corrupts or just wont work.
|
Aug 12, 2002, 5:00pm
Encrypted functions and encrypted source code, how the heck are they meant to find and defeat that? I mean it would stop most people, obviously not the major hackers
|
Aug 12, 2002, 7:45pm
[View Quote]"strike rapier" <strike at rapiercom.freeserve.co.uk> wrote in message news:3d5805bb at server1.Activeworlds.com...
> Encrypted functions and encrypted source code, how the heck are they meant to find and defeat that?
|
What are you talking about? Just because the source is encrypted, doesn't mean they can't just hex edit the binary.
> I mean it would stop most people, obviously not the major hackers
It doesn't even take a "major hacker" to do this - just look up a couple of assembly instructions and change one for another.
-Agent1
Aug 15, 2002, 7:00pm
O_O
[View Quote]"maki" <maki at awmaki.com> wrote in message
news:3d57473f at server1.Activeworlds.com...
> "slim smokey" <Smokey360j at ync.net> wrote in message
> news:3d57366a at server1.Activeworlds.com...
>
> gee, I hope you're next...
>
>
|
Aug 17, 2002, 6:36am
*Shrug* if that's his attitude I don't see why not, he obviously is completely oblivious to the fact that most of these kids actually end up dead, maybe if he ended up the same way he might learn a bit of appreciation for the fact in the few millionths of a second before he was brain dead.
-Mark
-Don't think me cruel, I'm just the messenger