* June 20, 2013, 11:21:35 AM
Author Topic: Security Breach -Biggest in Trem History?  (Read 14751 times)
Plague Bringer


Turrets: +147/-187
Posts: 3812


« Reply #30 on: February 16, 2007, 09:47:51 PM »

notice how he (almost) completely avoided the topic and attempted to redirect all of the blame?
Logged

U R A Q T
vcxzet
Guest
« Reply #31 on: February 16, 2007, 09:50:54 PM »

:evil:  Tongue
Logged
benmachine

*
*

Turrets: +99/-76
Posts: 915



WWW
« Reply #32 on: February 16, 2007, 09:56:32 PM »

Guys, I have a terrible confession to make...

...it was me who told Polly how to fake GUIDs. I didn't do it maliciously, it was mostly out of curiosity, and I needed someone to test it. Now, of course, if what you're saying is true, it seems pretty stupid that I trusted them, and for that I'm sorry.
Personally I haven't used the knowledge since that night for testing, I've been using my qkey GUID (which Polly knows, btw). Also of note: I discovered how after someone with an anomalous GUID connected to Polly's server and he/she came to #tremulous to ask about it. It is therefore possible that neither I nor Polly were the first people to discover this method, and you might thank Polly for publicizing it and allowing it to be fixed.
To be fair, the bugzilla report on it does credit Polly for bringing the bug to the attention of the reporter, so if it were not for your accusations, I'd still be assuming good faith.

edit: I just got the IRC logs: #tremulous and PM with polly (edit: removed for discussion of hax)
The #tremulous log contains everything I said to polly that night, so you might want to skip to the double line breaks I inserted if you don't care much about what we discussed initially (and tbh don't know why you would).
edit two: it seems there are some erroneous characters in those logs, something to do with character encoding I'd guess. I cba to fix it though, it's still readable. Suffice to say they weren't in the original.
Logged

benmachine
vcxzet
Guest
« Reply #33 on: February 16, 2007, 10:51:31 PM »

Quote from: "benmachine"
Also of note: I discovered how after someone with an anomalous GUID connected to Polly's server and he/she came to #tremulous to ask about it. It is therefore possible that neither I nor Polly were the first people to discover this method, and you might thank Polly for publicizing it and allowing it to be fixed.

DOH it was probably me with the anomalous guid. But I've never stolen anyone's guid (probably I would but I have no server)
Logged
Pol
Guest
« Reply #34 on: February 17, 2007, 12:19:25 AM »

Nope, it wasn't you.

And S11.Info doesn't steal GUIDs.
Logged
Rawr


Turrets: +1/-1
Posts: 919


« Reply #35 on: February 17, 2007, 12:24:24 AM »

Lies.
Logged

tuple

*

Turrets: +97/-80
Posts: 834



« Reply #36 on: February 17, 2007, 12:34:40 AM »

Quote from: "Pol"
My side of the story? My side of the story is that it wouldn't really matter if I say it was me, not me, you, raWr, or anybody else.  Who would ever know with 100% certainty ?

While it is true that we could in no way determine conclusively who was sitting behind the offending IP, the evidence that the source of the malicious behavior was in fact the IP that you use is pretty conclusive.  The likelihood that there was someone else using your computer, using your computer as a proxy or spoofing your IP is extremely small.  If that is in fact what has happened, you would have the proof that would clear your name.

Quote from: "Pol"

I am not rapt in acting maliciously against any of my server's guests, or those of another server, or other server admins.

We have no way of knowing this and it is irrelevant to the discussion.

Quote from: "Pol"

Tremulous's current GUID / ip userinfo system is obviously flawed.  Even tjw's latest 'new guid per server' hack is hardly worthy of the effort.

This is irrelevant.  If I leave my door unlocked, that does not give anyone permission to rob my house.  That many, many people knew of this vulnerability is common knowledge among many in the tremulous community.  That someone personally decided to take advantage of the vulnerability to act maliciously is in no way related.  Someone made a decision to act maliciously, the identity of that individual is the question here.
Logged

Mario


Turrets: +16/-5
Posts: 127


« Reply #37 on: February 17, 2007, 02:37:17 AM »

The following screenshots are from the S11 Info Server. As you can see in the following image, the user with blank GUID's & player 4 with a default GUID are him:




Pol also denied being there at the time the event took place on Dretch Storm. All admins were set to level 0 and random players were given level 5 due to a compromised GUID. But the server operator of D*S (GhostShell) tells me that the following people had level 5 at the time from the thread http://dretchstorm.com/node/93:

Mr. Gumby   66.63.211.173
[COL]Jose   201.220.86.99
The Me [banana]   70.174.101.101
FireHazard@ubuntu   69.37.19.142
Newbie#27   65.110.228.135 <--- 1st person using !setlevel

Match the last ip of Newbie#27 to the blank GUID in the !namelog and tell me who you see...
Logged

I dont give a fuck meter. 7/6/10

(min) 0----------|--10 (max)
Ace1


Turrets: +0/-0
Posts: 108


« Reply #38 on: February 18, 2007, 11:52:24 AM »

lol thats kinda true
Logged

tuple

*

Turrets: +97/-80
Posts: 834



« Reply #39 on: February 18, 2007, 02:32:04 PM »

Ace1, quit posting stupid shit everywhere just to get your post count up, or at least get rid of that annoyingly large signature.
Logged

David
Spam Killer
*
*
*

Turrets: +249/-273
Posts: 3543

David


« Reply #40 on: February 18, 2007, 02:45:06 PM »

Quote from: "tuple"
Ace1, quit posting stupid shit everywhere just to get your post count up, or at least get rid of that annoyingly large signature.


preferably do both.
Logged

Any maps not in the MG repo?  Email me or come to irc.freenode.net/#mg.
--
My words are mine and mine alone.  I can't speak for anyone else, and there is no one who can speak for me.  If I ever make a post that gives the opinions or positions of other users or groups, then they will be clearly labeled as such.
I'm disappointed that people's past actions have forced me to state what should be obvious.
I am not a dev.  Nothing I say counts for anything.
Plague Bringer


Turrets: +147/-187
Posts: 3812


« Reply #41 on: February 18, 2007, 04:56:41 PM »

Quote from: "David"
Quote from: "tuple"
Ace1, quit posting stupid shit everywhere just to get your post count up, or at least get rid of that annoyingly large signature.


preferably do both.

yeah, lol Tongue, who made that thing anyway? Deisel?
Logged

U R A Q T
Ace1


Turrets: +0/-0
Posts: 108


« Reply #42 on: February 18, 2007, 06:39:50 PM »

hey stfu and stop slabberin i am only tryin to help but use obusily dont like the compition
Logged

Caveman


Turrets: +93/-192
Posts: 2286


WWW
« Reply #43 on: February 18, 2007, 07:21:14 PM »

Quote from: "Ace1"
hey stfu and stop slabberin i am only tryin to help but use obusily dont like the compition

Anyone up to translate this into a readable form?
Logged

Aliens' | Humans' | Wrath Public-CW

All other *wrath-server are copycats and not affiliated with us.

News/Status/Forum/Patches: http://wraths.dyndns.org
AKAnotu


Turrets: +7/-9
Posts: 616

Spoony Bard


« Reply #44 on: February 18, 2007, 07:53:27 PM »

Quote from: "Caveman"
Quote from: "Ace1"
hey stfu and stop slabberin i am only tryin to help but use obusily dont like the compition

Anyone up to translate this into a readable form?

stfu and stop slobbering i am only trying to help but you obviously don't like the competition
Logged

Ace1


Turrets: +0/-0
Posts: 108


« Reply #45 on: February 18, 2007, 11:07:46 PM »

lol guys i am just a bit ticked off that i cant get m pot forwarding problem fixed so guys plz help me i am in need of any helkp to get my server up and runnin
Logged

FooBar


Turrets: +9/-1
Posts: 94


WWW
« Reply #46 on: February 19, 2007, 12:20:33 AM »

Ace, I'd be happy to help you with port forwarding in any spare time I have (not right now), but could you try to do a couple of things?  First, learn to spell and form complete sentences, and also, use punctuation.  Please!  Second, only post on a thread when you have a real point to make; don't just post to say "i agree" or something like that.

You're a nice guy and very earnest, and I guarantee that if you do those two things everyone around here will love you, or at least like you a lot more.

Thank you!
Logged
benmachine

*
*

Turrets: +99/-76
Posts: 915



WWW
« Reply #47 on: February 19, 2007, 01:09:18 AM »

Quote from: "Mario"
The following screenshots are from the S11 Info Server. As you can see in the following image, the user with blank GUID's & player 4 with a default GUID are him:

Sorry, please elaborate: as I can see? How can I see?
It could be anyone who knows the trick, unless I'm missing something...
Logged

benmachine
Caveman


Turrets: +93/-192
Posts: 2286


WWW
« Reply #48 on: February 19, 2007, 01:19:58 AM »

The trick is that that statement is wrong.
All we can see is 2 clients connected from the same IP, one with a non-legit guid...
Logged

Aliens' | Humans' | Wrath Public-CW

All other *wrath-server are copycats and not affiliated with us.

News/Status/Forum/Patches: http://wraths.dyndns.org
Ace1


Turrets: +0/-0
Posts: 108


« Reply #49 on: February 19, 2007, 12:35:51 PM »

Quote from: "FooBar"
Ace, I'd be happy to help you with port forwarding in any spare time I have (not right now), but could you try to do a couple of things?  First, learn to spell and form complete sentences, and also, use punctuation.  Please!  Second, only post on a thread when you have a real point to make; don't just post to say "i agree" or something like that.

You're a nice guy and very earnest, and I guarantee that if you do those two things everyone around here will love you, or at least like you a lot more.

Thank you!
Yes FooBar I will try and complete these requests you have made, and yes i should get on with everyone around here as i am very approchable as you have learnt and many others have as well if they have played with me. So sry everyone if i was a bit cheky. Cheesy
Logged

Pol
Guest
« Reply #50 on: February 21, 2007, 05:42:55 PM »

/s/approchable/approachable
/s/learnt/learned
/s/sry/sorry
/s/cheky/(cheeky|cheesy)
/s/Ace1/illiterate

BTW, Who the fuck is the moderator here?

...editing the content of my messages without my consent?

"NOPE! GUESS WHAT, I AM!"

...

Wtf is that shit?

Obviously this entire board is fucking moronic, being run by morons, and moderated by morons.

AND both the IRC channels on quakenet have the same exact problem.

The Tremulous community at large has to get its fucking act together.

The game has potential, but you've certainly done your part in discouraging an intellectual contributor from wanting to even discuss it.

Take care, fuckers
Logged
Smokey


Turrets: +23/-58
Posts: 793

orly?


WWW
« Reply #51 on: February 21, 2007, 06:02:27 PM »

Quote from: "Pol"
/s/approchable/approachable
/s/learnt/learned
/s/sry/sorry
/s/cheky/(cheeky|cheesy)
/s/Ace1/illiterate

BTW, Who the fuck is the moderator here?

...editing the content of my messages without my consent?

"NOPE! GUESS WHAT, I AM!"

...

Wtf is that shit?

Obviously this entire board is fucking moronic, being run by morons, and moderated by morons.

AND both the IRC channels on quakenet have the same exact problem.

The Tremulous community at large has to get its fucking act together.

The game has potential, but you've certainly done your part in discouraging an intellectual contributor from wanting to even discuss it.

Take care, fuckers

lol, anyone else remember that post with all his info? lewl.
Logged

Caveman


Turrets: +93/-192
Posts: 2286


WWW
« Reply #52 on: February 22, 2007, 02:00:44 AM »

Quote from: "Pol"
... intellectual contributor ...


If that was supposed to mean you, you phail. You can not even refrain from using fecal expressions and try to look down upon those that tried to help you.

Go outside and play with the rattlesnakes / cars in the traffic.
Logged

Aliens' | Humans' | Wrath Public-CW

All other *wrath-server are copycats and not affiliated with us.

News/Status/Forum/Patches: http://wraths.dyndns.org
Stof


Turrets: +1/-1
Posts: 1344


« Reply #53 on: February 22, 2007, 08:57:51 AM »

Quote from: "Caveman"

Now, would you PLEASE stop that :evil:
Logged

Murphy's rules of combat
8 ) Teamwork is essential; it gives the enemy someone else to shoot at.
18 ) Make it too tough for the enemy to get in and you can't get out.
vcxzet
Guest
« Reply #54 on: February 22, 2007, 09:09:29 AM »

Quote from: "Stof"

Quote from: "Stof"

Quote from: "Stof"
Logged
Rawr


Turrets: +1/-1
Posts: 919


« Reply #55 on: February 23, 2007, 12:52:15 AM »

Quote

Quote

Quote

Quote

Quote

Tongue
Logged

TinMan


Turrets: +49/-70
Posts: 1020


WWW
« Reply #56 on: February 23, 2007, 02:31:13 AM »

BAN HIM!
Logged

Code:
Linux: ~/.tremulous/base/
Mac: ~/Library/Application\ Support/Tremulous/base/
Windows: C:\Documents and Settings\username\Local Settings\Application Data\Tremulous\base\
NeonPulse
http://neonpulse.net/media/games/tremulous/base/autoexec.cfg
Ace1


Turrets: +0/-0
Posts: 108


« Reply #57 on: February 23, 2007, 04:36:47 PM »

lol tin. ban him incase he does it again.
Logged

Rawr


Turrets: +1/-1
Posts: 919


« Reply #58 on: February 25, 2007, 11:36:18 PM »

Pol is now stealing }MG{'s Bandwidth OH KNOZ!
Logged

khalsa
Administrator

*

Turrets: +187/-132
Posts: 591


Dharam De rakhvalae


WWW
« Reply #59 on: February 26, 2007, 04:36:04 AM »

ZOMG! Not my Bandwidths!

Somebody should do something!

Note: The }MG{ Map mirror is open to all for public use, feel free to set your auto-downloads cvars of your server to http://www.mercenariesguild.net and for individuals looking for maps see: http://www.mercenariesguild.net/base/


Khalsa
Logged

}MG{ Mercenariesguild
ਮਨੁ ਜੀਤੇ ਜਗੁ ਜੀਤਿਆ