EricL's FTP IM + my attempt to save it for what is worth
Botsareus:
So I just have to put in the real credentials when compiling code. And no other users will be able to compile code and use IM without it. That is kinda brilliant, Peter. Thanks. But what if someone hacks for credentials? I need Numsgil's input on this as well.
No real security issues beyond that. But I still want to keep track of users with a username and password. Have no idea how to do it though.
I may end up actually implementing my current list of changes since I feel better about the whole thing. The list got rather big. But that will be during my time off from college. I also want to try a little money making project first during my time off. So it will be a while.
Numsgil:
I would imagine it's relatively trivial for someone to portsnoop their own computer and find the FTP credentials from a running version of DB, so it's not like making even the entire thing closed source would necessarily mean no one has the FTP login.
Best bet is a separate config file attached to the binary like Peter is saying. Like this. I'm not sure if something like that exists in VB6 but there's probably clever things we can do even if you can't do that in VB6. But it just means people won't see the FTP credentials from casual inspection or web browsing. It doesn't mean the FTP credentials are secure.
In the long run, like I was saying before, it'd be better to have users log in with their forum usernames + passwords. That would make it easy to revoke access to a specific person if they're abusing things. A concerted troll would still be able to spoil things, but at least it wouldn't be as easy as getting a single set of FTP credentials. But that's not a trivial undertaking.
Botsareus:
--- Quote ---
I would imagine it's relatively trivial for someone to portsnoop their own computer and find the FTP credentials from a running version of DB, so it's not like making even the entire thing closed source would necessarily mean no one has the FTP login
--- End quote ---
I dig it. Server credentials will eventually be stolen. But what good are credentials if a user cannot mess with the source in the first place? That is my philosophy behind it. Edit: I plan to do the organism save code from scratch because I want organisms at start of simulation. It will not be comparable with DBII anyway.
Also, I do want to go with individual usernames and passwords. And possibly hook up an automatic league runner to this as well.
Botsareus:
I may end up just doing it open source 2.49 with more or less EricL's FTP, if I find myself with nothing better to do. But fair warning, this will include my drastic changes to vegys.
Peter:
I don't know how FTP works in Darwinbots, but take a look if the library you use supports FTPS. It's basically FTP, but over SSL.
With SSL, I don't think intercepting credentials is trivial. May have to resort to decompiling or looking in memory for the password.
Forum credentials to log into FTP sounds nice, but I don't know if it's worth that much effort to stop a troll. Do many people want to spend time to troll IM? I think it is more efficient to keep the existing system of a single user and ban IPs that abuse it.
Most important, make sure the webserver or even anyone running IM on their computers cannot be harmed.
Was the EricL FTP IM hacked?