Welcome to Valhalla Legends Archive.

I found a problem with BNLS.

Started by Deception, May 05, 2005, 11:51 PM


Adron

Quote from: Deception on May 05, 2005, 11:51 PM
BNLS receives your account passwords and CD-Keys in plaintext from the client.
It then hashes them and sends back the hashed value to the client to be sent to Battle.net.

Now, the whole purpose of hashing in the first place is to make it impossible to obtain the password/CD-Key when sending it to Battle.net (through sniffers and what not). You send a hashed value instead of the plaintext value.

So, the problem with BNLS is simple: It defeats the purpose of hashing in the first place.

For Starcraft and similar cdkeys, BNLS doesn't actually defeat the purpose of hashing the cd key. This is because the unknown part of the cd key is so small as to be easily brute forceable if you can obtain a dump of the packets exchanged between client and server.

For the rest, what BNLS does is offer you freedom of choice. You can use BNLS for everything, at the same security level as connecting to battle.net with a chat gateway bot. You can use BNLS for the version check calculations only, to save you from having the game files locally. Or you can not use BNLS at all.

The freedom is yours.

Adron

Quote from: Lenny on May 08, 2005, 10:39 PM
Well, I've seen Adron active in the forums. But I'm assuming Administrators don't deal with moderation issues.

I try to avoid moderating forums that I'm not a moderator of. I will occasionally, if I think the post is bad enough, but I'll prefer to then ban the users involved instead.


Edit: Besides, if I did, I'd have to think more carefully about what I post. I post off-topic things on forums now and then, and then I like to see moderators trashing my posts. If I was a moderator on the forum, I'd have to remove my own posts, and that would be such a waste of time.

Stealth

The fact of the matter is that the OP is a troll. This entire thread is a deliberate attention grab and contains not a single productive post except iago's and Kane's.  >:(
- Stealth
Author of StealthBot

iago

Quote from: Adron on May 10, 2005, 10:20 AM
Quote from: Deception on May 05, 2005, 11:51 PM
BNLS receives your account passwords and CD-Keys in plaintext from the client.
It then hashes them and sends back the hashed value to the client to be sent to Battle.net.

Now, the whole purpose of hashing in the first place is to make it impossible to obtain the password/CD-Key when sending it to Battle.net (through sniffers and what not). You send a hashed value instead of the plaintext value.

So, the problem with BNLS is simple: It defeats the purpose of hashing in the first place.

For Starcraft and similar cdkeys, BNLS doesn't actually defeat the purpose of hashing the cd key. This is because the unknown part of the cd key is so small as to be easily brute forceable if you can obtain a dump of the packets exchanged between client and server.

For the rest, what BNLS does is offer you freedom of choice. You can use BNLS for everything, at the same security level as connecting to battle.net with a chat gateway bot. You can use BNLS for the version check calculations only, to save you from having the game files locally. Or you can not use BNLS at all.

The freedom is yours.


What you said is true for Starcraft and possibly War2/Diablo2.  And for cdkeys only.  War3 does a much better job of concealing the important information.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


tA-Kane

Doesn't WarCraft 3 do the same job of concealing cdkeys as StarCraft does? Remember that StarCraft has been patched to use 0x51.
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

R.a.B.B.i.T

Quote from: HdxBmx27 on May 09, 2005, 07:56 PM
Quote from: Networks on May 09, 2005, 07:51 PM
* Networks ponders how many threads we can go! Let's break a world record, guys!

1085 pages??? holy crap. (I've seen this before, but the site it was on got shut down.)
~-~(HDX)~-~
http://vbforums.com/showthread.php?p=2004246&highlight=Post+Race#post2004246
1144 pages.

Adron

Quote from: iago on May 10, 2005, 12:28 PM
Quote from: Adron on May 10, 2005, 10:20 AM
For Starcraft and similar cdkeys, BNLS doesn't actually defeat the purpose of hashing the cd key. This is because the unknown part of the cd key is so small as to be easily brute forceable if you can obtain a dump of the packets exchanged between client and server.

For the rest, what BNLS does is offer you freedom of choice. You can use BNLS for everything, at the same security level as connecting to battle.net with a chat gateway bot. You can use BNLS for the version check calculations only, to save you from having the game files locally. Or you can not use BNLS at all.

The freedom is yours.


What you said is true for Starcraft and possibly War2/Diablo2.  And for cdkeys only.  War3 does a much better job of concealing the important information.

Passwords for War3 are hard to brute force. For Starcraft etc, they're doable. But either way, I see no big problem sending b.net passwords in cleartext across the Internet. I send pop3 or imap passwords in cleartext all the time, and those would be a much bigger pain to lose. If someone got my b.net password, I could always do password recovery through e-mail on it.

The important thing to protect is your cd key, and for cd keys you can't say any of the battle.net games are safe. If you get a packet log of the login sequence from any client, you would be able to brute force the raw cd key within a very reasonable time.

iago

Quote from: Adron on May 12, 2005, 10:26 AM
Quote from: iago on May 10, 2005, 12:28 PM
Quote from: Adron on May 10, 2005, 10:20 AM
For Starcraft and similar cdkeys, BNLS doesn't actually defeat the purpose of hashing the cd key. This is because the unknown part of the cd key is so small as to be easily brute forceable if you can obtain a dump of the packets exchanged between client and server.

For the rest, what BNLS does is offer you freedom of choice. You can use BNLS for everything, at the same security level as connecting to battle.net with a chat gateway bot. You can use BNLS for the version check calculations only, to save you from having the game files locally. Or you can not use BNLS at all.

The freedom is yours.


What you said is true for Starcraft and possibly War2/Diablo2.  And for cdkeys only.  War3 does a much better job of concealing the important information.

Passwords for War3 are hard to brute force. For Starcraft etc, they're doable. But either way, I see no big problem sending b.net passwords in cleartext across the Internet. I send pop3 or imap passwords in cleartext all the time, and those would be a much bigger pain to lose. If someone got my b.net password, I could always do password recovery through e-mail on it.

The important thing to protect is your cd key, and for cd keys you can't say any of the battle.net games are safe. If you get a packet log of the login sequence from any client, you would be able to brute force the raw cd key within a very reasonable time.


That's true, the email recovery is quite helpful.

I hate pop3, I use SSL to connect to it on every server (except vL's..). I also don't use non-anonymous FTP.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Arta

Quote from: Stealth on May 10, 2005, 10:40 AM
The fact of the matter is that the OP is a troll. This entire thread is a deliberate attention grab and contains not a single productive post except iago's and Kane's.  >:(

*And Arta's :P

Deception

Quote from: Warrior on May 09, 2005, 08:00 PM
I personally don't agree with iago on this matter and never have. I think that if you're scared to send some data to a server because you fear people are out to get you and take your password, then you should get off the internet. Anyone who says BNLS is insecure is paranoid. Period.

You don't agree with iago for one reason.

That reason is that iago agrees with me and you can't admit when you're wrong (much like various other heavy posters here).
- Deception of Dark Council
