
BNLS Question

Started by David, October 21, 2005, 03:47 PM

David

Isn't it true that passwords and keys are sent un-hashed to the BNLS server, and anyone with access to the server, if they wanted to, not saying they would, could retrieve keys / usernames / passwords?
Quote from: l]ante on March 15, 2004, 11:40 AM
You learned 8 languages in 8 months?
Geez, go code a life.

UserLoser.

Quote from: David on October 21, 2005, 03:47 PM
Isn't it true that passwords and keys are sent un-hashed to the BNLS server, and anyone with access to the server, if they wanted to, not saying they would, could retrieve keys / usernames / passwords?

Uh huh.  So what's your point?

David

I don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.

Kp

Quote from: David on October 21, 2005, 07:25 PM
I don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.

Well, that someone probably cannot. :)  BNLS doesn't log any of that data, and the only other way to capture it would be by doing a wire capture of the inbound traffic.  Given the volume of data that the vL server moves (BNLS, botnet, TeamSpeak, etc.), doing a wire capture is not fun.  I wanted to do it once to try to debug some strangeness with one of our other services.  It did not go well. :)
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

PaiD

Also, if the login isn't for w3, BNLS never gets the username.

Joe[x86]

Quote from: Kp on October 21, 2005, 07:55 PM
Quote from: David on October 21, 2005, 07:25 PM
I don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.

Well, that someone probably cannot. :) BNLS doesn't log any of that data, and the only other way to capture it would be by doing a wire capture of the inbound traffic. Given the volume of data that the vL server moves (BNLS, botnet, TeamSpeak, etc.), doing a wire capture is not fun. I wanted to do it once to try to debug some strangeness with one of our other services. It did not go well. :)

Ethereal filter, ((tcp.port == 9367)). You've got the BNLS traffic. Nothing more, nothing less. =)
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

The-FooL

Think of it this way: with all the thousands of logins at any given time, if they wanted to steal a key, what is the chance that it would be yours?

Explicit

Quote from: The-FooL on October 21, 2005, 11:41 PM
Think of it this way: with all the thousands of logins at any given time, if they wanted to steal a key, what is the chance that it would be yours?

They wouldn't want it, period.
I'm awake in the infinite cold.

[13:41:45]<@Fapiko> Why is TehUser asking for wang pictures?
[13:42:03]<@TehUser> I wasn't asking for wang pictures, I was looking at them.
[13:47:40]<@TehUser> Mine's fairly short.

Eric

If they were to require that the passwords and/or CD-Keys be hashed before they were transmitted, it would defeat the purpose of using BNLS.

Kp

Quote from: Joe on October 21, 2005, 09:36 PM
Quote from: Kp on October 21, 2005, 07:55 PM
Quote from: David on October 21, 2005, 07:25 PM
I don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.
Well, that someone probably cannot. :) BNLS doesn't log any of that data, and the only other way to capture it would be by doing a wire capture of the inbound traffic. Given the volume of data that the vL server moves (BNLS, botnet, TeamSpeak, etc.), doing a wire capture is not fun. I wanted to do it once to try to debug some strangeness with one of our other services. It did not go well. :)
Ethereal filter, ((tcp.port == 9367)). You've got the BNLS traffic. Nothing more, nothing less. =)

You completely missed the point of my post.  Finding a particular event is easy, if you're willing to incur the overhead of capturing all the junk that's coming through the box.  Even using a capture filter instead of a display filter, there's overhead associated with capturing all the packets just so they can be discarded.  My point was that trying to run a capture on a serious production box (particularly a Windows-based one that doesn't even have decent capture tools shipped with the distribution!) is a nuisance, not that it cannot be done.

Networks

If you're worried about it, there are numerous methods of using BNLS functions to not have to use hash files while not sacrificing security: BNCSutil. Hash the information and send the hash information to BNLS and all is well providing someone doesn't try to brute your hash. At least it's harder. :D

David

This whole topic was just to prove a point to someone, I wasn't trying to down the BNLS server, I use it, I like it, I always have.

Explicit

If you already knew how BNLS functioned, why make an entire thread asking the question? It's been covered many times in the past.

Lenny

BNLS is just one of those things you use at your own risk.  Whether or not your information is stolen, the responsibility still lies with the user.  You must remember BNLS is a free service.

And it's already been stated before, it's just silly to do anything besides checkrevision remotely...
The Bovine Revolution
Something unimportant

WARNING: The preceding message may have contained content unsuitable for young children.

Grok

In all the years BNLS has been running, I am unaware of a single security breach, or even an unsupported complaint of one.