BNLS Question

David · October 21, 2005, 03:47 PM

Isn't is true that passwords and keys are sent un-hashed to the BNLS server, and anyone with access to the server, if they wanted to, not saying the would, could retrieve keys / usernames / passwords?

UserLoser. · October 21, 2005, 04:12 PM

Quote from: David on October 21, 2005, 03:47 PM
Isn't is true that passwords and keys are sent un-hashed to the BNLS server, and anyone with access to the server, if they wanted to, not saying the would, could retrieve keys / usernames / passwords?

Uh huh. So what's your point?

David · October 21, 2005, 07:25 PM

I don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.

Kp · October 21, 2005, 07:55 PM

Quote from: David on October 21, 2005, 07:25 PMI don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.

Well, that someone probably cannot.

BNLS doesn't log any of that data, and the only other way to capture it would be by doing a wire capture of the inbound traffic. Given the volume of data that the vL server moves (BNLS, botnet, TeamSpeak, etc.), doing a wire capture is not fun. I wanted to do it once to try to debug some strangeness with one of our other services. It did not go well.

PaiD · October 21, 2005, 09:10 PM

Also if the login isnt for w3. BNLS never gets the Username.

Joe[x86] · October 21, 2005, 09:36 PM

Quote from: Kp on October 21, 2005, 07:55 PM
Quote from: David on October 21, 2005, 07:25 PMI don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.

Well, that someone probably cannot. BNLS doesn't log any of that data, and the only other way to capture it would be by doing a wire capture of the inbound traffic. Given the volume of data that the vL server moves (BNLS, botnet, TeamSpeak, etc.), doing a wire capture is not fun. I wanted to do it once to try to debug some strangeness with one of our other services. It did not go well.

Ethereal filter, ((tcp.port == 9367)). You've got the BNLS traffic. Nothing more, nothing less. =)

The-FooL · October 21, 2005, 11:41 PM

Think of it this way: with all the thousands of logins at any given time, if they wanted to steal a key, what is the chance that it would be yours?

Explicit · October 22, 2005, 03:21 AM

Quote from: The-FooL on October 21, 2005, 11:41 PM
Think of it this way: with all the thousands of logins at any given time, if they wanted to steal a key, what is the chance that it would be yours?

They wouldn't want it, period.

Eric · October 22, 2005, 03:42 AM

If they were to require that the passwords and/or CD-Keys be hashed before they were transmitted, it would defeat the purpose of using BNLS.

Kp · October 22, 2005, 08:37 AM

Quote from: Joe on October 21, 2005, 09:36 PM
Quote from: Kp on October 21, 2005, 07:55 PM
Quote from: David on October 21, 2005, 07:25 PMI don't have issues with it, I personally use BNLS, but someone was trying to tell a buddy of mine that they cannot retrieve the passwords and keys from the server.
Well, that someone probably cannot. BNLS doesn't log any of that data, and the only other way to capture it would be by doing a wire capture of the inbound traffic. Given the volume of data that the vL server moves (BNLS, botnet, TeamSpeak, etc.), doing a wire capture is not fun. I wanted to do it once to try to debug some strangeness with one of our other services. It did not go well.
Ethereal filter, ((tcp.port == 9367)). You've got the BNLS traffic. Nothing more, nothing less. =)

You completely missed the point of my post. Finding a particular event is easy, if you're willing to incur the overhead of capturing all the junk that's coming through the box. Even using a capture filter instead of a display filter, there's overhead associated with capturing all the packets just so they can be discarded. My point was that trying to run a capture on a serious production box (particularly a Windows-based one that doesn't even have decent capture tools shipped with the distribution!) is a nuisance, not that it cannot be done.

Networks · October 22, 2005, 03:11 PM

If you're worried about it, there are numerous methods of using BNLS functions to not have to use hash files while not sacrificing security: BNCSutil. Hash the information and send the hash information to BNLS and all is well providing someone doesn't try to brute your hash. At least it's harder.

David · October 22, 2005, 08:41 PM

This whole topic was just to prove a point to someone, I wasn't trying to down the BNLS server, I use it, I like it, I always have.

Explicit · October 22, 2005, 08:59 PM

If you already knew how BNLS functioned, why make an entire thread asking the question? It's been covered many times in the past.

Lenny · October 23, 2005, 06:37 PM

BNLS is just one of those things you use at your own risk. Whether or not your information is stolen, the responsibility still lies with the user. You must remember BNLS is a free service.

And it's already been stated before, it's just silly to do anything besides checkrevision remotely...

Grok · October 24, 2005, 10:07 AM

In all the years BNLS has been running, I am unaware of a single security breach, or even an unsupported complaint of one.

BNLS Question

UserLoser.

PaiD