ydal

Value of two-factor authentication in MMOs

2010-07-27T17:22:09Z

Cypherpunks everywhere know that using two-factor authentication, when done right, is inherently more secure.

Nothing can be said against the security of wisely-used one-factor authentication, but care must be taken to ensure the ongoing security of that factor. If you use a password, you need to choose a secure one — and if you don’t change it regularly, it logically gets weaker, too.

I know of at least one WoW player who is positively paranoid about exposing their passwords to someone, even though they don’t exhibit that behaviour elsewhere.

And then, of course, there’s the people who complain about having their accounts hacked, even though they used a secure password like their birthday. Or abcde.

A mitigating factor against people being too stupid to use passwords securely, then, is needed. And that’s where two-factor authentication comes along.

Two-factor authentication, in essence, means that there you need to prove your own identity by two different means. This isn’t like using two different passwords. The common examples for factors include “things the user knows” — like a password, PIN, etc, “things the user has”, like some form of physical security token, and “things the user is”, i.e. biometric verification methods.

Biometric verification is more “comfortable” to use, but does have two major drawbacks:

it requires specialized equipment (in most cases)
it is vulnerable to replay attacks

So, mainly for reasons of practicality, owning an authentication token is the best method of getting a second factor into the mix.

But why would a company like Blizzard, for example, cough up the effort to actually enable something like authenticators — not only via device, but by mobile phone, too — and then go ahead and reward players (in the form of an in-game pet, but nevertheless) for using an authenticator — merely to save people from their own stupidity?

Simple enough: to help battle against “economic” abuse, and to help protect their own interests by having to deal with less “hacked account” cases.

Even though the latter reason might just be enough to implement it, the former is actually the most important one. Gold farming is a serious problem for online gaming companies, and even underdeveloped economies like that of WoW can suffer greatly from such manipulation.

If you want to read a fictional example of a near-future vision on the importance and concepts of gold farming, you should read up on Cory Doctorow’s “For The Win”. Even though it’s a bit over the top compared to the current state of the game, it might very well be similar in the years to come.

Of course, the battle.net authentication token Blizzard distributes does seem to have reliability problems, the mobile authenticator — a Java application — seems to work fairly well, and, compared to the DIGIPASS Go 6 authenticators used by Blizzard, actually has a reverse-engineered spec available.

Even though the DIGIPASS algorithm was, to the author’s knowledge, not broken so far, the fact that the developing company does not disclose the DIGIPASS source code to non-customers, along with a rather cheeky attitude, should serve as sufficient indicators to avoid their products.

Using grub2 to recover your system

2010-06-17T14:54:10Z

grub2 is hailed as the all new, super modular cure-all remedy for all booting problem you’ve had, have and will have. At least that’s the way the developers and some enthusiasts see it, whereas most blokes who’ve actually had to use it with more than arrow keys and enter will paint a slightly different picture.

The thing with grub2 is that even though in theory it sounds like the end of all things booting, it’s about as well-documented as the question for life, the universe, and everything.

And as I today had to try to fight my way through googling for necessary information again, I’d thought I’d create a quick step-by-step reference with all the most interesting bits you’ll ever need already there.

Thusly, the ingredients needed to resurrect your computer with grub2. The gist is that you have the goal of booting one specific operating system on your computer, from wherein which you’ll use whatever methods you deem necessary to update your grub in the “right way” — usually a downgrade to an older version and waiting for the dust to blow over.

A booting grub2. If your grub2 already fails to boot because of some random error, you need to get a grub in smelling distance of your BIOS. One of the most proven methods is to
1. Download a USB rescue image like grml (usually from Your Other Computer or that of somebody else)
2. Put it on an USB stick (dd if=grml-variant_version.iso of=/dev/sdx in most cases, with appropriately chosen variables)
3. (Re)boot, eventually adjusting the priority for your USB HDD/USB key
And that’s it, you’re in a grub. Also note that it’s recommendable to have an USB stick with a rescue image lying around for the times when you can’t just easily download it.
Enter the command line/shell mode by pressing ‘c’.
Do an ‘ls’, which will give you a listing of recognized devices. Doing an ‘ls device’, e.g. ls (hd0,1) will give you more information about that device.
If the information by your ls isn’t complete, you will have to load some modules (by using insmod modulename). Here’s a checklist:
1. If you do not see any other devices which look like your hard drive(s), e.g. you only have an (hd0) device from your USB medium, then load a device driver. They will allow you to find the actual devices. Examples include:
  - biosdisk
  - scsi
  - fs_uuid
  - pci
  - raid
  - mdraid
  - dm_nv
2. If you have devices, but no partitions, you’ll need a partition driver. It seems the default grub config does not load any partition driver, and debugging this is just a bit annoying. But there’s two easy choices for most people:
  - Load the module “part_msdos”.
  - If this doesn’t help, try “part_gpt”.
  These are the two most common partition tables (at least for next to everyone reading this guide in need) and should help your grub find its partitions again.
3. Eventually, you will also have to load your filesystem drivers. I presume you already know which those are, but for the sake of completion:
  - Almost all Linux use ext2
  - Most current Windows will use ntfs, but fat is also an option.
  - Mac users will use hfsplus for newer systems, hfs for older ones.
4. To search for a file, you use the search -f filename command, which will give you results on where files of that name are stored. Use root device to set the resultant device as the root device for your further operations. If you only want to load your old grub config, type in configfile filename, whereas filename will usually be something like /grub/grub.cfg or /boot/grub/grub.cfg.
5. Should this fail to resolve your problem, or not be what you’re aiming for, you’ll need to find the operating system. For most Linuxens, you’ll probably have a file called /vmlinuz or /boot/vmlinuz to search for. For Windows operating systems, look for /Windows/win.ini. For Mac: no clue. When found, set your root device (with root device).
6. Now methods will become divergent, as operating systems differ in the way of booting them.
  Linux
  1. kernel kernel_filename
  2. initrd initrd_filename [most current kernels come with an “initial ramdisk” holding modules etc.]
  3. boot — if all goes well, you’re set.
  Windows
  1. chainloader +1
  2. boot
  MacOS
  
  Probably the same as Windows, using the chainloader.
And that’s it. It should cover most cases you’d need to restore your capability of booting your operating system. You’ll probably want to fix/install your bootloader after this, though.

A helpful tool for debugging your current grub state is probe, which will allow you to check what drivers are assigned to devices.

vimium mapping for Dvorak layouts

2010-06-15T14:14:12Z

I recently stumbled upon the rather neat vimium extension for Chrom(e|ium), which does much the same as the vimperator extension for Firefox. The problem, though, as with vimperator and vim itself, is that the default keyboard mappings are a bit of a pain in the arse for Dvorak users, as hjkl isn’t on the home row anymore, much less next to each other.

Therefore, it needs some remapping to get in a halfway familiar and Dvorak-compatible layout, which would look like this:

unmapAll

map r reload
map e removeTab
map u restoreTab
map h scrollDown
map t scrollUp
map d scrollLeft
map n scrollRight
map <c-h> scrollPageDown
map <c-t> scrollPageUp
map <c-u> scrollFullPageDown
map D goBack
map N goForward
map T nextTab
map H previousTab
map <c-y> createTab
map gg scrollToTop
map G scrollToBottom
map gf toggleViewSource
map zi zoomIn
map zo zoomOut
map yy copyCurrentUrl
map i enterInsertMode
map f activateLinkHintsMode
map F activateLinkHintsModeToOpenInNewTab
map / enterFindMode
map . performFind
map , performBackwardsFind

Just paste it in the remap field of the extension’s “advanced options” menu.

D&D rules lawyering: cover and stealth

2010-04-15T20:50:20Z

I was recently reading up on the stealth and cover mechanics, and even though I was fairly certain about what is and what is not possible, I found out that one edge case isn’t particularly well-documented.

The rules, to be exact the Stealth rules correction from Player’s Handbook 2, state:

Becoming Hidden: You can make a Stealth check against an enemy only if you have superior cover or total concealment against the enemy or if you’re outside the enemy’s line of sight. Outside combat, the DM can allow you to make a Stealth check against a distracted enemy, even if you don’t have superior cover or total concealment and aren’t outside the enemy’s line of sight. The distracted enemy might be focused on something in a different direction, allowing you to sneak up.

So, what it especially says is that “superior cover” works as a basis to get hidden behind. According to the Dungeon Master’s Guide on determining cover for ranged attacks:

Choose a Corner: The attacker chooses one corner of a square he occupies, and draws imaginary lines from that corner to every corner of any one square the defender occupies. If none of those lines are blocked by a solid object or an enemy creature, the attacker has a clear shot. The defender doesn’t have cover. (A line that runs parallel right along a wall isn’t blocked.)
Superior Cover: The defender has superior cover if no matter which corner in your space you choose and no matter which square of the target’s space you choose, three or four lines are blocked. If four lines are blocked from every corner, you can’t target the defender.

So, in theory, if you’d have a situation where you’d have superior cover from an enemy, e.g.

you’d be able to stealth yourself and gain combat advantage.

The only thing that really denies this possibility are, again, the Stealth updates from Player’s Handbook 2, this time the “Remaining Hidden” section [emphasis mine]:

Keep Out of Sight: If you no longer have any cover or concealment against an enemy, you don’t remain hidden from that enemy. You don’t need superior cover, total concealment, or to stay outside line of sight, but you do need some degree of cover or concealment to remain hidden. You can’t use another creature as cover to remain hidden.

Many thanks to @Milambus for looking up that passage. [And making me feel stupid for not having found it myself, by the way.]

And that’s the only problem. So, you could gain stealth moving behind enemies, but immediately lose stealth status again by being only behind a creature.

In a sense, this is balanced, since your rogue strikers could then just continue to camp behind your own fighters and shoot sneak attacks at enemies from just behind their buddies (since they don’t block for the player), which would make combat encounters quick enough, but also a bit boring.

Then again, as my player rogue pointed out, when there’s two huge dragonborn warriors pounding away at an enemy, how are they not supposed to be able to hide behind them? They aren’t 5′ wide, surely, but certainly bigger than a half-elf in every other dimension.

I just think that with a further update (yuck), we might be able to get a bit of clarification on the fact how allies grant cover, but cannot grant superior cover.

D&D Characters: Shamorn Fallenheart, Tiefling Bard

2010-04-15T20:50:56Z

As a bit of a side occupation, I like to engage in some character design for role-playing games, as it just comes as a natural extension of being a hobby-ish writer person.

Thus, I present: Shamorn Fallenheart, a tiefling bard from High Imaskar.

Birth — and over misgivings

Shamorn was born in Gheldaneth, the fading Mulanian metropolis of High Imaskar, and his parents believed in the prophecies stating Shamorn to bring forth better times for the tiefling folk of the Gheldaneth slums. Being raised in a community of hired hands to accompany adventurers on dangerous treasure hunts through the depths of the sunken city, hopes were laid on him, and him alone, to liberate them from this life of unofficial slavery.

Early life

Our young tiefling was always a bit pampered. The male role models of the community were often too busy getting killed on a foolish quest, as was Shamorn’s own father — shortly before his fourth birthday. As it were, there was none of the usual goading and testing a tiefling endures as part of growing up. The consequences of this, as well as the pampering he received by his mother and other “faithfuls”, would be dire indeed.

Thus Shamorn grew to be a young adult, helping out everywhere in the community, without ever taking up a real job. He had many on and off teachers, versing him in skills as @skills and the heritage of the tiefling race, training him in the use of weapons and telling stories of heroic deeds throughout time.

Constantly surrounded by an appreciation for life, for heroism, the history and culture of his people and a will to bring good to them, it came as a great surprise to many that Shamorn Fallenheart, Prophesied Saviour of the Gheldaneth Tieflings, came to start training to be…

… a bard.

There was a wandering Elven Bard in Gheldaneth at the time, and Shamorn choose to apprentice himself to him, believing that becoming a bard, a herald of their people, would be worth much more than simply slaughtering any would-be oppressors or being a leader to guide the people to their Promised Land.

As was to be expected, his decision did not sit well with some, if not most, of his elders. His mother came just short of disinheriting him, and he was forever branded as a wimp by most others. Still, there were some people who still believed in him, and he managed to stay in the community, even though everyone tried to forget about any kind of prophesy laid upon him.

The turning point

His apprenticeship was going well, all things considered. But his teacher, unbeknowest to him, was a bit of a braggart and ignorant, that is to say: not a very good bard. Still, Shamorn managed to master his natural graps of the Arcane under his tutorship, even though the social values might have been slightly distorted.

Sadly, this distortion and the infusion of heroic tales led to an unfortunate incident. A rough band of treasure hunters, with a fierce reputation for their harsh effectiveness and rumours of a brutal and unrelenting manner towards opposition, sought out their enclave to hire some of their men for help. So, after a few minutes of shouting, waving of weapons and dragging people out of their hovels, Shamorn thought it was time to act.

Bravely stepping forward, he confronted the leader of the scavengers, demanding of him to cease these despicable acts and appealing to his good sense, as a man, to respect his people’s wishes.

The screams as the leader’s minions started slaughtering the women and children are still stuck in Shamorn’s head. He still only has vague memories of that moment, but there is one thing he is quite confident of:

As his mother’s lifeless body was thrown in front of him, crumpled up in a heap, he snapped. Shamorn went into a rage, slamming into the minions and fighting them fiercely. It seemed the demon in him had taken control, for he was full of laughter at the slaughter he was causing, taunting his enemies as he smashed their faces in with his $weapon or embedded his daggers into their hearts, even just ripping into them with his claws and biting as he went along.

It did not take long for him to cut through the minions, emerging bathed in blood, eldritch powers abound and flames crackling around his body. His Elven master bard was astonished at the display, and recognized the potential of a warlock in him should he have even been trained thusly. As it was, the teacher preferred to cower in fear and observe what happened next.

Shamorn confronted the leader of the scavengers who was just standing there, shocked to his core.

“This is what happens when you try to compel my folk, human!” the bard stated in an almost neutral voice, only a hint of a burning darkfire noticable in the voice. And with that, he slew the leader of the group that brought death to his kin.

And as if by miracle, Shamorn immediately calmed down to his usual, naive self. The only hint at his monstrosity was the fact that he surveyed the slaughter he had caused without fear, shame or disgust. Looking around him, he found few people left alive. Some were cowering inside their hovels, either hiding their faces or staring out at him with fear. Others seem to have run a way, and it was eerily silent.

Shamorn cleared his throat. “My master, I will be leaving now. Do you wish to accompany me?”

His master, still shaking slightly, replied “No, my apprentice. I do not think that you need me any further. Consider your training complete.”

And with these short words, the recently orphaned Shamorn Fallenheart set out into the Realms, venturing forth to herald his people — and to leave this blighted home which has been cursed by his deeds.

The character statistics will follow as soon as I have access to the relevant documents again. I might also write a short story or two detailing the background or later adventures.

pisg: patch to irssi parser for euIRC ‘admin’ user mode

2010-04-20T10:16:30Z

As pisg is ill-equipped to handle support for ‘admin’ users in the standard configuration, I went on a quick code hunt to find the bit of code responsible for stripping nick modes from a log line. A bit counter-intuitively, this function is called normalline, and not something like normalize or strip_mode.

Anyhow, here’s a small patch to fix the problem for the Irssi parser module:

--- modules/Pisg/Parser/Format/irssi.pm.old	2008-02-13 21:40:25.000000000 +0100
+++ modules/Pisg/Parser/Format/irssi.pm	2010-03-16 02:29:42.000000000 +0100
@@ -10,7 +10,7 @@
     my ($type, %args) = @_;
     my $self = {
         cfg => $args{cfg},
-        normalline => '^(\d+):\d+[^<*^!]+<[@%+~& ]?([^>]+)> (.*)',
+        normalline => '^(\d+):\d+[^<*^!]+<[@%+~&! ]?([^>]+)> (.*)',
         actionline => '^(\d+):\d+[^ ]+ +\* (\S+) (.*)',
         thirdline  => '^(\d+):(\d+)[^-]+-\!- (\S+) (\S+) (\S+) (\S+) (\S+)(.*)',
     };

Or you could just download the diff directly.

A new reason for leaving Ubuntu

2010-02-26T02:23:45Z

So, if you’re wondering yourself: “Why, Ubuntu is in the process of making everything quite a bit more annoying and fucking things up”, yet still think “that might just be misjudged opinion”, then fret no more. There’s an easy way to now know that Canonical has officially gone bonkers.

The Ubuntu One Music Store.

After installing an annoying App Market-like “Software center” by default, switching users over to a IM client that’s only remotely usable, trying to sell you a cloud-based storage solution and switching to Yahoo as the default search engine, you really have to wonder what the guys responsible are up to.

So.

In short, Canonical is on the verge of going Apple. Just bail boat while you still can.

D&D item: Martyr’s Collar

2010-04-15T20:51:36Z

Seeing how everyone else is currently creating interesting items, I thought that I should throw one of my ideas into the mix. And after a bit of tinkering with how it should work, I present:

Martyr’s Collar Level 5

Resting tight against the throat, the wearer is always reminded of the price of sacrifice.

Lv 5 1.000 gp

Item slot:: Neck
Property:: This item can mean instant death for the character. To wield it, the character must succeed at a hard willpower check. After three failures, the character needs to take an extended rest before trying again.

Power (At-Will ♦ Necrotic):: Standard action. A conscious and willing character may activate the collar while it is around their throat. The collar magically constricts, severing the user’s head from their body. The user’s life energy serves as a power source for the collar and sends every attuned ally in range (burst 10) to the point defined by the attuning process.
Being able to survive the decapitation does not save the user, as all of their life energy is used up to power the collar’s magic.
The allies do not need to be willing, conscious, or even alive. If, for whatever reason, the destination is not reachable, the collar will not activate. After the teleportation, the collar expands to its normal proportions and loses any attunement.
Power (Daily):: Standard action. Every willing ally in a burst 5 are attuned to the collar, and the item itself is attuned to the location. When the at-will power is used, all allies attuned and in range are transported back to the current location. The collar does not need to be worn to be attuned; any character touching the item can initiate the process. When passing between owners, the item does not lose connection to any attuned user or the attuned location.

Nobody really knows how these devices ever came to be, but they seem to have been used by devout and loyal warriors throughout time to save comrades from certain death by using their own life to shield them. The ultimate heroic sacrifice, most souls sacrificing their bodies this way ascend to the Astral Sea.

Trusting self-signed certificates with Google Chrome on Linux

2010-04-18T21:43:54Z

Update: added the “C” flag to SSL attributes which I accidentally forgot to include.
Also changed $HOST to $host, as $HOST is the shell parameter for the current hostname…

If you’re not really sure about how you can stop Chrome from permanently reminding you that the server you’re connecting to is a bad boy (read: using a self-signed certificate), you’ll probably end up looking at CACert’s Browser Client page by way of Google. With a bit of reading documentation, you can probably find out how to import a self-signed certificate and mark it as trusted, but since you’re probably lazy, you’d rather just copy and paste a few instructions.

First, I have to stress is that blindly trusting a certificate you download off the internet is a Bad Idea. But expressing a certain laissez-faire attitude: if you’re stupid enough to copy and paste blindly, you deserve it.

Second, simple copy and paste instructions:

openssl s_client -connect $host:443 -showcerts > temporary_file
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$host" -i temporary_file

Third, explanations:

s_client just connects to the given hostname, 443 being, as you should know, the (default) HTTP SSL port.
–showcerts shows all kinds of information about the certificate, including the certificate itself. You will probably have to hit ^C/^D to stop s_client.
If you get multiple (and different) certificates, first one will be the server certificate, and second one the CA certificate.
certutil (package hint: libnss3-tools can be used to manage your local «Network Security Services» SQLite database.
The specified argument for certutil are:
1. The database to use (in this case, the user-specific NSS database).
2. The flag to add something to the database (-A).
3. The “trust types” for the certificate, in “SSL, S/MIME, CA” notification: “P” for a trusted peer, and “C” for a certificate authority that may issue server certificates.
4. A shortname to identify the certificate in the database. The hostname works well and is fairly obvious.

A records on top level domains

2010-01-08T15:30:37Z

After I stumbled upon the wonderful URL shortener http://to/ today and immediately began posting it on IRC, I received a comment that someone didn’t even know that is was possible to do so. I, of course, could only comment “of course it’s possible”. But in the same train of thought, I just had to have a look at who else has a valid A record on their top level domain. So I fetched the IANA TLD list and, after being baffled by the punycode TLDs, threw some sh at the problem:
(for domain in $(grep -v '^#' tlds-alpha-by-domain.txt); do host -t A "${domain}."; done) | grep -v 'has no A record'

For the sake of enjoyability, I thus offer the results in table form, along with what kind of site is running on port 80. Data timestamp is 2010–01-08T16:05:00+0100, location for routing is DTAG-DIAL26 / AS3320.

TLD	IP	content (port 80)
AC	193.223.78.210	“Always connected” (NIC.AC)
AI	209.59.119.34	“Offshore Information Services”
BI	196.2.8.205	“It works!”
CM	195.24.205.60	`cm [195.24.205.60] 80 (www) : Connection refused`
DK	193.163.102.23	“DK Hostmaster” (NIC.DK)
GG	87.117.196.80	Channel Isles Domain Registration
HK	203.119.2.28	`hk [203.119.2.28] 80 (www) : No route to host`
IO	193.223.78.212	NIC.IO
JE	87.117.196.80	Channel Isles Domain Registration
PH	203.119.4.7	HTTP 500.100 via broken Microsoft IIS
PN	80.68.93.100	Apache default home page
PW	203.199.114.33	`pw [203.199.114.33] 80 (www) : No route to host`
SH	64.251.31.234	`sh [64.251.31.234] 80 (www) : No route to host`
TK	217.119.57.22	“TK your long URL”, free .tk domain name registry
TM	193.223.78.213	NIC.TM
TO	216.74.32.107	TO./ URL shortener
UZ	91.212.89.8	some WAP page I can’d decipher
WS	63.101.245.10	`ws [63.101.245.10] 80 (www) : Connection timed out`

So, in short, 5 of 18 (27%) are downright broken, one is being autistic, and a further 2 (11%) are not configured to do anything meaningful, leading to a total of 8 — or 44% — of TLD A records being useless. Bonus: none of the sites have AAAA records and, thus, no IPv6 availability.