Jump to content

Iain Maltz

Resident
  • Posts

    3
  • Joined

  • Last visited

Reputation

2 Neutral
  1. Just pay Discord to run the back end chat service, they seem able to manage chat rooms with thousands of people in and manage presence notifications (and various other things). To be honest a whole bunch of technologies that achieve this have come and gone over the decade and a half (and then some) that group chat has been unreliable. (Edit: Yes, not entirely a serious suggestion, Discord likely doesn't run a service in a way that could be used as a subcontracting service for another system entirely, so everyone would have to register and bind discord accounts and probably other things, point more is how frequently other solutions have managed to cope with all these issues while group chat has barely progressed despite its obvious repeated issues)
  2. 350 billion guesses/second would be (presumably, no idea why you brought this up) a theorical local computation speed for cracking a hash of "assumed" security. If the hash is known such as MD5 there may be (and in MD5 are) known weaknesses in the algorithm, plus unsalted hashes are prone to Rainbow Table attacks, all of which dramatically reduce the workloads, esp if your 6 character password in any way resembles anything and isn't just a totally random string. No-one's doing (remotely close to) 350 billion ops per second of anything over the internet, lockouts or not. You'd probably have to write your own TCP/IP stack to get around open local port limits during connection setup, not even taking into account the processing times of every request and remote limits on the server by IP or simply resource exhaustion (aka DOS attack) For what it's worth.
  3. Having been tearing my hair out wondering why my bot code can't log in a specific account for a few days now.... At least from the viewers perspective, logins are done via an MD5 hash of the password (which really makes the length constraint irrelevant as the MD5 output is fixed length regardless of input size).... I tried logging in with the viewer and this account, worked fine, but my bot would only get generic auth failure errors. I eventually intercepted the Login XML document from firestorm to see how that was working and spotted the obvious MD5 mismatch, with me doing a replay attack through my bot working just fine... I found this page while googling the "second life MD5 login", because I figured they were using some "modified" MD5 or something... But no, just substring the first 16 characters of the password and MD5 hash that and you get the right hash, and it lets you log in. Can't speak to the web login service, not poked that, but the viewer/agent login service only respects the first 16 characters of the password apparently. But the viewer masks this behaviour from you and lets you use >16 chars. But if i'm right, changing the last character on your >16 character password will still log you in fine, because it's truncated before being hashed. Enjoy... I did. Edit: Nothing complains at /registration/ time if you put too long a password in... Also website does the exact same truncation. I discovered this using a random 24 character password. Turns out if i take the first 16 characters of my password then I can then type whatever garbage I like after that and i can log in to my.secondlife.com too - same behaviour as the viewer basically. Wonder if they store anything more than an MD5 hashed version at the SL end (doesn't seem to be any need to), and if not, is there any practical reason for the limitation? MD5 strings all come out as 16 characters anyway, so you can just take the extra chars into the hash. Though obviously a bit late to be changing this now
×
×
  • Create New...