alternative to ip validation on RC
Many people who use RC to connect are on dial-up, and numerous IP additions are needed. This is sometimes a real inconvenience, and I have been on both the end of the one to update the IP list for someone, and have been the one to be not able to log in to RC, and needed to wait for hours for another admin to log in and update my IP list.
Not only is this a problem with dial-up, but I have a Comcast high speed cable modem, and it seems that they too have recently gone to DHCP, and in the past three days I have had at least five differences in my IP in the second set of numbers. For example, 64.181.*.* where the 181 is, that number almost always changes at least once, if not two or three times a day, and my cable modem is always on! How about using the MAC address of the network card to identify a specific computer to log in? That hardware integrated number does not change unless you get a different computer. Or some kind of consistent number, without needing to shell out big bucks to Comcast for a business account, which is the only way to get a static IP from them now. |
Stefan said something about being able to ban by "computer ID".
There should also be a way to limit the RC access to Computer ID as well. |
Just log the set of IP addresses you receive and make out a pattern. "All the numbers change" is not a pattern. If there is none that Graal would be content with, settle for the most common one, and if that fails you, gain new IP addresses until you get one that matches. And what the hell is a computer ID and why would you ban people's computers? |
The new Graal banning system uses some computer ID to ban the player therefore no account can log in. =O |
Perhaps a password system would achieve this, set up in this manner.
A 56k user, or any user, logs onto RC as normal using their account name and password. When they connect to the server via RC, no functions, nor RC chat will be available to them, and they will not appear on the playerlist. The NPC server will then PM them asking for their RC password. This password will be able to be set and saved by a manager or admin. The player then PMs the server the password to authenticate, and if correct, RC works as normal. While not as secure as an IP, it is for sure an extra level of protection. |
About the MAC Addresses:
It may be easy to spoof the MAC address, but it would be hard to know what to spoof it to. If the person managed to get their password and username, it doesn't matter whether the person is a hacker or not; they just need to ask to add their IP, and they pass in flawlessly; the staff get too used to adding IPs for that person, and the security measure is wrecked by doing so. |
If you ask me, using MAC addresses is more secure than IP. A combination of the two might be better. |
Graalians just need to stop being *****s as far as security goes. Most of the problems with account theft are the owners themselves giving out the passwords or allowing players to send them viruses - in which case if a hacker gains access to someone's passwords outside of an email account, they don't need an IP to log on. They just need to log on using the staff member's computer.
Graal's security system is far from flawless, but if a security breach occurs it's usually the fault of an ignorant staff member - not the system itself. |
Yeah, that's a very good idea. Having to switch people's IPs for dial-up / non-static IP addresses is annoying and time-wasting. I'm on AOL now due to I cannot afford another alternate ISP; it stays in an area, but most AOL IPs don't, and others, so yeah.
|
Graal v4 already makes it possible to ban people based on computer id, so it would also be possible to restrict accounts to certain computer ids. The id is based on the hardware and is encoded, also no one gets to see that encoded number, only the index of the id in the database is used for banning and such. Id 1 is my linux computer at the office.
To break that system is not that simple, someone would need to hack your computer, get the hardware specs and emulate them at his/her own computer. |
Yeah, it's an 'old' topic at this point, but I was curious...
Wouldn't a dual key style system, similar to PGP/GPG, be a more secure alternative? I'm not necessarily referencing the data encryption here, so much as the concept of digital signature verification. If pubkey on server is a match for privkey on computer, then allow access. Seems more secure than MAC addresses (which are easily forged, and definitely not secure), and potentially even more secure than computer based ID systems. As I don't know the precise specs on the computer based ID system, I can only speculate there. As far as bans go, I'm sure that comp based ID would be fine. I imagine, however, that the security conscious wouldn't have a problem with something potentially more secure. No messy IP ranges to deal with at all, however. Pubkey could be given out freely without fear of potential emulation by another less than trustworthy staff member, or pretty much anyone else for that matter. Honestly, I'd rather type in two passwords than have to worry about having 30 wildly variable IP ranges to deal with. |
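The "pubkey on server, privkey on computer" check from the last post is normally done as a signed challenge. The sketch below is an added example, not part of the thread and not Graal's code; it uses Ed25519 from the Go standard library in place of PGP/GPG, and the names `Account`, `NewKey` and `Respond` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Account is the server-side record (hypothetical layout): public key only.
type Account struct {
	Pub   ed25519.PublicKey
	nonce []byte // outstanding challenge, nil if none
}

// NewKey makes a key pair; the private half stays on the staff computer.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Challenge issues a fresh random nonce for the client to sign.
func (a *Account) Challenge() []byte {
	a.nonce = make([]byte, 32)
	if _, err := rand.Read(a.nonce); err != nil {
		panic(err)
	}
	return a.nonce
}

// Respond runs on the client and signs the nonce with the private key.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify consumes the nonce, so a captured response cannot be replayed.
func (a *Account) Verify(sig []byte) bool {
	nonce := a.nonce
	a.nonce = nil
	return nonce != nil && ed25519.Verify(a.Pub, nonce, sig)
}

func main() {
	pub, priv := NewKey()
	acct := &Account{Pub: pub} // enrolment: only the public key is stored
	fmt.Println("login ok:", acct.Verify(Respond(priv, acct.Challenge())))
}
```

Unlike an IP or MAC address, nothing the server stores or sees on the wire is enough to log in later: the public key only verifies, and each signature is valid for one nonce.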