| Time |
Nick |
Message |
| 00:00 |
|
SwissalpS joined #luanti |
| 00:08 |
|
SFENCE joined #luanti |
| 00:26 |
|
MTDiscord1 joined #luanti |
| 00:27 |
|
Trifton2 joined #luanti |
| 00:36 |
|
silverwolf73827 joined #luanti |
| 00:37 |
|
jonadab joined #luanti |
| 00:41 |
|
qqe joined #luanti |
| 00:42 |
|
user333_ joined #luanti |
| 00:42 |
|
tzenfore joined #luanti |
| 00:42 |
|
mrcheese joined #luanti |
| 00:42 |
|
sofar joined #luanti |
| 00:42 |
|
swee joined #luanti |
| 00:42 |
|
fluxionary joined #luanti |
| 00:42 |
|
Menchers joined #luanti |
| 00:42 |
|
lmisu joined #luanti |
| 00:42 |
|
user333_ joined #luanti |
| 01:17 |
|
SFENCE joined #luanti |
| 01:27 |
|
pgimeno_ joined #luanti |
| 01:51 |
|
SFENCE joined #luanti |
| 02:05 |
|
Eragon joined #luanti |
| 02:26 |
|
SFENCE joined #luanti |
| 02:33 |
|
turtleman joined #luanti |
| 03:00 |
|
SFENCE joined #luanti |
| 03:30 |
MTDiscord |
<adrian530> user333 are you still around by any chance |
| 03:30 |
user333_ |
yea |
| 03:30 |
MTDiscord |
<adrian530> did u do anything weird with the backend :P |
| 03:31 |
user333_ |
yes |
| 03:31 |
user333_ |
is it online rn? |
| 03:31 |
MTDiscord |
<adrian530> nope :P |
| 03:31 |
user333_ |
yay, then yes |
| 03:31 |
MTDiscord |
<adrian530> what was it :P |
| 03:31 |
user333_ |
i sent a POST request containing 1GB of text |
| 03:32 |
user333_ |
overflowed the RAM and segfaulted i assume |
| 03:32 |
MTDiscord |
<adrian530> potentially |
| 03:33 |
user333_ |
so either give it a 30GB swapfile and make it slower than grandma or terminate incoming connections that send over 1MB |
| 03:34 |
user333_ |
what did prounce say when he saw the backend was offline... |
| 03:34 |
MTDiscord |
<adrian530> nothing yet |
| 03:35 |
|
SFENCE joined #luanti |
| 03:35 |
user333_ |
well that's quite the exploit then... also ignore the 28,000 accounts that a friend registered with a script |
| 03:35 |
MTDiscord |
<adrian530> i kinda should thank u cuz exploiting this stuff before the version is officially released is prolly a good thing |
| 03:35 |
MTDiscord |
<adrian530> also yeah limiting account creation was one of our ideas |
| 03:35 |
MTDiscord |
<adrian530> specifically to avoid that |
| 03:36 |
user333_ |
overflowing disc is another concern, you could register billions of accounts and fill it all up |
| 03:39 |
user333_ |
fyi the backend has been offline since like 9:00 my time... |
| 03:40 |
user333_ |
when i ran my script :> |
| 03:48 |
* mrcheese |
watches user333_ crash a backend |
| 03:48 |
user333_ |
:D |
| 03:54 |
mrcheese |
lol with that logic you could just register several gigabytes of accounts and just kill the disk. im surprised how easy this is to break |
| 03:55 |
user333_ |
simple, add an account limit |
| 03:55 |
mrcheese |
yea lol |
| 03:55 |
user333_ |
5 is a reasonable limit imo |
| 03:55 |
mrcheese |
also the input sanitization.... how does one forget that- |
| 03:56 |
user333_ |
"...at 4AM..." |
| 03:56 |
mrcheese |
idk 5 accounts per IP...... people with VPNs: |
| 03:57 |
user333_ |
true but to kill the disk you would need billions of accounts... more accounts than IPs |
| 03:57 |
user333_ |
(*IPs available to the VPN) |
| 03:59 |
mrcheese |
true |
| 04:00 |
|
MTDiscord joined #luanti |
| 04:00 |
|
SFENCE joined #luanti |
| 04:18 |
|
LapGameASC joined #luanti |
| 04:21 |
|
LapGameASC joined #luanti |
| 04:36 |
|
SFENCE joined #luanti |
| 05:10 |
|
SFENCE joined #luanti |
| 05:30 |
|
SFENCE joined #luanti |
| 06:04 |
|
SFENCE joined #luanti |
| 06:11 |
|
repetitivestrai- joined #luanti |
| 06:19 |
|
FeXoR joined #luanti |
| 06:38 |
|
SFENCE joined #luanti |
| 07:12 |
|
SFENCE joined #luanti |
| 07:41 |
|
SFENCE joined #luanti |
| 08:03 |
|
mrcheese joined #luanti |
| 08:20 |
|
qqe joined #luanti |
| 08:47 |
|
mrcheese joined #luanti |
| 09:33 |
MTDiscord |
<the4spaceconstants2181> nono let the country do that |
| 09:47 |
|
YuGiOhJCJ joined #luanti |
| 10:14 |
|
YuGiOhJCJ joined #luanti |
| 10:19 |
|
illwieckz joined #luanti |
| 10:34 |
|
nuala joined #luanti |
| 10:49 |
|
qqe joined #luanti |
| 12:21 |
|
ralfwause joined #luanti |
| 12:41 |
MinetestBot |
[git] sfan5 -> luanti-org/luanti: Remove Irrlicht devices except SDL (#16580) e924f42 https://github.com/luanti-org/luanti/commit/e924f425f2e8bb46882507e109fa3d0e780d8910 (2025-10-30T12:39:44Z) |
| 13:14 |
erle |
input sanitization is bullshit. you need input validation instead. |
| 13:15 |
user333_ |
i still managed to crash their server even with input sanitization :P |
| 13:16 |
erle |
as i said, sanitization is bullshit |
| 13:16 |
erle |
user333_ are you aware of IRC bot science? |
| 13:16 |
erle |
user333_ https://irc-bot-science.clsr.net/ |
| 13:16 |
user333_ |
uuh no? i'm fairly new to IRC |
| 13:17 |
erle |
if you follow this link, you get sent a HTTP response with 1GB of small headers: https://irc-bot-science.clsr.net/longheaders |
| 13:17 |
erle |
read the page, it is very funny |
| 13:17 |
erle |
and might give you more ideas |
| 13:17 |
user333_ |
uh yeah, i crashed them by sending a 1GB POST request to their registration API |
| 13:18 |
erle |
simple as |
| 13:18 |
erle |
i once heard from a former coworker that some *cough* iot appliances allocate a lot of memory if your requests or responses simply *say* that their content size is OMG HUGE |
| 13:19 |
[MatrxMT] |
<Blockhead256> the s in iot stands for security |
| 13:20 |
erle |
yes, been there done that |
| 13:20 |
user333_ |
ew, internet-connected appliances, yet another way for the manufacturer to access your network, send you ads, make basic features require subscriptions, and find out all your personal info |
| 13:20 |
[MatrxMT] |
<Blockhead256> how does my matrix link preview show that correctly but firefox refuses to load it due to overlong SSL record? |
| 13:20 |
erle |
not necessarily |
| 13:20 |
erle |
i used to work for a company that made stuff that i think is okay. like, e.g. predictive maintenance. |
| 13:21 |
erle |
ideally you want to send the technician *before* some device fails |
| 13:21 |
erle |
managing of stadium/university lights also |
| 13:22 |
erle |
or simply “turn on your washing machine via API when you are on the way home from work so your clothing does not lie wet and smells slightly off” |
| 13:22 |
[MatrxMT] |
<Blockhead256> predictive maintenance, digital twins, smart building, a lot of that makes sense |
| 13:22 |
erle |
well yeah the company sold to other companies |
| 13:22 |
user333_ |
you can do that with pretty much any washing machine + a wifi-enabled microcontroller |
| 13:22 |
erle |
often it was “classical product needs some iot thing, can you help us” |
| 13:22 |
[MatrxMT] |
<Blockhead256> a TV that uses Automatic Content Recognition to snoop on your HDMI input and send it to ad networks, not so good |
| 13:22 |
erle |
user333_ you want any idiot to be able to do it though. so e.g. the pairing process needs to be rock-solid but simple to use. |
| 13:23 |
erle |
like, scan the QR code (it leads to a website) to start the pairing process, but then you *have* to press the button on the device as proof of ownership so no one snatches it from the qr code in your unboxing video |
| 13:24 |
user333_ |
you could probably spam-send an API request to the server and wait until someone pressed it |
| 13:24 |
erle |
that gets you denied pretty fast lol |
| 13:25 |
erle |
also the legit user would notice |
| 13:25 |
erle |
one customer wanted something that worked even in emergencies in the absence of internet, so device authentication was done by qr codes. meaning, normally you scan the code from some other device, but you can also just print it out if you are e.g. underground or coverage sucks. |
| 13:26 |
erle |
a bit like the covid vax certificates |
| 13:26 |
erle |
or train ticket qr codes |
| 13:27 |
erle |
user333_ typically, end users have problems that are very specific to a device and a domain. and industrial customers have problems that come from earlier choices. |
| 13:27 |
[MatrxMT] |
<Blockhead256> nobody cared to check your details/number on proof of vaccination here lul |
| 13:27 |
[MatrxMT] |
<Blockhead256> could just be a png |
| 13:27 |
erle |
like “we need TLS on this ESP8266, but the RAM is tiny” |
| 13:27 |
user333_ |
anyway, here's the script that took down their server this time: https://paste.centos.org/view/cc3bc969 |
| 13:27 |
erle |
the answer involved some space-time trade-offs and elliptic curves |
| 13:28 |
erle |
user333_ which server anyway? |
| 13:28 |
user333_ |
TeamAcedia's backend |
| 13:28 |
erle |
oh i see |
| 13:28 |
erle |
backend for what? |
| 13:28 |
user333_ |
accounts |
| 13:28 |
user333_ |
and cosmetics |
| 13:28 |
erle |
cosmatics lol |
| 13:28 |
erle |
user333_ do you know about slowloris? xD |
| 13:28 |
user333_ |
no? |
| 13:29 |
erle |
https://en.wikipedia.org/wiki/Slowloris_(cyber_attack) check it out |
| 13:30 |
sfan5 |
what is this TeamAcedia thing |
| 13:30 |
user333_ |
the hacking group that took out the serverlist this year |
| 13:31 |
user333_ |
they also made the most popular cheat client |
| 13:31 |
[MatrxMT] |
<Blockhead256> https://github.com/TeamAcedia |
| 13:31 |
erle |
cool, so it's spy vs spy now |
| 13:31 |
user333_ |
so... i managed to crash their server... twice |
| 13:31 |
erle |
i vaguely remember that cora (?) once made a patched client where the server list was just JSON served by something |
| 13:31 |
sfan5 |
sending some basic fake data is not exactly "hacking" but I see |
| 13:32 |
user333_ |
you understand what i mean though |
| 13:32 |
erle |
if you want to go that way, one could argue the way you use afl is not exactly “fuzzing” … it's not like it matters what you call it, outcomes matter. |
| 13:32 |
[MatrxMT] |
<Blockhead256> check the logs, that was one of them talking to 333 before |
| 13:33 |
[MatrxMT] |
<Blockhead256> "AI is what hasn't been done before" -- "Hacking is when you use specific techniques" |
| 13:33 |
user333_ |
yeah, i registered an account with a script that used a million zeroes for the username XD |
| 13:33 |
erle |
user333_ if you want to crash more (and learn how to write way more secure software), read some LANGSEC papers: https://langsec.org – in particular “Security Applications of Formal Language Theory” and “The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them” |
| 13:33 |
erle |
in that order |
| 13:33 |
[MatrxMT] |
<birdlover32767> have you tried SQL injection yet |
| 13:33 |
erle |
it shows you how to prevent (or find) entire ranges of bugs |
| 13:34 |
erle |
and will also explain why i say sanitization is bullshit |
| 13:34 |
user333_ |
birdlover32767: i'm going to try it, the backend is written in Go which i don't know |
| 13:34 |
user333_ |
but the syntax looks like python + lua + c++ |
| 13:34 |
erle |
user333_ go read the papers. you will become a better security clown that way. |
| 13:35 |
erle |
then you can clown on team acedia more |
| 13:35 |
erle |
also it will prevent you from doing more script-kiddie things i hope |
| 13:36 |
erle |
because you will be occupied with little IT security academia |
| 13:36 |
user333_ |
i'm also going to try registering accounts with escapes in the names |
| 13:36 |
user333_ |
like \n and \r |
| 13:36 |
erle |
user333_ come on |
| 13:37 |
erle |
user333_ there are so many funnier ways to do it. e.g. you know about the hypothesis framework? it allows you to make a generator “give me a string that fits this regex” and stuff. |
| 13:37 |
user333_ |
well you never know what might work, why do it the hard way when you can do it the easy way |
| 13:37 |
erle |
anyway, taking the serverlist down is ass |
| 13:38 |
erle |
it's not like cheating or exploiting dupe bugs |
| 13:38 |
erle |
(of which i have done a lot hehe) |
| 13:38 |
user333_ |
i got revenge on them for that ig :> |
| 13:39 |
[MatrxMT] |
<Blockhead256> it's like the kid who tags on top of a mural instead of leaving tags on unpainted concrete |
| 13:39 |
erle |
sfan5 is there some implementation/intent detail that would prevent eventually going to a static JSON server list and letting the client sort it out? i assume it could reduce server load. |
| 13:39 |
erle |
and also allow people to host their server list from a static file hoster ig |
| 13:39 |
user333_ |
i have discovered a whole lot of ingame bugs myself, like being able to clip through certain blocks with MTG fences |
| 13:40 |
erle |
yes, a lot of people discover that eventually |
| 13:40 |
[MatrxMT] |
<Blockhead256> what's stopping people from pointing their clients at a static JSON now? |
| 13:40 |
user333_ |
or being able to sneak+jump through blocks on early 5.x clients |
| 13:40 |
user333_ |
Blockhead: why would you want to do that? :P |
| 13:41 |
[MatrxMT] |
<Blockhead256> that's more a question for erle tbh |
| 13:41 |
[MatrxMT] |
<Blockhead256> definitely durable if you have a server on your LAN.. but, part of the data is the online players and the mods, those change fairly frequently. |
| 13:42 |
[MatrxMT] |
<Blockhead256> but maybe the architecture we're talking about is different, where it's on HTTP but not made by the Python app like it currently is but actually there on disk (going beyond my knowledge sorry) |
| 13:43 |
[MatrxMT] |
<Blockhead256> not dynamically served |
| 13:43 |
erle |
Blockhead256 idk actually which is why i am asking if there is something that prevents it. maybe client protocol filtering and stuff like that. |
| 13:44 |
erle |
my minettest-servers script still works |
| 13:45 |
|
silverwolf73827 joined #luanti |
| 13:45 |
[MatrxMT] |
<Blockhead256> I thought the filtering was done client-side, though the rank (order) is dynamically calculated and there's a big penalty for 0.4.x support |
| 13:46 |
erle |
> there's a big penalty for 0.4.x support |
| 13:46 |
erle |
is this an anti-multicraft measure? |
| 13:46 |
user333_ |
hehe, the TeamAcedia server has been offline for over 12 hours now |
| 13:46 |
[MatrxMT] |
<birdlover32767> i mean, 0.4.x is unsupported by default |
| 13:46 |
[MatrxMT] |
<Blockhead256> I think it is in part. I think it's been discussed on the tracker... |
| 13:47 |
erle |
user333_ great way to let everyone know YOU did it. now they have a target! |
| 13:47 |
user333_ |
erle: they already know |
| 13:47 |
erle |
i hope you responsibly disclosed the issue |
| 13:47 |
user333_ |
nah, they just talked to me in IRC here |
| 13:47 |
user333_ |
read the logs |
| 13:48 |
user333_ |
https://irc.luanti.org/luanti/2025-10-29 |
| 13:50 |
[MatrxMT] |
<Blockhead256> the git log shows a lot of justifications for various things |
| 13:51 |
[MatrxMT] |
<Blockhead256> https://github.com/luanti-org/serverlist/commit/9f144f3e3c40a52ee423466f19f8eff37f859111 |
| 13:51 |
[MatrxMT] |
<Blockhead256> it's probably the best record of the serverlist's reasoning |
| 13:52 |
[MatrxMT] |
<Blockhead256> there aren't as many PRs against it though. It's free software but managed more directly but the operator than by committee and bikeshed |
| 13:52 |
[MatrxMT] |
<Blockhead256> s/but the/by the |
| 13:54 |
user333_ |
anyway a 14yo kid (aka me) was able to take down luanti's biggest hacking group's backend server B-) |
| 13:55 |
[MatrxMT] |
<Blockhead256> this says more about the state of the hacking groups we have lol |
| 13:56 |
user333_ |
also helps their backend is open-source |
| 13:56 |
user333_ |
https://github.com/TeamAcedia/TeamAcedia-Backend/ |
| 13:58 |
[MatrxMT] |
<Blockhead256> ah, so it's fine, you're just doing security research for them |
| 14:01 |
user333_ |
you could put it that way |
| 14:03 |
user333_ |
i do think the usernames could have SQL injection vulnerabilities |
| 14:04 |
[MatrxMT] |
<Blockhead256> https://xkcd.com/327/ |
| 14:05 |
user333_ |
XD |
| 14:05 |
user333_ |
now to wait for the server to come back online so i can try it |
| 14:05 |
sfan5 |
did someone break github |
| 14:06 |
user333_ |
https://github.com/luanti-org/luanti/ loads for me |
| 14:07 |
sfan5 |
I got some unicorn errors just a few minutes ago ¯\_(ツ)_/¯ |
| 14:09 |
[MatrxMT] |
<Blockhead256> the bug where being logged out breaks the milestones? surely not what you're talking about... |
| 14:21 |
MinetestBot |
[git] sfan5 -> luanti-org/luanti: Refactor texture source to prepare for array textures 0794912 https://github.com/luanti-org/luanti/commit/0794912374c00474036dee3093d07d90cda3038c (2025-10-30T14:19:26Z) |
| 14:21 |
MinetestBot |
[git] sfan5 -> luanti-org/luanti: Irrlicht: expose MaxArrayTextureLayers 3c60b34 https://github.com/luanti-org/luanti/commit/3c60b348a62a70c2d491f1eefcc0ad683a94a2c6 (2025-10-30T14:19:26Z) |
| 14:21 |
MinetestBot |
[git] sfan5 -> luanti-org/luanti: Irrlicht: upload array textures more efficiently ae6aac8 https://github.com/luanti-org/luanti/commit/ae6aac8aa94675a7050c75199266cfd9dd9b0154 (2025-10-30T14:19:27Z) |
| 14:21 |
MinetestBot |
[git] sfan5 -> luanti-org/luanti: Irrlicht: fix mipmaps regenerated multiple times 04a443e https://github.com/luanti-org/luanti/commit/04a443e39234f198fd0d0f8c11a85d93f83a005b (2025-10-30T14:19:30Z) |
| 14:21 |
MinetestBot |
[git] (1 newer commits not shown) |
| 14:59 |
|
SFENCE joined #luanti |
| 15:12 |
|
SwissalpS joined #luanti |
| 15:14 |
|
SFENCE joined #luanti |
| 15:18 |
|
SFENCE joined #luanti |
| 15:22 |
|
PoochInquisitor joined #luanti |
| 15:29 |
|
SFENCE joined #luanti |
| 15:35 |
|
SFENCE joined #luanti |
| 15:43 |
|
Thermoriax joined #luanti |
| 15:44 |
|
SFENCE joined #luanti |
| 16:12 |
|
jaca122 joined #luanti |
| 16:36 |
MinetestBot |
[git] appgurueu -> luanti-org/luanti: Refactor: Remove obsolete `IAnimatedMeshSceneNode` interface (#16631) 1ead48c https://github.com/luanti-org/luanti/commit/1ead48c58b316b376e02d135a9a043201a72b41a (2025-10-30T16:34:45Z) |
| 16:41 |
|
SFENCE joined #luanti |
| 16:42 |
erle |
user333_ if you are really 14, go read and comprehend the LANGSEC papers. they will help you a lot with becoming better at programming and hacking. |
| 16:43 |
erle |
someone broke github indeed. performance took a nosedive in the last few years. |
| 16:43 |
erle |
people with a gazillion cores probably don't notice it, but it has become quite sluggish. |
| 16:44 |
|
mrcheese joined #luanti |
| 16:45 |
erle |
(one way to notice these things even with fast computers/network is to open the same page in like 20 tabs at once. stuff lags? yeah.) |
| 17:16 |
|
SFENCE joined #luanti |
| 17:21 |
|
nekobit joined #luanti |
| 17:22 |
|
nekobit joined #luanti |
| 17:44 |
|
fluxionary joined #luanti |
| 17:55 |
|
SFENCE joined #luanti |
| 18:14 |
|
SFENCE joined #luanti |
| 18:18 |
|
Talkless joined #luanti |
| 18:22 |
|
SFENCE joined #luanti |
| 18:26 |
|
SFENCE joined #luanti |
| 18:50 |
|
nekobit joined #luanti |
| 19:09 |
|
lumidify joined #luanti |
| 19:23 |
|
SFENCE joined #luanti |
| 19:54 |
|
jaca122 joined #luanti |
| 19:57 |
|
mrkubax10 joined #luanti |
| 19:59 |
|
SFENCE joined #luanti |
| 20:24 |
|
SFENCE joined #luanti |
| 20:34 |
|
SFENCE joined #luanti |
| 20:34 |
|
mrkubax10 joined #luanti |
| 20:51 |
|
SFENCE joined #luanti |
| 21:35 |
|
Trifton joined #luanti |
| 22:43 |
|
Trifton_ joined #luanti |
| 23:09 |
|
tzenfore joined #luanti |
| 23:09 |
|
Trifton2 joined #luanti |
| 23:33 |
|
panwolfram joined #luanti |