Time Nick Message
03:30 MTDiscord are you still around by any chance
03:30 user333_ yea
03:30 MTDiscord did u do anything weird with the backend :P
03:31 user333_ yes
03:31 user333_ is it online rn?
03:31 MTDiscord nope :P
03:31 user333_ yay, then yes
03:31 MTDiscord what was it :P
03:31 user333_ i sent a POST request containing 1GB of text
03:32 user333_ overflowed the RAM and segfaulted i assume
03:32 MTDiscord potentially
03:33 user333_ so either give it a 30GB swapfile and make it slower than grandma or terminate incoming connections that send over 1MB
03:34 user333_ what did prounce say when he saw the backend was offline...
03:34 MTDiscord nothing yet
03:35 user333_ well that's quite the exploit then... also ignore the 28,000 accounts that a friend registered with a script
03:35 MTDiscord i kinda should thank u cuz exploiting this stuff before the version is officially released is prolly a good thing
03:35 MTDiscord also yeah limiting account creation was one of our ideas
03:35 MTDiscord specifically to avoid that
03:36 user333_ overflowing disc is another concern, you could register billions of accounts and fill it all up
03:39 user333_ fyi the backend has been offline since like 9:00 my time...
03:40 user333_ when i ran my script :>
03:48 * mrcheese watches user333_ crash a backend
03:48 user333_ :D
03:54 mrcheese lol with that logic you could just register several gigabytes of accounts and just kill the disk. im surprised how easy this is to break
03:55 user333_ simple, add an account limit
03:55 mrcheese yea lol
03:55 user333_ 5 is a reasonable limit imo
03:55 mrcheese also the input sanitization.... how does one forget that-
03:56 user333_ "...at 4AM..."
03:56 mrcheese idk 5 accounts per IP...... people with VPNs:
03:57 user333_ true but to kill the disk you would need billions of accounts... more accounts than IPs
03:57 user333_ (*IPs available to the VPN)
03:59 mrcheese true
09:33 MTDiscord nono let the country do that
12:41 MinetestBot [git] sfan5 -> luanti-org/luanti: Remove Irrlicht devices except SDL (#16580) e924f42 https://github.com/luanti-org/luanti/commit/e924f425f2e8bb46882507e109fa3d0e780d8910 (2025-10-30T12:39:44Z)
13:14 erle input sanitization is bullshit. you need input validation instead.
13:15 user333_ i still managed to crash their server even with input sanitization :P
13:16 erle as i said, sanitization is bullshit
13:16 erle user333_ are you aware of IRC bot science?
13:16 erle user333_ https://irc-bot-science.clsr.net/
13:16 user333_ uuh no? i'm fairly new to IRC
13:17 erle if you follow this link, you get sent a HTTP response with 1GB of small headers: https://irc-bot-science.clsr.net/longheaders
13:17 erle read the page, it is very funny
13:17 erle and might give you more ideas
13:17 user333_ uh yeah, i crashed them by sending a 1GB POST request to their registration API
13:18 erle simple as
13:18 erle i once heard from a former coworker that some *cough* iot appliances allocate a lot of memory if your requests or responses simply *say* that their content size is OMG HUGE
13:19 [MatrxMT] the s in iot stands for security
13:20 erle yes, been there done that
13:20 user333_ ew, internet-connected appliances, yet another way for the manufacturer to access your network, send you ads, make basic features require subscriptions, and find out all your personal info
13:20 [MatrxMT] how does my matrix link preview show that correctly but firefox refuses to load it due to overlong SSL record?
13:20 erle not necessarily
13:20 erle i used to work for a company that made stuff that i think is okay. like, e.g. predictive maintenance.
13:21 erle ideally you want to send the technician *before* some device fails
13:21 erle managing of stadium/university lights also
13:22 erle or simply “turn on your washing machine via API when you are on the way home from work so your clothing does not lie wet and smells slightly off”
13:22 [MatrxMT] predictive maintenance, digital twins, smart building, a lot of that makes sense
13:22 erle well yeah the company sold to other companies
13:22 user333_ you can do that with pretty much any washing machine + a wifi-enabled microcontroller
13:22 erle often it was “classical product needs some iot thing, can you help us”
13:22 [MatrxMT] a TV that uses Automatic Content Recognition to snoop on your HDMI input and send it to ad networks, not so good
13:22 erle user333_ you want any idiot to be able to do it though. so e.g. the pairing process needs to be rock-solid but simple to use.
13:23 erle like, scan the QR code (it leads to a website) to start the pairing process, but then you *have* to press the button on the device as proof of ownership so no one snatches it from the qr code in your unboxing video
13:24 user333_ you could probably spam-send an API request to the server and wait until someone pressed it
13:24 erle that gets you denied pretty fast lol
13:25 erle also the legit user would notice
13:25 erle one customer wanted something that worked even in emergencies in the absence of internet, so device authentication was done by qr codes. meaning, normally you scan the code from some other device, but you can also just print it out if you are e.g. underground or coverage sucks.
13:26 erle a bit like the covid vax certificates
13:26 erle or train ticket qr codes
13:27 erle user333_ typically, end users have problems that are very specific to a device and a domain. and industrial customers have problems that come from earlier choices.
13:27 [MatrxMT] nobody cared to check your details/number on proof of vaccination here lul
13:27 [MatrxMT] could just be a png
13:27 erle like “we need TLS on this ESP8266, but the RAM is tiny”
13:27 user333_ anyway, here's the script that took down their server this time: https://paste.centos.org/view/cc3bc969
13:27 erle the answer involved some space-time trade-offs and elliptic curves
13:28 erle user333_ which server anyway?
13:28 user333_ TeamAcedia's backend
13:28 erle oh i see
13:28 erle backend for what?
13:28 user333_ accounts
13:28 user333_ and cosmetics
13:28 erle cosmatics lol
13:28 erle user333_ do you know about slowloris? xD
13:28 user333_ no?
13:29 erle https://en.wikipedia.org/wiki/Slowloris_(cyber_attack) check it out
13:30 sfan5 what is this TeamAcedia thing
13:30 user333_ the hacking group that took out the serverlist this year
13:31 user333_ they also made the most popular cheat client
13:31 [MatrxMT] https://github.com/TeamAcedia
13:31 erle cool, so it's spy vs spy now
13:31 user333_ so... i managed to crash their server... twice
13:31 erle i vaguely remember that cora (?) once made a patched client where the server list was just JSON served by something
13:31 sfan5 sending some basic fake data is not exactly "hacking" but I see
13:32 user333_ you understand what i mean though
13:32 erle if you want to go that way, one could argue the way you use afl is not exactly “fuzzing” … it's not like it matters what you call it, outcomes matter.
13:32 [MatrxMT] check the logs, that was one of them talking to 333 before
13:33 [MatrxMT] "AI is what hasn't been done before" -- "Hacking is when you use specific techniques"
13:33 user333_ yeah, i registered an account with a script that used a million zeroes for the username XD
13:33 erle user333_ if you want to crash more (and learn how to write way more secure software), read some LANGSEC papers: https://langsec.org – in particular “Security Applications of Formal Language Theory” and “The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them”
13:33 erle in that order
13:33 [MatrxMT] have you tried SQL injection yet
13:33 erle it shows you how to prevent (or find) entire ranges of bugs
13:34 erle and will also explain why i say sanitization is bullshit
13:34 user333_ birdlover32767: i'm going to try it, the backend is written in Go which i don't know
13:34 user333_ but the syntax looks like python + lua + c++
13:34 erle user333_ go read the papers. you will become a better security clown that way.
13:35 erle then you can clown on team acedia more
13:35 erle also it will prevent you from doing more script-kiddie things i hope
13:36 erle because you will be occupied with little IT security academia
13:36 user333_ i'm also going to try registering accounts with escapes in the names
13:36 user333_ like \n and \r
13:36 erle user333_ come on
13:37 erle user333_ there are so many funnier ways to do it. e.g. you know about the hypothesis framework? it allows you to make a generator “give me a string that fits this regex” and stuff.
13:37 user333_ well you never know what might work, why do it the hard way when you can do it the easy way
13:37 erle anyway, taking the serverlist down is ass
13:38 erle it's not like cheating or exploiting dupe bugs
13:38 erle (of which i have done a lot hehe)
13:38 user333_ i got revenge on them for that ig :>
13:39 [MatrxMT] it's like the kid who tags on top of a mural instead of leaving tags on unpainted concrete
13:39 erle sfan5 is there some implementation/intent detail that would prevent eventually going to a static JSON server list and letting the client sort it out? i assume it could reduce server load.
13:39 erle and also allow people to host their server list from a static file hoster ig
13:39 user333_ i have discovered a whole lot of ingame bugs myself, like being able to clip through certain blocks with MTG fences
13:40 erle yes, a lot of people discover that eventually
13:40 [MatrxMT] what's stopping people from pointing their clients at a static JSON now?
13:40 user333_ or being able to sneak+jump through blocks on early 5.x clients
13:40 user333_ Blockhead: why would you want to do that? :P
13:41 [MatrxMT] that's more a question for erle tbh
13:41 [MatrxMT] definitely durable if you have a server on your LAN.. but, part of the data is the online players and the mods, those change fairly frequently.
13:42 [MatrxMT] but maybe the architecture we're talking about is different, where it's on HTTP but not made by the Python app like it currently is but actually there on disk (going beyond my knowledge sorry)
13:43 [MatrxMT] not dynamically served
13:43 erle Blockhead256 idk actually which is why i am asking if there is something that prevents it. maybe client protocol filtering and stuff like that.
13:44 erle my minettest-servers script still works
13:45 [MatrxMT] I thought the filtering was done client-side, though the rank (order) is dynamically calculated and there's a big penalty for 0.4.x support
13:46 erle > there's a big penalty for 0.4.x support
13:46 erle is this an anti-multicraft measure?
13:46 user333_ hehe, the TeamAcedia server has been offline for over 12 hours now
13:46 [MatrxMT] i mean, 0.4.x is unsupported by default
13:46 [MatrxMT] I think it is in part. I think it's been discussed on the tracker...
13:47 erle user333_ great way to let everyone know YOU did it. now they have a target!
13:47 user333_ erle: they already know
13:47 erle i hope you responsibly disclosed the issue
13:47 user333_ nah, they just talked to me in IRC here
13:47 user333_ read the logs
13:48 user333_ https://irc.luanti.org/luanti/2025-10-29
13:50 [MatrxMT] the git log shows a lot of justifications for various things
13:51 [MatrxMT] https://github.com/luanti-org/serverlist/commit/9f144f3e3c40a52ee423466f19f8eff37f859111
13:51 [MatrxMT] it's probably the best record of the serverlist's reasoning
13:52 [MatrxMT] there aren't as many PRs against it though. It's free software but managed more directly but the operator than by committee and bikeshed
13:52 [MatrxMT] s/but the/by the
13:54 user333_ anyway a 14yo kid (aka me) was able to take down luanti's biggest hacking group's backend server B-)
13:55 [MatrxMT] this says more about the state of the hacking groups we have lol
13:56 user333_ also helps their backend is open-source
13:56 user333_ https://github.com/TeamAcedia/TeamAcedia-Backend/
13:58 [MatrxMT] ah, so it's fine, you're just doing security research for them
14:01 user333_ you could put it that way
14:03 user333_ i do think the usernames could have SQL injection vulnerabilities
14:04 [MatrxMT] https://xkcd.com/327/
14:05 user333_ XD
14:05 user333_ now to wait for the server to come back online so i can try it
14:05 sfan5 did someone break github
14:06 user333_ https://github.com/luanti-org/luanti/ loads for me
14:07 sfan5 I got some unicorn errors just a few minutes ago ¯\_(ツ)_/¯
14:09 [MatrxMT] the bug where being logged out breaks the milestones? surely not what you're talking about...
14:21 MinetestBot [git] sfan5 -> luanti-org/luanti: Refactor texture source to prepare for array textures 0794912 https://github.com/luanti-org/luanti/commit/0794912374c00474036dee3093d07d90cda3038c (2025-10-30T14:19:26Z)
14:21 MinetestBot [git] sfan5 -> luanti-org/luanti: Irrlicht: expose MaxArrayTextureLayers 3c60b34 https://github.com/luanti-org/luanti/commit/3c60b348a62a70c2d491f1eefcc0ad683a94a2c6 (2025-10-30T14:19:26Z)
14:21 MinetestBot [git] sfan5 -> luanti-org/luanti: Irrlicht: upload array textures more efficiently ae6aac8 https://github.com/luanti-org/luanti/commit/ae6aac8aa94675a7050c75199266cfd9dd9b0154 (2025-10-30T14:19:27Z)
14:21 MinetestBot [git] sfan5 -> luanti-org/luanti: Irrlicht: fix mipmaps regenerated multiple times 04a443e https://github.com/luanti-org/luanti/commit/04a443e39234f198fd0d0f8c11a85d93f83a005b (2025-10-30T14:19:30Z)
14:21 MinetestBot [git] (1 newer commits not shown)
16:36 MinetestBot [git] appgurueu -> luanti-org/luanti: Refactor: Remove obsolete `IAnimatedMeshSceneNode` interface (#16631) 1ead48c https://github.com/luanti-org/luanti/commit/1ead48c58b316b376e02d135a9a043201a72b41a (2025-10-30T16:34:45Z)
16:42 erle user333_ if you are really 14, go read and comprehend the LANGSEC papers. they will help you a lot with becoming better at programming and hacking.
16:43 erle someone broke github indeed. performance took a nosedive in the last few years.
16:43 erle people with a gazillion cores probably don't notice it, but it has become quite sluggish.
16:45 erle (one way to notice these things even with fast computers/network is to open the same page in like 20 tabs at once. stuff lags? yeah.)