DoomServ security hole

[Guest AFTERSHOCK]

Hmm, since the Doomserv defenders are doing such a good job of showing the effect that doomserv can have on intelligence, why don't the rest of us back off, take a rest, and laugh our heads off as the opposition makes our point for us. And makes it very well, I might add!

AFTERSHOCK

[Guest fod_vile]

aurikan said:

I really have no stake in this.and TGO discourages our peer review (along with you dumb little shits from doomserv), snip

you just exposed your ONE and only reason for all this
"Dumb little shits from Doomserv"
That rather tarnishes your "I am the great protector of all who worship me" image
your just a sad spiteful no hoper with a massive chip on your shoulder about Doomserv and anyone who uses it and used some information from a 3rd party and a lot of lies and malicious acts
to kill doomserv

[Guest fod_vile]

aurikan said:

It wasn't a mistake...if you read the article that cph posted a link to, you'll see that full disclosure is a technique used to uncover and patch exploits - by describing the exact details, the programmer(s) will understand exactly what bug(s) the exploit utilises. It's like a really detailed bug report.

If YOU read the article it clearly states:
"» The vendor should be given a reasonable chance to provide a patch or new version before the vulnerabiliry details are made public.
» A lot of script-kiddies without any detailed knowledge can now exploit the vulnerabilities. If the details had been kept secret, they would not had the resources to do it."(sic)

[aurikan]

Toke said:

You need to learn to bullshit better. You cant just show off knowledge like that wile TRYING TO DO SOMETHING GOOD wile at the same time releasing more information on how mess with doomserv and expect us to beleave it. You attempt to bring down doomserv is working so please stop. If you post any more information on how hack doomserv then it will really be obvious what you are trying to do. If made that bad of a "mistake" I wouldnt still be talking about it and trying to do it agin. We dont want your help, all we want is for you to leave us alone, stop telling people how to hack the server, and occasionaly choke. Is it that hard for you just to stop HELPING people that think your fag? Or are you hot for us?

As for booting incedent on doomserv there where 3 people on, me you and a newbie. You or tgo could have booted me and if tgo was there he would have booted you not me. That means:

Aurikan is a fucking lier

Toke, I wish you'd focus on the issue and stop attacking me. Th issue is that doomserv has security holes - very SERIOUS security holes. I'm not talking about a small exploit that gives your internet explorer cookies to a malicious user if you are stupid enough to open an attachment. This exploit gives full access to a malicious user and there is nothing you can do to stop it except close doomserv before your system is compromised - but by then it might be too late.

And seeing the pattern on who is lying and who is telling the truth in this "discussion" ... you and your screenshots, fod and his missing files ... i think we all know what the real story is.

grow up

[aurikan]

fod_vile said:

you just exposed your ONE and only reason for all this
"Dumb little shits from Doomserv"
That rather tarnishes your "I am the great protector of all who worship me" image
your just a sad spiteful no hoper with a massive chip on your shoulder about Doomserv and anyone who uses it and used some information from a 3rd party and a lot of lies and malicious acts
to kill doomserv

actually my reference to the "dumb little shits from doomserv" pertains mostly to two people who frequent(ed) doomserv and now, since i revealed the exploit, are harassing me and attacking me ceaselessly.

so get a life.

[aurikan]

Toke said:

Im with Linguica, maybe you should delete this page.

you may be "with" linguica but i doubt he would be with you

[Guest fod_vile]

Teppic said:

I had to read this three times to get the gist of your little joke : Much like it would have been had it been written grammatically correctly the first time! .

You do have some "unusual" fixation with grammar
I assume you mean the "told" in school?That was intentional, but I hardly think that posts to here should have to be edited, fine honed, and polished to get accross their meaning? One thing I DO notice is it took you 24hrs to read my little snippet , think, and reply with something that contributes nothing to this discussion, and after reading most of your msg's I allow one was interesting but wrong, the rest are either snide remarks or factually wrong, I also note that Islebot's interjection of "A secrity hole ridden pece of crap "(sic) has completely got past your grammar fixation, perhaps we will need to wait another 24 hrs ?
As it took you 3 readings of my little msg and 24 hrs I shall , in future, type more slowly as obviously you cannot read very fast

[GavinJCD]

aurikan said:

Here's the latest twist, I'd just like all of you to know that I tried to load up DoomServ 4 Beta, just to see the new features and fixes TGO has implemented. Unfortunately, this IP (137.69.101.147), one of the IPs I performed research from in discovering the exploit, is (surprise surprise) banned.

This means that (unless I find an exploit which allows me to log in anyway) I cannot evaluate whether or not TGO has actually patched the security holes. Therefore I'd like to warn all current and potential future DoomServ users: beware! For that client might potentially allow a malicious user root access to your box.

.

Leave it Aurikan, they don't want your help because they are stupid, still, noone should go near doomserv until it's been proven safe. Banning Aurikan was just stupid, and I hope TGO gets what it deserves.

[GavinJCD]

Toke said:

You said it, it was dumb. To dumb for it to be a mistake by aurikan.

you know the more I read this shit the more I am wondering why you are so pissed about this exploit being found. is it so impossible for us to believe that you knew about this thing? That this exploit is a bug?, or is it quite possibly there by design, something for you all to think about.

[stphrz]

Toke said:

Are you going to let him talk about you like that fraggle?

Listen. Whoever hacked DoomServ and lied about who he was to try to hurt someone else is probably not going to admit it. Are you trying to provoke a fight between me and fraggle? It ain't gonna work pal. If you have proof of who did this then present it or just shut the fuck up and keep your backhanded accusations to yourself. I still think it was a good thing that the security problems of DoomServ were exposed. I just disagree with some of the actions the hackers took.

[Guest fod_vile]

GavinJCD said:

Leave it Aurikan, they don't want your help because they are stupid, still, noone should go near doomserv until it's been proven safe. Banning Aurikan was just stupid, and I hope TGO gets what it deserves.

Please ask Aurikan't how he knows he was banned? Perhaps when he tried to log in he got msg "forcefully removed" ?
This only means the server was down much like the "40006" error in 3.5v

[aurikan]

fod_vile said:

If YOU read the article it clearly states:
"» The vendor should be given a reasonable chance to provide a patch or new version before the vulnerabiliry details are made public.
» A lot of script-kiddies without any detailed knowledge can now exploit the vulnerabilities. If the details had been kept secret, they would not had the resources to do it."(sic)

I have read the article, and I would like to point out that you here, and in your other post regarding the article, are mis-quoting it.

One of the restrictions is indeed "The vendor should be given ..." And I did try to give him the chance to respond to me however the email bounced.

The part of script kiddies is not under the same section, as "Restrictions". Instead it is under the section of "Cons". And of course there are unfortunate side effects of this method of securing the service, however it is not listed as a "Restriction". It's just a necessary evil. Either you are stupid or you think the people who read this thread are stupid to think you could put this over on them.

[GavinJCD]

fod_vile said:

Please ask Aurikan't how he knows he was banned? Perhaps when he tried to log in he got msg "forcefully removed" ?
This only means the server was down much like the "40006" error in 3.5v

??
don't you know anything
if the server was down his telnet client wouldn't even be abe to connect. You really need to know what your talking about before you make comments like that.

[aurikan]

Toke said:

Are you going to let him talk about you like that fraggle?

Fraggle??? i don't believe it. i don't even see fraggle's name in the discussion. he's probably off working on smmu somewhere. what did you do, pick a name out of a hat?

ohhhh mordeth how could you misrepresent yourself as fiffy! no, no it was fanatic!

[aurikan]

fod_vile said:

I would enter into a battle of wits with you man , but i refuse to fight an unarmed man

Odd -- it seems you already have, and soundly lost

[GavinJCD]

AFTERSHOCK said:

Hmm, since the Doomserv defenders are doing such a good job of showing the effect that doomserv can have on intelligence, why don't the rest of us back off, take a rest, and laugh our heads off as the opposition makes our point for us. And makes it very well, I might add!

AFTERSHOCK

I'm not sure why Toke and Fodders are defending doomserv, there is a flaw which has thankfully been uncovered. It was a very dangerous security hole which could have and maybe already has lead to a lot of damage.
The fact is blaming Aurikan is very foolish and stupid, also stupid is the obvious fabrications about him deleting files of ppls hardrives. I do not know why TOKE and Fodders are so against him, he has helped everyone in the doom communith and instead of congratulating him for his efforts you are harassing him, and making up stories.
This whole ting has gotten out of hand. I personally am not going to touch doomserv again wheather the bug is fixed or not...I am not prepared to take the risk. Toke, you being a oomserv moderator and all should stop whining about what Aurikan has done and start wondering about the safety of your machine.

[GavinJCD]

Lüt said:

You guys are weird. So there's a security problem, big whoop. Somebody fix it and get it out of the way.

I think if his initial emails bounced then he should have posted a public warning. However giving a 2-page tutorial on exactly how to do it... that was just plain stupid, and even Fiffy would know the consequences of that.

As for your personal problems with eachother, take it to email, that's what it's there for.

no, not stupid as there is not much danger at this point, the only danger is for the stupid kiddies that still log onto doomserv after the post.

[Guest fod_vile]

GavinJCD said:

??
don't you know anything
if the server was down his telnet client wouldn't even be abe to connect. You really need to know what your talking about before you make comments like that.

you really are biased
read his post "Here's the latest twist, I'd just like all of you to know that I tried to load up DoomServ 4 Beta, just to see the new features and fixes TGO has implemented"
now maybe I am wrong but from that i assumed he was using the beta to log onto doomserv? did he SAY he was using a telnet client? "you really need to know what your (sic) talking about before you make comments like that"
don't you know anything?

[GavinJCD]

Toke said:

ACK..
right, you have managed to seriously piss me off, he hates doomserv yes, he doesn't hate the ppl that log onto it, he hates just the service, and the idiotic ppl in charge of the service, he is simply trying to help the general public.
And here you are trying to rationalize your remarks by saying he hates doomserv, well I'm beginning to hate doomserv at this point in time now seeing the kind of ppl that run it.

[Guest fod_vile]

aurikan said:

I have read the article, and I would like to point out that you here, and in your other post regarding the article, are mis-quoting it.

One of the restrictions is indeed "The vendor should be given ..." And I did try to give him the chance to respond to me however the email bounced.

The part of script kiddies is not under the same section, as "Restrictions". Instead it is under the section of "Cons". And of course there are unfortunate side effects of this method of securing the service, however it is not listed as a "Restriction". It's just a necessary evil. Either you are stupid or you think the people who read this thread are stupid to think you could put this over on them.

In this post i didn't mention restrictions followed by quotes.
I in no way misrepresented what the article suggests, except perhaps in including the "restrictions" part in the quote. In earlier article my only point to make was in the article I was directed to read. It said those things which i think backed up my premise that TGO should have been given a fairer "crack of the whip" both quotes were, in my mind "cons"
But I DO notice in your choice of quote back to me you deliberatley ommited "given a reasonable chance " ,subtle

[GavinJCD]

Toke said:

You need to learn to bullshit better. You cant just show off knowledge like that wile TRYING TO DO SOMETHING GOOD wile at the same time releasing more information on how mess with doomserv and expect us to beleave it. You attempt to bring down doomserv is working so please stop. If you post any more information on how hack doomserv then it will really be obvious what you are trying to do. If made that bad of a "mistake" I wouldnt still be talking about it and trying to do it agin. We dont want your help, all we want is for you to leave us alone, stop telling people how to hack the server, and occasionaly choke. Is it that hard for you just to stop HELPING people that think your fag? Or are you hot for us?

As for booting incedent on doomserv there where 3 people on, me you and a newbie. You or tgo could have booted me and if tgo was there he would have booted you not me. That means:

Aurikan is a fucking lier

Lier eh?, maybe instead of raning you should come up with some sort of proof, which as we already know is impossble because there is none, your entire reaction to this situation is to blame Aurikan for uncovering the hole.
What would you rather he do Toke?

[GavinJCD]

fod_vile said:

you just exposed your ONE and only reason for all this
"Dumb little shits from Doomserv"
That rather tarnishes your "I am the great protector of all who worship me" image
your just a sad spiteful no hoper with a massive chip on your shoulder about Doomserv and anyone who uses it and used some information from a 3rd party and a lot of lies and malicious acts
to kill doomserv

oh dear, another seriously bad reply. You seem to think that Aruikans only reason to uncover such a security flaw was to doom doomserv and make himslef king of the doom community. I must state that this is all GUESSWORK. Your guessing, you have no proof, and nether has TOKE. Aurikan hates doomserv due to the stupid ppl that run it, and the poor security precautions on it. You saying that Aurikan is out to get doomserv is meaningless, what does it matter what his motives are, he has saved many ppl including myself a lot of bother. You should stop bickering and try to help TGO to fix his software.

[GavinJCD]

fod_vile said:

you really are biased
read his post "Here's the latest twist, I'd just like all of you to know that I tried to load up DoomServ 4 Beta, just to see the new features and fixes TGO has implemented"
now maybe I am wrong but from that i assumed he was using the beta to log onto doomserv? did he SAY he was using a telnet client? "you really need to know what your (sic) talking about before you make comments like that"
don't you know anything?

maybe, I am not familiar with the workings of doomserv, nor do I want to be, such research would require me being logged in, and I do NOT want to do that, ever.

[aurikan]

fod_vile said:

In this post i didn't mention restrictions followed by quotes.
I in no way misrepresented what the article suggests, except perhaps in including the "restrictions" part in the quote. In earlier article my only point to make was in the article I was directed to read. It said those things which i think backed up my premise that TGO should have been given a fairer "crack of the whip" both quotes were, in my mind "cons"
But I DO notice in your choice of quote back to me you deliberatley ommited "given a reasonable chance " ,subtle

why don't you just complain i didn't post the whole article?? you've stated "reasonable chance" a number of times, and i argue that i did - by trying to contact him. Now you're just distracting the argument.

And i didn't "deliberately omit" it. yes, i omitted it, because i didn't feel like typing out the whole quote, and replaced it with an ellipsis (sp?) But to accuse me of doing it deliberately - that's laughably wrong

[Guest fod_vile]

GavinJCD said:

I'm not sure why Toke and Fodders are defending doomserv, there is a flaw which has thankfully been uncovered. It was a very dangerous security hole which could have and maybe already has lead to a lot of damage.
The fact is blaming Aurikan is very foolish and stupid, also stupid is the obvious fabrications about him deleting files of ppls hardrives. I do not know why TOKE and Fodders are so against him, he has helped everyone in the doom communith and instead of congratulating him for his efforts you are harassing him, and making up stories.
This whole ting has gotten out of hand. I personally am not going to touch doomserv again wheather the bug is fixed or not...I am not prepared to take the risk. Toke, you being a oomserv moderator and all should stop whining about what Aurikan has done and start wondering about the safety of your machine.

i in no way decry the laudability of Aurikan's posting of a security flaw (sound of handclapping in background)
the posting details of how any one could do it i do decry
and since halfway thro this discussion? I begin to doubt his reasons

[GavinJCD]

fod_vile said:

In this post i didn't mention restrictions followed by quotes.
I in no way misrepresented what the article suggests, except perhaps in including the "restrictions" part in the quote. In earlier article my only point to make was in the article I was directed to read. It said those things which i think backed up my premise that TGO should have been given a fairer "crack of the whip" both quotes were, in my mind "cons"
But I DO notice in your choice of quote back to me you deliberatley ommited "given a reasonable chance " ,subtle

hmm, you need to stop attacking Aurikan here Fod, and start looking at what your trying to defent

"doomserv is for doom players, not hackers"
I'm starting to wonder if that's true.

[Guest fod_vile]

GavinJCD said:

oh dear, another seriously bad reply. You seem to think that Aruikans only reason to uncover such a security flaw was to doom doomserv and make himslef king of the doom community. I must state that this is all GUESSWORK. Your guessing, you have no proof, and nether has TOKE. Aurikan hates doomserv due to the stupid ppl that run it, and the poor security precautions on it. You saying that Aurikan is out to get doomserv is meaningless, what does it matter what his motives are, he has saved many ppl including myself a lot of bother. You should stop bickering and try to help TGO to fix his software.

will do

[Guest fod_vile]

GavinJCD said:

you know the more I read this shit the more I am wondering why you are so pissed about this exploit being found. is it so impossible for us to believe that you knew about this thing? That this exploit is a bug?, or is it quite possibly there by design, something for you all to think about.

oh dear Gavin's looking under his bed for bogeymen now :)

[aurikan]

fod_vile said:

you really are biased
read his post "Here's the latest twist, I'd just like all of you to know that I tried to load up DoomServ 4 Beta, just to see the new features and fixes TGO has implemented"
now maybe I am wrong but from that i assumed he was using the beta to log onto doomserv? did he SAY he was using a telnet client? "you really need to know what your (sic) talking about before you make comments like that"
don't you know anything?

actually, gavin in this case is rather well-informed. i logged on, successfully, with both telnet, and the client (after a bit of hex editing the exe). fortunately the beta seems leaps and bounds better in terms of the protocol fitness. however that doesn't mean it's secure. however, it is a step in the right direction.

[Guest fod_vile]

and your going to follow protocol and inform TGO of the insecurety?
doubt it
like you ommited all this in earlier post about "being banned and not able to get on" ohhhh no one use doomserv