Campaign Security



Bale Nomad
February 2nd, 2017, 23:28
I just purchased an Ultimate subscription to try out FG2. I noticed a username and password field are available fields when you create a new campaign, so I created a test campaign to try those fields. When I later select that campaign to load, it shows the username, and the password field is blank. When I start the campaign, I am not prompted for a password.

I scoured the campaign files looking for any vestige of the password - an xml tag, a mysterious hashed value, anything - and found nothing.

Does this mean that when I have the port forwarded as recommended (as it is now) anyone with a demo version of FG2 and my IP address can come barging into one of my games uninvited?

Trenloe
February 2nd, 2017, 23:57
The GM is not prompted for the password. They should only need to enter it once for a specific campaign - i.e. the password is assigned to one campaign, not all of your campaigns. If the "Password:" field for your campaign is blank when you start the campaign then players won't be asked to enter a password.

Bale Nomad
February 3rd, 2017, 00:36
I started another instance on my computer and joined the game with the password on it, and I did not get prompted for a password. I started an instance on another computer, using a default demo version install, and joined the game without being prompted for a password. Is the player prompted for a password only when they are connecting from outside the local network?

Nickademus
February 3rd, 2017, 00:42
You should be prompted when joining with localhost.

The one time I found I wasn't being prompted, I discovered that I put the password in the GM name slot instead...

damned
February 3rd, 2017, 01:01
With around 4 billion active IP addresses, the only times a random person has landed in my game turned out to be someone I had played with very recently and they connected to the wrong alias. I've also done the same - gone to land in one GM's game and landed in another's :)

Nickademus
February 3rd, 2017, 01:39
I had a player hop into one of my prep sessions in a campaign that was to be exported to a module (not for actual play). Since then I put a password on my prep sessions.

Bale Nomad
February 3rd, 2017, 04:57
I think I figured out what happened. When I created the campaign with the password on it (we'll call it campaign 1), I entered both a username and password in the correct fields, and then I clicked the FG "Start" button. When I selected it to load again, the password was not displayed in the bottom left panel of the campaign selection window, and the username appeared to be simply a text label instead of a text entry field, so I thought the password was not being displayed to protect it. I then connected from a player session and was not prompted for a password. I thought it odd that the password would be protected with no apparent way to change it through the options, and I went searching for at least a password XML tag in the campaign files thinking I would find a hashed value somewhere.

I created another campaign with a username and password (campaign 2), and this time I pressed the <Enter> key after entering the password in its field on the new campaign setup panel before clicking the "Start" button. I was once again able to connect to the campaign from a player session without being prompted. I exited the GM session, and the next time I went to load campaign 2, I saw the password in the field in the bottom left panel of the campaign selection window. This time the player session was prompted for the password.

I went back to campaign 1 and clicked the space next to the "Password:" label on the campaign selection window, and was able to enter a password. Once again, I clicked the "Start" button without pressing the <Enter> key and connected with a player session with no password prompt. The next time I loaded campaign 1, I was prompted for the password in the player session.

There seems to be a bug of some kind with entering data into the password field. It seems the password field is inconsistent when it comes to accepting values. I am using FG Ultimate v.3.2.3.

Bale Nomad
February 3rd, 2017, 05:03
It would be nice to have an explanation of the security feature in the documentation. It also would be nice to know if at least the username or password are protected in transit instead of being sent as clear text. There are plenty of threats to all our computers and personal information out there on the internet, regardless of how small a target we think we are. When it comes to automated tools that search for any and every vulnerability, no target is too small.

damned
February 3rd, 2017, 06:08
In the real world there are plenty of targets that are "too small". Time is money for hackers too. You attack those targets that give you a return on your effort. BTW, to anyone else reading this: I'm not giving advice on securing or not securing your network, your game, your life...
Without any real knowledge of the password feature I suspect it is sent using either plain text or very basic encryption...
The password is stored in a plain text file called campaign.xml in plain text.

<password>123456789</password>

Zacchaeus
February 3rd, 2017, 12:40
I've never felt the need to enter a password so I've never explored this. However I just started a new campaign, entered a password and tabbed out of the password field and then clicked start. When I attempt to join my own game now I am prompted for a password. On closing and reopening the campaign I see both the username and password on the bottom left panel. Sounds like you need to move focus away from the password field after entering it for it to work first time.

Bale Nomad
February 4th, 2017, 07:00
Zacchaeus: thanks for trying a test to try to repeat the problem.

All: I am not saying the sky is falling, so please don't denigrate you or me with flame messages. That wouldn't be helpful to anyone.

I conducted several tests and developed a series of repeatable ones to demonstrate when the campaign password field does and does not work. I emailed the full text of those tests along with my general security concerns to the support department.

Given the campaign password is stored in plain text, I got a little concerned about my SmiteWorks username and password. When I didn't find it in the file system, I went digging in the registry. I was relieved to find the password hashed in the registry. This still leaves me with some concern about the campaign passwords.

If you haven't watched this video, please do so: https://www.youtube.com/watch?v=7U-RbOKanYs

Yes, I used my time to manually investigate these issues. Yes, hackers wouldn't waste their own time to do what I did. They have drone programs that do the work for them. My concern is that a drone program, not a human being, could go snooping through a GM's computer and find the clear text passwords in the campaign data files. The problem isn't that hackers might go barging into FG2 gaming sessions. The problem is that hackers' drone programs could harvest more clear text passwords that people are actually using to add to their growing databases. This is what the majority of people don't get.

I'm not saying that FG2 does or does not have vulnerabilities. I'm not saying that hackers will leverage FG2 as a direct attack vector. I am saying that uninformed GMs could be contributing to the larger hacking problem. It wouldn't take long for a drone program to harvest these clear text passwords if a GM's computer were to be infected.

So far I like the program. I hope it has continued success. I also hope its users will become better informed.

Since the only real purpose of the campaign passwords is to keep unwanted players out, and since we know they are stored in clear text, then feel free to make it as common a thing as you want. Make it your middle name, your birthdate, your high school mascot's name ... whatever. Just don't make it something that you would EVER actually use for something serious, like your bank account.

If SmiteWorks decides to hash the campaign passwords, that would be a good idea. If you forget it, so what! It's your computer, and it's an XML file. You can simply delete the password tags from the XML file and then change it in the program to something new.
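The hashing idea raised in this post, as an added example that is not part of the thread and is not Fantasy Grounds code: it swaps a clear-text `<password>` value for a salted PBKDF2 digest and checks a join attempt against it. Only the `<password>` tag comes from the thread; the `<root>` wrapper, the attribute names and the function names are assumptions.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed sample: only the <password> tag is taken from the thread;
# the <root> wrapper and the attributes written below are assumptions.
SAMPLE_XML = "<root><password>123456789</password></root>"
ITERATIONS = 200_000


def migrate(xml_text):
    """Replace a clear-text <password> value with a salted PBKDF2 digest."""
    root = ET.fromstring(xml_text)
    node = root.find("password")
    if node is None or not (node.text or "").strip():
        return xml_text  # no password set: nothing to protect
    if node.get("scheme"):
        return xml_text  # already migrated
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", node.text.encode("utf-8"),
                                 salt, ITERATIONS)
    node.text = None  # the clear-text value is no longer written to disk
    node.set("scheme", "pbkdf2-sha256")
    node.set("iterations", str(ITERATIONS))
    node.set("salt", salt.hex())
    node.set("hash", digest.hex())
    return ET.tostring(root, encoding="unicode")


def verify(xml_text, attempt):
    """Check a join attempt; a missing or empty tag means an open campaign."""
    node = ET.fromstring(xml_text).find("password")
    if node is None:
        return True  # tag deleted by hand: campaign is open until reset
    if node.get("scheme") is None:  # legacy clear-text entry
        stored = (node.text or "").strip()
        if not stored:
            return True
        return hmac.compare_digest(stored.encode("utf-8"),
                                   attempt.encode("utf-8"))
    salt = bytes.fromhex(node.get("salt"))
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 salt, int(node.get("iterations")))
    return hmac.compare_digest(digest, bytes.fromhex(node.get("hash")))
```

Deleting the tag still resets the campaign to open, as the post describes. Hashing at rest only covers the stored file, not what a joining player sends.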

damned
February 4th, 2017, 09:24
As it's a password that you share with players it should only ever be a simple/easy/shareable password. It should not be one that you ever use anywhere else.

Nickademus
February 4th, 2017, 15:49
I appreciate the information, and found the video entertaining. Though I really think we are talking about apples and oranges here even though both are called passwords. I don't know anyone that would use a complex secure password for an FG game. It might be true that some of the people I play with use simple passwords for important things, but that is a bad habit that I would tell them to stop if I found out (and has nothing to do with the FG password).

Trenloe
February 4th, 2017, 16:50
The campaign password is purely used to stop players joining a FG session which you don't want players to join - for example, you're doing prep or development and you don't want your players joining early: use a simple campaign password the players won't guess. Or, in the rare occasion that you may need to block a previous player from your session, use a simple campaign password or change the one you used previously.

Getting access to one of your campaigns (only when the GM has it running) doesn't give a potential hacker much access to your system beyond being annoying in the FG chat window and rolling lots of dice. The FG devs specifically limit the Lua libraries available in FG (e.g. no direct file access) and are very aware of keeping the FG functionality locked down in terms of what could be done if someone managed to get too much access to FG. For example, players can't control what code is available in a FG session - the GM has complete control over that based off the ruleset and extensions they load before starting the campaign, more code cannot be loaded/modified once the campaign has started.

So, whereas at a purely theoretical level passing plain text passwords over the Internet, or storing those values unencrypted in a text file, is not a good thing, in this case - a simple password to allow/restrict access to a very security-conscious application (not the computer it is running on) - it is nothing to get too concerned about IMHO.

LordEntrails
February 4th, 2017, 19:41
I think Bale's concern, and one I see value in, is that people may use a password in FG that they use elsewhere for something actually important.

Now, all of us that frequent this forum and are interested in this topic are probably aware enough of the issues in doing such. And wouldn't contribute to the concern.

But, that doesn't mean the issue doesn't impact our society at large. Or that there is value in considering changing how things are done in FG to help, in a little way, the "greater good".

damned
February 5th, 2017, 00:26
That campaign lock password is never transmitted over the internet by the GM's machine - only by a player connecting to the GM's computer.
If you give someone your password so they can connect you have already given your password away.

And Bale Nomad, don't worry - no one is denigrating you or your comments or trying to start a flame war.