22 réponses à ce sujet

[PlasmaJohn]

The Master Server hasn't been responding for about an hour now.  FYI if this has yet to be reported.  Is there an ETA on how long it will be down?

Thanks

[NWNOL]

I'm not able to connect to Main Server still.

[Lightfoot8]

NOTICE: NWN Authentication Server Down

[PlasmaJohn]

Not sure what you were trying to link, but that announcement was made several days ago. The Master Server had hiccuped for an hour or two the day prior to that post but was back up and working until today.

It would be nice to know if this is going to be an extended outage or not. We have some scheduled events planned for the holiday weekend and we need to know if we should be looking into alternate arrangements.

[FunkySwerve]

You should just turn master server authentication off for your module. If you have a group already planned, I don't understand why this would be a hindrance to you. Can you elaborate?

Funky

[PlasmaJohn]

I'm surprised you suggested that. I'm not going to expose our playerbase to having their characters hijacked. I have alternatives, but they're a bit extreme. I was holding off until the Master Sever was dead for sure. Frankly I'm sick of the outages and am seriously considering implementing one of them.

[TSMDude]

PlasmaJohn wrote...

 I'm not going to expose our playerbase to having their characters hijacked. .

Most servers I know have the Master off...not sure what you mean by hijacked?(Not trying to be rude just wondering is all.)

[Avalon_DM]

Basically without master server authentication turned on ... anyone could log onto the server using another players login without knowing the correct password. It's bad enough Bioware beiung hacked and possibly thousands of players' info being taken ... this is our only way to protect our players.

[PlasmaJohn]

PlasmaJohn wrote...

Frankly I'm sick of the outages and am seriously considering implementing one of them.

I just wanted to add that in no way should my frustration be taken as a demand to do something now, now, now.  Bioware's gone beyond the call of duty by continuing to support NWN multiplayer authentication this long.

[Rhogar]

FunkySwerve wrote...

You should just turn master server authentication off for your module. If you have a group already planned, I don't understand why this would be a hindrance to you. Can you elaborate?

Funky

How can one turn the master server authentication off???Please answer as soon as you can

[Fester Pot]

Have the server turn it off in their nwnplayer.ini file.

Master Server Authentication Required For Player Login=0

FP!

[Khuzadrepa]

It's in the nwnplayer.ini file serverside. The option is called:
Master Server Authentication Required For Player Login=1

Change the '1' to a zero and save the file.

EDIT: FP beat me to it...

Modifié par Khuzadrepa, 30 juin 2011 - 08:53 .

[FunkySwerve]

PlasmaJohn wrote...

I'm surprised you suggested that. I'm not going to expose our playerbase to having their characters hijacked. I have alternatives, but they're a bit extreme. I was holding off until the Master Sever was dead for sure. Frankly I'm sick of the outages and am seriously considering implementing one of them.

I'm not suggesting exposing your characters to hijacking, and the MS alone does NOT prevent said hijacking. For that, you need a passwording system linking accounts to passwords. We have an optional one, required only for dms. Simply linking cd key to account won't do it, as it's possible to defeat that by means I won't elaborate on (but you can find a discussion on the nwnx boards if you look). Now, we ALSO link cd keys to accounts, but only because it's useful for banning - it's only a minor impediment to account theft. I wouldn't characterterize either the passwording or cd key account linking as 'extreme', so I'm not sure what exactly it is you're contemplating.

Funky

[PlasmaJohn]

FunkySwerve wrote...

... and the MS alone does NOT prevent said hijacking. ...

I'm comfortable enough with the MS's password validation.  Is it perfect? No, but much better than I had hoped (I had very low expectations).  Frankly I'm much more comfortable with that than I am with in-game passwording or connection matching techniques.

[WebShaman]

Funky is right here - there are better ways to "secure" one's server.

And such does not require the MS authentification method, so in such a case as now, where it is not available, the protection is still in place.

I would suggest dropping Funky a PM.

[FunkySwerve]

PlasmaJohn wrote...
  Frankly I'm much more comfortable with that than I am with in-game passwording or connection matching techniques.

Succinctly put, you shouldn't be.

Funky

[PlasmaJohn]

Logins not cdkeys. I take nothing at face value even the authentication performed by the MS. I'm familiar enough with it at the protocol level to say "could have been done better but good enough".

If you have something provable instead of hearsay, feel free to drop me a PM with details.

[FunkySwerve]

Nothing I've said has been hearsay. Hearsay is, generally speaking, out-of-court-speech (or a document) submitted as evidence of a substantive matter in controversy before a court by someone other than the speaker. Used more loosely, as you are, it refers to secondhand, or anecdotal statements, rather than those based on the experience of the person speaking. Everything I said is based on extensive personal experience. If you don't want to avail yourself of it, it's no skin off my nose. But complaining about inability to schedule events because of MS downtime, and then turning up your nose at more practical approaches to security that don't require the MS at all, is just bleeping silly.

Funky

[WebShaman]

I can only agree with what Funky has said so far - on one PW that I was part of the Admin, we had such a system (no, I did not script it). It worked very well.

Especially for the DMs. AFAIK, we never had a break-in.

[PlasmaJohn]

@Funky: Sorry used the wrong buzzword.  Maybe "facts not in evidence"? 

Sorry, "in your experience" is not good enough for me to switch to a) sending passwords in the clear and authenticating passwords after they have an active connection.  If I'm understanding other lore that itself is a very bad idea (but can be mitigated by using an entry server).

Look, if you want people to take you seriously about "your experience" you need to find somebody else outside of your circle to verify your claims.  Otherwise it's all a load of grade school "nyah nyah nyah nanny-nanny boo-boo"

@Web: we've never had a break-in either .

[FunkySwerve]

As I said, I'm really not fretted if you don't want to listen. Given that WebShaman has already confirmed what I have said repeatedly, and is in no way, shape, or form related to me or my PW, it's a little hard to compass who you'd consider to be outside  my 'circle' - apparently my powers of influence are grander than I'd ever imagined. Never mind that I've already told you where you can find more information on this. If you really don't understand why I'm not going to discuss it on a public forum, there's no point in explaining it to you.

As for authenticating passwords after they have an active connection, it is not a very bad idea. It is in fact a very, very good idea, if you're as interested in the security of your players as you profess, because it is the only substantive, proactive protection you can give them from account theft. It does not require the use of an entry server, and an entry server will not protect you or your players from this risk. Whatever it is you think you understand about 'other lore', you are seriously out of your depth here.

Furthermore, if you've never had a break-in, why all the confidence about MS protection being superior to serverside cd-key verification and passwording? Your security - and calling it that is rather generous - has never even been given a chance to fail. Fail it would, in spectacular fashion, since you rely on the MS. Ours, by contrast, has evolved in response to repeated attacks, and includes our own nwnx plugin - a plugin that is the only protection out there against one serious threat.

Before you make more inane accusations of grade-school antics, we only distribute the plugin to confirmed server ops running linux, because there is no windows port, and the plugin reveals the nature of the security threat. We've distributed it to around 10 ops so far, and you're welcome to it as well if you're running linux.

In summary: you should not rely on the MS for security, and MS downtimes are simply not a reason to cancel scheduled events.

Funky

[Khuzadrepa]

PlasmaJohn wrote...
Look, if you want people to take you seriously about "your experience" you need to find somebody else outside of your circle to verify your claims.  Otherwise it's all a load of grade school "nyah nyah nyah nanny-nanny boo-boo"

I've been active on these and the old forums for a fair number of years, and it's pretty easy to substantiate that FunkySwerve has been an admin for the Higher Grounds action server for quite some time.  That server is and has always been well-populated from as far back as I know.  I have witnessed him being actively helpful in the community, especially in the area of security, both here and on the NWNx boards.  I've also seen him trying to squash bugs, plug exploits, and just generally try to give assistance to other community members.

From all I have seen, if I had a question about security in NWN, he is the first person I would ask. In this particular case, I also feel that creating your own player authentication is the way to go, especially going into the future.  At some point, the Master Server could go down for good, and we'll need our own way.

By the way, I'm not sure what you mean by a 'circle', but I have no affiliation with FunkySwerve other than via the forum.

Just my two cents.   Cheers!

Modifié par Khuzadrepa, 01 juillet 2011 - 09:18 .

[Calvinthesneak]

They are right, we've just started implementing all sorts of security via database, because we were having issues with hackers and the master server being down. Checks of IP's, CDKeys, loginnames, so that if things do show up out of sorts we simply are warned and then can perform verification if an account is hacked.

Funky Swerve has continuously given to the community over the years, from teaching NWNx, to letoscript to whatever else people looking to put the game to advanced use asked about. Between work both he and Acaos have done, they have advanced the game and the community. And the only relationship I can claim is that I know Funky via these forums and the old bioware ones.