232 replies to this topic

[ColonelKiel]

Actually the worst that could happen is that it has an embedded keylogger that quietly monitors your key strokes and logs your Internet traffic and gathers it into a nice little data packet and 2 months after its been installed and behaving like a good little application, it suddenly decides to misbehave. It fires off its paydata to some hidden torrent site for the attacker to mine for your bank accounts, credit cards, and Un/PW's for all your other MMO's where you CAN gift/trade/sell your gear to other parties.

They got the keys to your life, but you got some kool stats pages.

War Eagle, I'm not suggesting that you're the kind of ********* that would actually do this sort of thing. But I'm also not saying you couldn't be.

If PGI endorses it then I'm all in.

Till then, it just looks kool.

Safely.

From this side of my firewall.

[ColonelKiel]

Also, the TOS says that if you install 3rd party, non-PGI apps that can interface with MWO, YOU are responsible for their effects.

PGI has no onus or responsibility in saving you from yourself and compensating you for your loss.

Sure, they are a decent bunch of Canucks, who will give you the shirt off their back to help a fellah out, but they don't have to.

[Tyr Gunn]

Amusingly enough, we were just talkin' about this sort of thing last night. We were conceptualizing about what would happen if some griefer got a hold of your account details. It could be bad, and as Kiel pointed out, there is no obligation for PGI to "undo" the damages caused by you giving your login deets to someone. That falls under the category of you being a silly tool.

We went over all the worst possible scenarios. And they're all bad! They could sell all my mechs, spend all my GXP, blow all my MC, then drain my cbills by selling all my gear and buying it back and selling it again till I'm completely drained.

Imagine logging in and finding all your mechs gone. You'd still have your founder mechs, but they could all be completely stripped. What would you do with no cbills, no GXP, no MC, and no mechs. Drive trial mechs till you kill yourself most likely.

Could PGI undo it all? Probably. Would they? Probably not.

[Jman5]

Hey, does anyone know if there is a place where the match stats are stored individually?



This stuff.

[Dazc]

Apologies if this has been asked but is there a way to report on each weapon vs the distance it hit an enemy mech.
Such as I would want to know what distance I tend to engage with certain weapons so that I know whether I am engaging at the correct range.
Thanks

[focuspark]

Dazc, on 11 September 2013 - 06:02 PM, said:

Apologies if this has been asked but is there a way to report on each weapon vs the distance it hit an enemy mech.
Such as I would want to know what distance I tend to engage with certain weapons so that I know whether I am engaging at the correct range.
Thanks

No. Look at your stats data to see what data the app can scrape from the website. If it's not there (and it's not) then the app doesn't have access to the data.

@OP: app looks good, nicely done. I have one significant problem with your implementation: you ask users to store their username + password in clear text on the harddisk. This is very dangerous, and unnecessary. You obviously already know how to pass cookies around to emulate a web browser, and since the cookies are valid for a long time there's little need for keeping the username + password pair around.

If the cookie expires, ask for the username + password again.

Either that, or implement a secure method of storing the pair.

Tyr Gunn, on 11 September 2013 - 04:33 PM, said:

there is no obligation for PGI to "undo" the damages caused by you giving your login deets to someone.

Actually, quite the opposite is true. It's in PGI's best interest to resist helping at all. Otherwise they'll be constantly harassed by scammers.

[Tyr Gunn]

focuspark, on 11 September 2013 - 09:54 PM, said:

Actually, quite the opposite is true. It's in PGI's best interest to resist helping at all. Otherwise they'll be constantly harassed by scammers.

Ya. That's what I said. They have no obligation to render assistance and undo the damage caused by someone giving away the credentials to their account.

Didn't I?

[Egomane]

As far as I know, SjurWarEagle made the sourcecode for the tool available for download. You are free to check yourself if there are any backdoors or routines that will send your credentials to third party websites and to rebuild the tool from scratch if you want to.

I only have an old link available (posted on page two of this very same thread), but I'm sure, if requested, SWE will post the updated code as well.
http://pastebin.com/NzsCxT30

Of course there is no obligation for PGI/IGP to help you (but if you are lucky they will), if you do lose access to your account, because of some third-party tool like this, but SjurWarEagle can't be any more open on what that tool does with your data.

[Tyr Gunn]

To be clear. I'm not actually accusing this guy of being a nefarious super villain. I'm merely reminding everyone of the risks associated with giving over your account details to a 3rd party.

The reality is that while SjurWarEagle might be a decent guy, the next guy might not be. And that next guy has an opportunity here because there is already a bridge of trust associated with this type of back door. Make no mistake; that's what you're providing WarEagle with, a back door to your account. Maybe he won't do anything villainous with it, but the possibility remains. The mere fact that he's made the tool open means anyone with the drive can turn it around for the purpose of evil by whipping up a better functioning or looking tool from its framework.

Again, it's not the creator or the tool I have any issue with. I just want everyone to think about the associated risks. Regarding PGI bailing you out if your account gets hijacked, there is a pretty small chance of that happening. If it happened to one or two, maybe. But dozens, maybe hundred or more? Fat chance. Especially if it was your own damn fault.

Read TOS, section 5, subsection 1. Articles 1 & 2:

Quote

5. Your Account and Account Use. Your use of the IGP Offerings may require an account identifying you as a user (an “Account”). In connection with such accounts,

1. Responsibility—you are solely responsible for

1. your Account and the maintenance, confidentiality and security of your Account and all passwords related to your Account, and

2. any and all activities that occur under your Account, including all activities of any persons who gain access to your Account with or without your permission

"Solely responsible" means you're totally boned if you give your password to someone and they hijack your account. You're more likely to get bailed out if all user accounts got hijacked.

Just sayin', play safe kids! Only you can prevent forest fires.

[Egomane]

Tyr Gunn, on 12 September 2013 - 09:17 AM, said:

Important stuff!

I absolutly agree!

[SjurWarEagle]

Hello together,

I want to drop some lines on the security topic. As already written, I have no interest in your accounts and personally I have no advantage in this, my mechbays contain 13 mechs at elite level and about 17.000.000 c-bill, I bought Phoenix and I'm playing several times a week with friends.
But: Can I prove this and create a comfortable feeling on this topic for you? No.
This is the big disadvantage of the internet, there is so much fraud, it's important to be sceptical. As far as I know there is absolutely nothing I can do about this problem except doing good work and not abuse the little trust there might be.

I'm trying to provide more transparency by moving the project to an open source repository: https://sourceforge.net/projects/mechcollect/
You now are able to track every step in my development.

At the moment I'm not sure if I like this idea, it's not about the fact being some kind of transparent, it's the fact it now is more than a little hobby project. Mechcollect was created because I like statistics and wanted you to be a part of this love. I had several opensource projects wich all died the moment they got too much attention.
I love programming, but I must have the love to do this. Some time I don't have the fun in doing so. At the moment I'm painting my miniatures for a little upcoming dreadball competition with some friends, so I'm not improving mechcollect. Maybe tomorrow I'm doing nothing else but programming. This uncalculated behavior is my way of gooing on with my hobbies and I don't want to change it, just because I'm opening the development to the public - to you.

Please keep in mind, opening the source doesn't automatically provide security. I still could provide a binary containing {Scrap}, but as written, why should I do so. The repository at google contains all scripts for you being able to compile the code by yourself (there is a build.xml in the folder ant).

Feel free to comment.




And now the answers for the individual questions.

Jman5, on 11 September 2013 - 12:20 PM, said:

SjurWarEagle, can you update your first post with the latest version? The one you have there is a few versions old.

done, the label was correct, I didnt know it wouldn't change the link, too...
Now it's correct, thanks for pointing out.

Jman5, on 11 September 2013 - 05:15 PM, said:

Hey, does anyone know if there is a place where the match stats are stored individually? This stuff.

at the moment this data isn't stored individually, but there is already a request of making it available in mechcollect.

Dazc, on 11 September 2013 - 06:02 PM, said:

Apologies if this has been asked but is there a way to report on each weapon vs the distance it hit an enemy mech. Such as I would want to know what distance I tend to engage with certain weapons so that I know whether I am engaging at the correct range. Thanks

As focuspark already wrote, no I cannot do this. But the damage/shot diagram is some indicator of how effective you are. If you are firing the weapons at extreme range, your damage/hit will be less than if you are in optimal range.

focuspark, on 11 September 2013 - 09:54 PM, said:

@OP: app looks good, nicely done. I have one significant problem with your implementation: you ask users to store their username + password in clear text on the harddisk.
This is very dangerous, and unnecessary. You obviously already know how to pass cookies around to emulate a web browser, and since the cookies are valid for a long time there's little need for keeping the username + password pair around. If the cookie expires, ask for the username + password again. Either that, or implement a secure method of storing the pair.

I'll change the way the password is stored in one of the next versions, thanks for reminding me.
When doing this I'll experiment with your idea, this might work, but it only will be an additional way for authentication.
The problem is, if you are using 2 browsers, the session get's invalid. So if you are browsing the forum after refreshing, the session of mechcollect gets killed and it has to reauthentificate.
This would cause a pop-up for logging in very often. But yes, it's an idea worth thinking about.

Edited by SjurWarEagle, 12 September 2013 - 09:56 PM.

[focuspark]

SjurWarEagle, on 12 September 2013 - 08:05 PM, said:

I'll change the way the password is stored in one of the next versions, thanks for reminding me.
When doing this I'll experiment with your idea, this might work, but it only will be an additional way for authentication.
The problem is, if you are using 2 browsers, the session get's invalid. So if you are browsing the forum after refreshing, the session of mechcollect gets killed and it has to reauthentificate.
This would cause a pop-up for logging in very often. But yes, it's an idea worth thinking about.

Completely understood, and I've actually been thinking about how to do this. The best option I've come up with (and some of my ideas have involved complicated keypair solutions) is to have the app keep the password in memory and the username + cookie on disk. So long as a valid cookie exists the app should use it, if there's no valid cookie the app should use the in-memory password if possible, otherwise the app will need to ask the end user for it.

The downside of this model is while surfing the forums, users could be logged out via the app. Having the ability to set the frequency and timing of the logons should help minimize this.

[SjurWarEagle]

But: The moment the app asks for the password, it could virtually do everything, as pointed out.
The only difference would it, that it isn't stored on the disk.

[SjurWarEagle]

There is a new version available at http://sourceforge.n...90.zip/download

This version contains:
1.2
New:
* Battlelog - review your stats of fights long ago
* removed AMS from battle-statistics on right monitor and battelog
* password will be encrypted, if you want to change it, simply enter the new one into the password= line in the config.properties and start the application
Bugfixes:
* removed some bugs when starting with empty database

And here the teaser:

Edited by SjurWarEagle, 15 September 2013 - 11:08 AM.

[Jman5]

You should add that screenshot to the Opening Post. In my opinion that is your biggest seller for this program!

[Jman5]

I think I found a bug. When I have the program running and I open up the mwo forum the program stops recording. I have to close the forums and restart the program to get it going again.

[SjurWarEagle]

Strange, for me it's working fine.
Did you get any messages in the dos-window, did you try to refresh manually?

Oh, or did you start the app after the game started? Then it doesn't get it when the game finishes.

Edited by SjurWarEagle, 16 September 2013 - 09:49 AM.

[Jman5]

SjurWarEagle, on 16 September 2013 - 09:48 AM, said:

Strange, for me it's working fine.
Did you get any messages in the dos-window, did you try to refresh manually?

Oh, or did you start the app after the game started? Then it doesn't get it when the game finishes.

Oh, I think I figured it out. The battlelog is incorrectly putting the games out of order. I think it sometimes screws up AM and PM. Although most of my games are correct. I tried re-clicking the "order by timestamp" button but it does not fix things.

Edited by Jman5, 17 September 2013 - 07:18 AM.

[SjurWarEagle]

Ah, good find, I'll file a bugreport and will have to change it to 24h-display, so ordering works fine.
Every day a new interesting bug

[Jman5]

Got another bug. I wasn't running the program for a day or two and just loaded it up while searching for a game. I clicked the refresh button and it lumped all my previous games into one match. I think this only impacted the battlelog.