Rosio Pavoris a blog

Re: the issue with Muffins! passwords travelling over the network in plaintext: this has been fixed.
The solution involves a nonce, client-side MD5 hashing, and lots of stolen Javascript.

And through the magic of graceful degradation, it will automatically fall back on the old system for people who disabled Javascript. It will also warn these people they should fucking turn on Javascript, because nonces aren’t much fun to implement and if they’re not going to take advantage of them they should go play some other game.

Anyway, the upshot of this is that passwords no longer travel over the network in plaintext (except during registration, which I’m very probably not going to do anything about), so if they get guessed, it’s seriously not my fault.

(Next up, the bruteforce thing. Which is pretty straight-forward: failed log-in attempts are logged, and before it logs you in it checks if there are fewer than, say, three failed attempts in the past fifteen minutes from your IP. If not, it won’t log you in. Shouldn’t bother legitimate users (if it didn’t check IPs malicious users could use it as a denial-of-service attack on users; I guess they sometimes still can through the magic of braindead ISPs), but it makes bruteforce and dictionary attacks completely unfeasible, even for people with very dynamic IPs.
It’ll have to wait until tomorrow, though.)

(Long post! You probably won’t think this is very interesting unless you play Muffins! and have a passing interest in cryptography and/or network security.)

When I started working on Muffins! over two years ago, I was a Japanese language student with no experience in programming or security whatsoever. I had heard about things like packet sniffing, though, and had a vague idea how the internets worked, but my ability to design a log-in system was limited by my ignorance of both PHP and of the possible vectors for attack.
Consequently, when Muffins! was just a blank page with a note saying “Imagine there’s a map here!”, the authentication mechanism sucked. Passwords were stored as unsalted MD5 hashes, and logging in sent your username and password in plaintext to the server, where the password was hashed and compared to the stored hash for your username. The server would then set a cookie with two fields: one for your user ID, and one for your password hash.
With every pageload, the server would look at your cookie and compare it to the contents of the database. If there was something wrong, it’d destroy your cookie and kick you to the log-in page, and that was that.

Read the rest of this entry »

Muffins is back. Seemed right, since it’s two years ago today that it first went online.
Everyone’s been deleted, because I felt like deleting everyone. Development is expected to resume, though probably at a slower pace than two years ago. The only thing changed so far is that accounts are no longer deleted after two months of inactivity.

I took SWBHG down, and it’ll stay down. For “undisclosed vulnerabilities”, is all I’ll say.

(By which I mean, a retarded chimpanzee could code a more secure application.
At least we won’t be going over our allotted webspace as quickly in the future.)

I added a quotefile, because I know people wanted that.

This is very much worth reading. It’s kind of long, but it’s an important point.

Also, apparently a disproportional number of people are finding this blog while googling for a Muffins! auto-adventure script. This would be what you’re looking for. It’s not incredibly well-written, and parts of it may not work anymore, but it’s adequate.

People tell me temperatures here have dropped by 15° (Celsius, not the Fahrenheit) in the past week. They’re still mostly above freezing, but still. Here are some penguins to celebrate.

We had fondue, finally. My dad wished me a happy birthday, but we always have fondue on Christmas Eve, so they still owe me my birthday fondue, really.
Fondue Bourguignonne, that is.

Then we opened presents. My sister wasn’t here for it, but I doubt anyone minded. I got a hat and a stuffed rat. I asked for a cat.
Oh, and monies. Not too many, but more gifts tomorrow, when my aunt comes to visit.

This amuses me.

I implemented some Christmas content in Muffins. Seven new items. I guess it’s better than last year’s rock.

I created a Best Of page. If there are posts you’d like to see on there (or if there are posts on there you don’t think should be), do tell.

Tween sloth.

I dislike writing assembly, especially on paper. Still finished test first, and I’m wiling to bet I was the only one who produced a working program.

Muffins is a year old today. It’s been dead for half of that, but still. I guess everything gets old if you wait long enough.
Anniversary code is working, AFAICT.

Also, midterm elections tomorrow. If you’re in a position to vote, do so.
If Santorum still has a job after this, I’m going to punch a random passer-by.

Also, yes, Saddam Hussein was sentenced to death. If you don’t have a problem with that, you’re probably a hypocrite.
Civilised countries should condemn the US for handing him over to Iraq. Europe has exceptions in its extradition treaties for countries that practice the death penalty. The fact that the US practices it itself doesn’t mean we should be okay with it.
He should’ve been tried before an international court. That’s what they’re for.

Remember this guy?
He changed his IP and made two new accounts, which is fine if you’re not going to bother anyone anymore, but then he managed to get one of those accounts disabled before I even realised it was the same person. Guess what happened.

Yup.

Note that last account. Again. Parents need to watch their kids more closely.
He also needs to get over the idea that we’re trying to be like KoL. Does he think he’s hurting my feelings by pointing out I’m not Jick?

Funny part is, shit like this isn’t even the reason Muffins is no longer in development.

One of our admins is Jewish and a girl. The other is black, asian, emo, and quite possibly a furry. I think “faggot” is maybe the only slur that doesn’t apply to any of us.
So why does it get thrown around so much?

Either way, Terru got to disable four accounts and I got to ban another IP. Great fun.

Edit: Oh, obviously. It’s amazing how many people suddenly have horrible friends when they get banned. Before you feel too sorry for him, though: hah.

(I agree with him as far as the badgers go, BTW. Which is why the reference to it points out it’s a tired pop culture reference. It’s been in the game since last November. This June, KoL implemented the astral badger.)

Northlands finally rolled out. The adventure areas could do with some more content, but that can easily be added later.

I need a nap.

I’m actually getting fair amounts of work done on Muffins. This is the first time in ages I’ve actually enjoyed working on content. I’m reasonably happy with most of the new content, though still vaguely stuck on some bits.

Heat is kind of making my drawerings suck, though.

Not a lot has been going on, as usual, but I haven’t updated properly in months, so the not a lot adds up to a fair bit. Let’s see.

My grandfather’s still in the hospital. Haven’t seen him in ages, but I hear he’s doing well. I guess he just likes it there.

Both my sister and my mom are done with exams now, so I expect a lot less peace and quiet from now on.
My sister already almost managed to throttle our bandwidth by going half a gig over the download limit, but I changed our internet provider plan thing to be less restrictive. I like knowing my parents’ passwords.
They didn’t freak out about when I told them, which vaguely surprised me. Maybe they didn’t know what I was talking about. Either way, monthly fees are the same.

Climate-wise, temperatures are more sane. Still vaguely too hot, but nothing pantslessness won’t solve.

Online drama-wise, I stopped going to #radio-kol because it’s gone to shit and complaints have pretty much been dismissed with “I don’t have a problem with it, therefore there is no problem; suck it up and deal, because clearly you’re just being childish”. Maintaining that the problem isn’t worth addressing when two people who have been regulars for, what, a year and a half now, think it’s serious enough to just leave entirely is a bit retarded. Just a tiny bit.
But yeah, that discussion is essentially over anyway.

Muffins is still up, though I haven’t updated in ages. Despite a fairly huge flood of new registrations a while ago, multi abuse is next to non-existant, which is good.
I guess I really should work on new content. I’m perfectly happy working on code, but thinking of, drawing, and writing new adventures and puzzles and whatnot is meh. The northlands have been on the verge of rolling out for a while now. They mostly need more adventures.

KoL-wise, I’m finishing up my HCO runs before NS 13. Just one more after this. Dunno if I’ll make it, but meh. Moving slowly, but not as slow as all that, really.
Also playing Cawd’s account for a few runs. Doing a lot better than I was on my own at that point. Technically the current run is the last one I’m supposed to do on his account, but I’m not sure he’ll be willing to pick it up again afterwards. I don’t mind either way.

Education-wise, I’m still trying to decide what to do next year. It looks like I’ll be sticking with the KUL, and doing something Computer Sciencey. A lot of the things that bothered me about the PHL don’t exist at the KUL (most importantly the fact that the PHL isn’t within walking distance of a train station, and the amateuristic approach to technology (“WI-FI means the antenna is built in.”), and the near uselessness of the diploma), but the KUL curriculum has some problems of its own (mainly the math bit — I like math in the “solve general problems using your extensive knowledge base and pure logic” sense, not so much in the “know these theorems by heart and be able to recite them hopping on one foot while writing with the pen shoved up your nose” one; granted, I have no idea what college-level math looks like).
Right now, the choice is basically between the Faculty of Science and the Faculty of Engineering. Engineering has less math but more bullshit.
I’ll probably end up flipping a coin for it, but right now, I’m leaning towards Science.

Finally, you know how someone can make you explode with joy just by existing? I didn’t, but I do now.
And I don’t mean that as a euphemysm for ejaculation, though she does that too.

tl;dr, I know. Sorry. :P
I should update more often.

Bandwidth use for May was more sane than April. Not that much more than March, even.

To compare, Muffins used 5.63 GB in March, and 8.13 GB in April.
The lack of new content is mostly responsible, I would guess. Personally, I’d have thought a lot fewer people would still be playing.

Anyway, as a side note, I’d like to know what people are using to read this blog. Are you just using a web browser and checking back every couple of days? Are you using the Livejournal syndication thing Haplo made? Are you using the WordPress RSS feed, and if you are, what program are you using to view it?

The thing about Muffins and new content there, I think, is partially that I lost the habit of working on the game every day after the nubflood, because I spent so much time going through transfer logs then, but also that because a lot more people are playing now, I hold new content to much higher standards.
I would say I want things to be as good as KoL, but between the Observatory and the new booze, I think my idea of KoL’s quality is way too idealised.

Anyway. I think I’m just going to care less about funny and more about game mechanics. I’ll add funny if I happen to come across something that works, but mostly I’m going to go for fun without trying too hard.
I’ve been saying Muffins is a spade’s game, but really, it’s a moron’s playground. Real spades would be, and have been, bored into quitting within days.

I don’t update this enough. This is because I have nothing interesting to say.
Still at home, doing nothing much besides working on Muffins. Lots of new content recently. Not getting any donations anymore, and new registrations are still low. *shrug*

In other news, I love Mai.
Maybe that’s not exactly new, but it’s still true.

Calling people by their real name on the internet. I mean, yes, it shows to other people who are listening in on the conversation that you’re close enough to that person that they’ve told you their real name (or that you’re an effective enough stalker that you found out on your own), but given a choice between calling someone by the name they were given and the name they chose for themselves (and thus, presumably, like better), why would you go for their real name?
That being said, I don’t particularly care about what people call me. It annoys me when nubs who never knew me as Xarn call me Xarn, and it annoys me when morons call me anything at all, but on the Koen/Cairnarvon thing, I don’t give a fuck. Just struck me as odd, is all.

Anyway.
I think I need to advertise Muffins more. Registrations are down quite dramatically, oddly since I rolled out the rabbit hole. Probably a coincidence.
Meh. I guess it buys us some time until we need to go dedicated.

Mai’s coming back from Greece today. Hope she didn’t die.

I should’ve spent this week catching up on sleep, but I didn’t. Instead, I played We Love Katamari and spent more time working on Muffins than I really intended to. Which is a good thing, I suppose.
We’re starting to get donations (and a fair number of them, too), and while I can’t do anything about lag, I can at least do something about the lack of content. I’ve implemented two new companions, the puppy and the dog. Puppy is a donation companion, dog is what it turns into at level 25. Five people have donated for one so far, which is pretty insane. $140 in total in donations so far (all in Mr As, though).

Managed to postpone the university-related annoyance until Monday, at least.

Not much happening anywhere, lately.

Nub flood in #radio-kol a bit ago, which wasn’t nearly as bad as the White Wednesday one. Notably highlights: PVA getting kicked for being a dipshit, PVA bitching about #radio-kol on the radio, PVA creating his own channel, KMD being unable to believe PVA was being a dipshit, Ashallond doing the resigned-but-bitter thing. *shrug*

Implemented a clan stash in Muffins yesterday, because P4UL wanted one. Took a while to get it to work, because coding drunk is painful. Shouldn’t be anything exploitable in it, though. Ricket hasn’t managed to break it yet, but I blame that on the horrible, horrible lag we were having last night. Not sure why. Not our fault, at least. Nobody online on SWBHG, two people on Muffins.

Completed a 9-day hardcore run in KoL today. I’m rather pleased with that, though starting on a Moxie day with canned air and having Crimbo town open for the entire duration of the run doesn’t really count as “regular circumstances”, I guess. I was level 7 on the first day. Now I’m doing a Pastamancer teetotaller run, and I’m level 4 on the first day. Oh well.
Still a week ahead of schedule.

Oh, PhilANThropiSt kicked inari out of the Purple Turtle yesterday, because I asked him to. She claims it doesn’t bother her, of course.
Also had to break the heart of one of her lapdogs. That was fun.

So yeah.

‘nother month done, apparently. No big detailed post about bandwidth use. Let’s just leave it at this: SWBHG used 1.18 GB, but Muffins is definitely catching up, with 1.10 GB.
So yeah. Muffins is pretty popular, despite only being a quarter of a game.

Got my Eurostar tickets this morning, which is awesome. Now I just have to exchange monies, which I’ll probably do next week. Well, which I should do next week at the latest, I guess.

Boo. >.>

Great progress in Muffins. Added another layer of security to the login thing, and made it better in general. This made it so people couldn’t log in for half an hour, but nobody was trying, I don’t think.

Added a bunch of new mechanics today (including stat boosts from items), as well as some new content. New store and two new zones, very heavy on TMBG references.
I wonder how many people will get them. >.>