New FFH2 PBEM?

[Ellimist]

Hi guys, it's been 45 hours: Soon to be 48. Ultimatums were given to Northstar earlier nonwithstanding. Do I have the group's permission to crack Northstar's password and give it to Old Lion?

I have no objection.

[Kragroth]

Hi guys, it's been 45 hours: Soon to be 48. Ultimatums were given to Northstar earlier nonwithstanding. Do I have the group's permission to crack Northstar's password and give it to Old Lion?

I have no objection.

Cracked password has been sent to Old Lion along with the earlier played save (again).

[Northstar1989]

Hi guys, it's been 45 hours: Soon to be 48. Ultimatums were given to Northstar earlier nonwithstanding. Do I have the group's permission to crack Northstar's password and give it to Old Lion?

I have no objection.

Cracked password has been sent to Old Lion along with the earlier played save (again).

You had NO RIGHT.

YOU sent me the save too late on wednesday. My internet was down last night. These things happen. You didn't crack Tasunke's password when he literally disappeared off the grid for a much longer period of time.

[Northstar1989]

Guys,

I'd been waiting for the turn for a while. It was stuck with other players. Then, after you guys collectively held up the save for a considerable time (approximately 48 hours since I last sent it- the same length of time I later had the save myself...) Kragroth sent it to me late on Wednesday night (too late for me to play). Then my internet went down last night. Then, without my permission, Kragroth cracked my password and sent the save to Old Lion.

You need to delete any copy of the save you originally received from Kragroth- both from your computer and e-mail. All players must delete any copy of the save which includes that password. I use that password for other purposes as well, and it *MUST* not remain on any of your e-mails or hard-drives.

Create an ALTERNATIVE branch of the save under a DIFFERENT password if you must, but ALL traces of THAT password have to go for security reasons. I'm NOT kidding about this. If any of you knowingly retain any copy or trace of that password I will seriously be left with no other option than to take legal action. Stealing somebody's personal passwords is considered hacking and a crime, and can be legally prosecuted- and this is what you will be doing if you refuse to delete all traces of that password.


It was wrong for Kragroth to crack that password, and blatantly hypocritical considering he did no such thing to Tasunke when he disappeared for a longer period of time... Technically, since I started this PBEM, if anyone were in charge of it that would be me- so he had no authority to issue ultimatums about cracking my password, and no right to do it either.


Regards,
Northstar

[Ellimist]

You were asked to make a password available to someone.

EDIT:

md5 hashes of pbem passwords are literally encoded into every save file. With the speed that Kragoth solved it, I suspect he either found a collision(not the real password) or else the chosen password wasn't as secure as you think.

[Northstar1989]

You were asked to make a password available to someone.

Does not matter. I was under no compulsion to comply. I was busy and didn't have time to change the password on the save and share a new one yet, and was indecisive about doing so anyways.

Kragroth had no right to crack my password. I started this PBEM, not him. His ultimatum became invalid thanks to Tasunke's going AWOL and messing up the week he was supposed to be monitoring. And most of all, stealing a personal password is a crime- he had no idea what else I might use that password for, which is why doing something like that is illegal.

Delete any copies of that password you might have. Delete any files you might have that could allow you to recreate it (this includes previous saves of this PBEM before the password was cracked- now that I know you guys can't be trusted with this password I will be changing it to something else.) Create an alternative branch under a different password of your own choosing (and delete the ones using the original password if you must)- but no traces of THAT password may remain on your computers...

I'm serious. Kragroth committed a crime. It's illegal to steal personal passwords for ANY reason even in situations like this unless you are a law enforcement agent- for *precisely* this reason, you don't know what else that person may have used that password for... Just because it's been done before here does not mean it was legal. I cannot allow traces of this password to remain that may compromise private information- and will take legal action if necessary if these instructions are not complied with.


You lose absolutely nothing by doing what I have instructed. You can easily create an alternative password for my turn of your own from the cracked save (and then delete the cracked save). I will be sending around a new save with a new password momentarily tonight (and am considering sharing it with Old Lion- as I was probably already going to do *before* you guys cracked my password once I found the time to choose a new password...) The only thing deleting that password and all traces of it does is protect my identity- and protect you from legal action you might otherwise force me to take to protect it.


Regards,
Northstar

[Northstar1989]

EDIT:

md5 hashes of pbem passwords are literally encoded into every save file. With the speed that Kragoth solved it, I suspect he either found a collision(not the real password) or else the chosen password wasn't as secure as you think.

You've just given me reason to never, ever trust you guys with any password I use for *anything* else ever again...


Delete all traces of the previous password (including prior PBEM's to the password-cracking) as soon as possible. Create a new password from the cracked save first if you must.


Regards,
Northstar

[Qgqqqqq]

Yeah, civ4 saves are not secure. You really shouldn't use any important password for one of these games.

That being said, it is probable that the actual password wasn't found, but instead a similar collision. So don't be too worried about the whole thing - IIUC, it won't work for almost anything else.

[Ellimist]

Does not matter. I was under no compulsion to comply. I was busy and didn't have time to change the password on the save and share a new one yet, and was indecisive about doing so anyways.

And we were under no compulsion to keep waiting for you. You disappeared for 48+ hours, after recently disappearing for most of a day. Kragoth waited through two of your assigned windows and there was no turn movement and no notification.

You keep denying that you've been responsible for the abysmal turn pace this game has had so far, but I've monitored the tracker account from even before the tracker webpage was operational. You aren't the only contributor to the awful pace, but you've been the worst one. In my experience, it tends to be contagious. Once one player stops being considerate of PYFT, it gradually spreads to others. Now that the webpage is up, it's easier for everyone to monitor and nothing has changed.

Delete any copies of that password you might have. Delete any files you might have that could allow you to recreate it (this includes previous saves of this PBEM before the password was cracked- now that I know you guys can't be trusted with this password I will be changing it to something else.) Create an alternative branch under a different password of your own choosing (and delete the ones using the original password if you must)- but no traces of THAT password may remain on your computers...

If you're being serious, you need to just change that password on whatever super-important things you are using it for. You have zero ability to determine whether copies of it still exist somewhere. There's just no realistic way to determine the veracity if any of us claim we've deleted it. You shouldn't have used such an important password for a pbem in the first place, it's quite common for people to share their passwords after the game so that others can see the "other side" of whatever action was happening.

I understand you're upset about this, but we're talking about unsalted md5 hashes. Even if legal threats were sufficient to motivate me, you would have zero ability to verify deletion. So just change it.

[Bobchillingworth]

North, if you're actually interested in being security conscious you shouldn't be using the same password for multiple accounts, especially for anything important. If you're worried that someone might use your super-duper secret password to haxor your accounts on other forums, trust me when I say that absolutely nobody cares that much about you.


Please refrain from threatening to sue your fellow forum-goers.