
Mainlog.html reveals too much sensitive information


Yekaterina

2 minutes ago, Helicity said:

For me this is the only concern. If someone makes a new account, joins and claims to be of a different skill level to what they actually are, they will mess up the balance. However, I'm totally ok with Stockfish saying: "I change account brb" then coming back as Irland 5 seconds later, as I still know to treat this Irland as Stockfish and balance accordingly.

That's certainly how some would feel. I cannot determine the intentions of GOAT, but it could be an expression of his jealousy towards all players who have beaten him or something.

They put me in the same list as Yekaterina. I played four 1v1 games with her and I won 3 so I think I should be a bit better. Nevertheless, she is a good player and a very good teammate (like Wendy), so I can live with that.

My brother Landau-Lifschitz has not been included in the list. By IP methods, he should have detected activities from my brother and maybe even my father, so it's really shady what GOAT is up to right now.

I won't argue forever. Many sentences in the page and basics example as @guerringuerrin make it crystal clear.

Link to comment

34 minutes ago, Helicity said:

I cannot determine whether GOAT is tracking anyone's IP at all solely from this list, as using mainlog.html does not leave any visible traces. I also don't even know whether he used the same IP tracking method as me at all. There are more sophisticated tools like Wireshark that can trace IPs. However, the chance of him being a host or a frequent player or even a lobby maintainer is high, as the lobby is the way to find players' IPs. He also has to care about the lobby games enough to risk a lawsuit to write and defend such a list.

Finding TimidSmurf cannot be explained by anything else than ip + geoloc (unless there is a 0AD guid/hash based on hardware devices also available in mainlog ?!).

Any sentence written and any game played before sanafur detected it. Again no over-interpretation, @G.O.A.T is snooping you.

Link to comment

14 minutes ago, rm -rf said:

Finding TimidSmurf cannot be explained by anything else than ip + geoloc (unless there is a 0AD guid/hash based on hardware devices also available in mainlog ?!).

He probably also used IP at the same time.

There are other ways. He did mention anonymous reports and his own observations. If he puts data from these sources onto his list then he will end up with funny results like this.

He could also have been looking at habits and patterns. For example Stockfish's 120 women strategy; Vinme's champion cavalry spam and Decger's unstoppable manual boom. Any spec could be GOAT.

It's scary to think that players are secretly reporting you to GOAT behind your back.

Link to comment

On 24/04/2023 at 9:38 PM, rm -rf said:

Finding TimidSmurf cannot be explained by anything else than ip + geoloc (unless there is a 0AD guid/hash based on hardware devices also available in mainlog ?!).

Any sentence written and any game played before sanafur detected it. Again no over-interpretation, @G.O.A.T is snooping you.

Why sanafur? Why do we think it's sanafur?

I can't see a link between sanafur and this GOAT anymore. Maybe you have more advanced methods. But this GOAT is definitely violating privacy

Now thanks to @Helicity nobody has any IP privacy now. Cheating is trivial because you can read enemy chats and see their IP. wow.

What's the next step? Everyone become a smurf investigator?

Link to comment

Is there a way to track IP on the forum? So that we can find out who this GOAT really is and who has been feeding him with troll info. @Stan` I think you should do something about this. It's too easy to locate players once you have their IP and port - violation of privacy.

Now we can just watch which player is from Bangladesh.

He could even be the DDOSer!

No matter who GOAT really is, he will blow his cover one day and he will turn into goat cheese (Fromage de chevre)

Link to comment

45 minutes ago, Yekaterina said:

Why sanafur? Why do we think it's sanafur?

I don't think it's sanafur because he just doesn't act like GOAT at all. We can discuss this further in PM if you want.

I don't know to what extent his list is accurate as I have never met the majority of the players or the accounts that he mentioned.

38 minutes ago, Yekaterina said:

Bangladesh.

The address he gave is fake. It simply doesn't exist, or at least not in Google Map's database. The Sanskrit writing makes it hard to search up the address. So I think he is just a troll and we should ignore him instead of getting emotional or serious about the matter.

Link to comment

You guys are breaking the game completely... and of course, you are breaking the community and the privacy of the players. If someone is mad at this and reports it to the judges, a lot of fun things will start to happen... You all should stop this and start enjoying the game again, like we all did before.

  • Like 1
Link to comment

@Stockfish I see the issue is being resolved. In the next update, you will not see things in the mainlog, so all this drama will be over.

The mainlog privacy bug has always existed but I am probably the first one to report it. The tool I made is no more than a highlighter that just tells you the relevant information that has already been written in mainlog.html (since the majority of the log is autociv hotkey settings and keyboard inputs). There was also a chat extractor that helps to see who said what.

All of the information was already included in the mainlog so for all this time, you could read it quickly and you will know everything that these tools tell you. The actual violation of privacy is mainlog, not any person. When you turn off 0ad, the mainlog file is not automatically overwritten until the next time you run 0ad. So if you use your computer without running 0ad, you can be considered to be keeping a database of IPs, which might be against GDPR. But for the whole time you never noticed.

I can also argue that this is not a violation of GDPR because you cannot see any real life information to identify the individual at that IP address. All I am doing is seeing some random nickname after a random IP address. I still know nothing about who is at this IP address so you are still anonymous.

For example, I can work out:

Stockfish - Spain - 192.168.0.1:25595 (not your actual IP)

But, I don't know who or what Stockfish is. I have gained no information that can help me to identify this individual behind the username "Stockfish". In fact, I cannot even determine the exact location of Stockfish as his public IP could be shared across a zone. Effectively, I cannot distinguish Stockfish from the rest of the population of Spain, so he is still anonymous. Furthermore he could have been using a VPN in which case I'm just writing something completely random about some completely random IP address, so I'm the fool here and the real human behind Stockfish is not violated. The same applies for any other players.

Link to comment
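Since the thread turns on mainlog.html keeping peer addresses on disk and on logs being attached to posts, here is one way to pseudonymise IPv4 addresses in a log before keeping or sharing it. This is an added example, not code from the thread or from 0 A.D.; the sample lines and the names `scrub_ips` and `SAMPLE` are constructed, and the real mainlog.html layout is not shown on this page.

```python
import hashlib
import hmac
import re
import secrets

# Dotted quad with optional :port, not embedded in a longer dotted number.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?!\d|\.\d)")

SAMPLE = (  # constructed lines; the real mainlog.html layout is not assumed
    "<p>client connected from 203.0.113.7:20595</p>\n"
    "<p>client connected from 198.51.100.23:20595</p>\n"
    "<p>lost connection to 203.0.113.7.</p>\n"
    "<p>not addresses: 999.10.10.10 and 1.2.3.4.5</p>\n"
)


def scrub_ips(text, key):
    """Return (scrubbed_text, distinct_address_count).

    Each valid IPv4 address, with its port, becomes a keyed token. One
    address maps to one token under a given key, so join and leave lines
    still correlate. The key matters: IPv4 has only 2**32 values, so an
    unkeyed hash could be reversed by trying every address.
    """
    seen = set()

    def repl(match):
        octets = [int(part) for part in match.group(1).split(".")]
        if any(o > 255 for o in octets):
            return match.group(0)  # out of range, leave untouched
        seen.add(tuple(octets))
        tag = hmac.new(key, bytes(octets), hashlib.sha256).hexdigest()[:8]
        return f"[ip-{tag}]"

    return _IPV4.sub(repl, text), len(seen)


if __name__ == "__main__":
    # Fresh random key per run: tokens from two shared logs cannot be linked.
    scrubbed, count = scrub_ips(SAMPLE, secrets.token_bytes(32))
    print(scrubbed)
    print(f"{count} distinct address(es) replaced")
```

Any four-part dotted number with octets in range is treated as an address, so a four-part version string would be replaced as well; that errs on the side of over-redaction.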

This is the GDPR in the UK, I'm not sure about other countries: https://www.gov.uk/data-protection

@rm -rf

[image attachment]

The first sentences say "by organisations, businesses and government". I am none of these three so I do not fall into the category of entities constrained by this law.

I have no information of the types listed as "sensitive information". The title of the thread refers to information that is important to the gameplay but not real life.

In addition, the types of personal data:

[image attachment]

The information in mainlog cannot identify a person at all.

I have: Stockfish - Spain - IP - <a Spanish city>

Even if everyone in his city stands right in front of me, I still cannot distinguish which individual is THE @Stockfish that I have been playing 0ad with. I don't even know the gender of this player named Stockfish but I use the pronoun "he" for simplicity and convention. The man with a spear on his profile does look like a male to me. Correct me if I am wrong @Stockfish

This goes for any other player who is worried that others can see their personal information.

Link to comment

23 hours ago, Helicity said:

ipextractor.py 891 B · 7 downloads

This is a short script to quickly extract all information related to IP from the endlessly long mainlog.html.

In order to use it, copy this .py file to the directory where your mainlog.html is found. Then run it with Python 3. Windows users can just choose "run with python" or "open in IDLE" then run it there; Linux users can cd here in a terminal and type:

python3 ipextractor.py

It will produce a list of connection activities for the current game session. From this list, you should be able to deduce which IP matches which player.

I don't support making this public ngl @Helicity; making a tool to extract IP addresses (the same problem we are trying to avoid) is somehow wrong. It's like saying "hey, I don't support it but here is the key to it guys, go ahead and extract people's IPs". I get the point and all the awareness you are making, and fortunately it seems a ticket has been opened for it and hopefully we see a fix in future updates. Keep up the good work; the only thing I disagree with here is sharing that script, which somehow seems like giving bad actors the very tool they could use to cause problems (which can be fairly avoided by not sharing it at all). And to be honest, not everyone knew or knows about the IP addresses and other info in the mainlog. We clearly need to expect some increase in DDoS attacks soon; it has been drastically reduced for the past 2 months and started emerging again as far as I've observed - yesterday

  • Like 1
Link to comment

7 hours ago, Stockfish said:

Btw Helicity, be careful with those tools you share here.

The main problem is that many people use this kind of tool nowadays.

I prefer to see this script public and not hidden as the so called darkcity mod shared between a few users.

Link to comment

On 26/04/2023 at 5:45 PM, Obelix said:

fyi #6794

@Stan` @Obelix I frankly don't understand why IPs are shared amongst all players and, even worse, specs included.

As far as I understand the UDP packets, only host should know all IPs.

Then it would be trivial not to connect to host loving snooping if we care about our privacy.

If it helps the community I can write a counter @G.O.A.T's page about people who have proudly & publicly announced they are using geoloc to track you.

Edited by rm -rf
Link to comment

3 hours ago, rm -rf said:

I prefer to see this script public and not hidden as the so called darkcity mod shared between a few users.

On one hand, defcon says not to share it in public to reduce privacy violations. On the other hand you want it to be public so that everyone can assess its impacts. What should I do? Anyone who wants it can PM me.

But don't get your hopes up; it's not some mind-blowing, overpowered hacker program, it's literally just helping you to read what is already in the mainlog. So it's really not necessary. Just skip autociv configs and map generation and you will arrive at the juicy stuff.

3 hours ago, rm -rf said:

If it helps the community I can write a counter @G.O.A.T's page about people who have proudly & publicly announced they are using geoloc to track you.

Please do

In addition I think you can make an ego list. That will be wholesome and without privacy violations.

Link to comment

15 hours ago, rm -rf said:

@Stan` @Obelix I frankly don't understand why IPs are shared amongst all players and, even worse, specs included.

As far as I understand the UDP packets, only host should know all IPs.

Then it would be trivial not to connect to host loving snooping if we care about our privacy.

If it helps the community I can write a counter @G.O.A.T's page about people who have proudly & publicly announced they are using geoloc to track you.

They are not. Only the server has all the IPs because it needs to. Here is an example. All three clients connected to the host, but only the host mainlog contains the three IPs.

Now your issue right now is people are storing the host ip, and all the client ips that connect to them when they host.

Host.html client2.html client1.html

  • Like 1
Link to comment

1 hour ago, Stan` said:

They are not. Only the server has all the IPs because it needs to. Here is an example. All three clients connected to the host, but only the host mainlog contains the three IPs.

Now your issue right now is people are storing the host ip, and all the client ips that connect to them when they host.

Host.html 76 kB · 1 download client2.html 56 kB · 1 download client1.html 51 kB · 2 downloads

@Stan` thanks for this data.

@Helicity please explain the logic used when you broadcast Inlard's ip and geoloc - he was playing and you spectating. Did you basically leverage obsolete data you got previously by hosting a TG he was playing in? Or did you get this data ingame as spec? If so, how, as it shouldn't be via log file as @Stan` just highlighted.

Link to comment

2 hours ago, rm -rf said:

@Helicity please explain the logic used when you broadcast Inlard's ip and geoloc - he was playing and you spectating. Did you basically leverage obsolete data you got previously by hosting a TG he was playing in? Or did you get this data ingame as spec? If so, how, as it shouldn't be via log file as @Stan` just highlighted.

When you connect to a host you should get the host ip and nobody else's; if you are the host you should get everyone that joins your host. More like the host being the captain of a boat: anyone who wants to board will send their boarding tickets (ip) to the captain before the captain (host) allows them into the boat (server/pc). You can't enter the captain's boat without providing a valid ticket, and once you are approved to join the boat you receive a welcoming card (host ip, and nobody else's ip is given out) from the captain. The only problem here is logging into mainlog (which I believe was for devs). So he must have gotten that while he was the host. This is the most common method used in multiplayer games. This is the easiest way I can put this whole ip communication thing, hope it helps!

  • Thanks 1
Link to comment

3 hours ago, rm -rf said:

Did you basically leverage obsolete data you got previously by hosting a TG he was playing in?

Yes. I was hosting, he joined, I saw his IP. As simple as that

Note that Irland is Stockfish but Inlard is someone else, not from Spain

I must also add that I was the host but also spectating my own server... so I had the IP data of all who tried to join my room. Inlard was one of them who entered unsuspectingly.

Link to comment

1 hour ago, Helicity said:

Yes. I was hosting, he joined, I saw his IP. As simple as that

Note that Irland is Stockfish but Inlard is someone else, not from Spain

I must also add that I was the host but also spectating my own server... so I had the IP data of all who tried to join my room. Inlard was one of them who entered unsuspectingly.

What remains unclear here is that a few players have detected second accounts even though they don't host any game.

Would it implicitly mean that the ip database (as you have built @Helicity) is shared amongst several players? Or is there any other exploit of privacy?

Link to comment