Alamak Operator Security
 Secure Login
A new secure login has been added for Operators which protects your
login password from packet snooping during login.
There is a problem if you use proxy with secure login. The chat server
now by default prevents IP switching and will kick you out if it seems
you change IP address.
If you have a proxy setting for http which is different from the
https or secure proxy setting, it look to the chat server
like your IP address changes during login as the server switches from
secure to non-secure server.
Solution is to set your https or secure proxy setting the same as your
http proxy setting. Most cases people have put a http proxy setting but
left the https or secure field blank, dont' forget to fill in the port
number too!
Server SG uses a self signed certificate which must be changed once a month.
You must accept this certificate to use the secure pages on alamak.com.sg.
If you accept the cert "until it expires" then it does expire and we rotate it,
you will get some kind of connection error when you try to access the secure server
there again.
The solution, go under your web browser security section, look for web site certificates,
find any that say alamak and delete them. Then try again to access the secure
server and accept the new certificate.
Security notice with secure login?
This is normal, when you are on a secure page and leave to a non-secure page
you get a popup warning. Just click okay. The secure login is setup properly
to use the secure server when transmitting password information. After the first
page it switches to the non-secure un-encrypted page to save processing time.
Secure servers use alot of cpu time and the chat would be incredibly slow we ran
the whole chat through a secure encryption.
New Double Password System
On 11/16/98 we shifted to a DOUBLE PASSWORD SYSTEM to reduce cases of
account hacking and save everyone time and money!
Every OP account now has two passwords, a [login password] and a [permenant password].
The login password is used to login to all of Alamak servers and services. The
permanent password is only used to change the login password. If some unauthorized
person manages to get your login password they will still be unable to reset your
permanent password. If this happens you can use your permanent password to change
login password and thus lock the unauthorized person out of your account.
If you have problem changing your password with the
Secure Change Password Form
or the
Non-Secure Change Password Form,
you can use the appropriate section of the Contact Us Page
to request that we reset your passwords.
Ops Password Security
These is some short notes on protecting your Alamak account and password as well as some
notes on chat hacking and flooding.
DO NOT give your password out by Email, CMAIL or ON THE CHAT to anyone.
If our staff needs to verify account information they will not need
your password to confirm ownership. If ownership is confirmed the
staff will set and give you a new password if needed! You may supply old
password on the Contact Us Page to
help verify account ownership.
There are many people who setup FALSE LOGIN PAGES, FALSE EMAIL ACCOUNTS,
FALSE STAFF NICKNAMES, or will PROMISE YOU WONDERFULL THINGS if you give them your
password. The only thing you will get is a hacked account and it could take a
couple of days before real Staff can fix it. Additionally, the abuser is most
likely to get your account suspended by harrassing the admin.
The only places you should type your password are on the following
machines and subnets. Look closely at the URL at the top of your browser
when you type your password and make sure it's really Alamak / Exclamation Inc!
Emails
@alamak.com.sg ( this is the only one used now )
@www.alamak.com
Web Servers
www.alamak.com / alamak.com
alamak.com.sg / alamak.com.sg
shiok.alamak.com / chat.alamak.com
www5.alamak.com
cyan.alamak.net
chat.alamak.net
Network Addresses
207.66.195.2
207.66.195.4
207.66.195.5
204.201.132.101
204.201.132.102
203.116.3.14
Don't Reveal the Session ID
The chat is designed so that there is a random session id created when you
first login to the chat. This session id is how the chat knows who you are.
It is impossible for anyone to guess the session id, but if you reveal it then
someone could take over your chat session.
Normally you would never know if a person takes over your session unless they speak in public
or change rooms. Meanwhile they can sit there reading all your privates messages, your /mail
and your conversation if you are in a private room.
The best advice is to not do anything not normally intended by the chat program. If you are
just clicking on links and submitting forms you will always be safe. If you start picking
the source code and pasting it to other users, then you have to expect something is going
to happen and only you are responsible for the results.
Worse, the person may abuse and get your account suspended or removed.
While we will try to fix account passwords as soon as possible, it is caused by user error
and we are not responsible. Also, while we are short on staff it may take awhile for us to
correct hacked accounts. Please see the Contact Us Page.
Alamak Security
There are a couple ftp directories for users here and some hackers think they have
stumbled on a real treat when the find the etc directory with what they think is a
password file. This file is not a system password file and is only used by the ftp daemon
to recognize user and group id's. It is not a security hole.
All our servers are protected by a double firewall and password transfers are either by a
internal local area network or pgp encryption. We do not reveal users passwords and the
only way to be hacked is by user error as described above or by sharing your password.
Some rudimentary flood control has been added to the server.
A list of open proxy IP's and blocking of these IP's has been added to the
server.
IP switching is disallowed by default to prevent session ID hacking.
A secure login has been added to the chat to prevent password detection by
packet sniffing.
A double password system has been added. Ops use theor regular password to
login, if this gets hacked, Ops can use the
secure change password page or the
change password page
and their permanent password to change their login password. The only place the
permanent password is used, is to change the login password.
Office administration forms for Operator accounts have had several layers of
security added to prevent access by un-authorized persons and no longer display
passwords of accounts in the account modification fields. Passwords can be changed
by the office but not viewed by this method.
| 
