helpimnotdrowning.net (eternally unfinished)

  • 1 Post
  • 16 Comments
Joined 1 year ago
cake
Cake day: June 9th, 2023

help-circle
  • yes, it’s mostly things like games or software

    though, I have seen more & more reports of people finding malicious disguised LNK files in their downloads and torrents, which will run some arbitrary command if you open that: Windows does not ever show the LNK extension, so a file could be named “<whatever>.mkv.lnk”, and you would only know if you checked the “file type” column in Explorer (which would read “Shortcut” instead of something like “Matryoshka file”), or when you see the cmd.exe window flicker open and close.

    bonus edit: LNK is the native file extension that Windows uses to link app shortcuts, such as the shortcuts on your desktop.


  • This might also become a hassle since basically all residential connections (likely of OPs friends) have dynamic IPs - if someone wants to join while OP is away, but their IP has changed since their last connection, now they have to wait on OP to update the firewall rules.

    Apart from getting your MSA token stolen, there’s not really much that can get around server login (yet). All online-mode logins pass through Microsoft (part of the reason why Xbox service outages seem to affect Minecraft so much).

    If your friends all individually seem to stay within some certain IP ranges (ex, first handful digits always stay the same, 12.34.56.xx), then I’d say go ahead with whitelisting them fully (ex, 12.34.56.xx --> 12.34.56.0/24, CIDR notation). If they jump around unpredictability, I would stick with the username-based whitelisting and online-mode-only.


  • as long you are only forwarding Minecraft’s 25565 port from your router to your server machine, it should be fine. Just make sure to keep Online mode on, use the whitelist, and get your plugins from trusted sources. Otherwise I wouldn’t worry too much.

    I see others recommending VPN solutions like zerotier for your friends to connect to; I don’t personally feel like this is necessary, and (in my experience), making your friends do more technical setup than just connecting to the server is often a big turn-off.

    Bonus: If you ever take a peek at your server logs while it’s running (and exposed to the Internet, if you avoid said VPN solutions), you might notice a lot of weird connections from IPs and usernames you don’t recognize. These are server scanners and threat scanners that look for vulnerable servers to connect to and exploit. This is normal and you’ll be fine as long as you keep that whitelist and stay up-to-date on developments in the server admin space.




  • TLDR; No

    It hasn’t been necessary in a long time, unless you’re a developer who frequently needs to type in filenames in everywhere (since the command line needs extra protection against spaces and other symbols)

    The OS (Windows, Mac, Android, etc) handles thar all for you so you don’t have to worry about it (unless you happen to use a badly-written program that doesn’t understand spaces, but this is super rare to begin with, and more protected against as time goes on)





  • Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like

    • root/admin
    • unlocked bootloader
    • extensions (either bad extensions or something like an Adblock)
    • VPN (potentially “if you have nothing to hide you have nothing to fear”)
    • installed apps (Adblock via DNS like blokada,
    • device emulation
    • TPM (generate secure key to make sure device is “real”)
    • OS state (heavily modified?, untrusted OS?)

    etc. Basically making sure the “environment” is clean and not tampered with (trusted).

    The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s Safetynet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).

    Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).