Alamak Logo
by Exclamation Inc
PO BOX 361
Clark Fork, ID 83811

The Original Fun & Friendly Web Chat

Alamak Operator Security

Secure Login

A new secure login has been added for Operators which protects your login password from packet snooping during login.

There is a problem if you use a proxy with secure login. By default, the chat server now prevents IP switching and will kick you out if your IP address appears to change.

If your proxy setting for http is different from your https or secure proxy setting, it looks to the chat server as if your IP address changes during login, when the server switches from the secure to the non-secure server.

The solution is to set your https or secure proxy setting the same as your http proxy setting. In most cases people have filled in an http proxy setting but left the https or secure field blank. Don't forget to fill in the port number too!
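The IP-switching check and the proxy mismatch described above, as an added sketch that is not Alamak's server code. The `SessionStore` class, its method names, the nickname and the addresses are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical session table: random session ID -> (nickname, login IP)."""

    def __init__(self, allow_ip_switching=False):
        # The page says IP switching is disallowed by default.
        self.allow_ip_switching = allow_ip_switching
        self._sessions = {}

    def login(self, nickname, client_ip):
        # 128 bits from the OS CSPRNG, so the ID cannot be guessed.
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = (nickname, client_ip)
        return session_id

    def check(self, session_id, client_ip):
        """Return the nickname for an accepted request, or None if refused."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None  # unknown or already-kicked session
        nickname, login_ip = entry
        if not self.allow_ip_switching and client_ip != login_ip:
            # Address changed mid-session: drop the session (the "kick").
            del self._sessions[session_id]
            return None
        return nickname


def proxy_scenario(http_proxy_ip, https_proxy_ip):
    """Log in through the https proxy, then chat through the http proxy."""
    store = SessionStore()
    sid = store.login("op_alice", https_proxy_ip)  # secure login page
    first = store.check(sid, http_proxy_ip)        # first non-secure chat page
    second = store.check(sid, https_proxy_ip)      # retry from the login address
    return first, second


if __name__ == "__main__":
    # Constructed documentation addresses (RFC 5737), not Alamak hosts.
    print(proxy_scenario("192.0.2.10", "192.0.2.10"))    # same proxy for both
    print(proxy_scenario("192.0.2.10", "198.51.100.7"))  # different proxies
```

With different proxies the first chat request is refused and the session is gone, so going back to the login address does not help; the user has to log in again.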

Server SG uses a self-signed certificate which must be changed once a month.

You must accept this certificate to use the secure pages on alamak.com.sg.

If you accept the cert "until it expires", then once it expires and we rotate it you will get some kind of connection error when you try to access the secure server there again.

The solution: go to your web browser's security section, look for web site certificates, find any that say alamak and delete them. Then try again to access the secure server and accept the new certificate.

Security notice with secure login?

This is normal. When you are on a secure page and leave to a non-secure page, you get a popup warning. Just click okay. The secure login is set up properly to use the secure server when transmitting password information. After the first page it switches to the non-secure, unencrypted page to save processing time.

Secure servers use a lot of CPU time, and the chat would be incredibly slow if we ran the whole chat through secure encryption.

New Double Password System

On 11/16/98 we shifted to a DOUBLE PASSWORD SYSTEM to reduce cases of account hacking and save everyone time and money!

Every OP account now has two passwords, a [login password] and a [permanent password].

The login password is used to log in to all of Alamak's servers and services. The permanent password is only used to change the login password. If some unauthorized person manages to get your login password, they will still be unable to reset your permanent password. If this happens, you can use your permanent password to change your login password and thus lock the unauthorized person out of your account.
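The split between the two passwords, as an added example that is not Alamak's implementation. The `OpAccount` class, the PBKDF2 hashing and the sample passwords are assumptions; the page does not say how passwords are stored.

```python
import hashlib
import hmac
import os


def _derive(password, salt):
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class OpAccount:
    """Hypothetical Op account with two independently salted password hashes."""

    def __init__(self, login_password, permanent_password):
        self._login = self._store(login_password)
        self._permanent = self._store(permanent_password)

    @staticmethod
    def _store(password):
        salt = os.urandom(16)
        return salt, _derive(password, salt)

    @staticmethod
    def _matches(stored, candidate):
        salt, digest = stored
        return hmac.compare_digest(digest, _derive(candidate, salt))

    def login(self, password):
        # Only the login password opens a session; the permanent one never does.
        return self._matches(self._login, password)

    def change_login_password(self, permanent_password, new_login_password):
        # The permanent password is the only credential accepted here.
        if not self._matches(self._permanent, permanent_password):
            return False
        self._login = self._store(new_login_password)
        return True


def takeover_scenario():
    """Constructed walk-through: the login password leaks, the owner recovers."""
    acct = OpAccount("login-pw-1", "permanent-pw-1")
    stolen = "login-pw-1"
    intruder_in = acct.login(stolen)
    intruder_rotates = acct.change_login_password(stolen, "intruder-pw")
    owner_rotates = acct.change_login_password("permanent-pw-1", "login-pw-2")
    intruder_still_in = acct.login(stolen)
    owner_in = acct.login("login-pw-2")
    return intruder_in, intruder_rotates, owner_rotates, intruder_still_in, owner_in
```

The scheme only helps if the permanent password is never typed anywhere the login password is, which is why `login()` refuses it.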

If you have a problem changing your password with the Secure Change Password Form or the Non-Secure Change Password Form, you can use the appropriate section of the Contact Us Page to request that we reset your passwords.

Ops Password Security

These are some short notes on protecting your Alamak account and password, as well as some notes on chat hacking and flooding.

DO NOT give your password out by Email, CMAIL or ON THE CHAT to anyone.

If our staff needs to verify account information, they will not need your password to confirm ownership. If ownership is confirmed, the staff will set and give you a new password if needed! You may supply your old password on the Contact Us Page to help verify account ownership.

There are many people who set up FALSE LOGIN PAGES, FALSE EMAIL ACCOUNTS, FALSE STAFF NICKNAMES, or will PROMISE YOU WONDERFUL THINGS if you give them your password. The only thing you will get is a hacked account, and it could take a couple of days before real Staff can fix it. Additionally, the abuser is most likely to get your account suspended by harassing the admin.

The only places you should type your password are on the following machines and subnets. Look closely at the URL at the top of your browser when you type your password and make sure it's really Alamak / Exclamation Inc!

Emails
@alamak.com.sg ( this is the only one used now )
@www.alamak.com

Web Servers
www.alamak.com / alamak.com
alamak.com.sg / alamak.com.sg
shiok.alamak.com / chat.alamak.com
www5.alamak.com
cyan.alamak.net
chat.alamak.net

Network Addresses
207.66.195.2
207.66.195.4
207.66.195.5
204.201.132.101
204.201.132.102
203.116.3.14
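The "look closely at the URL" check above, written out as an added example that is not Alamak code. It compares the URL's host for an exact match against the Web Servers list; the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Host names copied from the "Web Servers" list above.
ALAMAK_HOSTS = {
    "www.alamak.com", "alamak.com", "alamak.com.sg",
    "shiok.alamak.com", "chat.alamak.com", "www5.alamak.com",
    "cyan.alamak.net", "chat.alamak.net",
}


def is_alamak_url(url):
    """True only if the URL's host is exactly one of the listed servers."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any user:pass@ prefix and the :port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or host is None:
        return False
    # Exact match after normalising case and a trailing dot. No substring or
    # suffix tests: a look-alike name only has to contain "alamak".
    return host.lower().rstrip(".") in ALAMAK_HOSTS


def classify(urls):
    """Map each URL to True (listed server) or False (do not type a password)."""
    return {url: is_alamak_url(url) for url in urls}


if __name__ == "__main__":
    # Constructed samples; the non-Alamak hosts use the reserved .example TLD.
    samples = [
        "https://alamak.com.sg/secure",
        "http://chat.alamak.com:8080/login",
        "http://alamak.com.login.example/ops",
        "http://www.alamak.com@login.example/",
    ]
    for url, ok in classify(samples).items():
        print("OK  " if ok else "STOP", url)
```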

Don't Reveal the Session ID

The chat is designed so that there is a random session id created when you first login to the chat. This session id is how the chat knows who you are. It is impossible for anyone to guess the session id, but if you reveal it then someone could take over your chat session.

Normally you would never know if a person takes over your session unless they speak in public or change rooms. Meanwhile they can sit there reading all your private messages, your /mail and your conversation if you are in a private room.

The best advice is to not do anything not normally intended by the chat program. If you are just clicking on links and submitting forms you will always be safe. If you start picking the source code and pasting it to other users, then you have to expect something is going to happen and only you are responsible for the results.

Worse, the person may abuse and get your account suspended or removed.

While we will try to fix account passwords as soon as possible, it is caused by user error and we are not responsible. Also, while we are short on staff it may take a while for us to correct hacked accounts. Please see the Contact Us Page.

Alamak Security

There are a couple of ftp directories for users here, and some hackers think they have stumbled on a real treat when they find the etc directory with what they think is a password file. This file is not a system password file and is only used by the ftp daemon to recognize user and group IDs. It is not a security hole.

All our servers are protected by a double firewall, and password transfers are either by an internal local area network or PGP encryption. We do not reveal users' passwords, and the only way to be hacked is by user error as described above or by sharing your password.

Some rudimentary flood control has been added to the server.

A list of open proxy IPs and blocking of these IPs has been added to the server.

IP switching is disallowed by default to prevent session ID hacking.

A secure login has been added to the chat to prevent password detection by packet sniffing.

A double password system has been added. Ops use their regular password to log in. If this gets hacked, Ops can use the secure change password page or the change password page and their permanent password to change their login password. The only place the permanent password is used is to change the login password.

Office administration forms for Operator accounts have had several layers of security added to prevent access by un-authorized persons and no longer display passwords of accounts in the account modification fields. Passwords can be changed by the office but not viewed by this method.
