I think it may be a good idea to release a compatible patch for this and the other updates in the current Test Patch with the new translation texts that you mention.
Removal of WEB password and GAME password
Hello LFS Racers,
As part of the ongoing security updates, We have made a change which is significant in a way while not technically a big change.
The WEB password is now called simply "password" and you can no longer manually set a GAME password.
The GAME password is now called "unlock code" and is set automatically and sent to you in an email when you click a link on your details page.
In the next few days we will start passing through and zeroing any old GAME passwords that have not been updated for the new system.
As part of the ongoing security updates, We have made a change which is significant in a way while not technically a big change.
The WEB password is now called simply "password" and you can no longer manually set a GAME password.
The GAME password is now called "unlock code" and is set automatically and sent to you in an email when you click a link on your details page.
In the next few days we will start passing through and zeroing any old GAME passwords that have not been updated for the new system.
Last edited by Scawen, .
Further update:
I did repeat the operation for demo racers as well. So, just like licensed racers, all demo racers on the hacker list got an email and their passwords were removed if a match was found. It seemed the right thing to do for their security.
On the continuing security improvements:
- email address can now be changed by two possible methods
1) receive a confirmation email on your old email address and proceed instantly
2) wait 7 days to proceed if you cannot access your old email
[after each of these, the new email address must also be confirmed, as before]
- immediate logout on all browsers when WEB password is reset
- must wait half an hour after 3 failed unlock attempts
I did repeat the operation for demo racers as well. So, just like licensed racers, all demo racers on the hacker list got an email and their passwords were removed if a match was found. It seemed the right thing to do for their security.
On the continuing security improvements:
- email address can now be changed by two possible methods
1) receive a confirmation email on your old email address and proceed instantly
2) wait 7 days to proceed if you cannot access your old email
[after each of these, the new email address must also be confirmed, as before]
- immediate logout on all browsers when WEB password is reset
- must wait half an hour after 3 failed unlock attempts
Turns out this user did a fraudulent payment to obtain their license and the free voucher.
Another update, I've worked all day and evening and finally could take action after enough data processing and testing.
Using an automated script, I have sent an email to all licensed users whose usernames appear in the file.
If they don't have matching passwords, the email is just an advisory and suggestion to check they can still log in and possibly update their passwords. If matching passwords were found, the real passwords have been removed. The emails are adjusted for the action taken.
This drastic action was necessary for all the accounts in the file, with passwords that match real LFS passwords. Unfortunately in some cases we will just be sending an email to someone who has already stolen the account. I hope we will prevent a lot of accounts being taken over and used online.
Maybe I will repeat this action for the Demo accounts tomorrow.
Using an automated script, I have sent an email to all licensed users whose usernames appear in the file.
If they don't have matching passwords, the email is just an advisory and suggestion to check they can still log in and possibly update their passwords. If matching passwords were found, the real passwords have been removed. The emails are adjusted for the action taken.
This drastic action was necessary for all the accounts in the file, with passwords that match real LFS passwords. Unfortunately in some cases we will just be sending an email to someone who has already stolen the account. I hope we will prevent a lot of accounts being taken over and used online.
Maybe I will repeat this action for the Demo accounts tomorrow.
Another update.
This morning I've been detecting which of the listed user names have a password that matches an LFS WEB or GAME password.
Many of the users on the hacked database aren't really LFS users. We know this as around 40% don't have a user name that matches an LFS user name. Around 60% do match an LFS user name, but even then, it's not necessarily an LFS user.
The only way to be fairly certain it really is an LFS user, is if the hacker list username+password matches an LFS username+password (WEB or GAME password). Password matches are a significant minority that we have to deal with because of the security implications. In those cases (password match) we intend to change the password and notify the user (via email) using an automated process.
But I've done a quick test to find out which countries the matching user names come from. This is from the full list of hacker list usernames that match an LFS username, including DEMO accounts.
To be clear, these numbers are too high, because they include some user names that are not really an LFS user (e.g. someone just happened to choose the same username as an LFS user). Also to be clear these are mainly DEMO accounts. I've only shown countries that have more than 100 users listed.
Looking at the numbers below, it seems most likely to me that the source is "LFS Pro" which was a pirate community and master server system based in Brazil.
I'm thinking this because Brazil itself is 2nd on the list and Portugal is 4th, which is higher than expected given the size of Portugal. In my opinion it's because of the language connection to Brazil. Also 3rd on the list is Argentina, probably due to the South American connection.
I'm not really sure why Turkey is on top. Maybe it's because LFS has always been popular in Turkey and LFS seemed expensive there, so a lot of Turks went for LFS Pro. Or possibly the list has come from two separate sources?
TR 7523
BR 3745
AR 1250
PT 1167
BG 737
LT 727
ES 693
US 677
RO 488
PL 438
IN 428
ZA 399
GB 371
HU 337
FR 323
IT 309
DE 275
SA 264
GE 262
PK 245
CZ 236
RS 224
LV 221
CL 213
CO 187
FI 181
UY 167
SE 162
NL 162
GR 150
AE 148
DZ 144
PH 142
EG 141
AU 137
CA 130
ID 125
MX 124
EE 113
DO 110
BA 108
SK 107
MA 106
This morning I've been detecting which of the listed user names have a password that matches an LFS WEB or GAME password.
Many of the users on the hacked database aren't really LFS users. We know this as around 40% don't have a user name that matches an LFS user name. Around 60% do match an LFS user name, but even then, it's not necessarily an LFS user.
The only way to be fairly certain it really is an LFS user, is if the hacker list username+password matches an LFS username+password (WEB or GAME password). Password matches are a significant minority that we have to deal with because of the security implications. In those cases (password match) we intend to change the password and notify the user (via email) using an automated process.
But I've done a quick test to find out which countries the matching user names come from. This is from the full list of hacker list usernames that match an LFS username, including DEMO accounts.
To be clear, these numbers are too high, because they include some user names that are not really an LFS user (e.g. someone just happened to choose the same username as an LFS user). Also to be clear these are mainly DEMO accounts. I've only shown countries that have more than 100 users listed.
Looking at the numbers below, it seems most likely to me that the source is "LFS Pro" which was a pirate community and master server system based in Brazil.
I'm thinking this because Brazil itself is 2nd on the list and Portugal is 4th, which is higher than expected given the size of Portugal. In my opinion it's because of the language connection to Brazil. Also 3rd on the list is Argentina, probably due to the South American connection.
I'm not really sure why Turkey is on top. Maybe it's because LFS has always been popular in Turkey and LFS seemed expensive there, so a lot of Turks went for LFS Pro. Or possibly the list has come from two separate sources?
TR 7523
BR 3745
AR 1250
PT 1167
BG 737
LT 727
ES 693
US 677
RO 488
PL 438
IN 428
ZA 399
GB 371
HU 337
FR 323
IT 309
DE 275
SA 264
GE 262
PK 245
CZ 236
RS 224
LV 221
CL 213
CO 187
FI 181
UY 167
SE 162
NL 162
GR 150
AE 148
DZ 144
PH 142
EG 141
AU 137
CA 130
ID 125
MX 124
EE 113
DO 110
BA 108
SK 107
MA 106
Last edited by Scawen, .
Reason : 4rd -> 4th
Update on leaked passwords (from non-LFS source)
Dear LFS Racers,
An update on the recent thread about a leak of LFS passwords from an unknown source.
After an LFS user admitted having a list of tens of thousands of username + password combinations, after some heated discussion on a thread that has now been removed, the user admitted he shouldn't have done this and decided to send the information, to start to put right the situation.
We are grateful for this action, after the initial disruption, this was the right thing to do.
I have started to analyse the data. I don't want to give exact figures but the user names are in the 10s of thousands.
Of these, roughly 5% are invalid (too short or too long, can't possibly be an LFS user name)
Of the possibly valid names, around 40% are not found in our database.
The other 60% are valid user names. Of these, more than 90% are DEMO and under 10% are LICENSED.
So many user names are invalid, proving that if these names come from a single source, it's not an official LFS source. I believe that people may have used their username somewhere else. Maybe in a pirate community or in some other app that required their user name.
I will do further checks on this data, but wanted to give you an update on the progress so far. Many of the licensed users will need to be contacted in some way, probably by an automated email.
I'll leave the thread closed for now as I don't really think I need more info at this point.
Changes I have made in the past few days regarding security:
- You now get a notification email if anyone logs in using your account.
- WEBpassword can only be changed via an email (like the "Forgot your password" system).
- GAMEpassword can also only be changed via an email.
So now it should be impossible for you to lose control of your account if you haven't already. Although for all the accounts we have not yet protected, if your password is known to any hackers with this data, they can obviously log in to your account and change various settings. At least you will receive an email if they do log in.
A note on security, even if it may sound repetitive:
- Please, DO NOT use a GAMEpassword that is the same as your WEBpassword
- Please, DO NOT use passwords that are the same as the passwords on any other accounts you care about
- NEVER ENTER YOUR LFS USERNAME AND PASSWORD INTO ANOTHER WEBSITE OR PROGRAM
- IF YOU HAVE EVER ENTERED YOUR USERNAME AND PASSWORD SOMEWHERE ELSE - CHANGE YOUR PASSWORDS NOW!
Thank you for reading.
An update on the recent thread about a leak of LFS passwords from an unknown source.
After an LFS user admitted having a list of tens of thousands of username + password combinations, after some heated discussion on a thread that has now been removed, the user admitted he shouldn't have done this and decided to send the information, to start to put right the situation.
We are grateful for this action, after the initial disruption, this was the right thing to do.
I have started to analyse the data. I don't want to give exact figures but the user names are in the 10s of thousands.
Of these, roughly 5% are invalid (too short or too long, can't possibly be an LFS user name)
Of the possibly valid names, around 40% are not found in our database.
The other 60% are valid user names. Of these, more than 90% are DEMO and under 10% are LICENSED.
So many user names are invalid, proving that if these names come from a single source, it's not an official LFS source. I believe that people may have used their username somewhere else. Maybe in a pirate community or in some other app that required their user name.
I will do further checks on this data, but wanted to give you an update on the progress so far. Many of the licensed users will need to be contacted in some way, probably by an automated email.
I'll leave the thread closed for now as I don't really think I need more info at this point.
Changes I have made in the past few days regarding security:
- You now get a notification email if anyone logs in using your account.
- WEBpassword can only be changed via an email (like the "Forgot your password" system).
- GAMEpassword can also only be changed via an email.
So now it should be impossible for you to lose control of your account if you haven't already. Although for all the accounts we have not yet protected, if your password is known to any hackers with this data, they can obviously log in to your account and change various settings. At least you will receive an email if they do log in.
A note on security, even if it may sound repetitive:
- Please, DO NOT use a GAMEpassword that is the same as your WEBpassword
- Please, DO NOT use passwords that are the same as the passwords on any other accounts you care about
- NEVER ENTER YOUR LFS USERNAME AND PASSWORD INTO ANOTHER WEBSITE OR PROGRAM
- IF YOU HAVE EVER ENTERED YOUR USERNAME AND PASSWORD SOMEWHERE ELSE - CHANGE YOUR PASSWORDS NOW!
Thank you for reading.
I understand the distortion is kind of strange, because it is linear. Although 'correct' in one sense it is sort of wrong in another, related to our perception.
Ideally there could be a distortion shader to make this affect more agreeable but this is not available in LFS.
There is a quite extreme setting you can use. It uses multiple renders to create the main scene.
In Options - View ... there is a setting "Multiple screen layout" and you can set up to 5 left screens and 5 right screens. This can approximate a cylindrical render, created from 11 vertical linear renders per frame.
I'd be interested to know if you get any improvement by using that.
You would adjust the view in that case by "Main screen FOV" and "Screen Angle" which should be a fairly small number.
Ideally there could be a distortion shader to make this affect more agreeable but this is not available in LFS.
There is a quite extreme setting you can use. It uses multiple renders to create the main scene.
In Options - View ... there is a setting "Multiple screen layout" and you can set up to 5 left screens and 5 right screens. This can approximate a cylindrical render, created from 11 vertical linear renders per frame.
I'd be interested to know if you get any improvement by using that.
You would adjust the view in that case by "Main screen FOV" and "Screen Angle" which should be a fairly small number.
Thanks for the report, I've fixed that now.
Thanks, that's some good information. I see, the variety of graphics that could be displayed is something to think about, though as you suggest it seems reasonable to stick to single and flashing colours if that is easier to implement.
It's not fully clear to me about maximum distance between light boards being 250m. It seems a lot, so I'm surprised. The wording doesn't clear that up for me as it seems to state that there must be a marshall post every 250m, but at the end of section 9.2 marshall posts can be:
- Track marshal post
- Flag marshal post
- LED panel controller marshal post
So I'm not sure yet if there must be an LED panel every 250m.
EDIT: YouTube video talking about it, that does seem to support that there is an LED panel at every marshall post.
https://youtu.be/_4UusnCaB6s?t=406
It's not fully clear to me about maximum distance between light boards being 250m. It seems a lot, so I'm surprised. The wording doesn't clear that up for me as it seems to state that there must be a marshall post every 250m, but at the end of section 9.2 marshall posts can be:
- Track marshal post
- Flag marshal post
- LED panel controller marshal post
So I'm not sure yet if there must be an LED panel every 250m.
EDIT: YouTube video talking about it, that does seem to support that there is an LED panel at every marshall post.
https://youtu.be/_4UusnCaB6s?t=406
Last edited by Scawen, .
I don't think the cleanup function could have this effect. It simply deletes mods from your folder. It can't prevent LFS connecting to our website.
To me this issue doesn't seem related to mods specifically, if you can't see an event list either. It looks like some coincidental issue, or possibly antivirus or firewall blocking the connection.
I think it could be good to test a fresh install of LFS if possible, to see if you can do all the expected things with a clean installation.
To me this issue doesn't seem related to mods specifically, if you can't see an event list either. It looks like some coincidental issue, or possibly antivirus or firewall blocking the connection.
I think it could be good to test a fresh install of LFS if possible, to see if you can do all the expected things with a clean installation.
Good to hear you got it working.
Moved posts about HP Reverb issue (now solved) to a separate thread.
https://www.lfs.net/forum/thread/111922
https://www.lfs.net/forum/thread/111922
OpenSharedResource is called to share the D3D9 render target texture with the D3D11 system. I don't know why that would fail. A forum search returns no results, so it seems like a rare issue. Could it be there is something unusual about the Direct3D 9 installation on your computer?
Thanks for the info. It seems your LFS can connect to our servers using the usual connections to the master server and game servers (as you can see a list of hosts and join them successfully) but has an issue when it tries to use HTTP to our web server, to obtain an event list or a mod list.
I can't think of a reason for that. Joining a host or getting a list from our web server both use TCP connections, to servers located in the same data centre. The event and mod lists use HTTP over that TCP connection. Could a firewall somehow be blocking these but allowing the non-HTTP connections to pass through?
When you join a host, do you see skin and mod downloads happening as usual? These also use HTTP connections as the skins and mods come from our web server.
EDIT: Can you try with an original LFS.exe from version F to see if it works as expected?
I can't think of a reason for that. Joining a host or getting a list from our web server both use TCP connections, to servers located in the same data centre. The event and mod lists use HTTP over that TCP connection. Could a firewall somehow be blocking these but allowing the non-HTTP connections to pass through?
When you join a host, do you see skin and mod downloads happening as usual? These also use HTTP connections as the skins and mods come from our web server.
EDIT: Can you try with an original LFS.exe from version F to see if it works as expected?
Last edited by Scawen, .
Thanks. Do you select "Oculus Rift" setting in the Options - View - 3D - VR headset dialog?
I ask as these days it's a bit strangely named in LFS and could possibly cause confusion.
Like: You want to use a "Meta Quest" so select "Oculus Rift".
Well that is strange as I have an event list on the entry screen, no problem viewing the list of mods and can't think of any change in that area.
Do you get the same result in F10? (you can get it by changing the F11 to F10 in the download link)
Do you get the same result in F10? (you can get it by changing the F11 to F10 in the download link)
I'll try to make it clear as I know there are a lot of names flying around.
The quest is a Meta product so I think you have to install Meta or Oculus software to use it. For that, I think you can search the internet.
So then, all being well, you can use the device on your computer and view a demo, etc.
LFS has native Oculus support so I believe it can connect to the Quest using the "Oculus" option in the 3D menu (no need to install SteamVR).
But it's a long time since I installed any Oculus software so although I believe that works, I would like it confirmed if you can try that.
About the OpenVR / SteamVR option:
The OpenVR option in LFS allows support for most headsets in the world, and for that, SteamVR needs to be installed.
It is my understanding that SteamVR also can provide access to an Oculus / Meta headset, for programs that do not natively support Oculus. LFS would try to take that path if you select the OpenVR option.
The quest is a Meta product so I think you have to install Meta or Oculus software to use it. For that, I think you can search the internet.
So then, all being well, you can use the device on your computer and view a demo, etc.
LFS has native Oculus support so I believe it can connect to the Quest using the "Oculus" option in the 3D menu (no need to install SteamVR).
But it's a long time since I installed any Oculus software so although I believe that works, I would like it confirmed if you can try that.
About the OpenVR / SteamVR option:
The OpenVR option in LFS allows support for most headsets in the world, and for that, SteamVR needs to be installed.
It is my understanding that SteamVR also can provide access to an Oculus / Meta headset, for programs that do not natively support Oculus. LFS would try to take that path if you select the OpenVR option.
As far as I know, the Oculus (or is it Meta?) software has to be installed in any case for you to use the Quest, and then I believe that if LFS can connect directly using "Oculus" mode, that should theoretically be better than also going through SteamVR as that is another layer on top.
Assuming headset is installed and tested.
Then in LFS, as versiu said:
Options - View - 3D (at top of screen)
Select Oculus (I think... even if it's a Meta, though OpenVR might also work if SteamVR is installed)
That should be it, would be good to hear if you got it working.
Then in LFS, as versiu said:
Options - View - 3D (at top of screen)
Select Oculus (I think... even if it's a Meta, though OpenVR might also work if SteamVR is installed)
That should be it, would be good to hear if you got it working.
F11:
Search button in mods screen now allows searching by Skin ID or the non-unique 4-character name
Search button in mods screen now allows searching by Skin ID or the non-unique 4-character name
Please describe the exact error messages that come up or what unexpected things you see when you try to enter 3D mode.
And please describe how you are doing it, from the Options - View screen, or by a command line?
EDIT: I recommend Options - View - 3D (button at top of screen)
And please describe how you are doing it, from the Options - View screen, or by a command line?
EDIT: I recommend Options - View - 3D (button at top of screen)
Last edited by Scawen, .
I agree that more control of the existing lights would be good, including the pit exit lights and hopefully any other traffic lights. I didn't know existing lights were slow to react. I can take a look at that.
I'm interested in the LED light boards around the track but I forget if we've discussed them before in public.
I think they should be individually or globally controllable by setting a specific colour or two flashing colours via InSim and using an ID number in some InSim packet.
I guess a global usage would be good, to set all with one packet (e.g, red flag?) but individual would be useful too (blue, yellow flags?).
I'm guessing at this point that monochrome colour for the whole board is enough as it would be much easier to implement than any patterns/
I haven't discussed this with Eric yet (at least recently) though I'm sure he would be interested to see them working.
As some changes might be required in the light objects it would be nice if we could already have these in place before the release, so it's worth a bit of consideration.
Does anyone have any good information about how frequently the LED boards should be placed around the track?
I'm interested in the LED light boards around the track but I forget if we've discussed them before in public.
I think they should be individually or globally controllable by setting a specific colour or two flashing colours via InSim and using an ID number in some InSim packet.
I guess a global usage would be good, to set all with one packet (e.g, red flag?) but individual would be useful too (blue, yellow flags?).
I'm guessing at this point that monochrome colour for the whole board is enough as it would be much easier to implement than any patterns/
I haven't discussed this with Eric yet (at least recently) though I'm sure he would be interested to see them working.
As some changes might be required in the light objects it would be nice if we could already have these in place before the release, so it's worth a bit of consideration.
Does anyone have any good information about how frequently the LED boards should be placed around the track?
Recently I've been working on the timing systems, using the front of the car for start grid alignment and checkpoints. A few complications to solve there, including discovery of new bugs (related to the new line-based timing system in conjuction with the still used path-based position tracking) and highlighting of old bugs (e.g. fluctuating race positions list, originally reported by Degats, I think). Eric has updated some of the grid start boxes that need to be updated on all tracks to align with the new front of vehicle positioning system.
Anyway just so you know this is under control before I comment on another thread.
Anyway just so you know this is under control before I comment on another thread.
OK, the provider has changed some settings and the connection should now be reliable. Please post here if you have any problems.
I have restarted 7 hosts that I stopped during the maintenance.
I don't know why this server location sometimes goes wrong and the provider has to use new settings to fix it.
I have restarted 7 hosts that I stopped during the maintenance.
I don't know why this server location sometimes goes wrong and the provider has to use new settings to fix it.
FGED GREDG RDFGDR GSFDG