TI Gameshelf

[+InsaneMultitasker]

Most of my school friends had the C64, fueled in no smaller part by the huge library of available games and music. I was the only one with a TI-99/4A.   After school we'd go to someone's house to play with their C64, playing for highest score or level on the various arcade-style games or multi-player games like Archon, Pitstop II, MULE.   I eventually bought a second-hand C64 to join in the fun, preferring to collect SID music and cracktros/demos.  I continued to use the TI for programming and schoolwork and eventually, I gave the C64., though some days I wish I had kept it around (for retro).

[1980gamer]

My freshman year of High school, I knew of 5 other kids with TI99's

But one of them also had a C64.  Then one day, Dad came home with a C64...  I still used the TI some, but Compute! etc. stopped covering TI and I slowly crossed over to the C64.

 

Then I really got into it.  By the time I gave it to my nephew 1992 ish I had 3 1541's and thousands of games.  EEPROM burner/Blank Cart board etc.

But I kept my TI99/4A   Still have it today!

 

[Retrospect]

I recall, when I was given my Texas TI99, I had a certain amount of games on cassette, and cartridges.  I had the XB cartridge with some cassettes that used it.  There was never any shops as such that sold TI-99 games in the town I lived, back in 1985/6 ... there was one game myself and my stepfather went out and bought, and that was from someone's house about 30 miles away .... he took us down into his cellar and he had all these games on cassette, lots for the TI99 ... I chose a text adventure called Alpine Quest.  That was literally the only time we bought software for that computer.  We didn't have the memory expansion or the disc drive etc ... there was only one other kid nearby who had a TI99 and he was someone I didn't really like.  However ... Texas Instruments did have some sort of factory or HQ in the UK, in Bedford.  The TI99 was well advertised here in the UK around 1982/83 by Argos, Comet, Curry's etc ... they were known and weren't the most unpopular computer , it's just that their users were spread apart at least in the Wakefield area.  I knew of one kid who was worse off than I was, and he had a Sharp MZ-80A .... there was literally no one else with that computer.  His father must have not really known about computer popularity or he got it cheap.  

[+Vorticon]

The MZ 80A was quite a capable machine with a beautiful super sharp green monitor. My cousin had one and he was a wizard with it. My unexpanded TI felt more like a toy compared to it at the time.

[Retrospect]

12 hours ago, Vorticon said:

The MZ 80A was quite a capable machine with a beautiful super sharp green monitor. My cousin had one and he was a wizard with it. My unexpanded TI felt more like a toy compared to it at the time.

It was a really nice computer to be fair.  Basic loaded from Cassette.  He'd literally load his Basic and get his manual out and type programs in.  The kids at school laughed at his computer but as you say they were capable.  But popular, they weren't for whatever reason.  I think in the UK whatever system had the most "mainstream" games won out.  I didn't see it like that though, I loved Parsec more than R-Type.  

[+Vorticon]

There was a recent discussion about the security certificate of CADD Electronics' website, and it struck me that the TI Gameshelf does not have any kind of security certificate. Do people have any trouble accessing it or is being flagged as unsecure? Frankly, since I am the only one with administrative access and all content is personally checked by me, I never worried about security issues... Should I be?

[SteveB]

I have no problem accessing tigameshelf.net. I think only when you have https and an invalid/revoked/expired certificate you'll have the problem. My lizardware.de has also no certificate and seems to work fine.

[+Schmitzi]

 

The site is reachable without problems, of course, and it is tagged as "insecure" (no valid cert, so no valid https).

The day comes closer when the browsers will deny or making it much harder to surf on unsecure pages.

 

Just see Mozilla FireFox and what sometimes happens when you try to download a file from a non-secure ftp site:

You´ll get a warning, and you have to do some more clicks to finally get the file.

 

This will go on.... so, it´s better to go the https route anyway.

For most providers, this means just "some clicks" in the server config, as they issue/generate the certificates on their own. Best way is to first see in the providers userforum for  the best way to migrate to https with cert.

 

 

[+OLD CS1]

2 hours ago, Schmitzi said:

The site is reachable without problems, of course, and it is tagged as "insecure" (no valid cert, so no valid https).

The day comes closer when the browsers will deny or making it much harder to surf on unsecure pages.

This.  This is the stated goal of all browser developers and Internet security pundits.

 

To two main purposes of a secure certificate are to authenticate the site itself and to encrypt information exchanged between the server and client.

 

Ostensibly, only someone who has control of the domain can obtain a certificate for the website.  Extended validation certificates go even further to validate the identity of the requester and site owner. 

 

Encrypted information means it is virtually impossible for an entity between the client and the server to view or alter the information being passed between them.  This includes the website and data, as well as form information from the user which includes user credentials, cookies, &c.  This also helps prevent injection of malicious content, such as proxy-inserted advertisements or man-in-the-middle injections of malware into the website contents, or other attacks such as redirecting your session to a malicious server which may assault and batter your device or attempt to solicit information from you.

 

Ultimately, I recommend everyone have a secure certificate.  Let's Encrypt offers free three-month certs and automation to replace them.  I work with CAs and one-year certificates (the maximum length allowed thanks to Google and Apple -- three years was just fine, assholes, especially since most renewals just re-submit the same CSR.)

[+Vorticon]

OK I'll have a look. 

The main concern I have is that I keep the site purposefully very simple (if you look at the page source, it does not get any simpler) because I want it accessible from the most primitive machine and browser. There are no running scripts or any external redirection. Perhaps I need to let go of that idea...

[+Vorticon]

As a thought experiment however, how could someone use my site for malevolent purposes given that it accepts no inputs from the user and does not have any external links or adverts, short of hacking the hosting server itself?

[+OLD CS1]

2 hours ago, Vorticon said:

As a thought experiment however, how could someone use my site for malevolent purposes given that it accepts no inputs from the user and does not have any external links or adverts, short of hacking the hosting server itself?

For example, injection of malicious Javascript or redirection to another website while the page is in-transit.  Mid-transit replacement of a downloaded file (harmless to PCs) with an executable which is harmful.

[+Vorticon]

12 minutes ago, OLD CS1 said:

For example, injection of malicious Javascript or redirection to another website while the page is in-transit.  Mid-transit replacement of a downloaded file (harmless to PCs) with an executable which is harmful.

But how does having a security certificate prevent that?

[+Schmitzi]

37 minutes ago, Vorticon said:

But how does having a security certificate prevent that?

 

Because only your own server/site can have/hold the secret private SSL key (only you have the file),

only your server can establish a valid (encrypted) connection with clients.

This is checked by your secret private´s key hash against the public key holded by the issuer/CA.

(I think the puclic key is just a hash from the private key)

 

So the certificate guarantees, that the IP address is your IP, so the client/surfer lands on your server,

and not another server (on another "villain" IP), maybe due to an hacked DNS-server or a compromised DNS-resolution or local HOSTS file. If coming via IP directly to your site, the same, of course.

 

So without SSL, you can secretly (i.e. DNS-)redirect the clients traffic to another (criminal) server (IP),

where the villain i.e. shows you a faked loginpage from your banking account, to fetch your login credentials.

 

Another feature of SSL is to encrypt the transmitted data between server and client.

Note: This should also work if the private key is expired. It´s not marked as secure then, but traffic should be encrypted anyway with that old keys. (This worked some years ago, IIRC)

 

Not sure about, but I think this "injection" just cannot happen into encrypted data (ie from man-in-the-middle),

because on it´s way it is not readable (understandable).

 

 

 

 

 

 

[+Vorticon]

Thanks for the info.

But if I am understanding this correctly, these issues are not related to my site directly, but rather potential vulnerabilities with the server side, correct? Soooo, isn't it the responsibility of the host server to have security up to par?

Sorry if I am belaboring this, but I'm trying to figure out if it's worth it for me to go through the hassle of obtaining a security certificate and keeping up with it...

[+Schmitzi]

1 hour ago, Vorticon said:

Thanks for the info.

But if I am understanding this correctly, these issues are not related to my site directly, but rather potential vulnerabilities with the server side, correct? Soooo, isn't it the responsibility of the host server to have security up to par?

Sorry if I am belaboring this, but I'm trying to figure out if it's worth it for me to go through the hassle of obtaining a security certificate and keeping up with it...

 

 

Yes, in your case, the issue is not really directly related to/against your server, but against your clients,

which can be redirected and do not recognize that without a certificate. (So far my interpretation)

 

Of course, if you use login/passwords for your client users, then a client user could be redirected,

and "they" maybe can fetch his login credentials, and come back later to your server with that,

to "destroy" his account or data with that. (If it´s you with your own, administrative account, then Good Night !)

 

The day will come when you have to go this way (the browsers will decide that)

 

And yes, it is a hassle. It´s big business making money, by generating certs und service as a mass.

I did this about 100 times years ago, on Cisco ASAs, MS IIS, Trendmicro Mailservers and more,

but this small stepp (fetching & installing a cert) is (was?) so much complex that I had to maintain

a to-do-list for this my work, not to totally struggle and breakdown every time. For me, it´s like Linux  

 

 

[+OLD CS1]

2 hours ago, Vorticon said:

But how does having a security certificate prevent that?

This:

2 hours ago, Schmitzi said:

Because only your own server/site can have/hold the secret private SSL key (only you have the file),

only your server can establish a valid (encrypted) connection with clients.

 

1 hour ago, Vorticon said:

Thanks for the info.

But if I am understanding this correctly, these issues are not related to my site directly, but rather potential vulnerabilities with the server side, correct? Soooo, isn't it the responsibility of the host server to have security up to par?

Sorry if I am belaboring this, but I'm trying to figure out if it's worth it for me to go through the hassle of obtaining a security certificate and keeping up with it...

Not directly since you do not handle sessions and you have no authentication for users.  The responsibility of the host is to make sure that the underlying system is secured, as well as any framework they provide (like Drupal, JSP, WordPress, &c.) but the rest is up to you.  Since you own the domain, tigameshelf.net, it is on you to obtain a certificate to encrypt the transport. Or, at least on you to make the provisions.

 

In fact, I just tracked down your web host.

 

https://www.lizardhill.com/index.php?rp=/store/hosting-packages

 

Included with every plan: Free SSL Certificate from Let's Encrypt

 

Looks like you just need to ask.

[+Schmitzi]

 

ah yes sorry, regarding the "hassle" I wrote about, actual webhosters almost need some clicks only (and some bucks) to get a SSL cert working. What I did happened locally on customers machines. (Maybe your hosters administrator is the one in hassle ? but he should be a dedicated professional in all of this SSL work)

 

[+arcadeshopper]

2 hours ago, Vorticon said:

Thanks for the info.

But if I am understanding this correctly, these issues are not related to my site directly, but rather potential vulnerabilities with the server side, correct? Soooo, isn't it the responsibility of the host server to have security up to par?

Sorry if I am belaboring this, but I'm trying to figure out if it's worth it for me to go through the hassle of obtaining a security certificate and keeping up with it...

if you can, use letsencrypt to automatically provide a certficiate.. my hosting provider has that option (DON@WHTech/lizardhill) as part of his hosting service. free..

 

Greg

[+arcadeshopper]

30 minutes ago, OLD CS1 said:

This:

 

Not directly since you do not handle sessions and you have no authentication for users.  The responsibility of the host is to make sure that the underlying system is secured, as well as any framework they provide (like Drupal, JSP, WordPress, &c.) but the rest is up to you.  Since you own the domain, tigameshelf.net, it is on you to obtain a certificate to encrypt the transport. Or, at least on you to make the provisions.

 

In fact, I just tracked down your web host.

 

https://www.lizardhill.com/index.php?rp=/store/hosting-packages

 

Included with every plan: Free SSL Certificate from Let's Encrypt

 

Looks like you just need to ask.

 

just go into your control panel and enable it, if you need help pm me and I'll get on a zoom with you and walk you through

 

Greg

[+OLD CS1]

26 minutes ago, arcadeshopper said:

 

just go into your control panel and enable it, if you need help pm me and I'll get on a zoom with you and walk you through

 

Greg

@Vorticon Booya, baby!

[HOME AUTOMATION]

3 hours ago, Vorticon said:

I'm trying to figure out if it's worth it for me to go through the hassle of obtaining a security certificate and keeping up with it...

Considering the provocative nature of your site's content...

It's potential to incite obfuscation/manipulation...

Destabilize the world economy...

 

...Maybe we should move it over to the DARK-WEB!

[+OLD CS1]

7 minutes ago, HOME AUTOMATION said:

...Maybe we should move it over to the DARK-WEB!

tigameshelf.onion???

[+Vorticon]

OK done. It was really 1 click and totally free.

Now https://tigameshelf.net shows up as secure, but http://tigameshelf.net is still insecure. I thought you could not access a secure site without https. Am I missing something?

 

[+Vorticon]

14 minutes ago, OLD CS1 said:

tigameshelf.onion???

Is there a .onion domain? That would be hilarious!