roman-murashov / hedgewars

Automatically exported from code.google.com/p/hedgewars
GNU General Public License v2.0

new user ip display (towards other users) #783

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
due to nemo's first comment on rb7161f00a6caa43a32a19c530e88da259b18423c and a 
discussion we had on irc during that time:

Help players to identify other (harassing/ganking/etc) players by supplying a 
hash that is based on current date and the players IP.

This way actions against short term harassment can be enabled and long term 
stalking specific players can be prevented.

Also no hash shall be shown to players for server admins, as they won't harass 
or impost; while at the same time giving them a chance to play anonymously under 
a different name.
(that name would have a hash ofc, but since the admin account doesn't show a 
hash, people can't "stalk" the admin - or other people using their connection)

Original issue reported on code.google.com by sheepyluva on 24 Jan 2014 at 5:03

GoogleCodeExporter commented 8 years ago
btw, I'd suggest that the server uses a salt loaded from a file (that is not in 
the repo) to generate the hash (otherwise it might be too easy to make a 
rainbow table for all possible IPs for every day, using some VPU)

that and/or repeated hashing (1000 times at least, considering how fast hashes 
and therefore rainbow tables can be generated on modern hardware)

Original comment by sheepyluva on 27 Jan 2014 at 6:06

GoogleCodeExporter commented 8 years ago
Seems reasonable.  Multiple hash loops reasonable too, although presumably in 
conjunction w/ that since a rainbow would still be pretty easy then.
Presumably the salt would consist of the secret + daily rotating part, then, to 
ensure shifting salt.

Original comment by kyberneticist@gmail.com on 27 Jan 2014 at 6:20

GoogleCodeExporter commented 8 years ago
Daily salt in repo? Wat??

My proposition: salt is got from /dev/urandom (dunno, maybe 16 bytes?), ip + 
salt hashed, result is cut to... let's say 16-20 digits. That's it.

Original comment by unC0Rr on 28 Jan 2014 at 7:42

GoogleCodeExporter commented 8 years ago
Sure, why not.  Fetching salt once a day from /dev/urandom is I guess a wee bit 
harder to go after, although it isn't like anyone out there would be trying to 
guess the secret part of a salt.

Both prob have about the same effectiveness, although 
"2014-01-29"+"somesecret129047108915y07wef781gut4y1gy" stored in config has 
the advantage of skipping that once-a-day dev read.  Maybe a bit simpler to 
implement too.
*shrug*

Original comment by kyberneticist@gmail.com on 29 Jan 2014 at 8:31

GoogleCodeExporter commented 8 years ago
Already reading /dev/urandom for authentication, and that really is 1 function 
call, so isn't a problem at all

Original comment by unC0Rr on 30 Jan 2014 at 5:18
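The scheme the thread converges on (a secret salt combined with a daily rotating part, repeated hashing, output truncated to 16 digits, and no tag at all for admin accounts), written out as an added Python example; this is not Hedgewars server code or anything posted in the issue, and the secret value, the `daily_salt`/`player_tag` names and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from datetime import date
from typing import Optional

# Constructed placeholder; a real server would load its secret once from a file
# outside the repo or from /dev/urandom at start-up, as the thread proposes.
SERVER_SECRET = bytes.fromhex("00" * 32)

TAG_HEX_DIGITS = 16   # "cut to ... 16-20 digits"
ITERATIONS = 1000     # "repeated hashing (1000 times at least)"


def daily_salt(secret: bytes, day: date) -> bytes:
    """Secret + daily rotating part, so the salt shifts every day.

    Deriving it with HMAC means the date alone (public) is useless without the
    secret, which is what defeats a precomputed table over all IPv4 addresses.
    """
    return hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()


def player_tag(ip: str, day: date, secret: bytes = SERVER_SECRET,
               is_admin: bool = False) -> Optional[str]:
    """Per-day pseudonymous tag for a player's connection.

    Same address on the same day -> same tag (so short-term harassers can be
    recognised across name changes); a new day -> an unrelated tag (so nobody
    can be stalked long term). Admins get no tag, per the original proposal.
    """
    if is_admin:
        return None
    addr = ipaddress.ip_address(ip)
    # Treat an IPv4-mapped IPv6 address as the IPv4 address it carries, and use
    # the packed form so differently written but equal addresses hash the same.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    digest = hashlib.pbkdf2_hmac("sha256", addr.packed,
                                 daily_salt(secret, day), ITERATIONS)
    return digest.hex()[:TAG_HEX_DIGITS]


if __name__ == "__main__":
    today, tomorrow = date(2014, 1, 29), date(2014, 1, 30)
    print("today:   ", player_tag("192.0.2.1", today))
    print("tomorrow:", player_tag("192.0.2.1", tomorrow))
    print("admin:   ", player_tag("192.0.2.1", today, is_admin=True))
```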