Saturday, January 28
MOVED TO WORDPRESS
Every now and again, someone tries to go nuclear on me for our reluctance to discuss our anti-cheat systems, "surely it can't hurt ...".
I hacked a few games when I was a kid, but when I reached college I didn't consider myself a "hacker" (in the modern intrusive sense). However, I noticed something trivial and innocent about the college network. It just seemed that if it was for real, then the network security was a facade, the "network" itself would have to be wide open, its security relying entirely on the honorable use of particular commands/tools. The weak link in many security systems is the password file. I'd looked at it before on our network and it was surprisingly sparse. To test my theory, I looked at it using a non-network version of "edit". And voila. The network tools honored a code that said a particular character meant end-of-file. Regular edit did not. And the password file was simply some junk followed by end-of-file and then a simple, clear text list of username:password,username:password,... entries. First in the list was admin:kangaroo.
I spent the next 3-hour lesson reading the network administrator manual and then logged in as admin and left the lecture team an email, bat files and source code for actually making the network secure. I almost got booted out of college for doing it ;)
What unlocked the network for me was a trivial piece of information. It was actually something the admin *didn't* say.
At the end of the day, all of the gaming instructions and data have to be available unencrypted to the CPU at some point, and with a lot of determination you can work out what some or all of the sequences of those instructions mean, or interfere with the sequence/operation of them.
Since the client is not merely a spectator we have to have some confidence in the behavior and operation of the client. Anything we tell anyone about what if, what, how or even when we detect could be that magic piece of the puzzle that allows a hacker/cheater to break through and destroy the game entirely, or it might inspire some honest and genuine player to poke at a hole in disbelief and find themselves able to become invulnerable.
So when you're writing me a snotty-assed email about game security, after railing on me about how crappy you believe our client's security to be, about how clueless we appear to be, you can take your demands to be told how they work and what we know and %*@"£$!'%:%*!>$"£%^&J£!=&***$. And you might want to start by, uh, not sending me the email from a machine with a virus on it. Hard not to laugh my ass off at anything you say about security. Well, on top of your not being able to tell the difference between host and client.
When your security is about protecting your end user from outside interference, you can brag about it. But when your security is there to protect you *from* your customer, you don't want anyone to know anything about it. Ideally you'd prefer them not to even know it's there.
But to answer that one question, "why don't you" ... Anything, absolutely anything, we do say about our security is potentially akin to putting a notice on your front door that says "This house is LOCKED! Key is under a rock somewhere in the yard".
Tuesday, January 24
There seems to be a slow trend away from annoying ring tone songs and towards MP3s of ringing phones... It can be a little annoying - my ringing-tone turns out to be in several TV ads and the desk phones in Law & Order and Law & Order: CSI. In the last month or two I've noticed more phones "ring" than annoying me with some badly digitized song fragment.
Not been too many updates here lately, Christmas wore me out :) We're beavering away on 1.22 and 1.23 of the game, I'm finally getting over my rash of 18-20 hour days over Xmas, although I seem to have pulled something in my neck, so I'm resorting to sleeping on my lazi-boy as getting out of bed presents a painful physical challenge in the mornings ;)
Sunday, January 1
Actually, it was for a kids charity, but later on when I was calling Gophur to wish him a happy new year, we got to discussing the 1.21 release, I said "the first two weeks, well, week and a half" and he pointed out that 1.21 had only just been out for over a week... It's been a long, hard holiday... I could have sworn it's been 3 weeks! :)
Had a ton of fun with all the people I've hung out with during 1.21, new players and old, returning soldiers, hangers on, Axis and Allied. If nothing else, I've worked up a good head of enthusiasm for starting back to working on those rough edges and getting the UI systems working more the way you'd expect them to with all the changes Brigades on Map has introduced...
But I'd swear that if I hadn't had it shaved off, it would all have fallen out anyway.
Happy New Year :)
