Security flaws in MS
#1
http://web.miragesource.com/forums/viewt...=75&t=1500

So editing only client-side, you can walk through other players. Seems like a vulnerable thingy.


Also, I'll use this topic to tell you people you're dumb. I've seen people add really nice security to their game, encrypting all packets, and other shit. It's not necessary. If a server checks if all packets sent by the client make sense, you don't need any form of security. Security = waste of memory, bandwidth, etc. Proper server is all you need.
#2
lol okay.
Quote:Robin:
Why aren't maps and shit loaded up in a dynamic array?
Jacob:
the 4 people that know how are lazy
Robin:
Who are those 4 people?
Jacob:
um
you, me, and 2 others?
#3
Joost Wrote:http://web.miragesource.com/forums/viewt...=75&t=1500

So editing only client-side, you can walk through other players. Seems like a vulnerable thingy.


Also, I'll use this topic to tell you people you're dumb. I've seen people add really nice security to their game, encrypting all packets, and other [edit]. It's not necessary. If a server checks if all packets sent by the client make sense, you don't need any form of security. Security = waste of memory, bandwidth, etc. Proper server is all you need.

Well, just to point out a lot of us people can spell... also,

If I send a packet to the server triggering the giveaccess event procedure, how can the server figure out if that's dumb or not? It's in the game so it makes sense.
#4
How does security waste bandwidth?

Unless you have packets going back and forth to confirm things, it shouldn't use up any at all.

:roll:
#5
Depending on the security scheme, it can.
#6
Just by encrypting your packets, they get very large (sure, it depends on the encryption method).
#7
I probably would never use any encryption on a packet that results in inflation. One example is XOR, which is probably also one of the fastest encryptions. Another is RC4 which is used in SSL and WEP. Though, of course, these are not as secure, but there are plenty others out there. But packet encryption is never something you want to worry about too much - even XOR will hold off tons of people. The most important thing about packet encryption is to randomize the packets so encrypting packet A twice will result in two different packets. This can be done with rotating keys, or if you want to add inflation, rotating salts.
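
The rotating-key idea from post #7, as an added example that is not part of any post in this thread: a static XOR key turns the same packet into the same bytes every time, while a keystream derived from a shared key and a per-packet counter does not, and neither adds length. The `PacketCipher` class, the SHAKE-256 keystream and the sample key are assumptions chosen for illustration; a reliable, in-order connection is assumed.

```python
import hashlib

def static_xor(data: bytes, key: bytes) -> bytes:
    """Plain repeating-key XOR: same input always gives same output."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class PacketCipher:
    """One instance per direction on each side, created with the same key.

    The counter is never sent; both ends advance it once per packet, so
    the effective key rotates and the packet does not grow. This hides
    content only: it has no integrity check, so the server must still
    validate every packet it decrypts.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def _keystream(self, n: int) -> bytes:
        # Fresh keystream for this packet: hash of key plus packet counter.
        seed = self.key + self.counter.to_bytes(8, "big")
        self.counter += 1
        return hashlib.shake_256(seed).digest(n)

    def apply(self, data: bytes) -> bytes:
        # XOR is its own inverse, so this both encrypts and decrypts.
        ks = self._keystream(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

def demo():
    key = b"constructed-sample-key"      # constructed value
    packet = b"move|5|4"                 # constructed packet
    sender, receiver = PacketCipher(key), PacketCipher(key)
    first, second = sender.apply(packet), sender.apply(packet)
    return {
        "static_repeats": static_xor(packet, key) == static_xor(packet, key),
        "rotating_repeats": first == second,
        "same_length": len(first) == len(packet),
        "decrypted": [receiver.apply(first), receiver.apply(second)],
    }

if __name__ == "__main__":
    print(demo())
```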
#8
I'm lost. Why is my tut here?
#9
I think it is because that tutorial shows that you can easily hack your position via purely the client.
#10
Oh.

Server-side check, anybody?

Oh well, Joost doesn't understand. n.n

I did say this was a basis. Mine, PDoA's, uses a client/server check before anything is done. =]
#11
Matt Wrote:Server-side check, anybody?

That's exactly my point. dumbass.

Quote:If I send a packet to the server triggering the giveaccess event procedure, how can the server figure out if that's dumb or not? It's in the game so it makes sense.
Server should check if person giving access has the proper authority.

Just like with walking, server should confirm the player is only moving once a second, to a nearby tile. Same with attacking. If server confirms EVERY packet possible, you can make your game open source, have no security at all and your game would be unhackable.
#12
Joost Wrote:
Matt Wrote:Server-side check, anybody?

That's exactly my point. [edit].

Quote:If I send a packet to the server triggering the giveaccess event procedure, how can the server figure out if that's dumb or not? It's in the game so it makes sense.
Server should check if person giving access has the proper authority.

Just like with walking, server should confirm the player is only moving once a second, to a nearby tile. Same with attacking. If server confirms EVERY packet possible, you can make your game open source, have no security at all and your game would be unhackable.

That's not true at all, since all of these servers (that I have played thus far) can get boned just by sending a slightly different acc create packet.
#13
Just make sure everything is numeric or string as it's supposed to be, and that each packet contains the right number in the parse array.

If either fails, kick them.
That's how mine are set up.
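
The checks that posts #11 and #13 describe (right field count and types, one step per second to an adjacent free tile, sender authority for giveaccess), as an added example that is not part of any post in this thread. The `|` separator, the packet layouts, the access levels and the `Player`, `parse` and `handle` names are assumptions for illustration, not Mirage Source code.

```python
import time

SEP = "|"              # assumed field separator (constructed)
ADMIN = 4              # assumed access level that may grant access
MOVE_INTERVAL = 1.0    # seconds between moves, as in post #11

# Packet name -> types of the fields that follow it (hypothetical layout).
SCHEMA = {"move": (int, int), "giveaccess": (str, int)}

class Player:
    def __init__(self, name, x, y, access=0):
        self.name, self.x, self.y, self.access = name, x, y, access
        self.last_move = float("-inf")

def parse(raw):
    """Return (name, typed args), or None if field count or types are wrong."""
    parts = raw.split(SEP)
    types = SCHEMA.get(parts[0])
    if types is None or len(parts) - 1 != len(types):
        return None
    try:
        return parts[0], [t(v) for t, v in zip(types, parts[1:])]
    except ValueError:
        return None

def handle(player, raw, players, occupied, now=None):
    """Apply one packet from `player`; return 'ok', 'reject' or 'kick'."""
    now = time.monotonic() if now is None else now
    parsed = parse(raw)
    if parsed is None:
        return "kick"                      # malformed: post #13's rule
    name, args = parsed
    if name == "move":
        x, y = args
        step = abs(x - player.x) + abs(y - player.y)
        too_soon = now - player.last_move < MOVE_INTERVAL
        if step != 1 or (x, y) in occupied or too_soon:
            return "reject"                # server state stays authoritative
        player.x, player.y, player.last_move = x, y, now
        return "ok"
    # giveaccess: the sender's stored access decides, not the packet contents.
    target, level = args
    if player.access < ADMIN or target not in players or not 0 <= level <= ADMIN:
        return "reject"
    players[target].access = level
    return "ok"
```

`occupied` is the set of tiles held by other players, which is the check the client-only edit in the first post skips.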
#14
Fox Wrote:That's not true at all, since all of these servers (that I have played thus far) can get boned just by sending a slightly different acc create packet.

And that's why you should double-check all packets server-side. Like the guy above me said.
#15
If you send a 9 byte sep char end char thingie the server goes nuts. Don't ask me why, but it does =P
#16
I like how I'm a target.

And how Joost is a royal prick.

At any rate, I don't care. It's not like any of you play PDoA.

Problem solved.
#17
The tutorial wasn't bad. It was just a way of showing a security flaw without even downloading MS. Not your mistake. And my complaint was valid. You can act like a 13 yo, and turn away, or you can go do something useful and increase your game's security.

Even though I'm a prick, I'm right often. Go deal with it.
#18
Joost Wrote:Even though I'm a prick, I'm right often. Go deal with it.

Well, you're half right :roll:
#19
Quid?

I'm confused. Why am I still a target here?

Dude, grow a penis. And some balls.

You're seriously just acting like a big baby here.

Go point out flaws in the hundreds of other tuts that exist.

Honestly. You're annoying,
#20
Matt Wrote:Quid?

I'm confused. Why am I still a target here?

Dude, grow a penis. And some balls.

You're seriously just acting like a big baby here.

Go point out flaws in the hundreds of other tuts that exist.

Honestly. You're annoying,
You made yourself a target by being a crying little fag.

Point out flaws in other tutorials? There was no flaw in the fucking tutorial, you stupid moron. I've told you that before, idiot. The security issue has NOTHING to do with your tutorial. Stop thinking like a fucking monkey. You're an inferior being. Humans evolved thousands of years ago, so you should too.

Considering I didn't try to dodge the swear filter, I assume this post won't get deleted because of harsh language.
#21
No, but the thread has gone far enough.
Quote:Robin:
Why aren't maps and shit loaded up in a dynamic array?
Jacob:
the 4 people that know how are lazy
Robin:
Who are those 4 people?
Jacob:
um
you, me, and 2 others?

