Guid, Software Security questions

starscape junkie
Joined: 15 Jun 2003
Posts: 177
Location: The Thirteenth Colony

Posted: Tue Apr 05, 2005 2:40 am    Post subject: Guid, Software Security questions

Most of my ventures in programming are more for the learning experience than making a completed product, so I have a lot of half-finished projects lying around (this has a lot to do with artistic talent; when it takes a long, long while messing with Photoshop to make one graphic, there's really no inspiration to make a full game's graphics).

Anywho, after growing increasingly frustrated with attempting network coding (what a nightmare) I decided to back off for a few days and work on something else for a change of pace. I ended up with the idea to try to make something like your verification system since it wouldn't require any heavy artwork. I figured since your auth system was close to what I was thinking of, I'd ask you (plus this doesn't seem to be very heavily tutorialled). Onto the questions:

1. I'm currently using an obscure Windows function, which slips my mind at the moment, to obtain the MAC address for a viable GUID. Are there any moral implications to this, such as a way for a MAC address to be used maliciously, and/or is there another way to reliably get something that resembles a GUID, constant from day to day, but different from computer to computer? I haven't done exhaustive searching, but this seems to be the only reliable way I've found.

2. Theoretically, what is the best way to ensure against mem editing and other variable freezing? Comparing the auth keys every few hundred frames seems a bit excessive and processor intensive but seems more tamper proof than if(authkey==true).

3. To prevent external file tampering I've made the program check all dependent sized files and compare them to hardcoded data, and if they aren't equal then it quits and gives an error message stating such and such a file has been modified...yadayadayada....Good in theory, but how do you think it would work in practice with a game with possibly hundreds of dependent files? Admittedly missing something during testing would be nigh impossible to do.

4. Are there any super easy to program but super hard to crack ways of encrypting the auth key? Currently my system goes something like:

a. Run through enigma cypher-1 (I'm using a base 36 system for my auth keys)
b. Do separate math functions on each of the 14 integers (yay messy)
c. Run through enigma cypher-2
d. Compare to the comparison auth code


I think that's it, thanks for any help/info anyone can give me; if not, no problem, this is just an experiment by which I hope to learn some new skills (and already have).

OvermindDL1
Joined: 29 Mar 2004
Posts: 138

Posted: Tue Apr 05, 2005 4:59 am    Post subject: Re: Guid, Software Security questions

starscape junkie wrote:
> 1. I'm currently using an obscure Windows function, which slips my mind at the moment, to obtain the MAC address for a viable GUID. Are there any moral implications to this, such as a way for a MAC address to be used maliciously, and/or is there another way to reliably get something that resembles a GUID, constant from day to day, but different from computer to computer? I haven't done exhaustive searching, but this seems to be the only reliable way I've found.

Nothing morally bad about that, but getting a processor identifier (not type; all modern CPUs have a unique key that is unique per CPU, get that) with a hash of the Windows key is generally a far better method.

starscape junkie wrote:
> 2. Theoretically, what is the best way to ensure against mem editing and other variable freezing? Comparing the auth keys every few hundred frames seems a bit excessive and processor intensive but seems more tamper proof than if(authkey==true).

Not really any good way. You could try changing the memory location dynamically often, but anyone worth their salt would find the source pointer and use it. You could always do what a couple games do, and MD5 verify the memory; problem is that it slows the game down too much if done too often, but not done often enough is inaccurate. No really good method, just a lot of little ones with pros and cons...

starscape junkie wrote:
> 3. To prevent external file tampering I've made the program check all dependent sized files and compare them to hardcoded data, and if they aren't equal then it quits and gives an error message stating such and such a file has been modified...yadayadayada....Good in theory, but how do you think it would work in practice with a game with possibly hundreds of dependent files? Admittedly missing something during testing would be nigh impossible to do.

It would be better to get the CRC or MD5 of the files, not just checking size; just checking sizes is really worthless because almost all hex edits are the same size as the original code. Expect longer startup times.

starscape junkie wrote:
> 4. Are there any super easy to program but super hard to crack ways of encrypting the auth key? Currently my system goes something like:
>
> a. Run through enigma cypher-1 (I'm using a base 36 system for my auth keys)
> b. Do separate math functions on each of the 14 integers (yay messy)
> c. Run through enigma cypher-2
> d. Compare to the comparison auth code

Use a 1024 bit cypher, and change it every patch. First of all it'd be near impossible to break it; second, it's even harder to break a changing spec.

Just my few cents...
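
The size-versus-checksum point in the reply above, as an added example that is not part of the original thread: a manifest check over game files in Python, where SHA-256 stands in for the CRC or MD5 mentioned in the post. The file names, contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative path under root to (size, digest); done at build time."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), file_digest(full))
    return manifest


def verify(root, manifest, use_digest):
    """Return sorted (path, reason) findings; an empty list means all files match."""
    findings = []
    for rel, (size, digest) in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            findings.append((rel, "missing"))
        elif os.path.getsize(full) != size:
            findings.append((rel, "size changed"))
        elif use_digest and file_digest(full) != digest:
            findings.append((rel, "content changed"))
    return sorted(findings)


def demo():
    """Constructed sample: three asset files, one edited in place at the same size."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "data"))
        samples = {
            "game.cfg": b"lives=3\ndifficulty=1\n",
            "data/ships.dat": bytes(range(256)) * 64,
            "data/levels.dat": b"LEVEL" * 1000,
        }
        for rel, content in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(content)
        manifest = build_manifest(root)

        # Same-size edit: overwrite one character, so the file length is unchanged.
        with open(os.path.join(root, "game.cfg"), "r+b") as f:
            f.seek(len(b"lives=3\ndifficulty="))
            f.write(b"9")
        os.remove(os.path.join(root, "data", "levels.dat"))

        # First result uses sizes only, second also compares digests.
        return verify(root, manifest, False), verify(root, manifest, True)


if __name__ == "__main__":
    size_only, with_digest = demo()
    print("size only  :", size_only)
    print("with digest:", with_digest)
```

The size-only pass reports the deleted file but not the in-place edit; the digest pass reports both, at the cost of reading every file at startup.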

Poo Bear
Pod Team
Joined: 14 Oct 2002
Posts: 4121
Location: Sheffield, UK

Posted: Tue Apr 05, 2005 5:15 am

I don't know of anything malicious you could do with a MAC address, a lot of security systems are based on it, it seems pretty standard.

The whole issue of securing a game is a nightmare, a lot of very clever people in a range of different countries seem to spend an awful lot of time and energy cracking games so others can steal them. They do it for the challenge and to score brownie points on newsgroups, I doubt they even like the games they hack. They don't consider the companies behind the software and the people they are hurting (the employees). With someone like EA the damage isn't too great as they sell through every shop in the world, but for an indie it can be very bad as their only outlet is the net. The truth is you cannot stop them, there are just too many of them.

What you can do is prevent casual copying, if a game is downloadable then by its very nature it should be small and portable. If it has no protection at all or the key is also portable then you are almost encouraging people to pass it around. You should not encourage people to do something that is wrong, that just isn't fair on them. A unique key tied to the MAC address solves that problem.

Professional hacking is a much smaller problem, the only downside is that if you totally ignore it then within a few months cracks will start appearing on all the major search engines (why Google/Yahoo/MSN/etc ignore this shocking misuse of their technology I don't know). If you get in a situation where an internet search for your game lists a crack on the first page then you are in trouble. The way to defeat that is to release regular updates that along with adding excellent new content also change the unlock system. It will only take hackers a day or two to make a new crack but it will take months for that crack to circulate around websites and search engines.

OvermindDL1
Joined: 29 Mar 2004
Posts: 138

Posted: Tue Apr 05, 2005 6:41 pm

MAC address wouldn't work well though in my opinion. For example, I have something like 50 network cards, with like 20 beside me right now. The network card in my computer has a tendency to change because I may take my comp somewhere, someone needs a NIC, so I give 'em mine and put another in when I get home. The only thing that doesn't change in my comp that often is the motherboard, CPU, RAM, sound card, and video card; everything else changes, sometimes weekly.

starscape junkie
Joined: 15 Jun 2003
Posts: 177
Location: The Thirteenth Colony

Posted: Wed Apr 06, 2005 1:33 am

Well, there are a couple advantages to using the MAC address over CPU identifier. For one, universality: since you have to have a network card to connect to the internet, you are pretty much guaranteed that the user will have a MAC address compatible card in their computer. However a user is not guaranteed to have a compatible CPU type, and supporting different types (Intel, Athlon, etc) could possibly mean excess coding.

However you do bring up a valid point, the customer should not be punished for changing a piece of hardware. Perhaps a hybrid would be the best solution: have two separate parts to the auth code, and if one part is changed, have it revert to the unchanged means of gaining a GUID, meaning that they would only have to re-auth once as long as they didn't change the second piece of hardware as well.

As for the search engines and their blind-eyeing the situation, I see it as two parts: revenues and impossible to police. If they remove the ability to search for such things, a.) they lose money because less pirates use their search engine and b.) people will try and find ways around it, kinda like our security situation here. Sadly there will always be someone more committed to breaking the rules than someone enforcing them.

-Edited for Spelling (spellchecker works nice)-
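
One reading of the two-part identifier idea in the post above, as an added Python example that is not from the thread or from Moonpod's system: the stored record holds a keyed hash of each identifier, one changed part falls back to the unchanged one, and only a change to both asks for re-authorisation. The identifier values, record layout and the `bind`/`check` names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

COMPONENTS = ("mac", "cpu")  # the two identifiers discussed in the thread


def component_tag(salt, name, value):
    """Keyed hash of one identifier, so the raw MAC or CPU id is never stored."""
    normalized = value.strip().lower().replace("-", ":")
    return hmac.new(salt, f"{name}={normalized}".encode(), hashlib.sha256).hexdigest()


def bind(hardware, salt=None):
    """Create the stored record at activation time from the current identifiers."""
    salt = salt or os.urandom(16)
    return {"salt": salt.hex(),
            "tags": {n: component_tag(salt, n, hardware[n]) for n in COMPONENTS}}


def check(record, hardware):
    """Compare current hardware to the record and return (status, record).

    "ok"     - both identifiers match
    "rebind" - exactly one matches; the record is refreshed for the other
    "reauth" - neither matches, so the user has to authorise again
    """
    salt = bytes.fromhex(record["salt"])
    matched = []
    for name in COMPONENTS:
        value = hardware.get(name)
        if value and hmac.compare_digest(component_tag(salt, name, value),
                                         record["tags"][name]):
            matched.append(name)
    if len(matched) == len(COMPONENTS):
        return "ok", record
    if matched:
        tags = dict(record["tags"])
        for name in COMPONENTS:
            # Keep the old tag if the changed identifier cannot be read at all.
            if name not in matched and hardware.get(name):
                tags[name] = component_tag(salt, name, hardware[name])
        return "rebind", {"salt": record["salt"], "tags": tags}
    return "reauth", record


def demo():
    """Constructed identifiers: swap the NIC, then the CPU, then a different machine."""
    original = {"mac": "00-11-22-33-44-55", "cpu": "CPU-SERIAL-A"}
    record = bind(original, salt=b"constructed-salt")
    steps = []
    for hw in (original,
               {"mac": "00:11:22:33:44:66", "cpu": "CPU-SERIAL-A"},   # new NIC
               {"mac": "00:11:22:33:44:66", "cpu": "CPU-SERIAL-B"},   # then new CPU
               {"mac": "66:55:44:33:22:11", "cpu": "CPU-SERIAL-Z"}):  # other machine
        status, record = check(record, hw)
        steps.append(status)
    return steps


if __name__ == "__main__":
    print(demo())
```

Because each successful fallback refreshes the record, hardware replaced one piece at a time never forces re-authorisation; count rebinds in the record if that drift matters.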

Poo Bear
Pod Team
Joined: 14 Oct 2002
Posts: 4121
Location: Sheffield, UK

Posted: Wed Apr 06, 2005 4:28 am

I think it might be possible to disable the CPU ID in the BIOS with Intel chips, saw that mentioned on TomsHardware but I'm not certain. Using a range of IDs is a very good idea though. Only problem is the final code will tend to get bigger, but that doesn't matter if the whole process is automated and people do not have to type things in.

//begin soapbox rant

As to search engines being unable to police their own databases and keep up with their own users I think that is an easy excuse too many companies have used. Google for one are a billion dollar company employing hundreds of staff, they could easily put together a small team permanently assigned to adjusting their search algorithms and web crawlers filtering out illegal content (not just piracy). Sure people would find ways around it but a dedicated team can keep shutting the doors.

What if people will just use some underground search engine? I say good! The harder it is to acquire illegal material the better. If people want to buy illegal software or stolen goods they cannot get them from the corner shop, but they can easily find them at markets and car boot sales and at the local shady pub. So why bother? Making it easy to do things that are illegal is not fair on people, they should not be tempted like that. There will always be people who don't care about the rules and find ways around things, that's inevitable and understandable. Their activities must be kept as far away from the innocent man on the street as possible. The billion dollar companies behind legitimate search engines and newsgroups could easily do this if they wanted to, but they know it will harm profits and they won't do it unless they are forced.

//end soapbox rant

Weeble
Starscape Jedi
Joined: 25 Apr 2003
Posts: 1143
Location: Glasgow, Scotland

Posted: Wed Apr 06, 2005 7:01 am

Content illegal in which countries? What counts as content? Downloads? Links to sites that have downloads? Source code? Sites which advocate illegal activities? Those that advocate legalisation of illegal activities? How do you make a clear distinction?

It's one thing for these matters to be decided in court on a case-by-case basis, with all the checks and balances that brings. It's another for it to be decided in private with no warning or recourse for the affected web-masters. For these reasons, Google don't filter out any site except in response to specific complaints, such as via the legal procedures in the DMCA in the case of copyright infringement (in which case there is some opportunity for the site in question to defend itself), or at the request of government bodies in the case of various racist sites removed from google.de and google.fr.

Google is in a position of great power, and that places upon them great responsibility. They really have to go out of their way to keep both hands in the open. If they started pro-actively removing sites from their index they would leave themselves very open to accusations of bias, and confidence in the impartiality of their system would fall. Not only that, but having set the precedent, they would be inundated with demands to remove whole classes of web-sites (as opposed to individual sites), starting with the morally and politically repugnant, and then the morally and politically extreme, and finally just anything that anybody didn't like.

In short, I do not believe that censorship is ever as easy or simple as it seems.

Poo Bear
Pod Team
Joined: 14 Oct 2002
Posts: 4121
Location: Sheffield, UK

Posted: Wed Apr 06, 2005 7:23 am

Aren't you confusing censorship with abiding by the law and conforming to legal responsibilities? Censorship is bad news, but all I'm saying is that Google is a US registered company and as such it should abide by US law as it pertains to copyright infringement and other laws to do with certain extreme pornographic material, hate speech, etc.

Google isn't Sweden, it has no legal claim to impartiality, it is a US company. So far they have been using certain loopholes in the law, i.e. claiming they just link to a site and are not responsible for what the site contains, just like ISPs do with newsgroups. This is starting to change as legislation is created to ensure certain criminal data and images cannot be linked to and forces people like Google to act responsibly. Search engines constantly scan websites in great detail to maintain their databases using web bots that have some very clever code behind them, so there is no way they can claim they don't know what is on the site.

I'd like to see Google/Yahoo/MSN/etc and all other legitimate search engines be compelled to enforce all appropriate laws that apply in the country that the company is registered.

Here's how it would work:
1. Google web crawl your site to build their database records very frequently.
2. Filters work out what if any laws your site is breaking.
3. If a problem is detected the registered site owner is emailed a warning.
4. If the problem persists on the next scan then the site is temporarily removed from the database and the owner emailed again.
5. The site continues to get scanned to see if the info is removed.

Another shocking point - I've seen illegal sites actually carrying adverts by Google and to rub it in even more those self same adverts were for copyright infringing material themselves! How ridiculous is that, the law needs enforcing in my opinion, we don't need new laws (maybe the odd update) or censorship, we just need it to be applied fairly to companies that are registered in that country.

Weeble
Starscape Jedi
Joined: 25 Apr 2003
Posts: 1143
Location: Glasgow, Scotland

Posted: Wed Apr 06, 2005 8:08 am

I'm not saying that censorship is inherently bad, but I am saying that removal of sites from Google's index is inherently censorship.

> 2. Filters work out what if any laws your site is breaking.

As a programmer, does this not seem to you somewhat... uhh... optimistic? If it's difficult for courts to decide whether Grokster is breaking the law, how's a search engine supposed to do it? Do we include "how to make a bong" sites in this purge? What about libel? Fraudulent impersonation? Trademark infringement? Patent infringement?

> 3. If a problem is detected the registered site owner is emailed a warning.

Do you mean the owner of the domain name? Or just whoever's email address can be found in the site? This does not seem an easy process to automate.

> 5. The site continues to get scanned to see if the info is removed.

How is compliance measured if the site owner claims that the material as it stands is not illegal? Is it wise to create a system where Google can demand changes in a site by means of threatening to drop that site?

How about Microsoft has its compilers refuse to compile code that it suspects of infringing patents? Microsoft is a big, rich company. They can afford to assign a group of people to that.

Poo Bear
Pod Team
Joined: 14 Oct 2002
Posts: 4121
Location: Sheffield, UK

Posted: Wed Apr 06, 2005 10:07 am

I know it is far from easy to fix and mistakes are unavoidable, but we cannot ignore our own laws. Anyway, what happens currently is a DMCA notification is sent to Google where someone specifies exactly what material is copyright infringing. They then warn the owner or take the site off Google and notify the owner of why. This is what should happen in theory anyway, search engines don't always respond to DMCA notifications as they should.

In practice it would mean dedicating a lot of time to constantly checking Google, it would be better if someone could just send in the names of cracks/hacks as they crop up and Google maintain a database of that info which is fed into their web crawling technology. You're right in that it is probably too difficult to automatically work out that something is illegal, too prone to error, better to base it on author reported crack/hack details.

BUT - what if someone claims infringement when there isn't any? Well that could happen and probably does happen right now! Presumably the site owner contacts Google after the warning and then a dispute takes place over the offending material which is resolved one way or the other.

So the law already seems to be in place, people are already using it to force ISPs and search engines to remove illegal content. The problem is the process is too inefficient at the minute to be effective, the search engines could fix that if they put their minds to it. You are right though that improvements have to be made carefully.

Weeble
Starscape Jedi
Joined: 25 Apr 2003
Posts: 1143
Location: Glasgow, Scotland

Posted: Wed Apr 06, 2005 11:35 am

Cue lots of new spam:

"Attenti0n moonpod.com, we have detected illegaI warez on your site, and it will be remooed from our index at Google unless you click on this link immediatly to verify you're details: http://www.googIe.com/herelittlephishies.html"

Pessimist? Me?

EDIT - Err... the board is autolinking that fake URL. It's not supposed to be real. (You'll note that's an "I" and not an "L" in the domain name.)

Poo Bear
Pod Team
Joined: 14 Oct 2002
Posts: 4121
Location: Sheffield, UK

Posted: Wed Apr 06, 2005 12:18 pm

Oh no, don't get me started on unsolicited email and viruses. Even though we have about 3 layers of filtering I still have to sort through about 20 heavily disguised emails a day. How many emails do we lose because the filters are a bit too active or I mistake something real for spam and delete it? It's too easy to just say "well, buy some more anti-spam/anti-virus software and accept you will lose an hour a day sifting through it".

Why shouldn't Yahoo (or whoever) be held responsible somehow and compelled to do something about it? Why is it if I turn off my firewall I immediately get port scanned and molested by people who I KNOW are on the same ISP as me, never mind the rest of the net? Why can people register www.idodffefopd.com and use it to spam 5,000,000 people before being stopped and instantly moving to another gobbledigook URL? Why can people fake moonpod as an email's source and then send people viruses and spam that appear to come from us?

Why don't companies operating the Internet act responsibly and comply with the intent of the law as applied in their country? Money. It isn't technology, it isn't the lack of applicable laws, it isn't complexity, it's just money and the desire to get as much as possible for doing as little as possible.

Why do people cheat in Wolfenstein matches and ruin the game for everyone or complain because I've got a cheap kill using a perfectly valid weapon, i.e. the rocket launcher?

Why...

Oh hang on I've gone mad (again) .....

Fost
Pod Team
Joined: 14 Oct 2002
Posts: 3734

Posted: Wed Apr 06, 2005 1:50 pm

Hang on though - spam can be a good thing! - today for instance, I've been sent special offers on take out sushi in Moscow.

See - useful!

Here's another controversial idea - you know that 'Seti@home' thing? How about something similar, 'DOSATTACK@home' ?

Essentially, a screensaver that downloads a maintained list of spamming IPs and executes denial of service attacks on them.

Ok - more than likely illegal, and prone to abuse, it'd be nice to have any means to fight back at spammers though.

Poo Bear
Pod Team
Joined: 14 Oct 2002
Posts: 4121
Location: Sheffield, UK

Posted: Wed Apr 06, 2005 2:12 pm

They make you jump through hoops, but it can be done:

http://www.google.com/dmca.html#notification

Weeble
Starscape Jedi
Joined: 25 Apr 2003
Posts: 1143
Location: Glasgow, Scotland

Posted: Wed Apr 06, 2005 7:23 pm

Fost wrote:
> How about something similar, 'DOSATTACK@home' ?

It's been done.