Modders, Hackers, Scripters, and Security...

Comments

  • LaeeshLaeesh Member UncommonPosts: 95

    this one made me think as well.. But honestly I think we can't really tell what this exactly means in the future, but yeah this could turn out really awful if handed the wrong way. This said, it even could turn out very well, it's the people who decide which way they use these given tools, misuse them or use them the "right" way.. and yeah obviously there will be people who think it's funny to destroy the fun... in exchange for their personal entertainment. =/

  • ArcherBullseyeArcherBullseye Member Posts: 77
    Originally posted by Taldier

    Originally posted by GrayGhost79

    I've explained what I want, I want MJ or someone from CSE to explain why I shouldn't concern myself with DDOS attacks on chat systems that are fully accessible outside of game. 

    I'm going to suspend my disbelief for a moment and just give in to all of your arguments.

    If we assume for a moment that DDOS attacks would work against an opposing guild's chat. Any minor strategic advantage would be countered out by the difficulty of what you are proposing and the penalties for being caught. Why would anyone bother? Seriously, every guild has voice chat now.

    Better go warn Ventrilo too about DDOS attacks existing, since you apparently think that you're the only one who's ever heard of them.

    Seriously, these guys have been designing online games for years, but "oh noes!! they gonna get pwned by DDOS attacks!!!1". They aren't any more of a target than anyone else.

    He thinks that because of how they are opening up the game, that they will be more vulnerable to DDOS attacks.. but he keeps neglecting the intermediary and the token system. It's been stated that you will only have access to your info (and that's limited) so how he makes the jump to a different realm is beyond me.


  • GrayGhost79GrayGhost79 Member UncommonPosts: 4,775
    Originally posted by ArcherBullseye

    He thinks that because of how they are opening up the game, that they will be more vulnerable to DDOS attacks.. but he keeps neglecting the intermediary and the token system. It's been stated that you will only have access to your info (and that's limited) so how he makes the jump to a different realm is beyond me.

    Yes, I think that by allowing in game chat being fully accessible outside of game and chat servers having specific public addresses it makes DDOSing said chat servers easier.

    I'm also making the assumption that if a company as large and as security minded as Sony can get DDOSed then a company like CSE with limited resources is easier to DDOS especially considering how open they have decided to make their chat systems.

    I apologize for these concerns but after engaging in online gaming for well over a decade I feel I have reason to be concerned about it. You know, history and all that jazz.

    Something as simple as "We don't actually have the chat system fully linked to the outside chat system. It simply relays the messages between the two servers (Outside and inside) so if the out of game chat server goes down it won't affect the in game chat server" would go a long way to squashing this one issue.

  • HjamnrHjamnr Member Posts: 163
    Originally posted by GrayGhost79

    Yes, I think that by allowing in game chat being fully accessible outside of game and chat servers having specific public addresses it makes DDOSing said chat servers easier.

    I'm also making the assumption that if a company as large and as security minded as Sony can get DDOSed then a company like CSE with limited resources is easier to DDOS especially considering how open they have decided to make their chat systems.

    I apologize for these concerns but after engaging in online gaming for well over a decade I feel I have reason to be concerned about it. You know, history and all that jazz.

    Something as simple as "We don't actually have the chat system fully linked to the outside chat system. It simply relays the messages between the two servers (Outside and inside) so if the out of game chat server goes down it won't affect the in game chat server" would go a long way to squashing this one issue.

    Squashing the paranoia, you mean? It is very easy to infer from AM's statements, about the local java library and no direct xmlhttp access, that the chat would be functioning in a similar secure fashion.

  • TaldierTaldier Member CommonPosts: 235
    Originally posted by GrayGhost79

    ...security minded as Sony...

    I'm sorry, but this line just made me LOL.

  • GrayGhost79GrayGhost79 Member UncommonPosts: 4,775
    Originally posted by Taldier
    Originally posted by GrayGhost79

    ...security minded as Sony...

    I'm sorry, but this line just made me LOL.

    I hope not, because MJ has less money to put towards security and is opening up access a great deal more than Sony does. Keep in mind that PvP centric games tend to bring on more of this kind of attention than PvE games. If you're laughing at the level of security that Sony has I would hate to see what you think of the level of security CSE can afford with that sole 5mil for everything.

  • AeodoAeodo Member Posts: 61

    [email protected]

    Ask your question here if you want an answer from CSE.

  • GrayGhost79GrayGhost79 Member UncommonPosts: 4,775
    Originally posted by Hjamnr

    Squashing the paranoia, you mean? It is very easy to infer from AM's statements, about the local java library and no direct xmlhttp access, that the chat would be functioning in a similar secure fashion.

    Would be if they didn't say it's the exact same chat system. Fault me for asking for clarification all you want, I don't really care. This is one of my concerns. Regardless of whether you or others feel it's baseless or not does not change it is one of my concerns. I do think it's funny you refer to it as paranoia when similar things have happened in countless PvP focused games MMO and Non with less access granted to the systems. What makes you think MJ has magically found a cure for this issue that has plagued numerous others? Is this magical cure so amazing that he can open up access to such a degree when other larger companies can't manage to with lesser access for users?

  • TaldierTaldier Member CommonPosts: 235
    Originally posted by GrayGhost79
    Originally posted by Taldier
    Originally posted by GrayGhost79

    ...security minded as Sony...

    I'm sorry, but this line just made me LOL.

    I hope not, because MJ has less money to put towards security and is opening up access a great deal more than Sony does. Keep in mind that PvP centric games tend to bring on more of this kind of attention than PvE games. If you're laughing at the level of security that Sony has I would hate to see what you think of the level of security CSE can afford with that sole 5mil for everything.

    You seem to be under the mistaken belief that Sony put any money or effort into customer security. They've gotten hacked (repeatedly) by a bunch of kids using SQL injection. Anyone who has taken an introductory database course could learn to do that.

    It's not just a matter of having money. It's a matter of giving a damn when you write the code in the first place.

  • mklinicmklinic Member RarePosts: 1,976

    For DDoS'ing the chat server, has it been stated that guild chat 'servers' would be isolated from each other or that it would be more like IRC in that you have 'chatrooms' all on one server/cluster/etc? DDoS'ing as a form of metagame against opponents would seem like shooting yourself in the foot if the latter. DDoS'ing from an outside source for some other motivation (or just for lulz as it were) would still be a risk, but using a niche game for example, didn't EvE have to deal with that problem as well? I don't really see any way of completely avoiding that risk or that exposing certain functionality inherently increases the risk.

    That said, have specifics like this even been ironed out? My take on everything is that they've basically been saying "here is our idea!". As I understand it, development wasn't going to happen unless KS funded (though we have seen some dev in the engine/network/smackhammer-game) so I inferred that details, such as security and what not, would be ironed out post-funding. By this, I mean that something like security is a big thing to get right. I don't think it's practical to throw together a quick demo of security as that would only lead to every armchair admin/programmer/rodent-of-unusual-size claiming how inadequate/incomplete/etc the security measures were. Conversely, a quick demo showing a lot of characters on a screen or multiple people running around in a networked environment might be adequate for displaying base functionality of a game.

    I certainly agree that security needs to be a big concern, but personally, I'd be satisfied hearing they understand that and their product will be designed with security in mind (once development starts in earnest). I understand if that doesn't satisfy you (or anyone else really), but just giving my perspective.

    -mklinic

    "Do something right, no one remembers.
    Do something wrong, no one forgets"
    -from No One Remembers by In Strict Confidence

  • jandrsnjandrsn Member Posts: 187
    Maybe we ought to all let this game just sit in the oven and cook a little more before we get too into analyzing it so much. Auction houses, dungeon finders, security... Nobody here has any idea what the specifics on this stuff will be. Not even MJ. It's too far out still. All we have are a few scraps of info and supposition at this point. Debating gameplay stuff, I can see that though.
  • GrayGhost79GrayGhost79 Member UncommonPosts: 4,775
    Originally posted by jandrsn
    Maybe we ought to all let this game just sit in the oven and cook a little more before we get too into analyzing it so much. Auction houses, dungeon finders, security... Nobody here has any idea what the specifics on this stuff will be. Not even MJ. It's too far out still. All we have are a few scraps of info and supposition at this point. Debating gameplay stuff, I can see that though.

    Normally I would be all for waiting until development is well under way before asking these kinds of questions. The problem is that MJ is asking for our money up front before we get a chance to let things sit in the oven and cook a little more. If we don't pay now, we don't get a game. If we don't have the details now, we don't know what we are paying for. 

  • EllyaEllya Member Posts: 99
    Originally posted by ArcherBullseye
    Andrew answered many of those questions. I will try to find that post for you since the search function seems to be broken on this site.

    Edit: You can read the whole thread but Andrew starts at #33

    http://www.mmorpg.com/gamelist.cfm/game/926/view/forums/thread/381408/page/4

     

    "First, don’t expect to make XMLHttpRequests directly from your own JavaScript if you want to run within the game. We plan to implement a lightweight JavaScript library to act as an intermediary. When running standalone on the web, this library will still speak AJAX and WebSockets... On the other hand, when your (or our) code is running in the game and using that library, for performance reasons some calls will be redirected into the client rather than actually making an HTTP request. We’ll encourage — and very likely enforce — that everyone use that library rather than going directly to our server. That will ensure UI mods can be as responsive as possible by using data the client has already cached locally, while still preserving the ability to work standalone."

    He is mostly talking about speed.. but this gives you an idea how it will be networked into the system to prevent hacks/mods/DOS/etc...

    The key thing, I believe, is the use of the phrase "lightweight library".  You're only going to be able to change the things via the library they give you access to.

  • TsaboHavocTsaboHavoc Member UncommonPosts: 435
    i think u fanboys should be worried until clarification, instead of attacking the poster, it's a valid concern and worth looking since u can't underestimate hackers and damage they can do to a PvP centric game.
  • ArcherBullseyeArcherBullseye Member Posts: 77
    Originally posted by GrayGhost79
    ~$

    Yes, I think that by allowing in game chat being fully accessible outside of game and chat servers having specific public addresses it makes DDOSing said chat servers easier.

    I'm also making the assumption that if a company as large and as security minded as Sony can get DDOSed then a company like CSE with limited resources is easier to DDOS especially considering how open they have decided to make their chat systems.

    I apologize for these concerns but after engaging in online gaming for well over a decade I feel I have reason to be concerned about it. You know, history and all that jazz.

    Something as simple as "We don't actually have the chat system fully linked to the outside chat system. It simply relays the messages between the two servers (Outside and inside) so if the out of game chat server goes down it won't affect the in game chat server" would go a long way to squashing this one issue.

    I feel like he has already said that they are separate. It has been stated in this thread.

    The bigger the company the harder they fall. Sony was an easy well known target. I am not saying that CU will not get attacked, they will.. But everyone does. Thousands of cyber attacks happen every day, your computer could be DDOS'ed right now, or being used for one and you might not even know. (since you're asking, I assume you could spot one on your computer) What I am trying to say, is that security is in the forefront of everyone's mind these days and I ASSUME Andrew has the competence to address that. Also it may not be a perfect system, but I think they will work out some of those bugs as it goes along.

    I hope you don't feel that we are attacking you personally. We are just trying to fill in with the information we have; and that is limited. For all we know Andrew has not decided how they plan on securing it... since the game is 2 years+ out. I would love the answer to what you asked, but I also understand it is not likely to be answered, and posting it here seems to be of little help since you have done your own research.


  • ArcherBullseyeArcherBullseye Member Posts: 77
    Originally posted by TsaboHavoc
    i think u fanboys should be worried until clarification, instead of attacking the poster, it's a valid concern and worth looking since u can't underestimate hackers and damage they can do to a PvP centric game.

    If you didn't know.. hackers are everywhere... scary I know. The good ones tend to do large things.. Sony, Google, credit card companies, etc..


  • TsaboHavocTsaboHavoc Member UncommonPosts: 435
    Originally posted by ArcherBullseye
    Originally posted by TsaboHavoc
    i think u fanboys should be worried until clarification, instead of attacking the poster, it's a valid concern and worth looking since u can't underestimate hackers and damage they can do to a PvP centric game.

    If you didn't know.. hackers are everywhere... scary I know. The good ones tend to do large things.. Sony, Google, credit card companies, etc..

    u want to keep them at minimum and don't give them any tools.

  • ArcherBullseyeArcherBullseye Member Posts: 77
    Originally posted by TsaboHavoc
    Originally posted by ArcherBullseye
    Originally posted by TsaboHavoc
    i think u fanboys should be worried until clarification, instead of attacking the poster, it's a valid concern and worth looking since u can't underestimate hackers and damage they can do to a PvP centric game.

    If you didn't know.. hackers are everywhere... scary I know. The good ones tend to do large things.. Sony, Google, credit card companies, etc..

    u want to keep them at minimum and don't give them any tools.

    First of all, they have all the tools they need. Telling the world how they plan on securing the game, gives them a head start.


  • skyexileskyexile Member CommonPosts: 692

    I'm gonna bust out with my script and crit everybody in los for 2,000,000 damage...oh it won't work, because the server won't authorise it because that much damage at that distance is impossible for my character...well there goes that plan...

    SKYeXile
    TRF - GM - GW2, PS2, WAR, AION, Rift, WoW, WOT....etc...
    Future Crew - High Council. Planetside 1 & 2.
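
The server-side check described in the post above, sketched as an added example; it is not code from the thread, from CSE or from any game. The character fields, message shape and function names are hypothetical, and the world data is constructed.

```javascript
// Authoritative character state, held only on the server (constructed data).
function makeWorld() {
  const base = { range: 30, maxHit: 450, critMult: 2, cooldownMs: 1500, lastAttackAt: -Infinity };
  return new Map([
    ['skirmisher', { ...base, owner: 'acct-1', x: 0, y: 0, hp: 900 }],
    ['near-target', { ...base, owner: 'acct-2', x: 12, y: 9, hp: 800 }],
    ['far-target', { ...base, owner: 'acct-3', x: 400, y: 0, hp: 800 }],
  ]);
}

// Check one claimed hit against what the attacker could actually do.
function validateHit(world, attacker, hit) {
  if (!hit || typeof hit !== 'object') return { ok: false, reason: 'malformed-hit' };
  const target = world.get(hit.targetId);
  if (!target) return { ok: false, reason: 'unknown-target' };
  if (!Number.isFinite(hit.claimedDamage) || hit.claimedDamage < 0) {
    return { ok: false, reason: 'malformed-damage' };
  }
  // Distance comes from server-side positions, never from the message.
  const dist = Math.hypot(target.x - attacker.x, target.y - attacker.y);
  if (dist > attacker.range) return { ok: false, reason: 'out-of-range' };
  // Highest value this character can produce, even on a critical hit.
  const ceiling = attacker.maxHit * attacker.critMult;
  if (hit.claimedDamage > ceiling) return { ok: false, reason: 'damage-exceeds-ceiling' };
  return { ok: true, damage: Math.floor(hit.claimedDamage) };
}

// Process one attack message: { attackerId, hits: [{ targetId, claimedDamage }] }.
// sessionAccount is the account the connection authenticated as.
function applyAttack(world, sessionAccount, msg, nowMs) {
  const attacker = world.get(msg.attackerId);
  if (!attacker || attacker.owner !== sessionAccount) {
    return { accepted: false, reason: 'not-your-character', results: [] };
  }
  if (nowMs - attacker.lastAttackAt < attacker.cooldownMs) {
    return { accepted: false, reason: 'cooldown', results: [] };
  }
  if (!Array.isArray(msg.hits)) {
    return { accepted: false, reason: 'malformed-message', results: [] };
  }
  // The attempt consumes the cooldown whether or not any hit is accepted,
  // so rejected claims cannot be retried in a tight loop.
  attacker.lastAttackAt = nowMs;
  const results = msg.hits.map((hit) => {
    const verdict = validateHit(world, attacker, hit);
    if (verdict.ok) {
      const target = world.get(hit.targetId);
      target.hp = Math.max(0, target.hp - verdict.damage);
    }
    return { targetId: hit ? hit.targetId : undefined, ...verdict };
  });
  return { accepted: true, results };
}
```

Rejected claims are returned with a reason so they can be logged and reviewed; hit points change only for hits that pass every check.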

  • GrayGhost79GrayGhost79 Member UncommonPosts: 4,775
    Originally posted by skyexile

    I'm gonna bust out with my script and crit everybody in los for 2,000,000 damage...oh it won't work, because the server won't authorise it because that much damage at that distance is impossible for my character...well there goes that plan...

    http://wow.joystiq.com/2012/10/07/reports-entire-cities-dead-on-certain-realms/

    "This afternoon, Paris time, something very strange happened on various realms. Argent Dawn's forums have a long thread about it, but to cut a long story short, everyone in Stormwind and Orgrimmar was killed, NPCs included. It's also been happening on Tarren Mill, Ragnaros, Draenor, Twisting Nether, and no doubt other servers.

    Of course, rumors abound as to just exactly what happened. Most people point towards it being a hack, and there's some videos out there floating around that give credence to this theory. Has it happened on your realm? What on earth is going on? And what do you think is causing it?"

     

    I would think that the servers weren't supposed to allow that type of thing in WoW either, but with less interaction allowed with the servers by players and a much bigger budget for security measures and such... well it was apparently possible. 

  • TaldierTaldier Member CommonPosts: 235
    Originally posted by GrayGhost79

    http://wow.joystiq.com/2012/10/07/reports-entire-cities-dead-on-certain-realms/

    "This afternoon, Paris time, something very strange happened on various realms. Argent Dawn's forums have a long thread about it, but to cut a long story short, everyone in Stormwind and Orgrimmar was killed, NPCs included. It's also been happening on Tarren Mill, Ragnaros, Draenor, Twisting Nether, and no doubt other servers.

    Of course, rumors abound as to just exactly what happened. Most people point towards it being a hack, and there's some videos out there floating around that give credence to this theory. Has it happened on your realm? What on earth is going on? And what do you think is causing it?"

     

    I would think that the servers weren't supposed to allow that type of thing in WoW either, but with less interaction allowed with the servers by players and a much bigger budget for security measures and such... well it was apparently possible. 

    I wish media outlets would stop using the word "hack" for everything involving a computer. People just use that word for everything now because they don't know how computers work.

    Those "hackers" (lol) used an exploit in the game to kill everyone. They weren't hacking into the server.

    None of that has anything to do with what type of UI your client has.

  • GrayGhost79GrayGhost79 Member UncommonPosts: 4,775
    Originally posted by Taldier

    I wish media outlets would stop using the word "hack" for everything involving a computer. People just use that word for everything now because they don't know how computers work.

    Those "hackers" (lol) used an exploit in the game to kill everyone. They weren't hacking into the server.

    None of that has anything to do with what type of UI your client has.

    Okay lol, I don't know why you are bringing up the UI when discussing this. Why would you even think that the UI modding would have anything to do with this? 

     

    In any case, with this particular concern I am referring to things like the below statements... 

    "Access to characters? Statistics for your realm? The state of the war and frontiers? All there."

     

    "But as a general rule, your entire in-game social life and much of your economic life will be accessible from anywhere, in any modern web browser, without plugins, in exactly the same form as when you’re running our big shiny standalone 3D desktop client."

    "Our web API is our first and foremost API. That means that anything you can access in-game, you can access and display on your own website, running your own code."

     

    The UI issues I was referring to are a separate issue. The UI customizations allow for scripts that are frowned upon at the very least in a PvP game. Zymurgeist covered these pretty nicely in post #25

     

    The DDOS concern was about the ability to access the full chat system outside of the game. 

     

    I don't know if you are intentionally trying to "confuse" things or if you are honestly having trouble understanding my concerns. In either case I hope this cleared things up. 

     

    In any case, the "Hack" in WoW was done with a script and distributed. The poster I was replying to tried to be funny and say he was going to use a script to get massive crits on people and then said he wouldn't be able to due to the server not allowing it. I showed him an example of a script used in WoW to kill entire zones instantly. Of course the whole article for CU was discussing modding and scripting opportunities in CU lol. I'm sure you can see the relevance now... 

  • TaldierTaldier Member CommonPosts: 235
    Originally posted by GrayGhost79

    Okay lol, I don't know why you are bringing up the UI when discussing this. Why would you even think that the UI modding would have anything to do with this? 

     In any case, with this particular concern I am referring to things like the below statements... 

    "Access to characters? Statistics for your realm? The state of the war and frontiers? All there."

     

    "But as a general rule, your entire in-game social life and much of your economic life will be accessible from anywhere, in any modern web browser, without plugins, in exactly the same form as when you’re running our big shiny standalone 3D desktop client."

    "Our web API is our first and foremost API. That means that anything you can access in-game, you can access and display on your own website, running your own code."

     

    What about this concerns you? You have real time statistics about what's going on. It's like having inquiry access, but not update. You actually can't change any of those statistics.

    You have access to everything you have while inside the game. Not more than you do inside the game. If you can't do something within the game, you can't do it through the web API.

    The quotes that you are picking out as scary and dangerous are really innocuous basic stuff.

  • reb007reb007 Member UncommonPosts: 613

    I like the idea, but there's definitely some concerns.  One of the most important rules of programming and designing software systems is "Never trust the user."

    CSE would need to make damn sure that they have locked down every possible security vulnerability, otherwise they'll have a mess on their hands.

     

    I can see allowing us to access an API via HTML and CSS.  But allowing anything beyond that could get ugly

  • naezgulnaezgul Member Posts: 374

    I believe you will need to be signing into your account when using handhelds, and using a browser...

    so it's not like you can hop on a browser and stream any guild chat channel there is.....only the ones you have permission for
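
An added example, not code from the thread or from CSE, of the access model several posters describe: a signed-in account, chat limited to channels that account belongs to, statistics that can be read but not updated, and one policy shared by the in-game and web paths. The token format (HMAC-SHA256 over hex-encoded claims), resource names and function names are assumptions made for illustration, and the membership data is constructed.

```javascript
const crypto = require('crypto');

// Constructed sample data. A real key would come from a secret store.
const SERVER_KEY = crypto.randomBytes(32);
const channelMembers = new Map([
  ['chat:ravens', new Set(['acct-1', 'acct-2'])],
  ['chat:wolves', new Set(['acct-3'])],
]);

function sign(payloadHex, key) {
  return crypto.createHmac('sha256', key).update(payloadHex).digest();
}

// Token = hex(JSON claims) + "." + hex(HMAC-SHA256 over the hex claims).
function issueToken(accountId, expiresAtMs, key = SERVER_KEY) {
  const claims = JSON.stringify({ sub: accountId, exp: expiresAtMs });
  const payloadHex = Buffer.from(claims, 'utf8').toString('hex');
  return `${payloadHex}.${sign(payloadHex, key).toString('hex')}`;
}

// Returns the account id, or null if the token is malformed, forged or expired.
function verifyToken(token, nowMs, key = SERVER_KEY) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const expected = sign(parts[0], key);
  const given = Buffer.from(parts[1], 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], 'hex').toString('utf8'));
  } catch (err) {
    return null;
  }
  if (!claims || typeof claims.sub !== 'string' || !(claims.exp > nowMs)) return null;
  return claims.sub;
}

// One policy function, shared by the in-game path and the web path, so the
// web API can never grant more than the game client does. Default is deny.
function isAllowed(account, action, resource) {
  if (typeof resource !== 'string') return false;
  if (resource.startsWith('stats:')) return action === 'read'; // inquiry only
  if (resource.startsWith('chat:')) {
    const members = channelMembers.get(resource);
    // Unknown channel and non-member get the same answer.
    return (action === 'read' || action === 'post') &&
      members !== undefined && members.has(account);
  }
  return false;
}

// Web path: identity comes from the verified token, never from the request body.
function handleWebRequest(req, nowMs) {
  const account = verifyToken(req.token, nowMs);
  if (account === null) return { status: 401 };
  if (!isAllowed(account, req.action, req.resource)) return { status: 403 };
  return { status: 200, account };
}

// In-game path: the session is already authenticated; same policy applies.
function handleInGameRequest(sessionAccount, action, resource) {
  return isAllowed(sessionAccount, action, resource) ? { status: 200 } : { status: 403 };
}
```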
