  Starting my first game - general questions  (Read 5023 times)
Offline DrQuincy

Junior Member




Vwls hv bn bnnd!


« Posted 2005-08-15 18:35:26 »

I'm about to start a simple 2D networked game and have some questions.

 - The game is going to be based on an old Atari ST game.  What are the copyright issues here?  Other than trademarks I read that games are only protected by patents and that you can make a similar game (like all those Breakout and Tetris clones) without breaking the law.  Is this true?  Are there any guides on making clones?

 - I want 2 - 4 players to be able to play without anything running on the server.  It's a turn based game - how can I do this?  As long as I have each player's IP address can I send the data through sockets to each player after every turn?

 - I want to send and receive data to my website through HTTP (for a global score board and so players can "wait" for other players to join).  I know how to do this just by using post or get.  Is there a better, more secure way?

Thanks.
Offline Jeff

JGO Coder




Got any cats?


« Reply #1 - Posted 2005-08-15 21:13:19 »

Quote
I'm about to start a simple 2D networked game and have some questions.

 - The game is going to be based on an old Atari ST game.  What are the copyright issues here?  Other than trademarks I read that games are only protected by patents and that you can make a similar game (like all those Breakout and Tetris clones) without breaking the law.  Is this true?  Are there any guides on making clones?

I'm going to answer this from the point of view of US law.
(1) IT IS ILLEGAL IN THE UNITED STATES FOR ANYONE NOT LICENSED AS AN ATTORNEY TO GIVE LEGAL ADVICE.  That's very important.  I am not a lawyer.  Everything I say from here on out is not to be considered legal advice.  If you want an opinion you can in any way rely on to protect yourself, you should consult a proper IP attorney.  The following is just the understanding of a studied amateur.

(2) Having said that, there are a number of different issues. 

The first and biggest is Copyright.  Any original intellectual work fixed in a tangible medium is subject to US copyright law in so far as the work IS original.  So, for instance, the image of a Space Invader is protected by Copyright.  So are the sounds the game makes as it advances.  Beyond that it gets into grey territory.  The one clear place that is NOT protected is the abstract concept of gameplay.  This has been specifically clarified by the copyright office.  So a line of things marching back and forth down the screen at the player while he shoots is fair game, but not if they look or sound like space invaders.

There is a second kind of Copyright infringement called a "derivative work".  If a work can be seen to be derived from a copyrighted work, then it is at least partially owned by the creator of the original copyrighted work.  So you can't just change a few pixels on the space invader graphic and claim it's your own.  If it looks like a space invader to the average eye, you're in violation.

Copyrights eventually expire.  It used to be something like 75 years or the life of the Copyright holder +25 years.  That's why most classical music is out of Copyright by now.  HOWEVER corporations threw a monkey-wrench into this as Copyright holders since Corporations never die. Again it used to be that corporations were limited to 100 years BUT in recent years some Corporations that depend on Copyright (notably Disney) have gotten that extended and extended...

Note that in the classical music case, while the music is no longer under Copyright protection, a given performance is still Copyright to that performer and cannot be legally copied until the Copyright on that performance expires.

In practice, this means that you can take a piece of older music and put a performance you create in your game, but you can't just lift one off a CD.  A cheap dodge I've come up with is this:
(1) Copyright free musical work
(2) Public Domain MIDI score of the work
(3) MIDI rendering (either in game or ahead of time and saved to a music file)

Obviously it sounds like MIDI, but at least it's free and clear legalities-wise.

(2) Patent law is the second way software is covered in the US. Patent Law however is a very bad mechanism in that there is NO way to protect yourself short of a full, expensive, patent search.  In copyright, ignorance is a defense-- if you come up with something that looks like a Space Invader but you can prove you never saw a space invader (good luck in that particular case) then you are safe.  In Patent, ignorance of the Patent is NOT a defense.  The only good news is that Patents expire fairly quickly.  That's of limited usefulness to those of us doing individual works I'm afraid.

Big corporations handle this with a kind of "cold war".  Each keeps a large patent library and ASSUMES that they will infringe each other's patents.  Since they assume they are already in infringement, they won't sue the other for infringement.

Again that's of little help to the small developer.  Basically, today, small developers are screwed in the Patent front which is why it's a bad law.  You really just need to not purposefully infringe any patents you know of and otherwise just pray you are too small for the big patent holders to even notice or care about.

(3) Trademark.  Trademark is MOSTLY a red herring.  Most people do not understand Trademarks at all and think they are like Copyrights.  They are not at all like Copyrights.  Trademarks are not about limiting the copying of artwork, ideas, etc.  They are ONLY about an individual's or company's right to identify itself unambiguously to its customers.

A trademark is infringed if and only if it is used in a way that would confuse an average consumer as to the origin of a product or service.

What does this mean?  This means I can't call my game "Space Invaders" as that might confuse the customer into thinking I am Atari.  But I CAN call my game "Space Hunter:  A Space Invaders Clone" because it's clear that this is NOT the original Space Invaders and I am not claiming to be its originator.

See?

Quote
- I want 2 - 4 players to be able to play without anything running on the server.  It's a turn based game - how can I do this?  As long as I have each player's IP address can I send the data through sockets to each player after every turn?

Your biggest issue here is consumer firewalls.  As long as you don't have firewalls in the way, you're fine and can do whatever you want between the two players.

You cannot do UDP (what java.net calls DatagramSocket) between two firewalled players without a server to help.  Similarly, you generally cannot accept an incoming TCPIP connection (what java.net calls a "ServerSocket") through a consumer firewall without doing something called "port mapping."  This is a configuration thing one player (the "host") needs to do on their firewall.

So your choices really are:
(a) TCPIP (java.net.Socket and java.net.ServerSocket) and potentially make the host map a TCPIP port to make it work

OR

(b) a server of some kind

That's really all you can do.

For a turn based game (or for UDP punch-through too, I suppose), you could write a Servlet that operates as a server and try to find someplace to host that...

Quote
- I want to send and receive data to my website through HTTP (for a global score board and so players can "wait" for other players to join).  I know how to do this just by using post or get.  Is there a better, more secure way?

HTTPS is pretty secure as a pipe.  Is that what you are asking about? Or do you have other security concerns?


Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  It's likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline DrQuincy

Junior Member




Vwls hv bn bnnd!


« Reply #2 - Posted 2005-08-16 00:34:02 »

Hi Jeff

Thanks for your detailed reply.

I understand what you're saying about things such as graphics and sound (i.e. tangible things) being bound by copyright.  That means I should be okay with this game as I'll be doing all the sound and graphics myself.  It's only the idea I'm basing on (the grey area of gameplay!) so I'm happy to go ahead with it.

Regarding the network protocol I had written off UDP.  Since there is not much data to transmit, only a maximum of four clients and the accuracy of the data is paramount I'd taken it as a given that it would be TCP over UDP.  I've never really done Java network programming before but I have been programming in PHP for the last 3 years so I have limited understanding on the matter but would this work? (see below)

Fundamentally, the game can be represented as a serialised 2D array of about 12 by 12 and data only needs to be sent from 1 client to a maximum of four other clients after a turn is made.  So, very little data needs to be exchanged between the clients.  Can I exchange data by sending the serialised variable as HTTP post or get?  Would this eliminate the worry of getting through a firewall and having to code a server application?  I could default it to port 80 and then let the user change it if their setup is different - would this work?

Finally, HTTPS is not enabled on my server unfortunately.  I suppose it doesn't matter too much if I send it unencrypted...
Offline Jeff

JGO Coder




Got any cats?


« Reply #3 - Posted 2005-08-16 04:12:24 »

Hi
Quote
Fundamentally, the game can be represented as a serialised 2D array of about 12 by 12 and data only needs to be sent from 1 client to a maximum of four other clients after a turn is made.  So, very little data needs to be exchanged between the clients.  Can I exchange data by sending the serialised variable as HTTP post or get?  Would this eliminate the worry of getting through a firewall and having to code a server application?

Yes and no.

Yes, you could be just about positive that the sender could initiate a connection through their firewall, either directly or indirectly through a proxy.

But no, it doesn't solve the problem of receiving that incoming HTTP request.  An HTTP request is really a TCP connection and the same issues apply.  In order to receive the HTTP request you need to open a ServerSocket and wait for connection on a well known port BUT the firewall has to allow (actually forward) connections to that port in order for you to receive them. So you're still stuck with having to map a port on the host.

Quote
I could default it to port 80 and then let the user change it if their setup is different - would this work?

I think I answered this above :)  My answer was assuming port 80. If you're not on port 80 or 8080 then you likely won't be able to go through proxies on really tight networks, even to get the request out to begin with.
(Most home users' networks aren't this tight-- they allow all outgoing TCP.  This is really an issue just in business/corporate environments that may have higher security.)

Quote
Finally, HTTPS is not enabled on my server unfortunately.  I suppose it doesn't matter too much if I send it unencrypted...

Not entirely sure what you mean here. Do you HAVE a web server already? If so see my suggestion of doing your game server as a servlet.

But you can do HTTPS from client to client directly, it just means that the "host" client has to act like a tiny web server.

Offline DrQuincy

Junior Member




Vwls hv bn bnnd!


« Reply #4 - Posted 2005-08-16 11:27:08 »

My point is though if the clients are all exchanging data by HTTP get or post through the HTTP port as far as firewalls are concerned isn't each client just acting as a browser sending data by HTTP and thus allowed through any firewall that allows HTTP?

I don't have my own web server, I pay for hosting on a shared server and the package doesn't include HTTPS.
Offline Jeff

JGO Coder




Got any cats?


« Reply #5 - Posted 2005-08-17 02:39:46 »

Quote
My point is though if the clients are all exchanging data by HTTP get or post through the HTTP port as far as firewalls are concerned isn't each client just acting as a browser sending data by HTTP and thus allowed through any firewall that allows HTTP?

Who is on the other end of that POST?  You need a server to receive those POST attempts and to give one user's data to the other and vice versa.

Quote
I don't have my own web server, I pay for hosting on a shared server and the package doesn't include HTTPS.

Are you planning on writing a Servlet that you run on that server to act as your game data server?

Offline swpalmer

JGO Coder




Where's the Kaboom?


« Reply #6 - Posted 2005-08-17 03:14:25 »

Quote
Similarly, you generally cannot accept an incoming TCPIP connection (what java.net calls a "ServerSocket") through a consumer firewall without doing something called "port mapping."  This is a configuration thing one player (the "host") needs to do on their firewall.

I was thinking about this recently, and I think you can use UPnP to auto-config the firewall in some cases to map the port.  I was going to look into this further but didn't find any good (something that wasn't as cryptic as your typical IETF RFC).  My next attempt was going to look at the source for Azureus (the Java bittorrent client) to see how they do it.

Offline Jeff

JGO Coder




Got any cats?


« Reply #7 - Posted 2005-08-17 07:02:50 »

Quote
Similarly, you generally cannot accept an incoming TCPIP connection (what java.net calls a "ServerSocket") through a consumer firewall without doing something called "port mapping."  This is a configuration thing one player (the "host") needs to do on their firewall.

I was thinking about this recently, and I think you can use UPnP to auto-config the firewall in some cases to map the port.

Indeed you can.

So can any virus.

Which is why most everyone who knows anything disables this feature on their firewalls :)

Offline Alan_W

JGO Knight


Medals: 8
Projects: 3


Java tames rock!


« Reply #8 - Posted 2005-08-17 09:00:47 »

Quote
My point is though if the clients are all exchanging data by HTTP get or post through the HTTP port as far as firewalls are concerned isn't each client just acting as a browser sending data by HTTP and thus allowed through any firewall that allows HTTP?

I don't have my own web server, I pay for hosting on a shared server and the package doesn't include HTTPS.

It depends on whether there is any Network Address Translation (NAT) going on.  Most corporate nets use this to save on the number of public IP addresses they need.  Cable & DSL routers for connecting multiple home computers to a single broadband connection also use it.

NAT exposes only a single IP address to the internet.  You may wonder what happens if more than one computer behind the NAT-router puts out a request from the same port to a server on the internet.  How does the remote server send data back and ensure it is routed to the correct computer behind the router?  This is achieved by a process called port mapping.  When a computer sends a packet out through the NAT router, the sender's IP address is replaced with that of the NAT router.  The sender's port number is replaced with an unused port number on the NAT router.  The router places this mapping in a table and will maintain it in that table for an unspecified but large number of minutes.  Meanwhile the packet goes to the server, which processes it & then sends it back to the exact IP:port that it came from.  The NAT-router receives it, looks up the mapping in its routing table and replaces the 'to' IP:port combo with that from the table.  It can then forward the packet to the computer that originally sent the request.

That is how an HTTP request originating behind a NAT router gets to a webserver & how the reply gets back to the sending computer.  Note that it is only the webserver that receives requests on port 80.  The client uses any port above 1024 for the outgoing request & this in turn is modified by the router.

The key thing about this protocol is that for data to get from the internet to a particular computer behind the NAT-router, there must be an entry in the routing table.  An entry can only get there if:
i) The interchange was initiated by the client (as discussed above)
ii) The user has manually made a permanent entry in the table.  This is called port forwarding.
iii) The application running on the client makes an entry in the routing table.  This uses Universal Plug and Play (UPnP)

This means that if you have two clients, each behind a NAT-router then they cannot directly initiate communications.  This is why a NAT-router functions as a basic firewall.  It protects the computers behind it from unsolicited connections.  However this really breaks the peer-peer (client to client) communication model.  There are four basic solutions:

i) You can run all communication through a server which isn't behind a NAT router (or if it is, use port forwarding to force an entry in the routing table).  For turn based games, you could run this on a webserver using PHP & mySQL, clients would have to poll the server regularly (say once a second) to see if it was their turn yet.  A dedicated server would allow custom server software which could maintain a continuous connection, which is more flexible, but costs more.  NB. Real time games need a higher polling rate, which means the PHP/mySQL combo is not a realistic option.  You might also look at java servlets.  These are mostly used as a backend to serving webpages, but you might be able to do more with them.  Cost is more than PHP, but less than a dedicated server.

ii) You can run peer-peer using UDP packets (TCP doesn't work with this) by implementing a simple server which just keeps a list of IP addresses, port numbers for each client & sends the list to any other client that requests it.  This is called UDP punchthrough.  The key thing with this simple server (called an Introducer) is that it must also listen using UDP.  Thus you cannot use a normal webserver to run this service.  That potentially puts the cost up of the implementation as you need a dedicated server.

iii) The client uses UPnP to automatically configure the NAT-router to do port forwarding.  However this is a very complex protocol to implement and most routers have it switched off anyway as it is a security risk.  If a virus got onto your computer, it could use UPnP to open a port on your NAT-router to allow incoming connections, making it useless as a firewall.  This is therefore a non-starter.

iv) Accept that your program doesn't work with clients behind routers.  You can ask the user to do manual port forwarding on his or her router (if they have one), to get round the problem.

If you want your application to "just work" it really comes down to option i) or ii).

If you are running a business with a permanently on internet connection, then these are easily possible (especially i) ).  However if this is a home project, then to keep costs down, you either need to implement a server using PHP/mySQL and use polling to get game state (only suitable for turn based games) or you need a dedicated server (either to do i) or ii) ). A cheap (but not 100% reliable) solution to getting a dedicated server is to run it on your own broadband connection at home.  However you have to watch the bandwidth usage.  If there is only a small amount of client-client data communication then the client-server architecture works well and allows you to implement game logic in a central location as well.  However if there is a lot of client-client communication, routing it through your server is slower & uses a lot of your bandwidth, in which case peer-peer using UDP Punchthrough is more attractive.

Note that in this case you lack a central server, which means all the game logic has to be in the clients.  This can be a problem in some sorts of games.  Also note that if you do multiplayer peer-peer, the bandwidth required by the client rises more quickly as more players are added, compared to a client-server architecture.  Shouldn't be a problem with one-on-one type games though.

As you noted, UDP is not a reliable protocol.  Thus if you use UDP punchthrough & need reliable transfer, you need to write your own layer on top to do the queuing and retries.

For a simple turn based game, you are probably best off with option i) above.  A dedicated server would be easiest, but you might be able to do something using PHP/mySQL (or a servlet) by having each client poll at a given rate (not too fast) to get current game state.

Alan

Time flies like a bird. Fruit flies like a banana.
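
The three ways an entry reaches the NAT table described in the post above, and why the UPnP route is the contested one in this thread, as a small Java model (Java 16+ for records). This is an added example, not code from any poster; the class names, addresses and ports are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Toy model of a NAT router's translation table (added example; not a real
 * router API). Addresses are constructed private-range/documentation values.
 * Simplification: inbound lookup keys on the public port only; real routers
 * may also check the remote address.
 */
public class NatTableDemo {

    /** An IP:port pair. */
    record Endpoint(String ip, int port) {
        @Override
        public String toString() {
            return ip + ":" + port;
        }
    }

    /** The three ways an entry can get into the table, per the post. */
    enum Origin { CLIENT_INITIATED, MANUAL_PORT_FORWARD, UPNP_REQUEST }

    /** One table row: where inbound traffic on a public port is sent, and why. */
    record Mapping(Endpoint internal, Origin origin) { }

    static class NatRouter {
        private final String publicIp;
        private final boolean upnpEnabled;
        private final Map<Integer, Mapping> table = new HashMap<>();
        private int nextFreePort = 40000; // arbitrary start of the router's port pool

        NatRouter(String publicIp, boolean upnpEnabled) {
            this.publicIp = publicIp;
            this.upnpEnabled = upnpEnabled;
        }

        /** (i) Outgoing packet: swap the source for publicIp:unusedPort and record it. */
        Endpoint sendOutbound(Endpoint internalSource) {
            while (table.containsKey(nextFreePort)) {
                nextFreePort++;
            }
            int publicPort = nextFreePort++;
            table.put(publicPort, new Mapping(internalSource, Origin.CLIENT_INITIATED));
            return new Endpoint(publicIp, publicPort);
        }

        /** (ii) Permanent entry typed into the router's admin page by the user. */
        void addManualForward(int publicPort, Endpoint internalTarget) {
            table.put(publicPort, new Mapping(internalTarget, Origin.MANUAL_PORT_FORWARD));
        }

        /**
         * (iii) Entry requested by software on the LAN. The router in this model
         * cannot tell the game from any other local program; its only control
         * is the on/off switch.
         */
        boolean requestUpnpMapping(int publicPort, Endpoint internalTarget) {
            if (!upnpEnabled) {
                return false;
            }
            table.put(publicPort, new Mapping(internalTarget, Origin.UPNP_REQUEST));
            return true;
        }

        /** Packet arriving from the internet: forwarded only if a row exists. */
        Optional<Mapping> receiveInbound(int publicPort) {
            return Optional.ofNullable(table.get(publicPort));
        }
    }

    /** Describes what the router does with an inbound connection attempt. */
    static String inbound(NatRouter router, int publicPort) {
        return router.receiveInbound(publicPort)
                .map(m -> "forwarded to " + m.internal() + " [" + m.origin() + "]")
                .orElse("dropped, no table entry");
    }

    public static void main(String[] args) {
        Endpoint gameHost = new Endpoint("192.168.1.10", 7777);     // hypothetical ServerSocket port
        Endpoint otherProgram = new Endpoint("192.168.1.10", 5000); // some other local listener

        NatRouter upnpOff = new NatRouter("203.0.113.5", false);
        System.out.println("unsolicited connect to 7777: " + inbound(upnpOff, 7777));

        Endpoint seenByServer = upnpOff.sendOutbound(new Endpoint("192.168.1.10", 51000));
        System.out.println("web server sees client as " + seenByServer);
        System.out.println("server reply: " + inbound(upnpOff, seenByServer.port()));

        upnpOff.addManualForward(7777, gameHost);
        System.out.println("after manual forward, connect to 7777: " + inbound(upnpOff, 7777));

        System.out.println("UPnP request accepted (UPnP off): "
                + upnpOff.requestUpnpMapping(5000, otherProgram));
        System.out.println("connect to 5000: " + inbound(upnpOff, 5000));

        NatRouter upnpOn = new NatRouter("203.0.113.5", true);
        System.out.println("UPnP request accepted (UPnP on): "
                + upnpOn.requestUpnpMapping(5000, otherProgram));
        System.out.println("connect to 5000: " + inbound(upnpOn, 5000));
    }
}
```

With UPnP off, the only inbound paths are replies to traffic a client started and rows the user added by hand; with it on, the same request that would let a game host open its port is honoured for any local program.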
Offline c_lilian

Senior Member


Projects: 1


Java games will probably rock someday...


« Reply #9 - Posted 2005-08-17 10:38:57 »

What about JXTA ? (java peer to peer)

has someone investigated it from a gaming point of view ?

I know there are some IM soft based on it, so it might be suited for non-realtime games...

any insight is welcome.

Lilian


Offline DrQuincy

Junior Member




Vwls hv bn bnnd!


« Reply #10 - Posted 2005-08-17 11:19:53 »

Thanks all for taking the time to reply!

The game is only something I'm doing as a learning experience (I've programmed in Java but not done any network programming) but at the same time I'd like to make it my first proper game, play it with my friends and put it on my website for people to download and play if they wish to.

Real-time is really not an issue; even if it took several seconds to update each player's board it would not be the end of the world.  As much as I understand how I could store the data in MySQL and serve the data to the clients that way I'm trying not to do it this way because I'd like to try something new!  I'm not too bothered about the games "just working" - if the user needs to do a little configuration themselves then so be it.  Since this is my first venture in Java network programming I think it would be a little too ambitious to attempt option three.

So, let's go with option four.  Does this mean that clients that aren't going through a router just need to make sure that their firewall will let the connection through on whatever port I use?  And if they are behind a router they must manually set up port forwarding?

How are turn-based games usually implemented?  Do you usually have a server?  Do realtime games generally use UDP?

Thanks again for your replies and for helping out a newbie - it is appreciated!
Offline Alan_W

JGO Knight


Medals: 8
Projects: 3


Java tames rock!


« Reply #11 - Posted 2005-08-17 19:51:25 »

Quote
So, let's go with option four.  Does this mean that clients that aren't going through a router just need to make sure that their firewall will let the connection through on whatever port I use?  And if they are behind a router they must manually set up port forwarding?

Yes, although you've still got the problem of matching players (and their IP addresses).  If you're testing it with friends you can manually provide the data while in IRC chat, email or even over the phone.  Otherwise you need some sort of web based player matching system.

Quote
How are turn-based games usually implemented?  Do you usually have a server?

TCP with a server would be a good choice, as the server can control whose turn it is next.  TCP/IP gives reliable transfer, which is needed otherwise commands can get lost resulting in the game hanging.  Also you only need to store the game state in one place.

Quote
Do realtime games generally use UDP?

Usually.  In realtime you care more about timely arrival of data rather than reliable transfer.

Offline Jeff

JGO Coder




Got any cats?


« Reply #12 - Posted 2005-08-17 20:11:26 »

Quote
What about JXTA ? (java peer to peer)

has someone investigated it from a gaming point of view ?

I know there are some IM soft based on it, so it might be suited for non-realtime games...

any insight is welcome.

Lilian



Short answer... interesting for turn-based games.

Too much overhead for anything else.


Offline Jeff

JGO Coder




Got any cats?


« Reply #13 - Posted 2005-08-17 20:16:56 »

Generally agree with this, a few odd comments...

Quote
So, let's go with option four.  Does this mean that clients that aren't going through a router just need to make sure that their firewall will let the connection through on whatever port I use?  And if they are behind a router they must manually set up port forwarding?

Yes, although you've still got the problem of matching players (and their IP addresses).  If you're testing it with friends you can manually provide the data while in IRC chat, email or even over the phone.  Otherwise you need some sort of web based player matching system.

Doesn't have to be web based.  A simple matchmaking server is pretty easy to whip up in straight Java code.

Quote
How are turn-based games usually implemented?  Do you usually have a server?

As mentioned above, you need a way to find each other.  Sometimes this is done with matchmaking, sometimes other ways. (I've seen turn based games that actually do all their communication through email!)

You have a lot of options since latency isn't a factor for you.

 
Quote
Quote
Do realtime games generally use UDP?

Usually.  In realtime you care more about timely arrival of data rather than reliable transfer.

There is a lot of debate over how much of this is really technical necessity and how much of this is just prejudice and misunderstanding.

Back at TEN we got great DukeNukem3D play over pure TCP on 14.4 modems!

TCP is more complex than UDP and requires you to understand more about the net to tune it, which is one of the reasons why game developers have often shied away from it.

UDP is definitely faster for unreliable communication.  Once you start needing to communicate reliably though there are strong arguments that TCP and/or TCP/UDP hybrids are going to perform better than trying to reinvent TCP over UDP.

 

Offline swpalmer

JGO Coder




Where's the Kaboom?


« Reply #14 - Posted 2005-08-19 05:26:05 »

Quote
I was thinking about this recently, and I think you can use UPnP to auto-config the firewall in some cases to map the port.

Indeed you can.

So can any virus.

Which is why most everyone who knows anything disables this feature on their firewalls :)

If the virus code is already running on your computer, what is left to lose?

I think disabling UPnP is a little paranoid.  If you have a virus scanner that works disabling the UPnP feature isn't going to offer you much in the way of additional protection.   These days it is much more risky to simply launch Internet Explorer or Outlook Express.. and if you aren't running Windows - What virus? :-).

Offline Jeff

JGO Coder




Got any cats?


« Reply #15 - Posted 2005-08-20 07:36:57 »

Quote
I was thinking about this recently, and I think you can use UPnP to auto-config the firewall in some cases to map the port.

Indeed you can.

So can any virus.

Which is why most everyone who knows anything disables this feature on their firewalls :)

If the virus code is already running on your computer, what is left to lose?

Your bank account.

Your credit card numbers.

Your PayPal password.

etc

A maleficent program that cannot contact its creator is not a security risk.  One that can, is.

One that can take incoming contact can also become a platform for the launching of attacks on other systems.  If you really want the FBI confiscating your computer that was used as a jump-point to attack a bank's system fine.  I don't.

All these are reasons why ZoneAlarm has been so successful.

Quote
and if you aren't running Windows - What virus? :-).

That's good for 3-5 percent of the computing world.  I wouldn't want to limit my market that much.

Offline swpalmer

JGO Coder




Where's the Kaboom?


« Reply #16 - Posted 2005-08-21 22:03:00 »

Quote
I was thinking about this recently, and I think you can use UPnP to auto-config the firewall in some cases to map the port.

Indeed you can.

So can any virus.

Which is why most everyone who knows anything disables this feature on their firewalls :)

If the virus code is already running on your computer, what is left to lose?

Your bank account.

Your credit card numbers.

Your PayPal password.

etc

A maleficent program that cannot contact its creator is not a security risk.  One that can, is.

But that has nothing to do with enabling UPnP.   Once the code is running on your PC nothing is going to stop it from phoning home to port 80 on some server with an HTTP request.

Disabling UPnP is a paranoid way to pretend you are reducing risk, after the fact.

Quote
One that can take incoming contact can also become a platform for the launching of attacks on other systems.  If you really want the FBI confiscating your computer that was used as a jump-point to attack a bank's system fine.  I don't.

A valid point, but again addressing already compromised systems.  Run a virus scanner and avoid the initial problem in the first place - I know they aren't perfect, but combined with good surfing practices that is really the ONLY thing that will save you.  The second malicious code gets to run on your machine it is usually too late to protect *your* security.  You might stop your machine from being a zombie to attack others.

Offline Jeff

JGO Coder




Got any cats?


« Reply #17 - Posted 2005-08-22 05:42:34 »

Quote
But that has nothing to do with enabling UPnP.   Once the code is running on your PC nothing is going to stop it from phoning home to port 80 on some server with an HTTP request.

A good firewall can, depending on how you configure it.

I will grant you that many users don't have that good a firewall, which is a crime since ZoneAlarm is free.

Quote
Disabling UPnP is a paranoid way to pretend you are reducing risk, after the fact.

Sorry I don't agree. Disabling UPNP reduces risks by limiting what a program can do.

Enabling UPNP removes ANY outbound protection.  And every security expert I've ever talked to agrees.
 

Quote
One that can take incoming contact can also become a platform for the launching of attacks on other systems.  If you really want the FBI confiscating your computer that was used as a jump-point to attack a bank's system fine.  I don't.

A valid point, but again addressing already compromised systems.  Run a virus scanner and avoid the initial problem in the first place - I know they aren't perfect,

They are far from perfect.  If you haven't tried the experiment in a while I suggest you put a virus scanner on an average user's system and count the minutes til you see your first infection.  I gave up and moved my wife to Linux to solve the problem as it was the only solution I ever found that worked for any length of time.

And again, with UPNP disabled once you have that virus it can (and has in the past) be used to launch DOS attacks on arbitrary systems at arbitrary ports.  With UPNP disabled, the worst it can do is attack web servers.


Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  It's likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline swpalmer

JGO Coder




Where's the Kaboom?


« Reply #18 - Posted 2005-08-25 01:44:43 »

Disabling UPnP is a paranoid way to pretend you are reducing risk, after the fact.

Sorry, I don't agree. Disabling UPNP reduces risks by limiting what a program can do.

Ok, I agree disabling UPnP reduces "risks" by some amount.  I'm only arguing that the risks that it reduces are very insignificant relatively speaking, since it is offering protection to a system that already has malicious code running on it and so the BIG risk has already happened.  Your system is screwed, your data is already lost or stolen and now you are locking doors after knowing that the burglar is already inside.

That might buy you something, but at that point I'm already mad and can't get much madder :-).
Quote
Quote
Run a virus scanner and avoid the initial problem in the first place - I know they aren't perfect,

They are far from perfect.  If you haven't tried the experiment in a while I suggest you put a virus scanner on an average user's system and count the minutes til you see your first infection.
Sure, but disabling UPnP isn't going to help you not get that virus.

Quote
And again, with UPNP disabled once you have that virus it can (and has in the past) be used to launch DOS attacks on arbitrary systems at arbitrary ports.  With UPNP disabled, the worst it can do is attack web servers.

Key words "once you have that virus" - i.e. it is useful AFTER a successful attack to possibly limit damage to other systems.  I could be altruistic and say I want to protect every other system in the world, while causing a pain in the butt for myself by disabling a useful feature... but I don't care that much about the other systems :-)  they have their own protection.

Also UPnP, at least on my system and using the default config of the firewalls that I have used, is not going to prevent OUTGOING connections.  That's already allowed.  Only incoming connections are blocked by default.   So the worst case is that a zombie can use UPnP to open a port to allow incoming connections so the zombie can receive instructions.  The problem being of course, that the Zombie could easily get instructions by polling some other server with outgoing requests, so you are simply locking the back door while leaving the front door wide open.

I still believe that in the grand scheme of things disabling UPnP isn't helpful.  Virus scanners that catch email attachments and scan downloads are certainly not perfect, but much more likely to protect your system from an actual threat than disabling UPnP.

The only good protection is a careful user.  How many times have you downloaded a game from these forums and fired it up?  Unless you ran it in the Web Start sandbox* each one could easily have installed a virus or deleted your files.  Your only real protection would be to disassemble it and check what it really does.

*another great reason to use Web Start and one that Sun should be promoting to end users more.

Offline Alan_W

JGO Knight


Medals: 8
Projects: 3


Java tames rock!


« Reply #19 - Posted 2005-08-25 04:54:08 »

I fall into the leaving uPNP off camp, since it stops your computer being configured as an open smtp relay.  I agree that a virus can poll for instructions, but this location to poll must be hardcoded in the virus & hence can be shutdown once the virus is discovered.

However, more importantly, routers are usually configured with uPnP off by default, so you can't assume it's available for publicly distributed applications, which is really where it would be most useful.  Asking the user to configure uPNP on their router is likely to flummox the majority of joe public.  The minority who can, probably won't want to for security reasons.

Alan :-)

Time flies like a bird. Fruit flies like a banana.
Offline Amos Wenger

Senior Member




Everything's possible, but not everything's fun...


« Reply #20 - Posted 2005-08-25 15:12:32 »

What virus? :-).

 Grin Grin Grin

(I *LOVE* linux..)

"Once you start working on something, don't be afraid of failure and don't abandon it. People who work sincerely are the happiest"
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #21 - Posted 2005-08-25 22:30:55 »

But that has nothing to do with enabling UPnP.   Once the code is running on your PC nothing is going to stop it from phoning home to port 80 on some server with an HTTP request.

A good firewall can, depending on how you configure it.

You mean "a good interactive firewall". There is no way for a "normal" firewall to do this. IMHO you're talking about a small subset of firewalling.

Quote
Quote
Disabling UPnP is a paranoid way to pretend you are reducing risk, after the fact.

Sorry, I don't agree. Disabling UPNP reduces risks by limiting what a program can do.

Not according to the field of Security Engineering:

Threat: someone wants to get info from inside your LAN out
Measure: you have to stop info being read, or stop it from being transmitted

Evaluation: UPNP is only one of many ways that it can be transmitted. Others that are arguably easier include:
 - piggyback on some well-known program that is bound to get run sooner or later. IM clients are good for this, assuming you are too lazy to go read up some of the Outlook hacks
 - set your process name to "internet explorer" and dial-out. I'd consider this the easiest by far. ZoneAlarm says "internet explorer is trying to access a site". What do you think most people will do?

Quote
Enabling UPNP removes ANY outbound protection.  And every security expert I've ever talked to agrees.

You didn't have any in the first place; be diligent and methodical, look at the attacks and the counter-measures and you'll see this is de facto true, unless you have put many other things in place (several of which are going to prevent the UPNP class of attacks anyway, at which point the whole UPNP issue becomes moot).

I don't want to put a fine point on this, but I can only say your security expert friends differ substantially in their opinions from my "security expert" friends, people such as Ross Anderson.

malloc will be first against the wall when the revolution comes...
Offline Jeff

JGO Coder




Got any cats?


« Reply #22 - Posted 2005-08-26 07:49:42 »

By that argument, to put it simply, since you're going to die anyway of something, you might as well smoke and drink to excess.  Or more directly, no one should have a firewall, period, because there are other security risks besides the one it covers.

Pretty clearly and obviously faulty reasoning.


Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  It's likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline swpalmer

JGO Coder




Where's the Kaboom?


« Reply #23 - Posted 2005-09-08 06:19:56 »

By that argument, to put it simply, since you're going to die anyway of something, you might as well smoke and drink to excess.  Or more directly, no one should have a firewall, period, because there are other security risks besides the one it covers.

Pretty clearly and obviously faulty reasoning.

No, that's twisting my words.  I was saying "You are already dead.  A few more bullets aren't going to make a difference."

But part of it rings true... a chain is only as strong as the weakest link.  Firewalls DO help, but in my opinion they are far overrated.  People treat them like some magic bullet but they are no better than the virus scanners that you found so ineffective.

Offline Jeff

JGO Coder




Got any cats?


« Reply #24 - Posted 2005-09-12 23:37:01 »

By that argument, to put it simply, since you're going to die anyway of something, you might as well smoke and drink to excess.  Or more directly, no one should have a firewall, period, because there are other security risks besides the one it covers.

Pretty clearly and obviously faulty reasoning.

No, that's twisting my words.  I was saying "You are already dead.  A few more bullets aren't going to make a difference."

But part of it rings true... a chain is only as strong as the weakest link.  Firewalls DO help, but in my opinion they are far overrated.  People treat them like some magic bullet but they are no better than the virus scanners that you found so ineffective.


I disagree to some degree.  Yes, there are limits to firewalls but the big advantage they have is that they run on separate uncompromisable hardware (a dedicated box.)

The same is NOT true of any virus scanner or firewall that runs on the target machine.

That probably makes my objection to UPnP the clearest as with UPnP the firewall CAN now be compromised by mal-ware running on the target machine.  So I agree with you they are no better than the virus scanner IF you allow UPnP, but they are a lot more secure if you don't.

Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  It's likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline swpalmer

JGO Coder




Where's the Kaboom?


« Reply #25 - Posted 2005-09-13 01:51:09 »

So there is malicious code on my machine and it uses http: and connects to port 80 of an external server to share my secrets (hardly a limitation).  Getting an outbound connection from behind the firewall is rarely a problem.  Once the connection is made the information flows in BOTH directions.  How will UPnP protect me from that?

Offline Jeff

JGO Coder




Got any cats?


« Reply #26 - Posted 2005-09-13 07:24:35 »

So there is malicious code on my machine and it uses http: and connects to port 80 of an external server to share my secrets (hardly a limitation).  Getting an outbound connection from behind the firewall is rarely a problem.  Once the connection is made the information flows in BOTH directions.  How will UPnP protect me from that?

Depends on how tight your firewall is.

You don't have to let any 80 tcp connection out.  You can proxy web connections through a proxy server (which is what we do at Sun for our corporate network).  Besides, you are still ignoring the use of your machine to launch attacks on OTHER systems.  That generally requires an inbound connection.  UPnP makes it possible for malware to open up your firewall and allow that inbound connection.

Nothing is 100% secure, the question is how many threats do you want to be secure against?  If you enable UPnP you've made the answer to that "none".

Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  It's likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
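
The disagreement in this thread turns on the fact that any program on the LAN can ask a UPnP-enabled router to forward an inbound port. The following is an added example, not code from any poster in the thread: a defender-side audit that parses port-mapping entries and flags the ones the owner did not expect. It assumes the router's answers have the shape of a WANIPConnection:1 `GetGenericPortMappingEntryResponse`; the sample responses and the allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed SOAP body in the shape of a WANIPConnection:1
# GetGenericPortMappingEntryResponse (one response per mapping index).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
    '<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>'
    '<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE = [  # constructed data, not captured from a real router
    TEMPLATE.format(ext=6112, proto="UDP", port=6112, client="192.168.1.20", desc="game"),
    TEMPLATE.format(ext=25, proto="TCP", port=25, client="192.168.1.20", desc=""),
    TEMPLATE.format(ext=8080, proto="TCP", port=3389, client="192.168.1.31", desc="x"),
]
# Hypothetical allowlist: (internal client, protocol, internal port) the owner expects.
ALLOWED = {("192.168.1.20", "UDP", 6112)}


def parse_mapping(soap_xml):
    """Extract the New* argument elements from one response into a dict."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields


def audit(responses, allowed):
    """Return (external port, client, protocol, internal port) for each
    enabled mapping that is not on the allowlist."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        key = (m["NewInternalClient"], m["NewProtocol"].upper(), int(m["NewInternalPort"]))
        if m.get("NewEnabled") == "1" and key not in allowed:
            findings.append((int(m["NewExternalPort"]), *key))
    return findings


if __name__ == "__main__":
    for ext, client, proto, port in audit(SAMPLE, ALLOWED):
        print(f"unexpected mapping: WAN {proto}/{ext} -> {client}:{port}")
```

The constructed TCP/25 entry corresponds to the open SMTP relay concern raised in reply #19; the game's own UDP mapping passes because it is on the allowlist.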
Offline swpalmer

JGO Coder




Where's the Kaboom?


« Reply #27 - Posted 2005-09-13 23:43:04 »

So there is malicious code on my machine and it uses http: and connects to port 80 of an external server to share my secrets (hardly a limitation).  Getting an outbound connection from behind the firewall is rarely a problem.  Once the connection is made the information flows in BOTH directions.  How will UPnP protect me from that?

Depends on how tight your firewall is.

You don't have to let any 80 tcp connection out.

Not many home users use a proxy server.  And even if they did, I'm not sure it would solve the problem without making a lot of sacrifices to the whole surfing experience.

Quote
Besides, you are still ignoring the use of your machine to launch attacks on OTHER systems.
Yes, intentionally.  That's a secondary effect that only comes about AFTER my computer is compromised.  If I protect my computer from being compromised, then I eliminate that threat as well.

Quote
That generally requires an inbound connection.
Keyword "generally", that is, until someone takes four or five minutes and writes some code to find instructions (and lists of servers in case the main one gets taken down) using polling, it wouldn't have to poll frequently.

Quote
UPnP makes it possible for malware to open up your firewall and allow that inbound connection.
Not JUST malware, useful stuff that I WANT to run.  I tend to avoid running malware :-) so that leaves UPnP as a useful feature for the stuff I want to run.

Quote
Nothing is 100% secure, the question is how many threats do you want to be secure against?  If you enable UPnP you've made the answer to that "none".

"none" ?

Enabling UPnP means you will be secure against absolutely NO threats whatsoever? Disabling UPnP is the ONLY thing protecting your computer?

A bit of a stretch don't you think?

You are more likely to get your machine taken over by visiting a web site with I.E., or opening an email in Outlook Express that has HTML content.  Unless you've configured I.E. and Outlook to not be able to access the internet... but that is hardly useful.

Are you saying that most OS's come with malware pre-installed that will use UPnP to open up the ports and turn my machine into a zombie?  You DO have to get that malware on your machine in the first place of course, and that is the basis of my point.  You need to protect your system as much as you can so that the malware can't get installed. Once the system is compromised, whatever barriers you have left are going to offer you significantly diminishing returns... to the point where I feel disabling UPnP is not worth the inconvenience.
