Java-Gaming.org    
Featured games (81)
games approved by the League of Dukes
Games in Showcase (481)
Games in Android Showcase (110)
games submitted by our members
Games in WIP (548)
games currently in development
News: Read the Java Gaming Resources, or peek at the official Java tutorials
 
    Home     Help   Search   Login   Register   
Pages: 1 [2]
  ignore  |  Print  
  Secure highscore submission over HTTP  (Read 3994 times)
0 Members and 1 Guest are viewing this topic.
Offline delt0r

JGO Knight


Medals: 27
Exp: 18 years


Computers can do that?


« Reply #30 - Posted 2010-10-28 12:21:20 »

Try doing some hacking on your own. Learn the tools you need to secure against. You will quickly discover why cheating is prevalent in online games, and why its so hard to combat.
 

I have no special talents. I am only passionately curious.--Albert Einstein
Offline krasse
« Reply #31 - Posted 2010-10-28 12:31:52 »

Not really - all the hacker has to do it make the client run at half or quarter speed. From the recorded keystrokes it'll look like they're playing really well. Similarly a hacker could put a memory image save/restore and so 'incrementally' play a perfect game.


Solution to this "subproblem": You could have a timestamp for the game you play so the result is only valid for a limited time. This limits the damage for recorded keystrokes.

Hacker counter: Save a whole play with recorded input and send to server.

Solution to this counter: Randomize start state


A bot that can run in real time is however more difficult and it doesn't even have to run as a process in the target system.
In practice, when money is involved, suspicious users can be banned for no other reason than being just suspicious. No actual proofs are needed.


Offline Mordan

Junior Member





« Reply #32 - Posted 2010-10-28 17:23:13 »

It's not about thinking outside the box .. I can respect that you have this blissful fantasy that securing the client is possible .. we've all been there, you just haven't yet crashed into the wall of realization.

That's a different problem. It is technically feasible with the correct inputs to post funds to your account from someone else's account. That information is usually obtained through social engineering.

But the point is the entire "state" of an account is handled on the server - the client can only request transactions to be made, which the server will always validate. But that doesn't solve the problem of someone usen valid (but stolen) information to post a valid transaction.

To make a game analogy .. you could use a similar strategy with a game of Checkers. The server generates a game state and hands it off to the client. The client can then tell the server move-by-move what it wants to do. The server maintains the game state and validates each move.

But even this is not securing the client - it's just computing game state on the trusted end. Anytime you have a game where the state is exclusively maintained on the client side, you've already lost. It will be possible to cheat.

(you could also cheat at the "Checkers" strategy with a bit of AI).

unless the state is there for all the see. Map Hacks lose their purposes if game is played with no fog of war.

about emoney I meant cards where money state is stored on the card. They used to call it Proton here, Solo on the UK though i never used that one.

So while I agree that in theory state on the client side makes it possible to cheat, like I said, paper money is state on the client side. Money laundering does happen. But try to launder money using big fat notes of 500 euros? Doesn't happen very much.
So for highscores, nobody cares if people cheat for scores lower the Top 10. Alll you have to do is monitor the top ten scores using the above techniques and then some. For me, that's practical client security. Make recorded games and let the community check on those top ten highscores.

Now your point is one bright hacker would be able to masquerade even then. Well even the best money fakers are caught. They are playing "Catch me if you can"
What about your income history // highscore history. Maybe client security is also about how you design the community surrounding your game highscores.

That's why I wrote "real life ways" to achieve client security.
Pages: 1 [2]
  ignore  |  Print  
 
 
You cannot reply to this message, because it is very, very old.

 

Add your game by posting it in the WIP section,
or publish it in Showcase.

The first screenshot will be displayed as a thumbnail.

atombrot (26 views)
2014-08-19 09:29:53

Tekkerue (24 views)
2014-08-16 06:45:27

Tekkerue (23 views)
2014-08-16 06:22:17

Tekkerue (14 views)
2014-08-16 06:20:21

Tekkerue (20 views)
2014-08-16 06:12:11

Rayexar (59 views)
2014-08-11 02:49:23

BurntPizza (38 views)
2014-08-09 21:09:32

BurntPizza (30 views)
2014-08-08 02:01:56

Norakomi (37 views)
2014-08-06 19:49:38

BurntPizza (67 views)
2014-08-03 02:57:17
List of Learning Resources
by Longor1996
2014-08-16 10:40:00

List of Learning Resources
by SilverTiger
2014-08-05 19:33:27

Resources for WIP games
by CogWheelz
2014-08-01 16:20:17

Resources for WIP games
by CogWheelz
2014-08-01 16:19:50

List of Learning Resources
by SilverTiger
2014-07-31 16:29:50

List of Learning Resources
by SilverTiger
2014-07-31 16:26:06

List of Learning Resources
by SilverTiger
2014-07-31 11:54:12

HotSpot Options
by dleskov
2014-07-08 01:59:08
java-gaming.org is not responsible for the content posted by its members, including references to external websites, and other references that may or may not have a relation with our primarily gaming and game production oriented community. inquiries and complaints can be sent via email to the info‑account of the company managing the website of java‑gaming.org
Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines | Managed by Enhanced Four Valid XHTML 1.0! Valid CSS!