 |
|
Oct 04, 2007, 11:41 AM // 11:41
|
#21 | |
|
Grotto Attendant
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
|
Quote:
http://www.gnu.org/philosophy/can-you-trust.html Any MMO game can (and should be) designed in a way that makes client-side tampering impossible. Presearing exploit is example where anet developers messed up and added functionality supposed to be in server to client. Long time ago, regen/degen was handled client side, resulting in ludicrous godmode cheats. Stuff like duping was server side error, and that intel thingie would have done NOTHING against that. So, local anticheat = fail. |
|
|
|
|
Oct 04, 2007, 11:46 AM // 11:46
|
#22 | |
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
This measures are perfectly normal. Security was, is and always will be an arms race. Companies propose security systems (I would agree that TC is a much more sensitive technology than AV and FW) and hackers (bear in mind, now they no longer do it for the fun or reputation, we're talking millions in real money here, with links with mafia and other traffics) push through it, which force companies to fix until a certain point where they have to move to the next security paradigms. I guess everyone would agree that when TJX's laptop were stollen and many customer information were available to hackers, fixing this issue would be welcome, right? Well, to fix this, you have to encrypt, and to make encryption work, you have to protect the key, and there are NO completely secure way to do that. Until you add hardware control (policy enforcement), which the most difficult and costly way to break (the hacker has to physically get at your computer, much more difficult than sending a trojan, isn't it?). And since the gaming industry is the biggest one (more than movie and music, which makes people's scare about DRM very relative!), you can expect something big to happen here. I know that Intel's proposals in the last 2 years have been rejected due to their high cost (change in the way PCI works), but they are finding new innovative ways to improve the situation. As can be seen from the /report system in GW, such features will be received by people shouting messages of "we're doomed" and "it won't work". Until they start to see it works. Which does not mean that this one will work, but at least they try. And if you have a BETTER solution, please apply for a job at Intel. If it's really better, you'll get a very well paid job! |
|
|
|
|
|
Oct 04, 2007, 11:52 AM // 11:52
|
#23 |
|
Academy Page
Join Date: Jul 2006
Location: UK
Guild: Moon Unit Carby
Profession: R/Me
|
So this is how Intel are going to push their hardware DRM?
|
|
|
|
|
Oct 04, 2007, 11:54 AM // 11:54
|
#24 | ||
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
http://en.wikipedia.org/wiki/Trusted_computing They even have a nice video for those who think that a complicated technology can be summarised with a nice video. Most of this stuff has been debunked in the scientific community, has been implemented by companies and is currently rolled out in the business world (where the highest loss are seen, see health and banking records being stollen). Quote:
What scares people is that the same technology that can be used to prevent cheating (well, it's all relative, people can still create scams and phishing, but this is a social engineering attack on the persons, not the computer) can also be used to enforce DRM. And then no more free games, videos and music. |
||
|
|
|
|
Oct 04, 2007, 11:56 AM // 11:56
|
#25 | |
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
(something tells me I'm going to have a very hard time fighting the wrong ideas here ... please read all my messages before you post a reply, thanks!) Last edited by Fril Estelin; Oct 04, 2007 at 12:09 PM // 12:09.. |
|
|
|
|
|
Oct 04, 2007, 11:59 AM // 11:59
|
#26 | |
|
Banned
Join Date: Jan 2007
Location: Drazach Thicket
Guild: Temple of Zhen Xianren [Sifu]
|
Quote:
Take me back to the old PSO way any day. I doubt I would have enjoyed PSO as much if it hadn't been hacked to hell and back. Sega unfortunately didn't like it much.... but it did make the game more interesting. Plus there was a sense of satisfaction to teaching those without the hack-disks to exploit glitches in the game in order to defend themselves against the hackers. It was the kind of anarchy I can only dream of these days.... but it worked wonders. |
|
|
|
|
|
Oct 04, 2007, 12:14 PM // 12:14
|
#27 | |
|
Grotto Attendant
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
|
Quote:
--- ASAP programer tries to weasel out from making mess by claiming that mistakes are inevitable, its time to fire him on spot. Amount of possible attacks on software is finite. All it takes is decent data entry filter and bam! Inpenetrable software. OFC, this is simple model. Its not cheap or anything, but guess what? If you dont do it, security chip wont save your ass because it can do nothing about rogue systems. Its time for you to call buddies that work for banks. Believe me, they know better than "we cant fix all holes, yadada yadada". Also, you really cant believe that DRM can be saved by that chip. Its defective by design: For enuser to access content, he must have key, sw to decrypt AND ciphertext. You can make it complicated, but you can never get around this simple fact. FYI, before you start with "you have no idea..."... I work as software consultant. For banks. |
|
|
|
|
|
Oct 04, 2007, 12:26 PM // 12:26
|
#28 | ||||
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
http://cm.bell-labs.com/who/ken/trust.html Quote:
BTW, do you know the only OS that have a CC EAL4? Quote:
Quote:
(I taught software engineering in 1st year of a computing science university, we teach such things; I'm also working on formal methods, the only thing you could call close to safe computing in SE, look at EAL7 ...) Last edited by Fril Estelin; Oct 04, 2007 at 12:30 PM // 12:30.. |
||||
|
|
|
|
Oct 04, 2007, 01:02 PM // 13:02
|
#29 | |
|
Academy Page
Join Date: Jul 2006
Location: UK
Guild: Moon Unit Carby
Profession: R/Me
|
Quote:
Also, Intel specifically made mention of it as usable as hardware DRM back four and a bit years ago when the project was kinda widely picked up by the internet, and again highlighted when Apple announced it was going to start using Intel chips. There are a ton of google entries dated around 2004-2005 which clearly show Intel trying not to say what the hardware was supposed to do, before admitting that it was 'forward-looking DRM'. If Intel want to argue now that the direction of the project has changed, fine. But DRM was one of the fundamental purposes of that technology. I would be very surprised if it wasn't destined to end up being used in this fashion. |
|
|
|
|
|
Oct 04, 2007, 01:04 PM // 13:04
|
#30 | |
|
Krytan Explorer
Join Date: Jul 2006
|
Quote:
|
|
|
|
|
|
Oct 04, 2007, 02:18 PM // 14:18
|
#31 |
|
Desert Nomad
Join Date: Feb 2006
Location: North Carolina
Profession: N/Me
|
Hardware or not it's still not going to work. Even if the majority of the code is kept server side all someone has to do is find the code that tells the bits of hardware on your end to report to the server. In other words you have program A sitting on a computer telling server B anything that is out of the ordinary. This means the actual monitoring is done client side but reported server side.
They already have this in network security. It's just a behavioral monitoring program put on a chip and it can be defeated. All you have to do is gather a baseline set of readings for normal operation and basically have another program report those to the reporting software while you do whatever you like. to that end you don't even need to know the server side code. All you need to know is the client side code and the normal parameters it checks for, which would also be in the codebase. Then you can design a program that does nothing but lie to the reporting software causing it to send false reports to the server. The PoC of this has been around for over a year now. It's a simple macro virus that uses Excel features to attack your computer. It slipped past Symantec security and behavioral monitoring software because it was designed to search for and lie to those programs. It did it rather elegantly by taking a digital "snap shot" of the operating system at the moment of installation. It then fed those values to the behavioral monitoring software over and over and over again while it opened up excel and made your computer do bad things. Security software didn't know any better because the virus was sending it data that said everything was functioning normally. Last edited by Str0b0; Oct 04, 2007 at 02:21 PM // 14:21.. |
|
|
|
|
Oct 04, 2007, 02:36 PM // 14:36
|
#32 | |
|
Furnace Stoker
Join Date: Jun 2005
Location: United States
Guild: Dark Side Ofthe Moon [DSM]
Profession: E/
|
Quote:
The more that "hardware" does things like scan / check stuff or ... it can check for "unlicensed media files or pirated media files and notfiy X" at the hardware level, this should really be controlled at the software level. The problem is you can have a "box" that between keyboard and usb/ps2 port that can use macro's to simluate keyboard strokes that pc will not be able to detect. Then they can use the arugment must come up with a "standard" to encrypt keyboard to pc communcation... which could also be broken. Build a better mouse trap, get better mice. |
|
|
|
|
|
Oct 04, 2007, 03:10 PM // 15:10
|
#33 | |||
|
Grotto Attendant
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
|
Quote:
Were talking service, with well defined API and input. There, your attacks are injection ... or injection. Quote:
how does phishing come to this debate, but whever. z/OS V1R8 for example? Is this googling contest anyway? Some linux distros aim for L5 btw. EAL7 is possible. Not worth required money for public sector. Quote:
HW still needs key inside, still needs it processed, and is prone to tampering. But whatever. |
|||
|
|
|
|
Oct 04, 2007, 03:44 PM // 15:44
|
#34 | |
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
|
|
|
|
|
|
Oct 04, 2007, 03:50 PM // 15:50
|
#35 | |
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
This is NOT, to my knowledge, the way they plan to implement it. Just one possible scenario. |
|
|
|
|
|
Oct 04, 2007, 03:55 PM // 15:55
|
#36 | ||
|
Grotto Attendant
Join Date: Apr 2007
|
Quote:
At any rate, such a system would be easily defeated by a hardware dongle. It's not like we haven't had third-party hardware devices to spoof user input since the first "turbo" controller for the NES or anything.... If you wanted to get really fancy, you could give your dongle an additional USB connector and feed it the (complex, situation-dependent) output from a macro to feed back into the keyboard input. Moreover, the unit is going to need a driver, either in windows or in firmware, which leaves open the possibility of disabling it with a "patched" driver. So... Quote:
While their implementation isn't always perfect, a-net's anti-cheating philosophy is -- Presume the client is infinitely hackable; Move everything that isn't "mere I/O" to the server; Make sure your input is coming from the right user (session encryption ftw); Sanity check you input (The pistol-turned-machine gun in the FoxNews <shudders with disgust> report could be easily dealt with by implementing a max refire rate for the gun.. duh...); And don't send any output to the client that you don't want the user to know (D2 maphack ftw). |
||
|
|
|
|
Oct 04, 2007, 03:57 PM // 15:57
|
#37 | |||
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
Quote:
 . Impenetrable SW does not exist in any way. You' have a good example of why in Ken Thomson's paper. Or when you realise that any SW runs on the processor, which the SW has no control over.Quote:
|
|||
|
|
|
|
Oct 04, 2007, 04:19 PM // 16:19
|
#38 | |||
|
Grotto Attendant
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
|
Quote:
Quote:
Point here is that you can not make software secure if there is physical access to machine which runs it (that procesor of yours helps, but does not stop it.). But you can secure remote server enough to be inpenetrable /unless you got some social engineering going on, but nothing expect common sense helps against that./. Quote:
|
|||
|
|
|
|
Oct 04, 2007, 04:30 PM // 16:30
|
#39 |
|
Lion's Arch Merchant
Join Date: Apr 2006
Profession: W/
|
The problem with this sort of thing is that we're going to get into a situation where Guildwars (etc) only runs on PCs with all the latest "trust" hardware from a "trusted" group of hardware vendors all of which probably charge a premium.
If you've got a PC thats a couple of years old, or if you don't want to pay for trust hardware you'll be flagged as a likely hacker, or banned from playing at all. If MMOs think they have to rely on these sort of things, they should just do everyone a favor and run on consoles instead. |
|
|
|
|
Oct 04, 2007, 04:43 PM // 16:43
|
#40 | |
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
Quote:
This thread reminds me of the one on the /report feature. The only vocal people are the ones complaining, and sometimes whining (those that can no longer play nasty and get pleasure from annoying other people). The ones that have no problem with the system don't talk. |
|
|
|
|
 |
|
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| What's involved in getting FOW armour? | techo | Warrior | 16 | Aug 02, 2006 07:48 AM // 07:48 |
| falz | Buy | 1 | Oct 09, 2005 04:51 PM // 16:51 | |
| A.Net/NCSoft too Involved | Lu Cheng Ying | Sardelac Sanitarium | 53 | Aug 27, 2005 03:55 PM // 15:55 |
All times are GMT. The time now is 11:55 PM // 23:55.
jQuery(document).ready(checkAds()); function checkAds(){if (document.getElementById('adsense')!=undefined){document.write("_gaq.push(['_trackEvent', 'Adblock', 'Unblocked', 'false',,true]);");}else{document.write("