Something that might help would be to ask high score candidates to type in the letters depicted on a garbled image - so at least then you know that the bot has to recognise characters.
Paul

----- Original Message -----
From: Michel Scoz
To: [email protected]
Sent: Wednesday, May 28, 2008 12:45 PM
Subject: RES: [flexcoders] Re: The "High Score" Problem

About the client side (swf file), you could always try to encrypt the swf file with "SWF Encrypt". People won't be able to decompile and use it as their own. Actually it will decompile, but without any usable and/or compilable code. Of course this does not solve the network sniffer problem, but one of your concerns is gone.

Cya,
Michel.

------------------------------------------------------------------------------
From: [email protected] [mailto:[EMAIL PROTECTED]] On behalf of kenny14390
Sent: Tuesday, 27 May 2008 15:27
To: [email protected]
Subject: [flexcoders] Re: The "High Score" Problem

> > There is no such thing as Flash application security?
>
> Against what ?
> How much is the value of the prize ?
> Who is attacking you ? Why ?

The prizes are pretty big, so there is a justified concern for security. The "attackers" would be facebook users, so they will usually be 18-25.

--- In [email protected], Tom Chiverton <[EMAIL PROTECTED]> wrote:
>
> On Tuesday 27 May 2008, kenny14390 wrote:
> > Is the simple conclusion that Flash applications are inherently
> > transparent?
>
> Yes, same as an HTML application, in a sense. This is the bane of client/server
> computing, and *banks* haven't cracked it yet either.
> However, there are fewer people with the skills to decompile a Flex app than a
> JavaScript one. But maybe all they need to do is sniff the network traffic...
>
> > Does SSL patch any of these risks?
>
> No, because the user can configure an SSL proxy and see the plain text of the
> session. But, again, fewer people will be able to do this.
>
> > There is no such thing as Flash application security?
>
> Against what ?
> How much is the value of the prize ?
> Who is attacking you ? Why ?
>
> Until you answer those questions, how can you evaluate any of the various
> mitigations ?
> For instance, if your attackers are all under 10 (because your app is used in
> a closed environment, i.e. a school class room, and the login is tied to the
> attendance list and O/S logged in user) then you probably don't need to do
> anything else.
>
> > How can a "high score" problem be overcome?
>
> Some sort of CAPTCHA type test should prove there is a user sat at the
> computer, but I'm not aware of any way to verify they're using your client and
> not another one they built themselves.
> Given they can intercept your 'calculateChecksumOfYourself()' (or whatever)
> and just send back the 'right' answer.
>
> A lot of the time, raising the bar fairly high (require login, SSL) is
> probably good enough.
> In your case, I'd probably want to require unique, verified email address too.
> Maybe postal too as people tend to have fewer throw away postal addresses that
> actually work :-)
>
> --
> Tom Chiverton
>
> ****************************************************
>
> This email is sent for and on behalf of Halliwells LLP.
>
> Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority.
>
> CONFIDENTIALITY
>
> This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500.
>
> For more information about Halliwells LLP visit www.halliwells.com.
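The thread's conclusion is that nothing the Flash client computes can be trusted: the SWF decompiles, an SSL proxy shows the traffic, and a client-side "checksum of yourself" can simply be answered with the right value. What a server can still verify on its own is the subject of the following sketch. It is an added example written for this page, not code from the thread or from any of the posters, and it shows the "raise the bar" measures discussed above done server-side: a session token signed with a secret that never ships in the client, one-time use of that session so a captured submission cannot be replayed, a plausibility bound of score against server-measured play time, and Paul's "type the garbled letters" step as a one-time, time-limited challenge whose answer is stored only on the server. All names, thresholds and the secret are assumptions for illustration.

```python
"""Server-side score acceptance sketch (added example; not the thread's code)."""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"hypothetical-server-only-secret"  # assumption: random, never embedded in the SWF
MAX_POINTS_PER_SECOND = 50                          # assumption: game-specific plausibility bound
HIGH_SCORE_THRESHOLD = 1000                         # assumption: scores at/above this need the human check
CHALLENGE_TTL_SECONDS = 300                         # assumption: image challenge validity window

_sessions = {}    # session_id -> {"start": float, "used": bool}; server-side, never client-supplied
_challenges = {}  # challenge_id -> {"answer_hash": bytes, "issued": float, "used": bool}


def _sign(message: bytes) -> str:
    """HMAC-SHA256 over the session id with the server-only secret."""
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def start_session(now=None):
    """Mint a signed session token when play starts. A client cannot forge one
    without SERVER_SECRET, and the start time is recorded here, not reported by the client."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)
    _sessions[session_id] = {"start": now, "used": False}
    return f"{session_id}.{_sign(session_id.encode())}"


def _lookup_session(token):
    """Return the session record if the token is well-formed and its MAC verifies, else None."""
    session_id, sep, mac = token.partition(".")
    if not sep or session_id not in _sessions:
        return None
    if not hmac.compare_digest(mac, _sign(session_id.encode())):
        return None
    return _sessions[session_id]


def issue_challenge(answer, now=None):
    """Register the expected answer of a garbled-image challenge and return its id.
    The caller renders `answer` into the image; only a hash of it is kept here and
    the plain text is never sent to the client."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_hex(8)
    _challenges[challenge_id] = {
        "answer_hash": hashlib.sha256(answer.strip().lower().encode()).digest(),
        "issued": now,
        "used": False,
    }
    return challenge_id


def verify_challenge(challenge_id, response, now=None):
    """One-time, time-limited check of what the user typed. The challenge is burned
    on first use whether or not the answer was right, so it cannot be brute-forced."""
    now = time.time() if now is None else now
    rec = _challenges.get(challenge_id)
    if rec is None or rec["used"] or now - rec["issued"] > CHALLENGE_TTL_SECONDS:
        return False
    rec["used"] = True
    got = hashlib.sha256((response or "").strip().lower().encode()).digest()
    return hmac.compare_digest(got, rec["answer_hash"])


def submit_score(token, score, challenge_id=None, response=None, now=None):
    """Decide whether a submitted score is recorded. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    session = _lookup_session(token)
    if session is None:
        return False, "bad token"
    if session["used"]:
        return False, "session already used"
    session["used"] = True  # from here on, a replay of a captured request is rejected
    if not isinstance(score, int) or score < 0:
        return False, "malformed score"
    elapsed = now - session["start"]  # measured by the server, not claimed by the client
    if elapsed <= 0 or score > elapsed * MAX_POINTS_PER_SECOND:
        return False, "implausible score for elapsed time"
    if score >= HIGH_SCORE_THRESHOLD and not verify_challenge(challenge_id, response, now):
        return False, "human check failed"
    return True, "accepted"
```

Note what this does and does not give you, in line with Tom's point: it never tries to prove that the submission came from your SWF rather than a client someone built themselves, because that cannot be proven from the server side. It only ensures that a submission is tied to a session the server itself opened, is used once, is bounded by time the server observed, and, for high-score candidates, was accompanied by a fresh answer to a challenge whose plain text never left the server.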

