Re: [Flashcoders] Highscore submit security with independent library

2006-10-30 Thread Glen Pike

Hi,

   If you are looking for a nice place to start with "how to do a high 
score system" that gives a good example and tips on how to improve it, 
then Jobe Makar's Flash MX Game Design Demystified has such an example. 

   I am not sure if the book that covers MX2004 has an AS2 version, but 
the examples in the MX books are simple enough to build on.


   For the "make it secure and stop people cheating", there are 
probably many ways to build on that - like someone else said, how secure 
does it have to be?


   One idea I have used to stop people spamming HTML email forms 
posting to a single form processor is the idea of a "stamp".  The HTML 
form has some PHP code to ask the server for a "stamp" that is used as 
an identifier for the email.  This stamp is a hash based on certain 
parameters and changes regularly. 

   You could do something similar with your high score routines to 
generate a key that is used to encrypt the score data - like in Jobe's 
book.  The trick here is to keep changing the key: someone can 
decompile your Flash, but the key generating system is on the server, so 
they have to guess how that works.  How strong you make that is up to you.


   Good luck.

   Glen
___
[email protected]
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com


Re: [Flashcoders] Highscore submit security with independent library

2006-10-30 Thread Ron Wheeler

Not exactly.

You would also provide a set of server side routines that allow them to 
specify the legal transaction flows.
I suppose that you also give them the client side routines that 
facilitated the communications.


You might want to look at the open source game servers for Flash to see 
if you can either use their facilities or add extensions to support 
single user games.


Ron

Tjeerd Boerman wrote:

Thanks Ron, this response really helped me!

Translating to the library thing, the only way to create a semi-secure 
highscore submitting system is by coding it myself, and never giving 
anyone the source?
That would mean what I envisioned (users creating their own games with 
this library to use on the site) is impossible, since every game would 
need custom security code so I can validate the game flow on the server, 
to achieve some security, correct?


Cheers!

T. Boerman






Re: [Flashcoders] Highscore submit security with independent library

2006-10-29 Thread Mark Winterhalder

Translating to the library thing, the only way to create a semi-secure
highscore submitting system is by coding it myself, and never giving
anyone the source?


No, as Weyert already said, SWFs can be decompiled. I don't know how
decompilers react to non-Flash-IDE compilers, like MTASC or haXe --
maybe they could make it more difficult.
But even if you do your algorithms with flasm, it would only make it
harder for the attacker, not impossible. If all they can win is a
T-shirt, they probably won't bother (and if they do anyway, they
deserve it). If it were a widely used library, however, then the
effort would pay.

Mark


Re: [Flashcoders] Highscore submit security with independent library

2006-10-29 Thread Michael Bedar
It does not mean that you can't distribute ActionScript source, just
that the logic can't all be in the client side AS.  In general,
relying on the secrecy of the algorithm is not good security.



On Oct 29, 2006, at 2:51 PM, Tjeerd Boerman wrote:


Thanks Ron, this response really helped me!

Translating to the library thing, the only way to create a semi-secure
highscore submitting system is by coding it myself, and never giving
anyone the source?
That would mean what I envisioned (users creating their own games with
this library to use on the site) is impossible, since every game would
need custom security code so I can validate the game flow on the server,
to achieve some security, correct?


Cheers!

T. Boerman







Re: [Flashcoders] Highscore submit security with independent library

2006-10-29 Thread Tjeerd Boerman

Thanks Ron, this response really helped me!

Translating to the library thing, the only way to create a semi-secure 
highscore submitting system is by coding it myself, and never giving 
anyone the source?
That would mean what I envisioned (users creating their own games with 
this library to use on the site) is impossible, since every game would 
need custom security code so I can validate the game flow on the server, 
to achieve some security, correct?


Cheers!

T. Boerman




Ron Wheeler wrote:
On-line gambling applications are possible where single transactions 
are worth significant amounts of money.


You need to think very carefully about the design and be sure that the 
server can validate the score independently of the client.
One possible line of thinking is to send the server regular progress 
indications and validate the user's path through the game. The next 
transaction not only has to be valid in itself but also has to be 
valid in terms of all previous transactions. If the sequence of 
progress points gets broken, then you refuse to accept the final 
score. This is a simple state engine on the server.


Keeping part of the game logic on the server is the best way to ensure 
that access to the client code is not enough to break the game, i.e. 
send a transaction to the server and get back the outcome, mark the 
result on the server and let the client set up the game to the state 
returned by the server for the next interaction. This way, a fake 
client cannot simply send a sequence of transactions. You can also 
enforce a minimum amount of time between transactions and steer 
someone to a dead end position if they play too fast (i.e. use an 
automatic transaction generation system).


If the user already has a winning path through the game and has 
recorded how to do it, you may get a lot of high scores from 1 person. 
That is another problem. If you randomize the outcomes on the server 
side, you can make sure that each game must follow a different path.


Just as every security measure has a successful hack, every hack can 
be countered. Welcome to the battleground.
Vigilance is one of the big expenses in real casinos. The best on-line 
gaming companies recognize that they always have to be looking for 
evidence of new hacks, for gamers finding new ways to collude and for 
all kinds of fraud that they have not foreseen.


Ron




Re: [Flashcoders] Highscore submit security with independent library

2006-10-29 Thread Ron Wheeler
On-line gambling applications are possible where single transactions are 
worth significant amounts of money.


You need to think very carefully about the design and be sure that the 
server can validate the score independently of the client.
One possible line of thinking is to send the server regular progress 
indications and validate the user's path through the game. The next 
transaction not only has to be valid in itself but also has to be valid 
in terms of all previous transactions. If the sequence of progress 
points gets broken, then you refuse to accept the final score. This is a 
simple state engine on the server.


Keeping part of the game logic on the server is the best way to ensure 
that access to the client code is not enough to break the game, i.e. send 
a transaction to the server and get back the outcome, mark the result on 
the server and let the client set up the game to the state returned by 
the server for the next interaction. This way, a fake client cannot 
simply send a sequence of transactions. You can also enforce a minimum 
amount of time between transactions and steer someone to a dead end 
position if they play too fast (i.e. use an automatic transaction 
generation system).


If the user already has a winning path through the game and has recorded 
how to do it, you may get a lot of high scores from 1 person. That is 
another problem. If you randomize the outcomes on the server side, you 
can make sure that each game must follow a different path.


Just as every security measure has a successful hack, every hack can be 
countered. Welcome to the battleground.
Vigilance is one of the big expenses in real casinos. The best on-line 
gaming companies recognize that they always have to be looking for 
evidence of new hacks, for gamers finding new ways to collude and for all 
kinds of fraud that they have not foreseen.


Ron

Tjeerd Boerman wrote:

Hey, Thanks for your response

So you are saying I can't start a serious ladder for these games, with 
reasonable amounts of security?


PS: I'm not following a flash course here, that's for sure ;)

Greets,
Tjeerd


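Ron's server-side state engine and Glen's server-issued "stamp" (from the first post in this thread), combined into one added Python example that is not code from the thread or from any library the posters mention. Every name in it (GameServer, start_game, checkpoint, submit_score, SERVER_SECRET, LEVEL_POINTS, MIN_INTERVAL) is hypothetical, and timestamps are passed in explicitly so the pacing check can be exercised offline.

```python
import hashlib
import hmac
import random
import secrets

# Hypothetical server-side validator for a high-score ladder (added example).
# Design assumed here, following the thread:
#  - start_game issues a per-game "stamp" (an HMAC over a fresh nonce) that
#    must accompany every report; only the server knows how it is made, and
#    each stamp is accepted for one final score only;
#  - the server chooses the level order at random, so a recorded winning
#    path cannot simply be replayed game after game;
#  - checkpoints must arrive in that order and no faster than MIN_INTERVAL
#    seconds apart; a broken sequence or too-fast play ends the session;
#  - points come from a server-side table, never from the client.

SERVER_SECRET = b"constructed-server-secret"  # constructed; load from config in practice
MIN_INTERVAL = 2.0                            # seconds between accepted checkpoints
LEVEL_POINTS = {"L1": 100, "L2": 250, "L3": 400, "L4": 800}  # constructed score table


class GameServer:
    def __init__(self, seed=None):
        self.rng = random.Random(seed)  # seed only so the example is reproducible
        self.sessions = {}              # stamp -> per-game state

    def _stamp(self, player, nonce):
        msg = f"{player}:{nonce}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def start_game(self, player, now):
        """Issue a fresh stamp and the server-chosen level order for one game."""
        stamp = self._stamp(player, secrets.token_hex(8))
        path = list(LEVEL_POINTS)
        self.rng.shuffle(path)
        self.sessions[stamp] = {"path": path, "next": 0, "last": now,
                                "score": 0, "dead": False}
        return stamp, path

    def checkpoint(self, stamp, level, now):
        """Validate one progress report and return the outcome the client must follow."""
        s = self.sessions.get(stamp)
        if s is None or s["dead"]:
            return "rejected"                   # unknown stamp or already failed game
        if now - s["last"] < MIN_INTERVAL:
            s["dead"] = True                    # too fast: treat as an automated client
            return "dead-end"
        if s["next"] >= len(s["path"]) or level != s["path"][s["next"]]:
            s["dead"] = True                    # sequence broken: refuse the rest of the game
            return "rejected"
        s["score"] += LEVEL_POINTS[level]       # tally on the server, not in the client
        s["next"] += 1
        s["last"] = now
        return "finished" if s["next"] == len(s["path"]) else s["path"][s["next"]]

    def submit_score(self, stamp):
        """Accept a final score only for a complete, unbroken, properly paced game."""
        s = self.sessions.pop(stamp, None)      # single use: the stamp is consumed
        if s is None or s["dead"] or s["next"] != len(s["path"]):
            return None
        return s["score"]
```

The client only ever learns the next level to play and the server's verdict; a decompiled SWF reveals nothing that lets it skip a level, replay a path or invent points.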


Re: [Flashcoders] Highscore submit security with independent library

2006-10-29 Thread Weyert de Boer

Hi Tjeerd,

The problem is that you can decompile Flash movies with something like 
ActionScript Viewer, meaning you can just easily browse the code in 
readable form. To my knowledge you would always have a bit of the 
algorithm in the Flash movie to make it all work, meaning you can see how 
they send the data over. For example, you can find out how the 'salt' is 
generated within the movie, or any other verification 'bits'. It's hard. 
That's all.


Yours,
Weyert


Re: [Flashcoders] Highscore submit security with independent library

2006-10-29 Thread Tjeerd Boerman

Hey, Thanks for your response

So you are saying I can't start a serious ladder for these games, with 
reasonable amounts of security?


PS: I'm not following a flash course here, that's for sure ;)

Greets,
Tjeerd

Weyert de Boer wrote:

Hi Tjeerd,

Never, period, as long as you have access to the files in use by the game 
or any applications. You can cheat, period. Sometimes it's harder to 
get around... I would expect you have learned all the tricks in Enschede!


Yours,
Weyert de Boer



Re: [Flashcoders] Highscore submit security with independent library

2006-10-29 Thread Weyert de Boer

Hi Tjeerd,

Never, period, as long as you have access to the files in use by the game or 
any applications. You can cheat, period. Sometimes it's harder to get 
around... I would expect you have learned all the tricks in Enschede!


Yours,
Weyert de Boer
