Cyanide Dice Hacks


VoodooMike
Emerging Star
Posts: 434
Joined: Thu Oct 07, 2010 8:03 am

Re: Cyanide Dice Hacks

Post by VoodooMike »

TuernRedvenom wrote:That's why you take such an algorithm and change it a little bit. If a vulnerability comes to light (MD5 was widespread but is now considered insecure) a "default crack tool" won't cut it right away and gives the developer some time to make a better implementation.
Like they did with their Mersenne Twister since day one? Yeah, fat lot of good that does. Really, if your security measures rely on the obfuscation of the method then you're doing it wrong. That is the cardinal rule of security in general - if the only thing you have going for you is that people don't know the truth, then you're just biding your time until you get creamed. There's a reason the government holds open contests to create the new standard for encryption when one is needed, and subjects the algorithm to widespread public scrutiny before adopting it.
TuernRedvenom wrote:I agree that writing the file seems redundant, but are you sure it's not just a backup? It could send it from memory but write the file for diagnostic purposes anyway.
I'm quite sure, yes. Do keep in mind that they DELETE the .db file after using it - there's no "backup" use in that case. The most likely case is that they use an open source SQLite library for all the relevant game data, and don't know how to work with the databases without writing them to disk first. It's not even that uncommon, but it IS corner cutting.

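The in-memory handling the post above says the game skips, as an added example (not part of the original post and not Cyanide's code): an SQLite database is built in RAM, turned into bytes for sending, and rebuilt on the receiving side without a .db file ever being written. The table name, columns and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data; the real game's schema is not shown on the page.
SAMPLE_ROLLS = [(1, "d6", 4), (1, "block", 2), (2, "d6", 1)]


def build_match_db():
    """Create the database entirely in RAM; nothing is written to disk."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rolls (turn INTEGER, die TEXT, result INTEGER)")
    conn.executemany("INSERT INTO rolls VALUES (?, ?, ?)", SAMPLE_ROLLS)
    conn.commit()
    return conn


def pack(conn):
    """Turn the live database into bytes ready to send.

    Python 3.11+ exposes SQLite's serialize API, which yields the same
    bytes a .db file would contain. Older builds fall back to an SQL dump.
    """
    if hasattr(conn, "serialize"):
        return "image", conn.serialize()
    return "sql", "\n".join(conn.iterdump()).encode("utf-8")


def unpack(kind, payload):
    """Receiver side: rebuild the database in RAM from the received bytes."""
    conn = sqlite3.connect(":memory:")
    if kind == "image":
        conn.deserialize(payload)
    else:
        conn.executescript(payload.decode("utf-8"))
    return conn


def read_rolls(conn):
    """Return all rows in insertion order."""
    return conn.execute(
        "SELECT turn, die, result FROM rolls ORDER BY rowid"
    ).fetchall()


if __name__ == "__main__":
    kind, payload = pack(build_match_db())
    print(kind, len(payload), "bytes")
    print(read_rolls(unpack(kind, payload)))
```

Keeping the data off disk also removes the window in which a local user could read or alter the file between the write and the delete.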
TuernRedvenom
Legend
Posts: 2051
Joined: Wed Apr 07, 2004 10:39 am
Location: Argueing the call...

Re: Cyanide Dice Hacks

Post by TuernRedvenom »

VoodooMike wrote:
TuernRedvenom wrote:That's why you take such an algorithm and change it a little bit. If a vulnerability comes to light (MD5 was widespread but is now considered insecure) a "default crack tool" won't cut it right away and gives the developer some time to make a better implementation.
Like they did with their Mersenne Twister since day one? Yeah, fat lot of good that does. Really, if your security measures rely on the obfuscation of the method then you're doing it wrong. That is the cardinal rule of security in general - if the only thing you have going for you is that people don't know the truth, then you're just biding your time until you get creamed. There's a reason the government holds open contests to create the new standard for encryption when one is needed, and subjects the algorithm to widespread public scrutiny before adopting it.
Ofc you don't rely on obfuscation alone. It is an extra hurdle the hacker needs to navigate. Would-be hackers using standard tools would probably give up at this point. If nothing else, it buys you more time for very little effort.
TuernRedvenom wrote:I agree that writing the file seems redundant, but are you sure it's not just a backup? It could send it from memory but write the file for diagnostic purposes anyway.
I'm quite sure, yes. Do keep in mind that they DELETE the .db file after using it - there's no "backup" use in that case. The most likely case is that they use an open source SQLite library for all the relevant game data, and don't know how to work with the databases without writing them to disk first. It's not even that uncommon, but it IS corner cutting.
Yup, that doesn't look too good.

A witty saying proves nothing. - Voltaire
VoodooMike
Emerging Star
Posts: 434
Joined: Thu Oct 07, 2010 8:03 am

Re: Cyanide Dice Hacks

Post by VoodooMike »

TuernRedvenom wrote:Ofc you don't rely on obfuscation alone. It is an extra hurdle the hacker needs to navigate. Would-be hackers using standard tools would probably give up at this point. If nothing else, it buys you more time for very little effort.
If you alter the well-established and widely-tested algorithm "a little bit" then it is no longer that algorithm - it is now an untested algorithm, and you'll have thrown away the benefit of using one that the smartest people in the security community have thus far been unable to conquer.

Also, what exactly are "standard tools" in this case?
