
Re: Cyanide Dice Hacks

Posted: Wed Nov 10, 2010 11:47 am
by VoodooMike
TuernRedvenom wrote: That's why you take such an algorithm and change it a little bit. If a vulnerability comes to light (MD5 was widespread but is now considered insecure) a "default crack tool" won't cut it right away and gives the developer some time to make a better implementation.
Like they did with their Mersenne Twister since day one? Yeah, fat lot of good that does. Really, if your security measures rely on the obfuscation of the method then you're doing it wrong. That is the cardinal rule of security in general - if the only thing you have going for you is that people don't know the truth, then you're just biding your time until you get creamed. There's a reason the government holds open contests to create the new standard for encryption when one is needed, and subjects the algorithm to widespread public scrutiny before adopting it.
TuernRedvenom wrote: I agree that writing the file seems redundant, but are you sure it's not just a backup? It could send it from memory but write the file for diagnostic purposes anyway.
I'm quite sure, yes. Do keep in mind that they DELETE the .db file after using it - there's no "backup" use in that case. The most likely case is that they use an open source SQLite library for all the relevant game data, and don't know how to work with the databases without writing them to disk first. It's not even that uncommon, but it IS corner cutting.

Re: Cyanide Dice Hacks

Posted: Wed Nov 10, 2010 12:11 pm
by TuernRedvenom
VoodooMike wrote:
TuernRedvenom wrote: That's why you take such an algorithm and change it a little bit. If a vulnerability comes to light (MD5 was widespread but is now considered insecure) a "default crack tool" won't cut it right away and gives the developer some time to make a better implementation.
Like they did with their Mersenne Twister since day one? Yeah, fat lot of good that does. Really, if your security measures rely on the obfuscation of the method then you're doing it wrong. That is the cardinal rule of security in general - if the only thing you have going for you is that people don't know the truth, then you're just biding your time until you get creamed. There's a reason the government holds open contests to create the new standard for encryption when one is needed, and subjects the algorithm to widespread public scrutiny before adopting it.
Ofc you don't rely on obfuscation alone. It is an extra hurdle the hacker needs to navigate. Would-be hackers using standard tools would probably give up at this point. If nothing else, it buys you more time for very little effort.
TuernRedvenom wrote: I agree that writing the file seems redundant, but are you sure it's not just a backup? It could send it from memory but write the file for diagnostic purposes anyway.
I'm quite sure, yes. Do keep in mind that they DELETE the .db file after using it - there's no "backup" use in that case. The most likely case is that they use an open source SQLite library for all the relevant game data, and don't know how to work with the databases without writing them to disk first. It's not even that uncommon, but it IS corner cutting.
Yup, that doesn't look too good.

Re: Cyanide Dice Hacks

Posted: Wed Nov 10, 2010 10:28 pm
by VoodooMike
TuernRedvenom wrote: Ofc you don't rely on obfuscation alone. It is an extra hurdle the hacker needs to navigate. Would-be hackers using standard tools would probably give up at this point. If nothing else, it buys you more time for very little effort.
If you alter the well-established and widely-tested algorithm "a little bit" then it is no longer that algorithm - it is now an untested algorithm, and you'll have thrown away the benefit of using one that the smartest people in the security community have thus far been unable to conquer.

Also, what exactly are "standard tools" in this case?