What about security tests in PA

Discussion in 'Planetary Annihilation General Discussion' started by killerzwelch, June 7, 2013.

  1. killerzwelch

    killerzwelch New Member

    Hi,

    Just asking myself what the developers think of security checks, i.e. is it possible to hack a game, send in-game messages...?
    I personally have only very limited experience in hacking, but what's your point of view? Maybe there is one or another guy who has some experience...
    Should the tester also have a look at this point? Is it allowed to start up Wireshark and analyze the packets?
    Would not appreciate having it like WoW where bots can send messages, invitations...

    rgds
    killerzwelch
  2. BulletMagnet

    BulletMagnet Post Master General

    Anything a player can do, a bot can do too.

    No game can be designed/secured that well.

    But, there's no loot to be farmed and sold. If you think PA is an MMO, you're sorely mistaken.
  3. firebladed

    firebladed New Member

    Without knowing how communications work protocol-wise, and with no access to the client yet, it's hard to tell where you would start.

    Assuming the client is relatively dumb, most "hacks" would have to be against the server, as it does the majority of the work (i.e. simulation). Apart from the standard attacks against any server (I'm not going to give hacking lessons), there might be ways of persuading the server to do things it shouldn't by manipulating communications to alter the simulation.

    BUT until you can get a copy of the server, trying anything like that would likely be ILLEGAL, so I wouldn't try it without explicit written permission (read CEO of whoever owns the server hardware).

    You could fire up Wireshark (you can monitor anything going in or out of your computer), but I don't know what that would tell you at this point. If it is a custom protocol you could spend ages analysing it, depending on what it is based on.

    Security-wise, as a principle you should start testing as soon as possible, as it should be built in from the start, not tagged on later.

    There are things you can try with the client, memory altering etc., to persuade the server to do things, that would, if done outside permitted testing (read cheats/exploits), likely be EULA violations (breach of contract) if done when not running your own server.

    I'll ignore bots, as those are automation rather than hacking.

    Personally I think that attitude is what can lead to your passwords (and other details) getting stolen. If the server can be hacked to get command line/root access, that can often be used to get to other things. All it can need is one security hole in the wrong place and your entire network gets compromised.
  4. drewsuser

    drewsuser Active Member

    Any multiplayer game can be hacked fairly easily, but I wouldn't worry. With the amount of people playing this at release, there's not much chance you'll get stuck in a hacked server.
  5. thetrophysystem

    thetrophysystem Post Master General

    As far as hacks go, it is entirely something that can be set up later.

    C&C Renegade was the easiest game to hack when it came out; all the client's damage was dealt from what it says in his own objects.ddb file. Later, they simply added an "additional" program that you run with the server, called "dragonguard", that confirmed damages being dealt from clients. All damage in the game was read to dragonguard for accuracy of what they should be doing.

    player1 did 10 damage with the assault rifle, fine. player1 did 10 damage with the assault rifle 30 times in 10 seconds, that is the correct rate of fire so fine. player1 did 200 damage with the ramjet to the torso, correct...

    ...but the second he hits the torso and gets headshot damage his damage is either readjusted and he is warned, or he is kicked, depending on how the program is set.
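
The server-side damage check described in the post above, as an added example that is not part of the thread and is not DragonGuard's code. The torso damage and the assault rifle's 30 hits per 10 seconds come from the post; the headshot values, the ramjet rate limit, and all names are assumptions, and `zone` is the hit location computed by the server, not one reported by the client.

```python
from collections import defaultdict, deque

# Constructed weapon table. Torso damage and the assault rifle rate follow the
# post; head damage and the ramjet rate limit are assumed for illustration.
WEAPONS = {
    "assault_rifle": {"torso": 10, "head": 50, "max_hits": 30, "window_s": 10.0},
    "ramjet": {"torso": 200, "head": 1000, "max_hits": 5, "window_s": 10.0},
}


class DamageValidator:
    def __init__(self, policy="adjust"):
        if policy not in ("adjust", "kick"):
            raise ValueError("policy must be 'adjust' or 'kick'")
        self.policy = policy
        self.hits = defaultdict(deque)    # (player, weapon) -> accepted hit times
        self.warnings = defaultdict(int)  # player -> number of violations seen

    def check(self, player, weapon, zone, claimed, now):
        """Return (verdict, damage_to_apply) for one client-reported hit."""
        spec = WEAPONS.get(weapon)
        if spec is None or zone not in ("torso", "head"):
            return self._violation(player, 0)   # unknown weapon or hit zone
        recent = self.hits[(player, weapon)]
        # Drop hits that have left the sliding rate-of-fire window.
        while recent and now - recent[0] >= spec["window_s"]:
            recent.popleft()
        if len(recent) >= spec["max_hits"]:
            return self._violation(player, 0)   # faster than the weapon can fire
        recent.append(now)
        expected = spec[zone]                   # the server's value is authoritative
        if claimed != expected:
            return self._violation(player, expected)
        return ("ok", claimed)

    def _violation(self, player, corrected):
        self.warnings[player] += 1              # "he is warned"
        if self.policy == "kick":
            return ("kick", 0)
        return ("adjusted", corrected)          # "his damage is readjusted"
```
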
  6. SXX

    SXX Post Master General

    I don't think anybody runs game servers with root privs. :mrgreen:
  7. killerzwelch

    killerzwelch New Member

    Maybe I just think about it because I'm a software developer in a bank, and there security is always a big topic...

    But there is any. Apart from that, if you want to host your own game server, I would be pretty keen on knowing if I just started the best trojan horse you could get or if that is secure software.
    yes... and Microsoft has the best secured OS in the world... :lol:
  8. SXX

    SXX Post Master General

    I'm a Linux user, but anyway, when we talk about servers the OS used doesn't make a lot of sense, because there are really few remote exploits for Microsoft products. It's only a question of how secure Uber's code is. At least there is a low chance of buffer overflow attacks, which are most popular on Windows software.

    And I doubt Uber uses Windows for servers, because I think they don't use their own hardware but virtualized cloud instances. And Windows is pretty expensive and non-efficient when you need to run 100 instances fast.

    PS: Probably Uber (like any other developers) won't comment on such a thread on a public forum, because there are a lot of legal issues and probably they have no in-house lawyer to consult with. But if you've got something to report, you just need to send this information directly to Uber and they will fix the problems. ;)
    Or give it to me and I'll report that, because I don't care about legal issues. :D
  9. antillie

    antillie Member

    I'm sorry but this just isn't true. Windows and Linux are both equally fast and capable running as VMs in a cloud on a massive scale. Windows wins on price if you compare it to Red Hat Enterprise Linux but it loses out to other distros in this area. However if you add SQL to the mix then the price advantage goes to Red Hat. Really it's more about what platform you need and what your development team is comfortable working with than anything else.

    In my experience both platforms are equally secure/insecure. In the enterprise space admin and developer competence are far more important to security than what OS you are running.

    This is arguably not the case for home users but that really just boils down to the bad guys going for a target audience and doesn't really have much to do with the OSes themselves. Linux used to have an advantage here by not running as root all the time, but this was more about admin competence, and between Ubuntu adding every user to sudoers by default and Windows implementing UAC this difference is now pretty negligible.
  10. SXX

    SXX Post Master General

    I probably can't talk about "massive scale" because I don't have such experience, but when I worked with game server hosting OpenVZ worked really. In game hosting with a lot of virtual machines you usually have a lot of idle instances, and with OpenVZ there is really small overhead on RAM/CPU/HDD usage for them.
    Microsoft platforms don't have any tech like OpenVZ, only a commercial one which also needs a special Windows license.

    If we talk about hardware virtualization, Windows instances usually need more RAM, so even if they are idling most of the time you need to pay for it.

    I don't think you need RHEL for game server hosting, imho. :roll:
    Even if we talk about EC2, Windows is much more expensive:
    http://aws.amazon.com/ec2/pricing/

    Totally agree with it. :cool:
  11. antillie

    antillie Member

    This is more a function of the hypervisor you are running than the guest OS. MS's own hypervisor isn't the best in the world but if you go with some other hypervisor such as VMware or OpenStack then it's really a wash between Linux and Windows as the guest OS.

    What you are using the VM for matters much more than what OS it is running. There is very little difference between a stripped down Linux install and a stripped down Windows Server install. Especially if you use Windows Server Core. Windows 2008 R2 runs just fine with only 512 megs of RAM, and that's with the GUI installed. Windows Server Core will run with only 256. Sure you can run Linux on only 256 but what are you really going to do with any server that only has 256 or 512 megs of RAM?

    And once you are running servers with 32-512 gigs of RAM the memory overhead of the OS's just doesn't matter any more compared to the other differences between the platforms.

    True RHEL is not expressly needed for games but it is often the only viable Linux choice in the enterprise world due to the support options it provides. So it really comes down to how important is the up time of your game servers? I would wager that in most cases up time for a game server will not be important enough to go with RHEL over Ubuntu.

    However, if the server admin is more familiar with Windows then the ease of administration of Windows over Linux may be worth the cost of the OS. Look at the Windows 2008 R2 firewall compared to iptables to see what I mean. And if you are managing a large number of servers it can be pretty hard to beat Active Directory sometimes without writing a bunch of custom scripts. Admin hours cost an awful lot more than OS licenses and support contracts for either platform.

    I'm not trying to say that Windows is better, because it's not. Linux is a great server OS and even a good desktop OS for most people. Neither is really categorically "better" than the other. I'm just saying that the choice between Windows and Linux is rarely a simple one.
