

rip-off

Member Since 16 Mar 2005
Online Last Active Today, 01:20 AM

#5169486 Hiring people to create a game for you

Posted by rip-off on 27 July 2014 - 07:49 AM


Don't worry about ideas and designs. Nobody is going to steal them.

Why do people say this? Remember facebook?

People don't steal ideas. Most ideas are worthless by themselves.

 

It is when you've executed an idea that it becomes vulnerable, as someone can take your execution and either clone it directly or create an improved version of it. Execution itself is the hard bit, no interesting idea ever becomes fact without significant discoveries and changes in the process. The gap between the idea and the implementation can be narrowed by experience, but is never small.

 

In any case, the solution would be to get a lawyer to write a contract that prevents the situation you're worried about. Developing any game, even a small one, is expensive. You're going to want to protect that significant investment legally at some point, it might as well be from the beginning.




#5169350 'pass through member function'

Posted by rip-off on 26 July 2014 - 12:15 PM

Seems reasonable to me. Is there something about this approach that you're unhappy with? One can over-think things like this.




#5168733 Sending and receiving UDP packets to character status need be encrypted?

Posted by rip-off on 23 July 2014 - 03:15 PM


 I suppose I'm having a very large overhead because of the encryption/decryption AES. 

You should measure first, before deciding what the issue is.




#5166540 questions about graphics programming

Posted by rip-off on 13 July 2014 - 04:57 AM

I'm not sure I understand your question, but generally you would write your program in a high level language against an API such as Direct3D or OpenGL. This hides the specific details from you, although if you need to maximise the amount of detail when rendering you'll need to be very familiar with how to use the API and the hardware in an optimal fashion.

It is possible to write programs that are mostly agnostic to the CPU architecture and GPU specifics. Most popular languages in use today are portable with either little or some effort (depending on how low level they are). It is also possible to write programs that work across different operating systems by choosing libraries that already support the platforms you wish to target.


#5165205 encryption my password

Posted by rip-off on 07 July 2014 - 01:48 AM

It is spelled "encrypted" and "client". I understand you might have some difficulty with English, but take particular care with technical terminology as deviating too far can make it incredibly difficult to read and understand your posts. Try using a spell-checker configured to English if you're not doing so already.

Right now there is no encryption, just hashing. These are very different things, even though the end result appears to be scrambled data. Encryption is reversible, that is the server can tell exactly what the client originally sent it. Hashing is not reversible, as multiple inputs can map to the same output (though for passwords, some inputs are more likely than others). An important security property of proper encryption is that the scrambled data is different each session even if the same data is exchanged.

If you hash on the client side, and send that hashed value over an unencrypted link, then an attacker only has to sniff and replay the hashed value to authenticate. I've mentioned this earlier in the thread.

If you use SSL, then the network connection is actually encrypted, which renders it infeasible for an attacker to merely sniff the network and get access to the credentials.

So using SSL is the solution, and hashing on the client is not the solution. Securing such a system is a well known, solved problem. You don't need to design this yourself. It is unfortunately all too easy to design a system that uses encryption and hashing but actually remains vulnerable to all sorts of inventive attacks. Use the tried and tested best practice instead.


#5165123 how to use or ||

Posted by rip-off on 06 July 2014 - 04:00 PM

But the sound keeps playing even if temp is below zero.

Are you 100% sure the temperature actually goes below zero? Does the code work as expected with the other conditions?


#5165071 encryption my password

Posted by rip-off on 06 July 2014 - 10:49 AM

It appears you don't understand how this works. You're calling the method to save a new password. The first thing it does is generate some random bytes, to be used for the salt.

In order to generate the value in the database, you have to look up the database first and split the saved string into the salt and hashed password. In order for the client to do this, it would first have to send the username to the server, and the server would have to send the salt for that user (if it exists). This means that an unauthenticated client can essentially query the server for usernames and salts, which would generally be considered insecure.

Do you understand how Joomla is authenticating? Do you understand salting? Do you understand the threat it mitigates against, and how? Why do you want the client to hash the password? Is there a reason you don't want to use SSL? What part of the explanations and suggestions you've got so far are you having difficulty with?


#5165053 STL Map and SDL2 Texture segfault

Posted by rip-off on 06 July 2014 - 09:15 AM

The map is in fact, a map<std::string, SDL_Texture>. that filename.c_str() is local, but isn't it just calling the characters that make up that string, and storing it into map?

Ok, the code is fine then, though a little inefficient (requires a new std::string to be constructed). What it appeared to us was that you might have std::map<const char *, SDL_Texture>, which is where the problems would occur.

What should I be doing instead of filename.c_str() when trying to pass my filename path to the loadTexture function; and then saving it as a key on the map?

For storing it in the map, you can just use:
textureLibrary[filename] = newTexture;
The c_str() function is when you need to pass the contents of the string to a C API like SDL.

Yeah, I do intend on going back and doing error checking...

That's OK, just mentioning it.


#5165044 STL Map and SDL2 Texture segfault

Posted by rip-off on 06 July 2014 - 08:28 AM

Entity newEntity(textureLibrary["raindrop.png"]);
gameVec.push_back(&(newEntity));
This could be dangerous. Storing a pointer to a local variable in a member variable is similar to what BitMaster highlighted with std::string::c_str(). It might work for the time being given that your game loop is in your Game constructor (which wouldn't be recommended), but could break easily if you're not careful.

It appears you're not quite on top of memory management yet, so you should probably do some more work on that before you continue writing your game. There is nothing more frustrating than trying to understand obscure pointer crashes in C++ - one of my first medium sized projects fell victim to something like this when I was starting out, and I just didn't have the skills to fix it.

I also see a lot of calls to SDL that don't appear to be checking for errors, and the one place you do check for errors you just shut down SDL without exiting the program. Your program should be full of proper error checking, when something goes wrong at the very least log it to stdout, stderr or a log file, and try to handle it so that your program ends cleanly (e.g. return from main(), use an exception or at least call std::exit or std::abort). You'll thank yourself a few weeks from now when you make a typo in a texture name and get a nice error message rather than a crash.


#5165042 encryption my password

Posted by rip-off on 06 July 2014 - 08:17 AM

Can mitigate the chances of a successful man in the middle attack.

I realize I'm being a bit pedantic, but I do feel that people should understand the potential issues that currently exist with our existing SSL implementations...

Unfortunately, in the modern SSL environment there is no real means of preventing a man in the middle attack, what with the proliferation of hacked CAs and the ability of many of our world governments being able to request wildcard certificates and such from CAs under gag orders to prevent disclosure of such issuance...

While I'm not disagreeing with you, generally attackers of such sophistication and resources are not part of the threat model for most developers here. But yes I worded that a bit too strongly. I believe an earlier draft of the post used the word "infeasible", but it was lost in a re-write.

@Landi20, you still haven't explained what is or isn't happening. You've posted code, and you have posted what appears to be two hashed passwords, one of which presumably is in the Joomla database and another is generated from your C# code somehow. Did you write the C# code yourself? If not, where did you find it? Can you post a unit test or short sample program that shows how you are using this code? Be very clear on which plain text passwords you are using and which hashes they correspond with.

but i can´t have the same password everytime change when send to the server

This indicates that you're probably not using the correct method. If the hashed password is not the same, then you're probably using the method for saving new passwords, not checking existing ones.

To check an existing password on the client, the client would have to know the salt, which you should not be sending to the client (you cannot trust that it even is a legitimate user). If you want to use the same database as Joomla, you'll have to conform to their mechanism, which is that the server must receive the plaintext password (delivered securely using SSL) and the server then validates this.


#5164960 encryption my password

Posted by rip-off on 05 July 2014 - 05:46 PM

Are you saying that you want to authenticate against an existing database schema, particularly that of joomla 2.5.22? Some quick Googling indicates they may have an API to help you.

I want to hash my password on the client side and send it to the server to verify the hash is the same as I have in the database

Is there a reason you want to do this? It isn't necessarily more secure. If you send a hash of a password, then that hashed value effectively is the "real" password. Yes, an attacker in the middle might have difficulty determining the plaintext password, but they don't need it - they can re-send the hashed value they sniff on the network and the server can't tell they don't know the real value.

Used correctly, SSL solves the problem of a Man in the Middle attack.


#5164768 encryption my password

Posted by rip-off on 04 July 2014 - 11:59 AM

I don't really understand your question, but I'll explain this in general.

There are two parts to this. First is account setup:
  • User creates an account somehow, or is changing an existing account
  • Username and password are securely submitted via SSL to the server
  • Server generates a large random string called a "salt" for this user
  • The salt and user password are concatenated and hashed using a secure algorithm (e.g. bcrypt)
  • Username, salt and hashed password are saved into the database
I'm ignoring email authentication and other common steps here, and focusing on the credentials.

Then, when a client wants to authenticate:
  • Client uses SSL to securely send credentials to the server
  • Server checks if this username has had many recent failed logins (e.g. > 3 in ten minutes)
  • If so, an error message is displayed
  • Otherwise, server uses the username to look up the hashed password and "salt" value
  • If this record is not found, a generic "Incorrect username or password" message is displayed
  • Client submitted password and the salt in the database are concatenated and hashed using the secure hashing algorithm
  • If the hash output matches the existing salt in the database, the client is authenticated as that user
  • Otherwise the same generic error message is displayed and the failed login attempt is recorded
An important objective here is to give a potential attacker no information about which usernames are valid.

Other protection mechanisms can be used such as detecting patterns of failed login attempts on different usernames from a particular IP address, and blocking further attempts (e.g. trying a common password such as "password1" on lots of users).

Obviously, the usual precautions against SQL injection are applied at any step that accesses the database.
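
The account-setup and login steps listed in this post, as an added Python example that is not part of the original post. Assumptions: two in-memory dicts stand in for the database, scrypt from the standard library stands in for the bcrypt the post mentions, the function names are hypothetical, and failed attempts are also counted for unknown usernames so the throttle does not reveal which names exist.

```python
import hashlib, hmac, os, time

GENERIC_ERROR = "Incorrect username or password"
THROTTLED = "Too many failed logins, try again later"
MAX_FAILS, WINDOW = 3, 600      # "> 3 in ten minutes", as in the post

users = {}      # username -> (salt, hash); stands in for the database table
failures = {}   # username -> timestamps of recent failed logins

def kdf(password, salt):
    # Assumption: scrypt replaces bcrypt so the example needs no extra packages
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

DUMMY_SALT = os.urandom(16)     # used only when the username does not exist

def register(username, password):
    salt = os.urandom(16)       # large random per-user salt
    users[username] = (salt, kdf(password, salt))

def login(username, password, now=None):
    now = time.time() if now is None else now
    # Throttle first, before touching the credential store
    recent = [t for t in failures.get(username, []) if now - t < WINDOW]
    failures[username] = recent
    if len(recent) > MAX_FAILS:
        return False, THROTTLED
    record = users.get(username)
    # Unknown user: run the KDF anyway so response time does not leak validity
    salt, stored = record if record else (DUMMY_SALT, b"")
    candidate = kdf(password, salt)
    # Constant-time comparison of the recomputed hash with the stored hash
    if record and hmac.compare_digest(candidate, stored):
        return True, "OK"
    recent.append(now)          # recorded for unknown names too (choice made here)
    return False, GENERIC_ERROR
```
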


#5164651 iterator output not in sync

Posted by rip-off on 03 July 2014 - 03:17 PM

Glad it is working for you now. Just to point out that this is why I was urging you to post the actual, full code that you thought you had corrected that still wasn't working. There was probably some minor mistake in your initial attempt that we may have caught earlier.


#5164522 sdl_image load tga fails on Windows

Posted by rip-off on 03 July 2014 - 03:38 AM

What is the error message?


#5164408 iterator output not in sync

Posted by rip-off on 02 July 2014 - 03:43 PM

I added the code below because it was suggested by @wooh..

vector3D v = vecIterator.next();
System.out.println("iterator list output " + v.x + " " + v.y + " " + v.z);

This is the correct code, and should work. If this isn't working for you, you'll have to post that code so we can see why it isn't. We're not psychic, to help you, we'll need to see the full code, not just isolated snippets. If there are errors, please post them. If the output is unexpected, please note how and post it.



