PortGalaxy

Best Security?


Hello,

I am currently managing a game development project. We are building a game with a Java server that communicates with a Flash client. In all we use Flash, MySQL, PHP, HTML, and Java. I could use some advice on how to prevent people from using packet sniffers, or other methods, to eventually reverse engineer our game and create a copy of it. Obviously, there is encryption; however, that only works to a point.

The game will be a browser-based MMO/Virtual World. I have been looking into virtualization and cloud computing to see if it's possible to host both the client and server on the dedicated server and just have it displayed via a plugin in their browser, though I can't find much about that method, and I am unsure if that is a good idea.

So please, any advice you can offer would be great. We will also be offering future job opportunities to help secure the game, but first would like to find the best method.

Thank you,
Riley

If your users never have access to your code, it would be very hard to reverse engineer. Even if they figure out the packet protocol, that is just a communication system; it tells them nothing of the actual game. I am not a security expert, but I don't think that a game that is entirely hosted on a server is at much risk.

Well, the server side, database, and images will be stored on the dedicated server and communicate with a Flash client on a separate web server. I have seen similar games completely copied and released as 'private servers' and I don't fully understand how people are able to do that with multi-million dollar game developments... which makes me worried about how to prevent that from happening.

Browser games are trivial to code. They did not reverse engineer it; they just wrote the same game from scratch.
"Multi-million dollar game developments"? Are you sure we are talking about browser games? You can order a custom game (only code, no art assets) of this kind for 50-70k USD.

Add value. Release new, minor version updates relatively frequently. A rolling target is hard to match, particularly if your updates contain new features or content that people want. Virtual worlds thrive on the size of their population, these private servers will probably be inconsequential if you can keep the bulk of the players moving with you. You can even try to build in game mechanics that only work with large populations, though you could compromise your overall design by over-indulging this. Make the server contain as much of the logic as possible, which means less can be reverse engineered and would need to be written from scratch.

You can make it hard for third party client/servers to be developed by detecting and rejecting protocol errors. You might randomly delay the disconnect for some number of seconds after the protocol error so the developer cannot reliably link the last message sent to the disconnect. You would have to be careful about things like this as they could impact regular users if you ever release a buggy version yourself.

You can make it more difficult through client obfuscation and protocol encryption, but at some level the client will generate something in memory that a determined adversary can read and interpret before it gets encrypted. You [b]cannot[/b] prevent it, but you can discourage it, make it hard to do and marginalise those who choose to play on private servers. Finally, you can take legal action against any private community hosters if they start getting to a significant size. Ensure your EULA contains whatever clauses your lawyer believes necessary so you can legally act against such communities if you want to.

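The advice in the post above (keep the authoritative logic on the server, detect and reject protocol errors, and delay the disconnect by a random interval so the offending message cannot be pinpointed by timing) as working code. This is an added example written for this page, not code from the thread or from the game it discusses; the original server is Java, but Python is used here. The JSON line protocol, the flat 1000x1000 world, the speed cap, the 2 to 30 second delay window and all sample messages are assumptions, not anything the thread specifies.

```python
import json
import math
import random

# Assumed game-server parameters (not from the original thread): a flat 1000x1000
# world, a speed cap, and a window of delays before a misbehaving client is dropped.
MAP_W, MAP_H = 1000.0, 1000.0
MAX_SPEED = 5.0                 # world units per second a legitimate client can cover
MIN_DT = 1.0 / 60.0             # two moves closer together than one tick count as one tick
DELAY_RANGE = (2.0, 30.0)       # seconds between the violation and the actual disconnect

# Allowed message types and the exact fields each must carry (assumed protocol).
SCHEMAS = {
    "move": {"x": (int, float), "y": (int, float)},
    "chat": {"text": str},
}


class ProtocolError(Exception):
    """Raised for anything a correct client would never send."""


def parse_message(raw):
    """Strictly decode one client frame: valid JSON, known type, exactly the expected
    fields, each of the expected type. Anything else is a protocol error."""
    try:
        msg = json.loads(raw)
    except ValueError:
        raise ProtocolError("not JSON")
    if not isinstance(msg, dict) or not isinstance(msg.get("t"), str):
        raise ProtocolError("bad envelope")
    schema = SCHEMAS.get(msg["t"])
    if schema is None:
        raise ProtocolError("unknown message type")
    if set(msg) != set(schema) | {"t"}:
        raise ProtocolError("unexpected or missing fields")
    for field, ftype in schema.items():
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(msg[field], bool) or not isinstance(msg[field], ftype):
            raise ProtocolError("bad type for field %r" % field)
    return msg


class Session:
    """Server-side state for one connected client. The server, not the client,
    decides where the player is and what it is allowed to do."""

    def __init__(self, rng=None):
        self.rng = rng if rng is not None else random.Random()
        self.x = self.y = 0.0
        self.last_move_at = None
        self.violations = []
        self.close_at = None    # wall-clock time at which the socket will be dropped

    def handle(self, raw, now):
        """Process one inbound frame at time `now` (seconds). Returns "accepted",
        "rejected" (dropped silently; the client gets no error and no disconnect yet)
        or "closed" (the randomized delay has elapsed; drop the connection)."""
        if self.close_at is not None and now >= self.close_at:
            return "closed"
        try:
            self._apply(parse_message(raw), now)
        except ProtocolError as err:
            self._record_violation(str(err), now)
            return "rejected"
        return "accepted"

    def _apply(self, msg, now):
        if msg["t"] == "move":
            x, y = float(msg["x"]), float(msg["y"])
            if not (0.0 <= x <= MAP_W and 0.0 <= y <= MAP_H):
                raise ProtocolError("move out of bounds")
            if self.last_move_at is not None:
                # MIN_DT keeps a legitimate client that sends two moves in one tick
                # from being flagged; tune it against real client behaviour.
                dt = max(now - self.last_move_at, MIN_DT)
                if math.hypot(x - self.x, y - self.y) / dt > MAX_SPEED:
                    raise ProtocolError("impossible speed")
            self.x, self.y, self.last_move_at = x, y, now
        elif msg["t"] == "chat" and len(msg["text"]) > 200:
            raise ProtocolError("chat too long")

    def _record_violation(self, reason, now):
        self.violations.append((now, reason))
        if self.close_at is None:
            # Schedule the drop for a random moment in the future instead of closing
            # right away, so the offending frame cannot be identified by timing alone.
            self.close_at = now + self.rng.uniform(*DELAY_RANGE)


if __name__ == "__main__":
    s = Session(rng=random.Random(7))
    for raw, t in [('{"t":"move","x":2,"y":2}', 0.0),
                   ('{"t":"move","x":900,"y":900}', 1.0),   # a "teleport" a hacked client might send
                   ('{"t":"chat","text":"hello"}', 1.5)]:
        print(t, raw, "->", s.handle(raw, t))
    print("position:", (s.x, s.y), "violations:", s.violations, "drop at:", round(s.close_at, 2))
```

The rejected move never changes the server's idea of where the player is, and the client keeps getting normal service until the randomized deadline passes. The caveat from the post applies: if a buggy release of your own client trips these checks, every legitimate player hits the same delayed disconnect, so log the violation reason and watch the rate after each deployment.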
If you want to reverse engineer such a game you don't need any "packet sniffers", because to make such a game from scratch you don't even need to know what a packet is :D The most sophisticated thing you would ever need might be AJAX, and that's it...

I don't know, maybe they indeed had stolen their server code. But I wonder what for? How long would it take for a lone programmer to code something like Habbo Hotel (apart from gfx assets and assuming single server architecture only and ignoring code optimization)? A month? Two?
Assume you could obfuscate the code of your game perfectly and secure your server against hacking perfectly. Would it make any difference? How many clones of Travian or Ogame are there already? Hundreds?

The key problem is gfx, you can't easily create it from scratch. But also it is impossible to prevent the theft of it...

So, is it easier to protect the graphics? If they can't find the location of each of the images, then how else would they get the images? Can they pull them from the SWF?

In regards to programming this type of game, I've hired over 5 different programmers, and it's taken over a year now, and we still haven't got it completed. Each person I've hired has been a "professional" freelancer, so either I've hired the wrong people or it takes longer than you'd imagine.

2D graphics can be captured by simple screen-shots. 3D models are harder, but can also be done. As far as programmers go, did you hire the programmers sequentially? Starting from the work of a previous person is often difficult, especially as the project gets large.

I think it would be hard to capture each frame of everything happening without a bunch of players in the environment, etc. It started out sequentially because one programmer couldn't finish the job, then the next couldn't, then eventually we started from scratch and it's been worked on from that... But it's certainly taken a lot longer than a month and I was hiring who I believed to be professionals...

If somebody told you they were going to do a Flash-based MMO in a month then you should have run away. It took our team of eight nearly eight months of full-time work to get ours "done". And done is used rather loosely as new game features are being added by us and by requests from players.

The server and PHP you don't really need to worry about since players don't have direct access to them. If the server does get leaked then you should have some legal recourse as that kind of thing is generally covered in a contract. JavaScript I'm not sure there is really anything you can do about, since the entire code is downloaded to the client computer. SWF is more or less an open format so there is really nothing stopping somebody from decompiling unless you use some kind of SWF obfuscator. You aren't going to stop people from copying your game if they want to. What you can do is continually offer new items and areas so your game is better than any of the copies, and get a lawyer to craft a EULA that forbids reverse engineering so you can take legal action against people that do copy it. If the copy protection on a game like Assassin's Creed 2 is broken within hours (something that had hundreds of thousands of dollars invested in it) then something for a Flash MMO isn't going to stop a determined hacker. Worry more about spending the money to make the game fun.

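Two points in the thread, the question of whether the images can be pulled straight out of the SWF and the statement above that SWF is an open format anyone can decompile, come down to the same fact: the file is a documented sequence of tagged records, and bitmap art and compiled script each sit in tags of known type. The added example below, written for this page and not taken from the thread or from any game it mentions, walks that structure in Python using the record layout from the public SWF file-format specification (signature, version, length, stage RECT, frame rate, then tags with a 10-bit code and 6-bit or long length). It runs against a constructed sample file built in the same block, so the stage size, tag contents and the four-byte stand-in "JPEG" are assumptions made for the demonstration; a real game SWF would contain many more tag types than the subset named here.

```python
import struct
import zlib

# Tag codes from the published SWF file format specification (subset).
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 2: "DefineShape", 6: "DefineBits", 8: "JPEGTables",
    9: "SetBackgroundColor", 12: "DoAction", 20: "DefineBitsLossless",
    21: "DefineBitsJPEG2", 35: "DefineBitsJPEG3", 36: "DefineBitsLossless2",
    39: "DefineSprite", 69: "FileAttributes", 76: "SymbolClass", 82: "DoABC",
    90: "DefineBitsJPEG4",
}
IMAGE_TAGS = {6, 20, 21, 35, 36, 90}   # each starts with a UI16 character ID, then image data
CODE_TAGS = {12, 82}                   # ActionScript 1/2 bytecode and ActionScript 3 ABC blocks


def decompress_swf(data):
    """Undo the container compression and return (version, uncompressed body).
    'CWS' is plain zlib: a size optimisation, not protection."""
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled by this example")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != length:
        raise ValueError("header length does not match content")
    return version, body


def read_rect(body):
    """Decode the stage RECT at the start of the body: a 5-bit field width followed by
    four values of that many bits each (in twips, 1/20 px). Returns (values, byte offset)."""
    nbits = body[0] >> 3
    bitpos, values = 5, []
    for _ in range(4):
        v = 0
        for _ in range(nbits):
            v = (v << 1) | ((body[bitpos >> 3] >> (7 - (bitpos & 7))) & 1)
            bitpos += 1
        values.append(v)
    return values, (bitpos + 7) // 8


def iter_tags(body, pos):
    """Yield (code, payload) for every tag. Each record header is a UI16 holding a 10-bit
    code and a 6-bit length; length 0x3F means a UI32 long length follows."""
    while pos + 2 <= len(body):
        rec = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = rec >> 6, rec & 0x3F
        if length == 0x3F:
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload = body[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated tag")
        pos += length
        yield code, payload
        if code == 0:
            break


def inventory(data):
    """Summarise what a SWF contains: stage size, timeline, tag list, raw image payloads
    keyed by character ID, and whether it carries compiled script."""
    version, body = decompress_swf(data)
    rect, pos = read_rect(body)
    fps = struct.unpack_from("<H", body, pos)[0] / 256.0   # 8.8 fixed point
    frames = struct.unpack_from("<H", body, pos + 2)[0]
    tags, images, has_code = [], {}, False
    for code, payload in iter_tags(body, pos + 4):
        tags.append(TAG_NAMES.get(code, "Unknown(%d)" % code))
        if code in IMAGE_TAGS:
            images[struct.unpack_from("<H", payload)[0]] = payload[2:]
        if code in CODE_TAGS:
            has_code = True
    return {"version": version, "stage_px": (rect[1] // 20, rect[3] // 20), "fps": fps,
            "frames": frames, "tags": tags, "images": images, "has_code": has_code}


def _tag(code, payload):
    if len(payload) >= 0x3F:
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    return struct.pack("<H", (code << 6) | len(payload)) + payload


def build_sample_swf(compress=False):
    """Constructed sample, not a real game file: 550x400 stage at 24 fps, one frame,
    a JPEG-type image tag, a lossless image tag padded past 63 bytes to exercise the
    long header form, and a stub DoABC tag standing in for compiled ActionScript."""
    rect = bytes.fromhex("7800055f00000fa000")            # nbits=15, (0, 11000, 0, 8000) twips
    body = rect + struct.pack("<HH", 24 << 8, 1) + b"".join([
        _tag(69, bytes.fromhex("08000000")),                # FileAttributes: ActionScript3 flag
        _tag(9, bytes.fromhex("ffffff")),                   # SetBackgroundColor: white
        _tag(21, struct.pack("<H", 1) + bytes.fromhex("ffd8ffd9")),   # DefineBitsJPEG2, id 1
        _tag(20, struct.pack("<H", 2) + b"\x00" * 68),      # DefineBitsLossless, id 2
        _tag(82, struct.pack("<I", 1) + b"\x00"),           # DoABC: lazy-init flag, empty name
        _tag(1, b""), _tag(0, b""),                         # ShowFrame, End
    ])
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    for swf in (build_sample_swf(), build_sample_swf(compress=True)):
        inv = inventory(swf)
        print(swf[:3].decode(), inv["stage_px"], inv["fps"], "fps", inv["tags"])
        for cid, raw in inv["images"].items():
            print("  image character", cid, "->", len(raw), "bytes, starts", raw[:2].hex())
```

The compressed and uncompressed forms yield the same inventory, which is the practical answer to the question about the images: JPEG tags carry ordinary JPEG bytes after the character ID, lossless tags carry a zlib-compressed bitmap, and a decompiler takes the DoABC blocks back to readable ActionScript. An obfuscator can rename what is inside the script blocks; it cannot hide the art, because the player has to be able to render it.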
[quote name='PortGalaxy' timestamp='1298320973' post='4777197']
In regards to programming this type of game, I've hired over 5 different programmers, and it's taken over a year now, and we still haven't got it completed. Each person I've hired has been a "professional" freelancer, so either I've hired the wrong people or it takes longer than you'd imagine.
[/quote]
What kind of freelancers?

And if they are expected to be sole developer, then you are looking at senior/lead type of level which don't come cheap, unless you can adequately manage outsourced work with all the pitfalls it involves. The hourly rate is usually in 3 digits for this type of work. Outsourcing managers usually cost even more since they have to juggle a lot of risk.

Programming the rough skeleton from which one can iterate should not take more than two weeks full-time. This involves full vertical stack, deployed and testable with placeholders. Setting this up is almost certainly high-level work. Once such infrastructure is in place, incremental additions can be made where freelance work is more suitable.

One piece of advice when dealing with this type of work: agree on a completion date. Make sure each piece can be completed in a week. If it's not, walk away. Don't renegotiate, don't discuss, don't elaborate, don't reschedule, etc... Agree on one week of work and what will be completed. Make sure you both agree it's doable in a week. After this agreement is made, features can no longer be added, so unless something is a show stopper, the plan is not changed. If a show stopper is encountered it may be simpler to abandon the entire task and start from scratch.

This way you don't waste months on nothing. Less than a week is not viable since it leaves no room for variation. Changes and renegotiation on this type of work will devastate the project, so plan small, move fast and instantly kill anything that isn't working without thinking or sunk costs will kill the project.

Also, if hiring from various bargain sites, give first, simple and identical task to 5 people. After a week, pay them all, but choose the one that completed on time and closest to scope. Usually, finding one in five is quite hard. Perhaps repeat second time. Once you have one or two proven candidates, go with real work, but stick with weekly plans.

[quote]If somebody told you they were going to do a Flash-based MMO in a month then you should have run away. It took our team of eight nearly eight months of full-time work to get ours "done". And done is used rather loosely as new game features are being added by us and by requests from players.[/quote]
Eight months for completed project.

Without a full plan, arguing what is completed is pointless. A full plan means a Gantt chart of every feature broken down into sub-day tasks, assigned to a known pool of developers best matched for their specialty.

First, the two weeks, is scaffolding. One week for client, one week for server. It must not take that long, Flash provides everything. This gives you a working project where people can log in. It's not optimized, nice or good, but it's something touchable.

Then you go from there.

The biggest mistake that people make is that they work for 8 months without producing anything. See above. One year for nothing.

Very few projects are ever "completed" so rather than trying to do it right, move in small steps from day one.

One thing, especially when it comes to Flash, is that developers that start such projects simply have no understanding of what it takes. Implementing a server/client system is really not rocket science (Club Penguin, Zynga, etc...) as long as someone knows what they are doing. It cannot take months; we're talking days to a few weeks. Especially since at this point discussing scalability and similar without a robust market analysis (which simply doesn't exist) cannot be done. But using accepted best practices will get you results fast.

This is the proverbial difference between 10x or 100x productivity in programmers. Web development has gotten fairly standardized; professionals will set you up a store and everything in under a day. Your neighbor's kid who "knows computers" will take one week to cobble together a Django monstrosity.

The rest is then the details, content, etc., but that is not something programmers do. They will be improving on existing base to allow all of that to work.

You brought up Zynga, which reminds me that there are games similar to mine which haven't been copied. How do you think Zynga has prevented people from making copies of their games such as FarmVille, or YoVille?

[quote name='PortGalaxy' timestamp='1298401237' post='4777636']
You brought up Zynga, which reminds me that there are games similar to mine which haven't been copied. How do you think Zynga has prevented people from making copies of their games such as FarmVille, or YoVille?
[/quote]
They don't, they are the ones who [url="http://www.sfweekly.com/2010-09-08/news/farmvillains/?repost"]are doing the copying[/url]. Today they could probably just sue anyone trying to copy.

But Zynga's true value lies in data. They measure everything, every click, every crop grown and so on. The rest simply doesn't matter, it's having access to this data that allows development of products. They might as well be selling tomatoes. This is where value of the web lies.


Lesson to take away is - if someone wants to copy what you have, they'll just throw 5 million and 800 people at it.

[quote name='Antheus' timestamp='1298396907' post='4777599']
Eight months for completed project.

Without a full plan, arguing what is completed is pointless. A full plan means a Gantt chart of every feature broken down into sub-day tasks, assigned to a known pool of developers best matched for their specialty.

First, the two weeks, is scaffolding. One week for client, one week for server. It must not take that long, Flash provides everything. This gives you a working project where people can log in. It's not optimized, nice or good, but it's something touchable.

Then you go from there.

The biggest mistake that people make is that they work for 8 months without producing anything. See above. One year for nothing.

Very few projects are ever "completed" so rather than trying to do it right, move in small steps from day one.
[/quote]

"Done" for us is a game that is making quite a bit of money and more projects in the pipe than we know what to do with. Because of the nature of Facebook games you have to continually add new features or lose paying customers. So I don't think there are any truly "done" Facebook games (well, any that are interested in long-term profit).

To be honest, I don't think I've used a Gantt chart in my life. We kind of just wing things, which undoubtedly has added development time to our projects. But for the most part the team followed your general outline. A working client/server was completed very early in the project and then new features were done as vertical slices. For MMO stuff, agile/vertical slice type stuff is the way to go or you will just get bogged down in feature creep.

As for Zynga, once your company is worth multi hundreds of millions of dollars then siccing the lawyers on anything that steals your game is pretty trivial. Antheus already posted the link, but Zynga is well known for taking other game ideas and crunching the data to make the game sell lots of items. Data mining is the true key to the success of Zynga's games. Spending a bunch of money on advertising didn't hurt either.

While the type of piracy you are worried about happens, I don't think it's as big of a deal as you think it is. Private servers generally suck because there is nobody around and they don't have the latest features. To repeat my last post, make sure you protect yourself with a good EULA and worry more about making a fun game. People won't support your game just because it's there.

