Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[trog]

i am 100$ Monopoly Rich Beta

[Haxton Sale]

Good to know.

[MedO]

Hi everyone, and belated congratulations. You are all winners! Or something.

Sorry about the long delay in bringing the new rewards into the game, I promised that to Elkondo ages ago. As NAGN has already said, I started on a new job and have been pretty busy with that, but I'll take some time tomorrow to finally add your hard-earned shinies.

[Oktoberfest!]

Hi everyone, and belated congratulations. You are all winners! Or something.

Sorry about the long delay in bringing the new rewards into the game, I promised that to Elkondo ages ago. As NAGN has already said, I started on a new job and have been pretty busy with that, but I'll take some time tomorrow to finally add your hard-earned shinies.

Any hints as to what these shinies are?

[KORgibsSEXING]

 

Hi everyone, and belated congratulations. You are all winners! Or something.

Sorry about the long delay in bringing the new rewards into the game, I promised that to Elkondo ages ago. As NAGN has already said, I started on a new job and have been pretty busy with that, but I'll take some time tomorrow to finally add your hard-earned shinies.

[MedO]

I added the new sprites today, but didn't write the authentication system yet. The crypto fetishist in me insisted on developing a secure protocol this time to prevent people from stealing these rewards, since the old system was cracked in three independent ways (which is impressive, even though I knew the system wasn't secure).

That new protocol is worked out now (couldn't resist) and it's even relatively simple, but it would still be less effort to extend the old one. So what do you think? Should I continue with the old system where people can figure out the reward code with some minor effort (and possibly unlock reward levels they didn't earn), or implement the new one that is ridiculously secure? I should be able to finish either within the next week.

[Orpheon]

I added the new sprites today, but didn't write the authentication system yet. The crypto fetishist in me insisted on developing a secure protocol this time to prevent people from stealing these rewards, since the old system was cracked in three independent ways (which is impressive, even though I knew the system wasn't secure).

That new protocol is worked out now (couldn't resist) and it's even relatively simple, but it would still be less effort to extend the old one. So what do you think? Should I continue with the old system where people can figure out the reward code with some minor effort (and possibly unlock reward levels they didn't earn), or implement the new one that is ridiculously secure? I should be able to finish either within the next week.

Old system, and do something else instead.

:V


No honestly, I don't care. Just do the easier one. You're going to maintain it anyways.

[I_am_awesome]

I added the new sprites today, but didn't write the authentication system yet. The crypto fetishist in me insisted on developing a secure protocol this time to prevent people from stealing these rewards, since the old system was cracked in three independent ways (which is impressive, even though I knew the system wasn't secure).

That new protocol is worked out now (couldn't resist) and it's even relatively simple, but it would still be less effort to extend the old one. So what do you think? Should I continue with the old system where people can figure out the reward code with some minor effort (and possibly unlock reward levels they didn't earn), or implement the new one that is ridiculously secure? I should be able to finish either within the next week.

Well, nothing is uncrackable...

I honestly don't see how you can prevent moded servers from phishing the code from a winner if he joins.

[MedO]

I honestly don't see how you can prevent moded servers from phishing the code from a winner if he joins.

The new system uses a challenge/response protocol (this time, one that actually does something). The server sends a challenge code to the client, who uses a (personalized) secret key to create an answer that is only valid for this challenge code (and only for this server). Then the server verifies this answer by connecting to a simple python script running on ganggarrison.com, which has access to the secret master key. There are a few more things to it, but this should be enough to answer your question. The server can't phish the reply because it can't predict which challenge it will get from another server, and because the answer will not work for a server with a different IP.

[Dusty]

I honestly don't see how you can prevent moded servers from phishing the code from a winner if he joins.

The new system uses a challenge/response protocol (this time, one that actually does something). The server sends a challenge code to the client, who uses a (personalized) secret key to create an answer that is only valid for this challenge code (and only for this server). Then the server verifies this answer by connecting to a simple python script running on ganggarrison.com, which has access to the secret master key. There are a few more things to it, but this should be enough to answer your question. The server can't phish the reply because it can't predict which challenge it will get from another server, and because the answer will not work for a server with a different IP.

Sounds neat.
I'd like it.

[MedO]

Working on this today. Preliminary progress: Implemented hmac-md5 in GML (on top of our existing md5 script), which means that all the required crypto stuff is here now. Next step will be to get the server component working (which is just one page of Python), then I can add the actual authentication to the GG2 server code (which will be slightly more complicated again).

Edit: Server component is working, and I can already use it from GM.

[Haxton Sale]

I have sent a special PM to all the haxxy runner-ups (not the winners).
If you are a runner-up, and haven't received it, please notify me. If you're a 1st place winner and did receive it, please disregard the message.

[Haxton Sale]

To clarify, or rather to award better stuffmakers more, if you're a runner-up in multiple categories, you're eligible for multiple prizes, one per each win.
1st place winners do not apply here, again. You're all getting even bigger prize.

[MedO]

Aaand done. This took a bit longer than anticipated (3:30am here, but due to the switch to winter time 1.5 hours ago that's equivalent to 4:30am...), but everything seems to be working

In case anyone is interested, the commit with today's work is on Github.

[Haxton Sale]

In case anyone is interested, the commit with today's work is on Github.

I'm not seeing Q/C. Is this intentional?

Yeah, I forgot about them, but let's say it is.