Widget signing gadget (request)

[Caydr]

Yeah, you can definitely put an RSA module in the widget handler, but show me a mod maker that wants to generate a key pair and sign widgets...

If you're interested in code search for my post a while back on video, it makes md2 hashes and verifies via RSA.

I have no real clue what this means, but I'd be willing to do pretty much anything to prevent cheating. Generating a hash of each included widget's not a big deal, I already use programs to generate/verify hashes of downloads. I wouldn't mind doing that if there was engine-side verification support.

As everyone's so fond of reminding me, yes, it could be bypassed by compiling a custom Spring exe or hex editing the Spring exe, but these are both things that an average user won't have an easy time with. If compiling the Spring source is anything like I remember, it's a minefield hellmess to try and get all the required files and such...

Editing hex or binary is also not the simplest thing in the world.

[Nemo]

You only need one person competent enough to do it. After that people just click "download".

[lurker]

It does nothing for or against cheating. Instead of including every approved widget, you can have a system to sign widgets to put in spring folders. The only benefit is new widgets without a new AA release.

One person who's competent *and* thinks widespread cheating is a good thing.

[Andrej]

So what you want is basically this except in lua instead of python?:
http://www.mediafire.com/download.php?wxyrkrnon5o
./python genkeys.py (modmaker runs this, key_pub.txt gets included in mod)
./python sign.py widget.py (to allow a 'widget', whoever wrote it sends it to modmaker who runs sign xxx.py, sends the xxx.py_sig file back)
then
./python qqcheck.py (checks 'widget' signature, if it was modified fail)

I tried to make a lua version but ragequit halfway or we:
http://www.mediafire.com/download.php?ekznddtntuc
(notice this is a normal lua script not Spring-ready)
./lua5.1 sign.lua widget.lua
./lua5.1 qqcheck.lua
there is no genkeys.lua because i cant figure out how to do it QQ

HOW THE FUCK DO YOU PEOPLE MANAGE TO DO ANYTHING IN THIS SHITTY LANGUAGE

[Caydr]

Lua authors won't put up with that and if Lurker's summary was at all accurate it's useless as tits on a bull.

[REVENGE]

HOW THE FUCK DO YOU PEOPLE MANAGE TO DO ANYTHING IN THIS SHITTY LANGUAGE

Magic!

[lurker]

import ezPyCrypto as epc

You're blaming the language because it doesn't have a fancy lib you like? I already put together lua code for similar use, if anyone wants this poke me and I'll throw something together in 15 minutes.

[SpliFF]

You know this whole conversation is remarkably similar to the DRM debate. It won't work for the same reasons. Regardless of anything an official Spring release does, regardless even if it were closed-source, the game involves untrusted peer connections.

A "player" or "client" is simply an abstraction, a set of commands sent across a network. There is no possible way of guaranteeing that the remote end is a Spring client being controlled by a human. If the remote end was a god-like being made of pure energy absorbing the game data through the space-time continuum there would be no way of knowing. It could even be an official Spring client being controlled by an android, or more realistically, an AI with a virtual keyboard and screen interface, a rebuilt Spring or a network proxy/sniffer.

There is already macro software like AutoIT which is capable of sending key/mouse clicks to another program. Sniffing traffic is simple.

In truth the only protection your mod has against bots/automation is your ability to disconnect a player from the game. This means the responsibly falls on you to define cheating (as it applies to your mod only) and devise ever-smarter ways of detecting it. This could include:

* detecting player reactions to unseen units (indicating map hacks)
* detecting "inhuman" response/order times. Like giving two distinct orders simultaneously or 100 unique orders per second.

Obviously there is a high risk of mistakes, either missing cheats or penalising skillful humans. Either way an arms war develops with better cheats overcoming your protections.

One thing is for sure. If Spring ever went the "PunkBuster" approach and started running resident on my system with administrative privileges scanning memory, I'd never install it.

[Forboding Angel]

One thing is for sure. If Spring ever went the "PunkBuster" approach and started running resident on my system with administrative privileges scanning memory, I'd never install it.

That makes two of us. This whole fear of "Cheating" has gotten way out of control.

[Caydr]

That's cheater talk. If you're not cheating, what have you got to hide?

[REVENGE]

That's cheater talk. If you're not cheating, what have you got to hide?

Not really, PunkBuster is just fucking retarded.

Kind of like StarForce.

[CarRepairer]

That's cheater talk. If you're not cheating, what have you got to hide?

Not really, PunkBuster is just fucking retarded.

Kind of like StarForce.

This is proof that you're a punk. What have you got to hide?

[==Troy==]

Tbh. Lately I am only playing open source games, only because they do not have all of the DRM stuff, such as PB, or any other authentication.

It was always fairest way to decide if player cheats or not by spectating him and judging yourself (hoster/admin). Nothing else will work. Hey, I might want a cheat game on YOUR mod. And I doubt anyone will be able to do much about it.

[rant]
For the same reason I personally prefer hacked games, because installation of those doesnt take freaking hours and hours of typing in CD keys, phoning the company, having your PC scanned for all possible whoever knows whats and then get something that runs at 1 fps just because there is a resident process monitoring it so that it wont get hacked.

World is going insane enough already. Just google RIAA as a top example.

[/rant]

Please do not make anything more complicated than what we have now - white/black list of widgets. It clearly shows to the player if it is allowed to use that widget or not. Thats all. You should not go any further than that.

Simply because the more you try to restrict, the more incentive there is to break the locks. [rant] I would personally code the "cheat" client if this system will make me uncomfortable. [/rant]

[REVENGE]

That's cheater talk. If you're not cheating, what have you got to hide?

Not really, PunkBuster is just fucking retarded.

Kind of like StarForce.

This is proof that you're a punk. What have you got to hide?

My penis?

[Caydr]

Kind of hides itself, doesn't it?