Thread: Security...again

Security...again
2006-02-23 18:45:38

On 2/23/06, Dave Mennenoh <dmennenoh wi.rr.com> wrote:
>
> Here's what I do - in the PHP page, I include my key generator .php which
> creates the $key variable based on the current time. That is then placed as
> the sw9 parameter. When the game starts sw9 is read in - and then a
> validation script is called which generates a second key based on time. The
> value from sw9 and the second key are compared... if the same the game
> plays.
>
> I'm not getting something here - since you're deep linking to my php page,
> the code is being embedded into sw9 just as if it were on my server... where
> am I going wrong?

How often does the sw9 key change? Daily? If so, then someone CAN deep link
to your game. But as soon as the day changes, and the key changes with it,
then it won't work anymore. So they can deep link to it, test it to see it
works, and then it will stop working when the day changes because their sw9
tag is yesterday's key and your server returns today's key.

I actually like this. Because the pirate will be satisfied that they stole
your game and move on. The next day the game stops working but they usually
don't realize this for a long time. By the time they do, they don't remember
what they did to get your game, so they probably just remove the game page
and forget about it.

On the other hand, if they get immediate feedback that they can't deep link
to the game, then they may be tempted to try harder.

Also, don't put up a message like "This game has been stolen!" This just
will make them want to work harder to steal the game. Instead, no message
(redirect using gotoNetPage) or a message like "Error 897483475" makes them
think that they just broke the game somehow.

--
Gary Rosenzweig
CleverMedia
rosenz clevermedia.com
_______________________________________________
dirGames-L mailing list - dirGames-L nuttybar.drama.uga.edu
http://nuttybar.drama.uga.edu/mailman/listinfo/dirgames-l

Security...again
2006-02-23 19:48:39

Thursday, February 23, 2006, 6:45:38 PM, Gary wrote:

GR> On 2/23/06, Dave Mennenoh <dmennenoh wi.rr.com> wrote:
>>
>> I'm not getting something here - since you're deep linking to my php page,
>> the code is being embedded into sw9 just as if it were on my server... where
>> am I going wrong?

GR> How often does the sw9 key change? Daily? If so, then someone CAN deep link
GR> to your game. But as soon as the day changes, and the key changes with it,
GR> then it won't work anymore.

Most of the discussion so far has revolved around creating dynamically
changing keys which are embedded in the html. This works fine in most cases,
and protects against both the first and second option on my 'thief test'
page* (the first option being absolute urls, the second being relative urls
via the BASE tag). The third option on my test page however, uses a few
fairly simple regular expressions to extract ALL the object/embed tags from
the target page. It does this each time the page is requested, so the tags
(including the time-sensitive code) are always up to date and generate a
valid response from the security check script.

The way I protect against this is to include in the dynamically generated
code, the IP address of the remote user that requested the page. Then, when
the game reads this and passes it back to the security script for
confirmation, the IP is checked. These should match, however if the tags
have been dynamically 'ripped' from the source page, the server that ripped
the tags will have its own IP embedded in the dynamically generated security
code. When the game itself passes the code back however, the net request
originates from the IP of the player's machine. It is this difference in IP
addresses that allows you to detect if the object/embed tags have been
ripped.

* http://robotduck.net/dcrthief/

- Ben
_______________________
duck_at_robotduck.com
www.robotduck.com
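
The check described in the message above, sketched as an added example (not code from the thread or its authors). It is written in Python rather than the PHP the posters mention; the HMAC construction, `SECRET`, `WINDOW` and the function names are assumptions, since the thread only says the key is derived from the time and the requester's IP.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: server-side secret, never sent to the client
WINDOW = 300                           # assumption: key lifetime in seconds


def issue_key(client_ip: str, now: float) -> str:
    """Page handler: build the value embedded as the sw9 parameter."""
    window = int(now // WINDOW)
    msg = f"{client_ip}|{window}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def validate_key(key: str, request_ip: str, now: float) -> bool:
    """Validation script: request_ip is the address the game's call came from."""
    current = int(now // WINDOW)
    # Accept the current and the previous window so a page loaded just
    # before a rollover still validates.
    for window in (current, current - 1):
        msg = f"{request_ip}|{window}".encode()
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, key):
            return True
    return False


def demo() -> dict:
    t0 = 1_140_720_000.0                               # constructed timestamp
    player, scraper = "203.0.113.7", "198.51.100.20"   # documentation-range IPs
    own_page = issue_key(player, t0)   # player loaded the real page
    ripped = issue_key(scraper, t0)    # another server fetched the page and re-served the tags
    return {
        "own_page": validate_key(own_page, player, t0 + 30),
        "ripped_tags": validate_key(ripped, player, t0 + 30),
        "stale_copy": validate_key(own_page, player, t0 + 3 * WINDOW),
    }


if __name__ == "__main__":
    print(demo())
```

A visitor whose page request and game request reach the server from different addresses (for example through a rotating proxy pool) would also fail this check, so the failure path needs to account for that.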

Security...again
2006-02-23 20:50:39

On 2/23/06, Duck <duck robotduck.com> wrote:
>
> The third option on my test page however, uses a few fairly simple regular
> expressions to extract ALL the object/embed tags from the target page. It
> does this each time the page is requested, so the tags (including the
> time-sensitive code) are always up to date and generate a valid response
> from the security check script.

Wow. Is there some site actually doing this? Seems like a lot of work for
someone looking for "an easy way to get free games". Which site uses this
technique?

Seems that you can simply block the IP address of that server from accessing
anything on your site.

> The way I protect against this is to include in the dynamically generated
> code, the IP address of the remote user that requested the page.

So, basically, make sure that the IP requesting the .dcr is the same as the
IP requesting the page. Nice.

--
Gary Rosenzweig
CleverMedia
rosenz clevermedia.com

Security...again
2006-02-24 08:25:45

Duck wrote:
> The way I protect against this is to include in the dynamically generated
> code, the IP address of the remote user that requested the page. Then, when
> the game reads this and passes it back to the security script for
> confirmation, the IP is checked. These should match, however if the tags
> have been dynamically 'ripped' from the source page, the server that ripped
> the tags will have its own IP embedded in the dynamically generated security
> code. When the game itself passes the code back however, the net request
> originates from the IP of the player's machine. It is this difference in IP
> addresses that allows you to detect if the object/embed tags have been
> ripped.
>

Sweet.

Did you ever find someone doing this, or did you just want to beat them
to it?

Bye, Lucas

Security...again
2006-02-24 09:49:11

Thursday, February 23, 2006, 8:50:39 PM, Gary wrote:

GR> Wow. Is there some site actually doing this? Seems like a lot of work for
GR> someone looking for "an easy way to get free games".

No, I haven't actually seen this used "in the wild" yet, however considering
it was pretty trivial to set up, I think it's worth assuming it would emerge
soon as the prevalence of protecting against the base tag increases. While
smaller leech sites may give up at a low bar of difficulty, the larger sites
(which are the ones to worry about, in terms of bandwidth impact) seem to be
more determined as they obviously stand to profit a lot more from leeching
games. And if one of these sites *does* embed your game, you can very
quickly get a large bandwidth bill for the privilege of driving visitors to
their ads!

- Ben
_______________________
duck_at_robotduck.com
www.robotduck.com