How Mir Could STOP Hackings Forever


MrSam

Dedicated Member
May 31, 2005
Any online game could stop hackings really. I don't understand why none do.

This isn't something I'm suggesting to server owners (or something any of us could do) -- but it is on the subject of Mir, so I thought I'd post here.


There's two parts to it:

1) The Login Bit
Passwords that aren't lost through giving them away or typing them into a website etc (stuff you can't stop, but can avoid) are lost through keyloggers. These are the vast majority of hackings.

We could have an ID, a password, and a 4 digit pin that we click not type.

When the password field has been selected, also, the application could fire loads of random keypress events. It itself ignores any keypress events during the precise times that it's sending false keypress events. Very occasionally you might have to type one letter of ur password twice... not a big price to pay.

Then use encryption that encrypts packets based on the time of the event, the IP, or both, so even with a keysniffer replicating the exact packet flow, you couldn't get access.



This really wouldn't be hard to do. I could code a PHP version of this myself.



The Second Bit
Most people play on broadband. You should be able to set an option in your account to have access only for your IP (or PC serial code, or both).

Changing this option requires some additional verification that obviously you don't use on a day to day basis.




Maybe if we all emailed Mir/Wemade, they'd get something like this put in. Tired of pointless hackings.
 

Far

tsniffer
Staff member
Developer
May 19, 2003
for the login, i think a good idea would be to not input your whole password.

you get a random question. "please type in the first and third letters of your password". that way even if you are being keylogged, they can't do anything, and will never know which sequence the letters belong in the password.

it's what a lot of high security places do. if possible i think it would work well.
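
A server-side sketch of the partial-password prompt suggested in the post above, added here as an example and not code from the thread or from any Mir server. The class and method names, the per-position HMAC storage, the sticky challenge and the three-failure lockout are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: kept outside the account database
MAX_FAILURES = 3                      # assumption: lock the prompt after three misses
_rng = secrets.SystemRandom()


class PartialPasswordStore:
    """Hypothetical store that can check single letters of a password."""

    def __init__(self):
        self.accounts = {}  # user -> salt, per-position tags, pending positions, failures

    def _tag(self, salt, position, char):
        # One keyed digest per character position; a whole-password hash
        # cannot answer "is the third letter correct?".
        msg = salt + position.to_bytes(2, "big") + char.encode("utf-8")
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        tags = [self._tag(salt, i, c) for i, c in enumerate(password)]
        self.accounts[user] = {"salt": salt, "tags": tags, "pending": None, "failures": 0}

    def challenge(self, user, count=2):
        acct = self.accounts[user]
        # Sticky challenge: the same positions are asked until answered correctly.
        if acct["pending"] is None:
            acct["pending"] = sorted(_rng.sample(range(len(acct["tags"])), count))
        return [p + 1 for p in acct["pending"]]  # 1-based, as shown to the player

    def verify(self, user, letters):
        acct = self.accounts[user]
        if acct["failures"] >= MAX_FAILURES or acct["pending"] is None:
            return False
        ok = len(letters) == len(acct["pending"])
        if ok:
            for pos, ch in zip(acct["pending"], letters):
                expected = acct["tags"][pos]
                ok &= hmac.compare_digest(expected, self._tag(acct["salt"], pos, ch))
        if ok:
            acct["pending"], acct["failures"] = None, 0
        else:
            acct["failures"] += 1
        return ok
```

Keeping the same positions pending until they are answered correctly stops a client from re-requesting challenges until it is asked for letters it already knows. The per-position tags are only as safe as SERVER_KEY, since each one covers a single character.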
 

NickAKAVexus

Golden Oldie
Apr 16, 2005
New york
This would require online features which 1.4 and 1.9 don't have lol.. unless you made the accounts manually.

er if you mean for official games then ok my bad.
 

ipixel

Golden Oldie
Apr 11, 2005
Northern Ireland
with the ledu client, which the basic j mir 1.9 upgrade has atm, when you click the account and password box, you get a little on-screen keyboard to click the letters in case of keyloggers :)

doesnt mean us Judgement Mir server players are all cheaters btw, just that its only in basic 1.9 atm after being upgraded from 1.4

and sam you have some interesting ideas, there, im sure some clever scripting fella could figure it all out :)

and that IP idea is rather complex especially for some people whose IP changes every time they log on to their pc, unless (and there probably is) a way to detect this

sorry if i sounded stupid, but great ideas sam :)

/kud irl
 

MrSam

Dedicated Member
May 31, 2005
ipixel said:
sorry if i sounded stupid, but great ideas sam :)

/kud irl


Lol not at all, wot ur saying = true.


The IP thing... The packets cud be encrypted around this every time NP, but yeah a load of people change their IP every time.

The idea was that if you use broadband you could tell Mir to ask security questions for everyone who's from a different IP or something. Doesn't help dialup users, but even just helping 70% of people it's very worthwhile making an option.



Nothing anyone could do for Mir tho. Unless... *has idea*. I'm gonna write up my idea and post it a bit later... lol.
 

MrSam

Dedicated Member
May 31, 2005
Ok it's not perfect, but one little thing Mir ppl COULD do:

A script that fires on login:


It checks a flag to see if the player has turned this protection on or off. If it's off, it just exits, otherwise it asks the player to input a 4 digit code. (By clicking the numbers).


This is doable. I was going to code it myself (using a PHP loop to write it, making the repetition easier), but then I realised i cba. :P

Anyway, it gives you a minute to enter the correct code, otherwise teleport to 'hackroom' which basically requires a GM to get you out of. (Or entering correct code into an NPC there.)

If anyone can be bothered, it would be great if you only had to enter the number once per night? Rather than every time you lag out.




Anyway, if anyone wants to try and make the (long) NPC script. Here's a few things about how I would do it:

1) A variable keeps track of which number it is that's being entered.
2) Each of the 4 numbers requires 4 flags to store (obviously the numbers different to the ones i'm using):

[001] = Check if the number is between 1 and 4. (1 = yes)
[002] = Check if the number is between 5 and 8 (1 = yes)
[003] = Check if first half or second half. (0 = first)
[004] = Check if first quarter or second quarter. (0 = first)


Eg:
#IF
check [001] 1
check [003] 0
check [004] 0
#SAY
The number's 1.


For each thing, if the number is correct, increase the variable tracking which number you're looking for by one. Anything wrong just goes back to @entercode - so you enter and see same screen until you get it right. Obviously you don't do anything daft like say "First number correct, enter second number:" - lol.


This would be a pain in the ass, but some users would probably choose to have it on, because it is invulnerable to keyloggers.





Because I'm nice, here's how each number would look stored. The 4 numbers after the colon are the 4 flags. An x means that flag is irrelevant to that number and doesn't need checking.



1: 1,x,0,0
2: 1,x,0,1
3: 1,x,1,0
4: 1,x,1,1
5: 0,1,0,0
6: 0,1,0,1
7: 0,1,1,0
8: 0,1,1,1
9: 0,0,0,x
0: 0,0,1,x
 
Last edited:
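
The digit table in the post above, checked and turned into script blocks by a small generator (the post suggests writing the repetition with a loop). This is an added example, not code from the thread; the Python names are assumptions, and the flag numbers [001] to [004] and the #IF / check / #SAY form are taken from the post's own illustration.

```python
from itertools import product

# Digit table from the post: one character per flag [001]..[004];
# "x" means the flag is not checked for that digit.
FLAG_TABLE = {
    "1": "1x00", "2": "1x01", "3": "1x10", "4": "1x11",
    "5": "0100", "6": "0101", "7": "0110", "8": "0111",
    "9": "000x", "0": "001x",
}
FLAG_IDS = ["001", "002", "003", "004"]


def matches(pattern, flags):
    """True when every checked flag in the pattern equals the stored flag."""
    return all(p == "x" or p == f for p, f in zip(pattern, flags))


def decode(flags):
    """Return the single digit whose pattern matches a 4-character flag string."""
    hits = [digit for digit, pat in FLAG_TABLE.items() if matches(pat, flags)]
    if len(hits) != 1:
        raise ValueError(f"flags {flags!r} match {hits}, expected exactly one digit")
    return hits[0]


def coverage():
    """Decode all 16 flag states; raises if any state is ambiguous or unmapped."""
    states = ("".join(bits) for bits in product("01", repeat=4))
    return {state: decode(state) for state in states}


def npc_block(digit):
    """Emit the #IF / check lines for one digit in the form the post shows."""
    lines = ["#IF"]
    for flag_id, value in zip(FLAG_IDS, FLAG_TABLE[digit]):
        if value != "x":  # skip flags the table marks as irrelevant
            lines.append(f"check [{flag_id}] {value}")
    lines += ["#SAY", f"The number's {digit}."]
    return "\n".join(lines)


if __name__ == "__main__":
    print(len(coverage()), "flag states decode to exactly one digit each")
    print(npc_block("1"))
```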

LeoCrasher

Former Administrator
VIP
Mar 23, 2003
::1
What you suggest is do-able MrSam (I've sketched it all out before), and a heck of a lot easier than you've planned. However the problem I always have when developing an application is usage. From experience, I would say such a system would require at least a little intelligence to operate, which coincidentally is something I believe a lot of serverteams lack.

Yes you can play with the GUI to make it toddler friendly, but believe it or not someone will still get confused. It's hard to make powerful applications that any joe-blogg can operate, while still maintaining security and efficiency. Why should I/we pour much time into testing and development, if the potential usage is so small?

Personally, I'd only develop said system if at least 4 servers that have been up 3weeks+ ASKED for the system. Now if only I could get rid of this headache so I could sleep ><

/Leo
 

Martyn

Smir.co.uk
Staff member
Administrator
Mar 24, 2003
Kent - UK
in the ledu client thingy? it has a password pop up bit (when you go to type in your password), to hide your password from keyloggers.. isn't there any way to get that to pop up to enter the password.. therefore.. password can be anything you see on your keyboard... even caps.. making it a lot harder for any hacker...

maybe using a system ID.. every PC has its own ID * of course *..

maybe find a way to register using that... therefore only that account / PC can connect to that account??
 

Atomicide

Golden Oldie
Jul 4, 2003
Awesome ideas for once, i can see these having a "long term solution" effect, but as much as i would like i don't think any idea is ever completely failsafe. Even with all these measures in place there will still be people who use "Apple" as their password, and will get hacked by a Cracking Program. Jonny Age 5 (real age 17 but on AOL) will still have a secret Q&A which is "whats my favourite colour LOL"

and so on. It's a shame the intelligent plans only protect the intelligent minority, who can more or less already protect themselves. but Point for the awesome ideas.
 

Ripman

LOMCN Developer
Developer
Jul 22, 2003
Romania, Timisoara
if ur smart enough don't accept exe's from internet, scan ur pc every day for viruses and u will be never hacked.
is simple.
 

MrSam

Dedicated Member
May 31, 2005
The original suggestions were obviously never intended to be within the reach of server owners, they're just how game dev companies could do it.


But the other thing (I, and indeed, Leo, can't have been the only people to think of it) could be done.

Forgot to mention, make the 'hackroom' or whatever you call it 1 space big, so nobody can trade in it.
 
Mar 23, 2003
Cairo Orbital Defence Platform
Sorry, but all those ideas will do is boost development costs and be broken shockingly fast.

Your 'pin grid' will have a handle. My 'mouselogger' gets the bounds of the grid, and the buttons, and then intercepts the mouseclicks, recording the position.

That's the ENTIRE idea of virtual keyboards gone.

Now for the next one. The 'unique' encryption. Reverse engineering solves this problem rather quickly. In fact, with a careful bit of debugging, you can fool your client into believing it's somewhere else. Not really that hard a feat.

As for the IP thing, that's totally insane. Most UK/European ISPs do not provide a static IP these days. It's FAR too expensive to do so.

--

There's only one way to stop pointless mir hackings - blacklist the idiots who download keyloggers and those that use weak passwords.

Simply by enforcing strong passwords, you would get a far better effect than all of these exotic protections.
 

LeoCrasher

Former Administrator
VIP
Mar 23, 2003
::1
The idea I've always had is that each PC is given a unique generated code, and that code is associated with one account. The code would still be able to be reverse engineered yes, but then there is still the problem of working out which account and password belongs to the code. Also when that's finally done, if a user becomes a problem, all the company need do is blacklist the gencode of the machine so they need not worry about that user in future.

Sticking an exotic password on the account would help too, but face it. If they're smart enough to reverse engineer an encrypted unique code (and transmit it from their own location), they should be smart enough to find the username and pass.

/Leo
 
Mar 23, 2003
Cairo Orbital Defence Platform
LeoCrasher said:
The idea I've always had is that each PC is given a unique generated code, and that code is associated with one account. The code would still be able to be reverse engineered yes, but then there is still the problem of working out which account and password belongs to the code. Also when that's finally done, if a user becomes a problem, all the company need do is blacklist the gencode of the machine so they need not worry about that user in future.

Sticking an exotic password on the account would help too, but face it. If they're smart enough to reverse engineer an encrypted unique code (and transmit it from their own location), they should be smart enough to find the username and pass.

/Leo

Aside from the small issue of a non-standard BIOS, which would render a system such as that completely useless.

New, open-source BIOSes allow you to use Windows 2000 these days, and so all of my previously mentioned tools will still work.

And then you just capture the packets from that client, to see their gencode. You reverse-engineer the algorithm that generates the code, and use OpenFirmware (or equivalent), and bang, that one is gone too.

--

I'll stick with what i said. The best defense is common sense. A complicated password and an up-to-date virus scanner work wonders in stopping 'trivial' hackings.
 

MrSam

Dedicated Member
May 31, 2005
Lol.

Because something can be beaten by a VERY good specifically made worm doesn't mean it's not worth doing. 99% of hackings are by script kiddies who get out of the box keyloggers. (Sometimes literally using commercial keyloggers.)

Something like this may eventually be hacked (whatever you do) by some uber cracker, but it would stop 99% of current stuff.


Obviously I don't know much about it tho. Just seems like people could do so much more.


The we'll-never-beat-it-totally-so-why-stop-it-at-all attitude doesn't make much sense to me. You're never going to stop anything totally, it's still worth trying. Why have condoms at all if there are still some instances of unwanted pregnancies, etc?


As for the Mir code-thing - it might be worth trying on some servers. I'd put it on mine if I had one (as an optional thing). It would stop quite a lot of the worms people use.
 

MrSam

Dedicated Member
May 31, 2005
Just to re-enter this theoretical anti-hacking discussion tho:

Encryption with a key is generally quite hard to crack? Ie. Even if you have the source code you still need that number which it's all based off.

Although I suppose someone could always obtain that key if it's locally stored. We're getting into some very complex specialist programs here though...


Encrypted packets too. :P
 

LeoCrasher

Former Administrator
VIP
Mar 23, 2003
::1
@Auron: I never mentioned anything to do with a BIOS, so I'm not sure where you've picked that up from. My idea for a gencode would come about from a combination of different sources which allow the system to be uniquely identified. Yes it's not completely crack proof, but it stops the little people from getting anywhere. I would have thought that the majority of 'hackings' were from the unprofessional type, and these are not hard to protect against. I stick by my thought that a single account associated to one unique machine is a lot safer (and a lot less accessible/usable) than simply a username and password.

@Sam: The ideas are there, the people that can make it are here. However the serverteams with the capability to operate it are not.

/Leo
 

Demix

LOMCN Veteran
Veteran
Apr 13, 2005
Watford, England
Thing is everyone's talking like most of the hackers know what they're doing... 3/4 of them probably don't have a clue.. they just have keyloggers etc