Sierra shutting down master servers


Comments

  • that's a given though, right?
    lol
  • I'm learning the basics of C++... I'm enjoying it thus far... now how do I pull tacks from my eyes when I'm done?

    (some fun creational editing... thanks for being a good sport Mike... what... Michael Bloomberg just edited law and gets a third term as Emperor of NYC!)

    Seriously though... Thyth... I missed it, I know... where on the client side are the XML communications needed or used... or is that for it to talk across the internet?
  • Ehh, C++ isn't that bad to be honest with you. :)
  • Assembly ftw!
  • Yeah, Assembly isn't bad at all either. I'm looking into mod development or taking advantage of the Crystal Space engine.
  • Ehh, C++ isn't that bad to be honest with you. :)
    But anything you can do in C++, you can do faster and more efficiently in C :)
  • I wonder how Thyth is doing... I'm eagerly awaiting this patch but... unless all T2 players agree universally to Thyth's patch... I can't help but wonder if it's going to be noticed. That said, I'll help spread the word any way I can.
  • I can't help but wonder if it's going to get noticed.
    Of course it will!
    Together we'll spread the word :) (Not MSWord)
  • I have a group of people already preparing to announce Thyth's solution once it's released.
  • My server (and a few others I'm sure) will run exclusively on Thyth's new solution. I'm sure it will be more than noticed.
  • OpenDHT doesn't meet my expectations for reliability (somewhere in the order of 90% failure rates for queries), so I'm making the decision to dump interfacing to it. Krash will provide a set of server side scripts for those purposes, essentially identical to the ones we've used before, but with an auth-server and auto-update lookup that I'll be able to move around as necessary.

    I'll dedicate a few hours to polishing UIs tomorrow.
  • Hey, I looked on the download section of the TribesNext website and it says you can download it already. Is it for real?
    nvm, I tried downloading it and it just takes me to a blank page...
    Does this mean you guys are close?
  • Hey, I looked on the download section of the TribesNext website and it says you can download it already. Is it for real?
    nvm, I tried downloading it and it just takes me to a blank page...
    Does this mean you guys are close?

    Whoops, sorry, you weren't supposed to get linked to the downloads page yet. Was just working on putting some forums together for it and forgot to remove it on the live page.
    It should be coming along soon enough, though. :heart:
  • the download was just a link to nothing anyway, why remove it? lol
  • I hope you guys have a "lite" installer that does the necessary modifications to 25834 and doesn't require a complete download of a 500MB+ file.
  • it won't require it, but the option of the fully updated version is there in any case

    EDIT: Krash should sticky this as people seem very keen to know what's going on (seemingly checking back every day or so)
  • guys, I found this gem confirming they have not been told a thing... I'll lurk their forums until they do, but I doubt it http://rftribes.com/forums/index.php/topic,119.0.html
  • they have heard of this thread but it skips to page 15 where Elec previously disproved his system... something really was up after all http://rftribes.com/forums/index.php/topic,122.0.html
  • Thyth,

    How are you preventing active MITM attacks? If I run a rogue server that pretends to authenticate clients, but actually passes messages back and forth between a rogue client connecting to a different server, how will you detect this?

    Although it'd be difficult to impersonate a specific person with this kind of attack, it may be possible to authenticate as whatever random user you can trick into connecting to your rogue server -- and that's all one of the asshole griefers who've been boring us since the auth servers went down would need.

    This is the only attack I haven't been able to prevent to my satisfaction with a pure TorqueScript auth implementation, and it's still a tricky problem to solve if you involve crypto.
  • I hope you guys have a "lite" installer that does the necessary modifications to 25834 and doesn't require a complete download of a 500MB+ file.

    25034*

    Yep, the main file that will be released is just a patch. The files that it adds are all our own work, and the patch will make the necessary changes to existing files on the end user.

    After it's out, I will be putting together a full installer package with some additional content that runs the patch, but that won't be up right away.


    @Rain: Have you viewed this diagram?
  • Surprise, surprise, warlovr has become a popular name choice for cheaters on no-login servers. Grrrr....

    Any chance of devising a system to reserve warrior names and GUIDs?

    Wouldn't be the end of the world if many of us lose our warrior names, but it'd sure be nice if I didn't have to ban warlovr from Rebels servers when the auth server comes on line.

    Whatever.

    Thanks again for all your efforts on behalf of T2!
  • they have heard of this thread but it skips to page 15 where Elec previously disproved his system... something really was up after all http://rftribes.com/forums/index.php/topic,122.0.html
    NO, this is wrong. He told us to start reading from page 10 in a massive email he sent to everyone that was registered at the forums. Want me to post his email on here just so you don't think I'm making stuff up?
    How do you think I was pointed to these forums...?
    I saw how Thyth disproved his drawing that he made up in 10 mins... do you really think he worked out all the kinks of the system in a 10-minute drawing...?
    You guys took that drawing like it was a blueprint of his system when it really wasn't; it was just something he made so he could give a better understanding of his argument, which you guys didn't even give a chance. All he is trying to do is make sure that Thyth doesn't get in trouble for doing what he's doing. Check out all his posts on rftribes and you'll understand all he's trying to do, especially the one that Admin put up explaining it in normal English so you knuckleheads can understand.
  • Thyth,

    How are you preventing active MITM attacks? If I run a rogue server that pretends to authenticate clients, but actually passes messages back and forth between a rogue client connecting to a different server, how will you detect this?

    Although it'd be difficult to impersonate a specific person with this kind of attack, it may be possible to authenticate as whatever random user you can trick into connecting to your rogue server -- and that's all one of the asshole griefers who've been boring us since the auth servers went down would need.

    Please take a look at the crypto diagram that I posted, and that Krash has linked in his post above mine. In a sentence: it is not an issue with my design.

    It is critical to note that the game servers never communicate with the authentication server. The modified executable includes a hard-coded RSA public key for the authentication server, and this public key half can be used to verify an authentication server signature on an account. It is, for all practical purposes, impossible to generate an account certificate without knowing the one authentication server's private key. If a game server attempts to verify the client-provided certificate and it finds a mismatch, the connection attempt is terminated (see step 8 of the diagram).

    Secondly, the owner of an account never sends their private key anywhere, and as a result, only the owner of an account can decrypt a message sent encrypted to that account (see step 10 of the diagram).

    I have the game servers issue a challenge where half is randomly generated on the client side, and half is randomly generated on the server side. The server encrypts this challenge with the account owner's public key (which is inside the auth server's signed certificate). The server expects its half of the random challenge to be sent back by the client (step 11).

    Since each challenge is used only one time, and it includes a random component from the client, it is impractical for a rogue server to make any malicious use of a stored challenge result. The rogue server would need to build up all 2^128 possible challenge/response pairs, which would require more energy than boiling the oceans.

    Here are all possible attacks, their complexity, and roughly how much time a high end computer would require to complete:
    1) Generate a valid account certificate containing arbitrary data by factoring the authentication server's auth_n and generating auth_d.
    - This would require approximately 2^4095 operations in naive factoring. The fastest known method (general number field sieve) would require all of the computational capabilities of all computers on Earth for thousands of years to accomplish.
    2) Generate a valid account certificate by generating random RSA keys and performing a targeted collision attack against SHA-1.
    - This would require approximately 2^160 random RSA key generations. Assuming you can do 3000 of these operations per second, you are looking at about 1.58 × 10^37 years to find your targeted collision.
    3) Determine a player's private exponent (player_d) by factoring player_n.
    - Accounts will be 512 bits to 1024 bits in size, depending on what the player chooses during account creation. 512 bits does fall into the range of unsafe key lengths, since it is within the reach of a high-end home cluster and a few months of computation. RSA-768 on the same type of cluster would require over a decade. You can forget about cracking RSA-1024 in less than two centuries on the same sort of cluster.
    4) Use a malicious server to collect challenge/response pairs for a player.
    - Challenges are up to the player's key length in bits (128 bytes for RSA-1024), with responses of 64 bits (8 bytes). There are a maximum of 2^128 possible challenges, so you would require 136*(2^128) bytes to store all of those possibilities. That comes to somewhere in the order of 40140115104391984316416 EB of data storage. You would also need the player to connect to your server more than 2^128 times to collect the data (other attacks are more practical).

    Once the numbers are big enough, anyone who thinks they will be successful in these attacks is nuts.
    This is the only attack I haven't been able to prevent to my satisfaction with a pure TorqueScript auth implementation, and it's still a tricky problem to solve if you involve crypto.
    And that is why I'm not using a pure TorqueScript auth implementation. It isn't possible to do it with this level of security, since it isn't possible to implement asymmetric crypto in TorqueScript.
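The exchange that the question above asks about and the reply describes (auth-server-signed account certificate checked by the game server at step 8, then a two-half random challenge encrypted to the player's key at step 11), as an added, runnable example. This is not Thyth's or TribesNext's code: it is a stdlib-only Python simulation that assumes textbook RSA over a SHA-1 digest with no padding and 512-bit keys so the flow stays readable, and the names `AUTH_PUB`, `issue_certificate`, `authenticate` and the sample player name are this example's own. It also plays out the four attack cases the post lists against the simulated protocol (forged certificate, missing player private key, replayed challenge/response).

```python
# Added example, not TribesNext's code: stdlib-only simulation of the flow
# described above (cert check, step 8; challenge/response, step 11). Assumed
# simplifications: textbook RSA over a SHA-1 digest, no padding, 512-bit keys.
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):  # Miller-Rabin
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):  # returns ((n, e), d); 512 bits only to keep the demo fast
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:
            return (n, e), pow(e, -1, phi)

def _digest(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")
def sign(data, d, n):
    return pow(_digest(data), d, n)
def verify(data, sig, pub):
    return pow(sig, pub[1], pub[0]) == _digest(data)

# Only the auth server holds AUTH_D; AUTH_PUB stands in for the hard-coded key in the patched exe.
AUTH_PUB, AUTH_D = rsa_keygen()

def issue_certificate(name, player_pub):
    """Auth server: sign (name, player_n, player_e)."""
    body = f"{name}|{player_pub[0]:x}|{player_pub[1]:x}".encode()
    return body, sign(body, AUTH_D, AUTH_PUB[0])

def parse_certificate(body):
    name, n_hex, e_hex = body.decode().split("|")
    return name, (int(n_hex, 16), int(e_hex, 16))

def server_make_challenge(client_half, player_pub):
    """Game server: client half || fresh server half, encrypted to the player key."""
    server_half = secrets.randbits(64)
    return server_half, pow((client_half << 64) | server_half, player_pub[1], player_pub[0])

def client_answer_challenge(enc, client_half, player_d, player_n):
    """Client: decrypt with player_d, insist its own half came back, return the server half."""
    challenge = pow(enc, player_d, player_n)
    if challenge >> 64 != client_half:
        return None
    return challenge & ((1 << 64) - 1)

def authenticate(cert_body, cert_sig, client):
    """Game server side of a connect; client(enc, client_half) plays the other end."""
    if not verify(cert_body, cert_sig, AUTH_PUB):
        return False                                 # step 8: drop the connection
    _, player_pub = parse_certificate(cert_body)
    client_half = secrets.randbits(64)               # supplied by the client in the real flow
    server_half, enc = server_make_challenge(client_half, player_pub)
    return client(enc, client_half) == server_half   # step 11

def demo():
    player_pub, player_d = rsa_keygen()
    body, sig = issue_certificate("warlovr", player_pub)   # constructed sample account
    honest = lambda enc, half: client_answer_challenge(enc, half, player_d, player_pub[0])
    # Attacks 1/2: same name under the attacker's own key, but no auth_d to sign it.
    atk_pub, atk_d = rsa_keygen()
    forged = f"warlovr|{atk_pub[0]:x}|{atk_pub[1]:x}".encode()
    forged_sig = sign(forged, atk_d, atk_pub[0])
    # Attack 3: the genuine (public) certificate, but no player_d to open the challenge.
    no_key = lambda enc, half: client_answer_challenge(enc, half, atk_d, player_pub[0])
    # Attack 4: a rogue server records one challenge/response from the victim and replays it.
    rogue_half = secrets.randbits(64)
    _, rogue_enc = server_make_challenge(rogue_half, player_pub)
    recorded = honest(rogue_enc, rogue_half)
    replay = lambda enc, half: recorded
    return {"honest": authenticate(body, sig, honest),
            "forged_cert": authenticate(forged, forged_sig, honest),
            "no_private_key": authenticate(body, sig, no_key),
            "replay": authenticate(body, sig, replay)}
```

Running `demo()` returns `{"honest": True, "forged_cert": False, "no_private_key": False, "replay": False}`. The client-side check in `client_answer_challenge` is the part a relay-style rogue server has to contend with: the player only answers a challenge that echoes the random half it generated for this connection, so a pair recorded from an earlier session is useless against a server that picks a fresh half. Real deployments would use padded RSA (OAEP/PSS) and a modern hash rather than raw SHA-1 textbook RSA.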
  • What if I have a quantum computer?
  • NO, this is wrong. He told us to start reading from page 10 in a massive email he sent to everyone that was registered at the forums. Want me to post his email on here just so you don't think I'm making stuff up?
    How do you think I was pointed to these forums...?
    I saw how Thyth disproved his drawing that he made up in 10 mins... do you really think he worked out all the kinks of the system in a 10-minute drawing...?
    You guys took that drawing like it was a blueprint of his system when it really wasn't; it was just something he made so he could give a better understanding of his argument, which you guys didn't even give a chance. All he is trying to do is make sure that Thyth doesn't get in trouble for doing what he's doing. Check out all his posts on rftribes and you'll understand all he's trying to do, especially the one that Admin put up explaining it in normal English so you knuckleheads can understand.

    Don't lie, that address targeted page 15... why don't you try that link out and get back to me?
  • ooo interesting, turns out we were both wrong lol. pp isn't the page number, it seems; it links to page 3, but in any event why not just page one?
  • Ok guys, I thought this was over with on your turf. So you found me. Drag me into a conversation I bowed out of on your turf. I was letting people I know read my results in relation to further considerations. Even when I feel the need to reflect upon what I feel is the ways are going, someone would need to obviously find my stuff to review my thoughts..... But please notice that I ditched out on your turf other than some fun conversations and stayed polite.

    Yet as for the system… in relation to MITM situations, I feel it can be mitigated using clear text. So long as the “knowns” are shared between client, server and auth, and some salted “unknowns” are included and authed as well, designed to time out, thus requiring a re-login if not used in a certain amount of time. I have seen this used in RSA methodologies too (cards and key-chains?). And improvements will be factored in over time using Agile-type methodology on Vent or TS-type Scrum sprints.

    That little diagram I posted, was not the end all, it was a quick and dirty and I did it to start asking certain questions and to answer some questions. I stated it had flaws and was not complete. I also stated that I needed people to help on the T2 scripting side as it is not my forte.

    As for my consideration, I know it can work. And the idea is to post ONLY T2 script for a game server and a game client. The login server is of course proprietary. Even then, by viewing the by-products of my system you will be able to peer into the script and initial token all day long. No problem. I simply do not feel comfortable packing copyrighted executables or dynamic link libraries, no matter if it is packed to inject info or to point to new code. Nor am I comfortable posting executables I am unsure of in some situations… that is my choice. Although I doubt virus signatures will be inadvertently made, some people (not all) have been known to put payloads in executables (I’m sure others are more comfortable in their integrity than to feel I am accusing anyone). Using T2 script a person may peer into it with Notepad. But (sorry, again) back to the laws: for each that exists, there are others, and more lawyers. I feel my idea sticks more to the accepted modding methodology. And, personal feeling again, I feel that packing or replacing compiled, copyrighted works is like taking a person’s car, painting it, and giving it to others because to sell it is illegal and the rest of the acts will never be approached by owners because no money changed hands, versus borrowing it as was agreed upon.

    So until then, I posted a no-login server for people to play on, believing in the good of people to remain honest for a bit, and not justify hacking or faking as others as ethical.

    Finally, in the time it took me to write, Thyth posted a long one I did not fully read. I will at some point. But, WarLovR made a good point in a FINAL system… a community can work to ensure people stay who they are… on this system. That is one of the main goals, even if I have not described EVERYTHING… Thyth, you build your system and I will build mine with help from others. Why not? The more the better and while I will no doubt be second to the world, people could vote with their usage. I would just hope that, like the browser wars, innocent players don’t have code from one system disabled by another. Loading two copies for two systems would not be fair. I doubt this to be the case, although unless agreed upon, game servers would have to commit.
  • uh... I might have started something again >_<
  • Hehe... not really... though I did have a few points of clarification of my earlier thoughts... i feel i will do well with others, as will thyth... ;)
  • Hehe... not really... though I did have a few points of clarification of my earlier thoughts... i feel i will do well with others, as will thyth... ;)

    good to hear... one of the reasons I came here was to try and keep the peace, but thanks to such huge-ass posts... I can't =/ Anyhow, I hope you do well with the others, but in some ways people here might be a bit off of you; we know Elec has tonnes of experience and we have faith in him. I think it was the fact that some of the posts you made were faith crushers that started it off, even though you had the best interest at heart. For that I'm sure that we thank you, but please consider some of the effects of what you say.

    EDIT: not because I or the others don't want you to have your say, but more because it's an issue in terms of the manner of said things. I can't provide evidence of you causing upset; different people react differently all the time... and in any event I think it'd be a push to get 6 billion possibilities LOL ;)