Technical Note 2014.02.27 - No more stars and changes in groups
#16
This is actually a little "problem" in any forum but it will always be so.
Me as an example, I visit the forum every day and read almost all threads, but I don't post so much. Only when I think my input is useful or on an interesting discussion.

Sometimes it is better if a few players report than if many players report (too) much ;-)
Reply
#17
(04-03-2014, 12:21 PM)TopperHarley Wrote: Sometimes it is better if a few players report than if many players report (too) much ;-)

Yea, like for Rasmus it saves a lot of stress I think. Because the bugs come not all at once and he can reply to them and fix them with the person that noticed the bug.
Pyramid of Live
Reply
#18
I'm thinking that adding achievements in the game wouldn't really be that much of a security risk when it gets ported over to Steam. I'm not 100% sure how the interactions occur for games on there which have achievements, but I would assume that Steam developers and admins are responsible for maintaining that system. They may even have an API for signaling their system, so while the game itself would require a database, or maybe just a flat file that gets updated by the game say after you clear 1000 gold nodes [Gold Digger lvl 1] that flags that achievement as cleared. Then the game could update that on Steam's side for public viewing. Again, not sure how they work at Steam for this, but I don't really see this as a major issue.
Reply
#19
Yea, Steam could solve our problem and what's more could help us with integrating players with the forum even if they haven't registered or been on the forum.

Here: http://classic.battle.net/war3/ladder/w3...ame=a1m80t you have an example of how Blizzard is storing player stats (it's a ladder actually) from the game and presenting these stats on their website.

Well, I see a similar system that we could use in Dwelvers, and we could use the Steam Web API if we used Steam, but if we don't have the game on Steam, the idea of how my idea could work is the same:

- There is one safe server and one and only database on it which contains everything - user personal data (if we have our own shop / Steam shop) and user data from the game (multiplayer) and its achievements and forum data and its achievements (so the user could store their Social Achievements and Game Achievements together in one database) - for everything you have only one account (Dwelvers Game account / Steam account) - and you use that same one account in the game, on the forum, everywhere an account is needed.

- The only way to register on the forum is signing into it through the Dwelvers Game account / Steam account; if someone has a Dwelvers Game account / Steam account already, he/she could just log in to the forum without any additional registration. Automatically when you register through the Dwelvers Game account / Steam account you have access to the Dwelvers forum - doesn't matter if you buy a copy of Dwelvers or not.

- If the Steam forum were fully customizable we could even make the Steam forum the one and only, but I don't know if it's possible...let's say it's not, so we can do it with our Dwelvers Game account. What to do? Make a script that could show our achievements gathered on the forum and from the game (and that these are stored in that one database mentioned earlier) in the user's profile, and also specific images of achievements under their avatar.

If security is the problem we need to learn how to manage to make everything secured.
Spec: Win 10, ATI 7800 HD, res: 1280x1024x75. I support The Venus Project & Resource-Based Economy
Reply
#20
I think this will be easier to determine once we nail down what will be the achievements here. I think the game can wait until a later time and should really be a different topic altogether, and like I was saying since this is going to Steam at some point, that may be the best time to discuss game achievements.

As far as forum achievements, I think you laid out a pretty decent outline to follow from Sebt, and really they are going to be a mix of things that can and can't be scripted from a web server perspective. I would like to put together a full outline on this myself if I can get the time to. I'm thinking of something in an image instead of just text on the forum post which can be difficult to follow or read if too long.
Reply
#21
(04-03-2014, 07:45 PM)Sebt Wrote: Yea, Steam could solve our problem and what's more could help us with integrating players with the forum even if they haven't registered or been on the forum.

Here: http://classic.battle.net/war3/ladder/w3...ame=a1m80t you have an example of how Blizzard is storing player stats (it's a ladder actually) from the game and presenting these stats on their website.

Well, I see a similar system that we could use in Dwelvers, and we could use the Steam Web API if we used Steam, but if we don't have the game on Steam, the idea of how my idea could work is the same:

- There is one safe server and one and only database on it which contains everything - user personal data (if we have our own shop / Steam shop) and user data from the game (multiplayer) and its achievements and forum data and its achievements (so the user could store their Social Achievements and Game Achievements together in one database) - for everything you have only one account (Dwelvers Game account / Steam account) - and you use that same one account in the game, on the forum, everywhere an account is needed.

- The only way to register on the forum is signing into it through the Dwelvers Game account / Steam account; if someone has a Dwelvers Game account / Steam account already, he/she could just log in to the forum without any additional registration. Automatically when you register through the Dwelvers Game account / Steam account you have access to the Dwelvers forum - doesn't matter if you buy a copy of Dwelvers or not.

- If the Steam forum were fully customizable we could even make the Steam forum the one and only, but I don't know if it's possible...let's say it's not, so we can do it with our Dwelvers Game account. What to do? Make a script that could show our achievements gathered on the forum and from the game (and that these are stored in that one database mentioned earlier) in the user's profile, and also specific images of achievements under their avatar.

If security is the problem we need to learn how to manage to make everything secured.

As far as security goes, the main issues I see are:
1- hackers infiltrating the achievements system and adding malicious code to it to cause it to send additional data to another database, such as personal data or keylogger data

2- hacker sends data to the database from an unauthorized location or application that causes Dwelvers to act as a trojan horse downloading malware onto the victim's computer.

The best defense against that is to implement a good authentication system to prevent data from coming from any source other than authentic site admins and Dwelvers games, and from the game, only valid achievement data. From the user end, Dwelvers could also have an authentication system in place to verify that any updates or data it must extract from an online database is authentic and comes from that database and is valid data. That should make it reasonably secure against the types of attackers who'd be most likely to target a game like Dwelvers, namely low end attackers looking for an easy target of convenience. If Dwelvers is to have any online components then this would provide a layer of security that attackers may not expect from an indie game produced on a low budget by a small team. Such algorithms can be bought for inclusion in Dwelvers for no more than a few hundred dollars, and some are even available for free. Symantec sells one such authentication algorithm geared mainly for email authentication/security, but there are other versions out there for other uses.
The Golden One!
Reply
#22
WHAT???
SU as a forum mod?
Why he doesn't even have a nice shirt!

A guy gets 16 gold on a table and suddenly he is a forum mod?

Did I show you my 8000 fish?
I should be running the server!

Tongue
Code:
[insert witty text here]
Reply
#23
Ahh, but that was just one table, in one store room. I posted a wider area pic in http://forum.dwelvers.com/showthread.php?tid=580 I had hundreds of gold in that game.

Quote:SU as a forum mod?
Why he doesn't even have a nice shirt!

[Image: shocked-animals-monkey.jpg]
When did I get Mod privileges? Did someone make me a mod and forget to tell me about it? Huh

Well, then RK, you'd better be more careful what you say, otherwise I'll cast you into the Pit of the Damned! [Image: devil-smiley-029.gif]
The Golden One!
Reply
#24
(04-03-2014, 11:44 PM)Seriously Unserious Wrote: The best defense against that is to implement a good authentication system to prevent data from coming from any source other than authentic site admins and Dwelvers games, and from the game, only valid achievement data. From the user end, Dwelvers could also have an authentication system in place to verify that any updates or data it must extract from an online database is authentic and comes from that database and is valid data. That should make it reasonably secure against the types of attackers who'd be most likely to target a game like Dwelvers, namely low end attackers looking for an easy target of convenience. If Dwelvers is to have any online components then this would provide a layer of security that attackers may not expect from an indie game produced on a low budget by a small team. Such algorithms can be bought for inclusion in Dwelvers for no more than a few hundred dollars, and some are even available for free. Symantec sells one such authentication algorithm geared mainly for email authentication/security, but there are other versions out there for other uses.

The problem as I see it is this, if I make it so that the game can edit, add, remove from a database then anyone can do it. The game itself will have the code that allows the game to mod the database, and even if this code is hidden in binary code a good hacker could get their hands on it somehow.
Anything I put in the code can be extracted from the game, so if I put a password or encryption key in there that would allow the game to reach the database then all that is needed is that password or encryption key to hack the database.
One way to solve this is having it so that when the game communicates with the database and wants to change anything the game will send the user password and username with what he wants to change, making it only possible to hack his own account.
Reply
#25
Which is why I brought up the whole authentication part. Also, you can protect the codes from hackers reasonably well using public key encryption; there are algorithms that are effectively immune to brute force attacks (would take in the order of millions of years for the best supercomputers we have today to find the key), and there are algorithms where it's exceedingly hard to crack the key by cryptanalysis. Not saying it's foolproof, but anything you do should be more than enough for Dwelvers. I'd say the odds of someone attacking Dwelvers are remote, and would most likely come from someone looking for an easy, unprotected target, so would be foiled by any decent defenses you put in there. As for the ones that could break in, they would be unlikely to bother with Dwelvers. They'll be more interested in hacking Apple, Microsoft or EA than to bother with an indie company that's made one game so far. Once you grow big enough to attract that sort of attention, you ought to be able to afford to hire some good network security specialists to keep them out as much as possible.

BTW, where are all these comments about me being a mod coming from?
The Golden One!
Reply
#26
I think this is the safest solution - to change everything, the database would require a password / encryption code. Rasmus and SU pointed out the problems we need to challenge and the authentication system, and I'm sure this works the same as in Blizzard or Steam (especially that Steam has its own wallet and shop!) or Google Play for Android systems. So we need to know how to do it, with which tools and knowledge.

SU - I don't know about anything that says about you as a mod too. :p
Spec: Win 10, ATI 7800 HD, res: 1280x1024x75. I support The Venus Project & Resource-Based Economy
Reply
#27
Not that I'd have anything against being a mod... Tongue

For encryption, you could use SSL (Secure Socket Layer) which is included in the TCP/IP protocols. For authentication, adding a digital signature to all data transfers and username/password combos would both help, as would controlling what different levels of users can access, and what Dwelvers itself has permissions to access in the database.
The Golden One!
Reply
#28
(05-03-2014, 11:26 AM)Seriously Unserious Wrote: Not that I'd have anything against being a mod... Tongue

This is good to know Wink

(05-03-2014, 11:26 AM)Seriously Unserious Wrote: For encryption, you could use SSL (Secure Socket Layer) which is included in the TCP/IP protocols. For authentication, adding a digital signature to all data transfers and username/password combos would both help, as would controlling what different levels of users can access, and what Dwelvers itself has permissions to access in the database.

I think I got a good idea of what to do here if I was to implement something like this. If I only let Dwelvers access the database to change the users own data then I think it would not matter if someone wanted to hack the database, because all they could hack is their own achievements.
Reply
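
The design discussed in posts #24 and #28, as an added example that is not part of the original thread or of Dwelvers' code: the server checks each player's own credentials, scopes every write to the authenticated account, and accepts only known achievement ids, so nothing shipped in the game binary can touch another player's data. The class, function and achievement names are hypothetical, and the accounts are constructed sample data.

```python
import hashlib
import hmac
import os

# Hypothetical achievement ids; the server accepts nothing outside this set.
VALID_ACHIEVEMENTS = {"gold_digger_1", "gold_digger_2", "fish_hoarder"}

def hash_password(password, salt):
    # Slow salted hash so a leaked table does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AchievementServer:
    """Server side only: the game client holds no database key or password."""

    def __init__(self):
        self.users = {}         # username -> (salt, password hash)
        self.achievements = {}  # username -> set of unlocked ids

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))
        self.achievements[username] = set()

    def _authenticate(self, username, password):
        # Unknown users get a dummy record; hashes are compared in constant time.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, hash_password(password, salt))

    def unlock(self, username, password, target_user, achievement):
        """Handle one update request from a game client."""
        if not self._authenticate(username, password):
            return "denied: bad credentials"
        # Writes are scoped to the authenticated account only.
        if target_user != username:
            return "denied: not your account"
        # Only known achievement ids are stored, never free-form data.
        if achievement not in VALID_ACHIEVEMENTS:
            return "denied: unknown achievement"
        self.achievements[username].add(achievement)
        return "ok"

def demo():
    server = AchievementServer()
    server.register("alice", "correct horse")  # constructed sample accounts
    server.register("bob", "battery staple")
    alice = ("alice", "correct horse")
    return [server.unlock(*alice, "alice", "gold_digger_1"),
            server.unlock(*alice, "bob", "gold_digger_1"),
            server.unlock("alice", "wrong", "alice", "fish_hoarder")]
```

In a real deployment the request would travel over TLS so the password is not exposed in transit.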
#29
That is a valid way to protect data, however it doesn't protect against an attacker masquerading as a legitimate user, or even taking over your account, which I'm assuming would act as a superuser with full access to everything. The best defense against that is a good authentication system to verify that each user is who they claim to be and that each message sent to the database comes from who it claims to come from. There are good authentication algorithms out there that would make your system secure enough that anyone who could hack it, wouldn't find it worthwhile to bother.
The Golden One!
Reply