Get's my vote!...trevor wrote:I'm gonna take a look, if it's not simple I'm going to punt to 1.3 for a "real" fix.
1.2 Status Update
Moderators: dorpond, trevor, Azhrei
Yeah, 1.2 is surely ready for a release now. I understand that the chat issue is an issue but surely not something to stop release of 1.2?
There can't be that many people using this tool who use it as a VTT (not at the tabletop) and who also don't trust their players enough to report correct dice rolls, surely? At least not so many as to force the release to be put back further?
I deffo agree it need fixing, but I don't see it as a showstopper...
Cheers!
Blakey
There can't be that many people using this tool who use it as a VTT (not at the tabletop) and who also don't trust their players enough to report correct dice rolls, surely? At least not so many as to force the release to be put back further?
I deffo agree it need fixing, but I don't see it as a showstopper...
Cheers!
Blakey
The guy in the green hat.
-
dLANbandit
- Dragon
- Posts: 636
- Joined: Wed Dec 13, 2006 10:43 pm
I posted the following in another thread as a response to some other user's concern over server side rolling, not allowing inline rolling. But I felt that my reply ended up encompassing issues that touched on this thread.
server side rolling, and inline rolling are NOT mutually exclusive. It won't be technically challenging to do server side rolling, but that alone doesn't solve the problem of forgery.
Server side rolling would prevent, me from running a modified client, and generating modified roll results, as the server would parse rolls, and push them to clients. So if I modified the client to fake rolls, others simply wouldn't receive the roll from the server, it would show up as a chat message.
The second issue, is display forgery. Display forgery, would be something like the exploits shown earlier, where you specially craft chat input to look like a roll. This is easily done right now, because the chat is just an HTML renderer, and there is a million and one ways to do the same thing in HTML. You could put an image in the message, that would make it harder to fake, because it would force people to modify the client to insert the fake image. But it would stop the simple text modifications of the chat input.
Combined, using something other than html rendering and server side rolling, would remove the ability to modify the client on one machine and exploit the others software. The cheater would have to modify the server, in order to pull off their trick.
So my proposal for 1.2, is to DISABLE all HTML input from the typed chat box, and DISABLE copy/paste. This would disable some minor html formatting, thus breaking the client side chat cheat. But not prevent the modified client cheat.
In 1.3 I recommend we look at moving all rolling and chat parsing to the server, which would also move us closer to the chat settings controls that have been requested. At the same time we could either change the rendering of the chat, or add some visual validation effects which are shown outside the chat rendered pane. This would stop the modified client cheat, and re-enable the font effects without enabling html result faking.
server side rolling, and inline rolling are NOT mutually exclusive. It won't be technically challenging to do server side rolling, but that alone doesn't solve the problem of forgery.
Server side rolling would prevent, me from running a modified client, and generating modified roll results, as the server would parse rolls, and push them to clients. So if I modified the client to fake rolls, others simply wouldn't receive the roll from the server, it would show up as a chat message.
The second issue, is display forgery. Display forgery, would be something like the exploits shown earlier, where you specially craft chat input to look like a roll. This is easily done right now, because the chat is just an HTML renderer, and there is a million and one ways to do the same thing in HTML. You could put an image in the message, that would make it harder to fake, because it would force people to modify the client to insert the fake image. But it would stop the simple text modifications of the chat input.
Combined, using something other than html rendering and server side rolling, would remove the ability to modify the client on one machine and exploit the others software. The cheater would have to modify the server, in order to pull off their trick.
So my proposal for 1.2, is to DISABLE all HTML input from the typed chat box, and DISABLE copy/paste. This would disable some minor html formatting, thus breaking the client side chat cheat. But not prevent the modified client cheat.
In 1.3 I recommend we look at moving all rolling and chat parsing to the server, which would also move us closer to the chat settings controls that have been requested. At the same time we could either change the rendering of the chat, or add some visual validation effects which are shown outside the chat rendered pane. This would stop the modified client cheat, and re-enable the font effects without enabling html result faking.
I'm okay with this as long as it's a server option.dLANbandit wrote:So my proposal for 1.2, is to DISABLE all HTML input from the typed chat box, and DISABLE copy/paste. This would disable some minor html formatting, thus breaking the client side chat cheat. But not prevent the modified client cheat.
We use a lot of HTML for coloring of text to indicate weapons, attacks, skill rolls, etc. and make the game easier to look at. Seems reasonable if you wanted to sacrifice some of the benefits to ensure you have a secure environment it could be a temporary option in 1.2 until we have a better fix.
I know I kind of missed this bit of the thread, but my 1.3 wishlist has to be:
1. Elevation support - all my players fly and I like 3D terrain.
a. Multilevel VBL - was there ever a resolution on this?
b. Elevation calculations for 3D movement (definitely not a major priority as this just means keepig a calculator handy at the moment)
2. Individual player views - I like splitting up parties.
3. Vision/light interaction. Dynamic vision is *so* cool and I would love to see it taken to the next step.
But basically I'm up for more of the same. You do a great job and allow me to play games with friends from home even though the Atlantic is in the way. All news is good news in my opinion.
1. Elevation support - all my players fly and I like 3D terrain.
a. Multilevel VBL - was there ever a resolution on this?
b. Elevation calculations for 3D movement (definitely not a major priority as this just means keepig a calculator handy at the moment)
2. Individual player views - I like splitting up parties.
3. Vision/light interaction. Dynamic vision is *so* cool and I would love to see it taken to the next step.
But basically I'm up for more of the same. You do a great job and allow me to play games with friends from home even though the Atlantic is in the way. All news is good news in my opinion.
-
trevor
- Codeum Arcanum (RPTools Founder)
- Posts: 11311
- Joined: Mon Jan 09, 2006 4:16 pm
- Location: Austin, Tx
- Contact:
Update:
OK, took a peek at the rolling verification. There is a regular expression that was intended to prevent a user from typing code that would make a roll line, but it broke when we moved to the << >> chars (instead of [..]).
I've updated the code and done some testing, it seems to work alright (I couldn't spoof it with the methods listed previously anyway).
I'll plan on doing a build tonight and let you guys try to break it.
Keep in mind that it is intended to prevent spoofing by honest players, anyone with skills in java could easily circumvent the cheat prevention by downloading the source and tweaking the code. But who wants to play with those people
This should be Good Enough for 1.2
OK, took a peek at the rolling verification. There is a regular expression that was intended to prevent a user from typing code that would make a roll line, but it broke when we moved to the << >> chars (instead of [..]).
I've updated the code and done some testing, it seems to work alright (I couldn't spoof it with the methods listed previously anyway).
I'll plan on doing a build tonight and let you guys try to break it.
Keep in mind that it is intended to prevent spoofing by honest players, anyone with skills in java could easily circumvent the cheat prevention by downloading the source and tweaking the code. But who wants to play with those people
This should be Good Enough for 1.2Dreaming of a 1.3 release
-
trevor
- Codeum Arcanum (RPTools Founder)
- Posts: 11311
- Joined: Mon Jan 09, 2006 4:16 pm
- Location: Austin, Tx
- Contact:
#1 has been requested several times recently, especially by one or two of the rpteam members, so look for some introductory support for it soontorstan wrote: 1. Elevation support - all my players fly and I like 3D terrain.
2. Individual player views - I like splitting up parties.
3. Vision/light interaction. Dynamic vision is *so* cool and I would love to see it taken to the next step.
#2 is planned
#3 will be improved iteratively over time
Dreaming of a 1.3 release
-
Emryys
- Dragon
- Posts: 780
- Joined: Tue Jan 31, 2006 9:01 pm
- Location: Beneath the Aurora Borealis
- Contact:
lol... yeah I hate playing with coders... they remind me of rule lawyers... all technical and stuff...trevor wrote:Keep in mind that it is intended to prevent spoofing by honest players, anyone with skills in java could easily circumvent the cheat prevention by downloading the source and tweaking the code. But who wants to play with those people
Ban Coders!... No wait...
Game On!
(kind of off topic rant)
personally, I never really understood cheating at a game. To be honest with you, I could never understand why my nephews would buy a video game for 50 bucks, and use cheat codes right away to beat it in one day.
Man, if that isn't just stupid!
I have so many memorable moments of beating a game - they stay with me as a warm cozy reminder that my hard work and efforts result in a sense of accomplishment. I just feel good winning - being a real winner; in life - in everything you do in life...
I just don't understand cheaters and to be completely honest here, if I knew a friend of mine was cheating, I really don't think he would be a friend of mine because not only did he cheat himself, he cheated all of us at the same time.. I don't need friends like that. If you cheat yourself that easily, then you are probably cheating others in some other manner..
So to all you cheaters out there who are listening - start feeling good about yourself - try for once in your life and feel how good it is to be a winner. It is like crack -once you get a hit, you will always want more
(resuming regular broadcast)
personally, I never really understood cheating at a game. To be honest with you, I could never understand why my nephews would buy a video game for 50 bucks, and use cheat codes right away to beat it in one day.
Man, if that isn't just stupid!
I have so many memorable moments of beating a game - they stay with me as a warm cozy reminder that my hard work and efforts result in a sense of accomplishment. I just feel good winning - being a real winner; in life - in everything you do in life...
I just don't understand cheaters and to be completely honest here, if I knew a friend of mine was cheating, I really don't think he would be a friend of mine because not only did he cheat himself, he cheated all of us at the same time.. I don't need friends like that. If you cheat yourself that easily, then you are probably cheating others in some other manner..
So to all you cheaters out there who are listening - start feeling good about yourself - try for once in your life and feel how good it is to be a winner. It is like crack -once you get a hit, you will always want more
(resuming regular broadcast)
-
dLANbandit
- Dragon
- Posts: 636
- Joined: Wed Dec 13, 2006 10:43 pm
That is great trevor! So if I try to type in those previous cheats what sort of feedback do I get as a user? Does it let me know my message was stopped and why? Do the other players get notified of my attempt? Maybe that should be added. I would like to know if someone tried to craft a text cheat.trevor wrote:Update:
OK, took a peek at the rolling verification. There is a regular expression that was intended to prevent a user from typing code that would make a roll line, but it broke when we moved to the << >> chars (instead of [..]).
I've updated the code and done some testing, it seems to work alright (I couldn't spoof it with the methods listed previously anyway).
I'll plan on doing a build tonight and let you guys try to break it.
Keep in mind that it is intended to prevent spoofing by honest players, anyone with skills in java could easily circumvent the cheat prevention by downloading the source and tweaking the code. But who wants to play with those people
The only way to fix the coder cheat that I know of is to do server side, roll parsing. Do you know of another way?
Last edited by dLANbandit on Wed May 23, 2007 10:10 am, edited 1 time in total.
-
dLANbandit
- Dragon
- Posts: 636
- Joined: Wed Dec 13, 2006 10:43 pm
I completely agree with you on the subject of cheating. However, right now most of us are using this tool for FUN only. I think in the future as more wargaming features are implemented and as online conventions start happening more, we may see the rise of competitions with prizes using this tool. At that point I would hope we have built in some good cheat prevention, and hopefully some cheat detection.dorpond wrote:(kind of off topic rant)
personally, I never really understood cheating at a game. To be honest with you, I could never understand why my nephews would buy a video game for 50 bucks, and use cheat codes right away to beat it in one day.
Man, if that isn't just stupid!
I have so many memorable moments of beating a game - they stay with me as a warm cozy reminder that my hard work and efforts result in a sense of accomplishment. I just feel good winning - being a real winner; in life - in everything you do in life...
I just don't understand cheaters and to be completely honest here, if I knew a friend of mine was cheating, I really don't think he would be a friend of mine because not only did he cheat himself, he cheated all of us at the same time.. I don't need friends like that. If you cheat yourself that easily, then you are probably cheating others in some other manner..
So to all you cheaters out there who are listening - start feeling good about yourself - try for once in your life and feel how good it is to be a winner. It is like crack -once you get a hit, you will always want more
(resuming regular broadcast)
At another level a small percent of us are attempting to use the tool to game with people we have never met with online. I think that group of people will grow as MapTools, gets more community features in place, (like online, open game lists, and observer modes) That community will have a section of it populated by lame people, who have the ability to code and cheat. I would hope we can help those people not have their games ruined by cheating drama, or false accusations prevented by robust cheating prevention, and detection.
Again just my $0.01