hacking maptool

DieHard
Kobold
Posts: 10
Joined: Mon Jun 30, 2008 3:42 pm

Post by DieHard »

Well, MapTool is a great program, but it has a problem:
hacking the launch of dice is possible.

To resolve this problem I thought of one idea:

a campaign list for censoring commands.

Very simple implementation:

just put a list of regular expressions in the campaign settings, and only the commands that do not match a regular expression are possible to launch :)

Opinions?

thx

Mr. Pokeylope
Giant
Posts: 118
Joined: Mon Aug 11, 2008 9:24 pm

Post by Mr. Pokeylope »

There are a number of problems with MapTool from a security perspective, and actually making it secure would be a pretty significant undertaking. The existing cheat detection method catches simple attempts to fake rolls, but there are ways around it. You can also do fun things like spoof messages from other players. And this is assuming an unmodified client; if a player compiles their own version of the client, they can send pretty much whatever data they want, and the server has no way of knowing it's not valid. Fixing that would require a major overhaul of the MapTool architecture (basically, making the server do a lot of the work that the client currently does, like doing rolls and executing macros).

So, yes, making MapTool more secure is a good idea, but actually doing it successfully will be a lot of work.

DieHard
Kobold
Posts: 10
Joined: Mon Jun 30, 2008 3:42 pm

Post by DieHard »

Mr. Pokeylope wrote:There are a number of problems with MapTool from a security perspective, and actually making it secure would be a pretty significant undertaking. The existing cheat detection method catches simple attempts to fake rolls, but there are ways around it. You can also do fun things like spoof messages from other players. And this is assuming an unmodified client; if a player compiles their own version of the client, they can send pretty much whatever data they want, and the server has no way of knowing it's not valid. Fixing that would require a major overhaul of the MapTool architecture (basically, making the server do a lot of the work that the client currently does, like doing rolls and executing macros).

So, yes, making MapTool more secure is a good idea, but actually doing it successfully will be a lot of work.

The idea of listing regular expressions is easy to implement (they are a Java programmer :)). I am sure that an expert MapTool programmer ;) could deploy it in 3 days and, in a generic way, solve all possible hacking.

e.g.
Campaign Table Invalid command

N Rule | message | regular expression
1 hacking dice command

Add edit remove

1 modify: implement the table
2 modify: add a tag to the campaign file for the censor table
3 modify: read the table and check whether any of the regular expressions match; otherwise the command is OK

One question: in MapTool, does the client transmit the command or the resolved command?

trevor
Codeum Arcanum (RPTools Founder)
Posts: 11311
Joined: Mon Jan 09, 2006 4:16 pm
Location: Austin, Tx

Post by trevor »

Mr. Pokeylope is correct, the only real solution would be to have the server handle pretty much everything, which isn't impossible, just a significant change from the way it works now.

The hope is that the players you choose to play with are honest and are there for the fun times, not to beat the system by cheating.
Dreaming of a 1.3 release
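
The server-side approach described in the replies above, sketched as an added example (it is not MapTool code and not written by any poster in this thread): the server validates the roll request, generates the dice itself, and takes the sender from the connection rather than from the message. The message fields, `handle_roll` and `session_player` are assumptions made for illustration.

```python
import re
import secrets

# Strict grammar for the only syntax this sketch accepts: NdM with optional +K / -K.
DICE_RE = re.compile(r"(\d{1,2})d(\d{1,3})([+-]\d{1,3})?")

class RollRejected(ValueError):
    """Raised when a client request is not a well-formed roll request."""

def handle_roll(session_player, message, rng=None):
    """Resolve a roll on the server and return the message to broadcast.

    session_player: identity bound to the authenticated connection (assumption).
    message: dict decoded from the client; every field in it is untrusted.
    """
    rng = rng or secrets.SystemRandom()
    expr = message.get("expr")
    if not isinstance(expr, str):
        raise RollRejected("missing dice expression")
    m = DICE_RE.fullmatch(expr.strip())
    if m is None:
        raise RollRejected("not a dice expression")
    count, sides = int(m.group(1)), int(m.group(2))
    modifier = int(m.group(3) or 0)
    if count < 1 or sides < 2:
        raise RollRejected("dice count or size out of range")
    # The dice are generated here; a client-supplied "result" or "from" is never read.
    rolls = [rng.randint(1, sides) for _ in range(count)]
    return {
        "from": session_player,  # taken from the session, not from the message
        "expr": m.group(0),
        "rolls": rolls,
        "total": sum(rolls) + modifier,
    }

# Constructed sample: a request that carries its own result and another sender name.
FORGED = {"expr": "2d6+3", "result": 99, "from": "GM"}

if __name__ == "__main__":
    print(handle_roll("player_a", FORGED))
```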
