Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:07:00 -
[1]
In order to prevent external sniffing applications from being used to cheat in eve (Virus scanners etc), I would call that all Traffic is encrypted to some level to prevent this snooping.
Please?
|
yumike
|
Posted - 2011.03.27 13:14:00 -
[2]
not all data needs to be encrypted (too much worthless cpu overhead. especially on the server(s))
All sensitive data is already encrypted between the client and server. Don't post for things until you know what you're talking about please.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:16:00 -
[3]
Originally by: yumike not all data needs to be encrypted (too much worthless cpu overhead. especially on the server(s))
All sensitive data is already encrypted between the client and server. Don't post for things until you know what you're talking about please.
Considering they are sniffing out names that are in local via network traffic and having the virus scanners shut down the client. So you propose 2 call streams, one unencrypted and one encrypted or just fudge the data returned in the calls and use non SSL streams?
Either way works for me as long as nobody can use external applications to see RPC data and use that to cheat automatically as they are doing today.
|
Stinky Minky
|
Posted - 2011.03.27 13:20:00 -
[4]
Wireshark will set you free
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:21:00 -
[5]
Edited by: Miilla on 27/03/2011 13:21:41
Originally by: Stinky Minky Wireshark will set you free
Also useless against client server SSL traffic unless of course you happen to run a profiler inproc of eve :)
|
yumike
|
Posted - 2011.03.27 13:25:00 -
[6]
Originally by: Miilla
Considering they are sniffing out names that are in local via network traffic and having the virus scanners shut down the client. So you propose 2 call streams, one unencrypted and one encrypted or just fudge the data returned in the calls and use non SSL streams?
Either way works for me as long as nobody can use external applications to see RPC data and use that to cheat automatically as they are doing today.
Alright, Let's say you did that encrypt local. The key (Dynamic?) would still have to be sent to the client and pass through any virtual network adapter, firewall, virus scanner - bot. ANY piece of software can rebuild the routing table to go through it first. So at most encrypted or not, whatever piece of software between eve and the server would be compromised already. (Since in the case of a bot, it would just need a couple changes to keep working. and then voila it can still sniff network traffic for local.)
Encryption in this case is not a viable solution. That's why the current standard for pretty much any mmo I've seen (including eve) is just to XOR encrypt passwords etc. It's easily broken if you have the key which both the client and the server must have.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:27:00 -
[7]
Edited by: Miilla on 27/03/2011 13:28:38
Originally by: yumike
Originally by: Miilla
Considering they are sniffing out names that are in local via network traffic and having the virus scanners shut down the client. So you propose 2 call streams, one unencrypted and one encrypted or just fudge the data returned in the calls and use non SSL streams?
Either way works for me as long as nobody can use external applications to see RPC data and use that to cheat automatically as they are doing today.
Alright, Let's say you did that encrypt local. The key (Dynamic?) would still have to be sent to the client and pass through any virtual network adapter, firewall, virus scanner - bot. ANY piece of software can rebuild the routing table to go through it first. So at most encrypted or not, whatever piece of software between eve and the server would be compromised already. (Since in the case of a bot, it would just need a couple changes to keep working. and then voila it can still sniff network traffic for local.)
Encryption in this case is not a viable solution. That's why the current standard for pretty much any mmo I've seen (including eve) is just to XOR encrypt passwords etc. It's easily broken if you have the key which both the client and the server must have.
You discovered a universal exploit to hack all SSL connections? You should post your whitepaper immediately, the entire banking industry is in chaos and e-commerce is dying.
|
Karak Terrel
As Far As The eYe can see Chained Reactions
|
Posted - 2011.03.27 13:36:00 -
[8]
K, I'm confused. What has a Virus Scanner to do with cheating/sniffing?
-- please consider to visit our w-space system, cake will be served immediately.
|
yumike
|
Posted - 2011.03.27 13:38:00 -
[9]
Edited by: yumike on 27/03/2011 13:38:03
I wrote out a response but the forum ate it, Can't be buggered to write it again. All I'll say is any time the client or the server is already compromised, It doesn't matter what type of encryption you use as it will be worthless. RSA, AES, SSL and its big brother TLS, it doesn't matter.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:38:00 -
[10]
Originally by: Karak Terrel K, I'm confused. What has a Virus Scanner to do with cheating/sniffing?
They use it to search out strings in traffic between applications and if an enemy name appears, they shut down the eve client.
In other words, go offline so their bot ratter miner won't get ganked.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:40:00 -
[11]
Originally by: yumike Edited by: yumike on 27/03/2011 13:38:03 I wrote out a response but the forum ate it, Can't be buggered to write it again. All I'll say is any time the client or the server is already compromised, It doesn't matter what type of encryption you use as it will be worthless. RSA, AES, SSL and its big brother TLS, it doesn't matter.
Please link me your whitepaper, the entire banking industry and e-commerce vendors will love to see it and probably comment and thus make the internet business safe for all.
Thanks in advance for your hard work into this internet security issue.
No doubt billions and trillions of banking infrastructure and online businesses will have to be spent to fix this.
I can see this appearing on slashdot any moment now. CHAOS IN THE INTERNET!
|
Furb Killer
Gallente
|
Posted - 2011.03.27 13:42:00 -
[12]
Edited by: Furb Killer on 27/03/2011 13:43:41
Indeed, encryption is kinda useless if the client computer is 'compromised', then you can just read it directly from the memory. Not to mention since bots log for every neutral/red that jumps in that they put 330k char names in their virus definitions, risking pretty much every program randomly shuts down, when you can also read the screen way easier (yes I know Miilla is just a troll).
Encryption is used to make sure you cannot sniff the stuff via routers in the middle, packet sniffers that sniff wireless connections, etc. If your client is compromised you cannot hide your data, it needs to be unencrypted in the memory otherwise the user can never use it.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:43:00 -
[13]
Originally by: yumike not all data needs to be encrypted (too much worthless cpu overhead. especially on the server(s))
Don't post for things until you know what you're talking about please.
Can you please link me the investigation you did into this issue on the Eve Cluster, I would like to see numbers and some pretty colourful charts graphs, perhaps even a slidedeck too for the audience for peer review.
|
Kerfira
Kerfira Corp
|
Posted - 2011.03.27 13:44:00 -
[14]
Originally by: Miilla You discovered a universal exploit to hack all SSL connections? You should post your whitepaper immediately, the entire banking industry is in chaos and e-commerce is dying.
You're making a comparison that is not valid.
SSL traffic is no more safe than EVE encrypted traffic would be given the same access.
SSL is considered secure ONLY in the case where the snooper doesn't have access to either the server or the client. If you have that access, and spend the time reverse engineering that server/client internals to retrieve the encryption codes, then SSL is in no way secure.
That is the scenario we have with EVE, since the snooper in this case has FULL access to the client. For the client to decode a coded stream from the server, it has to have the decryption key in memory, and it's a fairly simple (though sometimes time-consuming) matter of retrieving that key, and then using it in your bot script.
Encrypting the streams will make the bot writing a bit more troublesome, but once broken CCP would have to completely re-architect their code to make it resistant again... And they'd have to do it again, and again, and again, and again....
It is not the solution to the problem.
Originally by: CCP Wrangler EVE isn't designed to just look like a cold, dark and harsh world, it's designed to be a cold, dark and harsh world.
|
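As an added illustration (not part of any post in this thread, and not EVE's actual protocol), the Python sketch below contrasts the two vantage points the posters are arguing about: a scanner matching strings in traffic on the path, and an endpoint that holds the session key. The message format, the watchlist name and the HMAC-based toy cipher standing in for TLS record protection are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC construction built from HMAC-SHA256 (stdlib only).
# It stands in for TLS record protection purely to show what an observer
# can and cannot see; it is not a production cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, as it would appear on the wire."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_record(key: bytes, record: bytes) -> bytes:
    """Verify and decrypt; only a holder of the session key can do this."""
    if len(record) < 48:
        raise ValueError("record too short")
    enc, mac = _subkeys(key)
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    stream = _keystream(enc, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def names_visible(data: bytes, watchlist) -> list:
    """What a byte-string matcher sees in the data it is handed."""
    return [name for name in watchlist if name.encode() in data]

def demo() -> dict:
    key = os.urandom(32)  # session key; present in both endpoints' memory
    # Constructed sample message, not a real game packet.
    message = b'{"channel":"local","joined":"Hostile Pilot"}'
    watch = ["Hostile Pilot"]  # constructed name
    wire = seal(key, message)
    return {
        "on_path_plaintext": names_visible(message, watch),
        "on_path_encrypted": names_visible(wire, watch),
        "endpoint_with_key": names_visible(open_record(key, wire), watch),
    }

if __name__ == "__main__":
    for vantage, seen in demo().items():
        print(vantage, seen)
```

Transport encryption removes the name from what an on-path matcher can see, while anything holding the session key on the client machine still recovers it. That is why both the request for encryption and the objection to it describe real, but different, threat models.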
Karak Terrel
As Far As The eYe can see Chained Reactions
|
Posted - 2011.03.27 13:44:00 -
[15]
Originally by: Miilla
Originally by: Karak Terrel K, I'm confused. What has a Virus Scanner to do with cheating/sniffing?
They use it to search out strings in traffic between applications and if an enemy name appears, they shut down the eve client.
In other words, go offline so their bot ratter miner won't get ganked.
Ah, you mean a compromised virus scanner. If your comp is compromised no encryption will help you. That still such a big problem with all the malware stuff on windows?
-- please consider to visit our w-space system, cake will be served immediately.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:46:00 -
[16]
Originally by: Karak Terrel
Originally by: Miilla
Originally by: Karak Terrel K, I'm confused. What has a Virus Scanner to do with cheating/sniffing?
They use it to search out strings in traffic between applications and if an enemy name appears, they shut down the eve client.
In other words, go offline so their bot ratter miner won't get ganked.
Ah, you mean a compromised virus scanner. If your comp is compromised no encryption will help you. That still such a big problem with all the malware stuff on windows?
No, one just with setting to shut down eve traffic if "shield" detects this string. Not compromised at all. Even if your computer is compromised, your client is secured with the server, end to end. Sure you can read memory but that requires attaching an application to read it, which will be detected in future.
|
Terrolph Trick
|
Posted - 2011.03.27 13:48:00 -
[17]
Originally by: Miilla Lalalalalalla
Posting in another Miilla thread. How are you feeling today? Nice concepts you have there. I'm not feeling threatened yet, but I'll just prepare my tinfoil hat just in case. If this gets worse I will have to turn off my computer to protect my stuffz against further threats from the internets.
|
Karak Terrel
As Far As The eYe can see Chained Reactions
|
Posted - 2011.03.27 13:49:00 -
[18]
and how does it get that setting to search for that string?
-- please consider to visit our w-space system, cake will be served immediately.
|
yumike
|
Posted - 2011.03.27 13:49:00 -
[19]
Edited by: yumike on 27/03/2011 13:50:16
I refuse to believe you're this lack-of-intelligence. No white paper required, when your client is compromised all your keys are seen and any software-level encryption won't matter. In fact there's half a dozen ways you can even do it at that point!
So I'm gonna give you 3/10 for a little bit of effort.
Quote: Even if your computer is compromised, your client is secured with the server, end to end.
I laughed. Thank you for that.
|
Badger Molester
The Greater Goon Clockwork Pineapple
|
Posted - 2011.03.27 13:49:00 -
[20]
Just shut up, you are the worst poster (worse than me).
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:50:00 -
[21]
Originally by: yumike I refuse to believe you're this lack-of-intelligence. No white paper required, when your client is compromised all your keys are seen and any software-level encryption won't matter. In fact there's half a dozen ways you can even do it at that point!
So I'm gonna give you 3/10 for a little bit of effort.
Sure it is, you have to back up your statements with facts. Numbers, charts, graphs. Measurements.
You said the Eve Cluster cannot handle the load, I would love to see the numbers to back this up.
All I am asking is for your numbers, you're the one who made the claims, not me.
|
yumike
|
Posted - 2011.03.27 13:56:00 -
[22]
Originally by: Miilla
Sure it is, you have to back up your statements with facts. Numbers, charts, graphs. Measurements. You said the Eve Cluster cannot handle the load, I would love to see the numbers to back this up. All I am asking is for your numbers, you're the one who made the claims, not me.
I said it would create overhead thus more stress. Any server can handle it, Don't try to strawman me. However one would have to question the sanity of any developer who would ever think of encrypting every single packet between a client and a server in this sort of situation since as already said, any form of encryption wouldn't really matter as it's see-through.
You'd effectively be completing extra instructions for no benefit. Way to optimize your code there buddy.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 13:57:00 -
[23]
Originally by: yumike
Originally by: Miilla
Sure it is, you have to back up your statements with facts. Numbers, charts, graphs. Measurements. You said the Eve Cluster cannot handle the load, I would love to see the numbers to back this up. All I am asking is for your numbers, you're the one who made the claims, not me.
I said it would create overhead thus more stress. Any server can handle it, Don't try to strawman me. However one would have to question the sanity of any developer who would ever think of encrypting every single packet between a client and a server in this sort of situation since as already said, any form of encryption wouldn't really matter as it's see-through.
You'd effectively be completing extra instructions for no benefit. Way to optimize your code there buddy.
So, you don't actually have any measurements do you?
|
yumike
|
Posted - 2011.03.27 13:59:00 -
[24]
Originally by: Miilla
Originally by: yumike
Originally by: Miilla
Sure it is, you have to back up your statements with facts. Numbers, charts, graphs. Measurements. You said the Eve Cluster cannot handle the load, I would love to see the numbers to back this up. All I am asking is for your numbers, you're the one who made the claims, not me.
I said it would create overhead thus more stress. Any server can handle it, Don't try to strawman me. However one would have to question the sanity of any developer who would ever think of encrypting every single packet between a client and a server in this sort of situation since as already said, any form of encryption wouldn't really matter as it's see-through.
You'd effectively be completing extra instructions for no benefit. Way to optimize your code there buddy.
So, you don't actually have any measurements do you?
36c
|
Rakshasa Taisab
Caldari Sane Industries Inc. Initiative Mercenaries
|
Posted - 2011.03.27 13:59:00 -
[25]
Originally by: yumike not all data needs to be encrypted (too much worthless cpu overhead. especially on the server(s))
All sensitive data is already encrypted between the client and server. Don't post for things until you know what you're talking about please.
Nor should you... CPU overhead is low for encryption of such low-bandwidth connections, and even if it was a problem adding more servers would be easy.
|
Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.03.27 14:00:00 -
[26]
Originally by: yumike
Originally by: Miilla
Originally by: yumike
Originally by: Miilla
Sure it is, you have to back up your statements with facts. Numbers, charts, graphs. Measurements. You said the Eve Cluster cannot handle the load, I would love to see the numbers to back this up. All I am asking is for your numbers, you're the one who made the claims, not me.
I said it would create overhead thus more stress. Any server can handle it, Don't try to strawman me. However one would have to question the sanity of any developer who would ever think of encrypting every single packet between a client and a server in this sort of situation since as already said, any form of encryption wouldn't really matter as it's see-through.
You'd effectively be completing extra instructions for no benefit. Way to optimize your code there buddy.
So, you don't actually have any measurements do you?
36c
Well, I didn't mean your asscup size did I.
|
Karak Terrel
As Far As The eYe can see Chained Reactions
|
Posted - 2011.03.27 14:03:00 -
[27]
Originally by: Rakshasa Taisab CPU overhead is low for encryption of such low-bandwidth connections, and even if it was a problem adding more servers would be easy.
But it is still the wrong solution because the problem here are people that are just too dumb and install every crap on their machines and not a lack of encryption.
-- please consider to visit our w-space system, cake will be served immediately.
|
Badger Molester
The Greater Goon Clockwork Pineapple
|
Posted - 2011.03.27 14:03:00 -
[28]
Originally by: Miilla Well, I didn't mean your asscup size did I.
n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 
bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro n1 bro
|
yumike
|
Posted - 2011.03.27 14:03:00 -
[29]
Originally by: Rakshasa Taisab
Originally by: yumike not all data needs to be encrypted (too much worthless cpu overhead. especially on the server(s))
All sensitive data is already encrypted between the client and server. Don't post for things until you know what you're talking about please.
Nor should you... CPU overhead is low for encryption of such low-bandwidth connections, and even if it was a problem adding more servers would be easy.
lol. of course it's low. I don't recall saying it would be hefty.. Until you start having 1k people in local and every single packet's encrypted like the OP seems to think would be viable. Because you know, the server doesn't lag already or anything. Let's just add in more worthless checks for no benefit.
|
Rakshasa Taisab
Caldari Sane Industries Inc. Initiative Mercenaries
|
Posted - 2011.03.27 14:17:00 -
[30]
Originally by: yumike lol. of course it's low. I don't recall saying it would be hefty.. Until you start having 1k people in local and every single packet's encrypted like the OP seems to think would be viable. Because you know, the server doesn't lag already or anything. Let's just add in more worthless checks for no benefit.
Encryption, and even just plain old unencrypted connections, are handled by a front-end load-balancing server. So the 'lag' you're imagining is just in your head, as the sol node won't even know there's encryption involved.
Please learn stuff before posting.
|