It's not just about the CAPTCHA! Tools, Techniques and Technology to help make the game better - Page 2 - Ragnarok Online Community Chat - WarpPortal Community Forums

36 replies to this topic

#26 M22T

M22T

    Amateur Blogger

  • Members
  • 135 posts

Posted 24 February 2011 - 02:16 PM

3 times
  • 0

#27 Kadelia

Kadelia

    Rainbow Sparkle, Go!

  • Members
  • 14312 posts
  • LocationVirginia, USA
  • Playing:Ragnarok Online
  • Server:Chaos/Renewal

Posted 24 February 2011 - 02:48 PM

I would like to see the evidence linking typos to intelligence.
  • 0

#28 Hacks

Hacks

    Awarded #1 Troll

  • Members
  • 534 posts

Posted 24 February 2011 - 03:48 PM

the issue here isn't securing gravity's network against attack, and believe me when i tell you i doubt it's 100% secure, the issue here is plain old TCP client/server communications. without going into extreme detail of the tech involved here, the simple fact of the matter is no matter what method is used to authenticate a user as "real", eventually it can all be emulated or imitated by the bots because they aren't running the RO client.

the botters have the upper hand in all this since they actually have access to source code, any wall thrown up in their way can easily be counteracted and they compile a new binary and botting continues. iRO (obviously) does not have access to source code, had they access to it they wouldn't need to contact kRO for fixes for everything. i suspect those who beg for captchas are doing it for personal gain (stockholders, employees, etc.).

i'll be honest here, my stubborn opposition to captchas is solely out of my own laziness. every other game i've played that has required them when logging in or randomly throughout gameplay i've quit and never looked back on. it's a serious annoyance, many would not even allow use of the keyboard, instead requiring entry via mouse from an on-screen keyboard that is also randomized after each entry. we're talking 3+ minutes of hunting down letters on a randomized keyboard just to log in. from the time i start my iRO client to the time i get in game is about 10 seconds, any longer than that is too long.

the simple fact of the matter is in a client/server environment, there's just no sure-fire way to ensure the connecting client really is what it claims to be without completely breaking everything that makes this all work. you could completely rewrite the client and server from scratch, have players log into warpportal to download their own personal client with their own personal communications encryption key hard-coded into the binary generated by server-side scripting just for this session, require login via the hated method above, put 5 captchas in there and require a finger scan. doesn't make a lick of difference. after some time has passed, a new bot will come out that logs into warpportal claiming to be IE8, downloads its client file and greps the encryption key right out of it, solves the captchas or forwards them to chinese sweatshop workers, loads a saved fingerscan file and rotates it +/- 5 degrees just to make it look different from the last time, completes login and runs its own bot script as normal.

without having complete control of the client machines, there's just no assurance anything is as it claims. having a captcha at login only serves to piss actual users off every time they log in. $1 worth of WPE per account isn't too much to ask, coding bots to do free offers would be an exercise in frustration as they change far more frequently than we receive patches and they IP block you after you collect so much.
  • 1

#29 Xellie

Xellie

    Valkyrie

  • RO Fungineering
  • 18610 posts
  • Twitter:@nekoxellie
  • LocationValhalla
  • Playing:Ragnarok Online
  • Server:Europe ban!

Posted 24 February 2011 - 03:50 PM

I would like to see the evidence linking typos to intelligence.


if you repeatedly make the same "typo" you can't be that smart.
  • 0

#30 Markus

Markus

    Amateur Blogger

  • Members
  • 209 posts

Posted 24 February 2011 - 04:04 PM

The only solution to bots is something that changes regularly. Anything else means pretty much nothing after a week. Pretty much everything here is extremely easy to get around when you can fluidly change how your bot works. That means that you have to be able to fluidly change how the anti-bot security works.
  • 0

#31 meoryou2

meoryou2

    Too Legit To Quit

  • Members
  • 1176 posts
  • LocationAFK in Ymir pront
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 24 February 2011 - 07:21 PM

1.) Blocking IP's isn't a sliver bullet just like how giving a person Acetaminophen for a fever doesn't CURE their aliment, it makes it more manageable for the patient... IP Bans never solve the problem it only prevents the current problem from exasperating.


2.) By no means do I mean this in a disrespectful way, but you don't have any Networking or Cisco Certifications or Degrees let alone actual REAL working experience as a Network Technician or Administrator. There is a big difference between reading about HOW to circumvent Cyber Security Protocols and actually PREFORMING AND PREVENTING. The proof isn't in what your next response is, it will be in weither you can prove true to your concept and defy an industry which makes BILLIONS through successful protecting of their clients and data. Seriously it's time to stop crap responses like this.


Better yet remember the DNS attack that happened to Master Card a few months back in connection to WikiLeaks? Yeah they've already caught the people involved.

-Almost for got the most important thing; Unless you have the financial backing or preform the attacks from sovereign/non-extradition soil, but mailing the money, you're going to get caught.



But in all honesty, if you already know all of the technical aspects of network administration and security, why aren't you pointing out and discussing other applications, programs, setups and procedures that Gravity could use to secure their network just as other Company's, financial institutions and Governments do as well? Or are you going to continue to reply project negativity with comments that only fuel the notion of not investing in ANY security applications or protocols to protect a network... because they wont work?


Funny, I could have sworn that I had my own network consulting business for the last.... 11 years. And that I have done contract work for fortune 500 companies....

You are correct in stating I don't have CCNA certs since I don't need em. My years of real world experience count for more than some monkey that managed to memorize some book learning and pass a test or two.

As for why I am not pointing out how Gravity can secure their network blah blah blah two reasons.
Reason One: they are running an inherently less secure server setup - quite possibly why they have DB trouble as well, since MSSQL is just as slow and buggy as the rest of their products are. I use Windows as absolutely as little as I possibly can get away with.

Reason two: your post isn't about securing the network to begin with, your post is about securing access to the network. You will never be able to restrict access to the network enough to prevent botting in a way that will NOT also piss off legit users, not in the U.S. anyways. The only reason it worked for jRO is because their whole culture is based more on respecting authority figures.... not something that a great amount of U.S. people do, especially the last few generations.
  • 2

#32 Sera

Sera

    Too Legit To Quit

  • Members
  • 4831 posts
  • Locationthis evil world
  • Playing:Ragnarok Online
  • Server:iRO Chaos

Posted 24 February 2011 - 07:24 PM

Urahaha is back, haven't seen him around in a while. Missed his great drag costumes.

But yeah, I think we need more digital mantraps. For catching digital men and stuff.
  • 0

#33 TheUraharaShop

TheUraharaShop

    Awarded #1 Troll

  • RO Fungineering
  • 962 posts
  • Playing:Nothing
  • Server:My Dreams + Loki

Posted 24 February 2011 - 08:27 PM

So... you said...

  • your post isn't about securing the network to begin with, your post is about securing access to the network. You will never be able to restrict access to the network enough to prevent botting in a way that will NOT also piss off legit users, not in the U.S. anyways.
  • they are running an inherently less secure server setup - quite possibly why they have DB trouble as well, since MSSQL is just as slow and buggy as the rest of their products are. I use Windows as absolutely as little as I possibly can get away with.
Yeah you hit the nail on the head so after 3 years of Gravity playing around and trying to figure out how to fix this, you've done it in what... 224 words. You may not realize this, but in the field of science satisfaction doesn't come from knowing all the answers but helping others find those answers. You honestly need to realize that yes they're not paying you, but you didn't spend those 11 years just to let all of that information stagnate, most of what you know can help not just Gravity but other players who are tired of the failed attempts of it being fixed, just like you are.
  • 0

#34 SamuelAdams

SamuelAdams

    Awarded #1 Troll

  • Members
  • 720 posts
  • Playing:Nothing

Posted 24 February 2011 - 09:43 PM

Only trouble with RagDefend is it's quite harsh and some OS e.g. 64-bit may not work with it or stuff like FRAPS etc. Unless jRO has changed that since because that page is many years old now. 3 years later Doddler mentioned bots are still low on jRO and population high (40k+).

Fraps or no bots... Hmm... Now that is a very hard decision.
I think this should be looked into maybe? D:
  • 0

#35 Markus

Markus

    Amateur Blogger

  • Members
  • 209 posts

Posted 24 February 2011 - 09:54 PM

Fraps or no bots... Hmm... Now that is a very hard decision.
I think this should be looked into maybe? D:

It might not be legal in the US anyways. Some of the best bot prevention software isn't, and a lot of them tend to mess up other programs that are running besides what they are trying to protect.
  • 0

#36 Kadelia

Kadelia

    Rainbow Sparkle, Go!

  • Members
  • 14312 posts
  • LocationVirginia, USA
  • Playing:Ragnarok Online
  • Server:Chaos/Renewal

Posted 25 February 2011 - 06:50 AM

if you repeatedly make the same "typo" you can't be that smart.


I don't think he's actually dumb enough to think "silver" is actually spelled "sliver". It has to be a typo in this instance. Perhaps he has issues with the order he touch types certain keys and transposes their order. I regularly make the same typos with vowels because I reach for the 'e' key and some other vowels quicker than most consonants, so I end up regularly making the same typos.
  • 0

#37 TheUraharaShop

TheUraharaShop

    Awarded #1 Troll

  • RO Fungineering
  • 962 posts
  • Playing:Nothing
  • Server:My Dreams + Loki

Posted 25 February 2011 - 08:00 AM

When logic doesn't prevail there are always typoes to prove your're write.

But if they create a special encryption for iRO or maybe even possibly through WarpPortal (once they release it officially, it's still in beta) couldn't that be deciphered similarly to how GameGuard and HackShield are now?

I remember at one point Gravity released a Packet change that caused the generic bot farms and spammers to be unable to connect for about 10 to 12 days. They were scrambling around waiting for OK to release an update for their application. Could performing similar packet changes, then once they release their own update to the changes made, just modify the packet causing everyone working on the open source code to wear out performing the same mundane task of figuring out what the changes were and should be?

Focusing directly on the Client Side application, are the clients (iRO in particular) able to be modified to track to see where the player is aiming, looking or where the mouse is relative on the screen and use as an input? Similar to: http://download.orac...n-Tutorial.html But it would be more in line to how a couple of years ago during a Counter Strike Tournament, they implemented software that at random times took a screen shot of where the cross hairs of a player was located. At the same time more similar to how Kinetic and Wii work where the user has to either move the remote (for us it would be the cursor) in desired shape such as a circle or hold the cursor still in a specific location for X amount of seconds. I'd think that could be pushed through the clients it could be implemented at random intervals during a loading screen and only taking seconds of the players time.


Edit
Or is it possible to have the Clients work similarly to how an OEM installation is?

When an OEM is installed it is tied to the piece of hardware it is sold with. Now it is exploited quite often because it doesn't always need an activation key or its updates can be managed through another valid domain name or controller. For iRO it would be quite straight the opposite and straight forward.

So when a person downloads and installs an iRO client it should be able to create a key which is unique to the machine it is installed on. It should be based on the serial numbers or unique identifiers of the hardware which are rare to be replicated AND do not contain really personal information.

The hardware that could be used:

Hard Drive
RAM
Sound Card
Graphics Card
Processor
Other pieces of hardware which are very seldom changed or removed

http://social.msdn.m...4-7e8c6662f343/

We could also possibly do the same with creating an Application that can do something similar for a USB creating a Key or Passcode when a user wants to log on they need to insert it. (Someone posted this on another thread). Although these can be cracked or deciphered, but it becomes more difficult and timely based on the bit size.

Once the player installs the software, it will create this code and submits this code, their application will only then connect to the iRO servers with that unique identifier so if there has been a hardware change the software will not proceed to connect. AND the server is only accepting a connection from that unique identifier from that application. Because this identifier is unique, hard to spoof and can be verified without the need of an IP (Thank you meoryou2) it is not easier to manage and detect who is using the application and which accounts are logging on through it. Without the unique code, anyone trying to connect to the server would be rejected.

Working on a way to reduce the redundancies if this is being used by a computer cafe. It could be just simply restrict it to the US at first and request the cafe's Tax ID to help create the unique code.

Edited by TheUraharaShop, 25 February 2011 - 09:42 AM.

  • 0
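
Added example, not part of any post in this thread and not Gravity's or WarpPortal's code: a sketch of the hardware-bound identifier proposed in post #37, checked server-side with a one-time nonce and a tolerance for one changed component. The `LoginServer` class, the `min_match` threshold, the component names and the serial values are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def component_digests(serials, salt):
    """Salted hash per component, so raw serial numbers never leave the machine."""
    return {name: hashlib.sha256(salt + name.encode() + b"\0" + value.encode()).digest()
            for name, value in serials.items()}

def client_response(digests, nonce):
    """Per-component proof bound to the server's one-time nonce."""
    return {name: hmac.new(d, nonce, hashlib.sha256).hexdigest() for name, d in digests.items()}

class LoginServer:  # hypothetical server-side check
    def __init__(self, min_match=3):
        self.min_match = min_match  # components that must still match (assumed policy)
        self.enrolled = {}          # account -> digests recorded at install
        self.pending = {}           # account -> outstanding nonce

    def enroll(self, account, digests):
        self.enrolled[account] = dict(digests)

    def challenge(self, account):
        self.pending[account] = secrets.token_bytes(16)
        return self.pending[account]

    def verify(self, account, response):
        nonce = self.pending.pop(account, None)  # single use, so a captured reply cannot be replayed
        if nonce is None or account not in self.enrolled:
            return False
        expected = client_response(self.enrolled[account], nonce)
        matches = sum(hmac.compare_digest(expected[n], response.get(n, "")) for n in expected)
        return matches >= self.min_match

def demo():
    salt = secrets.token_bytes(16)  # per-install salt kept by the client
    pc = {"disk": "WD-0001", "cpu": "CPU-0002", "gpu": "GPU-0003", "sound": "SND-0004"}  # constructed
    server = LoginServer()
    server.enroll("alice", component_digests(pc, salt))
    login = lambda serials: client_response(component_digests(serials, salt), server.challenge("alice"))
    reply = login(pc)
    return {
        "same_machine": server.verify("alice", reply),
        "replayed": server.verify("alice", reply),
        "gpu_swapped": server.verify("alice", login(dict(pc, gpu="GPU-9999"))),
        "other_machine": server.verify("alice", login({k: v + "-x" for k, v in pc.items()})),
    }

if __name__ == "__main__":
    print(demo())
```

The server can only confirm that the reply was computed from the enrolled digests; it cannot confirm that the official client computed it, which is the limit described in post #28.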
