Half Life 2 now due this summer

shrug Maybe they were trying to scare the dev team into working harder. Seems to me they aren’t particularly stressing over finishing the game… they’ve potentially had, what, five years now? Six?

About the only value they’d get out of that is to stress-test it for free. They could have done that with a Counterstrike update if they’d so chosen (and in fact they HAD done it with a CS update. :) ).

Otherwise Steam was even more of an embarrassment than the delay of the game could ever be.

Really? You mean you can provide well written, well commented code to anyone and still have it secure to malicious attempts?

Having the source code open hardly makes it more secure, but if you look at OpenBSD, FreeBSD, Linux and various OSS software you will see that some of them are more secure than Windows and closed source Windows software. They aren’t flawless or anything, the point is just that having the source code closed should be a minor benefit in terms of security, real security must be in the protocols and methods.

That’s because of fundamental differences in implementation. You can make BSD or Linux as insecure as Windows and vice versa. Linux and BSD having a lot in common with Unix used the locked door approach. Everything is locked (for the most part) until you make it otherwise. This requires knowledge and training on some level. Windows starts with an open door and requires you to lock it. It makes it easier for someone to get a basic network running, but is insecure as hell. There are lots of flaws in OSS operating systems, they just don’t get the attention (by security experts and virus writers/hackers) because it’s easier to crack a Windows OS (for reasons stated above) and there are more potential targets.

Besides, most “exploits” these days come after the patch that fixes them comes out. Not too impressive to code a published exploit.

http://www.defenselink.mil/news/Jun1998/b06231998_bt316-98.html

Does that mean you didn’t like the PnP game, or that a video game can’t capture the fullness of the tabletop version? If the latter, I agree with you. However, I don’t think D&D computer games capture the PnP version very well either. You can’t really roleplay in them, and even those that give you meaningful choices (BG2, KOTOR) are still very restricted because of the game parameters. Still, I enjoy playing the D&D games because they capture SOME of the PnP experience and because they offer new things in their own right. I am hoping Vampire can do this. The last Vampire PC game was not very good, IMO, but I only played the demo. It seemed too combat oriented, which may be a fault of the medium. The great thing about the PnP Vampire was that you could play a whole session without getting in ANY fights and still have a great time.

Thanks for all the replies to my question about security.

You have to if it’s going to be licensed to other people.

I would have guessed the engine is more of a collection of libraries with instructions on how to call all functions in them. No need for the uncompiled code in the libraries is there? It doesn’t work that way?

Really? You mean you can provide well written, well commented code to anyone and still have it secure to malicious attempts?

Uh, yes? This is kind of the point of best practices secure development.

Why would they tell us? :D

I get the impression from the encryption community that they think they’re just sticking their names on pre-existing NSA discoveries.

Yeah. I’ve always (well, almost always) played Vampire as a very political, very very character driven game. A lot of the disciplines and clans I most enjoy probably won’t translate over well. I truly fear how they’re going to deal with Malkavians, please resist the urge to fish-malk…

However, I don’t think D&D computer games capture the PnP version very well either. You can’t really roleplay in them, and even those that give you meaningful choices (BG2, KOTOR) are still very restricted because of the game parameters. Still, I enjoy playing the D&D games because they capture SOME of the PnP experience and because they offer new things in their own right. I am hoping Vampire can do this. The last Vampire PC game was not very good, IMO, but I only played the demo. It seemed too combat oriented, which may be a fault of the medium. The great thing about the PnP Vampire was that you could play a whole session without getting in ANY fights and still have a great time.

Most of my D&D tabletop experience has been mostly as dungeon crawls, though I’ve had some good non-combat sessions as well. So the limitations for a PC D&D don’t get to me quite as much as they do for Vampire. But I can’t imagine anything worse than a PC Exalted. The biggest rule, stunts, would have to be cut out entirely, and the entire philosophy of the game can’t be carried out with PC restrictions. So I dread it.

I still think the delay has more to do with Steam issues than anything else. I guess this HL2 delay means TF2 is delayed again also? :lol:

I know there are fundamental differences, but that was part of my point. If the point wasn’t clear I’ll put it this way: the openness of the source is not very relevant in itself, keeping the source closed might be a benefit but it is not something that you should rely upon. An open source project like OpenBSD might have a lot fewer security problems than Windows simply because they’ve made different design choices, and have a different target audience, just like you say.

It is pretty widely understood that the NSA invented differential cryptanalysis probably in the 1960s or 1970s, a long time before it was known by the public (which was around 1990 or so).

http://www.win.tue.nl/~henkvt/dc.pdf

Uh, yes? This is kind of the point of best practices secure development.

It’s kind of sad that you flip off your mouth without understanding the problem they are attempting to solve.

They are attempting to secure the client from the user. This is very different from attempting to secure the client from an attack which is external to the client machine (usually buffer overruns).

The only way to secure the client from the user, given the current installed technology, is obscurity.

It’s weird that they had to cancel their release due to this breach. I would assume that they are implementing their security via implementing an in house obfuscating compiler. I mean that’s how everyone else does it. Who would care if the source to HL2 itself was released so long as their compiler secrets remained secret?

Nope, Visual Studio 6, service pack 5. I don’t know of anybody using such obfuscation techniques in the game industry. Perhaps some of the MMO folks have dabbled, but I doubt it.

Gamedev magazine had some “anti-cheat” tips from, I think, Ensemble. The obfuscation mainly involved using lots of pointers and dynamic memory allocation to frustrate the simple “change this memory address to get more $$$” cheats.

But an obfuscating compiler? Google sure doesn’t know much about those… Would that be run after compilation into object code or after linking or what?

Basically, an obfuscating compiler adds a bunch of stuff to the output code. The idea is that it randomly changes the output code with extra branches and whatnot, but it has the same function that it would with a regular compiler. Which wouldn’t do too much if someone gets ahold of the actual source.

Which wouldn’t do too much if someone gets ahold of the actual source.

Well, I would not say that it wouldn’t do much good, but you are right, it would reduce the effectiveness, that is certain. Unless they also obfuscate the data flow. But that’s harder.

Would that be run after compilation into object code or after linking or what?

Depends upon the technology. Some go before compiling, some work on object code, and some work on both.

I don’t know of anybody using such obfuscation techniques in the game industry.

I have to agree with you there. I don’t know of anyone in the game industry doing this. I think it costs too much money to develop in house. And for some reason no company that has tried to sell this to the game industry has been successful. More than likely it is a cost issue. And there is the performance issue: these things generally have a very negative impact on performance, although to be fair there is usually a performance/obfuscation tradeoff.

Really? You mean you can provide well written, well commented code to anyone and still have it secure to malicious attempts?
Most encryption algorithms fulfill this requirement - the ones that don’t are almost never used. So do most Unix-type open-source operating systems.

Silverlight beat me to it, but security by obscurity is just an illusion. For something to really be secure you have to be able to assume your adversaries know your algorithms and still can’t (easily) break them. Just to pick an everyday example, SSL works this way – everyone (who cares) knows the algorithm, but it is still generally secure. OpenSSL code is downloadable but very widely used (now that the RSA patent has expired).

Fair point, although they can also move key pieces to a server they control. But the client still leaves an opening.

But, if you have to rely on obscurity, it will be cracked if folks are really interested in doing so.
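A sketch of the "move key pieces to a server they control" idea from the post above, as an added example that is not from any poster or from Valve's code. The class names, the price list and the player id are hypothetical; it contrasts a server that trusts a client-reported balance with one that keeps the balance itself, so editing client memory changes nothing that matters.

```python
from dataclasses import dataclass, field

PRICES = {"armor": 650, "rifle": 2700}  # constructed sample price list


@dataclass
class TrustingServer:
    """Weak design: believes whatever balance the client reports."""
    inventory: dict = field(default_factory=dict)

    def buy(self, player, item, claimed_balance):
        if claimed_balance < PRICES[item]:
            return False
        self.inventory.setdefault(player, []).append(item)
        return True


@dataclass
class AuthoritativeServer:
    """Hardened design: the balance lives only in server-side state."""
    balances: dict = field(default_factory=dict)
    inventory: dict = field(default_factory=dict)

    def buy(self, player, item, claimed_balance=None):
        # claimed_balance is accepted but never consulted: the client's
        # view of its own money is treated as untrusted input.
        price = PRICES.get(item)
        balance = self.balances.get(player, 0)
        if price is None or balance < price:
            return False
        self.balances[player] = balance - price
        self.inventory.setdefault(player, []).append(item)
        return True


def demo():
    # Constructed scenario: the real balance is 800, but the client's
    # local copy has been edited to read 99999.
    tampered_claim = 99999
    weak = TrustingServer()
    strong = AuthoritativeServer(balances={"p1": 800})
    return {
        "weak_rifle": weak.buy("p1", "rifle", tampered_claim),
        "strong_rifle": strong.buy("p1", "rifle", tampered_claim),
        "strong_armor": strong.buy("p1", "armor", tampered_claim),
        "strong_balance": strong.balances["p1"],
    }


if __name__ == "__main__":
    print(demo())
```

Anything the client must still compute locally (rendering, aiming, what it can see) stays outside this protection, which is the opening the post refers to.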

Really? You mean you can provide well written, well commented code to anyone and still have it secure to malicious attempts?

Yes you should be able to. That’s the idea from all those open source zealots.

There’s open-source e-commerce software? I wasn’t aware of any.

re: security through obscurity – People get hung up on this phrase and somehow assume that obscurity is bad. There’s a difference between security THROUGH obscurity (where you rely solely on obscurity), and security INCLUDING obscurity, which any real-world security force will tell you is an absolute no-brainer.

There is no such thing as an absolutely secure system (though that 256-bit AES is some strong stuff!). There’s only raising the bar. And making your code both inherently secure AND obscure is the best way to make the bar as high as possible.

Besides, there are some things that you almost certainly can’t do with regards to security in a fast-paced multiplayer online game.