get out gsc team and fight get out gsc team and fight get out gsc team and fight get out gsc team and fight get out gsc team and fight get out gsc team and fight get out gsc team and fight get out gsc team and fight
I was using that as an example of open encryption. Everyone who has the desire to learn how WPA2 works can. It's an open specification.WPA2 has nothing to do with netbattle, what in the world are you talking about?
We are changing the encryption method for alot of things anyways.
You're relying on security through obscurity rather than security through secure mechanisms. This is the point I was making. A truly secure system isn't broken by source code leaks.In the Diamond Pearl patch that my team and I are making, all "security holes", (which were all just because of source code leaks) have been fixed.
There is no way for anything to be guaranteed secure. Security isn't a final product so much as an ongoing process. You don't put something out and say "This is secure!". You make things as secure as possible, and then fix flaws as they're found. It's like what Moltke the Elder said: "No battle plan survives contact with the enemy.".Why is there no way for NB to be garanteed secure?
How do you identify a flood, though? So you block X number of concurrent connection attempts. They do a Distributed Denial of Service attack to go around any filtering by IP or SID by having the attack come from several computers all around the globe. So you implement some heuristic to determine spam (tons of people sending the same message is probably spam), so they write a better spam bot. You find a way to counter that and they abuse your method of establishing a connection to take down your server with the extra processor overhead associated with powerful spam-detection heuristics. It's a constant cat-and-mouse game, you can't just say "OK we've solved security.".There was a firewall made for netbattle a long time ago (by Wizard, don't know if you guys know/remember him), and we have a firewall that is built in, we are coding it to auto-block floods.
"DDoS" does not do anything to netbattle servers, the programs that "flood" are programs made almost specifically for netbattle. *Cough Jashdias' boah bots**Cough Connection-SpamBots*. They will flood your server anyways, therefore the build-in firewall will block and rendering it useless.
My idea of security isn't that it only works when people are doing what's expected. The point of a secure program is to take into account the fringe cases where people are stretching the program to its limits.Why would a battle even last 1024 turns? Obviously we will patch this up but that is a horrible excuse to say it is not "Secure".
Also I remember AA had a log of all the netbattle bugs while the archive was still around, (of like ancient threads), but now that it is gone I don't know what the bugs are, besides stuff like Sub blocking spin when it isn't supposed to and Blaze kick burns fires, if you happen to have a bug-log that would be much appreciated.I was using that as an example of open encryption. Everyone who has the desire to learn how WPA2 works can. It's an open specification.
When the guys who came up with AES (Advanced Encryption Standard) were looking for the method of encryption to use, one of the requirements is that it not be a trade secret / closed source. The cipher chosen, Rijndael, has articles explaining absolutely everything in it.
Or, more topically, consider TLS (Transport Layer Security, formerly SSL, Secure Sockets Layer. This is what you're using when your browser says "https://..." instead of just "http://..."). It's a method of creating secure communication from endpoint to endpoint such that no one (not even your ISP) is able to view the contents of your message (unless one of the endpoints is compromised, for instance, with a virus).
Why does this matter?
http://en.wikipedia.org/wiki/Transport_Layer_Security#How_it_works
TLS is an open protocol. Why this is all relevant to my previous post is simple:
Point taken.
"A method of encryption that requires people to not understand it for it to work is a poor method of encryption."
It doesn't have to be "non understandable", tbh I do not know why Ian did that. However due to some things I've seen people do whilist not even having the source, and just using WPE pro, a "non understandable" encryption method was the way to go.
Of course we can try an "understandable" ecryption method, but unfortunately this will lead people to be able to make their own source codes/patch up old encryptions from old codes, which is what we do not want in the update, because of old ordeals the past, and we want to keep it a closed source (once again)(or atleast till late stages).
You're relying on security through obscurity rather than security through secure mechanisms. This is the point I was making. A truly secure system isn't broken by source code leaks.
Before source code leaks, the only "security issue" was DoS (not DDoS) attacks (By programs made specifically for netbattle, not just any DoS or DDoS programs). Once Masamune gave the first source code leak to some people, thats when the first crash packets were discovered.
There is no way for anything to be guaranteed secure. Security isn't a final product so much as an ongoing process. You don't put something out and say "This is secure!". You make things as secure as possible, and then fix flaws as they're found. It's like what Moltke the Elder said: "No battle plan survives contact with the enemy.".
We are not claiming the update to be a 100% secure thing, crash packets/exploits will be almost always found and used.
How do you identify a flood, though? So you block X number of concurrent connection attempts. They do a Distributed Denial of Service attack to go around any filtering by IP or SID by having the attack come from several computers all around the globe. So you implement some heuristic to determine spam (tons of people sending the same message is probably spam), so they write a better spam bot. You find a way to counter that and they abuse your method of establishing a connection to take down your server with the extra processor overhead associated with powerful spam-detection heuristics. It's a constant cat-and-mouse game, you can't just say "OK we've solved security.".
Like I said, netbattle normally does NOT only get DDoSed, it is almost always just a DoS (1 person). Netbattle gets [D]DoSed by programs made specifically for netbattle, aka netbattle-spambots. If you load any DDoS tool (Lets say LOIC just as an example), it will do slim to nothing. The spambots only "crash" by connecting in miliseconds, clogging up the sockets, leaving people unable to connect and delivering horrible lag. They also don't spam the same socket, they go in a numerical-order from least to greatest. Only 1 person made a bot that spams the same connection, but he made that with the netbattle source code, and covering something that spams the same socket is not hard.
Anyways for a bot to do anything it atleast has to "spam" at a rate of under 100ms, and it has to be made specifically for netbattle, because netbattle uses packets, and a normal [D]DoS tool will not be able to spam the packets, just a connection at like 1 connection every 1-2 seconds.
12:19:03 PM - Connect request received
12:19:03 PM - Request connected on slot 6
12:19:04 PM - Connect request received
12:19:05 PM - Request connected on slot 7
12:19:05 PM - Connect request received
12:19:05 PM - Request connected on slot 8
12:19:06 PM - Connect request received
12:19:06 PM - Request connected on slot 4
A different DoS tool is being used here, LOIC just flat out fails
Besides the fact you can manually block the IP address (is it 1 d or 2 d's?), it takes a while before the bot actually rapes your server, granted you have a decent computer/connection.
My idea of security isn't that it only works when people are doing what's expected. The point of a secure program is to take into account the fringe cases where people are stretching the program to its limits.
There are only very slim instances where the program is stretched to its limits, and these are being patched up (it is basically bots flooding connections and the battle's lasting 1024 turns, if you know any other thing like this please let me know
"0.9.7 release notes:We are not claiming the update to be a 100% secure thing, crash packets/exploits will be almost always found and used.
This is a lie, since the source code was made public, if anyone has the time to crack the encryption then the same problem will occur."0.9.7 release notes:
- Servers can't be crashed any more;"
I personally can never trust the security of any program I am unable to audit.