If you want an image, it does.Kill3rZ wrote:My solution was much simpler: 1 npc waiting at the birth place asking every newborn to insert the code and kicking the newborn if he fails to do so in 1 minute. And it still seems to require client update (lack of compatibility with older clients).
TMW hacking problems
Forum rules
This forum is for feature requests, content changes additions, anything not a Bug in the software.
Please report all bugs on the Support Forums
Re: TMW hacking problems
Re: TMW hacking problems
I wasn't thinking about a JPG. I understand that could require extra-coding and could create compatibility issues. I was thinking about ASCII art images (http://en.wikipedia.org/wiki/ASCII_art). The bot-check code could be written in ASCII art (distorted but readable for a human user).
I'm pretty sure the client can handle that (it's just text) unless it's the same problem as the storage NPCs (versions 28 and earlier can't see or use those)
I'm pretty sure the client can handle that (it's just text) unless it's the same problem as the storage NPCs (versions 28 and earlier can't see or use those)
-
- Novice
- Posts: 70
- Joined: 05 Oct 2009, 23:27
Re: TMW hacking problems
It can be done with just a new map and a new NPC, which don't require a client update, to my best knowledge. It doesn't necessarily have to be as I described it either. Another idea I just had could be a house replacing the current birthplace that you can't enter once you leave. Anyone inside of it for more than five minutes would be autokicked.Kill3rZ wrote:My solution was much simpler: 1 npc waiting at the birth place asking every newborn to insert the code and kicking the newborn if he fails to do so in 1 minute. And it still seems to require client update (lack of compatibility with older clients).
I suppose my idea goes off of the assumption that it is easier to kick everyone in one map specially made for this situation than it is to selectively kick people from a map that people often traverse when they are playing the game.
As for ascii art, I think the default NPC window is too small. Plus it can be resized, which would break the ascii art due to linewrapping. Also, I don't think the spacing on the default font is the same for every character.
I also think regular players would be inclined to ignore a popup message from an NPC and then get kicked themselves, even though they have every right to be there.
Last edited by GARRETTtheGREAT on 18 Oct 2009, 15:51, edited 1 time in total.
Re: TMW hacking problems
Linewrapping isn't an issue if you use newlines.GARRETTtheGREAT wrote:I think the default NPC window is too small. Plus it can be resized, which would break the ascii art due to linewrapping. Also, I don't think the spacing on the default font is the same for every character.
-
- Novice
- Posts: 70
- Joined: 05 Oct 2009, 23:27
Re: TMW hacking problems
I was thinking more of the situation where the window is made smaller, but as you said, bigger is not a problem.jaxad0127 wrote:Linewrapping isn't an issue if you use newlines.GARRETTtheGREAT wrote:I think the default NPC window is too small. Plus it can be resized, which would break the ascii art due to linewrapping. Also, I don't think the spacing on the default font is the same for every character.
Re: TMW hacking problems
The bot check should be made ONCE and that is when a new character is born. It's very unlikely for a newcomer to ignore a popup that appears the second he gets connected for the first time ever.
Basically, our attacker has a client which creates characters and makes them just stay there and lag the server or attack players with whispers. If they appear every 8 seconds or so, as Delasia said, and each gets kicked after 1 minute we'll have a total of 7-8 lagging bots at a time which is a joke compared to the 400 we used to have lately.
Making a NPC give you instructions when you are born is also a joke. What will it say? Go up 2 steps, sit, go left and say "hello"? It's really easy to "train" a bot to follow this kind of instructions.
Really, if ASCII art is possible in this state of the server, it might be our best bet right now. We don't even need a new NPC. Right after asking for a language the Constable (who will contact the player immediately after spawn, not after the first step) can perform the bot check. Not answering the language question in a minute should also result in a kick.
Basically, our attacker has a client which creates characters and makes them just stay there and lag the server or attack players with whispers. If they appear every 8 seconds or so, as Delasia said, and each gets kicked after 1 minute we'll have a total of 7-8 lagging bots at a time which is a joke compared to the 400 we used to have lately.
Making a NPC give you instructions when you are born is also a joke. What will it say? Go up 2 steps, sit, go left and say "hello"? It's really easy to "train" a bot to follow this kind of instructions.
Really, if ASCII art is possible in this state of the server, it might be our best bet right now. We don't even need a new NPC. Right after asking for a language the Constable (who will contact the player immediately after spawn, not after the first step) can perform the bot check. Not answering the language question in a minute should also result in a kick.
Re: TMW hacking problems
I see only one problem in this, maybe it's not even a problem but here it goes
so you have some of those ascii thingies where you type in the shown letters just usually that's only a few random "words" appearing. So you can also train the bot (after you checked how many they are and which exactly) to just try every of the "words" until it hits the right one. Also some people have real problems reading that thing. So this with time limit is problematic... also for those who don't write on the keyboard often, they have to search the keyboard for the right letters and numbers...
so you have some of those ascii thingies where you type in the shown letters just usually that's only a few random "words" appearing. So you can also train the bot (after you checked how many they are and which exactly) to just try every of the "words" until it hits the right one. Also some people have real problems reading that thing. So this with time limit is problematic... also for those who don't write on the keyboard often, they have to search the keyboard for the right letters and numbers...
As long as it's not about my eye...
CAUTION! Do not look into laser with remaining eye.
CAUTION! Do not look into laser with remaining eye.
-
- Novice
- Posts: 70
- Joined: 05 Oct 2009, 23:27
Re: TMW hacking problems
I don't know why you're getting all bent out of shape about it, we're trying to solve the same problem. I'm not just going to pat you on the back and say you created the best solution ever and there's no possibility there's any flaw in it. I thought the point of having a discussion is to combine resources, not diminish those around you. If I can point out a weakness in your plan, then maybe you can find a way to fix it.Kill3rZ wrote:The bot check should be made ONCE and that is when a new character is born. It's very unlikely for a newcomer to ignore a popup that appears the second he gets connected for the first time ever.
Basically, our attacker has a client which creates characters and makes them just stay there and lag the server or attack players with whispers. If they appear every 8 seconds or so, as Delasia said, and each gets kicked after 1 minute we'll have a total of 7-8 lagging bots at a time which is a joke compared to the 400 we used to have lately.
Making a NPC give you instructions when you are born is also a joke. What will it say? Go up 2 steps, sit, go left and say "hello"? It's really easy to "train" a bot to follow this kind of instructions.
Really, if ASCII art is possible in this state of the server, it might be our best bet right now. We don't even need a new NPC. Right after asking for a language the Constable (who will contact the player immediately after spawn, not after the first step) can perform the bot check. Not answering the language question in a minute should also result in a kick.
I also don't know how my idea is any less natural than a NPC asking you to look at his ascii art. Another problem is you'd have to create a database of hundreds of ascii art "images" to make this a robust solution. The attacker just needs to save the ascii string along with an answer in his own database and when the message pops up, the attacker's program reads the string, matches an answer, and then passes the bot check. With an image, changing even 1 pixel would make it unmatchable. I know of many programs to make image CAPTCHAs and none to make ascii CAPTCHAs so I think it will be tremendously difficult to do this.
Re: TMW hacking problems
It doesn't have to be a long code. 4-6 characters to type in a minute should not be a problem even for slow typers. As far as I know, there are softwares which can turn any picture into ascii art. We can have a reasonably long list of bot check ascii codes and make the Constable kick the player after 3 missed attempts to insert the code. It's not fool proof, but it will seriously slow down the attacker.
Re: TMW hacking problems
Ok, sorry. The problems about the solution with a new map + npc are the following:
- A bot can follow instructions received from the npc.
- make a "birth house" which kicks every player who doesn't exit it and within 3 hours after you insert it in the game, the bots will know how to exit it one by one
- unless you make something subjective enough (like reading a distorted text) a bot can be programmed to do it, whatever "it" is: walking, repeating a phrase, answering a question... anything
- it's easier to modify an already existing NPC than it is to create a new map + npc. The new birth map could have an aesthetic value, but it has little to do with server security.
- A bot can follow instructions received from the npc.
- make a "birth house" which kicks every player who doesn't exit it and within 3 hours after you insert it in the game, the bots will know how to exit it one by one
- unless you make something subjective enough (like reading a distorted text) a bot can be programmed to do it, whatever "it" is: walking, repeating a phrase, answering a question... anything
- it's easier to modify an already existing NPC than it is to create a new map + npc. The new birth map could have an aesthetic value, but it has little to do with server security.
-
- Novice
- Posts: 70
- Joined: 05 Oct 2009, 23:27
Re: TMW hacking problems
http://thephppro.com/products/captcha/
This looks like to me what you want to do.
I think I have another problem to solve, however. Currently, is it possible to type a message to an NPC? I thought you could only be presented a list of options to select. In which case, the bot would have a fixed chance of being correct, even at a random guess. How long could the list become before it's too cumbersome? A list of 10 is pretty long, but that gives the attacker a 10% chance of being right. At the rate of the last attack, that would mean approximately 30-50 chars an hour would be added still.
Thanks for your input
I think the problem we're having is we both assume the bot knows how to defeat these measures. We've never seen the bot move, nor interact with the NPC. We can't say that either solution is perfect, but right now either would break the bot. I think we can agree though, that an image CAPTCHA on signup or on creation would be the best possible solution that could be implemented when we are ready to stop supporting old versions of the client.
This looks like to me what you want to do.
I think I have another problem to solve, however. Currently, is it possible to type a message to an NPC? I thought you could only be presented a list of options to select. In which case, the bot would have a fixed chance of being correct, even at a random guess. How long could the list become before it's too cumbersome? A list of 10 is pretty long, but that gives the attacker a 10% chance of being right. At the rate of the last attack, that would mean approximately 30-50 chars an hour would be added still.
Thanks for your input
I think the problem we're having is we both assume the bot knows how to defeat these measures. We've never seen the bot move, nor interact with the NPC. We can't say that either solution is perfect, but right now either would break the bot. I think we can agree though, that an image CAPTCHA on signup or on creation would be the best possible solution that could be implemented when we are ready to stop supporting old versions of the client.
Re: TMW hacking problems
Yes because it didn't have to.GARRETTtheGREAT wrote: We've never seen the bot move, nor interact with the NPC.
But it can't be so difficult to make the bot move or do whatever needed.
I think nothing is 100% foolproof.
As long as it's not about my eye...
CAUTION! Do not look into laser with remaining eye.
CAUTION! Do not look into laser with remaining eye.
Re: TMW hacking problems
Oh, my client can do lots of weird move combinations if I only press a button. It's easy to code and you can bet that our attacker knows how to do that.
We currently have a NPC who asks for your name and makes you guess her favorite number (both have to be typed in) - Andra (north-west from Hurnscald) so yes, typing in a code to a NPC is already possible
We currently have a NPC who asks for your name and makes you guess her favorite number (both have to be typed in) - Andra (north-west from Hurnscald) so yes, typing in a code to a NPC is already possible
-
- Novice
- Posts: 70
- Joined: 05 Oct 2009, 23:27
Re: TMW hacking problems
so I suppose the remaining problem is displayability.
1) Will the current font look ok with the "image?"
2) Will a reasonably sized "image" fit in the current default window size?
1) Will the current font look ok with the "image?"
2) Will a reasonably sized "image" fit in the current default window size?