TMW hacking problems

Jaxad0127
TMW Adviser
Posts: 4209
Joined: 01 Nov 2007, 18:35
Location: Internet

Re: TMW hacking problems

Post by Jaxad0127 » 18 Oct 2009, 16:03

Kill3rZ wrote:My solution was much simpler: 1 npc waiting at the birth place asking every newborn to insert the code and kicking the newborn if he fails to do so in 1 minute. And it still seems to require client update (lack of compatibility with older clients).
If you want an image, it does.
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 18 Oct 2009, 16:29

I wasn't thinking about a JPG. I understand that could require extra coding and could create compatibility issues. I was thinking about ASCII art images (http://en.wikipedia.org/wiki/ASCII_art). The bot-check code could be written in ASCII art (distorted but readable for a human user).

I'm pretty sure the client can handle that (it's just text) unless it's the same problem as the storage NPCs (versions 28 and earlier can't see or use those).
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 18 Oct 2009, 16:35

Kill3rZ wrote:My solution was much simpler: 1 npc waiting at the birth place asking every newborn to insert the code and kicking the newborn if he fails to do so in 1 minute. And it still seems to require client update (lack of compatibility with older clients).
It can be done with just a new map and a new NPC, which don't require a client update, to my best knowledge. It doesn't necessarily have to be as I described it either. Another idea I just had could be a house replacing the current birthplace that you can't enter once you leave. Anyone inside of it for more than five minutes would be autokicked.

I suppose my idea goes off of the assumption that it is easier to kick everyone in one map specially made for this situation than it is to selectively kick people from a map that people often traverse when they are playing the game.

As for ascii art, I think the default NPC window is too small. Plus it can be resized, which would break the ascii art due to linewrapping. Also, I don't think the spacing on the default font is the same for every character.

I also think regular players would be inclined to ignore a popup message from an NPC and then get kicked themselves, even though they have every right to be there.
Last edited by GARRETTtheGREAT on 18 Oct 2009, 16:51, edited 1 time in total.
Jaxad0127
TMW Adviser
Posts: 4209
Joined: 01 Nov 2007, 18:35
Location: Internet

Re: TMW hacking problems

Post by Jaxad0127 » 18 Oct 2009, 16:40

GARRETTtheGREAT wrote:I think the default NPC window is too small. Plus it can be resized, which would break the ascii art due to linewrapping. Also, I don't think the spacing on the default font is the same for every character.
Linewrapping isn't an issue if you use newlines.
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 18 Oct 2009, 16:42

jaxad0127 wrote:
GARRETTtheGREAT wrote:I think the default NPC window is too small. Plus it can be resized, which would break the ascii art due to linewrapping. Also, I don't think the spacing on the default font is the same for every character.
Linewrapping isn't an issue if you use newlines.
I was thinking more of the situation where the window is made smaller, but as you said, bigger is not a problem.
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 18 Oct 2009, 16:54

The bot check should be made ONCE and that is when a new character is born. It's very unlikely for a newcomer to ignore a popup that appears the second he gets connected for the first time ever.

Basically, our attacker has a client which creates characters and makes them just stay there and lag the server or attack players with whispers. If they appear every 8 seconds or so, as Delasia said, and each gets kicked after 1 minute we'll have a total of 7-8 lagging bots at a time which is a joke compared to the 400 we used to have lately.

Making a NPC give you instructions when you are born is also a joke. What will it say? Go up 2 steps, sit, go left and say "hello"? It's really easy to "train" a bot to follow this kind of instructions.

Really, if ASCII art is possible in this state of the server, it might be our best bet right now. We don't even need a new NPC. Right after asking for a language the Constable (who will contact the player immediately after spawn, not after the first step) can perform the bot check. Not answering the language question in a minute should also result in a kick.
Jaxad0127
TMW Adviser
Posts: 4209
Joined: 01 Nov 2007, 18:35
Location: Internet

Re: TMW hacking problems

Post by Jaxad0127 » 18 Oct 2009, 16:54

Making a minimum size isn't a problem.
Leela
Novice
Posts: 488
Joined: 23 Aug 2009, 14:12
Location: New New York in the year 3000

Re: TMW hacking problems

Post by Leela » 18 Oct 2009, 17:07

I see only one problem with this; maybe it's not even a problem, but here it goes:
So you have some of those ASCII thingies where you type in the shown letters, just usually that's only a few random "words" appearing. So you can also train the bot (after you've checked how many there are and which exactly) to just try each of the "words" until it hits the right one. Also, some people have real problems reading that thing. So this with a time limit is problematic... also for those who don't write on the keyboard often; they have to search the keyboard for the right letters and numbers...
As long as it's not about my eye...
CAUTION! Do not look into laser with remaining eye.
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 18 Oct 2009, 17:09

Kill3rZ wrote:The bot check should be made ONCE and that is when a new character is born. It's very unlikely for a newcomer to ignore a popup that appears the second he gets connected for the first time ever.

Basically, our attacker has a client which creates characters and makes them just stay there and lag the server or attack players with whispers. If they appear every 8 seconds or so, as Delasia said, and each gets kicked after 1 minute we'll have a total of 7-8 lagging bots at a time which is a joke compared to the 400 we used to have lately.

Making a NPC give you instructions when you are born is also a joke. What will it say? Go up 2 steps, sit, go left and say "hello"? It's really easy to "train" a bot to follow this kind of instructions.

Really, if ASCII art is possible in this state of the server, it might be our best bet right now. We don't even need a new NPC. Right after asking for a language the Constable (who will contact the player immediately after spawn, not after the first step) can perform the bot check. Not answering the language question in a minute should also result in a kick.
I don't know why you're getting all bent out of shape about it, we're trying to solve the same problem. I'm not just going to pat you on the back and say you created the best solution ever and there's no possibility there's any flaw in it. I thought the point of having a discussion is to combine resources, not diminish those around you. If I can point out a weakness in your plan, then maybe you can find a way to fix it.

I also don't know how my idea is any less natural than a NPC asking you to look at his ascii art. Another problem is you'd have to create a database of hundreds of ascii art "images" to make this a robust solution. The attacker just needs to save the ascii string along with an answer in his own database and when the message pops up, the attacker's program reads the string, matches an answer, and then passes the bot check. With an image, changing even 1 pixel would make it unmatchable. I know of many programs to make image CAPTCHAs and none to make ascii CAPTCHAs so I think it will be tremendously difficult to do this.
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 18 Oct 2009, 17:17

It doesn't have to be a long code. 4-6 characters to type in a minute should not be a problem even for slow typers. As far as I know, there is software which can turn any picture into ASCII art. We can have a reasonably long list of bot check ASCII codes and make the Constable kick the player after 3 missed attempts to insert the code. It's not foolproof, but it will seriously slow down the attacker.
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 18 Oct 2009, 17:37

Ok, sorry. The problems about the solution with a new map + npc are the following:
- A bot can follow instructions received from the npc.
- make a "birth house" which kicks every player who doesn't exit it and within 3 hours after you insert it in the game, the bots will know how to exit it one by one
- unless you make something subjective enough (like reading a distorted text) a bot can be programmed to do it, whatever "it" is: walking, repeating a phrase, answering a question... anything
- it's easier to modify an already existing NPC than it is to create a new map + npc. The new birth map could have an aesthetic value, but it has little to do with server security.
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 18 Oct 2009, 17:50

http://thephppro.com/products/captcha/

This looks to me like what you want to do.

I think I have another problem to solve, however. Currently, is it possible to type a message to an NPC? I thought you could only be presented a list of options to select. In which case, the bot would have a fixed chance of being correct, even at a random guess. How long could the list become before it's too cumbersome? A list of 10 is pretty long, but that gives the attacker a 10% chance of being right. At the rate of the last attack, that would mean approximately 30-50 chars an hour would be added still.

Thanks for your input :)

I think the problem we're having is we both assume the bot knows how to defeat these measures. We've never seen the bot move, nor interact with the NPC. We can't say that either solution is perfect, but right now either would break the bot. I think we can agree though, that an image CAPTCHA on signup or on creation would be the best possible solution that could be implemented when we are ready to stop supporting old versions of the client.
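
The trade-offs argued in the posts above can be put into numbers. The following is an added example, not code from any poster or from the TMW project: the 8-second spawn interval, 1-minute kick, 10-option menu, 4-character code and 3 attempts come from the thread, while the 36-symbol alphabet and the 200-challenge pool with 150 recorded entries are assumptions.

```python
# Added example: rough capacity model for the bot checks proposed in this thread.
# Assumptions (not from the thread): 36-symbol code alphabet, a fixed pool of
# 200 challenges of which 150 have already been recorded with their answers.

def concurrent_unverified(spawn_interval_s, kick_after_s):
    """Steady-state characters waiting at the check (arrival rate * time held)."""
    return kick_after_s / spawn_interval_s

def guess_pass_probability(answer_space, attempts=1):
    """Chance that blind guessing without repeats hits the answer."""
    if answer_space < 1 or attempts < 0:
        raise ValueError("answer_space must be >= 1 and attempts >= 0")
    return min(1.0, attempts / answer_space)

def replay_pass_probability(pool_size, recorded, answer_space, attempts=1):
    """Fixed challenge pool: a recorded challenge always passes, others are guessed."""
    known = min(recorded, pool_size) / pool_size
    return known + (1.0 - known) * guess_pass_probability(answer_space, attempts)

def admitted_per_hour(spawn_interval_s, p_pass):
    """Characters per hour that get past the check at a given pass probability."""
    return 3600.0 / spawn_interval_s * p_pass

def compare(spawn_interval_s=8):
    typed = 36 ** 4  # 4-character code, assumed alphabet of 36 symbols
    designs = {
        "menu of 10, 1 try": guess_pass_probability(10),
        "typed 4-char code, 3 tries": guess_pass_probability(typed, 3),
        "typed code, fixed pool, 150/200 recorded":
            replay_pass_probability(200, 150, typed, 3),
    }
    return {name: admitted_per_hour(spawn_interval_s, p)
            for name, p in designs.items()}

if __name__ == "__main__":
    print("waiting at the check:", concurrent_unverified(8, 60))
    for name, rate in compare().items():
        print(f"{name}: {rate:.4f} characters/hour admitted")
```

The kick timeout only bounds how many unverified characters are online at once; how many get through depends on the answer space and on whether challenges are ever reused.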
Leela
Novice
Posts: 488
Joined: 23 Aug 2009, 14:12
Location: New New York in the year 3000

Re: TMW hacking problems

Post by Leela » 18 Oct 2009, 17:58

GARRETTtheGREAT wrote: We've never seen the bot move, nor interact with the NPC.
Yes because it didn't have to.
But it can't be so difficult to make the bot move or do whatever needed.

I think nothing is 100% foolproof.
Kill3rZ
Novice
Posts: 200
Joined: 17 Jun 2009, 12:45

Re: TMW hacking problems

Post by Kill3rZ » 18 Oct 2009, 18:03

Oh, my client can do lots of weird move combinations if I only press a button. It's easy to code and you can bet that our attacker knows how to do that.

We currently have an NPC who asks for your name and makes you guess her favorite number (both have to be typed in) - Andra (north-west from Hurnscald), so yes, typing in a code to an NPC is already possible.
GARRETTtheGREAT
Peon
Posts: 70
Joined: 06 Oct 2009, 00:27

Re: TMW hacking problems

Post by GARRETTtheGREAT » 18 Oct 2009, 18:19

So I suppose the remaining problem is displayability.

1) Will the current font look ok with the "image?"
2) Will a reasonably sized "image" fit in the current default window size?