Page 3 of 7

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Wed Nov 03, 2010 9:32 am
by Haze
We've been over this with encryption before.

MAME is open source, anything you link it to must be open source. In order to play it back it must be possible to decrypt it, that code must be available. In order to record it, it must be possible to encrypt it.

Admittedly recording with a 'daily encryption key' would prevent casual cheating, but it wouldn't be hard for somebody determined enough to write a program which simply re-encrypts with the required key. It's not a bad idea, nor is simply requiring a specific input sequence (although the people playing would have to have daily internet access to check for the 'current' key) but it's not foolproof.

The main issue with encryption is you once again start to produce inps which are a pain to playback, and definitely won't work in the mainline builds, because you're just bloating up the system in ways that MAME doesn't need.

End of the day you're relying on the good sportsmanship and honesty of the players involved. If 'show your cards at the last minute' is their preference, and they're absolutely determined to do this, then there will always be ways. I think it's just the nature of the competition.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Wed Nov 03, 2010 11:55 am
by gameboy9
Well Haze, I fear that you're absolutely right. While Spectaculator is closed source (I think), which makes 99.9% honest competitions possible, it is a big issue that MAME has to be open source. It's understandable that it is open source, but it doesn't help if we want to run a 99.9% honest competition. Well, the only way we can get around that, then, is to completely write a new emulator from scratch. Obviously, that's quite unfeasible.

This being said, I should be a realist and ask myself this: how many times do you really think that recordings are being hacked? This answer... well, if it's not zero, it's probably very close to it.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Wed Nov 03, 2010 5:47 pm
by mahlemiut
FUSE is open-source, however, including libspectrum, which provides RZX functionality and the 'digital signing' done using libgcrypt.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Wed Nov 03, 2010 6:22 pm
by shoesama
If for some reason we end up using this, would the encryption keys be downloaded files or would they be codes that we input?

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Wed Nov 03, 2010 6:54 pm
by MJS
Haze is right, it is (and will always be) possible to cheat the 24h rule whatever we do.

That's why I wouldn't bother doing anything sophisticated to prevent cheating. Something very simple like entering special initials is enough, IMO.
It shouldn't bother honest players, and it should at least make it more difficult for someone trying to submit an old replay (now you only have to change the date of your computer, it's ridiculously easy).

It's not like there are thousands of cheaters among us (if anyone) but ONE cheater can ruin the tournament for everyone, and that sucks.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Wed Nov 03, 2010 7:31 pm
by Kale
Maybe you aren't getting the point that Barry is issuing.

RZX is an open-source encryption library, that is used to avoid this kind of cheating on Spectrum emulators. You can freely put this kind of encryption inside the emulator and live happily with it.

And ... I really don't believe that an idiot like Neill Corlett wants to crack the encryption on this, mainly because, well, it's effing complex and not worth the time spent plus you can always call the authors if whatever hole in their security would be found.

For more info -> http://www.worldofspectrum.org/RZXformat.html (check in particular part 3: security)

Finally, as my POV as an official MAMEdev, I state that a secure cheatproof inp system must be inside the official binary too ... but will see how Barry will implement this then we decide, since my encryption/decryption skills are basically near to –273°C :P

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Wed Nov 03, 2010 9:14 pm
by MJS
Kale wrote:Finally, as my POV as an official MAMEdev, I state that a secure cheatproof inp system must be inside the official binary too
That would be awesome :D of course this is better than my proposal (and we can always do both things if we want)

Btw, great work on MAME and MESS Kale!

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 12:12 am
by The_Pro
I forfeit, little time and game just pisses me off.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 10:51 am
by gameboy9
Kale wrote: And ... I really don't believe that an idiot like Neill Corlett wants to crack the encryption on this, mainly because, well, it's effing complex and not worth the time spent plus you can always call the authors if whatever hole in their security would be found.
While I'm not one of the fans of Neill Corlett, especially with what he did to AlphaMAME, I should think in a more neutral light: I actually think we should welcome such contributions... at least if he's helpful... which I guess is the $64USD question.

Anyway, the RZX thing should work very well. Hopefully we'll be able to give it a go. :)

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 11:20 am
by Haze
Kale wrote:Finally, as my POV as an official MAMEdev, I state that a secure cheatproof inp system must be inside the official binary too ... but will see how Barry will implement this then we decide, since my encryption/decryption skills are basically near to –273°C :P
It won't happen, it's not a goal of MAME. The code should be simple, and functional, not obfusicated and overloaded with encryption to hide how it works etc.

The goals of MAME and an 'anti cheating system' are completely opposite to each other.

There is _no such thing_ as a cheat-proof encryption scheme if your emulator is fully open source. You can make the code difficult for people to understand, and therefore harder to hack (there is commercial software that does exactly this, converthing entire source codes to random symbolic macros and such) , but that goes against the very nature of an open source project like MAME. The RSX thing provides no *real* security as long as the code is open. There is a paragraph that as much as admits that (relying on emu authors to implement a hard to hack signing system) That implies something which MAME would not want to do, because it implies obfusicating the code *on purpose*.

Any signing of the emulator can be faked, re-recording can be hacked in, and any unsecure inp and be re-recorded as a secure one with _very_ little effort if somebody was to want to do it. It you're talking about old pre-rawinput versions of MAME you could even run a 2nd copy of hacked MAME to feed the inputs into the main one without even altering the 'secure' binary *at all*

The MAME rules on including any closed source libs are very strict, exactly to prevent people doing things like this with closed libs, the idea of an open project is that things will always be open and always reusable and there is no platform / library lockdown where a depdencey on somebody else's (license incompatible, or closed) library is created.

At the end of the day your 'special initials' system is a lot more effective than any technological measure, although if somebody forgets after the joy of getting a high score, they're going to be mighty pissed off with even that.

I still applaud Neill Corlett for what he did with AlphaMAME, simply for proving that such solutions are unworkable, and the only thing you're creating is a very false sense of security, and hoops for everybody else who wants to use the system normally. This might not be a popular opinion here, but the only thing you can do is trust your users.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 11:39 am
by sikraiken
Some security is good, after some point it isn't anymore helpful than less encryption is, though. You cannot develop a cheat-less system, it will always be possible to use hardware or software macros which are completely external to the system and are undetectable. The only fool proof system would be one where everyone played live in front of each other.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 12:35 pm
by MJS
The problem with the special initials is that you are showing proof that the game was played that day at the end of the gameplay (can be faked).

If somehow we could show the proof at the beginning of the gameplay, and it would affect the gameplay (enemy behaviour, random stuff, etc) then we have solved the problem.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 1:06 pm
by gameboy9
Haze wrote: The MAME rules on including any closed source libs are very strict, exactly to prevent people doing things like this with closed libs, the idea of an open project is that things will always be open and always reusable and there is no platform / library lockdown where a depdencey on somebody else's (license incompatible, or closed) library is created.
... and, if you think about it, that's sad that they will give zero consideration to creating something secure for competition purposes. Perhaps understandable, to be fair, but sad.
Haze wrote: I still applaud Neill Corlett for what he did with AlphaMAME, simply for proving that such solutions are unworkable, and the only thing you're creating is a very false sense of security, and hoops for everybody else who wants to use the system normally. This might not be a popular opinion here, but the only thing you can do is trust your users.
I think, if my memory serves me correctly, that it wasn't Neill's actual hacking that rubbed us(or at least me) the wrong way, that part could have easily been appreciated, rather it was how he handled the incident on our forums and our IRC channel. Now, this being said, this was something that happened seven years ago, so it's probably best for us to move on. :)
sikraiken wrote:The only fool proof system would be one where everyone played live in front of each other.
That, unfortunately, is also true. Can't do much about that, can you? Except perhaps filming on a camera... which is also unfeasible. Guess the initials may be the way to go, but the issues of accidental error surely are too great. So I refer myself back to the "how often are our recordings hacked" question. I also ask myself how often we play for prizes here... and my serving memory tells me that that answer is not often at all, especially recently.

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 2:33 pm
by shoesama
There's prizes? Can I have a prize if I submit my inps early?

it could be called something like

DUMB SUBMISSION AWARD

Re: K8 - Round 2 - Puzzle Bobble 2 (pbobble2j)

Posted: Thu Nov 04, 2010 3:00 pm
by MJS
Hey shoesama solve this and you'll get your prize: :P

Image