3DXChat Community

Authenticated API == No Room Stealing


BlackVelvet


No chance... but I did it anyway... signed the room I did for someone else... it's easy... we have a contract that he is not allowed to remove it. If he would do it, what he will not, he has to face the consequences, like receiving an iggy ^^ but... since we are friends this will never happen. That's why I share things only with friends I trust, especially bigger things, like a whole room.

 

From what I understand, it doesn't matter if you only open to friends: if you don't quit the game from the editor after working on a file, it uploads the room file to the server. So changes will happen in the room next time you log in and go into room editing, so they would still be able to copy your room if I understood everything correctly. So not sharing a room publicly apparently does not prevent it from being stolen if this is true, unless you never test any changes and modifications you make to the room in a real-time room visit. That is again if I understood that part correctly.

Link to comment
Share on other sites

From what I understand, it doesn't matter if you only open to friends: if you don't quit the game from the editor after working on a file, it uploads the room file to the server. So changes will happen in the room next time you log in and go into room editing, so they would still be able to copy your room if I understood everything correctly. So not sharing a room publicly apparently does not prevent it from being stolen if this is true.

 

I don't know exactly but it can be stolen yes... but I think people with good reputation will think twice to do so and the rest isn't able to get people in their rooms even if they steal a great one. It did not happen with the old rooms and will not happen much with the new editor.

 

Beside this at least downloading rooms if you don't share them should be disabled and protected if this is currently not true. So nobody can open your room before you can do it. If you have a thief under your friends you should overthink the friendship status.

Link to comment
Share on other sites

Except if I am totally wrong, the copy of the White Palace Borthel without authorisation of the creators, then a very light change (color) and then opening to public is the first time it happens.

 

The reaction to this of the community is "high" and I think the person who did that will not anymore have idea to open again his "red palace blabla"

 

Technically speaking there will not be an evolution.

 

So let's turn the positive sides.

 

Without technical solution we have the capacity to act, reduces the negative effect of such a bad attitude and so give back to the owner the legitime proudness to have created something and be recognised for this.

 

This is not so bad no ?

 

So let's do the same again if it happens again and let's focus on fun enjoying the amazing creativity of the community.

 

You can blame a lot the technical aspect of the game (which I remind has a very very small player number base compared with SL or others) and of the world editor but on my side, I see 3dx time much more intense and fun that it was some month ago and so I pay my subscription with no hesitation.

Link to comment
Share on other sites

I think there is an answer to maybe minimise this problem and others that have been presented in these forums recently.

There has been some major changes in the game and some trends that the majority of people have shown not to like and feel there should be something done about.

Could it be time to review the game rules with all of this happening, maybe adding it is against the rules to copy a players world without their permission.

And with the changes actually have a popup window appear when we go into the game announcing the new rules.

And yes it would take the devs actually enforcing the rules, but I think better attention to that is well overdue anyway.

Link to comment
Share on other sites

You guys need to understand something...

 

Let's say that the client adds some imaginary super uncrackable quantum whatever encryption to the room files.

The question is: Do you want random people to visit your room? This is the reason why you spent all those 100s of hours on it right?

If your answer is yes, then at some point, any random person's game client will have to decrypt the room somehow so that it will be shown on the screen. (unless of course you want people to just look at a binary file and try to imagine how the room would look like if it was decrypted).

 

Well, since the game's client runs on our personal computer, we have physical access to it and no matter what the encryption will be, we will still have the decryptor running on our computer. Ironic? well no it's not.. It's how the system works. It might be harder for someone to exploit, but eventually it will happen.

 

Encryption would work just fine if you just wanted your room to be available to a select group of friends that have the key. But when you want it to be publicly available - then tough luck. Everyone will be able to decrypt it otherwise the word "public" loses its meaning.

 

Imagine how every open-source developer feels like when his work is being used in thousands of projects and gets nothing for it.

All that a developer of any kind wants when his work is "stolen" (a better word would be "re-used"), is to be mentioned.

So just be a good sport and if you steal a room, at least have the decency to mention clearly whose creation this is.

 

Just my thoughts on this issue.

 

Have fun and don't let things like that ruin your day

Link to comment
Share on other sites

Pfffff... I have to quote myself since what I proposed seems not to be clear to some of us.

 

 

Nope, when a random player enters your room, he download a not encrypted version of that room that can be used only to build and enter the world.
The world editor shouldn’t be able to load not encrypted worlds but only those previously encrypted using a hash and a salt composed by something unique and related only by the room owner. In this way even if I’ll try to load someone else encrypted world , the world editor will be unable to decrypt it because my fingerprint is not the one used to encrypt it.
Do you understand what I mean?

 

The world editor shouldn’t be able to load not encrypted worlds <--- This means that some changes have to be done to the World Editor too.

 

Guys is simple:

  • World Editor: Import and export only encrypted files.
  • Locations: No changes at all. They will be loaded in the same way they are actually doing.

And that's all. Understanding if a file is encrypted or not is not a hard thing to be done at all...

 

And, last but not least, It's funny how nobody cares that with the solution I've proposed (tokens exchange) Pandora would die. ^^"

You know what?

Life is strange :)

 

I've read tons of posts of people crying for Pandora and now nobody cares :)

Anyway .. I'm happy to read all your opinions peeps and if you have better ideas please share them with us.

 

Kisses and \m/

Link to comment
Share on other sites

Pfffff... I have to quote myself since what I proposed seems not to be clear to some of us.

 

 

 

The world editor shouldn’t be able to load not encrypted worlds <--- This means that some changes have to be done to the World Editor too.

 

Guys is simple:

  • World Editor: Import and export only encrypted files.
  • Locations: No changes at all. They will be loaded in the same way they are actually doing.

And that's all. Understanding if a file is encrypted or not is not a hard thing to be done at all...

 

And, last but not least, It's funny how nobody cares that with the solution I've proposed (tokens exchange) Pandora would die. ^^"

You know what?

Life is strange :)

 

I've read tons of posts of people crying for Pandora and now nobody cares :)

Anyway .. I'm happy to read all your opinions peeps and if you have better ideas please share them with us.

 

Kisses and \m/

 

Do you actually understand what you are saying?

 

1) I join a room and i get the decrypted world file.

2) I open my World Editor and I cannot import my decrypted file because it only accepts encrypted ones salted with something that is only relevant to my own user.

3) But wait.. 3dxchat.exe has all the information I need to encrypt the decrypted file with the proper "legal" way using all my information.

4) --reverse engineer people getting to work-- -- accessing encrypt function--

5) I upload an encrypted version of your room using 3dxchat's own encrypt functions.

 

So how does this help? Correct me if I'm wrong but I don't see how your solution would work. It needs far more steps to be added to this to actually get close to being "secure".

Link to comment
Share on other sites

So, again:

 

3) But wait.. 3dxchat.exe has all the information I need to encrypt the decrypted file with the proper "legal" way using all my information.

 

Fix a problem means that code refactoring is necessary :)

3DXChat.exe must not have the information needed to encrypt and decrypt. It should, instead, call a web service (which contains the logic necessary for data encryption and decryption not accessible by the client) to obtain the encrypted/decrypted file.

 

And that's all. Mine was a suggestion of how to solve a problem and logically speaking it doesn't sound to me like a crazy thing.

Moving sensible logic outside of the game client is something that should be done if you want to protect your software a bit.

 

I never wanted to dive deeper in technical aspects than just drawing a mindmap of how things could be done, otherwise next step would mean me to write the code that's needed ^^"

 

Now, do you actually understand what am I saying?

Link to comment
Share on other sites

So, again:

 

Fix a problem means that code refactoring is necessary :)

3DXChat.exe must not have the information needed to encrypt and decrypt. It should, instead, call a web service (which contains the logic necessary for data encryption and decryption not accessible by the client) to obtain the encrypted/decrypted file.

 

And that's all. Mine was a suggestion of how to solve a problem and logically speaking it doesn't sound to me like a crazy thing.

Moving sensible logic outside of the game client is something that should be done if you want to protect your software a bit.

 

I never wanted to dive deeper in technical aspects than just drawing a mindmap of how things could be done, otherwise next step would mean me to write the code that's needed ^^"

 

Now, do you actually understand what am I saying?

 

OK and what will stop me from using that web service to encrypt a decrypted file? Meaning to do manually what the world editor would do.

 

Do you expect them to keep diffs of every "commit" that you make to see if you are actually editing your own room or uploading a previously saved one?

 

Or you maybe expect them to create a massive big data comparison system to check the % of each room being similar with other rooms? Imagine the cpu power that this would take for the scale of users that this game has.

 

I assure you that every step that you will add in your solution, will have an answer on how to trick/exploit it.

 

Unless of course the game's client becomes somehow unreadable to us and cannot see what the actual code does. Only when this happens you can start talking about securing the rooms and everything else.

 

I'm sorry, but if you don't understand what I'm saying, don't ask me if I understand what you are saying lol

 

Do you understand what I'm saying?

 

https://www.youtube.com/watch?v=su-HUDo7XQ4

Link to comment
Share on other sites

OK and what will stop me from using that web service to encrypt a decrypted file? Meaning to do manually what the world editor would do.

 

:) Oh yes, if you read again from the beginning what I wrote, yes. You'll be able to do it manually for your own account.

Do you know other users email and passwords in order to obtain a secure token and exchange it with the REST server every time you have to interact with it?

 

I assure you that every step that you will add in your solution, will have an answer on how to trick/exploit it.

Do you have time for a good read? ^^

https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2

 

Hmmm these are the basics of security policies nowadays in the IT world, just to say.

 

I'm sorry, but if you don't understand what I'm saying, don't ask me if I understand what you are saying lol

 

Do you understand what I'm saying?

:) Now? Is it more clear?

 

Edit: Ah sry i was going to forget this :)

photo-5618.png?_r=1454406944

Link to comment
Share on other sites

:) Oh yes, if you read again from the beginning what I wrote, yes. You'll be able to do it manually for your own account.

Do you know other users email and passwords in order to obtain a secure token and exchange it with the REST server every time you have to interact with it?

 

Do you have time for a good read? ^^

https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2

 

Hmmm these are the basics of security policies nowadays in the IT world, just to say.

 

:) Now? Is it more clear?

 

I'm going to work now and won't reply anymore :P You already have mentioned decrypted version when I join a room and that there will be a web service (authenticating to it with my own credentials only - since those are the ones I have).

I get the decrypted file, upload it to the web server, sign it with my credentials and get it encrypted and I have a room online.

I don't see where OAuth2 would stop me from doing that. The problem is far deeper than you might think and won't be solved unless the code of the game becomes unreadable to us.

 

Oh.. and to clear things out for you, I would only need credentials of other users, to upload a stolen room to someone else's account lol The whole topic here is for stealing a room and using it as your own. You only need your own credentials and no one else's.

 

You know what I'm saying? :P

Link to comment
Share on other sites

:) I'm eating now, so I've time to reply again ^^

 

I get the decrypted file, upload it to the web server, sign it with my credentials and get it encrypted and I have a room online.

 

And no :)

Just because as I was saying before multiple times:

The "world editor" shouldn’t be able to load not encrypted worlds but only those previously encrypted using a hash and a salt composed by something unique and related only by the room owner. In this way even if I’ll try to load someone else encrypted world , the world editor will be unable to decrypt it because my fingerprint is not the one used to encrypt it. 

 

Have a nice day :) it was a lot of fun anyway

Link to comment
Share on other sites

@BlackVelvet I think I have understood your attempt ... but...

 

as long as the 3dx Client can be hacked there will be always a way to steal a room, whatever you are doing. Your solution, if I understand it correctly, could work if this would be prohibited by the devs. We all know there is no 100% protection but... at the moment there is none :)

 

Before this is not changed we can stop all discussions. No web service or de / encryption can protect you. 

Link to comment
Share on other sites

:) I'm eating now, so I've time to reply again ^^

 

 

And no :)

Just because as I was saying before multiple times:

 

Have a nice day :) it was a lot of fun anyway

 

 

OK I couldn't resist, I had to reply before leaving for work.

 

Why do you keep ignoring the most important flaw in your scheme? I urge you to go look at your own picture of your scheme and see the get user room function you have described. What does it say? It says that it returns a decrypted version of the user's room.

 

So why you keep telling me that I can't upload an encrypted room with someone else's signature? Why do I care since I will never get an encrypted room anyways. I only get decrypted ones every time I join someone's room. So what makes this function of yours so special to protect from theft? Because you require a token? So what? The server will just know that I just joined a room like everyone else.

 

How will you stop the fact that I could take that decrypted file, load it into the client (making it think that I'm currently designing this room and not uploaded it yet), then upload it to the theoretical web service, get it encrypted, and publish it using my own tokens and credentials to make it my own.

EDIT: sorry, I add this here because I know what your reply would be lol: the load into the client won't happen from the actual vanilla client's interface. I'm talking about a theoretical plausible in-memory hack.

 

The whole thing you are describing, sounds like I have to encrypt my room so it gets uploaded, but I already know someone who encrypts it for me giving him just my own timed token. It's that web service.. 

 

If you're about to reply again to this, at least make it more interesting, accept the flaw and give solutions on how to not be able to encrypt rooms without breaking the functionality to load previously saved rooms.

 

What you need to solve this, is as AlexRyder has previously stated, that you need to maintain 2 completely different versions of room formats (incompatible with each other) and 2 completely different versions of scene loaders so that a different file is loaded in the world editor, and a different file reaches the clients. BUT even if this happens, it would be fairly easy to create a "translator" between the two formats after a while...

 

I repeat: unless the game's code becomes unreadable to us - there will be no true protection of rooms (and other things).

 

You know what I'm saying now? :P

Link to comment
Share on other sites

Fuck it go after the copy thieves, if people choose to copy aka steal a room, whatever shit storm happens after, they earned. When I build I relax, I post it for people to have parties on it and if people like it unless it is made for a person I have no issues in sharing or giving away parts of the room.

But understand, people that like to build may choose not to build if devs do nothing about it. Bad enough we lost Achiles' music due to something similar, (mix being copied), but hell, maybe SL bound anyways.

Link to comment
Share on other sites

Loool xD

 

ok ok you made my day with this reply xD

Thx hun, it's a better world now :)

 

Hugs and kisses :* :)

 

What was so funny with my reply?

 

3_DXChat_-_Authenticated_API.png

 

How long do you think an experienced 3dx modder will need to disable your "just load encrypted" worlds functions in the NEW world editor? I would say until the new DLL is ready less than an hour :)

And if you think I do not know what I'm talking about, you are wrong. I am no modder so I may need a bit more time to inject new code into the right DLL. Tell me your master plan to stop me from doing this!

Link to comment
Share on other sites

To be clear, 3DX doesn't seem or want to deal with the DMCA claims for Copyright, Trademark and such.  Any and I mean any game you work with someone can steal what you have created.  With games like IMVU, SL and such you can file a DMCA and then you have to prove you are the initial creator of said thing with the files and such, here you don't have that luxury.  As much as it pains people to hear it, it's clear that it's not going to change here and that we have to accept it and move on playing the game or go somewhere else but in the end this happens all over.  It's happened to me and countless others.  While it stings and a bitter pill to swallow from it happening, you can only move forward and not let it get to you.  While there are countless measures that can be put into place to help doesn't mean it's going to prevent it.

Link to comment
Share on other sites

Guys, you should understand that for an experienced modder it's not difficult to copy your world data when the game loads it from the server.

Someone speaks about 2 completely different formats? Modders will quickly create a format converter. They will download the data in one format, then convert it to a readable format.

 

Many of you are afraid that the world data will be copied. But it is impossible to copy charisma and talent to host parties, entertain people, it is impossible to steal your taste for music and the manner of communication.

Link to comment
Share on other sites

Someone speaks about 2 completely different formats? Modders will quickly create a format converter. They will download the data in one format, then convert it to a readable format.

 

That was me ^^  but I meant a raw format without objects just raw vertex + texture information... impossible to get something back you could edit in the editor again. It's like you export a Photoshop file to JPG.... everyone can see the JPG and sure could manipulate it (as any file), but only if you have the original PS file you can easily change the text for example, or move things around.

 

Anyway.... I agree with your last sentence... but the message you gave us with:

 

 

By saving your world on the game server, you must understand that it becomes public and available to all players. This means that your world can be downloaded, and also copied as any public information in the Internet.

If you do not agree that your world can be accessible to other players, then do not create your worlds in the World Editor.

 

Wasn't that nice (or ambiguous)... I mean there is a difference if you say that you can't prevent it in contrast to "it becomes public and available to all players".

Because most of us interpret this as we, the content creators, have no copyright on our works. 

 

Your message is like an invitation to theft. Is it too much to ask if 3dx speaks out against this?

Maybe with a community rule? 

Link to comment
Share on other sites

Why not start with an official statement, saying it is forbidden to hack/steal rooms. As a first step? It is a reason to get banned.

 

I also agree, that would be a very good start.

People might still be able to do it, but there will be the fear of getting banned.

Link to comment
Share on other sites

People might still be able to do it, but there will be the fear of getting banned.

It may seem to be the most obvious first glance solution, but then we should think of a reverse situation — when someone holding a grudge on someone else is trying to abuse the system by claiming a fake theft. To be able to verify the theft, the server would need to keep a full history of each single world server upload with a respective timestamp so that a diff comparison could be performed later "in court". It would bloat the server data storage requirements enormously, and still is not error prone due to the fact that a user can work with offline files and the theft may happen even without the server involvement (well, in such case the claim can probably just be discarded, but it still does not solve the data amount issue).

Link to comment
Share on other sites
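
Added example, not part of any post in this thread and not 3DXChat code: a toy Python model of two points the posts above argue over. A token tells the server who is uploading, not who built the content, while a first-seen registry of per-object hashes (instead of a full upload history) still gives a moderator a timestamped lead when a recoloured copy is published. The room format, field names, account names and the 0.8 threshold are assumptions.

```python
import hashlib
import json
import secrets

def object_fingerprints(room, ignore=("color",)):
    """One SHA-256 digest per object, skipping cosmetic fields such as colour."""
    digests = set()
    for obj in room["objects"]:
        core = {k: v for k, v in obj.items() if k not in ignore}
        blob = json.dumps(core, sort_keys=True, separators=(",", ":"))
        digests.add(hashlib.sha256(blob.encode()).hexdigest())
    return digests

class RoomService:
    """Toy server: token-authenticated uploads plus a first-seen registry."""

    def __init__(self, threshold=0.8):
        self.tokens = {}      # token -> account name
        self.registry = []    # (uploaded_at, account, room name, digests)
        self.threshold = threshold

    def login(self, account):
        token = secrets.token_hex(16)
        self.tokens[token] = account
        return token

    def publish(self, token, name, room, uploaded_at):
        # Authentication only answers "who is uploading", never "who built this".
        account = self.tokens.get(token)
        if account is None:
            raise PermissionError("unknown token")
        digests = object_fingerprints(room)
        earlier = self._earliest_similar(account, digests)
        # Only digests are stored, not the room itself or its edit history.
        self.registry.append((uploaded_at, account, name, digests))
        return {"owner": account, "similar_to": earlier}

    def _earliest_similar(self, account, digests):
        """Oldest upload by another account whose objects mostly overlap."""
        for uploaded_at, owner, name, known in sorted(self.registry, key=lambda r: r[0]):
            if owner == account:
                continue
            union = digests | known
            score = len(digests & known) / len(union) if union else 0.0
            if score >= self.threshold:
                # Evidence for a human moderator, not proof of copying.
                return {"owner": owner, "name": name,
                        "uploaded_at": uploaded_at, "score": score}
        return None

# Constructed sample rooms (not real game data).
ORIGINAL = {"objects": [{"type": "wall", "pos": [x, 0, 0], "size": [4, 3, 1],
                         "color": "white"} for x in range(0, 20, 4)]}
RECOLOURED = {"objects": [dict(o, color="red") for o in ORIGINAL["objects"]]}
UNRELATED = {"objects": [{"type": "sofa", "pos": [1, 0, 2], "size": [2, 1, 1],
                          "color": "blue"}]}

def demo():
    svc = RoomService()
    alice, bob, carol = svc.login("alice"), svc.login("bob"), svc.login("carol")
    first = svc.publish(alice, "hall-original", ORIGINAL, uploaded_at=100)
    copy = svc.publish(bob, "hall-recoloured", RECOLOURED, uploaded_at=200)
    other = svc.publish(carol, "lounge", UNRELATED, uploaded_at=300)
    return first, copy, other

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The recoloured upload is accepted under the second account's valid token and is only flagged afterwards. The registry sees server uploads only and matches only objects whose non-colour fields are unchanged.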

Does anyone know why on a game such as habbohotel.com that rooms aren't copied there? It is also a "browser" game if I remember correctly but people cannot steal rooms from others.

 

Also, why would anyone want to build after knowing that anyone joining can just take it from them and claim credit? Is there no way to put a personal signature like one would on a painting? And anyone trying to use it after stealing will not be able to get rid of this digital signature? 

Link to comment
Share on other sites

Does anyone know why on a game such as habbohotel.com that rooms aren't copied there? It is also a "browser" game if I remember correctly but people cannot steal rooms from others.

 

 

 

Are you sure?

 

http://www.dailymail.co.uk/news/article-1283410/Police-carry-real-life-raid-searching-virtual-furniture-stolen-online-hotel.html

https://help.habbo.com/hc/en-us/articles/221643288-Some-of-my-furni-is-missing-got-stolen-What-can-I-do-

 

smile

 

There is nothing that can't be hacked, nothing that can't be stolen. 

Link to comment
Share on other sites
