So how 'bout those Mets?

[Gandalf Parker]

Quote:

You don't let a client program directly modify the server's concept of state, such as how much resources a side has available. The client will modify its local perception of state (e.g. adjusting gem quantities during alchemy) but the modifications need to be noted and checked for legality.

What was apparently done was that the turn file was edited to have extra gems. Those gems had to be converted to something else or used in forge commands or turned into gold and used to make troops in that same turn before turning in a 2h. The game does have checks for such things but the variations make for alot of "thinking" needed by the game. The game sent him a turn with XX gems in each Category, and received back a 2h file of commands to do things. To take into account the original amounts, plus new gem income, plus all of the things that can be done with it in order to decide "oops too much" is pretty hairy. Especially when you try to reverse logic the troop queue to the gold to the fire gems made from the astral gems which were made from the death gems just as one example. NOT IMPOSSIBLE before someone jumps my case about it, just hairy and time consuming to get it put in. I didnt want to get into the "method of hack equals difficult to track" how-to here.

Quote:

You do let a client program submit instructions (proposed modifications to state, essentially) but need to check for bogosity. Having the client record "have this commander with a dwarven hammer forge this item" is very different from having the client itself define the new gem and item inventories.

Hmmm is that what it does now? The pros and cons of a clearer "log of commands given" is being discussed as something which has some advantages although of course some disadvantages also. As usual, the programmers in the forum have a pretty cler view of what can be done. Its great to see these discussions.

Quote:

A host could still cheat, but a sufficiently paranoid system could be set up to defeat cruder attempts like a host modifying data after receiving it, or reading turn files before submitting his own; it would increase the number of Messages -- e.g. players submit files encrypted with single-use keys (key pairs, preferably), all encrypted files duplicated at a second host site (a public key algorithm would allow verification of authorship), both hosts process the same files using the same PRNGs and math, both hopefully coming up with consistent results which could be reasonably checked using message-digest algorithms without revealing unencrypted state to all players. Either host in such a system could potentially learn full game state, but only after their turns were submitted, and it would require conspiracy or freakish luck for a host to be able to edit the turn files. Separate host-controlled game state files could be similarly signed/encrypted using keys submitted by all the players, to reduce the probability of the host being able to independently modify or read that file as well. Feh.

To an extent this could be implemented now by players. Before the addition of a master password feature I had setup to be a "seperate trusted host" setting up an email account that people could email their game-file passwords to. That way the host (who was also playing) didnt have access to the passworded files, but if a player fell out of the game then I could step in to turn on AI or do other checks.

In fact, that might work now as a low-tech answer. One thing Im worrie about is that now that Illwinter has shown they can dismantle a turn file to get answers Im afraid they will be swamped by requests every time any player feels another player did something shady. As often as we see Posts to that affect here which get answered as possibilitys that the player hadnt considered, you can see how busy that might be.

If someone declared their game to be only playable by people who were willing to email their passwords to a trusted site, would that help? In the case of what occured we would either have had a player who flatly refused "to let anyone view his secret tactics and strategies" (in which case anyone who played with that player would be taking their chances) or we would have had a much quicker and sooner way to have someone examine the turn file for inconsistancies. I AM NOT SAYING THIS IS THE ANSWER OR THAT OTHER THINGS CANT BE DONE just that its a low-tech thing that can be done today if people are concerned. (thats another disclaimer to cut off some of the responses I tend to get)

[Taqwus]

If he modified gem inventories to do stuff with it, then the game presumably isn't too fanatical about checking this, or the server itself was somehow compromised or worked-around.


It occurs to me that their shouldn't be that much looping. That is --

Gems left in the treasury were computed from the previous turn.

Gem income from sites, gifts, events and enchantments was computed from the previous turn.

Outside of diplomatic means (handled by the messaging system) there is no in-game way to turn anything that's not a gem into a gem, or for 1 gem to turn into more than 1 within a turn. Within a turn but before processing, then, total gems should be strictly nonincreasing. It also should not matter at what point gem alchemy was done, because you can't get more in-turn except by alchemy and because the ratio is fixed. That is, if alchemy was done at any point in the turn, it must have been legal with identical results and with the gems available at the beginning of the turn.
Then there aren't that many numbers to juggle (six types of gems turning into pearls, pearls turning into six types of gems, fire and earth gems turning into money -- which can be done after all other alchemy checks because that's a one-way street and can't make other alchemy operations possible if they weren't already).

Forging has a bit of bookkeeping; the game would need to check that the number of forges done using hammers does not exceed the number of hammers available from the end of the previous turn, and that the forgers had the necessary item slots in addition to skills.

Then, once alchemy is completed, gold becomes a one-way-street; you can get gold from alchemy, but you can't easily turn anything else (people, buildings, units) into gold that you can use that very same turn. You can pillage or hike tax rates, but you don't see the gold until next turn, so it'd be illegal to spend it or put it in the treasury until the appropriate time in turn computation.

Exception: You can get a refund of gold by clearing a recruitment queue that was non-empty after the previous turn. Whether or not you can clear a queue, however, is not affected by other in-turn actions, and the maximum you can get should be based on the Last turn since even if you increase the refund by adding units you have an equally large debit incurred during the addition.

And so forth. I don't think there's much room for bizarre circular operations (actually profitable alchemy, say; e.g. a _MoM_ player with Alchemy, Runemaster and obscene casting skill forging and breaking small items during a turn for pure profit) or anything else that would be unusually difficult to serialize.

[Gandalf Parker]

Quote:

If he modified gem inventories to do stuff with it, then the game presumably isn't too fanatical about checking this, or the server itself was somehow compromised or worked-around.

No it was the turn file itself. As near as can be figured the .trn had a gem number, the gems were added, and then they were "money laundered" into other things before returning the .2h to the server. There were checks but even the checks that were put into the game caused complaints from players when they reported "cheats" which werent really cheating players. That may have slowed down adding additional checks.

[nakomus]

The methods of cheating discussed in this forum (with the exception of Taqwus) seem to focus on alteration of *data* files of the game in question, in two forms:

1. The machine on which the game was hosted was compromised and the fatherland file was edited to change game state. Than the modified, but structurally valid fatherland file was used the hosting Dominions 2 system generate the next turn

2. Either trn or 2h files were modified such that an illegal (but structurally valid) 2h file was returned to the server, which failed to detect the inconsistency in the game state.

Both of these methods assume that the hosting installation of Dominions was operating correctly on the input it was given (although it may be insufficiently paranoid).

If 1) is the true scenario than this clearly need not be the case, the attack would have had access to the executable, configuration information, and runtime state during hosting.

Even if the attacker does not have root access on the hosting server, there is the possibility of a remote exploit in Dominions, either through structurally invalid 2H files or attacks through the network connection.
In short, it may be that the server was coerced to generate invalid turn files, rather than failing to detect subtle modification of an otherwise valid input.

I won’t speculate further as to how this could be carried out.

Of course, the devs may have reason to rule these sorts of attacks out.

[Anglachel]

OMG! I have figured it out! Stormbinder and Norfleet are the same person! You all fell for it suckers!!!!

[jarenko]

Is this thread about baseball?

[Cheezeninja]

No this thread got started after a particularly ugly thread about cheating by a very prominent member of the forum got locked. The title is a sentence commonly used in the USA as a way to change the subject when the current subject is uncomfortable or for some reason taboo.

[Esben Mose Hansen]

Quote:

...One thing Im worrie about is that now that Illwinter has shown they can dismantle a turn file to get answers Im afraid they will be swamped by requests every time any player feels another player did something shady. As often as we see Posts to that affect here which get answered as possibilitys that the player hadnt considered, you can see how busy that might be.

This also worries me. I'm thinking of having my server make a a complete .tar.bz2 image of the game directory every turn.Then a master password, and independent part (NOT ME!!!) and the backup history could determine any cheating for sure.

What do you think?

[archaeolept]

yah that would work wonders even if only to scare off certain potential cheaters. all that really happened here was that IIRC was that the existence of a master password allowed norfleets lies and the extend of his cheating to be exposed. a turn by turn history would might also, however, have provided valuable clues as to what precisely he was manipulating.

[Gandalf Parker]

Quote:

This also worries me. I'm thinking of having my server make a a complete .tar.bz2 image of the game directory every turn.Then a master password, and independent part (NOT ME!!!) and the backup history could determine any cheating for sure.

What do you think?

If for no other reason, it would be simple enough to implement and would at least make everyone feel better. If you need a "neutral server" we can setup an auto-ftp between your server and mine. Or you could put the tar's in a directory and just schedule a remote sync using some sort of mirror software.