CUSEC Part Two: Karan’s Warning
January 26, 2009 - Andrew - 8 Comments

I’ve returned to Waterloo from CUSEC. On Friday, Noah Sugarman and I presented findthehotties.com to the CUSEC democamp. We were a big hit, but unfortunately, we were hacked by three separate groups within minutes of finishing the presentation. Two of the groups personally contacted me with suggestions on how to improve security; for that I’m grateful. I was surprised when I found out our game was hacked, although I should have expected it. Firstly, we gave the presentation to a bunch of software engineers, and secondly, my dear friend Karan had warned me that we were doing server validation horribly wrong. He was 100% correct.
Unfortunately, Noah and I could not fix the site because the hotel took away our internet access for going over our bandwidth limit. (Note: Never stay at a Best-Western.) Today, we finally got the site working again, this time with marginally better security. To make the site properly secure, we need to do a major overhaul, but that will have to wait because we are both very busy making up school work, preparing for exams, and attending job interviews.
So far, I have five interviews lined up for the coming week. Finally, I left my fridge open while I was at the conference. This is most unfortunate because I’d just bought three bags of fresh milk. Oh well, Murphy’s law, right?
January 27th, 2009 at 3:44 AM
Regarding FTH, a temporary solution you can use for weeding out the ‘image removed’ is to store the hash of that image, and replace it if it comes up in a set. I just went through an awesome round but got screwed on the 8th picture because that was the answer.
January 29th, 2009 at 11:22 PM
Find the hotties is not engineered against a simple pointer scan; you may want to fix that.
January 30th, 2009 at 1:24 PM
What is a pointer scan?
February 2nd, 2009 at 3:49 PM
Basically, in Cheat Engine you can scan for your high score, and freeze the pointer and set its value. Then submit that and it tricks the server into thinking that’s your score. Darius did it too ’cause he’s a noob. Basically, start using floating points and multiply and divide them; it’s harder to find. You may also need a parity (because users can still check for delta changes unless you use a hash code to determine everything but ya).
February 2nd, 2009 at 9:19 PM
Damnit, u removed my high score! And I actually got that one legitimately. Are my cojones so big that everyone thinks I’m using steroids! Damnit!
February 2nd, 2009 at 9:28 PM
All in all, as a parity that would be hard to spot, I’d probably keep track of how many were correct and the time, and then submit that, and recalculate it at the server to see if it matches. Most ppl wouldn’t be able to figure it out short of disassembling the flash file.
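The server-side recalculation suggested in the comment above, as an added example that is not part of the original post or comments and is not the site's code. The scoring rule, round count, timing floor, key and all function names are assumptions; it goes one step further than the comment by having the server record the start time in a signed token instead of accepting a client-reported time.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: key held only by the server
ROUNDS = 10                        # assumption: pictures per game
MIN_SECONDS_PER_PICK = 0.3         # assumption: fastest plausible human pick


def expected_score(correct, seconds):
    """Hypothetical scoring rule: 100 per correct pick, minus 1 per second."""
    return max(0, correct * 100 - int(seconds))


def _tag(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def start_game(player, now):
    """Issue a token binding the player to a server-recorded start time."""
    msg = f"{player}|{now:.3f}"
    return f"{msg}|{_tag(msg)}"


def verify_submission(token, player, correct, claimed_score, now):
    """Recompute the score from server-side facts; return (accepted, reason)."""
    try:
        tok_player, started, tag = token.split("|")
        started_at = float(started)
    except ValueError:
        return False, "malformed token"
    good = _tag(f"{tok_player}|{started}")
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return False, "bad token"
    if tok_player != player:
        return False, "bad token"
    if not isinstance(correct, int) or not 0 <= correct <= ROUNDS:
        return False, "impossible correct count"
    elapsed = now - started_at
    if elapsed < ROUNDS * MIN_SECONDS_PER_PICK:
        return False, "finished too fast"
    if claimed_score != expected_score(correct, elapsed):
        return False, "score does not match recalculation"
    return True, "ok"


if __name__ == "__main__":
    token = start_game("andrew", 1000.0)   # constructed sample values
    print(verify_submission(token, "andrew", 8, 758, 1042.0))
    print(verify_submission(token, "andrew", 8, 999999, 1042.0))
```

The correct count is still client-reported in this sketch; checking each pick against a server-held answer key and rejecting reused tokens would close those remaining gaps.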
February 4th, 2009 at 12:13 PM
Shit, I didn’t even know you could do that. AND I AM STILL NUMBER ONE!
February 4th, 2009 at 1:13 PM
@Karan
. And apparently, one of the cheating scores was actually legit.
I removed the cheating scores, so you’re not as good as you think