-
Thoughts on Security?
I was sitting working with Director when I thought of two things regarding security of a swf...
1) Has anyone on the board tried to crack a flash presentation embedded in a director clip? I know it's simple to crack a SWF, but it also seems like Macromedia put a little more thought into Director. Maybe since Lingo is an offshoot of C+, something could be done. I was also thinking of the 'security by obscurity' idea. Not many people work with Director, so not many people have bothered to think about cracking a director file.
2) I forget who it is, but he can break open any high score table and several people have challenged him. I was wondering if the people who lost to him stripped everything but numbers out on the variable and validated the source?
3) And, if he's out there, would SSL encryption of the file stop you?
Yeah, I know it's impossible to stop someone from stealing your work, but if we put our heads together, maybe we can make it harder.
-
ʞ33ƃ
Would SSL help, nopers.
Basically what I can do (without telling you how) is: 1) Change a variable. 2) Load another Flash movie inside of your Flash movie.
Putting the Flash movie inside of a Director file would prolly guard against what I'm doing, but it defeats the whole purpose of Flash: a tiny plugin with tons of possibilities. You now force your audience to need the Shockwave plugin, which is much larger.
-
Sorry, I hate to belabor a point, and I know it has been discussed to death. I am just trying to think outside the .swf, so to speak.
So no amount of server-side variable validation would stop someone using your methods? You don't have to say "yes" or "no", just blink once for yes, twice for no.
So you physically crack the swf? I have experimented with bugs and viruses in my own projects by leaving out form validation and not stripping off certain stuff. Hmmm...
(please forgive my faux pas in not remembering your handle)
-
ʞ33ƃ
Serverside validation is always a good thing, but everyone knows about AS viewers. The user can open up your swf and see how you calculate your score. Let's say you have a function that adds up the user's score and sends it off to the server (which I think is a good way to do it, very organized like). Well, it's possible for me to just see how you send the info to the server via it, also very easy for me to find, you'd prolly call it something like sendscore(). Seeing this, there are 2 different possibilities: either replace the sendscore function, or just see how you send the info and send it myself.
With serverside validation you could do some tricky things (let's say in-game you only use values of 3), the score you know when sent has to be divisible by 3, any other score isn't possible. But again the user can see things like that either playing the game or viewing the AS.
PS anyone know any Flash highscore stuff giving away prizes?
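A sketch of the server-side checks discussed in this thread (numbers-only input, the multiple-of-3 rule), added here as an example and not part of any post. The one-time session id, the per-second scoring limit and all function names are assumptions made for the illustration.

```python
import re
import secrets

POINT_STEP = 3          # from the thread: in-game awards only use values of 3
MAX_POINTS_PER_SEC = 6  # assumption: fastest legitimate scoring rate
_PLAIN_INT = re.compile(r"[0-9]{1,9}")  # digits only, nothing else

_sessions = {}  # session id -> server-side start time (in-memory for the demo)


def start_game(now):
    """Issue a one-time session id when the game is served (assumed design)."""
    sid = secrets.token_hex(16)
    _sessions[sid] = now
    return sid


def submit_score(form, now):
    """Validate a POSTed form dict; return (accepted, reason)."""
    # pop() makes the session single use, so a captured request cannot be replayed
    started = _sessions.pop(form.get("sid", ""), None)
    if started is None:
        return False, "unknown or reused session"
    raw = form.get("score", "")
    # reject anything that is not a plain number instead of trying to clean it
    if not isinstance(raw, str) or not _PLAIN_INT.fullmatch(raw):
        return False, "score is not a plain number"
    score = int(raw)
    if score % POINT_STEP != 0:
        return False, "score not a multiple of 3"
    # the clock is the server's own, so the client cannot claim more play time
    if score > (now - started) * MAX_POINTS_PER_SEC:
        return False, "score too high for time played"
    return True, "ok"
```

These checks reject impossible submissions; a made-up score that still satisfies every rule is accepted, which is the limit described in the post above.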
-
Cool, thanks for being so open about this.
Then why not use includes? You can then lock your score script safely away on the root level of your server. You might take a performance hit, but I think it would be negligible.
-
ʞ33ƃ
An include in Flash doesn't work quite like other languages.
When you use an include, when Flash turns the file from a fla to an swf it puts all the included code in the swf.
If you look in the AS viewer you won't see #Include me.as
you'll actually see the script that was included
-
damn.
damn. damn. damn.
thanks for not not saying anything, letting me make something and then going out and blowing me out of the water. My fragile nerd ego thanks you too.
I guess all that's left to say is...
"I would have gotten away with it if it wasn't for that meddling xMcNuggetx"
-every villain in 'Scooby Doo'
-
ʞ33ƃ
lol
Feel free to send me something you wanna see what I can do with. I'm always up for a challenge =D
Nugget
-
Senior Member
You could use the POST method to send info to the server that way you wouldn't be able to send it by simply putting the variables and their values into the URL. Also you could make some obscure guard variable that would tell you if you calculated the score yourself or not. I haven't thought about this issue much. Let's hope everyone who knows how to do this is like McNugget.
-
I was actually thinking using 'LOAD VARIABLE' for the score function...like I meant for the include file...
I think one of the ways we'll be able to make it harder on him is by hiding all the pertinent files. Also, I think that not using guessable variable names...
I do that a lot with my servers. I will name important files after old girlfriends (that and because I just can't let go of the past).
-
ʞ33ƃ
If you're taking the route of making things unreadable you may want to check out: http://www.genable.com/aso/preview.html
Haven't used it personally but looks wonderful =)
Nugget