Vulnerability Development mailing list archives

Re: Software authentication (was RE: Gibson (was Crack Office XP))


From: bill_weiss () att net
Date: Fri, 15 Jun 2001 02:19:29 -0600

Mark Collins(me () thisisnurgle org uk)@Wed, Jun 13, 2001 at 05:57:32PM +0100:
And... why not pirate servers that perform whatever game administration
is required? Can't be that tough to set up a server that listens to
broadcasts and requests; I don't think WON has the market cornered there.
And legitimate users could also set up proxies that re-serve the game
listings coming off the WON. My guess is that folks join the game through
direct connection anyway,  so it really would be fairly trivial.

If the authentication server is hardcoded and obfuscated, it would be 
nearly impossible to change it.

Some serious hacking of the TCP stack would be in order (if it addresses the 
auth server by IP only), and I'd expect most people who are capable of such 
would either a) be white-hat or b) be too 'leet to release it.


I hate to be simplistic, but what about redirection?  I have a linux box as 
a router, and a windows box behind it.  Could easily redirect requests to the
auth IP to somewhere else, even localhost (where I could serve false auths).
 
Without actually looking at current implementations of this method in
various games, my guess is that it's probably done badly.

There was a recent discussion about this on the Linux Game Developer list. 
Having 2 copies of the auth key, one which is MD5 encoded and well hidden 
would make changing the addresses pretty tough.

If the cracker is watching, he'll see the references to both keys.  Then, watch
the transformation from key to MD5 key...

I'd agree that it's possible to make it too much of a pain in the ass, though
:)
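The two ideas in this exchange, a client that keeps the auth-server address twice (once in the clear, once as an MD5 digest used as a tamper check) and a cracker who has watched that check run and so patches both copies, as an added worked example. This is not code from the thread or from any game; the data-section layout, the `AUTHHOST=`/`AUTHSUM=` markers and the hostname auth.example.net are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for the client's data section.  The auth server
# address is stored in the clear, and a second copy survives only as the MD5
# hex digest of that string, checked at startup to detect tampering.
# The hostname is an assumption for the example, not a real service.
ORIGINAL_HOST = "auth.example.net"


def build_client_blob(host: str) -> bytes:
    """Lay out both copies the way a naive build would: the plaintext host,
    then md5(host) in hex, each NUL-terminated and surrounded by filler."""
    digest = hashlib.md5(host.encode()).hexdigest().encode()
    return (b"\x00" * 16 + b"AUTHHOST=" + host.encode() + b"\x00" + b"\x00" * 32
            + b"AUTHSUM=" + digest + b"\x00" + b"\x00" * 16)


def client_auth_target(blob: bytes):
    """The client's startup check: read the address, hash it, compare with the
    stored digest.  Returns the host the client will connect to, or None on
    the 'tamper detected' path."""
    host = re.search(rb"AUTHHOST=([^\x00]+)\x00", blob).group(1).decode()
    stored = re.search(rb"AUTHSUM=([0-9a-f]{32})\x00", blob).group(1).decode()
    if hashlib.md5(host.encode()).hexdigest() != stored:
        return None
    return host


def _overwrite_host(blob: bytes, new_host: str) -> bytes:
    """Overwrite the plaintext copy in place, NUL-padding so that file offsets
    do not move (a real binary patch cannot grow the string's slot)."""
    m = re.search(rb"AUTHHOST=([^\x00]+)", blob)
    old = m.group(1)
    if len(new_host) > len(old):
        raise ValueError("replacement must fit in the original string's slot")
    new = new_host.encode().ljust(len(old), b"\x00")
    return blob[: m.start(1)] + new + blob[m.end(1):]


def naive_patch(blob: bytes, new_host: str) -> bytes:
    """Patch only the address: this is exactly what the stored digest catches."""
    return _overwrite_host(blob, new_host)


def informed_patch(blob: bytes, new_host: str) -> bytes:
    """Having watched the check run, the cracker knows the second copy is just
    md5(host): rewrite the digest too and the check passes again."""
    patched = _overwrite_host(blob, new_host)
    m = re.search(rb"AUTHSUM=([0-9a-f]{32})", patched)
    new_digest = hashlib.md5(new_host.encode()).hexdigest().encode()
    return patched[: m.start(1)] + new_digest + patched[m.end(1):]


if __name__ == "__main__":
    blob = build_client_blob(ORIGINAL_HOST)
    print("untouched:            ", client_auth_target(blob))
    print("address only patched: ", client_auth_target(naive_patch(blob, "127.0.0.1")))
    print("both copies patched:  ", client_auth_target(informed_patch(blob, "127.0.0.1")))
```

The point the example makes concrete: a hash of the address is only as hidden as the code that computes and compares it, and anyone who can single-step that comparison can regenerate the digest for whatever address they like. The redirection approach from earlier in the message sidesteps the check entirely: if the Linux router rewrites the destination (a nat-table DNAT rule), the client binary is never touched, and a check that only hashes bytes inside the executable says nothing about where the packets actually go.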

