I know LTXR won't have this.

(I am not trying to burn or cause any problems here. Just making a statement about our plugin.)

You notice, that when Lil Blob opens his pie hole, you only hear two things:


1) 'We' are making a version of LifeTank that will rock 'when' it comes out.


2) I hate you and want to start a flame fest, and I don't care how I do it.

 

-----signature-----

Chaz, that's





and I am sorry you had to resort to my standards. As such, Sticking to the subject at hand here was my intentions. Nothing else. I made statements. Everyone does, get used to it. Psst...It's a message board.

Will you all please knock it off...


You are driving poor Kestrina crazy.


/e carefully oils and polishs the new boxing gloves Yula gave Kestrina...

Elgar: you're also assuming no one wants to hack the plugin directly.


If you do all the security processing locally, all it takes is a couple people with talent and a hex editor, and it won't matter.


If you send the request to the server and use the server to validate the request, then it is exponentially harder to bypass (if done properly)

^ True. I just decided that if they were that cleaver to be able to hack all the protections then it's too much hassle to bother stopping.


Add to that, if they are cleaver enough to hack out the Auth protections I've put in, then sending data to the server for auth is just as easily hacked out.


I decided on a level of Auth that would take a good mnemonic hacker to defeat. Anything above that I decided was superfluous.

This is why I stated what I did. It really doesn't help matters.

Eh.. that's a different discussion for a different time.


I've just been doing a lot of application security training lately and have been deep into a lot of people's code, and seen what works and what doesn't for me personally. Judging from what I've seen, a properly done authorization server would be very difficult to hack out unless you're really good at reverse engineering, where as a local security scheme (even a pretty good one) is fairly trivial with little reverse engineering skill.

It's very easy to create a "spoof" for authentication for plugins if source is available.


However, trying to obtain/downloading the MD5 Checksum is much harder.


Reverse engineering is what happened on AC-Hackers. I can't go into details, but there was a version of Lifetank II that had been reversed. SPK came to AC-Hackers to obtain how we did it on the pretense he provided AC-Hackers members a unlimited/un-restricted version of the plugin. This was of course 2-3 years ago.


I knew how it was done, and it took all but 2-3 days of work to get it to work.


The best authentication would of course be aquring a ssl connection in the authentication process and a non-revealing MD5.

Double Encryption AND 1024bit security tunnel.

Thanks for the idea.

 

-----signature-----