• What are you working on? January 2012
    3,401 replies, posted
[QUOTE=amcfaggot;34423662]I was looking at how the Facepunch Lua API does this, and I swear I thought we were using a token system, but we don't do anything different than what the browser does, which was also by design. Considering you're not passing the cookie back through the API calls, I actually agree. Your method is probably the best take on this without adding additional unnecessary data to the mix.[/QUOTE] The only disadvantage with accepting the username and password MD5 is that to stay authenticated in this way, we need to know the user ID. The only way to get that is to make a request to get it. This is done lazily at the moment, each request it re-grabs the user ID. I'll be making this into a cached system tomorrow, where we only need to go make a request to get it if it's not in the local cache. Going to move the API backend to run on HipHop too to squeeze some extra performance out of it. [QUOTE=@@;34423655][url]http://oauth.net/[/url] Use oauth. They give you a full list of reasons on their wiki page on why it's safer to do it that way.[/QUOTE] Complete overkill, OAuth isn't going to provide any benefit here.
Holy yes. JohnnyCache gave me one. [b]edit:[/b] No, I probably wouldn't be analyzing anything, since I don't have a device that I can use to access the app. I'm interested in developing apps that use the API.
I was looking through the wikipedia page on x86 assembly when I thought I realized I didn't have anything like mov Then I realized I already do :v: [editline]27th January 2012[/editline] It appears I have an area in my code that crashes the lua plugin of my IDE :v:
I'm about to start working on the FP for iOS app. Tonight I hope to code a model for the API using AFNetworking. That's about it. I want to talk with Overv about how he would vision the app to be designed, as he designed the Android one. I am not going to make another shit design ever again. NO MORE DESIGNING FOR ME.
[QUOTE=Hexxeh;34422748]All requests must have GET parameters username and password, where password is the MD5 hash of the user's password.[/QUOTE] md5 is not security.
[QUOTE=Hexxeh;34422748]Okay so I've got an initial version of the Facepunch API working now that garry's added the tiny patch required on Facepunch's server. Here's how it works. Firstly, login. You don't need to login. This is a design decision. All requests must have GET parameters username and password, where password is the MD5 hash of the user's password. All responses are JSON, format isn't quite fixed yet. I could use some help writing documentation, since I suck at it. You must also pass a GET parameter called action, see the list below for the possible values of this parameter. Bolded word is the action parameter value. Soon you'll also be able to register for an API key, to get stats on your applications usage of the API. These won't be required, totally optional, but there might be advantages to using an API key in the future. [B]<api snip> [/B] The API is live at api.facepun.ch right now. I'm aware these docs suck and don't document responses, but I've spent like 12 hours working on this so I really can't be arsed doing better docs at the moment.[/QUOTE] Could someone provide me with an example URL to show me how this is used? I'm new to this shit but I wanna play with it :v [editline]oops[/editline] I worded this badly, I mean for making the GET requests and stuff.
[QUOTE=synthiac;34424194]i don't think there's any other choice[/QUOTE] asymmetric encryption + time based token to prevent replay attacks
Hell yes, I got equivalents of jmp, je, jl, and jg working This is fun once it starts working
who cares anyway, it's a facepunch account password, there are more sensitive things out there that send plaintext for shit [editline]27th January 2012[/editline] those who were in the webdev chat yesterday probably recall my bank's official app passing plaintext for my username and password brilliant shit
[QUOTE=ZenX2;34424311]Hell yes, I got equivalents of jmp, je, jl, and jg working This is fun once it starts working[/QUOTE] Now get it to not be interpreted
[QUOTE=amcfaggot;34424349]who cares anyway, it's a facepunch account password[/QUOTE] facepunch is serious shit
[QUOTE=synthiac;34424323]touché. [editline]27th January 2012[/editline] but it ends up being md5 in the end[/QUOTE] What if you use SHA?
Hey Overv, bug report. If the user hasn't set up their community profile yet, the conversion from a friend to a user will try to null an int, which can't be done.
[QUOTE=supersnail11;34424471]What if you use SHA?[/QUOTE] it's worthless because facepunch uses md5 directly, which is what hexxeh is just passing on
[QUOTE=synthiac;34424551]you can't.[/QUOTE] oh yeah nvm
[QUOTE=Ploo;34423044]Before I begin, NSFW warning and such. Just in case. Last night I spotted some 'risk' games on /b/, where they would take a map of europe split up into small territories and doubles would take over land or something, it was all done manually and I can't believe they could be bothered. So I wrote a bot for it. There's a game running right now at [url]http://boards.4chan.org/b/res/377111339[/url] which will 404 soon enough but here's the game in progress: [url]http://dl.dropbox.com/u/3687652/ChanBot/cap1.png[/url] and another few turns later: [url]http://dl.dropbox.com/u/3687652/ChanBot/cap2.png[/url] First players use the start_nation command to create a team with a name and description. Then they use the expand command and specify a coordinate to colonize further land. Then they insult each other and fight for land. Hopefully someone wins by the time post limit is reached. The bot refreshes the thread every x seconds and processes new replies. The random seed used is the post id of the first poster so the bot can crash all it wants, I can fix it and when I restart it the exact same outcome should be reached. I plan to let people attach an image to their post when they make a nation, so that can be their avatar or something. EDIT: They're so... dedicated [url]http://dl.dropbox.com/u/3687652/ChanBot/cap3.png[/url] [url]http://dl.dropbox.com/u/3687652/ChanBot/cap4.png[/url] [url]http://dl.dropbox.com/u/3687652/ChanBot/cap5.png[/url][/QUOTE] Holy shit I so want to do that now!
[QUOTE=Ploo;34423044]Before I begin, NSFW warning and such. Just in case. Last night I spotted some 'risk' games on /b/, where they would take a map of europe split up into small territories and doubles would take over land or something, it was all done manually and I can't believe they could be bothered. So I wrote a bot for it. There's a game running right now at [url]http://boards.4chan.org/b/res/377111339[/url] which will 404 soon enough but here's the game in progress: [url]http://dl.dropbox.com/u/3687652/ChanBot/cap1.png[/url] and another few turns later: [url]http://dl.dropbox.com/u/3687652/ChanBot/cap2.png[/url] First players use the start_nation command to create a team with a name and description. Then they use the expand command and specify a coordinate to colonize further land. Then they insult each other and fight for land. Hopefully someone wins by the time post limit is reached. The bot refreshes the thread every x seconds and processes new replies. The random seed used is the post id of the first poster so the bot can crash all it wants, I can fix it and when I restart it the exact same outcome should be reached. I plan to let people attach an image to their post when they make a nation, so that can be their avatar or something. EDIT: They're so... dedicated [url]http://dl.dropbox.com/u/3687652/ChanBot/cap3.png[/url] [url]http://dl.dropbox.com/u/3687652/ChanBot/cap4.png[/url] [url]http://dl.dropbox.com/u/3687652/ChanBot/cap5.png[/url][/QUOTE] I noticed this too. I was thinking about making some dumb networked game with a facepunch logo as the island. Then I said fuck it and kept working on my app.
I'm making something similar to what ZenX2 is making, except it's stack oriented [code]swap dup rot 1 sub while 1 sub swap 0 st mult swap . swap out 10 outc[/code] This raises the first commandline argument to the second (they get pushed on the stack before the code is executed) Also, while's and if's along with .'s are just syntactical sugar for conditional jumps, they get replaced by the compiler before they are executed.
Started working on a Mech for this flash game I'm making. They'll be enemies that use them and you'll be able to hijack them somehow; i might make it so you can buy/upgrade your own too. Next i think i'll make it so you can squish enemies if you step on them :D. [video=youtube;NBa0i4E3kU8]http://www.youtube.com/watch?v=NBa0i4E3kU8[/video] It was fun to make and pretty fun to use in-game too, thinking about adding Tanks and stuff now. At the moment in this game you defend your crashed Spaceship as you collect Metal to repair it and buy upgrades for your weapon and stuff. You can build defenses like Sentries, landmines and a Healing station, so maybe you could deploy controllable Vehicles that way as well. Ha, I just noticed while checking the video that the Mech bleeds! Whoops :P
[QUOTE=Octave;34424925]I'm making something similar to what ZenX2 is making, except it's stack oriented [code]swap dup rot 1 sub while 1 sub swap 0 st mult swap . swap out 10 outc[/code] This raises the first commandline argument to the second (they get pushed on the stack before the code is executed) Also, while's and if's along with .'s are just syntactical sugar for conditional jumps, they get replaced by the compiler before they are executed.[/QUOTE] Is making interpreted languages with unintelligible syntax the new fad? [editline]28th January 2012[/editline] I mean come on, and I thought x86 looked bad... EDIT: I think it's cool people are making interpreted languages, it's a fun project. I'm simply pointing out that it seems to be a fad to abbreviate your opcodes/keywords/syntax to the most illegible mash of letters possible. Gimme all your boxes for caring about usability.
[QUOTE=Torrunt;34425156]Started working on a Mech for this flash game I'm making. They'll be enemies that use them and you'll be able to hijack them somehow; i might make it so you can buy/upgrade your own too. Next i think i'll make it so you can squish enemies if you step on them :D. [video=youtube;NBa0i4E3kU8]http://www.youtube.com/watch?v=NBa0i4E3kU8[/video] It was fun to make and pretty fun to use in-game too, thinking about adding Tanks and stuff now. At the moment in this game you defend your crashed Spaceship as you collect Metal to repair it and buy upgrades for your weapon and stuff. You can build defenses like Sentries, landmines and a Healing station, so maybe you could deploy controllable Vehicles that way as well. Ha, I just noticed while checking the video that the Mech bleeds! Whoops :P[/QUOTE] I don't see why all mech games always end up with ungainly hard to control units. Maybe it's because the feet always look retarded and go slow, but I've never had fun with a mech game of that style. (The mouse aim always feels weird to me too)
Anyone know of an all-purpose picture/image library for C#? It needs to be able to read pictures either from a stream or file, and write pictures either to a stream or file. Also create pictures, as in drawing functionality (draw pixel/line/circle/2d polygon etc.)
The only place I see the drawing functions are in Graphics, and that seems to be tied tightly with winforms or something like that. I'm probably an idiot. Yup. [url]http://stackoverflow.com/questions/1535730/convert-graphics-object-to-bitmap-object[/url]
[QUOTE=supersnail11;34424471]What if you use SHA?[/QUOTE] vbulletin [editline]28th January 2012[/editline] also SHA is not security
heh, the most difficult part about the steamweb-lua-sdk project is deciding how to design it
[QUOTE=supersnail11;34424471]What if you use SHA?[/QUOTE] Word of warning: I haven't read the argument from the beginning, so what I'm about to say does not necessarily apply to the matter at hand. SHA, md5 or any other general purpose cryptographic hash functions are [b]NOT[/b] safe for password keeping purposes, without a work factor. In that situation any of them is easy to crack. Rainbow tables are incredibly easy to defeat by using salts, but keep in mind that all of those algorithms were designed to be very fast so that OSs can call them hundreds/thousands of times for quick integrity checks. This means that some implementations of password crackers which take advantage of immense parallel computing power in GPUs can crack, literally, millions of passwords a second. And, as long as Moore's law holds, that number keeps climbing. So how do you do it properly, then? You use an adaptable algorithm. These allow you to select a work factor which you can increase as computing power increases. This effectively allows you to keep your hash function's calculation time constant (and big!) despite advances in computing power, which is a very good thing when it comes to passwords. For you, calculating a couple of hashes every now and then, the performance hit is not going to be noticeable. For the cracking software, however, an increase of an order of magnitude is very, very noticeable. bcrypt is generally considered a good idea. On another note, I noticed some of you mentioned transmitting the md5 of the password via cookie. Even considering the hash function is safe, it's probably safer to transmit an {id, random key} pair and keep a local table of id => key associations. Then when the user wants to authenticate, he sends over an id and a key, and if it checks out, that pair is invalidated, a new one created and sent to the user, and he is allowed in for that action/session. Again, I'm not aware of any already existing limitations so that might not be possible.
Some links, from which I learned about this stuff: [url]http://codahale.com/how-to-safely-store-a-password/[/url] Some figures on cracking passwords using CUDA [url]http://www.win.tue.nl/cccc/sha-1-challenge.html[/url] Article linked in the previous page. How some guys in Eindhoven got 700 000 000 (yes, million) SHA-1 hashes per [b]second[/b] [url]http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html[/url] Another useful article on why md5/sha is a bad idea for passwords [url]http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html[/url] And yet another one, which presents some nice alternatives. [url]http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/[/url] An article about proper cookie authentication
Valve has a versioning scheme for their interfaces, and I'm choosing to reflect this in the API like so:
[lua]local ISteamOAuth2 = require( "steamwebapi.ISteamOAuth2.v0001" )[/lua]
There aren't "nice" names for the interfaces, considering the interfaces have nice enough names and "functions", if you will. So logging in will be something like this (roughly):
[lua]
local ISteamOAuth2 = require( "steamwebapi.ISteamOAuth2.v0001" )

local postData = {
	clientID = omgauthID,
	username = "shitlord",
	password = "poopoo",
	other = "shit"
}

local response = ISteamOAuth2.GetTokenWithCredentials( postData )

-- comparison needs `==`; a single `=` here is a syntax error in Lua
if ( response.error and response.x_error_code == "dongs" ) then
	postData.steamGuardorwhatever = io.write( "or some other bullshit" )
	response = ISteamOAuth2.GetTokenWithCredentials( postData )
end
[/lua]
Idk, not sure if the arguments for these "functions" should be separate args or just a postData struct of some sort.
[QUOTE=grlira;34425926]SHA, md5 or any other general purpose cryptographic hash functions are [b]NOT[/b] safe. They are easy to crack. Any of them.[/QUOTE] crack it: 9641283b87012ba0a51d58ff26fefab5 [editline]28th January 2012[/editline] 100,000 round MD5
noticed i put io.write in there instead of read, and gave it arguments??? shit code great job self [editline]27th January 2012[/editline] my automerge :(
[QUOTE=swift and shift;34425973]crack it: 9641283b87012ba0a51d58ff26fefab5 [editline]28th January 2012[/editline] 100,000 round MD5[/QUOTE] Doing 100,000 rounds is just introducing a work factor. A scalable work factor is still a better idea because it allows you to keep up with increases in computing power. Still, a correction to what I said: what I meant by SHA/md5 not being safe is that a single calculation (or 10, or 20) is not safe.
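The two points grlira makes above (a salted hash whose cost you can raise over time, and a rotating {id, key} table instead of sending the password hash around) and the "100,000 round MD5" exchange that followed both come down to the same thing: a fixed iteration count is a work factor, a tunable one is a work factor you can keep raising. The following Python is an added example written for this thread, not code from any poster or from Facepunch. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt (same idea: salt plus a cost parameter stored with the record), and the salt, work-factor values and token format are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example (not from the thread). PBKDF2-HMAC-SHA256 stands in for bcrypt:
# both store a salt and a cost with the hash, so the cost can be raised later
# without touching the application code.

CURRENT_WORK_FACTOR = 14  # 2**14 iterations today; bump it as hardware gets faster


def hash_password(password: str, work_factor: int = CURRENT_WORK_FACTOR,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<work_factor>$<salt hex>$<digest hex>' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, 2 ** work_factor)
    return "pbkdf2_sha256$%d$%s$%s" % (work_factor, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost from the record; constant-time compare."""
    algo, wf, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 2 ** int(wf))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, work_factor: int = CURRENT_WORK_FACTOR) -> bool:
    """True when a record was hashed at a lower cost than the current setting,
    i.e. re-hash it the next time the user logs in successfully."""
    return int(stored.split("$")[1]) < work_factor


def throughput(seconds: float = 0.2, work_factor: int = 12) -> Tuple[int, int]:
    """How many guesses one core gets through in `seconds`: plain MD5 versus
    PBKDF2 at the given cost. The gap between the two numbers is the work factor."""
    salt = b"constructed-salt"  # constructed fixed salt, for the measurement only
    counts = []
    for fn in (lambda g: hashlib.md5(g).digest(),
               lambda g: hashlib.pbkdf2_hmac("sha256", g, salt, 2 ** work_factor)):
        n, end = 0, time.perf_counter() + seconds
        while time.perf_counter() < end:
            fn(b"guess%d" % n)
            n += 1
        counts.append(n)
    return counts[0], counts[1]


class TokenStore:
    """Server-side table of id -> random key, as described in the post. A pair
    is single-use: redeeming it removes it and hands the client a fresh pair."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def issue(self) -> Tuple[str, str]:
        token_id, key = secrets.token_hex(8), secrets.token_hex(32)
        self._table[token_id] = key
        return token_id, key

    def redeem(self, token_id: str, key: str) -> Optional[Tuple[str, str]]:
        expected = self._table.get(token_id)
        if expected is None or not hmac.compare_digest(expected, key):
            return None            # unknown id or wrong key: reject, table unchanged
        del self._table[token_id]  # a replayed copy of the old pair is now useless
        return self.issue()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", work_factor=10)
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("needs rehash at cost 14:", needs_rehash(record, 14))
    print("md5 vs pbkdf2 guesses in 0.2 s:", throughput())
    store = TokenStore()
    first = store.issue()
    print("first redeem ok:", store.redeem(*first) is not None)
    print("replay of the same pair:", store.redeem(*first))
```

The record format carries its own cost, so `needs_rehash` lets you migrate existing users upward on their next login instead of forcing a reset; `throughput` is there to make the post's argument visible on your own machine rather than to quote a number.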