CoderHire - Developers - Facepunch Forum

[QUOTE=MeepDarknessM;42063689]I understand why, but I don't want some random person showing up at my house, that I've met online, and for some reason they hate me. People can do a lot of things in the real world. In the virtual world they can only do a few things, including: annoy me, ddos. ~At the "risk" of being rated dumb: I am pretty far up there on the chart that tells how many people hate me online. I don't want someone to find my address, then leaking it to the whole world. Who knows what people would do with it?[/QUOTE] Since coderhire was created at least 10 people hates me now and none of them showed at my door.

[QUOTE=Noi;42064022]Woah dude, how can I cash out dosh from PayPal in Russia? Seriously, I did some research on my side and results aren't very optimistic. [editline]3rd September 2013[/editline] Oh wait, Nevermind everyone, I think I know a workaround on how to (almost) legitimately cash out from PayPal.[/QUOTE] Any credid card (Maestro (the blue and red one), MasterCard, VISA) can be attached to your paypal account, then you just go to Menu > Pay out > Select your bank account from the list. That's pretty much it :V:

there is sooo much douchebaggery in the comments section I got people asking how come this has any sales and oh how did he do that, with people giving demonstrations like really? that's not the place for it.

Ask and ye shall soon be in receipt of. (WIP) [img]http://puu.sh/4itge.png[/img]

[img]http://puu.sh/4iGly.jpg[/img] Some pages have missing footers like clearing notifications, it doesn't really affect anything but it looks out of place without it. Also, the search bar seems to be a bit too big [img]http://puu.sh/4iGmX.png[/img] Forums look great though

Recently the drama with Panda came to my attention. Panda is accused of posting jobs on coderhire, refusing to pay and releasing the addons as if they were his own. This is terrible, but the evidence against him is mostly indirect, in the form of forum posts that talk about his reputation, chat logs and addons with certain modification dates. While the heap of evidence should be enough to convince your average scripter to not start a deal with him, it's not [i]conclusive[/i] evidence. And that's a situation you don't want to get in. You want undeniable proof that you made the script. When someone like Panda comes around being an ass, you will want to be able to prove, without [b]any[/b] question, that you made the addon. I present to you two cryptographically valid ways of doing this. The first is a lot of work (especially if you're not used to it), but proves more. The second one is really simple and requires very little effort. In return, the second option proves slightly less, although it should be more than enough. [b]First method: Use a (private) git repository[/b] Reason: git hosting sites (assembla.com, bitbucket.org, github.com, etc.) use asymmetric cryptography. You generate a private key, you sign your work with that key, your key pair is linked to your account (and name). Proving that you made the script is (cryptographically) as simple as proving that you possess the private key with which the commits were signed. You probably won't have to start encrypting messages with your private key to post this proof though, for the git repository host site can prove the following: - Commits building/fixing the script linked to your username on that site - The same commits linked to a [b]date[/b] (very important, especially if the dates show you made it before the scammer had the addon). The problem with git here is that you can probably mess with commit dates before you commit. The other evidence method will have a better solution for this. - Your username on the git hosting site is linked to [b]you[/b] as a person because you (and only you) have the private key with which the commits have been made. SVN doesn't work with asymmetric cryptography. It works (depending on the host) with user accounts and passwords. This doesn't prove as much as git does. [b]Second method: Cryptographic commitments[/b] This is actually the method I recommend. _Undefined can actually implement this in the coderhire website. It's very simple, and it works with hashes. The idea of "commitments" can be used in several ways, but here's what I suggest: 1. Accept the deal 2. (this step might be redundant if coderhire already contains the information) Write a text file saying something like: [code] I, <YOURNAME> (<YOURSTEAM>) have accepted a deal for the following addon: <ADDON DESCRIPTION HERE> (you can take this from the coderhire page) I will make this addon for <NICKNAME> (<STEAMID>) [/code] Hash this file with a secure hash algorithm (Sha256 or whatever, as long as it's [b]not[/b] MD5) 3. Create the script/addon. 4. Here's the most important bit: Compress the addon (in a zip or any other format), [b]hash[/b] the zip and publish the hash on this thread, pastebin or on coderhire [u]before[/u] giving it to the buyer. If you post it on facepunch, do [b]not[/b] edit the post that contains the hash. You can change the hash if you edit your post, and everyone can see if you edited your post. 5. If you create a new version of the addon, you might choose to hash it again and post the new hash, but unless you recoded everything I don't think this is necessary. Here's some facts about this method: - Posting a hash on the forum does not reveal what you're working on. No one will know who the hash is for, what the addon of the hash is about. You can keep this secret if you like. This is useful if it's really a private/confidential project. - You cannot fake a hash, unless you're using MD5. So use a cryptographically strong hashing algorithm (SHA-256 is definitely good) - Depending on where you post the hash, the hash [b]undeniably proves[/b] a link between the addon and your account on a [b]specific date[/b] (the post date of the hash). It proves that you had the addon in possession when you posted the hash. After all, I assume you cannot forge a post date on Facepunch or pastebin unless you're an administrator. - It does [b]not[/b] prove conclusively that you made the addon. After all, you can hash other people's scripts and post the hash before the script is actually released. - Don't fear, though, because it [b]does[/b] prove that you claimed to have accepted the job before [i]any[/i] drama started, and it also proves that you had the addon before the buyer released it. In Panda's case, Oubliette posting a hash of the addon before handing it over to Panda would have ended all discussion (and left it with people who deny cryptography itself). This method is as simple as downloading a tool, running it on a zip file and copy pasting a string of (seemingly) random characters to pastebin/Facepunch/Coderhire. _Undefined can implement this by allowing scripters to post hashes on coderhire, but even if he doesn't, you can still post it on pastebin or Facepunch. [editline]4th September 2013[/editline] More information on cryptographic commitments and what their use is (and why MD5 is shit) [url]http://www.win.tue.nl/hashclash/Nostradamus/[/url]

Can we get ability to comment reviews ? I've got a review saying: "The car dealer is ok. There is a few things that need to be fixed I asked him and it hasn't been done". The guy hasn't talked to me on steam, coderhire pm nor the comments and yet he posted such a review. You know, I can read minds easily, but not over the internet. I've sent him a PM tho to clear that out, but it seems odd. @Edit: Forgot to add, that's why we could use such an ability to clear things out.

I've received some criticism about my previous post, saying it's not really clear what I'm doing with the hashes. Have an example: I, FPtje have created a script for someone. This person does not want me to tell anyone what I'm working on, but I still want to prove that I made the script. The following hash is SHA-256. [code]49ce2b2ce9779187f8853e726aaadd3d2ff33e9b7d86c123807eb37b2d145611[/code] ---- A few posts later ---- I am now finished with the addon. Have another SHA-256 hash. [code]55b543cf7f5793a461128381775a21d89ab18e9231b00212a5efe5e971ce5993[/code] ---- Some days pass ---- [quote=Han Harry] [_.-Release-._] HI! My name is Han Harry and I made a really cool script! I made this myself, no one else. Here it is! [lua]/*/*/*Made by Han Harry*/*/*/hook.Add("Think", "a", function() for k,v in pairs(player.GetAll()) do /* Han Harry was here */ v:Kill() end end)[/lua] [/quote] This is where I, FPtje, can say [b]bullshit![/b]. Hash the following Lua code in some [url=http://www.xorbin.com/tools/sha256-hash-calculator]hash calculator[/url], and you will see that it matches the second hash I had posted. [lua]hook.Add("Think", "a", function() for k,v in pairs(player.GetAll()) do v:Kill() end end)[/lua] Han Harry edited the code, but it's obvious that it's the same code, since Han Harry only added comments. But not only that, I also claimed that I accepted a job from Han Harry [i]days[/i] before he released it on Facepunch. [quote]I, FPtje (STEAM_0:0:8944068) have accepted a deal for the following addon: KILL EVERYONE EVERY FRAME HAHAHAHAHA I will make this addon for Han Harry (STEAM_0:1:7099)[/quote] Hash the above text, and you will find that it matches the first hash I posted. This proves that I accepted the job days before Han Harry released the script. The only thing Han Harry can do is say that he made the script, gave it to me, that we got into a fight and that he released the script several days later. That's the one thing these hashes (called commitments) do not prove. You can solve this by putting evidence of the buyer requesting the script in the hash. You can also use git to track development of the script, which will prove that you authored all the bits that lead up to the final product. This is one of the reasons why I recommend using version control even if you're working alone. Side note: There are hash calculators for zip files, rar files an pretty much any other file format. You can hash anything that exists of bits and bytes.

The problem with all the hashing stuff is that changing one bit in the zip will give a completely different hash, making the whole thing pretty pointless because if somebody does decide to try sell someone else's work, they're likely to add/change their name in the file. I am absolutely open to suggestions to prevent this sorta stuff, but with the open source nature of lua, it's pretty difficult to do.

You could have CH transfer the addon from the developer to the hirer. 1) Developer uploads file as zip 2) CoderHire logs hash 3) Hirer downloads the files 4) Hirer either doesn't pay and keeps the files or releases them when that goes against the agreed license. 5) Coder has proof that he is the original author as he can provide zip that when hashed will match the hash logged on CH, CH's hash must have a timestamp and must be tied with whoever uploaded it and who supposedly paid him to make it.

[QUOTE=_Undefined;42077233]The problem with all the hashing stuff is that changing one bit in the zip will give a completely different hash, making the whole thing pretty pointless because if somebody does decide to try sell someone else's work, they're likely to add/change their name in the file. I am absolutely open to suggestions to prevent this sorta stuff, but with the open source nature of lua, it's pretty difficult to do.[/QUOTE] Save the zip file that matches the hash. Never expect the buyer to provide the zip file that matches the hash. The point of the commitment is that you have your coded addon, you prove that you had it before the other guy released it. I should edit my example to not rely on Han Harry to provide the code that matches the hash.

Maybe if you compile lua files, strip debug information, and hash them after that?

[QUOTE=MDave;42077593]Maybe if you compile lua files, strip debug information, and hash them after that?[/QUOTE] Not necessary and it wouldn't work. I'm sure you can add meaningless bytes to the bytecode. Besides, if one edits the Lua even slightly, the hash would still be different. The property of hashes that they change completely is actually the property that gives hashes their power of evidence. Hashes still work even if the buyer edits the addon to change their name. After all, you store the zip file that matches the hash. If you [i]don't[/i] store the zip file, you might never be able to create a zip file with the same hash. After all, the ideal hashing algorithm has the following property: changing one bit in the input file will cause [i]each[/i] bit in the hash to have [u]exactly[/u] 50% chance to flip. No hashing algorithm actually has this property, but the common ones come close enough. (and it's way too academic, you can ignore this paragraph, really) So you have to keep the original zip that matches the hash anyway. It doesn't matter if the buyer changes the addon slightly. The evidence is in the fact that [b]you[/b] had the addon (your version of it) [i]before[/i] the buyer did, and especially before the buyer released it under his name. [editline]4th September 2013[/editline] [QUOTE=>>oubliette<<;42077532]You could have CH transfer the addon from the developer to the hirer. 1) Developer uploads file as zip 2) CoderHire logs hash 3) Hirer downloads the files 4) Hirer either doesn't pay and keeps the files or releases them when that goes against the agreed license. 5) Coder has proof that he is the original author as he can provide zip that when hashed will match the hash logged on CH, CH's hash must have a timestamp and must be tied with whoever uploaded it and who supposedly paid him to make it.[/QUOTE] That would work, but it has some downsides. The first is that it's quite some work for _Undefined to implement. It's up to _Undefined whether he considers this "much" though. The second downside is that _Undefined will have access to all the addons uploaded to coderhire. For buyers this might be a reason to avoid Coderhire if they want the addon to be confidential. He would be put in a position of trust that could get him in trouble in the form of accusations that he stole private scripts that were uploaded to coderhire. The access to the zip files alone could damage his reputation, even if he's the most trustworthy guy on the planet. But otherwise it's a pretty good idea, and it would work. Your idea would also prove that the transaction occurred between the two people, which is something neither of my two ideas prove. That is unless you also make a screenshot of a steam chat/email/whatever and post that hash as well.

_Undefined already has access to all the scripts you know. I really don't think it's a problem.

[QUOTE=tommy228;42077888]_Undefined already has access to all the scripts you know. I really don't think it's a problem.[/QUOTE] Oh, I didn't know. In that case, I don't think CoderHire will have to log the hash. CoderHire would serve as an impartial party that confirms the existence of an addon, uploaded by a certain user at a certain point in time.

[QUOTE=FPtje;42078083]Oh, I didn't know. In that case, I don't think CoderHire will have to log the hash. CoderHire would serve as an impartial party that confirms the existence of an addon, uploaded by a certain user at a certain point in time.[/QUOTE] I think you didn't understand me. When I said scripts I was talking about the [url="http://coderhire.com/scripts/index"]scripts section[/url], he has access to all the scripts there and I don't see any reason to not trust him. But still, private scripts are different.

[QUOTE=tommy228;42078292]I think you didn't understand me. When I said scripts I was talking about the [url="http://coderhire.com/scripts/index"]scripts section[/url], he has access to all the scripts there and I don't see any reason to not trust him. But still, private scripts are different.[/QUOTE] Oh, so the "jobs" section can still describe private scripts? In that case: A person that doesn't have access to private information can be trusted infinitely more than someone who does. You can't steal information that you don't have. This is cryptographically the best option (if it is available). Not only does this position prevent people in power from abusing the information they have, it also makes sure that they cannot be accused of power abuse. Some people are paranoid, those people can be reassured if the owner of CoderHire does not have access to their private scripts. I never meant to imply that _Undefined is not trustworthy. The person doesn't matter when I talk about redundant positions of trust on this abstract level.

Don't know if this is the right section to post it so correct me if I am wrong. I recently lost a SWEP that a coder made for me 2 weeks ago on CoderHire. I somehow forgot to back it up during the hacking festival on my server. Now he refuses to make me another one even though it is like 40 lines of code. If it is completely my fault and I should just make another job request then please say so.

I posted a comment and thought it didn't post because it didn't show up, so I waited 60 seconds and accidentally made two comments. :3

[QUOTE=angelbill5914;42082562]Don't know if this is the right section to post it so correct me if I am wrong. I recently lost a SWEP that a coder made for me 2 weeks ago on CoderHire. I somehow forgot to back it up during the hacking festival on my server. Now he refuses to make me another one even though it is like 40 lines of code. If it is completely my fault and I should just make another job request then please say so.[/QUOTE] Surely they should still have a copy lying around they can simply give to you?

[QUOTE] I have no clue. Hilarity and kinda a report. [url]http://pastebin.com/Byz1BjMW[/url] EDIT: Sorry heres his steam permalink: [url]http://steamcommunity.com/profiles/76561197989645326[/url] [/QUOTE] Does this suffice as a reason for a ban on CH? [url]http://facepunch.com/showthread.php?t=1305288&p=42100819&posted=1#post42100819[/url]

Matt you are a real dick. Lack of knowledge, I wont be doing it anymore.

[QUOTE=Damnedone;42101127]Matt you are a real dick. Lack of knowledge, I wont be doing it anymore.[/QUOTE] You did it already so your out of here imo. No your the dick for redistributing other peoples hard work.

I bought it for other people oh no!

So the drama begins. Better grab some popcorn.

[QUOTE=Netheous;42101318]So the drama begins. Better grab some popcorn.[/QUOTE] [IMG]https://mycotopia.net/forums/attachments/mycotopia-historic-threads/104559d1224546425-smilies-emoticons-1947_eating_popcorn_and_drinking_beer.gif[/IMG]

I think implementing something like FPtje suggests is a great idea. I was able to undeniably prove that the TTT Level System addon Panda leaked on facepunch was mine, only because he was stupid enough to leave a console command I put in that contained my name (ls_credits). Even then, I only implemented this console command after how shady he was acting and seeing that he already removed me from the file boiler-plates / info.txt once, and figured something like this would happen in the future. If it were not for those precautions there really wouldn't have been a 100% solid way for me to prove the code was mine, which really sucks. Setting up some system to help prove author authenticity is vital, or else your going to start seeing alot of work with insurance. I think a nice way for jobs atleast would be for the developer to upload his work to coderhire after its complete, where its hashed and provided to the client so we can maintain some sort of history.

Although an implementation could be useful with my hashing idea, people can start posting hashes in this thread or pastebin right now. People can also start using git. Private repositories are free on sites like assembla and bitbucket. No one has to wait for an implementation. Also, if you use svn instead of git, it proves slightly less in court because it doesn't use asymmetric cryptography, but if your svn account is proven to be yours, it should prove more than enough.

[QUOTE=FPtje;42106278]Also, if you use svn instead of git, it proves slightly less in court because it doesn't use asymmetric cryptography, but if your svn account is proven to be yours, it should prove more than enough.[/QUOTE] Don't think anyone's gonna go to court over a Coderhire job... but if they do they'll be happy they used git!

[img]http://i.imgur.com/DV1GTlE.png[/img] Just noticed this when I was about to update my subscription. The cancel button :c