After seeing the word “id()” I had a flash back in the old days of me trying to hack a program. One of things you could do was scan the memory stored in ram and find values. Such as passwords and or key values for health, points, and lives.
So I did a little searching on google and came across this little website. It takes a memory location and "0"s it out after being used. This would be a great thing to have for a more finish game that has to pass information around and they don’t want others to find out.
Hm, intriguing. I’m not sure if this will solve anything though. If a hacker can get access to your app’s memory anyways, he’ll be able to read the content of your variable before you zero it out. So I’m not sure if this is actually helpful.
The best way to prevent this kind of attacks is to secure your sensitive data in memory, and protect against things like buffer overflows and dereferencing pointers you don’t own, etc.
True, but as long as you’r keeping the data moving, thats another step the hacker has to take in to break in. This would keep lower everyday hackers from actully from changing something fast enuf.
How so? It’s moving faster then any human can find it. (Remember it’s a pool of data, so they would have to re-scan everytime a value changed, moved, flip around, change location.) More or less, it helps protects from a hacker changing the values, not so much reading them I guess.
But again, thats another step that the hacker has to take in and stops lower grade hackers from getting anything useful.
As for protecting the password, just encrypt it and then keep it moving.
Theres no way we can stop all attacks (human are always better then computers;)), but we do try to slow them down.
Try to forget about the romantic Hollywood idea of a hacker as a human at a keyboard guessing passwords. In real life, a hacker is a human writing (or changing) code, and his code is just as fast as your code.
But more importantly, any program that is running locally on the hacker’s computer is subject to attack–he can inject code into the program to make it do what he wants, rather than what you wanted. In particular, he can find the bit of code that zeroes out the memory you’re trying to hide, and replace it with a no-operation sequence instead. Now your sensitive data is out there in the clear where he can read it at his leisure.
This sort of attack is almost trivially easy. You’ve already spent more time thinking about how to protect your data than the hacker will spend getting past your protections.
drwr is right. if a hacker has access to the machine you can totaly forget about security anyway. if you want to do anything. try to keep the network transmission itself as secure as possible.
aside from that security is an illusion. best thing you can do is to keep the players data secure on the network, and (if your dowing networking apps) make sure the server wont be tempered with, and try to minimize the effects hackers can have on the gameplay.
aside from that.there is nothing you can do against them.
amazon’s ebook DRM was cracked within 8 days.
apple’s ipod protection mechanisms are cracked everytime they update them.
pretty much every media encryption was…
even the “ultimatively 100% secure”-advertised british electronic passports where modified in less than 12 minutes after the guy got his hands on it.and copied in less than 20 minutes (with nothing but a nokia out-of-the-box mobilephone)
making applications secure is a nice idea. but you shouldnt waste time to secure the wrong parts of it. there are more important things to focus on than memory. i mean, you should prevent your room-mate from reading your passworts when you sent them to the internet just because he uses wireshark and your password was send in plain text. that’s a security issue.
I don’t quite agree with that. You’re not making it harder for hackers, just more challenging. An inexperienced hacker will get bored of entering ’ or 1=1# in password fields soon enough, and move on to more advanced things. If he finds out that you clean up your sensitive data, writing a program to scan the memory or trace system calls for him would be a trivial step for the hacker.
Not saying that there would be anything wrong with you clearing out your strings. Just saying that it’s a waste of your time. Just make sure that the hacker does not get access to the machine. And if it’s the hacker himself running the program, there’s no way to secure it at all. There are thousands of ways to know exactly what the program is doing, and it isn’t hard to change that behavior. Especially Windows makes that [color=black]easy, but as anyone can run the program under virtualization anyways, theres no way to secure it.
Idk guys, you keep saying one thing and then saying something else XD
I know theres no 100% way to stop a hacker, and you have to tell your self that everyones a hacker on the client side in networking. The server is the only safe point there can be and ever be, but if you leave your client side open your just asking for more people to try and hack it.
Theres many types of hackers and many types of levels for each class.
inexperienced, advance, and except.
Theres no way you can stop the top dog hackers, or even the ones that know what they are doing somewhat, but if you can take one of the levels out, you just cut it by 1/3 of the hackers.
This was just a example on passwords, mainly I saw it for more information such as health-points-speed movements… As for sending data over the network, we can just put a random 256 bit encryption code on it. To “stop”/slow wireshark users from cracking / packit sniffing your passwords on someone network. As for where the data is really at, it’ll be on the server, safe and kept away from the user unless ask, then only a read only-copy message is given.
How about I ask you, how many of the top dog hackers are going to attack your system vs the one the 100000 10-18 year olds that are inexperienced in hacking anyways? Not to many. For the most part, the server just needs to worry about thos hackers while the client just helps fliter out the less inexperienced ones.
I know you can spent years on sercity while it only takes a hacker a few mins to break it lol.
That’s what I don’t agree with. A hacker learns. If he discovers he can’t get access to your passwords the easy way, he’ll learn new ways. And in this particular case, there are dozens of almost-trivial ways.
Reducing the amount of hackers by making it harder to hack is an illusion. In practice, by making it more challenging to hack, you’ll only attract more hackers. Really.
No no, not my passwords, the password in the example was showen how it can be zoerd out. Only way they are going to crack a password is to be in the server it self or just brute force guessing it from the client side or be right there all ready with their target computer (aka wireshark). It’s not going to make it “harder” it’s just going to help slow it down. Like I said before, the more advances ones and the top dog onces all ready know how to break your client down to nothing. The only way to protect that is to have server not take anymore information from them. This just fliters out inexperienced hacker or kids that have a problem playing right.
As he learns, he’ll be bump up into the nexts two classes or levels. As that happens, the admin should notice spikes in his account profile that shouldnt happen. Then the client can be track down and then scan for any tamping using a hash tracker. If the main .exe was found with a different hash, then there is a good changes hes been messing with it.
But with the server running almost of the code, a hacker can only mess with somethings, like the models-collison space-and some other code to help with gravity.