Author Topic: FBA Downloading  (Read 12767 times)

Offline Barry Harris

  • dontbeabarry
  • *
  • Posts: 1785
  • Karma: +0/-65535
  • I'm Barry Harris and I like to f*** people over
FBA Downloading
« on: August 12, 2008, 04:54:09 AM »
I'm really excited by the auto download feature that Captain CPS-X is working on. It's pretty exciting and I can see all sorts of good uses for it. I can also see a couple of problems that we need to think about and see if we can somehow prevent.

1.   I'm wondering if it's possible to keep unapproved builds out. What I mean is if we have a build that is violating the license can we lock it out? We need some kind of checksum based on the exe and only approved ones are allowed to connect.

2.   I'm worried about somebody using this feature and turning it into an auto-download roms feature - not good. Can anyone think of a good way to prevent this? I know the roms are larger than images and bandwidth usage will probably make it very difficult for someone to host - but if we can think of a way to make it more difficult then we probably should.

I'm not saying we can prevent these two things - I'm just saying we should try as hard as we can to prevent them. Anyone have any ideas? Probably best not to get into absolute specifics here as we don't want to publicly post anything that could help circumvent anything we come up with.
Account of Barry Harris; the traitor.
Send me an e-mail at barry@fbalpha.com letting me know how big of a piece of sh** I am.

Offline CaptainCPS

  • FBNeo Dev
  • ******
  • Posts: 1513
  • Karma: +127/-0
  • FB Alpha Team
    • CaptainCPS's Home
Re: FBA Downloading
« Reply #1 on: August 12, 2008, 05:41:00 AM »
I was worried a bit about that too, and well at least we should make a modification to the license mentioning uses / modifications not allowed to the source code.

Probably we could make this feature excluded from the 'released source' someway but the feature working in the official 'build' release, that way nobody can use the source of that particular feature.

Other thing is, something I'm not sure if it can be done, encrypt the source in a way that can't be modified xDDD we can do a puzzle or something to make that function a hell xDD LOL

Those are the ideas I have right now but probably will come with more later. For now the thing we can do is keep the source of that feature private until we come up with an idea ?  :p

SeeYaa!
 :biggrin:


Offline 0746

  • Expert
  • *****
  • Posts: 108
  • Karma: +2/-0
Re: FBA Downloading
« Reply #2 on: August 12, 2008, 05:44:24 AM »
Umm I don't think no 1 is possible. Even if that kind of authentication was introduced, checksum based or otherwise, the fact that FBA is open source will work against it. It's not practical to think about those kinds of security when it's this easy to hack. The same thing applies for no 2. If someone really wanted to add that feature, this image downloading feature being or not being there won't make any difference. Because it's in the public domain, it's not something the developers should worry about. Discouraging is the only thing that can be done about them.

The only thing you could do to protect yourself against rom download is not host roms. For the images, you can put a cap on the maximum no of images that can be downloaded per day per ip address.
« Last Edit: August 12, 2008, 05:47:41 AM by 0746 »

Offline CaptainCPS

Re: FBA Downloading
« Reply #3 on: August 12, 2008, 06:00:35 AM »
Before going to sleep I have an idea for the no 1 ...

Only the official build or allowed builds can use the image download feature, how to make this?... FTP based downloads, only Barry and allowed users can access the server

Source can be released with the URL in blank...then I give Barry the information so he can use it in his build ^^

If anyone wanna use the feature on other builds they must use other server  :cool: because mine will have encrypted directory names that can't just be known random + FTP user / pass are needed

For no 2 I haven't come with something because FBA is Open Source..and anything we do will be modded / hacked, so it's better to discourage the wrong use of the source code like 0746 said  :smilie:

SeeYaa!
 :biggrin:

kev

  • Guest
Re: FBA Downloading
« Reply #4 on: August 12, 2008, 06:13:34 AM »
The only way is to put a clause in the licence. At least that way you could go after an abusing build. Also I like Cap's idea of taking the URL out of the code to save bandwidth but that won't stop determined people. Also we should make the URL configurable if we are not load balancing across multiple servers or maybe randomly select which server to use at the client end?

Offline Barry Harris

Re: FBA Downloading
« Reply #5 on: August 12, 2008, 06:16:57 AM »
Quote
The only way is to put a clause in the licence. At least that way you could go after an abusing build. Also I like Cap's idea of taking the URL out of the code to save bandwidth but that won't stop determined people. Also we should make the URL configurable if we are not load balancing across multiple servers or maybe randomly select which server to use at the client end?

Agreed. I really want all the code to be public - but that does limit our options. License enforcement is the only real option. I was just hoping to shut closed source builds out if possible. :)

I think the URL should definitely be configurable - it seems EmuFrance have offered their server so with Cap and EF we have two for the user to choose from. :)

Offline 0746

Re: FBA Downloading
« Reply #6 on: August 12, 2008, 06:24:18 AM »
URL should be masked. It's possible to write a php script to act as an access controller to not give out the file directory.
e.g. something like barryharris.com/.../getResource.php?category=tile&rom=opwolf
and it can respond with the png image or whatever format tiles have. Can also keep a back end database with access times and ip address of the last 24 hours.

I think that can be achieved simply

If ftp/password type thing is used, users will have to register.
« Last Edit: August 12, 2008, 06:26:43 AM by 0746 »
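
One way to write the access controller with the 24-hour per-IP log described in the post above, as an added example that is not code from the thread. The function names, the category list, the cap of 3 requests and the `.png` suffix are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code. All names here are hypothetical.

const CATEGORIES = ['previews', 'titles', 'flyers', 'marquees']; // fixed allow-list
const DAILY_CAP  = 3;      // constructed limit, kept small so the demo reaches it
const WINDOW     = 86400;  // "last 24 hours", in seconds

function open_log(): PDO {
    $db = new PDO('sqlite::memory:'); // a deployment would use a file or server database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE hits (ip TEXT NOT NULL, ts INTEGER NOT NULL)');
    return $db;
}

// Returns [HTTP status, relative file path or null]. The client supplies only
// a category and a set name; it never sees or chooses the storage directory.
function resolve(PDO $db, string $ip, array $query, int $now): array {
    $cat = $query['category'] ?? '';
    $rom = $query['rom'] ?? '';
    if (!is_string($cat) || !is_string($rom)) return [400, null];
    // The category must equal an allow-list entry and the name may contain only
    // set-name characters, so "/" and ".." can never become part of the path.
    if (!in_array($cat, CATEGORIES, true) || !preg_match('/\A[a-z0-9_]{1,32}\z/', $rom)) {
        return [400, null];
    }
    // Drop entries older than the window, then count what this address has left.
    $db->prepare('DELETE FROM hits WHERE ts <= ?')->execute([$now - WINDOW]);
    $count = $db->prepare('SELECT COUNT(*) FROM hits WHERE ip = ?');
    $count->execute([$ip]);
    if ((int)$count->fetchColumn() >= DAILY_CAP) return [429, null];
    $db->prepare('INSERT INTO hits (ip, ts) VALUES (?, ?)')->execute([$ip, $now]);
    // On 200 the real script would send header('Content-Type: image/png')
    // and readfile() this path under a directory outside the web root.
    return [200, "$cat/$rom.png"];
}

// Constructed requests from one documentation address (192.0.2.10).
$db = open_log();
$t  = 1218520000;
$requests = [
    ['category' => 'titles',   'rom' => 'opwolf'],
    ['category' => '../conf',  'rom' => 'opwolf'],       // category not in the allow-list
    ['category' => 'flyers',   'rom' => '../../passwd'], // name fails the pattern
    ['category' => 'flyers',   'rom' => 'mslug'],
    ['category' => 'previews', 'rom' => 'mslug'],
    ['category' => 'titles',   'rom' => 'mslug'],        // fourth accepted-format hit
];
foreach ($requests as $q) {
    [$status, $path] = resolve($db, '192.0.2.10', $q, $t++);
    printf("%-9s %-13s -> %d %s\n", $q['category'], $q['rom'], $status, $path ?? '-');
}
```

Rejected requests are not written to the log, so malformed input cannot be used to exhaust another caller's quota behind a shared address.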

kev

Re: FBA Downloading
« Reply #7 on: August 12, 2008, 07:10:20 AM »
Quote
URL should be masked. It's possible to write a php script to act as an access controller to not give out the file directory.
e.g. something like barryharris.com/.../getResource.php?category=tile&rom=opwolf
and it can respond with the png image or whatever format tiles have. Can also keep a back end database with access times and ip address of the last 24 hours.

I think that can be achieved simply

If ftp/password type thing is used, users will have to register.

Yeah, that wouldn't be a bad idea. No idea how to do that in PHP tho, I can only .net web stuff. :)

Offline CaptainCPS

Re: FBA Downloading
« Reply #8 on: August 12, 2008, 07:41:02 AM »
Quote
Yeah, that wouldn't be a bad idea. No idea how to do that in PHP tho, I can only .net web stuff. :)

I have used php in the past and that idea is fantastic, still I need to check if the masked link will return the image data, most probably it will, I just really don't remember xD, because there is no intermediate data received while connecting using that method

PS: I tried to sleep but I can't, so I'll be working with some things until I get the need of sleep xD

SeeYaa!
 :biggrin:

Offline 0746

Re: FBA Downloading
« Reply #9 on: August 12, 2008, 07:54:20 AM »
If you just read and flush content of the file, it'll work. Hope that rings some bells. I believe the package you're using to download takes care of the HTTP protocol stuff.

For browsers, you can use the header("Content-type: [png or whatever else content type here]"); to modify the response content type but it shouldn't be needed for FBA.

Offline CaptainCPS

Re: FBA Downloading
« Reply #10 on: August 13, 2008, 11:05:55 PM »
Check this out ...

http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=previews/&key=NOTHINGSPECIAL

and these...

http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=titles/&key=FBAKEY
http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=flyers/&key=WHATEVER
http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=marquees/&key=WTFJUSTLOAD

now if you try this 'temporary' KEY...

http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=titles/&key=20-ABC-30-ABC-40-ABC-50-ABC-00-FBA-KEY
http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=previews/&key=20-ABC-30-ABC-40-ABC-50-ABC-00-FBA-KEY
http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=flyers/&key=20-ABC-30-ABC-40-ABC-50-ABC-00-FBA-KEY
http://fightercore.plesk3.freepgs.com/getimage.php?img=mslug&type=marquees/&key=20-ABC-30-ABC-40-ABC-50-ABC-00-FBA-KEY

you can access any image ^^ ... since I'm not finished working on this I do not worry ppl see my current url, later I will change things >__> xD

The idea of this is that I, owner of the server space provided to host the images for now, authorize 'FBA Official Project' to have access to all my preview images, including flyers, marquees, cabinets, etc...this authorization is a KEY only in the official compiled build, the source should be released with the variable 'szOfficialAuthKey' with an empty value.

The ingame 'previews' will be available for public use, so doesn't need the official key to use the url

I hope everyone likes the idea, it's the most I could do to protect my bandwidth and the bandwidth of other people wanting to contribute.

btw, if someone wanna contribute I can send you the 2 .php files I made needed for this to work in any server  ;p

SeeYaa!
 :biggrin:

Offline 0746

Re: FBA Downloading
« Reply #11 on: August 13, 2008, 11:29:00 PM »
The key thing is futile =/ I thought you were gonna design a new encryption scheme and not release its sources but this is the simplest among the simplest approaches. Given a fba binary build that can download from your site, it'll take anyone around 30 seconds to 3 minutes to find its key. That's assuming people who don't have a packet sniffer installed on their system will download and install one in 2 minutes and 30 seconds.

Offline CaptainCPS

Re: FBA Downloading
« Reply #12 on: August 13, 2008, 11:40:43 PM »
Quote
The key thing is futile =/ I thought you were gonna design a new encryption scheme and not release its sources but this is the simplest among the simplest approaches. Given a fba binary build that can download from your site, it'll take anyone around 30 seconds to 3 minutes to find its key. That's assuming people who don't have a packet sniffer installed on their system will download and install one in 2 minutes and 30 seconds.

I designed this entire idea based on the following... 

Quote
URL should be masked. It's possible to write a php script to act as an access controller to not give out the file directory.
e.g. something like barryharris.com/.../getResource.php?category=tile&rom=opwolf
and it can respond with the png image or whatever format tiles have. Can also keep a back end database with access times and ip address of the last 24 hours.

I think that can be achieved simply

If ftp/password type thing is used, users will have to register.

:p, the key was something I decided to add but without a key it would be easier to hack...(btw not everyone knows about packet sniffers, you just contributed to the cause xD)

anyway, there must be a way to encrypt the connection or something..or there would not be sites like 'Paypal' working xD

SeeYaa!
 :biggrin:

Offline CaptainCPS

Re: FBA Downloading
« Reply #13 on: August 14, 2008, 12:32:14 AM »
Ahhh, whatever xDDD...I will let everyone get the images, use my server as you like xDD LOL

I'm tired and hungry now, I did UNDO to everything in my source, since everything I do will have a "hack possibility" I will just stop wasting time on this matter :p

I declare my server a public domain from now on!  :cool:

SeeYaa!
:biggrin:

Offline 0746

Re: FBA Downloading
« Reply #14 on: August 14, 2008, 12:38:39 AM »
damn =(
you gave up too soon
I was thinking of writing a few "How to hack FBA's encryption" tutorials.