Jump to content




MineCredit (Credit cards in minecraft)

networking wireless lua

25 replies to this topic

#1 PossieTV

  • Members
  • 62 posts

Posted 11 December 2012 - 04:51 PM

This program adds money called MineCredit to minecraft.

Different programs
Spoiler


Downloads

Pictures
Spoiler


#2 Bubba

    Use Code Tags!

  • Moderators
  • 1,142 posts
  • LocationRHIT

Posted 11 December 2012 - 06:22 PM

I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?

#3 PossieTV

  • Members
  • 62 posts

Posted 12 December 2012 - 02:17 PM

View PostBubba, on 11 December 2012 - 06:22 PM, said:

I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?

I prefer media fire over paste bin for a couple reasons, 1. I can see how many downloads i get (so I can see if I am getting more downloads as the versions progress) 2. I think it would be easier than for you (since its just one link and you guys don't have to copy and paste anything). The credit cards are pretty secure. The only way for someone to make a copy is if they got your card and make a program that copies them.

#4 Bubba

    Use Code Tags!

  • Moderators
  • 1,142 posts
  • LocationRHIT

Posted 12 December 2012 - 02:40 PM

View PostPossieTV, on 12 December 2012 - 02:17 PM, said:

View PostBubba, on 11 December 2012 - 06:22 PM, said:

I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?

I prefer media fire over paste bin for a couple reasons, 1. I can see how many downloads i get (so I can see if I am getting more downloads as the versions progress) 2. I think it would be easier than for you (since its just one link and you guys don't have to copy and paste anything). The credit cards are pretty secure. The only way for someone to make a copy is if they got your card and make a program that copies them.

Okay, it's your preference. The reason I requested pastebin is because my phone does not have zip capability (or at least, it is a pain in the ass to work) and my computer is broken.

As to the security, let me change my question somewhat (although the duplication issue is a fairly valid security concern to consider). How vulnerable is the server and other rednet reliant programs. What would happen if I were to send fake deposit/withdrawal messages to the server? How easy is it to fake deposit/withdrawal messages to the server? Questions like that.

#5 immibis

    Lua God

  • Members
  • 1,033 posts
  • LocationWellington, New Zealand

Posted 12 December 2012 - 02:55 PM

View PostBubba, on 12 December 2012 - 02:40 PM, said:

View PostPossieTV, on 12 December 2012 - 02:17 PM, said:

View PostBubba, on 11 December 2012 - 06:22 PM, said:

I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?

I prefer media fire over paste bin for a couple reasons, 1. I can see how many downloads i get (so I can see if I am getting more downloads as the versions progress) 2. I think it would be easier than for you (since its just one link and you guys don't have to copy and paste anything). The credit cards are pretty secure. The only way for someone to make a copy is if they got your card and make a program that copies them.

Okay, it's your preference. The reason I requested pastebin is because my phone does not have zip capability (or at least, it is a pain in the ass to work) and my computer is broken.

As to the security, let me change my question somewhat (although the duplication issue is a fairly valid security concern to consider). How vulnerable is the server and other rednet reliant programs. What would happen if I were to send fake deposit/withdrawal messages to the server? How easy is it to fake deposit/withdrawal messages to the server? Questions like that.
The server does not check the sender ID.
Any computer can send activation messages to the server to create accounts with 100 credit, then transfer their balance to someone's account.
The server also doesn't check for negative balance, so you can easily get a lot of money by making two accounts, then transferring a large amount of money from one to the other.
Unrelated, the server will also crash with a stack overflow after processing a lot of transactions.

#6 dissy

  • Members
  • 181 posts

Posted 12 December 2012 - 03:09 PM

I'll admit I haven't installed the program yet, but I'm reading over the code files (especially the server) and feel a bit confused.

So I gather "Activate" is used to create a new card. It asks for input for the "card ID" and simply stores that in a file on the disk.
I'd gather if you used huge numbers, such as 16 digits or more like on a real credit card, these would be pretty hard to guess at.

But the server program is what worries me.

There doesn't appear to be any checks in the code to prevent a transfer from happening when the person's card doesn't have enough funds on it.
It doesn't even appear to check if the card ID is valid at all, so you can simply make a text file on a disk with a random number, and transfer your initial $100 off of it to your real card, and keep doing that all day (or have a turtle do it for you) until you are a billionare.

I also suspect the server program would actually crash if you spoofed a card ID that did not exist, since it looks like it just tries to read their balance from a non-existant file, without checking first.

Your idea is nice, but the implimentation needs a bit of work

#7 PossieTV

  • Members
  • 62 posts

Posted 13 December 2012 - 03:46 PM

View Postdissy, on 12 December 2012 - 03:09 PM, said:

I'll admit I haven't installed the program yet, but I'm reading over the code files (especially the server) and feel a bit confused.

So I gather "Activate" is used to create a new card. It asks for input for the "card ID" and simply stores that in a file on the disk.
I'd gather if you used huge numbers, such as 16 digits or more like on a real credit card, these would be pretty hard to guess at.

But the server program is what worries me.

There doesn't appear to be any checks in the code to prevent a transfer from happening when the person's card doesn't have enough funds on it.
It doesn't even appear to check if the card ID is valid at all, so you can simply make a text file on a disk with a random number, and transfer your initial $100 off of it to your real card, and keep doing that all day (or have a turtle do it for you) until you are a billionare.

I also suspect the server program would actually crash if you spoofed a card ID that did not exist, since it looks like it just tries to read their balance from a non-existant file, without checking first.

Your idea is nice, but the implimentation needs a bit of work

First of all, thank you. This is the just first version (or rough draft) it is more of a template that I will use to create something more secure. The thing I am working on right now, is an encryption system to encrypt the password. The encrypted password will be sent to the server anytime a transaction takes place and decrypted by the server (so people don't send fake messages to the server).

#8 dissy

  • Members
  • 181 posts

Posted 13 December 2012 - 05:24 PM

View PostPossieTV, on 13 December 2012 - 03:46 PM, said:

First of all, thank you. This is the just first version (or rough draft) it is more of a template that I will use to create something more secure. The thing I am working on right now, is an encryption system to encrypt the password. The encrypted password will be sent to the server anytime a transaction takes place and decrypted by the server (so people don't send fake messages to the server).

Encryption for between the server and client(s) over rednet is a good plan.
However for password storage, you might not want to use encryption, but instead use one-way hashing. This offers many advantages in security.

The basic process would be, when a user is setting up their account and setting a password for the first time, take the input and put in variable one.
Then immediately pass that variable to the one-way hasing function, storing the hash in variable two. Then set variable one to a blank string.
The plaintext password is now gone (and thus safe), so save the hashed password along with their username/id.

Later when that user goes to authenticate, you do the same process. input into var, hash the var, and blank it.
Then you can compare the hash you currently have, with the hash stored in their account.
If they match, the user has typed the same thing this time as they did the first time, whatever that thing may be. If they don't match, give a "wrong password" error.

Most people re-use the same password many places, which yes is a horibly bad idea, but that's what happens.
For a non-insignifigant percentage of users, if a hacker stole your password file and it contained plain text passwords, now the hacker might have access to the users minecraft account, email, and who knows what else.
Worse, if you had the passwords encrypted in a reversable way, well clearly the server program would need to know the key to decrypt them, which means that key would need to be stored somewhere that the hacker also has access to. That means they could just decrypt the passwords too, and the encryption didn't protect anything.
If you assume the worse (a hacker copied every last file from the server), with one way hashing all they could do is try every word in a dictionary (a brute force) which takes time, and is easily thwarted by not using words in the dictionary as passwords ;}
But that would be a lot better than basically handing them both the encrypted passwords and the key to decrypt them.

As an administrator, you'll never have a need to know their password. You can reset a password if one is forgotten, and you can compare hashes to know if what was typed matches what was stored.

I do recall someone posting code to do SHA1 hashing. I'd avoid rc5 since it's not really that good these days.

Also if you use one of the many LAN cable mods out there instead of rednet, that will eleminate the need for encryption all together, and make the job that much easier.

#9 immibis

    Lua God

  • Members
  • 1,033 posts
  • LocationWellington, New Zealand

Posted 13 December 2012 - 05:37 PM

View Postdissy, on 13 December 2012 - 05:24 PM, said:

Also if you use one of the many LAN cable mods out there instead of rednet, that will eleminate the need for encryption all together, and make the job that much easier.
Not mine :P

#10 dissy

  • Members
  • 181 posts

Posted 13 December 2012 - 05:54 PM

View Postimmibis, on 13 December 2012 - 05:37 PM, said:

View Postdissy, on 13 December 2012 - 05:24 PM, said:

Also if you use one of the many LAN cable mods out there instead of rednet, that will eleminate the need for encryption all together, and make the job that much easier.
Not mine :P

Your cables allow intercepting and/or spoofing? To be honest I had no idea.

I stand corrected - point-to-point communications would be the required feature to look for, before deciding not to encrypt the communications.

#11 FUCKCOMPUTERCRAFT!"£

  • Validating
  • 87 posts
  • LocationBasement

Posted 14 December 2012 - 12:24 PM

View Postdissy, on 13 December 2012 - 05:24 PM, said:

View PostPossieTV, on 13 December 2012 - 03:46 PM, said:

First of all, thank you. This is the just first version (or rough draft) it is more of a template that I will use to create something more secure. The thing I am working on right now, is an encryption system to encrypt the password. The encrypted password will be sent to the server anytime a transaction takes place and decrypted by the server (so people don't send fake messages to the server).

Encryption for between the server and client(s) over rednet is a good plan.
However for password storage, you might not want to use encryption, but instead use one-way hashing. This offers many advantages in security.

The basic process would be, when a user is setting up their account and setting a password for the first time, take the input and put in variable one.
Then immediately pass that variable to the one-way hasing function, storing the hash in variable two. Then set variable one to a blank string.
The plaintext password is now gone (and thus safe), so save the hashed password along with their username/id.

Later when that user goes to authenticate, you do the same process. input into var, hash the var, and blank it.
Then you can compare the hash you currently have, with the hash stored in their account.
If they match, the user has typed the same thing this time as they did the first time, whatever that thing may be. If they don't match, give a "wrong password" error.

Most people re-use the same password many places, which yes is a horibly bad idea, but that's what happens.
For a non-insignifigant percentage of users, if a hacker stole your password file and it contained plain text passwords, now the hacker might have access to the users minecraft account, email, and who knows what else.
Worse, if you had the passwords encrypted in a reversable way, well clearly the server program would need to know the key to decrypt them, which means that key would need to be stored somewhere that the hacker also has access to. That means they could just decrypt the passwords too, and the encryption didn't protect anything.
If you assume the worse (a hacker copied every last file from the server), with one way hashing all they could do is try every word in a dictionary (a brute force) which takes time, and is easily thwarted by not using words in the dictionary as passwords ;}
But that would be a lot better than basically handing them both the encrypted passwords and the key to decrypt them.

As an administrator, you'll never have a need to know their password. You can reset a password if one is forgotten, and you can compare hashes to know if what was typed matches what was stored.

I do recall someone posting code to do SHA1 hashing. I'd avoid rc5 since it's not really that good these days.

Also if you use one of the many LAN cable mods out there instead of rednet, that will eleminate the need for encryption all together, and make the job that much easier.

I'm looking into a LUA encryption program ATM :) Im planning to start over the weekend, it probably wouldn't be strong but it will offer some protection. So keeps your eyes open to see my epic fail :L

#12 dissy

  • Members
  • 181 posts

Posted 14 December 2012 - 12:49 PM

View Postx0pk1n, on 14 December 2012 - 12:24 PM, said:

I'm looking into a LUA encryption program ATM :) Im planning to start over the weekend, it probably wouldn't be strong but it will offer some protection. So keeps your eyes open to see my epic fail :L

I'm personally not proficient enough to do the job correctly in Lua, however after seeing all the half finished apis out there, I'm really thinking strongly about dusting off my old encryption server app.
Long ago I wrote this encryption server and its own protocol so that another device I was working with, with a very limited language and memory (a basic stamp microcontroller specifically), could send data to it for encryption and get the result back to use and relay off.

My server app already does aes, blowfish, and des, as well as the md4, md5, md5crypt, and sha1 hashes.

While serial communication with it is out of the question, at least socket would be possible. Unfortunately for CC the only comm channel that's readily available is http, and while that would be very possible to use, I fear the overhead would slow things down too much for most network related uses.

But I can see this working over http... send a request to localhost for /blowfish and pass all but the data as get arguments, such as ?mode=ecb&dir=encrypt&initvector=0&pad=1&key=supersecret
Then pass the data as uu-encoded POST data, get the result back as uu-encoded tetx/plain.

Grr, now I think my weekend plans have just changed ;}

#13 Khento

  • Members
  • 40 posts
  • LocationBrazil

Posted 14 December 2012 - 02:07 PM

What a coincidence!
I was working on a similar project.

Well, I'm not a Lua expert but I think your server will have a stack overflow.
I think it would be easier if you just used a while true loop

#14 kornichen

  • Members
  • 220 posts
  • LocationGermany

Posted 17 December 2012 - 01:38 AM

Hey!

I really like this. Maybe I am allowed to implementate it into my OS (link in signature) soon?


Best regards from germany,

kornichen

#15 Flazh

  • New Members
  • 1 posts

Posted 19 December 2012 - 05:30 AM

Hi, i cannot get the ATM to work, i have changed the ID on the ATM to the Server Computer ID, but its still showing a Blank Screen, with nothing, anyone that could assist/help me with this?

This is how i made the ATM, i don't know if its a error:


[Computer][Modem - Side]
[Disk Drive]
[-----Ground-----]

Like this: Posted Image

#16 InputUsername

  • Members
  • 231 posts
  • LocationThe Netherlands

Posted 19 December 2012 - 07:04 AM

Quite nice with the pictures and all, but why no actual 'in-program' screenshots? No pics no clicks :mellow:

#17 FuuuAInfiniteLoop(F.A.I.L)

  • Banned
  • 435 posts
  • LocationThe left part of this post

Posted 20 December 2012 - 04:52 AM

suggestions:
1- Hash the passwords and the rednet messages
2- crypt the id with something and send it like a password to give more security
3- need a password for creating more accounts
4- a type of verification so a player can only create one card
5- History

#18 theoriginalbit

    Semi-Professional ComputerCrafter

  • Moderators
  • 7,332 posts
  • LocationAustralia

Posted 20 December 2012 - 05:52 AM

View Posturielsalis, on 20 December 2012 - 04:52 AM, said:

suggestions:
1- Hash the passwords and the rednet messages
2- crypt the id with something and send it like a password to give more security
3- need a password for creating more accounts
4- a type of verification so a player can only create one card
5- History

Hello urielsalis,

I am currently working alongside PossieTV to merge some programs I have made with his to bring several improvements and new features to this set of programs. Thank you for your suggestions. We are currently working on all these suggestions, except history I'm not sure about that one, I'll have to check and see if we had thought of that. Again thank you for your suggestions :)

EDIT: Oh didn't see 2. what id?

#19 FuuuAInfiniteLoop(F.A.I.L)

  • Banned
  • 435 posts
  • LocationThe left part of this post

Posted 20 December 2012 - 07:06 AM

View PostTheOriginalBIT, on 20 December 2012 - 05:52 AM, said:

View Posturielsalis, on 20 December 2012 - 04:52 AM, said:

suggestions:
1- Hash the passwords and the rednet messages
2- crypt the id with something and send it like a password to give more security
3- need a password for creating more accounts
4- a type of verification so a player can only create one card
5- History

Hello urielsalis,

I am currently working alongside PossieTV to merge some programs I have made with his to bring several improvements and new features to this set of programs. Thank you for your suggestions. We are currently working on all these suggestions, except history I'm not sure about that one, I'll have to check and see if we had thought of that. Again thank you for your suggestions :)

EDIT: Oh didn't see 2. what id?
the id of the computer, to add security so nobody can use a fake computer to gain access

and history is for security reasons so you can see every movement and cancel it also you can view a resume of your account

#20 theoriginalbit

    Semi-Professional ComputerCrafter

  • Moderators
  • 7,332 posts
  • LocationAustralia

Posted 20 December 2012 - 12:02 PM

View Posturielsalis, on 20 December 2012 - 07:06 AM, said:

the id of the computer, to add security so nobody can use a fake computer to gain access

Ahh so you meant to combine the id and something to create the public encryption key

View Posturielsalis, on 20 December 2012 - 07:06 AM, said:

and history is for security reasons so you can see every movement and cancel it also you can view a resume of your account
Yeh I understood the history ;)


thank you.





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users