[MUD-Dev] strong encryption for authentication

[Edward Glowacki]

Quoted from Caliban Tiresias Darklock on Wed, Jul 11, 2001 at
08:29:12PM -0700:
> On Wed, 11 Jul 2001 09:35:39 -0400, Edward Glowacki
> <glowack2 at msu.edu> wrote:

>>  1. Cheating
>>  2. Spying

> So... you don't consider these perfectly legitimate applications
> of player ingenuity?

Cheating is not a legitimate application of player ingenuity, IMHO.
In some forms, cheating can totally destroy the carefully crafted
balance of a game, and in others in can destroy the enjoyment of the
game for those that don't cheat.  Think about the Quake style games
that people have built auto-aimers for.  You walk into a room and
before it's humanly possible for anyone to target you, the cheating
player has a bullet flying towards your head.  Yes, it's player
ingenuity, but it devalues the game as a whole when people use it.

As for spying, if you want to support it in a game, build it into
the game itself.  Sniffing a connection is an out-of-game action
that nets in-game benefits.  There is no way for the victimized
characters to protect themselves unless the game supports fully
encrypted sessions, there's no way to even detect it other than
deducing that "Buffy has too much knowledge that she wasn't told,"
and in the general case, there's nothing the victim can do in-game
to offset the advantage gained by the spy (i.e. no equivalent skill
to learn).

So no, I don't think either of these applications of player
ingenuity are desireable in any multi-player universe.

> I do. I won't say I *like* them, because I don't, but let's face
> it: that takes some effort and some thought. I like effort and
> thought. When a player comes up with a good little exploit that
> doesn't actively ruin the game for other people, I think that's
> great. In your two examples, the cheater is finding a wounded
> player in a PK area -- which is a known and accepted risk taken by
> that player -- and the spy is delivering a desired item to someone
> who desires it.

See the above Quake example for people using cheating to ruin the
game for others.  Finding a wounded player in a zone is almost
identical to the Quake scenario, you're using out-of-game
information to give in-game advantages.  In Quake, it's sending a
bullet at someone's head, in PK it's sending a thug to go kill
someone.  Yes there's risk in hiding in PK and trying to heal up,
but if you have an idea of how big the area is, how many other
hiding places there are, and how many people are hunting you, then
you can assess that risk and decide how long to stay there before
moving on or getting out of the zone.  If someone is sniffing your
connection for your location, they have super-human abilities to
track you down, and they will *always* go directly to you just as
the auto-aimer in Quake will *always* hit you.

> I don't think either of those has particularly far-reaching
> consequences.

As long as you don't count "destroying the balance of the game"
far-reaching.

> I couldn't think of any good reason why it should be disallowed,
> either. Players *should* hack the game, reverse-engineer the
> protocol, and know every byte their client sends and receives. If
> they intercept someone else's information, I think they have every
> right to inspect it.

Once again this allows someone to use real-world skills to give them
an advantage in-game.  If this is acceptable, then those that are
physically fit in real life should move faster and hit harder, those
that are "smarter" in real life should learn skills in-game faster,
and those that have more money in real life should start the game
with more gold.  The point of a virtual world is that everyone
starts the same and can build from that base to be whatever they
want to according to the rules of the universe.  As long as the game
is fairly well balanced (which is very difficult to do), every
player will always have a relative advantage in *something* over
other players, and other players will always have a relative
advantage in *something* over them.  But there's always checks and
balances.  If you want people to spy, build hiding and listening
skills into the game and balance them with the ability to "sense
that someone is listening to you" or something.  If any single skill
is one-way and there is no defense against it, it will be abused and
unbalance the game.

> That aside, let's stop and think: has this ever actually HAPPENED?

I've never been thrown through the windshield of a car, but I still
always wear my seatbelt...

> You do at this writing. Whatever encryption scheme you decide
> upon, the player has to acquire a compatible client. At first,
> that will be...  your client. Period. And you will NEVER really
> free the user to choose his *own* client. I don't like that. That
> means I have to develop TWO products, instead of just one.

All it would take is one or two big MUDS to say, "Hey, we're going
to start supporting SSL/SSH connections," and soon there'd be MUD
clients out there that support SSL/SSH.  In fact, a quick search at
SourceForge.net reveals one Unix MUD client that already supports
SSL.

>> There are reasons to dislike *applications* of encryption, that I
>> can understand with things like DVD's, music, etc., but to
>> dislike encryption itself doesn't make sense.

> I think encryption is a pain in the ass. If I can avoid it, I
> will. If I don't think it's necessary, I don't want it. I need a
> *real* reason to use encryption, and it better be a good one.

You appear to dislike current applications/implementations of
encryption, not the encryption itself.  Encryption is moving towards
being more and more transparent.  Look at SSL connections on the
web, those are almost transparent now, since clients that support
them are fairly widespread and the servers support them too.  When
encryption becomes transparent like this, it's much more of a
benefit than when you have to go far out of your way to get
encryption.  Encryption would be ubiquitous already except that the
Internet evolved from a network where data was generally open and
available to most everyone, so privacy and security wasn't a big
concern.  Now we've had to retrofit encryption onto the network, and
surprise, it's a lot more work.

> And until that situation changes, this will remain the case. I
> didn't like PGP even when I could right-click to encrypt and/or
> sign my mail messages in Eudora. It was just a plain old pain in
> the ass. Didn't want it or need it. There was just no point. The
> public key infrastructure never materialised, so PGP was
> essentially the province of a few geeks and paranoiacs. It would
> have been nice, but nobody really cared enough to encrypt
> everything.

Yeah, PGP was a bit of a letdown.  It looked like it would take off,
but never did.  I think the problem is once again that it's
encryption retrofitted onto an inherently insecure medium.  Email
was never designed to be private, so nothing about it is encrypted
except that which users manually do themselves, e.g. PGP.

> Why? Because there was no compelling reason to do so. And there
> still isn't. My credit card information has been sent in the clear
> across the net dozens, if not hundreds, of times. I have never had
> a single problem. Now, if I can happily send my credit card info
> spiraling off through who knows how many routers, SMTP servers,
> and gateways without a problem... don't you think the average
> player can pretty much do the same with his gaming?

Why risk it though if there's a reasonable alternative?  If you can
encrypt traffic as it goes over the network, that's one less place
the bad guys can get ahold of your information.  Security isn't
about making your system invincible, it's about making your system
more difficult to break in than it's worth.  If I encrypt all my
network traffic and you don't, who's password or credit card number
are the bad guys going to go after first (all other things being
equal)?  If I encrypt over the network but leave my computer itself
open to security comprimises, and you use network encryption and
have a secure workstation on your end, who are the bad guys going to
go after first?  Unless there's something very specific about a
particular individual, say one person is a player and another is an
imp or admin or whatever, people will generally go after the easier
target, just as lions go after the weaker members of the herd.

>> And it's really not just a game, it's also a social gathering
>> place.

> Which is, essentially, a CHAT ROOM. Is this rocket science or
> something?  Why don't chat rooms encrypt? Well, because there's no
> good reason for it. Which is pretty much what I've already said.

I don't know why chat rooms don't encrypt.  Probably because people
don't really understand the underlying principles of the network and
realize that it *is* possible for other people to read what they
type.  Even when they do, as is starting to happen with web sites,
credit cards, and SSL, they don't think that anyone would *want* to
listen to them talk.  In a pure chat room, that's probably true.
But an online universe like a MUD isn't a pure chat room, it's also
a game, and in games, people talk about more than their favorite
band, they talk about things like when they are going to raid the
enemy stronghold, who they have grudges against, who owes them
money, etc.  Players will take advantage of this information if they
can get ahold of it.

>> You mentioned business conferences, which could be something you
>> are able to have within one of these virtual environments.

> And which are already supported by very nice business-oriented
> applications which are compatible with any number of encryption
> standards. What self-respecting business would conduct a sensitive
> meeting on a public server anyway?

Probably nobody, but you never know.  Maybe it's a covert way for
them to meet, talk a little bit in key phrases or obscure terms to
negotiate something.  Good cover for selling things really, as long
as both parties understand what's being talked about you can say
something like, "I'll sell you my *gold dagger* for 300," complete
the in-game transaction, then out-of-game complete the real-life
sale.

>> Why *not* just start encrypting everything?

> Because there's no good reason for it.

I think we've gone over many good reasons for it. =)

> No there aren't. ;)

Yes there are! ;) (Hehehe, despite the heated discussion, all I can
think about with this little bit is a couple of little kids out in
the sandbox saying to each other, "No I'm not!" "Yes you are!" "No
I'm not!" "Yes you are!" and it just makes me smile.  A nice little
reminder to myself that we're not out here to kill each other, we're
just pushing ideas around in the sandbox. =) )

> Don't get me wrong on this; I'm doing a lot of devil's advocacy
> here.

Me too.  We're kind of arguing the opposite extremes, but the real
answer I think is somewhere in the middle.  It's good discussion
though, I think, because at least it's making me think this stuff
through and contemplate the issues at hand.

> My primary goal is to get all the various bits and pieces hammered
> out.  I've written a lot of code in my day that I really wish
> someone would have said "what the HELL are you thinking?" about
> *before* I wrote it.

I'm trying to do that with several things myself, to have people
poke all sorts of holes in my ideas before I actually try to build
them.  It's a good strategy.

> I'm not violently opposed to the idea of encryption in MUDs, but I
> *am* violently opposed to the idea of adding features to software
> that serve no good purpose.

Agreed! =) Say NO to bloatware! =)



> Let's look at what we have.

>   1. Encryption would be a Good Thing. Why?

>   2. Because it is a Desirable Feature. Why?

>   3. Because it prevents Undesirable Results. What are they?

>   4. Well, This and That and The Other. Are these real problems?

>   5. Um, no, not really, but they could be. What's the frequency,
>   Kenneth?

I think we've already covered all these, so I'll skip them.

>   6. Ummmmm about ummmm once in a coon's age. What's the resource
>   cost?

It might be easy, it might be hard.  If your code is modular enough,
it should be trivial to add an SSL module instead of a telnet
module.  If not, well then, you may have some work ahead of you to
retrofit.  If you're designing from the ground up, put a layer in
there so that even if you don't want encryption now, you can add it
easily later.

>   7. Ummmm about 20% of the CPU power used by the game. Wouldn't a
>   25% speed increase be better? (current speed == 80%, new speed
>   == 100%, 100/80 == 1.25 == 125%)

I think someone else in this thread noted that encryption isn't that
big of a hit on the CPU, and I think I'd tend to agree.  For a small
player base (say even 100 players online at one time), I doubt you'd
really tax the CPU at all, unless you're running on a very
underpowered server.  For larger active player counts, it would show
up a bit more, but then again, your're more likely to have
rendundant servers or servers with power to spare to handle peak
loads anyways, and you can take the encryption into account when you
buy your hardware, so the CPU hit shouldn't be a big deal.

Depends on what speed increase you are referring to.  Chances are
the limitation will be with the users net connection (just recently
read somewher that the average internet connection you should design
web sites for is 33.6k +/- 10k), so unless your server is really
lagging due to a badly designed loop somewhere, the users probably
wouldn't notice the speed increase.

>   8. Ummmm not with those problems. Doesn't a 25% speed increase
>   benefit all the players all the time?

Nope, see answer to #7.

>   9. Ummmm yes but ummm what about those problems? Do all players
>   have them all the time?

>   10. Ummmm... no. Doesn't that pretty much make your decision for
>   you?

Not quite sure how to answer these right now, skipping. =)

> If you'd like me to continue this line of reasoning through
> hardware encryption accelerators and convincing ISVs to add
> encryption to their clients, I could, but the results aren't
> pretty. ;)

=)

>> find out first themselves) and soon MUD clients will start
>> supporting SSL connections.

> Only a very few of them. The rest will go on not even properly
> supporting the telnet standard. :P

Well that's the kind of problem you get a lot these days, where
people know how to write code but they don't know how to really
*write code*.  Anybody can learn the syntax of a language and start
writing stuff (say a MUD client... ;) ), but unless they really
understand some programming theory and the underlying technologies
their software is going to use (in this case, the telnet protocol),
the end result is going to be less than desireable for others to
use.

--
Edward Glowacki			glowack2 at msu.edu
"Speak softly and carry a +6 two-handed sword."  --fortune
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev