SubSpace Forum Network

JoWie

Member
  • Posts: 900
Everything posted by JoWie

  1. That fails if you have multiple per line though, because * is greedy. In that case you could use instead: (.*?)
  2. Try replacing it with "$1". You will not be able to use regular expressions if the html gets more complex though. In that case you would need a DOM parser, such as the one found in your browser, or by making for example a simple node.js script.
  3. In the config you can specify a port, you then need to forward:

     UDP "port" (e.g. 5000)
     UDP "port"+1 (e.g. 5001)

     And if you are using asss with chatnet you also need to forward TCP on that port. Some routers prevent you from connecting to yourself, so make sure you also let someone else try.
  4. JoWie

    Apply

    ASSS isn't really GPL (after all, everyone has been distributing it with closed sourced security binaries since it was first released). And hyperspace never has been GPL. In theory that would have been a valid practice for the copyright holder (grelminar?). The copyright holder is not bound by the GPL (he can of course not revoke GPL licenses he already gave to other people). The copyright holder can even give out licenses to other people that would like to redistribute the application without the GPL. But you have to indeed look really carefully to find out it is GPL. If I recall correctly, the license was not even in any of the redistributable tarballs that were made.
  5. JoWie

    Apply

    Is this one of the reasons why you stopped working on asss/hyperspace? Anyway I agree that it limits freedom in other ways, and that is exactly my intention. Do note that I rarely use the viral variant of the GPL. I either use LGPL or add a class path exception. The "entire work, as a whole" part of the GPL is something I do not agree with and it is also not made explicit in the GPL. Is linking to a shared library a combined work? What if I put a socket or pipe in between my work and the GPL work? Anyways I have no issues with using closed source games/applications. It is only an issue when I am volunteering my time.
  6. JoWie

    Apply

    The reason why I would prefer open source, in this context, is not a difference in quality/innovation. It is about freedom. Suppose for the sake of argument I am making a subspace clone. If you want to create your own game based on my work (rebrand it, sell it, whatever) you may. If I ever leave, anyone may pick up the work. If someone does not like my tyrannous dictatorship they can create their own community without needing my approval. If you have a zone and desperately want a feature, you can make it yourself without having to wait for the JoWie council to develop it. I would only ask in return: You keep my work open. But what you do with additions to my work, for example by using modules or different assets is up to you. (e.g. AGPL with class path exception). You give a little credit where it is due. Having said that, I am not against closed source software. I develop plenty of software that is proprietary. The difference is one of goals and core values. It is a different kind of project. Both approaches have downsides and upsides.
  7. JoWie

    Apply

    The reason for me to not participate with phoenix is because it is or was closed source. I am not saying closed source is bad, just that I do not wish to participate/help in a non-trivial way with such a project. (unless you pay me haha)
  8. JoWie

    Apply

    Where is the code?
  9. In my opinion having to store passwords in cleartext on the client side (or not storing passwords at all) is unacceptable. p could be another hash. Just like the method you posted earlier. The database would then need to store xplain and vplain and xhashed and vhashed. The web interface would use the first two, client authentication would use the last two.
  10. Do you mean bcrypt? Yeah, I've seen it, I have actually mentioned one that is very similar in this thread, scrypt. Scrypt has an advantage over bcrypt, you can also vary the memory that is needed to take a guess. This makes it much harder to parallelize. The downside of scrypt is that it has been researched a lot less. bcrypt has been around for a while. There is a bitcoin alternative that uses scrypt though.
  11. This one is interesting: http://srp.stanford.edu/design.html It does not require storing plain text in the database. And all you need is a hash function and a secure random number generator. C lib: http://code.google.com/p/csrp/
  12. What I envision is that the auth service is _only_ a website. Everything is https, all connections are short lived. Points, chat, banning, whatever is not part of this auth service. This scales out (instead of up) very easily. Setting up such a service is probably a day's work. Note that I am ignoring any existing architecture in these ideas. This is mainly because I do not believe in a drop-in replacement (like mysql & mariadb) for continuum (or at least, not worth the effort required)
  13. But this online interface would need some encryption as well, otherwise your password would fly in raw form over the network. This would require asymmetric encryption, very likely in the form of https (TLS). Now if you have https, why not implement every part using https. All you need to do is distribute Certificate Authority keys with the client (which you do not need to change if a new biller is added with different keys), or use the ones that come with the operating system. This would also take care of the database leak issue, the client connects to the biller on his own. If you use a very strong method of storing passwords in the database like scrypt (a very interesting one, it is much harder to parallelize), even if you leak the database you would not be able to login as any player (provided they had chosen a strong password) with a modified client. This is my reasoning for preferring a system that is similar to openid.
  14. So if you do not want to use asymmetric encryption, how would you go about secure signups or password changing? And what about database leaks? If the password is not sent to the biller, but only a hash, the database would need to store the password (or whatever is equivalent to the thing that is put into the hash)
  15. My favorite time was with the normal sized ships, overpowered terr, money overflow bugs, no exp (I've had 2 billion thrice haha). The money gained from bounty was way too much though. I also remember the time before that with area bots disconnecting. Last man standing would get all the kills because others had no prizes. (with the little center spawn square). I was like 14 or something at the time.
  16. Ah, nice. This is why I made that original comment haha. You would also need a hash back from the server with a second salt so that the client can verify the biller (if that is needed of course)
  17. What I meant is that the client can not verify that the given salt comes from the biller (in the setup that he described). The zone could just make the salt all 0:

     player to zone: connect
     zone to biller: player X online
     biller to zone: salt=PRNG
     zone to player: salt=0x00000 (or another fixed value)
     player client hashes pw using salt (0x00000)
     player to zone: hash
     zone to player: some kind of error
     zone: look up hash in a rainbow table or a dictionary

     This attack could be prevented if you either have the client connect to the auth service on his own. Or somehow verify the salt really comes from the auth service, or just encrypt the entire auth handshake. Maybe there is another way to fix this (I am not an expert on encryption, I just pretend to be haha). But you probably need to use asymmetric encryption in most solutions. If you want a system where someone has to verify a zone before it is allowed to use the biller/auth service, that could be the better choice. But if you want authentication to be open to all players and any random zone, it would not matter much if the attack was done by impersonating zones vs impersonating players. As for denial of service, attacking the zones directly is probably a lot more effective (even if you would want to attack the top 50 of zones for example). They can not be distributed over multiple servers easily, require more resources, are more susceptible to targeted attacks (like abusing the game protocol). For an auth service which only has one simple purpose it is much simpler. There are even online proxy services like cloudflare that could help such an auth service (the caching does not help much, however it hides the address to your real server and it auto blacklists attackers)
  18. The client would only need to contact the biller/auth service to authenticate, register, change passwords. (unless you also want to secure cross zone chats). The client would be able to drop his connection after authenticating. You could probably easily handle 10'000+ connections concurrently using a single server (node.js, nginx, and a few others support this: http://synrc.com/lj/webcompare/connections.png ). Imo, a separate auth service is good because it would let anyone run whatever biller or zone they want. Authentication is the only thing that _must_ be centralized. It would also be good if the auth service does not perform banning (unless someone abuses the auth service itself), this would prevent the current SSC-madness.
  19. With weak I meant in the cryptography sense. The zone server can make the client hash the password using any salt it wants (even if it was rejected by the biller, just fake a lagout and pass the normal salt the next time). This would make brute-forcing passwords much easier. (it gets even more dangerous if the salting is implemented incorrectly, look up hmac and maybe scrypt). You would also need to store the passwords as plain text in the authentication server. Of course you could add another layer of hashes, but that means the hash is your password now. An easy fix would be to make the client go to the auth service on its own using TLS, authenticate there, and then the zone contacts the auth service to verify (like how openid works, as x-demo mentioned). Or I guess you could tunnel to the auth service through the zone, but that seems too complicated.
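The two designs compared in posts 17 and 19, as an added Python sketch that is not code from the thread or from any of the projects it mentions: the weak relayed-salt scheme, and the OpenID-like fix where the client authenticates to the auth service directly and the zone only verifies a ticket. The auth service, its scrypt cost parameters, the ticket format, the 60-second lifetime and the zone names are all assumptions made for this demo.

```python
import hashlib, hmac, os, secrets, time

# Auth service side (hypothetical). Only a salted scrypt verifier is stored, so a leaked
# database does not yield passwords, and the zone never sees the password at all.
AUTH_KEY = secrets.token_bytes(32)   # signing key held only by the auth service
USERS = {}                           # name -> (salt, verifier); constructed demo store
SCRYPT = dict(n=2**14, r=8, p=1)     # assumed cost parameters for the demo

def register(name, password):
    salt = os.urandom(16)
    USERS[name] = (salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT))

def auth_login(name, password, zone):
    """Client -> auth service directly (over TLS in a real deployment). On success the
    service hands back a short-lived ticket bound to the zone the client wants to join."""
    rec = USERS.get(name)
    if rec is None:
        return None
    salt, verifier = rec
    if not hmac.compare_digest(verifier, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)):
        return None
    body = f"{name}|{zone}|{int(time.time()) + 60}".encode()
    tag = hmac.new(AUTH_KEY, body, "sha256").hexdigest().encode()
    return body + b"|" + tag

def auth_verify(ticket, zone):
    """Zone -> auth service: is this ticket genuine, unexpired and issued for *this* zone?
    Returns the player name, or None. A ticket captured at one zone is useless at another."""
    body, _, tag = ticket.rpartition(b"|")
    expected = hmac.new(AUTH_KEY, body, "sha256").hexdigest().encode()
    name, tzone, expiry = body.decode().split("|")
    ok = hmac.compare_digest(tag, expected) and tzone == zone and int(expiry) > time.time()
    return name if ok else None

# The relayed-salt design the thread calls weak: the zone forwards a salt of its own
# choosing and the client answers with H(salt || password).
def client_hash_with_relayed_salt(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

def zone_offline_guess(observed_hash, relayed_salt, candidates):
    """Because the zone chose the salt, the observed value is a plain function of the
    password, so the zone can check candidate passwords without the auth service."""
    for pw in candidates:
        if client_hash_with_relayed_salt(pw, relayed_salt) == observed_hash:
            return pw
    return None
```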
  20. This is weak because a zone operator could make up its own salts.
  21. But how much is -3^2 ? -9 or 9 ? hehe
  22. Sounds very good. I wanted to make something very similar a while back (however I got completely fed up with asss and I quit making things with it). I've actually implemented a websocket server from scratch back when there were not many libs, for a different project haha (using one of the now obsolete drafts). Did you actually integrate SSL yourself, or are you using a reverse proxy like nginx?
  23. JoWie

    Dev-Video 2

    Does BnetEx only take care of serialization? Or does it also take care of more stuff specific to games? Are you simply sharing x,y (and perhaps z) values periodically, or doing something more complex to prevent cheating?
  24. JoWie

    Dev-Video 2

    Hah, nice. Are you playing the music yourself? The graphics look a bit cluttered, a lot is going on. Not necessarily a bad thing though. What kind of networking model did you end up with? I remember a topic about it a long time ago.