Long due update - security and stuff
Greetings. It’s been a quiet two weeks, sorry about that. We’ve been busy at work as always.
I’ve taken a closer look at the situation with octrees, map data handling and networking. It’s going to take about 6 months until to finish. We’ve decided to put as much time and work on this as it requires and put everything else on hold and push back all the schedules.
The most of you are probably going “What are octrees? What’s taking so long?” I’m not going to go into technical details, but suffice it to say that we are currently working on the heart and soul of our game engine. It needs to be done well, really well. If it’s not done well then we are entering a world of hurt later on.
The basics are already there. It doesn’t take long to implement the octree data structure itself. It’s everything else related to it that takes time, ie. things like bug testing, performance improvements, loading the data and sending the data over network, handling the memory footprint, delta updates, etc.
So we have our lead coder working on that for the next 6 months (an estimate). In the mean while our other coder has started to implement the login verification server.
The login server structure is what handles your password, verifies you as an authentic user and let’s game servers know you are indeed who you say you are.
Security is really important to us and to me personally. We don’t want to create a situation by negligence - like some other popular games which I’m not going to mention by name - where there are countless of stolen accounts. This is a huge problem for server owners.
Usually when you’re running a server you have two points of verification: the user account and the IP address. IP is trivial to change and cannot be relied upon when identifying users. So you are left with the account. And if you can get stolen accounts from the internet for free or by the hundreds with a single dollar - you lose all hope of stopping cheaters and griefers on open non-whitelisted servers. The cheaters just change their IP and login with a different account, again and again.
So. What can we do about this? One important step is to force security on the players. It’s a nuisance - we know - but it’s absolutely necessary.
We are going to have password, email, login account name and player character’s name.
- You cannot use your email - or ANY email - as your login.
- You cannot use your character’s name as your login.
- We will add a number to your login account, ie. coolguy#48390
- Your login account will be 100% secret and not revealed anywhere.
- We WILL force you to use a minimum of 16 characters in your passwords and require a level of complexity.
- Your password will be stored hashed and salted with the best possible practices on our servers in case of a breach.
- Your email will be stored on our servers also as hashed and salted which means we cannot contact you - and if our database gets stolen it will be an additional layer of security and makes life harder for the attacker - you will still be able to get password reset emails.
- We will never reveal if an email or an account exists to curb automated attacks.
- Strict policy of not revealing customer information such as account name and email address even against proof of purchase (would be impossible anyway with emails since they are hashed and salted) to 100% stop social engineering attacks. If you forget your account name, forget your email address or lose acccess to your email address after forgetting your password your game account will be lost forever. Period.
- Long tutorial and other helpful information on account and password security to educate players about the dangers of reusing or sharing passwords etc.
I probably forgot something from that list but the gist of it is that we take security and server owner empowerment seriously having run various game servers ourselves for years.
We are familiar with the problems that server owners and players face daily and will do our best to invent efficient and working methods to circumvent and detect cheating - which, unfortunately, is unavoidable. It is going to happen and it is impossible to stop cheating completely. But we believe we can do much about automatic cheat detection and add support for automatic permission removal, warning admins, automatic delayed banning, shadow banning, etc.
Most games on the market give you /ban /ipban commands and that’s it good luck you’re on your own! This approach is utter crap and devalues the games. So what if you have the best game in the world with amazing graphics and performance? If your game is full of cheaters and the server owners are powerless to do anything about it - it ruins the whole game experience. We’ve all seen that so many times. It’s not right.
Our goal is not to completely stop cheating - it’s unrealistic and impossible - but to put some real effort into cheater detection and give admins amazing and varied tools to detect cheaters and griefers and to frustrate them with things like shadow bans - they won’t even know they’ve been banned. The server will feed them false information and remove their actions from the ordinary flow of things.
About other things. We are currently finishing the player character’s walk cycle animation. I will post it here when it’s finished.
Still looking for extra 3D modeler. Let us know if you know someone.
Until next time, Pilvinen out.