Shadow

Alpha Team Vanguard
  • Posts

    300
Everything posted by Shadow

  1. If you want a parabola, you should also be able to remove matter with a spherical shape. Regards, Shadow
  2. Actually, I think you are right: skills affect it and they were thinking about upgrades, but not confirmed if I remember correctly. Regards, Shadow
  3. Hi supermasternico, To complete Lethys' answer, NQ stated somewhere (sorry, I don't remember in which topic/video) that the nanoformer (the tool used to build and terraform) will be upgradable so that you can dig faster over time. PS: don't spam the submit button when creating a topic or you create several duplicates ;). Regards, Shadow
  4. Yes, indeed. It looks to be working fine by now. Nevertheless, I think I'll get mine without waiting. Regards, Shadow
  5. Hello, From this topic: ... I followed the link to the event to https://www.eventbrite.com/e/novaquark-open-doors-event-dec-2017-evenement-novaquark-portes-ouvertes-tickets-40138804244 but cannot find where to register for it (I have created an account). The website says that "Sales Ended", but it was only announced for one hour... Are all the places already sold !? Regards, Shadow
  6. Ok, the "hide" word was probably not the best choice, but my question has no other meaning than "what kind of information would you like to limit (and how would you like to share it)" because: You can already hide your pledge (but the option is an opt-out). Location and personal information are not mandatory and you can just not give them (actually, I don't really see the point of filling them in). Most of the other information (like name, etc.) is visible more globally and actually required. I was just curious about it (and I think that NQ may need more details about what you wanted). I guess that what matters to you is the organizations members being public. In that case, I believe that we will have to wait until complete RDMS implementation (that's also why I don't belong to any organisation except ATV). This is not my point of view, that's actually the contrary. Regards, Shadow
  7. Hi CPExtreme, Long story short: you can't buy the game currently. Detailed answer: future pledge packs will be available (probably later this year) and will give access to alpha 2, whose starting date is not announced yet (and probably subject to change anyway). Note also that, until release, the game servers may not be up all the time, several bugs are expected and features are not all implemented (it's an alpha after all). Last information was given by Nomad in this thread: Regards, Shadow
  8. Just to be clear: this thread is not targeted against yamamushi's bot (or any other specific bot for that matter). I've done some tests on it and I have not found any evidence of major security breach (I won't say any as there is always a risk in any application, even minimal). Besides, any information gathered by the bots is publicly available (you can only hide your pledge status and, in this case, the bots won't find it either). The potential problem is identity theft: someone saying that he is you backed by a bot validation. Don't trust someone if you didn't verify it yourself correctly or trust the bot having verified him. What do you want to hide exactly (and from whom)? Regards, Shadow
  9. Shadow

    Resourcepacks

    According to NQ information so far: -> LOD (level of detail) will adapt based on graphic power and distance. -> You will be able to customize the UI which is written in HTML / CSS and update it with Lua. Regards, Shadow
  10. From last interviews, current NQ vision is "one gun = one player". They won't be "automatable". Regards, Shadow.
  11. CCP hasn't invented it: you can find this idea in several books (I think about universes from Peter F. Hamilton for example). I'm for keeping what we have now though. Regards, Shadow
  12. What about https://youtu.be/jPRx6WQlVQc?t=499 ? Does it answer the question or were you talking about ship defense ? Regards, Shadow
  13. Except if they are banned because they didn't respect the NDA. I'd be happy if NQ inform us, but they didn't and probably have good reasons for it. Regards, Shadow
  14. I can probably call it a "token". Post edited. Well, that's why automatisation is better :). We had the case for ATV Discord where we had to remove someone. In this case, NQ did warn us and we manually removed him. But if NQ didn't, he would still have access to NDA'd information. I'm sure that several persons did lose their early access and NQ didn't post an announcement about it. This is where automatic check helps. I'd be happy to update the post with another solution if you have one. PS: for pure organization related membership, manual removal may still be enough. Regards, Shadow
  15. Hello explorers,

    I see more and more communities and organizations setting up authentication based on Dual Universe account in order to identify players on Discords, websites or other places outside the game. However, it's not a simple process and there are lots of potential security breaches (I've seen and reported a few). Thus, I decided to write this post where I describe good security practices and point out some common attack scenarios. While this post is mostly directed towards developers and webmasters, I think it's also a good and interesting read for all players.

    How authentication works

    Currently, Novaquark doesn't provide any way for third party applications to identify a player (they have other priorities like creating the game for now). So, how to do it then? Usually, we rely on authenticating a player on the third party application via standard login/password authentication and then give to the player a random token he must show on his/her profile. In other words, the authentication process works using the following steps:

      • The player creates an account on the third party application.
      • The third party application generates and gives a token to the player (ex: "my-app-auth:396943934983749839").
      • The player logs into his Dual Universe account and updates his profile, appending the token.
      • The player tells the application that the token is uploaded on his profile (specifying his/her profile name or URL).
      • The application browses the profile, reads the player name and public information (organizations, titles, etc.). It also double-checks that the token is present and correct.
      • The application then "links" the local account to the player profile and may authorise access to restricted content.

    When security fails

    This list is not exhaustive, but contains most problems I've seen or can think about. For easier reading, I put in red the attack scenario and in green the good practices you should use/see.

    1) Token randomness

    A secret must be random! Else, someone could just predict or guess the token and use it on his/her own profile. Standard random() functions provided by languages are actually not random and may present collisions: you can predict their output (see https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d if you don't trust me). Thus, it is important to use strong random generators like:

      • java.security.SecureRandom() for Java
      • random_bytes() or openssl_random_pseudo_bytes() in PHP
      • crypto.randomBytes() for NodeJS
      • secrets.token_bytes() (or secrets.token_hex()) in Python
      • Etc.

    2) Your token is actually public!

    Yes, the token is public: you put it on your public profile as the application needs to read it. A hacker could read it when you update your profile and authenticate in your place before you get the time to do it yourself. If you think that it is too hard to watch all forums accounts for a new posted secret and authenticate before the player, note that there is an RSS feed which gives in real time all profiles changes.

    How to prevent the attack? Make sure to bind the token to the third party account. This way, if someone else tries to authenticate with the token, the local account won't match. As a good practice, also send the token in private and not in a public channel.

    3) Weak or lack of verification

    Some applications may forget to actually verify the token (don't laugh, a bug is always possible). So make sure to test it after each code update.

    Another important point: the forums user feed also contains data from the posts liked or messages posted. If the verification function just looks for the token anywhere in the page, a hacker could create a post with his token in the title and this secret will appear in the feed of whoever likes or answers it. So make sure to only check in profile updates.

    4) Validating the wrong profile

    If the player enters the URL of his profile (on the forum, this is nearly mandatory as there is no easy way to know the profile URL based only on the player name), it is possible to host a webpage on another website with a copy of your profile with modified information about your pledge, title or organizations. Thus, it is important to double-check when validating the token and gathering player information that the URL domain is actually correct! Hint: it should be something like *.dualthegame.com (make sure to test against URLs like "*.dualthegame.com.hacker.com" or "hacker.com/*.dualthegame.com").

    5) Luring someone else to edit his/her own profile

    This one is a bit tricky. Let me break it down into a detailed scenario:

      • I start authenticating on Achilles' Discord which requests me to put the "123456" token in my forums profile.
      • I don't do it right now and instead set up my own application with authentication.
      • I share my application with Hector who tries to authenticate there. He is requested to put the same "123456" token on his profile.
      • Hector puts the token on his profile (and finishes authentication on my application for what matters).
      • I finalize authentication on Achilles' Discord indicating that I'm "Hector".
      • And now, Achilles' Discord thinks that I'm Hector.

    Tricky. A quick and easy recommendation is to generate a token which is clearly related to your application. So, for example, Achilles' Discord could have generated a token like `Code for authenticating with Achilles' Discord (don't use this code if it was not given to you by the "Achilles' Bot"): 123456`. As Hector is a smart guy, he would probably not put this token for authenticating with an application which is not named "Achilles' Discord". It is not perfect as a player who is not paying attention can blindly copy/paste the code.

    6) Quits and bans

    Last but not least: players may quit an organization, be kicked from ATV or lose their backer title for whatever reasons. Thus, if a third party application records groups and roles only once during authentication, the player rights may become outdated in the future. It is important to regularly check the player organisations, titles and rights and update them accordingly (ideally before any request, but realistically a check every hour or day is ok-ish).

    I hope this post will help. Feel free to ask questions or repost it anywhere.

    Regards, Shadow
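
    Added example, not part of Shadow's post and not code from any of the bots discussed: a Python sketch of the checks from points 1 to 5 (CSPRNG token that names the application, token bound to the local account, strict host check). The application label, the in-memory store, the HTTPS requirement and the sample profile URL are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit

APP_NAME = "achilles-discord"        # assumption: label naming this application
OFFICIAL_DOMAIN = "dualthegame.com"  # domain hint from the post
_pending = {}                        # local account id -> token issued to it

def issue_token(account_id):
    """Points 1, 2 and 5: CSPRNG token, bound to one local account, naming the app."""
    token = f"{APP_NAME}-auth:{secrets.token_hex(16)}"
    _pending[account_id] = token
    return token

def is_official_profile_url(url):
    """Point 4: compare the parsed host name, never a substring of the URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    if parts.scheme != "https":      # assumption: profiles are fetched over HTTPS
        return False
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def verify(account_id, profile_url, profile_text):
    """Points 2 to 4. profile_text must be the text of the profile field only
    (not the activity feed), already fetched from profile_url by the caller."""
    expected = _pending.get(account_id)
    if expected is None or not is_official_profile_url(profile_url):
        return False
    return expected in profile_text.split()

if __name__ == "__main__":
    url = "https://board.dualthegame.com/profile/1-hector/"  # constructed sample
    hector = issue_token("local-account-hector")
    issue_token("local-account-mallory")
    print(verify("local-account-hector", url, "Hello! " + hector))   # True
    print(verify("local-account-mallory", url, "Hello! " + hector))  # False
    print(is_official_profile_url("https://board.dualthegame.com.hacker.com/p"))  # False
```

    The second call fails because the token read from the profile was issued to a different local account, which is the binding described in point 2.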
  16. You can host up to 500 MB included all files on the forums. After this point, you need to delete some. NQ doesn't have enough space for more on the forums server. Best thing to do is to host them somewhere else. Regards, Shadow
  17. Hi, Having transparent cockpits is also for gameplay purpose. RP wise, we probably have found very resilient transparent materials. Like plexiglas is a lot better than glass. Lastly, look at all futuristic books and movies. Except a few exceptions, they still put transparent cockpits too. Probably because it helps to find known points of reference for immersion. Regards, Shadow
  18. I may be wrong, but I think that NQ has done more polishing than implementation last month (especially because of the alpha). Thus, there is just not much to show. They may publish a short video about on-going pre-alpha sometime... or maybe they are waiting to announce alpha... who knows ? Regards, Shadow
  19. Ok guys, stop now. This is not going anywhere. Kind reminder: all time spent on moderating and reading trolls is time not spent on communication and game. Feeding the trolls is not the smartest idea. Please leave it and find something more useful to do. Regards, Shadow
  20. At least, this seems more useful. Looking at all troubles and the difficulties to "just" manage the ATV Discord, I'm pretty sure that NQ won't host an official Discord. And I can't blame them: they don't have the manpower to moderate it, by far, and the value added is minimal. I may be wrong though. It's only my opinion. Regards, Shadow
  21. Hello, Nobody here can verify what has exactly happened so nothing will happen with this post instead of anger and trolls. I predict a fast lock. If you want to discuss with community decision, you do need to talk with the Discord admins. Regards, Shadow
  22. Without breaking NDA, I think you can use several "keyboards" unit and assign some doors to each one. Not 100% sure if you can activate all keyboards at the same time, but it's what the July dev. diary looks like. Regards, Shadow
  23. Hello, Unfortunately, NovaQuark is bound to French law which is very strict in regard to week-end and night work. It's not their own decision. @NQ-Nyzaltar will probably give you a longer explanation (but it's NDA for me). Regards, Shadow
  24. You can find all info regarding pre-alpha tests here : The "redacted" messages are just auto-censure due to NDA. We cannot share any info regarding last test. Regards, Shadow