Showing results for tags 'nda'.
Found 6 results

  1. 😕 I am hwshadow, have played eve-online for years https://evewho.com/character/1505039261 sent me here.
  2. Please note https://www.dualthegame.com/en/news/2019/09/25/new-authentication-bot-coming-to-the-official-discord-server/ "On October 22nd, the new bot will go live and the old authentication process will be retired." If you linked your account on the Community Portal during phase 1, the transition will be seamless.

     First you must own an account that has current access to the game; if you don't, this won't work.

     • Go to https://board.dualthegame.com/ and sign in.
     • Click on your user name in the top left of the web page.
     • Click on Profile.
     • In the top right of the profile, click on edit profile.
     • Toggle the top option to ON; "Enable status updates" should be green with a check mark.
     • Scroll down and click save.
     • Go to https://board.dualthegame.com/index.php?/forum/20-the-arkship-pub/ This is the introduce yourself to Dual Universe forum page. Your forum account needs moderator approval; post an introduction message in the Arkship Pub subforum so everyone knows you're a real person. This can take a day or two, but normally is only a few hours. You will need to keep logging back in to see if your introduce yourself forum post has been approved and posted for public viewing on the forum page. Once this is done you're ready for the next part.
     • Open discord, go to the DU server, look for the text channel #newcomers and click on it. Make sure you are scrolled down in that chat channel.
     • In the message area to the right on the bottom, type ~forumauth (that is the tilde key: shift + the key below the esc button).
     • You will see a message notification on the top left under the white discord home button with a little red box. Click on this to read the message from the dual universe bot:

     Authorization: In order to validate your access to the Alpha sections of this discord, you must first validate your backer status or ATV status through the Dual Universe forum.

     To complete this process, please post the following text on your public message feed through your forum profile:

     discordauth:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= goes here

     If you do not see the public message feed on your profile, you need to enable status updates in your forum account settings. It's the first option in Basic Info at the top of the edit profile settings window. You can disable it after this registration process is complete.

     Once you have posted your discordauth key, please reply to the direct message bot with the following command to complete the validation process:

     ~linkprofile <copy and paste the url of your forum profile here>

     If you continue to have issues with this process, please contact a discord moderator for assistance. (This message may not display properly on mobile due to a discord bug!)

     Forum Auth Tutorial - https://www.youtube.com/watch?v=tPZuxhz6KeE (for those that prefer video directions)

     How to Get DU NDA discord access.txt
  3. I've been gone the last 5 months overseas for work and I'm wondering has any more word been put out on when the NDA will be lifted. Thank you to anyone who replies.
  4. So I don't really post much here but I thought this was an interesting topic. Looking from the point-of-view as someone who helps run/admin a community, the Pre-alpha hurts quite a lot. It stops communication between people in the org, talk about most of the game and stops the community from growing as much as I want. This can lead to burnout from the orgs and the game itself, which is a problem. Now there are a few options to fix this:

     1. NQ removes the NDA. This probably won't happen as NQ has said quite a few times that it is still committed to the NDA.
     2. Upgrade the accounts - So Beta gets access to Alpha, etc. This could happen, probably won't. Justified because of the sudden release of pre-Alpha. Everything got kicked back. (According to an old thread Beta was meant to be released this year.)

     Now the third option is probably the best and most likely to happen:

     3. Allow non Pre-Alpha users to agree to the NDA and add a badge to their profile showing they have signed it. This would really help communities develop as more people can have access to chats and actually talk about the game but still keep the NDA intact.

     I do hope choose something to help communities with this. And I know the Supporter packs mean more can access the Pre-Alpha but that is locked behind a pay wall that not everyone can access. Many Thanks Darrk
  5. Hello explorers,

     I see more and more communities and organizations setting up authentication based on Dual Universe account in order to identify players on Discords, websites or other places outside the game. However, it's not a simple process and there are lots of potential security breaches (I've seen and reported a few). Thus, I decided to write this post where I describe good security practices and point out some common attack scenarios. While this post is mostly directed towards developers and webmasters, I think it's also a good and interesting read for all players.

     How authentication works

     Currently, Novaquark doesn't provide any way for third party applications to identify a player (they have other priorities like creating the game for now). So, how to do it then? Usually, we rely on authenticating a player on the third party application via standard login/password authentication and then give to the player a random token he must show on his/her profile. In other words, the authentication process works using the following steps:

     • The player creates an account on the third party application.
     • The third party application generates and gives a token to the player (ex: "my-app-auth:396943934983749839").
     • The player logs into his Dual Universe account and updates his profile, appending the token.
     • The player tells the application that the token is uploaded on his profile (specifying his/her profile name or URL).
     • The application browses the profile, reads the player name and public information (organizations, titles, etc.). It also double-checks that the token is present and correct.
     • The application then "links" the local account to the player profile and may authorise access to restricted content.

     When security fails

     This list is not exhaustive, but contains most problems I've seen or can think about. For easier reading, I put in red the attack scenario and in green the good practices you should use/see.

     1) Token randomness

     A secret must be random! Else, someone could just predict or guess the token and use it on his/her own profile. Standard random() functions provided by languages are actually not random and may present collisions: you can predict their output (see https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d if you don't trust me). Thus, it is important to use strong random generators like:

     • java.security.SecureRandom for Java
     • random_bytes() or openssl_random_pseudo_bytes() in PHP
     • crypto.randomBytes() for NodeJS
     • secrets.token_bytes() (or secrets.token_hex()) in Python
     • Etc.

     2) Your token is actually public!

     Yes, the token is public: you put it on your public profile as the application needs to read it. A hacker could read it when you update your profile and authenticate in your place before you get the time to do it yourself. If you think that it is too hard to watch all forums accounts for a new posted secret and authenticate before the player, note that there is an RSS feed which gives in real time all profile changes.

     How to prevent the attack? Make sure to bind the token to the third party account. This way, if someone else tries to authenticate with the token, the local account won't match. As a good practice, also send the token in private and not in a public channel.

     3) Weak or lack of verification

     Some applications may forget to actually verify the token (don't laugh, a bug is always possible). So make sure to test it after each code update.

     Another important point: the forums user feed also contains data from the posts liked or messages posted. If the verification function just looks for the token anywhere in the page, a hacker could create a post with his token in the title and this secret will appear in the feed of whoever likes or answers it. So make sure to only check in profile updates.

     4) Validating the wrong profile

     If the player enters the URL of his profile (on the forum, this is nearly mandatory as there is no easy way to know the profile URL based only on the player name), it is possible to host a webpage on another website with a copy of your profile with modified information about your pledge, title or organizations. Thus, it is important to double-check when validating the token and gathering player information that the URL domain is actually correct! Hint: it should be something like *.dualthegame.com (make sure to test against URLs like "*.dualthegame.com.hacker.com" or "hacker.com/*.dualthegame.com").

     5) Luring someone else to edit his/her own profile

     This one is a bit tricky. Let me break it down into a detailed scenario:

     • I start authenticating on Achilles' Discord which requests me to put the "123456" token in my forums profile.
     • I don't do it right now and instead set up my own application with authentication.
     • I share my application with Hector who tries to authenticate there. He is requested to put the same "123456" token on his profile.
     • Hector puts the token on his profile (and finishes authentication on my application for what matters).
     • I finalize authentication on Achilles' Discord indicating that I'm "Hector".

     And now, Achilles' Discord thinks that I'm Hector. Tricky.

     A quick and easy recommendation is to generate a token which is clearly related to your application. So, for example, Achilles' Discord could have generated a token like `Code for authenticating with Achilles' Discord (don't use this code if it was not given to you by the "Achilles' Bot"): 123456`. As Hector is a smart guy, he would probably not put this token for authenticating with an application which is not named "Achilles' Discord". It is not perfect as a player who is not paying attention can blindly copy/paste the code.

     6) Quits and bans

     Last but not least: players may quit an organization, be kicked from ATV or lose their backer title for whatever reasons. Thus, if a third party application records groups and roles only once during authentication, the player rights may become outdated in the future. It is important to regularly check the player organisations, titles and rights and update them accordingly (ideally before any request, but realistically a check every hour or day is ok-ish).

     I hope this post will help. Feel free to ask questions or repost it anywhere.

     Regards, Shadow
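
Added example, not part of Shadow's post or of any Novaquark tool: points 1 to 4 of the post as Python checks. The application name, the in-memory `pending` store, the https requirement and the `(kind, text)` feed entries are assumptions; the real forum feed format is not shown on this page.

```python
import secrets
from urllib.parse import urlsplit

APP_NAME = "achilles-discord"        # assumed label; ties the token to one application (point 5)
ALLOWED_SUFFIX = ".dualthegame.com"  # domain pattern given in the post (point 4)
pending = {}                         # local account id -> token issued to that account


def issue_token(account_id):
    """Points 1 and 2: token from a CSPRNG, recorded against one local account."""
    token = f"{APP_NAME}-auth:{secrets.token_hex(16)}"
    pending[account_id] = token
    return token


def is_official_profile_url(url):
    """Point 4: decide on the parsed hostname, never on a substring of the URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    # Assumption: profiles are served over https; userinfo ("user@host") is rejected.
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return host.endswith(ALLOWED_SUFFIX)


def verify(account_id, profile_url, feed_entries):
    """feed_entries: (kind, text) pairs the caller already fetched from profile_url.

    The kinds "status", "like" and "reply" are constructed names for this example.
    """
    expected = pending.get(account_id)  # point 2: only this account's own token can match
    if expected is None or not is_official_profile_url(profile_url):
        return False
    # Point 3: accept the token only in the owner's status updates,
    # not in liked posts or replies that also show up in the feed.
    return any(kind == "status" and text.strip() == expected
               for kind, text in feed_entries)
```
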
  6. While I appreciate we can't get any details.. I'm just curious about how the ATV test went over the weekend As expected, better, need some work, Ready for next weekend? Inquiring mind would like to know, obviously no details because NDA.. Any crumbs.. please