An innovative way to deal with bugs



glmaximus
05-02-2014, 06:53 AM
So maybe I'm the only nerd here that would actually do this- but this is what I'm thinking.

Cryptozoic is a small shop when it comes to programming; some bugs take a lot of man hours to find. On the other hand, a lot of your backers can probably program. I'm thinking it would be cool to crowd-source the finding (not the fixing) of game-breaking bugs (like the drafting bug) and offer some in-game gold or plat as a reward.

You wouldn't need to release your entire source code- or have all parts visible at all times. Just whenever something catastrophic is happening, find a way to post the code related to the problem, and specify a bounty. We can find it, suggest a fix if we want, but leave the actual coding to you guys.


Would anyone else do this, or is it just me?

ryuukan
05-02-2014, 07:00 AM
just you

Kami
05-02-2014, 07:32 AM
This is a bad idea imo.

Given enough different parts (even with bugs), smart people can eventually reverse engineer a large chunk of the code.

This is a security risk, not only that, code tends to require context. How do you know how to fix a bug if you don't have the context of how it affects everything else?

glmaximus
05-02-2014, 07:53 AM
Addressing the context-

1) Release enough code to give context
2) Have an explanation of context (an explanation of what events get you to this point in the code, plus an explanation of what they are seeing)

On security
1) if there is a way to exploit their game outside the login/store/network parsing code we are all in trouble - and I'm not saying they release that
2) if there are security bugs in code that they release to us- those will get pointed out by the community as well- thereby making the code base better. Security through obscurity is never real security. Linux is fully open source- it goes down last in Pwn2Own every year. Apple is completely closed- it has gone down first every year in the last decade. (I'd still rather use a Mac because it's usable :P )
3) Since they are fixing the bugs- the final source code won't be released.

#2 in security only works if there are actually enough good guys that would help fix things. When I was in grad school I would have jumped at the chance to potentially get something like 50 free booster packs. I just don't know how many Hexers have that kind of background

Kami
05-02-2014, 07:57 AM
Oh, I was thinking security beyond more than just exploiting code. I meant something along the lines of private servers and such (like you see in some MMORPGs).

glmaximus
05-02-2014, 08:05 AM
Ah- Well if you've ever tried playing on a private server- it is not a pleasant experience

People doing that have created their own special form of hell they deserve :P

MasterN64
05-02-2014, 08:15 AM
Releasing source code for something people are paying cash for and expecting to have a secure and safe experience playing is always a bad idea. Having the code can result in people finding security flaws inside the systems to generate all sorts of nasty stuff to happen in-game, from cheating to outright theft or item duping, and is far too big a risk to take when all they would get out of the deal would be that maybe someone can help with some code for free.

It is far more likely someone will simply search for exploits to steal or break things for their benefit. In no way is something like this even remotely feasible if you want to retain a secure service.

Unhurtable
05-02-2014, 11:01 AM
You know bug fixing is 90% finding where the problem is.... right?

Once you've found where the problem lies, it's usually the wrong variable/method being used or something that "should've been changed four months ago but was skipped".

Unless you are planning on them releasing the source code for multiple classes and files and saying "the bug is somewhere in this big bulk, have fun".

schild
05-02-2014, 11:05 AM
lol, why is this thread still open?

Pezzle
05-02-2014, 11:08 AM
Opened the thread expecting to see Ignore them!

That may not be terribly innovative, but it would be less disappointing =(

YourOpponent
05-02-2014, 11:24 AM
In some games I've played there's been rewards for being the first person to find and report the bug (with enough detail for it to be identified or at least replicated of course.)

dopplepopolis
05-05-2015, 10:55 AM
> Addressing the context-
> On security
> ...
> 2) if there are security bugs in code that they release to us- those will get pointed out by the community as well- thereby making the code base better. Security through obscurity is never real security. Linux is fully open source- it goes down last in Pwn2Own every year. Apple is completely closed- it has gone down first every year in the last decade. (I'd still rather use a Mac because it's usable :P )


Open Source (i.e. Linux) works because ALL of the code is public and can be publicly tested and vetted. Releasing some of the code doesn't really help because you cannot see the entire system. While some bugs *could* be found, there is no guarantee that those who find them will use that knowledge for the good of the community. Also, the Linux kernel is studied by researchers and students and is of high interest to large tech companies. Combined, many, many thousands of man hours are spent each year inspecting the code. There are enough good guys to outweigh the security holes the bad guys find.

To be honest, I think you are overestimating the technical expertise of this community. While I have a graduate degree in engineering and have almost ten years of experience as a software engineer, I doubt I could in a short amount of time understand the HEX code (assuming I am given ALL of it) to the point I could find and fix actual bugs in a way that did not break the code.

If you want to help, your best chance is to find bugs as a user and report them with as much data as possible. Ideally you could repeat your test and find the bug again.

Saeijou
05-05-2015, 11:00 AM
> Open Source (i.e. Linux) works because ALL of the code is public and can be publicly tested and vetted. Releasing some of the code doesn't really help because you cannot see the entire system. While some bugs *could* be found, there is no guarantee that those who find them will use that knowledge for the good of the community. Also, the Linux kernel is studied by researchers and students and is of high interest to large tech companies. Combined, many, many thousands of man hours are spent each year inspecting the code. There are enough good guys to outweigh the security holes the bad guys find.
>
> To be honest, I think you are overestimating the technical expertise of this community. While I have a graduate degree in engineering and have almost ten years of experience as a software engineer, I doubt I could in a short amount of time understand the HEX code (assuming I am given ALL of it) to the point I could find and fix actual bugs in a way that did not break the code.
>
> If you want to help, your best chance is to find bugs as a user and report them with as much data as possible. Ideally you could repeat your test and find the bug again.

well... the statement "linux is safe because tons of people are looking into it" is not totally correct
you can still write malware for linux... but no one sees the profit in it... linux is only used on... 5% of the pc worldwide?
it makes more sense to write malware for windows, you get more profit out of it!

dopplepopolis
05-05-2015, 11:21 AM
> well... the statement "linux is safe because tons of people are looking into it" is not totally correct

I think you missed my point. Linux is not free of malware, hacks, etc. Although all of the code is available, it is *relatively* safe because ENOUGH people are looking at it who know what they are doing. If there is a serious bug, it's hard to hide too long before somebody finds it or discovers some implemented exploit and goes looking to find the source. If your Mac or Windows machine has an exploit, you are 100% dependent on Apple or Microsoft engineers finding and fixing the problem. If it's a low priority, you are out of luck.


> you can still write malware for linux... but no one sees the profit in it... linux is only used on... 5% of the pc worldwide?
> it makes more sense to write malware for windows, you get more profit out of it!

While the Linux PC market is small (but growing), over half of all computer devices (smartphones, tablets, PCs, laptops, servers) shipped in 2014 run some version of Linux. The Android OS is a Linux variant and about 1/3 of all web servers use Linux as their operating system.

While it might be easier to exploit a Windows machine, mostly because I believe it has an inherently poor security model, there are more than enough Linux devices to warrant attention from the bad guys. I think 1.5 billion smartphones is enough.

Kami
05-05-2015, 11:50 AM
Please don't necro year old threads. Especially in response to someone who hasn't been on the forums in the same amount of time.