MakeWebGames

Farewell.......


rulerofzu


Why acquire a complicated engine with everything perfect and no room for failure to learn with? That's just spoon feeding.

Mmm for me, by reading you => Our softs do contain bugs on purpose such that you can learn how to fix them.

Sorry CB but overall your statements mean very little to me besides a huge confusion...


Mmm for me, by reading you => Our softs do contain bugs on purpose such that you can learn how to fix them.

Sorry CB but overall your statements mean very little to me besides a huge confusion...

I'm not saying these bugs were there on purpose. Just saying it gives a developer an opportunity to dig. Use these forums while at it also.

You are just making it confusing by being negative. Otherwise I would be done with this thread a long time ago (after I patched it).

Cheers.


You hijacked the thread "Farewell......." with your patch about McCodes, and you woke up the thread, I'm not negative I simply don't understand your statement and pointed it out and... thread being done long time ago? Sorry makes again little sense, I posted like 2 hours after your last post... CB cool down, I think you are starting to act and react in an odd way.

On the positive side, I start to see posts from you on your own forum, and that's something we haven't seen in a long time ;)


You hijacked the thread "Farewell......." with your patch about McCodes, and you woke up the thread, I'm not negative I simply don't understand your statement and pointed it out and... thread being done long time ago? Sorry makes again little sense, I posted like 2 hours after your last post... CB cool down, I think you are starting to act and react in an odd way.

On the positive side, I start to see posts from you on your own forum, and that's something we haven't seen in a long time ;)

I was only answering Skooda's and others' posts against MCCodes. Incorrect statements they threw, so I was correcting them.

You elaborated on.

The purpose of this thread anyhow I see it was just to rage @ mcc and quit. Making me and my team feel guilty for no reason.

I'm just counter attacking where I see fit, and taking responsibility where I see fit.


Interestingly enough while the newest patch to McCodes Free 1.1.0a does indeed fix a couple of problems, it remains as insecure as ever.

Now, when somebody suggests you have a flat tyre, you fix it. Most people I imagine would have the presence of mind to check the pressure of the other tyres - apparently this does not apply to those people at McCodes who I'm rapidly coming to the conclusion actually feel it necessary to provide software that is critically flawed so others may learn. Now there's an interesting marketing model if ever I saw one.

Apparently time is in short supply so a thorough analysis of the code has not been possible - which I find rather curious, as it took me less than 30 seconds to discover another unpatched exploit in the so-called patched code and that was by using the mark-one eyeball, not some expensive fool who thinks that automation is the way to find all problems.

Now call me old fashioned if you will, but I tend to be of the school where if I install software, I expect it to work. I don't expect critical bugs to exist that can be exploited by any spotty nosed teenager who has ideas above their station and more than 30 seconds to spare...

There has to be some reason the staff act like this, though it so far eludes me. Perhaps there really is some misguided concept of providing broken software to try to improve our lot - though I'm not sure who that's aimed at. Game owners after all have to spend time and often money in order to patch the considerable number of existing bugs, so I can't see it's aimed at them. Players bear the brunt of broken games with rampant inflation, staff changes, broken (and unnecessary) crons, and in some cases loss of account so again, surely the software can't be aimed to "help" players. As a learning tool it does actually work however; in that it is an excellent aid in how NOT to do things. Maybe that's it.

I think the only thing that can be taken away from McCodes is the simple fact that no matter what "they" (the owners) state, you can take with a pinch of salt. It's not secure, it's unlikely it ever will be. It's full of bad practices not to mention areas that still simply don't work as expected. I'd compare it to other engines but that would be unfair.


Now there's an interesting marketing model if ever I saw one.

Not a marketing model. I'm just saying. There are no marketing models/strategy.

not some expensive fool who thinks that automation is the way to find all problems.

We don't have the capital to invest in making an automated test suite to test each functionality / unittests.

So whatever we find, we fix. Whatever you guys find, you guys fix, and so do we and push out patches.

Now call me old fashioned if you will, but I tend to be of the school where if I install software, I expect it to work. I don't expect critical bugs to exist that can be exploited by any spotty nosed teenager who has ideas above their station and more than 30 seconds to spare...

Absolutely.

There has to be some reason the staff act like this, though it so far eludes me. Perhaps there really is some misguided concept of providing broken software to try to improve our lot - though I'm not sure who that's aimed at. Game owners after all have to spend time and often money in order to patch the considerable number of existing bugs, so I can't see it's aimed at them. Players bear the brunt of broken games with rampant inflation, staff changes, broken (and unnecessary) crons, and in some cases loss of account so again, surely the software can't be aimed to "help" players. As a learning tool it does actually work however; in that it is an excellent aid in how NOT to do things. Maybe that's it.

I think the only thing that can be taken away from McCodes is the simple fact that no matter what "they" (the owners) state, you can take with a pinch of salt. It's not secure, it's unlikely it ever will be. It's full of bad practices not to mention areas that still simply don't work as expected. I'd compare it to other engines but that would be unfair.

What other exploits are there that will break the game to the ground? (with regards to: Loss of account, sensitive information disclosed, etc as you stated in your post)

Like you've done before, report it and we'll push out fixes. You have to admit that improvement is visible throughout the years of these softwares.


What other exploits are there that will break the game to the ground?

Have you actually looked at the code, or are you simply relying on reports and fixing them on an "as-discovered" basis? If you have looked at the code, and can't in fact see the multiple entry points then so be it. I'll consider the entire suite as being simply a learning process for you and the other developers, but if you can see the problems, then I would really question the motives behind providing a product with known problems. I'm sure it probably breaks some archaic rule of these very forums, but I'll not go into that. On the other hand, if you are not looking at the code, then surely you cannot be in a position to defend or indeed support it.

10 PRQNT "hello world"
20 PRQNT "hello world"
... there's a bug on line 10 !! ...
10 PRINT "hello world"
20 PRQNT "hello world"
... uhm ...
See the problem? That's exactly what is happening.

Have you actually looked at the code, or are you simply relying on reports and fixing them on an "as-discovered" basis? If you have looked at the code, and can't in fact see the multiple entry points then so be it. I'll consider the entire suite as being simply a learning process for you and the other developers, but if you can see the problems, then I would really question the motives behind providing a product with known problems. I'm sure it probably breaks some archaic rule of these very forums, but I'll not go into that. On the other hand, if you are not looking at the code, then surely you cannot be in a position to defend or indeed support it.
10 PRQNT "hello world"
20 PRQNT "hello world"
10 PRINT "hello world"
20 PRQNT "hello world"

See the problem? That's exactly what is happening.

People and myself have wondered who you really are.. today I feel you're just a bot. Just kidding.

I am not doing a full audit on the engines anytime soon. So yes, we do rely on our customers/community to report bugs and we push out fixes based on reports.

We do look at the codes when there is need.


People and myself have wondered who you really are.. today I feel you're just a bot. Just kidding.

I am not doing a full audit on the engines anytime soon. So yes, we do rely on our customers/community to report bugs and we push out fixes based on reports.

 

We do look at the codes when there is need.

I'm going to comment.

There is always a need. A need for security (on your own behalf)


Which we have done a few months ago. But not on a continuous basis. So for some bugs which got away, we rely on the users of the products to report.

We don't have a team specialized in testing.

It might just be my logic, but why are you still selling MCCodes "on a continuous" basis then?

Your logic is flawed, and I think you're even beginning to confuse yourself.


... we push out fixes based on reports.
We do look at the codes when there is need.

Yet plainly, you fail the very people who are willing to provide support.

For example:

Free 1.1.0

function remove_enemy()
{
   global $ir, $c, $userid;
   mysql_query(
           "DELETE FROM blacklist WHERE bl_ID={$_GET['f']} AND bl_ADDER=$userid",
           $c);
   print
           "Black list entry removed!<br />
<a href='blacklist.php'>> Back</a>";
}

Free 1.1.0a (After patching)

function remove_enemy()
{
   global $ir, $c, $userid;
   $_POST['ID'] = abs((int) $_POST['ID']);
   mysql_query(
           "DELETE FROM blacklist WHERE bl_ID={$_GET['f']} AND bl_ADDER=$userid",
           $c);
   print 
           "Black list entry removed!<br />
<a href='blacklist.php'>> Back</a>";
}

So the patch which seems to be heralded with a great deal of bell ringing, does ... nothing. Not only does it not address the actual problem at hand, it relies on extremely poor practices - as most of the code does - in coercing data and making assumptions rather than proper type checking. Now I seem to remember a patch I submitted in full being totally misunderstood in the past which is why I am no longer interested in posting complete fixes, however the lack here of anything even resembling a viable patch does indeed suggest an extremely lackadaisical approach to your products and customers.

You've stated that you don't have a team specialized in testing, but surely this is the type of testing that can be discovered by both the mark-one eyeball and the very handy error_reporting(-1) statement. Of course the latter would probably scare the pants off you if you've not already tried it due to the large number of errors it spews out throughout the entire code-base.

Yes, programmers do make mistakes. But in theory, they also learn from their mistakes. The former is apparent in this, the latter not so. Actually reading through the code - in this case only a few lines - would be sufficient for most people to see and realize that the patch is wrong. Sure, it's an easy one for other people to fix, but herein lies one of the main problems:

According to my knowledge, MCC engine v1 and v2 user-end pages are now secured from SQL injections (for the past several months).

Simply put, it's not. I've not audited the code, but I can still find a large number of access points simply by performing a quick read of the code.

Even were you to have correctly patched this - I'd still raise any number of questions as you have left similar exploits untouched certainly in v1.1.0a. I think perhaps it might be wise to issue a press release stating something along the lines that "we have been told that the engine is full of holes - so don't expect it to be stable enough to run on a production box as we are not able/willing to fix the problems ourselves". I'm not sure it will make much difference, since other products do appear to be gaining ground here (at MWG), but at least it's being a lot more honest than the current statements.

And in answer to the obvious question, why am I not simply reporting the bugs as I find them? Really why should I? Not only does the team ignore certain reports, they muck around with submitted patches so badly as to make it barely if at all worthwhile and in this most recent case, fail to address the problem altogether yet still "ring-the-bell" with a self-congratulatory pat on the back. As Spud stated elsewhere: "what's in it for me?"


It's amazing how off topic this thread has become, and the fact that members of the Administrative team have taken it to this.

Ruler you will be missed.

Agreed. Granted ROZ has irked me by some of his posts by being such a negative nancy 99% of the time it is sad to see someone leave over such nonsense.

Off topic here but following up on Octarine's post:


function remove_enemy()
{
   global $ir, $c, $userid;
   $_POST['ID'] = abs((int) $_POST['ID']);
   mysql_query(
           "DELETE FROM blacklist WHERE bl_ID={$_GET['f']} AND bl_ADDER=$userid",
           $c);
   print
           "Black list entry removed!
<a href='blacklist.php'>> Back</a>";
}

Shouldn't it be something like:


function remove_enemy()
{
   global $ir, $c, $userid, $h;
   $_POST['ID'] = abs((int) $_POST['ID']);
   // The POST was secured, what about the GET?
   $_GET['f'] = abs((int) $_GET['f']);
   // Bail out if the two ids do not match
   if ($_POST['ID'] != $_GET['f']) {
       print "An error has occurred, please go back and try again. <a href='blacklist.php'> Back</a>";
       $h->endpage();
       exit;
   }
   mysql_query(
           "DELETE FROM blacklist WHERE bl_ID={$_GET['f']} AND bl_ADDER=$userid",
           $c);
   print
           "Black list entry removed!
<a href='blacklist.php'>> Back</a>";
}
Link to comment
Share on other sites
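A hardened `remove_enemy()` for the function discussed in the posts above, added here as an example; it is not part of the thread and is not McCodes code. It validates the same value the query uses and rejects bad input rather than coercing it, then deletes with bound parameters. The function signature, the use of PDO, and the in-memory SQLite table (standing in for the game's MySQL database so the script runs offline) are assumptions.

```php
<?php
// Added example, not McCodes code. Assumes PDO with the pdo_sqlite driver;
// in-memory SQLite stands in for the game's MySQL database.

/**
 * Validate the id strictly, then delete with bound parameters.
 * Returns true only if a row owned by $userid was actually removed.
 */
function remove_enemy(PDO $db, int $userid, $rawId): bool
{
    // Reject anything that is not a positive integer instead of coercing it:
    // abs((int) '2 OR 1=1') quietly turns into 2, FILTER_VALIDATE_INT fails.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // The validated variable is the one that reaches the query (the 1.1.0a
    // patch cleaned $_POST['ID'] while the SQL kept using $_GET['f']), and it
    // is bound as a parameter, so it never becomes part of the SQL text.
    $stmt = $db->prepare(
        'DELETE FROM blacklist WHERE bl_ID = :id AND bl_ADDER = :adder'
    );
    $stmt->execute([':id' => $id, ':adder' => $userid]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data: two entries added by user 1, one by user 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blacklist (bl_ID INTEGER PRIMARY KEY, bl_ADDER INTEGER)');
$db->exec('INSERT INTO blacklist VALUES (1, 1), (2, 1), (3, 2)');

$userid = 1; // stand-in for the logged-in user's id
// Constructed stand-ins for $_GET['f']: own entry, someone else's entry,
// malformed strings, and a missing parameter.
foreach (['1', '3', '2 OR 1=1', '-2', null] as $f) {
    $ok = remove_enemy($db, $userid, $f);
    printf("%-12s => %s\n", var_export($f, true), $ok ? 'removed' : 'rejected');
}
echo $db->query('SELECT COUNT(*) FROM blacklist')->fetchColumn(), " rows remain\n";
```

Checking the affected-row count also lets the page report a failure when the entry does not exist or belongs to another user, instead of always printing "Black list entry removed!".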

Where else does it exist?

Sorry, I think it's time you looked yourself instead of relying on the community to point out your errors. It doesn't take long if you have a keen eye for these types of things, but if you need some help, then enabling error_reporting would be a good start. You stated something earlier along the lines of not wanting to spoon-feed programmers with a fully working, stable, and secure product... Perhaps the community is gradually reaching the stage where spoon-feeding the developers is no longer appropriate.


Sorry, I think it's time you looked yourself instead of relying on the community to point out your errors. It doesn't take long if you have a keen eye for these types of things, but if you need some help, then enabling error_reporting would be a good start. You stated something earlier along the lines of not wanting to spoon-feed programmers with a fully working, stable, and secure product... Perhaps the community is gradually reaching the stage where spoon-feeding the developers is no longer appropriate.

I understand. Thank you for your efforts so far.
