Lackey Vulnerabilities
28 Apr 2021 23:33 #102185
by self biased
Replied by self biased on topic Lackey Vulnerabilities
Do we know who owns Lackey? If he can fix the code?
Yes, and he's basically content to only host the server, and that's about it. He's come out and said that there are no plans to further update Lackey.
29 Apr 2021 16:42 #102187
by Ankha
Replied by Ankha on topic Lackey Vulnerabilities
And considering it's been years we've sent requests to him, at least to support non-qwerty keyboards, I think we can assume no change will be ever done.
Do we know who owns Lackey? If he can fix the code?
Yes, and he's basically content to only host the server, and that's about it. He's come out and said that there are no plans to further update Lackey.
29 Apr 2021 19:14 #102188
by beslin igor
Replied by beslin igor on topic Lackey Vulnerabilities
Do we know who owns Lackey? If he can fix the code?
Yes, we know. I just checked my old messages with the Lackey owner. At the end of 2019 he promised that he would talk with some people about sharing the Lackey code so they could fix bugs. I reminded him a few times, asking if he wanted to do that, but he stopped answering my messages.
Because the Lackey server was down for a long time, one guy wanted to donate a dedicated VPS machine with good connectivity to help with this problem. The Lackey admin said he would check the shared topic about this, but never replied.
I don't know if it makes sense to ask him to share the code again, because some people informed me that if he shares the code he will lose control of Lackey.
Well, if we want to contact him, we first need to find people again who want to help fix bugs, because the people who promised that earlier may no longer have free time for it.
The following user(s) said Thank You: Katricz
09 Feb 2022 12:58 #104660
by rolv
Replied by rolv on topic Lackey Vulnerabilities
Greetings folks.
I found 05 vulnerabilities in Lackey that I share with all of you.
First, I would like to emphasize that the goal is to make it public for everyone and look for a solution for this application and for our beloved game.
01 - Cancel Draw
The Cancel Draw button returns the leftmost card to the library, if the cards are changed order in your hand, Cancel Draw will return the wrong card.
02 - No Shuffle
In the main folder of the plugin, which is at:
(...) \ LackeyCCG \ plugins \ vtes \
has a file called plugininfo.txt with the settings for shuffling the deck, marked as Yes. If you switch to No, the decks will not be shuffled when imported, allowing the user to choose the order of the cards he will draw (order that was placed in the deck creation).
03 - Disconnect and Load Game Offline
The user can disconnect in a match, go offline and use the Load Game. With that he restores the same game table online.
That user will be able to see his hands and all his library before resuming to the online game, giving them an unlawful advantage.
04 - Cain Mode
When passing the turn, Lackey generates an autosave file in the \ LackeyCCG \ plugins \ vtes \ saved \
This file contains all the information of the table, such as the hand, library, crypt and pool of all players.
Although the card is in code, it is easily possible to make the corresponding name for that code.
It is not necessary to map all the cards to have extraneous advantages; it is enough to know that the X, Y, Z codes are deflection cards and the T card is Archon, to be able to use that bleed of 07 without worry.
I mapped all card IDs and names to show how this works, and I will gladly show you.
After starting a game and passing the turn, I can tell the hand, library order and crypt of all players.
05 - Revert to Autosave
The Autosave file can be changed before using Revert to Autosave. It is possible to change the pool, the cards, the library before using Revert to Autosave.
This information is already known to several people from different countries.
I can't say that anyone used that in games, but I'm sure they know it.
Rather than trying to solve the problem, people that knew tried to hide these flaws to prevent users from using it.
I prefer to divulge to everyone about them and ask the community for help in finding solutions.
No further.
Katricz
I've been fiddling with Lackey's commands and macros recently, and I think some solutions can be found, for some of these issues at least. Here are the commands if anyone's interested: lackeyccg.com/tutoriallogcommands.html
01 - Cancel Draw
In Lackey terms, Cancel Draw moves a card from top of "Hand" zone to top of "Library" zone. I think that in order to fix that, the order of library would have to be tracked, which is not possible at the moment AFAIK. At the moment, players have to remember what was the last card they've drawn.
02 - No Shuffle
In my opinion this could be resolved using:
/shuffleseat S Z
Where S is a player's seat and Z is the number of the zone to be shuffled. This, combined with chained commands, can give us a command to shuffle all 5 players' Library that could be dispatched by the judge, provided that players haven't changed the zone order in plugininfo.txt (I mean, that would result in other horrible bugs, so this is highly unlikely and is a part of a larger problem):
/shuffleseat 1 2;/shuffleseat 2 2;/shuffleseat 3 2;/shuffleseat 4 2;/shuffleseat 5 2
03 - Disconnect and Load Game Offline
04 - Cain Mode
05 - Revert to Autosave
Well, that would be basically cheating, so the problem is the insecurities of an adult that is cheating in a card game played for fun, I don't know how to fix that :/ Opinions aside, it's indeed an issue and would require extending Lackey with some encryption capabilities.
Some other ways I can think of in order to prevent it is to have a judge/unbiased player who's handling the game state, i.e. runs /savegame gamefile_name, /loadgame gamefile_name commands. This won't prevent bad intentions though.
Another one would be that after restoring a saved game, all players have to whisper the checksum of the save file using the "/checksum LocalPath" command. This however can get a bit tedious since it requires a chain of actions to handle, but basically yeah, checking the checksum of a file can indicate whether the file has been tampered with; it won't fix the issue of peeking into the file without making changes though.
As far as vulnerabilities go, in general, Lackey was not designed to handle malicious intent in my opinion. It's intended for having fun together, at least that's how I try to use this software. For example, if somebody would like to ruin the game, they could just run /shufflealldecks in the chat and boom, every zone of every player gets shuffled (Hand, Library, Crypt etc.), one could exchange hands of players clockwise with a command and so on.
Also, I agree that online tournament ranking should be a separate category and/or should be calculated differently from real-life tournaments.
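An added example (not part of rolv's post and not Lackey code) of the checksum comparison proposed above, seen from the judge's side. SHA-256, the seat labels and the save-file bytes are assumptions constructed for illustration; the page does not say which algorithm /checksum uses or what the save format looks like.

```python
import hashlib

def file_digest(data: bytes) -> str:
    """Hex digest of a save file's bytes (SHA-256 is an assumed algorithm)."""
    return hashlib.sha256(data).hexdigest()

def audit_restore(reference: str, reported: dict, seats: list) -> dict:
    """Compare each seat's whispered checksum with the judge's reference.

    Returns {seat: "ok" | "mismatch" | "missing"} so the judge can see who
    has not answered and whose restored file differs from the saved one.
    """
    result = {}
    for seat in seats:
        value = reported.get(seat)
        if value is None:
            result[seat] = "missing"
        elif value.strip().lower() == reference.lower():
            result[seat] = "ok"          # tolerate case and stray whitespace
        else:
            result[seat] = "mismatch"
    return result

# Constructed stand-in for a save file; not the real Lackey format.
SAVED = b"seat=1 pool=30 library=c17,c04,c52\nseat=2 pool=30 library=c08,c33,c21\n"
EDITED = SAVED.replace(b"seat=2 pool=30", b"seat=2 pool=45")  # changed before restore
PEEKED = bytes(SAVED)                                          # opened and read, unchanged

def demo() -> dict:
    reference = file_digest(SAVED)   # recorded by the judge when the game was saved
    reported = {
        "seat1": file_digest(SAVED),
        "seat2": file_digest(EDITED),
        "seat3": file_digest(PEEKED).upper() + " ",
        # seat4 never whispered a checksum
    }
    return audit_restore(reference, reported, ["seat1", "seat2", "seat3", "seat4"])

if __name__ == "__main__":
    for seat, status in demo().items():
        print(seat, status)
```

The seat whose file was only read still reports "ok", which is the limit noted in the post: a checksum shows that a file changed, not that it was looked at.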
10 Feb 2022 12:37 #104663
by Lönkka
Replied by Lönkka on topic Lackey Vulnerabilities
LOL,
such a system is sure fine and dandy for casual games, but especially now during covid there have been official championships organized using Lackey, which leaves the tournament wide open to anyone sorry and ruthless enough to exploit these weaknesses :'(
Finnish
Politics!
