This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

MineCredit (Credit cards in minecraft)

Started by PossieTV, 11 December 2012 - 03:51 PM
PossieTV #1
Posted 11 December 2012 - 04:51 PM
This program adds money called MineCredit to minecraft.

Different programs
*Activation - this program will turn any floppy disk into a credit card with 100 MineCredit already on it
*Server - stores all of the data for all of the cards
*Cash register - has a company card already on file, and when you put another card in it asks you how much the item is. It then takes that much out of your account and puts it in to the card that is on file.
*ATM - shows how much MineCredit is in your account
*Transaction Machine - You put one card in then you take that one out and put another one in. Type an amount and it will take that amount out of the first account and put it in the second one.


Downloads
v1.0 http://www.mediafire...aza20c7t31bg1mf

Pictures
[attachment=765:2012-12-10_19.44.59.png]
[attachment=766:2012-12-10_19.46.19.png]
[attachment=768:2012-12-10_19.48.26.png]
Bubba #2
Posted 11 December 2012 - 06:22 PM
I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?
PossieTV #3
Posted 12 December 2012 - 02:17 PM
I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?

I prefer media fire over paste bin for a couple reasons, 1. I can see how many downloads I get (so I can see if I am getting more downloads as the versions progress) 2. I think it would be easier than for you (since it's just one link and you guys don't have to copy and paste anything). The credit cards are pretty secure. The only way for someone to make a copy is if they got your card and make a program that copies them.
Bubba #4
Posted 12 December 2012 - 02:40 PM
I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?

I prefer media fire over paste bin for a couple reasons, 1. I can see how many downloads I get (so I can see if I am getting more downloads as the versions progress) 2. I think it would be easier than for you (since it's just one link and you guys don't have to copy and paste anything). The credit cards are pretty secure. The only way for someone to make a copy is if they got your card and make a program that copies them.

Okay, it's your preference. The reason I requested pastebin is because my phone does not have zip capability (or at least, it is a pain in the ass to work) and my computer is broken.

As to the security, let me change my question somewhat (although the duplication issue is a fairly valid security concern to consider). How vulnerable are the server and other rednet-reliant programs? What would happen if I were to send fake deposit/withdrawal messages to the server? How easy is it to fake deposit/withdrawal messages to the server? Questions like that.
immibis #5
Posted 12 December 2012 - 02:55 PM
I imagine most people would find pastebin preferable to mediafire, but I suppose it's your choice. How secure are the "credit cards" and what keeps people from duplicating them?

I prefer media fire over paste bin for a couple reasons, 1. I can see how many downloads I get (so I can see if I am getting more downloads as the versions progress) 2. I think it would be easier than for you (since it's just one link and you guys don't have to copy and paste anything). The credit cards are pretty secure. The only way for someone to make a copy is if they got your card and make a program that copies them.

Okay, it's your preference. The reason I requested pastebin is because my phone does not have zip capability (or at least, it is a pain in the ass to work) and my computer is broken.

As to the security, let me change my question somewhat (although the duplication issue is a fairly valid security concern to consider). How vulnerable are the server and other rednet-reliant programs? What would happen if I were to send fake deposit/withdrawal messages to the server? How easy is it to fake deposit/withdrawal messages to the server? Questions like that.
The server does not check the sender ID.
Any computer can send activation messages to the server to create accounts with 100 credit, then transfer their balance to someone's account.
The server also doesn't check for negative balance, so you can easily get a lot of money by making two accounts, then transferring a large amount of money from one to the other.
Unrelated, the server will also crash with a stack overflow after processing a lot of transactions.
dissy #6
Posted 12 December 2012 - 03:09 PM
I'll admit I haven't installed the program yet, but I'm reading over the code files (especially the server) and feel a bit confused.

So I gather "Activate" is used to create a new card. It asks for input for the "card ID" and simply stores that in a file on the disk.
I'd gather if you used huge numbers, such as 16 digits or more like on a real credit card, these would be pretty hard to guess at.

But the server program is what worries me.

There doesn't appear to be any checks in the code to prevent a transfer from happening when the person's card doesn't have enough funds on it.
It doesn't even appear to check if the card ID is valid at all, so you can simply make a text file on a disk with a random number, and transfer your initial $100 off of it to your real card, and keep doing that all day (or have a turtle do it for you) until you are a billionaire.

I also suspect the server program would actually crash if you spoofed a card ID that did not exist, since it looks like it just tries to read their balance from a non-existent file, without checking first.

Your idea is nice, but the implementation needs a bit of work.
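The server-side checks that posts #5 and #6 report as missing, shown as an added example that is not part of the original thread or of MineCredit's code. It models the server's request handling in Python rather than ComputerCraft Lua so it runs stand-alone; the message fields, terminal IDs and card IDs are assumptions made up for the illustration.

```python
TRUSTED_TERMINALS = {12, 17}      # computer IDs allowed to move money (assumed)
ACTIVATION_TERMINALS = {12}       # only this ID may create accounts (assumed)
STARTING_BALANCE = 100            # every new card starts with 100 MineCredit


class Ledger:
    def __init__(self):
        self.balances = {}        # card ID -> balance

    def handle(self, sender_id, msg):
        """Validate one request and return (accepted, reason)."""
        if not isinstance(msg, dict):
            return False, "malformed"
        if msg.get("type") == "activate":
            return self._activate(sender_id, msg.get("card"))
        if msg.get("type") == "transfer":
            return self._transfer(sender_id, msg.get("src"),
                                  msg.get("dst"), msg.get("amount"))
        return False, "unknown type"

    def _activate(self, sender_id, card):
        if sender_id not in ACTIVATION_TERMINALS:
            return False, "untrusted sender"
        if not isinstance(card, str) or not card:
            return False, "bad card id"
        if card in self.balances:
            return False, "card exists"   # re-activation must not reset funds
        self.balances[card] = STARTING_BALANCE
        return True, "activated"

    def _transfer(self, sender_id, src, dst, amount):
        if sender_id not in TRUSTED_TERMINALS:
            return False, "untrusted sender"
        if not isinstance(src, str) or not isinstance(dst, str):
            return False, "bad card id"
        if src not in self.balances or dst not in self.balances:
            return False, "unknown card"  # never read a missing account
        if type(amount) is not int or amount <= 0:
            return False, "bad amount"    # rejects negatives, floats, strings
        if self.balances[src] < amount:
            return False, "insufficient funds"
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True, "ok"


def serve(ledger, inbox):
    """Handle queued (sender_id, msg) pairs in a loop, not by recursion."""
    return [ledger.handle(sender_id, msg) for sender_id, msg in inbox]


def demo():
    # Constructed traffic: two valid activations, then the abuses named above.
    ledger = Ledger()
    inbox = [
        (12, {"type": "activate", "card": "CARD-A"}),
        (12, {"type": "activate", "card": "CARD-B"}),
        (99, {"type": "activate", "card": "CARD-C"}),
        (17, {"type": "transfer", "src": "CARD-A", "dst": "CARD-B", "amount": 500}),
        (17, {"type": "transfer", "src": "GHOST", "dst": "CARD-B", "amount": 10}),
        (17, {"type": "transfer", "src": "CARD-A", "dst": "CARD-B", "amount": 40}),
    ]
    return serve(ledger, inbox), ledger.balances
```

Every rejected request leaves the balances untouched, so the total amount of MineCredit only changes through an accepted activation.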
PossieTV #7
Posted 13 December 2012 - 03:46 PM
I'll admit I haven't installed the program yet, but I'm reading over the code files (especially the server) and feel a bit confused.

So I gather "Activate" is used to create a new card. It asks for input for the "card ID" and simply stores that in a file on the disk.
I'd gather if you used huge numbers, such as 16 digits or more like on a real credit card, these would be pretty hard to guess at.

But the server program is what worries me.

There doesn't appear to be any checks in the code to prevent a transfer from happening when the person's card doesn't have enough funds on it.
It doesn't even appear to check if the card ID is valid at all, so you can simply make a text file on a disk with a random number, and transfer your initial $100 off of it to your real card, and keep doing that all day (or have a turtle do it for you) until you are a billionaire.

I also suspect the server program would actually crash if you spoofed a card ID that did not exist, since it looks like it just tries to read their balance from a non-existent file, without checking first.

Your idea is nice, but the implementation needs a bit of work.

First of all, thank you. This is just the first version (or rough draft); it is more of a template that I will use to create something more secure. The thing I am working on right now is an encryption system to encrypt the password. The encrypted password will be sent to the server anytime a transaction takes place and decrypted by the server (so people don't send fake messages to the server).
dissy #8
Posted 13 December 2012 - 05:24 PM
First of all, thank you. This is just the first version (or rough draft); it is more of a template that I will use to create something more secure. The thing I am working on right now is an encryption system to encrypt the password. The encrypted password will be sent to the server anytime a transaction takes place and decrypted by the server (so people don't send fake messages to the server).

Encryption for between the server and client(s) over rednet is a good plan.
However for password storage, you might not want to use encryption, but instead use one-way hashing. This offers many advantages in security.

The basic process would be, when a user is setting up their account and setting a password for the first time, take the input and put in variable one.
Then immediately pass that variable to the one-way hashing function, storing the hash in variable two. Then set variable one to a blank string.
The plaintext password is now gone (and thus safe), so save the hashed password along with their username/id.

Later when that user goes to authenticate, you do the same process. input into var, hash the var, and blank it.
Then you can compare the hash you currently have, with the hash stored in their account.
If they match, the user has typed the same thing this time as they did the first time, whatever that thing may be. If they don't match, give a "wrong password" error.

Most people re-use the same password many places, which yes is a horribly bad idea, but that's what happens.
For a non-insignificant percentage of users, if a hacker stole your password file and it contained plain text passwords, now the hacker might have access to the user's Minecraft account, email, and who knows what else.
Worse, if you had the passwords encrypted in a reversible way, well clearly the server program would need to know the key to decrypt them, which means that key would need to be stored somewhere that the hacker also has access to. That means they could just decrypt the passwords too, and the encryption didn't protect anything.
If you assume the worst (a hacker copied every last file from the server), with one way hashing all they could do is try every word in a dictionary (a brute force) which takes time, and is easily thwarted by not using words in the dictionary as passwords ;}
But that would be a lot better than basically handing them both the encrypted passwords and the key to decrypt them.

As an administrator, you'll never have a need to know their password. You can reset a password if one is forgotten, and you can compare hashes to know if what was typed matches what was stored.

I do recall someone posting code to do SHA1 hashing. I'd avoid rc5 since it's not really that good these days.

Also if you use one of the many LAN cable mods out there instead of rednet, that will eliminate the need for encryption altogether, and make the job that much easier.
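The enroll, verify and reset flow from post #8, as an added example that is not part of the original post or of any program in this thread. It goes beyond the post by adding a per-account random salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library); the class name, iteration count and sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000    # assumed work factor; raise it as hardware allows


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


class AccountStore:
    """Keeps only salt and digest per user; the plaintext is never stored."""

    def __init__(self):
        self._records = {}          # user -> (salt, digest)

    def enroll(self, user, password):
        self._records[user] = hash_password(password)

    def verify(self, user, password):
        record = self._records.get(user)
        if record is None:
            # Hash anyway so an unknown user costs as much time as a known one.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(candidate, expected)

    def reset(self, user, new_password):
        """Admin reset: overwrites the record without reading the old password."""
        if user not in self._records:
            return False
        self.enroll(user, new_password)
        return True

    def dump(self):
        """What someone who copied every file from the server would hold."""
        return dict(self._records)
```

Because each account has its own salt, two users with the same password get different stored digests, so one dictionary pass cannot be reused across the whole file.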
immibis #9
Posted 13 December 2012 - 05:37 PM
Also if you use one of the many LAN cable mods out there instead of rednet, that will eliminate the need for encryption altogether, and make the job that much easier.
Not mine :P
dissy #10
Posted 13 December 2012 - 05:54 PM
Also if you use one of the many LAN cable mods out there instead of rednet, that will eliminate the need for encryption altogether, and make the job that much easier.
Not mine :P

Your cables allow intercepting and/or spoofing? To be honest I had no idea.

I stand corrected - point-to-point communications would be the required feature to look for, before deciding not to encrypt the communications.
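For a link where messages can be intercepted or spoofed, as discussed in the posts above, each request can carry a keyed MAC and a counter so the server rejects forged, altered or repeated messages without the secret itself ever being sent. This is an added example, not code from the thread; it is written in Python rather than ComputerCraft Lua, and the message layout, the per-card key shared between card and server, and all sample values are assumptions.

```python
import hashlib
import hmac
import json


def sign_request(card_key, card_id, counter, body):
    """Client side: serialise the request and attach an HMAC-SHA256 tag."""
    payload = json.dumps({"card": card_id, "ctr": counter, "body": body},
                         sort_keys=True)
    tag = hmac.new(card_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Verifier:
    """Server side: checks the tag, then refuses any counter already seen."""

    def __init__(self, keys):
        self.keys = keys            # card ID -> secret key (bytes)
        self.last_ctr = {}          # card ID -> highest counter accepted

    def accept(self, message):
        try:
            payload, tag = message["payload"], message["tag"]
            fields = json.loads(payload)
            card, ctr, body = fields["card"], fields["ctr"], fields["body"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        if not (isinstance(payload, str) and isinstance(tag, str)
                and isinstance(card, str) and type(ctr) is int):
            return False, "malformed"
        key = self.keys.get(card)
        if key is None:
            return False, "unknown card"
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        # Compare as bytes in constant time; the tag covers card, counter, body.
        if not hmac.compare_digest(expected.encode(),
                                   tag.encode("utf-8", "replace")):
            return False, "bad tag"
        # Only a strictly larger counter is fresh; a recorded message is not.
        if ctr <= self.last_ctr.get(card, 0):
            return False, "replay"
        self.last_ctr[card] = ctr
        return True, body
```

The counter is checked only after the tag verifies, so an unauthenticated sender cannot advance it and lock the real card out.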
FUCKCOMPUTERCRAFT!"£ #11
Posted 14 December 2012 - 12:24 PM
First of all, thank you. This is just the first version (or rough draft); it is more of a template that I will use to create something more secure. The thing I am working on right now is an encryption system to encrypt the password. The encrypted password will be sent to the server anytime a transaction takes place and decrypted by the server (so people don't send fake messages to the server).

Encryption for between the server and client(s) over rednet is a good plan.
However for password storage, you might not want to use encryption, but instead use one-way hashing. This offers many advantages in security.

The basic process would be, when a user is setting up their account and setting a password for the first time, take the input and put in variable one.
Then immediately pass that variable to the one-way hashing function, storing the hash in variable two. Then set variable one to a blank string.
The plaintext password is now gone (and thus safe), so save the hashed password along with their username/id.

Later when that user goes to authenticate, you do the same process. input into var, hash the var, and blank it.
Then you can compare the hash you currently have, with the hash stored in their account.
If they match, the user has typed the same thing this time as they did the first time, whatever that thing may be. If they don't match, give a "wrong password" error.

Most people re-use the same password many places, which yes is a horribly bad idea, but that's what happens.
For a non-insignificant percentage of users, if a hacker stole your password file and it contained plain text passwords, now the hacker might have access to the user's Minecraft account, email, and who knows what else.
Worse, if you had the passwords encrypted in a reversible way, well clearly the server program would need to know the key to decrypt them, which means that key would need to be stored somewhere that the hacker also has access to. That means they could just decrypt the passwords too, and the encryption didn't protect anything.
If you assume the worst (a hacker copied every last file from the server), with one way hashing all they could do is try every word in a dictionary (a brute force) which takes time, and is easily thwarted by not using words in the dictionary as passwords ;}
But that would be a lot better than basically handing them both the encrypted passwords and the key to decrypt them.

As an administrator, you'll never have a need to know their password. You can reset a password if one is forgotten, and you can compare hashes to know if what was typed matches what was stored.

I do recall someone posting code to do SHA1 hashing. I'd avoid rc5 since it's not really that good these days.

Also if you use one of the many LAN cable mods out there instead of rednet, that will eliminate the need for encryption altogether, and make the job that much easier.

I'm looking into a LUA encryption program ATM :) I'm planning to start over the weekend, it probably wouldn't be strong but it will offer some protection. So keep your eyes open to see my epic fail :L
dissy #12
Posted 14 December 2012 - 12:49 PM
I'm looking into a LUA encryption program ATM :) I'm planning to start over the weekend, it probably wouldn't be strong but it will offer some protection. So keep your eyes open to see my epic fail :L

I'm personally not proficient enough to do the job correctly in Lua, however after seeing all the half finished apis out there, I'm really thinking strongly about dusting off my old encryption server app.
Long ago I wrote this encryption server and its own protocol so that another device I was working with, with a very limited language and memory (a basic stamp microcontroller specifically), could send data to it for encryption and get the result back to use and relay off.

My server app already does aes, blowfish, and des, as well as the md4, md5, md5crypt, and sha1 hashes.

While serial communication with it is out of the question, at least socket would be possible. Unfortunately for CC the only comm channel that's readily available is http, and while that would be very possible to use, I fear the overhead would slow things down too much for most network related uses.

But I can see this working over http… send a request to localhost for /blowfish and pass all but the data as get arguments, such as ?mode=ecb&dir=encrypt&initvector=0&pad=1&key=supersecret
Then pass the data as uu-encoded POST data, get the result back as uu-encoded text/plain.

Grr, now I think my weekend plans have just changed ;}
Khento #13
Posted 14 December 2012 - 02:07 PM
What a coincidence!
I was working on a similar project.

Well, I'm not a Lua expert but I think your server will have a stack overflow.
I think it would be easier if you just used a while true loop
kornichen #14
Posted 17 December 2012 - 01:38 AM
Hey!

I really like this. Maybe I am allowed to implement it into my OS (link in signature) soon?


Best regards from Germany,

kornichen
Flazh #15
Posted 19 December 2012 - 05:30 AM
Hi, I cannot get the ATM to work. I have changed the ID on the ATM to the Server Computer ID, but it's still showing a blank screen, with nothing. Anyone that could assist/help me with this?

This is how I made the ATM, I don't know if it's an error:


[Computer][Modem - Side]
[Disk Drive]
[—–Ground—–]

Like this:
InputUsername #16
Posted 19 December 2012 - 07:04 AM
Quite nice with the pictures and all, but why no actual 'in-program' screenshots? No pics no clicks :mellow:
FuuuAInfiniteLoop(F.A.I.L) #17
Posted 20 December 2012 - 04:52 AM
suggestions:
1- Hash the passwords and the rednet messages
2- crypt the id with something and send it like a password to give more security
3- need a password for creating more accounts
4- a type of verification so a player can only create one card
5- History
theoriginalbit #18
Posted 20 December 2012 - 05:52 AM
suggestions:
1- Hash the passwords and the rednet messages
2- crypt the id with something and send it like a password to give more security
3- need a password for creating more accounts
4- a type of verification so a player can only create one card
5- History

Hello urielsalis,

I am currently working alongside PossieTV to merge some programs I have made with his to bring several improvements and new features to this set of programs. Thank you for your suggestions. We are currently working on all these suggestions, except history I'm not sure about that one, I'll have to check and see if we had thought of that. Again thank you for your suggestions :)

EDIT: Oh didn't see 2. what id?
FuuuAInfiniteLoop(F.A.I.L) #19
Posted 20 December 2012 - 07:06 AM
suggestions:
1- Hash the passwords and the rednet messages
2- crypt the id with something and send it like a password to give more security
3- need a password for creating more accounts
4- a type of verification so a player can only create one card
5- History

Hello urielsalis,

I am currently working alongside PossieTV to merge some programs I have made with his to bring several improvements and new features to this set of programs. Thank you for your suggestions. We are currently working on all these suggestions, except history I'm not sure about that one, I'll have to check and see if we had thought of that. Again thank you for your suggestions :)

EDIT: Oh didn't see 2. what id?
the id of the computer, to add security so nobody can use a fake computer to gain access

and history is for security reasons so you can see every movement and cancel it also you can view a resume of your account
theoriginalbit #20
Posted 20 December 2012 - 12:02 PM
the id of the computer, to add security so nobody can use a fake computer to gain access

Ahh so you meant to combine the id and something to create the public encryption key

and history is for security reasons so you can see every movement and cancel it also you can view a resume of your account
Yeh I understood the history ;)


thank you.
RunasSudo-AWOLindefinitely #21
Posted 31 December 2012 - 05:04 PM
(Not advertising, because it's on topic ;))
You could take a look at my bank program (see sig) for a bank program with hashing. It's really not that difficult to implement.
theoriginalbit #22
Posted 31 December 2012 - 08:23 PM
(Not advertising, because it's on topic ;))
You could take a look at my bank program (see sig) for a bank program with hashing. It's really not that difficult to implement.

Already being done :)
todry #23
Posted 05 January 2013 - 04:51 PM
You should look in to immibis's mag stripe cards.
cbush14 #24
Posted 17 March 2013 - 08:36 PM
I liked this program but there were a few exploits, money went into negative. Program crashes on blank disk. I hope someone can fix this up and make it verify via rednet that the money is there etc.
LuaEclipser #25
Posted 19 March 2013 - 06:08 AM
this is a really good idea!

Finally some "functionality" to ComputerCraft on servers!
AnDwHaT5 #26
Posted 21 March 2013 - 04:40 PM
Hmm, I was about to make something like this. I love the idea always. My idea, which I will be putting into action, is you make programs and then upload them to a server. People spend ccbucks to buy the programs and then the money is added to your credit card, well, your floppy, and/or if you want access to something, say on a server, like a room, you can use your card to gain access, see what I mean. XD you have the basic concept of my idea :P