I remember seeing a pretty good writeup somewhere about spoofing attacks against helpers and scripts. Anyone know what I'm talking about? I can't find the link anymore.

Edit: NM, found it... http://tw-cabal.navhaz.com/strategy/twxansitricks.html

Man... I was hoping to get away with ignoring ANSI in my data parser. Alas, "Command [TL=00:00:00]:[1234] (?=Help)? : " is a perfectly valid trader name. ANSI is the only way to detect such spoofs.

Wow! I've never seen anyone use that before. Some would spoof other players, but JP put a stop to that by requiring the first 6 charactors of a players name to be unique. Only the first 6 show on fed com, so I show up as Crunch, not Cruncher

I've been spoofed before when someone entered the game as Cruncher. with a dot at the end. That causes confusion because we both look the same over fed com.

I referred to them as "mini-me" LOL eventually the sysop changed their name.

That didn't stop it, for example when Mombot broke a couple years back the daily logs were used to spoof the self destruct command. The same could be achieved by private messaging a user.

In the end spoofing can only be stopped by the creator of the script not JP, unless of course he turns off fedcoms, subcomms, daily logs, private comms, planet display prompts, stardock display prompts, shipname prompts, you get the picture.

I knew that change had been discussed, but I wasn't aware that it ever went live.

One way I'm trying to inhibit spoofing is by matching certain strings only when they appear at the beginning of a line. However, there are some messages where the player's name appears at the beginning of the line. This is what forced me to match strings by ANSI codes as well as the text between them. But even so, there are a few trader names that could cause messages like someone blasting off from Stardock to perfectly spoof another game message, at least for the first several characters. For example, your name can be "Enter your choice: ", which spoofs the game menu prompt right down to the color. I'm taking extra steps to prevent such things. Thank goodness your name can't be "Deployed Fighters"!

If it were up to me, trader names could only contain alphabetic characters and spaces. (Filing that idea away in my botlink notes...)

Actually, it's not quite a perfect spoof because TW strips trailing spaces off trader names. (At least it does when you change your name in the underground.) Sooooo... matching the trailing space after the real game menu prompt is important when "Enter your choice: blasts off from the StarDock."

Then those types of spoofs may only effect the script players. Play with fire and you just might get burned! LOL

Or, write better scripts with safeties.

To my knowledge there has never been a server-side spoof, i apologize I had thought you were referencing client side which almost entirely is comprised of scripting attempts.

I think we're all talking about the same thing.

With Web applications, you want to carefully consider where and how anything that is entered by a user is displayed to other users. That's basically the approach I'm taking with my helper, but of course from the client's perspective instead of the server's. I'm looking at every place where user-submitted text is displayed in the game, and looking for distinctions that will allow me to positively identify it as such. With only the one exception I mentioned, ANSI codes and/or the preceding context clearly distinguish every real game message I've examined. For example, as long as ANSI is on, it's impossible for a player to spoof the Command prompt. It's also impossible to pass off a Fedcomm message as anything other than a Fedcomm message. It's when scripters use naive text triggers that they're liable to get bitten. I'm debating whether I should include any text trigger capability at all in my scripting API.