2019-07-27 03:22:09

Good Friday evening everyone.

the last day or so on the forum has become a bit crazy, with the
release of a new game plus our actions towards the developer of said
game. This morning I brought this forward to the staff list so we as a
team could discuss it. though I fully support the actions of my fellow
staff members, I was also bothered by the fact that while doing our
due diligence to keep the forum a safe place, we were straying into
territory that was hurting the community as a whole.

Let me step back for a moment and apologize that this post contains
so many I's and me's. Upon agreement from the staff, I was tasked with
writing this update for all of you. Please understand that though I am
writing in the first person, I speak for the staff as a single unit,
and that I've been given the go-ahead to write this. No overrides lol.

one of the major concerns about rule 3 has been where it pertains to
audio games. I will just be blunt and say it, as it has been said in
other posts. An extremely high number of the existing games in our
database use assets which they were not authorized to be using. I am
not about to start writing an exhaustive list, as some of the possible
games could/would spark arguments. Suffice it to say that rule 3, as
it is being enforced towards game assets, would decrease the number of
games on a major scale. I've seen comments on this, both publicly and
privately, from concerned forum members regarding their favorite games
and what would be done with them.

As a team, we have decided  to relax our stance on game assets so
long as all of the following is true.
1. the assets in question are not directly lifted from another audio
game. This is not easy to enforce, and we will not be checking every
game. However, if a game is using custom recorded sounds such as
custom sound effects, speech, etc, it will probably be looked in to
and we will most likely talk to the developer about how to fix this.
Keep in mind that most games use publicly available libraries. We're
not going to go combing through every game. that's just not realistic.
2. Where possible, we encourage developers to please obfuscate their
data with encryption. As a developer, I realize this concept isn't
always easy, so we're not making this mandatory, but we would still
like to see developer's attempt to secure their assets whenever
possible.
3. The project in question is not accepting payment, whether that be
donations, or the game being shareware.
4. The game or project isn't designed to do things like offer users
the ability to obtain copyrighted material. The example I gave on the
list for laughs was that the secret level in Super Liam 2 where you
can stream episodes of 13 reasons why from a torrent site would most
likely not be allowed. tongue BTW. that level doesn't actually exist. Hate
to spoil the fun.

I’m hoping this post answers questions for everyone, and that we can
get back to gaming.

My name is Inigo Montoya. You killed my space bar. Prepare to die!

http://l-works.net

2019-07-27 03:53:38

Chiming in right away to support this.

At the end of the day, there is absolutely no squeaky-clean choice here. I am wary of this choice, myself, but accept that it might be best for the community itself even if it wanders into some moral gray areas. As such, I'm in support of it; this isn't a torpedo attempt.

All this having been said, guys, I would love it if people used copyrighted material as little as possible going forward, and that, where feasible, people might consider replacing it. Crazy Party is the oft-cited example that keeps coming up, and the one which troubles me the most. There are literally hundreds of copyrighted assets here, and I would personally like to see that change, even if it takes time. We may not be about to drop the hammer really hard on such things at this point, but we'd still like to endorse as much aboveboard behaviour as we can. If you are a developer considering making a game, please keep Liam's post in mind, and if you feel you absolutely must use assets that you haven't bought and paid for, or which you don't have a license to use, please keep it to a minimum, and obscure it as much as possible so it happens at little as we can reasonably manage.

To be clear, we're still against ROMs, and we're still against the discussion and sharing of audio-described content here. We likewise have no tolerance for unauthorized code forks or theft, so just don't do any of that. None of that has changed. We're only saying that it is essentially unrealistic to put forward a hard-line stance about copyrighted assets in pre-existing games, much as it might be cleaner if we could; it would detonate the forum in a blaze of un-glory, and that wouldn't be good. So let's all work together in minimizing our use of pirated assets, and let's try very hard to encourage others to source their own stuff; big corporations or no, nobody really deserves to have their hard work reappropriated.

Check out my Manamon text walkthrough at the following link:
https://www.dropbox.com/s/z8ls3rc3f4mkb … n.txt?dl=1

Thumbs up +1

2019-07-27 04:16:44

here is a link to the topic in the dev room on places to find legal assets for your games. there are quite a large number of options here.
https://forum.audiogames.net/topic/2812 … and-music/

My name is Inigo Montoya. You killed my space bar. Prepare to die!

http://l-works.net

2019-07-27 08:03:52 (edited by Ethin 2019-07-27 08:04:16)

I'm quite sad that we need to use encryption to stop this. Most mainstream games use license agreements, but I understand why this is necessary. I would advise doing three things, if you want this to work:
1. Continue discouraging the use of BGT. Even done right, encryption with BGT is easy to break, do to the way BGT stores code.
2. Continue the encouragement to use languages like Python. Extremely encourage developers to learn how cryptography works -- I really don't like lecturing devs on how to properly use encryption systems because they clearly don't understand how to use them properly, thereby nullifying the encryption altogether. I'm sure that other developers feel the same way. Using cryptography is something that can be learned in a self-educating manner via Google, books, etc. You don't need to take a class on it.
3. Strongly encourage developers to use Cython on their sensitive code. This ensures that the code cannot easily be gotten access to (by, say, freezing the interpreter).

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

2019-07-27 08:33:26

Sadly you'd think that a license agreement would mean something, but it unfortunately does not.

My name is Inigo Montoya. You killed my space bar. Prepare to die!

http://l-works.net

2019-07-27 09:18:31

I see your point. But businesses still use it -- it gives them a way to cover their asses.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

2019-07-27 11:25:17

Thank you very much for making this clear for everyone. More importantly, thank you very much for listening to the community.

@Ethin, mainstream games heavily use asset encryption for short term data protection, so this is nothing new. If it is breached, the license is there for legal reasons, in the event of a court case, or a private settlement, etc.

1. BGT is often blamed for data breaches, while people forget that it is still the only language that provides a very easy environment for those who are starting out. All the essential tutorials, libraries and numerous examples are provided in the package, specifically designed for audio game creation. It is certainly not ideal if you want to do general programming, but it is not meant to fulfill this purpose. The way BGT stores its code is the way 99% of all interpreters work, including some incredibly popular languages, such as Lua.
The reason why BGT's encryption can be broken is because it is completely unprotected, just like Python, or Cython, C, and other languages.

2. Modern cryptography is a science that heavily relies on math. You will need a lot more than a few books to learn it. Educating yourself will take you only so far. Knowing how to use a library or two is like having musical phrase libraries that play chords for you, it does not mean that you know how to play the instrument, nor know how to use it effectively. Little knowledge is worse than no knowledge, as they say.

3. If you know how to freeze an interpreter, you also know how to access Cython memory areas and hook into someone's code, enough to break most of what's out there.

While I appreciate your advice and sharing your personal opinion, I think there are a lot of things that we cannot expect from someone who's just starting out. Their language choice is likely to be influenced by ease of use and the availability of resources. The majority of them will certainly not spend days or more on going through books that deal with cryptography, just to protect their assets. To be honest, if I started out right now, while being 12 or so, I would be very discouraged, to say the least.

Rob

Visit my site
http://erion.cf
You can also stop by for a slice of Pi
http://tardis.pw

Thumbs up

2019-07-27 15:41:36 (edited by Ethin 2019-07-27 15:52:37)

@7:

1. BGT is often blamed for data breaches, while people forget that it is still the only language that provides a very easy environment for those who are starting out. All the essential tutorials, libraries and numerous examples are provided in the package, specifically designed for audio game creation. It is certainly not ideal if you want to do general programming, but it is not meant to fulfill this purpose. The way BGT stores its code is the way 99% of all interpreters work, including some incredibly popular languages, such as Lua.
The reason why BGT's encryption can be broken is because it is completely unprotected, just like Python, or Cython, C, and other languages.

This is not true whatsoever. There is a difference between what BGT does when it stores code and what Lua and Python do. With Lua and Python, you have tools such as luac that compile your code to native code. Most interpreted languages have this. BGT is a major exception, primarily because all the offsets for everything is fixed. Once you know the offset for string_decrypt, you always know the offset for string_decrypt. C, on the other hand, is not so easy: C compiles directly to machine code. I cannot just take a C program and pull the decryption keys out of it (because I don't know what is what). . It would require many hours (days, possibly even months to years) for me to figure it out. This is not the case with BGT at all. As a suggestion, please go read up a topic called name mangling.
Furthermore, C, Python, Lua, etc., have a unique quality that BGT does not: you only know the function names for the standard libraries they bundle in. You don't know where the decryption logic is. With BGT, I know the decryption function is always at a particular memory offset, therefore I can easily break your code. While BGT provides a lot of things that Python does not for audio game development in particular, it causes vendor lock-in, and its much better if you go with a mainstream programming language than one that is no longer maintained and raises AV flags everywhere. Do you really want your potential user base dealing with that?

2. Modern cryptography is a science that heavily relies on math. You will need a lot more than a few books to learn it. Educating yourself will take you only so far. Knowing how to use a library or two is like having musical phrase libraries that play chords for you, it does not mean that you know how to play the instrument, nor know how to use it effectively. Little knowledge is worse than no knowledge, as they say.

This is only for the underlying theories and processes of making your own cryptographic algorithms. You do not need to know a huge amount of math to use a cryptographic library safely. Never mess with underlying cryptographic primitives without knowing what yoru doing -- it is a very good way to break yourself. However, as someone who isn't a wiz at math, I can tell you that I use cryptographic libraries (OpenSSL, Monocypher, Mongoose, AWS KMS, etc.) safely without knowing any of the underlying extreme theory.

3. If you know how to freeze an interpreter, you also know how to access Cython memory areas and hook into someone's code, enough to break most of what's out there.
While I appreciate your advice and sharing your personal opinion, I think there are a lot of things that we cannot expect from someone who's just starting out. Their language choice is likely to be influenced by ease of use and the availability of resources. The majority of them will certainly not spend days or more on going through books that deal with cryptography, just to protect their assets. To be honest, if I started out right now, while being 12 or so, I would be very discouraged, to say the least.

This is far more of your opinion than mine. Most of it is myth, or misinterpreted. You either misinterpreted what I wrote deliberately or ignorantly, I don't really know; however, please go read up on the subjects I raise in regards to programming before you come to me and say that what I am doing is wrong. Also, you cannot break Cython hooks and cannot determine (beforehand) its memory areas. A cythonized Python program with a single line is over 5000 lines in C. Add over 600 lines of game logic and Cython code is about 12 times that. I significantly doubt anyone could break Cython code without extreme effort, and no blind person is going to spend that much effort in breaking an audio game just to get the sounds. My advice, for that is what it was in six, was entirely correct.
I'm not really sure where you got this information, but if someone is using cryptographic primitives in their program, I would expect them to know how to use them safely. So yes, I would expect someone, even at the age of 12-13, to know these things if they are using a cryptographic library in their applications. Someone who is just starting out should be asking questions on how to use cryptographic systems, instead of blindly going with what works and what doesn't. If your using cryptographic systems of any kind, I would expect you to know how to use them properly, or not use them at all. Any programmer would expect the same.
Finally, your first reason about languages is just funny. That was my first clue that you've never looked into how C/C++ work, nor how the Python module system works, for that matter, or Lua either. You can write Python modules in C. You can write Lua modules in C. You can write C in, uh, C. And C is the go-to language for over 80 percent of the code in the world.
So, really, what I'm saying is check your facts before posting and trying to correct me. Your saying that a language used by pretty much every software engineer (and even developer) is easily breakable when it comes to cryptography or any other field. This is just not true. If it was that simple, C would no longer be popular.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

2019-07-27 15:51:01

Yeah, and it's completely up to people what language they use, we can't be assholing everyone into using python because well, python isn't for everyone, the same way BGT isn't for everyone. The only part of this rule I disagree with is the paid / ddonationware thing, since what if someone uses sounds out of say, SFX kit that have also been used in other audiogames, a mod could just a use them of ripping sounds directly out of said game and they would lose a lot of customers as a result.

2019-07-27 15:54:46

@9, I disagree. If a language is clearly harmful to a community (i.e. BGT is harmful because it is easily breakable for encryption, something the staff want to start pushing), then I would discourage you from using it, and to choose another. BGT does not need to be the de facto language you learn when jumping into AG development. You can easily start with any other.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

2019-07-27 16:07:06

True, but by that same logic someone also doesn't have to use python or c++ or whatever if they don't fly well with that language. FYI, there are ways to protect your assets if you're clever about it. I have written a few functions for this myself, but won't share them here for obvious reasons. I challenge you to try getting the sounds out of balloon master or toom hunter, for instance. For the record, I've seen what both those games do to protect their sounds, and I've also been on team talk with Carter Temm when he tried to debug them, and even he didn't have much luck, so good luuuuuuck!

2019-07-27 16:11:33 (edited by Ethin 2019-07-27 16:19:12)

@11, if it uses string_decrypt, its breakable. I can understand how hard it would be if your creative, but ultimately, if it tracks back to BGT's decryption functions, which it would ultimately have to do (unless they found a native DLL) is still locatable. Then its just down to figuring out what is what.
My point is, you shouldn't need to jump through tons of hoops just to use BGT's cryptography in a way that's hard to crack. If BGT were C, and had the libraries C has... well... you certainly wouldn't need to worry about having to be overly inventive. Yes, someone may not fly well with Python, for example, but at least they're using a language with a massive user base. They'd get answeres on stack overflow, for example. If you ask a question about BGT o stack overflow your not going to get a useful answer back at all because <no one> knows anything about BGT. Its a far better idea to use a popular programming language that has libraries and a support foundation behind it than use something that's only known by a nitch community and that raises red flags all over the place.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

2019-07-27 16:44:58

cmerry wrote:

Yeah, and it's completely up to people what language they use, we can't be assholing everyone into using python because well, python isn't for everyone, the same way BGT isn't for everyone. The only part of this rule I disagree with is the paid / ddonationware thing, since what if someone uses sounds out of say, SFX kit that have also been used in other audiogames, a mod could just a use them of ripping sounds directly out of said game and they would lose a lot of customers as a result.

Please read the original post. I point out that most sounds that are being used are from publicly availible libraries. if you use sounds out of SFX Kit we are going to have to assume that you own a license for it. however if we fidn out that you don't, then that is where we'd probably take action if your game was being sold.

Unfortunately, I'm confident that in 9 out of 10 cases, people have downloaded sF kit for fre eand are using sounds from it. Proving that of course is a whole different story.

My name is Inigo Montoya. You killed my space bar. Prepare to die!

http://l-works.net

2019-07-27 16:49:49

Moderation:
Also if we could please keep this topic from descending in to the realm of which programming language is better that would be great.

My name is Inigo Montoya. You killed my space bar. Prepare to die!

http://l-works.net

2019-07-27 17:49:00

@Ethin, from time to time, you demonstrate that your knowledge is not as extensive as you think it is. There is nothing wrong with that, unless you give factual advice, in which case it is rather harmful for those who do not have as much experience as you, and choose to follow suit. For the sake of the community, please, please make sure that what you say is correct. As far as I am concerned, I am done discussing this, as it is getting off-topic. The reason why I pointed out and I am still pointing out what is incorrect is because this is not what people who are starting out should see. You are, of course, entitled to your opinion, unless you provide them as facts that others should follow.

Ethin wrote:

This is not true whatsoever. There is a difference between what BGT does when it stores code and what Lua and Python do. With Lua and Python, you have tools such as luac that compile your code to native code.

Incorrect. What you mean by "native code" is actually bytecode, and not machine code, also referred to as "native code". Bytecode is interpreted by a virtual machine, and it is an intermediate form.

Ethin wrote:

Most interpreted languages have this. BGT is a major exception, primarily because all the offsets for everything is fixed. Once you know the offset for string_decrypt, you always know the offset for string_decrypt. C, on the other hand, is not so easy: C compiles directly to machine code. I cannot just take a C program and pull the decryption keys out of it (because I don't know what is what).

For the record, BGT is using Angel Script, which does compile "BGT code" to bytecode, so no difference so far.
Name mangling does not make a difference her. It takes two minutes or less to get a function address via any capable debugger. It is not designed to protect functions, but rather to avoid collision. Rather than pretending to know what I don't know, you should actually listen, for once.

Ethin wrote:

Furthermore, C, Python, Lua, etc., have a unique quality that BGT does not: you only know the function names for the standard libraries they bundle in. You don't know where the decryption logic is.

Please enlighten us about where the encryption logic is exactly in BGT. Just because you know the offset, which you are right, never changes, you do not know where the encryption logic is. This is the equivalentof knowing a function address via a debugger in any other language you personally encourage using. Surely, BGT encryption is not just one function, right? All you do is access a wrapper function, along with a few registers. Yet again, this does not mean that the entire encryption logic is in the function you know the offset of.

Ethin wrote:

However, as someone who isn't a wiz at math, I can tell you that I use cryptographic libraries (OpenSSL, Monocypher, Mongoose, AWS KMS, etc.) safely without knowing any of the underlying extreme theory.

As I have pointed out earlier, knowing how to use a library does not necessarily make you effective. Effectiveness is not something you can judge alone. You will see this once you start working for a company where they rely on your code that uses encryption. There is a huge difference between: "It works, I can use it," and "It works, I can use it, and it is not vulnerable."

Ethin wrote:

... aAlso, you cannot break Cython hooks and cannot determine (beforehand) its memory areas. A cythonized Python program with a single line is over 5000 lines in C. Add over 600 lines of game logic and Cython code is about 12 times that. I significantly doubt anyone could break Cython code without extreme effort, and no blind person is going to spend that much effort in breaking an audio game just to get the sounds.

Please look into Capstone, since you are a firm believer of using premade tools. A huge amount of automatically generated C code, or any code for that matter, be it in source or compiled form, is not an excuse on grounds for code protection. You do not expect anyone to go through those lines manually, right? If yes, you will be really happy about Cython's built-in debugger.

Ethin wrote:

I'm not really sure where you got this information, but if someone is using cryptographic primitives in their program, I would expect them to know how to use them safely. So yes, I would expect someone, even at the age of 12-13, to know these things if they are using a cryptographic library in their applications.

So do I. In reality, we both know that this is not the case. Google, Microsoft, Apple, and thousands of other companies did not always make it right. Clearly, there must be some magic going on in your case.

Ethin wrote:

Someone who is just starting out should be asking questions on how to use cryptographic systems, instead of blindly going with what works and what doesn't.

Were you? Can you honestly say that when you were starting out, you had these questions about encryption? I think you were rather busy with grasping the required concepts, hopefully practicing your programming skills, and were actually happy that you could create something. This is what we have from novice game developers at the moment. Even in an educational environment, encryption is definitely not the first, nor the second question anyone would ask about, or teach. But I guess all the universities that produce the world's best developers today must be doing it wrong.

Ethin wrote:

Finally, your first reason about languages is just funny. That was my first clue that you've never looked into how C/C++ work, nor how the Python module system works, for that matter, or Lua either.

You are absolutely right. You should probably inform my employers as well, when they employ me for critical application development with more than 25 years of C and C++ (and other languages) experience. Well done! :-)

Rob

Visit my site
http://erion.cf
You can also stop by for a slice of Pi
http://tardis.pw

Thumbs up +7

2019-07-27 20:03:25

Moderation:
I'm actually going to go ahead and drop a caution here.
Ethin, even if you are, in fact, a hundred percent correct, the way you're approaching this is borderline obnoxious. You ought to know better. Rob did not come after you personally in his first post where he disagreed with you; he stuck to facts as he sees them, and you responded with quite a bit of snark and condescension. Why, exactly, do you think that's a good idea? Also, it goes without saying that, while you have your own experience, so does Rob. I am not expert enough to say which of you is right here, and I'm not about to go do the research right this instant, but that part is sort of irrelevant. You can disagree with people all day if that's what you want, but let's leave out the sarcasm and personal insults. Also, you may have something of a point about BGT not being the best language long-term, but the way you're grinding this axe reminds me of those people who said they would be glad when Skype 7 stopped working...wait, weren't you one of those people? I misremember. Either way, it's not just about giving the advice and walking away for you. For you, it seems to be that you're going to badger and push people into not using BGT. Frankly, what a new dev does is really not your concern; if they use a language - any language, even one of those you support - and it makes them miserable for some reason, then that's an issue. You are striking me more and more as the sort of person who feels that personal integrity and rightness are tied together. i.e., if someone says you're wrong or does a thing you don't support, you feel personally slighted somehow, and you respond by insulting them and sometimes hounding them until they agree with you. It's relentless, it's off-putting, it's disrespectful and it needs to stop, like yesterday, preferably.

Check out my Manamon text walkthrough at the following link:
https://www.dropbox.com/s/z8ls3rc3f4mkb … n.txt?dl=1

Thumbs up +4

2019-07-29 19:03:47

Right, congrats on making that.
Now, we'll lose a ton of good games, we'll lose a ton of developers and so on and so forth.
Ironically, games like Super Liam, Judgement day and some other classics use assets optained from somewhere else.
update the db right away!

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2019-07-29 19:10:35

BTW don't try doing something you won't be able to verify.
In the game I am making as my current project I have optained some assets from Yulong, who allowed me to use them.
And how you'll verify that? How you might know if I'm telling the truth or not? Will you ban me because some of assets are used in Battle Of Armageddon? Or you'll try to reach out Yulong, because he's put here as an example?

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2019-07-29 23:30:26

please read the original post. We have stated we're not doing that.
Thank you.

My name is Inigo Montoya. You killed my space bar. Prepare to die!

http://l-works.net

2019-07-30 06:15:24

I'm glad this decision was taken, I remember you guys saying you were doing the other things because having that content around might deter future developers, but cracking down on games because of their sounds would probably be much more of a turn-off for developers than any of the other stuff.

Thumbs up

2019-07-30 11:50:09

i didn' mean to b e rude or anything Liam, I think this decision is not good, unless, for example someone stils sounds from AHC, because this content is created by Out Of Sight games. But for example NN uses very big amount of sounds from other sources, like Night of Parasite.

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2019-07-30 14:42:35

sorry. what's nn?

My name is Inigo Montoya. You killed my space bar. Prepare to die!

http://l-works.net

2019-07-30 14:50:43

Bokurano Daiboukenn

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2019-07-30 15:58:59 (edited by Ty 2019-07-30 15:59:20)

I have one question. how is nn, Bokurano Daiboukenn? Just wondering.

I like cats.

Thumbs up

2019-07-30 17:48:55

I don't know. The installers are named like that lol

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha