Protected Module Service Alpha Testers


#1

Hello fellow Robloxians!

About the Service

Roblox recently announced that they will be dropping support for private modules without introducing an alternative starting in February for security reasons. This has left many of you with a tough choice – give up the intellectual property that is the source of your income by making your code public, or stop offering your code.

As a solution to this problem, I created RbxMod.com. After a period of code review, you can grant access to specific games to use your module. Your module will be split into two parts, the protected code that runs in the cloud on my service and the public code that runs on the game server and communicates with your protected code. Since the protected code runs on my server, it doesn’t have access to any Roblox services or instances (like HTTPService, game, workspace) and all the input and output go through the public code. By itself, the protected code is incapable of harming games.

The Position

The service is almost in a working state, and I’d like to have some developers break in the service before I release access to the public. As an alpha tester, you’d either develop or port your existing private module over to the protected cloud / public game module structure described above. If you encounter any problems (cloud to server latency is too high, unresponsiveness, questions about the service or best practices, or lacking features) then you will have direct access to me.

The Compensation

This service will allow you to continue to make income after private module support is dropped in February. You will not be charged for the server resources you use or for code reviews until the service is released to the public. The cost of these after release is not yet known. It will depend on the data obtained during the testing period.

If you have any additional questions about the service, please don’t hesitate to ask here. For applications, contact me on the Discord server. Thank you!

Edit: I’ve made a Discord server since those without access to the dev forum have reached out letting me know that they are interested. Here is the link: https://discord.gg/78aB2tx


#2

Wouldn’t this be impractical for larger modules, e.g. administration scripts?
Other than that I’d say this is a pretty good alternative.


#3

How do you plan to get all the necessary resources for your server? Because I imagine that it won’t come cheap at all if you need to handle thousands of requests simultaneously, like a popular administrative commands model alone might need, for instance.


#4

You know, to be honest, I think you have a great idea to help out developers who don’t know how to do something like this; however, is it just me or does this leave some security issues? Especially giving someone else your code on someone else’s servers, with them having access to do whatever they want with the code. With the possibility, if someone finds out how to get through your security measures, to do all sorts of things. Of course, I believe for a lot of people the risks wouldn’t overshadow the benefits, since most people don’t have huge projects with huge userbases.


#5

The service is built on the Amazon ECS cloud. This is a professional cloud-based solution that, in addition to changing from half a CPU to 8 in seconds, allows efficient load balancing between server instances. They also offer solutions with massive amounts of RAM. I’ve also built my own web server in C to get the absolute minimum possible latency with maximum bandwidth. Amazon offers low rates for the resources they provide, and protected module users will be asked to compensate for the resources they use, allowing the service to efficiently scale to match demand. My compensation will come from the time I spend reviewing code.

Yes, it does, and I am aware. In order for this to work, module developers must trust me with their code and game developers must trust me that the code is safe. While I don’t yet have the proven track record to show you, I do have some information that will suggest my competence.

  1. I will graduate this semester with my Bachelors in Computer Science
  2. Roblox looked at my background and hired me as an Intern in the spring of 2018
  3. The first web page I worked on was the Login page, and didn’t move onto another page until I had my SSL domain certificate, enabled HTTPS, and installed reCaptcha v2 verification. You will see all of these features on the website from day 0.
  4. You can see my competence in my replies on this forum (I spend a lot of time in the scripting helper’s subcategory).

In addition, hearing about some of the security features may put you at ease. Lua is a great sandbox. Lua code is run on a register-based virtual machine, making accessing the underlying program very, very difficult. Having only enabled the math, string, and table libraries, they would need to exploit a function I provide. The only function I am providing sets the callback that is run when the game sends information to the protected code. As for the security of the website, I could probably teach a class on it. From SQL injections, XSS, and MITM to bots, I got it. I have also custom compiled OpenSSL to only have support for TLS 1.0 or newer protocols. Rest assured that attacks common to other web servers will not work on mine because I’ve built my own web server and I only made the features I intend to use. There are no hidden URLs for developers or obsolete and forgotten features.

If all of that fails, you will be able to legally sue me for redress because I would have broken your intellectual property rights. Scary prospect for me, so I’ll do my job and do it well!


#6

I can’t access RbxMod.com, is it down or?


#7

Yes, I only bring it up while developing. I can bring it up in a few. The registration page isn’t done yet, so you won’t be able to see more than the login page. In addition, it can only be accessed through HTTPS. The redirect from HTTP to HTTPS isn’t done yet. This is the proper URL: https://RbxMod.com. Working on bringing it up now.


#8

Same, I can’t go to the site for some reason. :anguished:


#9

A few things:

If RbxMod goes down, I’d assume the code running from RbxMod would also go down. Seeing that it’s being created with the Amazon ECS Cloud, would the code snapshot to the last state it was executed on, or would the entire code break if the game server has already started?

Another question: In the event that someone creates code with malicious intent, heavily obfuscated, how would you prevent people with harmful code uploaded to your service?

Other than that, this service does seem promising, especially with your reliable background experience.


#10

Okay, https://rbxmod.com is up. I tested it on a couple devices and browsers, but this will be the first time it’ll see some traffic! I’m excited!

Yes, that is the current setup. I may move the web server to a different instance once I release. It’ll help me keep track of costs in addition to providing protection. No, there is no RAM backup. I’ll consider what to do in those cases more, but they should be rare.

I will be reviewing the code. If it is obfuscated or I can’t understand it, then I will shamelessly deny it. In addition, harmful code running on my service will simply rack up resource costs for them. The public code, in addition to my review, will be seen by the game developers. I discussed other options here:

btw, I see that someone is attacking my server right now. Quit that, I see you xD


#11

I logged in, and why is it showing my pass? :face_with_raised_eyebrow:


#12

The login page isn’t connected to the backend. That is just a debug Lua script. People wanted to see the website, so there it is right now. It won’t be complete and I won’t need the testers for another week or two. Your password was securely transmitted and encrypted while in flight using AES 256-bit encryption with elliptic curve Diffie–Hellman key exchange. It was secure.

I’m seeing lots of errors. This may be a result of the attack someone is trying to run; otherwise, if you are unable to access the login page, let me know in a DM. The only known error is when refreshing after staying on the page for a while. I think it has something to do with HTTP caching.


#13

Ok thanks for the reply just wanted more information on that.


#14

Glad you’re doing something like this you have no idea how many communities can be saved by this. My question is how much do you plan on making the “average” price?


#15

I’m on my phone now, btw. It is very hard for me to tell in advance, as a lot of factors will go into it. The data from the alpha test will help me determine the price. I think $0.10 USD per CPU hour may give you a good idea of what you’re looking at. That hour is only process-specific time, not including when your script isn’t running, nor even when the process running your script is swapped out. If your script only runs for 0.1 seconds handling admin commands, you can run about 36,000 commands for $0.10 USD. I hope that preliminary information helps.

As for code reviews, I’ll quickly review scripts submitted and give an estimate based on how long it will take me and the current workload. If you accept, payment will be due and I will review the code. In most cases I’ll approve it. If there is questionable activity, then I will ask for it to be revised and we’ll begin the process over (although it shouldn’t take me as long to review code I’m familiar with, so the estimate will be lower).


#16

I see. The pricing sounds fair to me. I haven’t understood how this works 100% but does this mean that UIs and other stuff that would be inside the module normally would be available to the public?

Note that I haven’t tried your service yet.


#17

Yes. The upload page of my website will ask for a link to the public model acting as a frontend for your protected module, and a .lua file for the source of your protected module. The game using your protected module will use my loader script and enter your protected module ID. At runtime my loader will insert your public model and require the main module. Your public module will basically use an object like a RemoteFunction to communicate with your protected code, similarly to how LocalScripts and Scripts communicate. Your public model can contain a GUI, or your public module can automatically generate a GUI.

There is a way to protect all asset types, not just scripts, from being stolen, but it would require lots more work to set up. Perhaps in the future. It involves making a game that neither the game owner nor the asset developer has access to, so neither can steal the other’s assets.

(This isn’t different from current private modules. Any instances created can always be seen by the server, and so have never been truly private.)


#18

Hey, it’s a great concept and all… but I don’t think developers are willing to trust a complete stranger with their code.


#19

Great idea; however, imagine you get 1000 requests / min. Yes, you might have a good server, but every single piece of code on the server must be non-blocking and not synchronous.

Providing a service like this is great, but it’s voluntary work. You have no commitments to actually deliver the service anymore and can stop at any time, I’m not saying you will stop, but that you actually can.

reCAPTCHA <= v2 is nothing; there is a reason Roblox changed to FunCaptcha (mainly to prevent fraud and carding). Yes, reCAPTCHA by Google is an amazing free service. You are covered by a service that might be good enough. There are many ways to bypass a captcha, and one way is really good but nobody knows of it (rumours say it does not bruteforce), emulating a browser, getting people to do them for you (found on many sites where you have to pay for people to solve them, and they require you to complete a captcha before you can log in, ironically).

The point is that your service can get botted, and all the bots will make you save their code. Eventually you will pay for more storage, get rid of the bots and implement a manual verification process, or give up.
There might be other options, though.

I am not trying to make you discouraged at all, I am just stating the amount of work it is to do this. It is great that you do it, but it comes with a lot of work. Just be prepared :wink:


#20

So far this service seems promising, as you do seem to know what you’re doing. It makes sense that people are skeptical, given the nature of this kind of service.


This is from HTTPS, right?

I’m more concerned about what you’ll do with passwords. I can totally understand how the current output is just debug and you aren’t saving the passwords just yet.

When you do start saving the passwords, will you be doing it securely? That is…

  • Hashed passwords, with a strong, slow hashing algorithm. A suggestion I found online is PBKDF2 with HMAC-SHA-256.
  • User-individual salts, to prevent hackers from seeing when two passwords are the same if your database is leaked.
  • Nearly unlimited password length; something like 1000 characters. You’re storing fixed-size hashes, so this only matters so that you don’t have to do long, slow hashing on thousands-of-character passwords.

If you can assure us that you’ll be following modern password storage practices, this will ease our minds when it comes to some of the security aspects of this service. There are libraries to handle these things, so you really just have to plug in the password, salt, and iterations then store the resulting hash.


Not everyone will trust you to maintain this service. It would be awesome if you made the service open-source with a permissive license so that independent developers can run their own server that they can absolutely trust.

This doesn’t bar you from making money from this service: most developers will not run their own server, and probably don’t know how. It’s easier to pay you than it is to run their own server and pay for it. The ones that can run their own server don’t need your code to do it, your code just makes it easier.

Additionally, keeping the service open-source allows others to find and patch security flaws, and allows others to do security reviews on the server code.

Making the service open-source will go a long way towards building trust with the community.