The service is built on the Amazon ECS cloud. This is a professional cloud-based solution that, in addition to changing from half a CPU to 8 in seconds, allows efficient load balancing between server instances. They also offer solutions with massive amounts of RAM. I’ve also built my own web server in C to get the absolute minimum possible latency with maximum bandwidth. Amazon offers low rates for the resources they provide, and protected module users will be asked to compensate for the resources they use, allowing the service to efficiently scale to match demand. My compensation will come from the time I spend reviewing code.
Yes, it does, and I am aware. In order for this to work, module developers must trust me with their code and game developers must trust me that the code is safe. While I don’t yet have the proven track record to show you, I do have some information that will suggest my competence.
I will graduate this semester with my Bachelor’s in Computer Science
Roblox looked at my background and hired me as an Intern in the spring of 2018
The first web page I worked on was the Login page, and I didn’t move on to another page until I had my SSL domain certificate, enabled HTTPS, and installed reCaptcha v2 verification. You will see all of these features on the website from day 0.
You can see my competence in my replies on this forum (I spend a lot of time in the scripting helper’s subcategory).
In addition, hearing about some of the security features may put you at ease. Lua is a great sandbox. Lua code is run on a register-based virtual machine, making accessing the underlying program very, very difficult. Having only enabled the math, string, and table libraries, they would need to exploit a function I provide. The only function I am providing sets the callback that is run when the game sends information to the protected code. As for the security of the website, I could probably teach a class on it. From SQL injections, XSS, and MITM to bots, I got it. I have also custom compiled OpenSSL to only have support for TLS 1.0 or newer protocols. Rest assured that attacks common to other web servers will not work on mine because I’ve built my own web server and I only made the features I intend to use. There are no hidden URLs for developers or obsolete and forgotten features.
If all of that fails, you will be able to legally sue me for redress because I would have broken your intellectual property rights. Scary prospect for me, so I’ll do my job and do it well!
Yes, I only bring it up while developing. I can bring it up in a few. The registration page isn’t done yet, so you won’t be able to see more than the login page. In addition, it can only be accessed through HTTPS. The redirect from HTTP to HTTPS isn’t done yet. This is the proper URL: https://RbxMod.com. Working on bringing it up now.
If RbxMod goes down, I’d assume the code running from RbxMod would also go down. Seeing that it’s being created with the Amazon ECS Cloud, would the code snapshot to the last state it was executed on, or would the entire code break if the game server has already started?
Another question: In the event that someone creates code with malicious intent, heavily obfuscated, how would you prevent people with harmful code uploaded to your service?
Other than that, this service does seem promising, especially with your reliable background experience.
Okay, https://rbxmod.com is up. I tested it on a couple devices and browsers, but this will be the first time it’ll see some traffic! I’m excited!
Yes, that is the current setup. I may move the web server to a different instance once I release. It’ll help me keep track of costs in addition to providing protection. No, there is no RAM backup. I’ll consider what to do in those cases more, but they should be rare.
I will be reviewing the code. If it is obfuscated or I can’t understand it then I will shamelessly deny it. In addition, harmful code running on my service will simply rack up resource costs for them. The public code in addition to my review will be seen by the game developers. I discussed other options here:
btw, I see that someone is attacking my server right now. Quit that, I see you xD
The login page isn’t connected to the backend. That is just a debug Lua script. People wanted to see the website, so there it is right now. It won’t be complete and I won’t need the testers for another week or two. Your password was securely transmitted and encrypted while in flight using AES 256 bit encryption with elliptic curve Diffie–Hellman key exchange. It was secure.
I’m seeing lots of errors. This may be as a result of the attack someone is trying to run; otherwise, if you are unable to access the login page, let me know in a DM. The only known error is when refreshing after staying on the page for a while. I think it has something to do with HTTP caching.
Glad you’re doing something like this. You have no idea how many communities can be saved by this. My question is how much do you plan on making the “average” price?
I’m on my phone now btw. It is very hard for me to tell in advance as a lot of factors will go into it. The data from the alpha test will help me determine the price. I think $0.10 USD per CPU hour may give you a good idea of what you’re looking at. That hour only is process specific time, not including when your script isn’t running nor even when the process running your script is swapped out. If your script only runs for 0.1 seconds handling admin commands, you can run about 36,000 commands for $0.10 USD. I hope that preliminary information helps.
As for code reviews, I’ll quickly review scripts submitted and give an estimate based on how long it will take me and the current work load. If you accept, payment will be due and I will review the code. In most cases I’ll approve it. If there is questionable activity then I will ask for it to be revised and we’ll begin the process over (although it shouldn’t take me as long to review code I’m familiar with, so the estimate will be lower).
I see. The pricing sounds fair to me. I haven’t understood how this works 100% but does this mean that UIs and other stuff that would be inside the module normally would be available to the public?
Yes. The upload page of my website will ask for a link to the public model acting as a frontend for your protected module, and a .lua file for the source of your protected module. The game using your protected module will use my loader script and enter your protected module ID. At runtime my loader will insert your public model, and require the main module. Your public module will basically use an object like a RemoteFunction to communicate with your protected code, similarly to how localscripts and scripts communicate. Your public model can contain a GUI, or your public module can automatically generate a GUI.
There is a way to protect all asset types, not just scripts, from being stolen but it would require lots more work to setup. Perhaps in the future. It involves making a game that neither the game owner or asset developer have access to, so neither can steal each other’s assets.
(This isn’t different from current private modules. Any instances created can always be seen by the server, and so have never been truly private.)
Great idea, however, imagine you get 1000 requests / min. Yes you might have a good server, but every single code on the server must be non-blocking and not being synchronous.
Providing a service like this is great, but it’s voluntary work. You have no commitments to actually deliver the service anymore and can stop at any time, I’m not saying you will stop, but that you actually can.
reCaptcha <= v2 is nothing, there is a reason Roblox changed to fun captcha (mainly to prevent fraud and carding). Yes, recaptcha by google is an amazing free service. You are covered by a service that might be good enough. There are many ways to bypass a captcha, and one way is really good but nobody knows of it (rumours say it does not bruteforce), emulating a browser, getting people to do them for you (found on many sites where you have to pay for people to solve them, and they require you to complete a captcha before you can log in, ironically.)
The point is that your service can get botted, and all the bots will make you save their code. Eventually you will pay for more storage, get rid of the bots and implement a manual verification process, or give up.
There might be other options, though.
I am not trying to make you discouraged at all, I am just stating the amount of work it is to do this. It is great that you do it, but it comes with a lot of work. Just be prepared.
So far this service seems promising, as you do seem to know what you’re doing. It makes sense that people are skeptical, given the nature of this kind of service.
This is from HTTPS, right?
I’m more concerned about what you’ll do with passwords. I can totally understand how the current output is just debug and you aren’t saving the passwords just yet.
When you do start saving the passwords, will you be doing it securely? That is…
Hashed passwords, with a strong, slow hashing algorithm. A suggestion I found online is PBKDF2 with HMAC-SHA-256.
User-individual salts, to prevent hackers from seeing when two passwords are the same if your database is leaked.
Nearly unlimited password length; something like 1000 characters. You’re storing fixed-size hashes, so this only matters so that you don’t have to do long, slow hashing on thousands-of-character passwords.
If you can assure us that you’ll be following modern password storage practices, this will ease our minds when it comes to some of the security aspects of this service. There are libraries to handle these things, so you really just have to plug in the password, salt, and iterations then store the resulting hash.
Not everyone will trust you to maintain this service. It would be awesome if you made the service open-source with a permissive license so that independent developers can run their own server that they can absolutely trust.
This doesn’t bar you from making money from this service: most developers will not run their own server, and probably don’t know how. It’s easier to pay you than it is to run their own server and pay for it. The ones that can run their own server don’t need your code to do it, your code just makes it easier.
Additionally, keeping the service open-source allows others to find and patch security flaws, and allows others to do security reviews on the server code.
Making the service open-source will go a long way towards building trust with the community.
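The password storage practices listed in the post above (PBKDF2 with HMAC-SHA-256, a per-user salt, and a length cap of about 1000 characters) look like this in code. This is an added example, not code from the thread or from RbxMod; the iteration count, salt size, record format and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (only the length cap comes from the post).
ITERATIONS = 600_000        # PBKDF2-HMAC-SHA-256 work factor
SALT_BYTES = 16             # random salt generated per user
MAX_PASSWORD_CHARS = 1000   # bounds the cost of hashing attacker-supplied input
SCHEME = "pbkdf2_sha256"


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    if not password or len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password length out of range")
    salt = secrets.token_bytes(SALT_BYTES)  # unique salt hides equal passwords
    digest = _derive(password, salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    if len(password) > MAX_PASSWORD_CHARS:
        return False
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = _derive(password, bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses a weaker work factor than the current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```

Storing the iteration count in the record lets the work factor be raised later: after a successful login, `needs_rehash` tells the server to re-hash the password it was just given.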
I appreciate your willingness to help the community out with things like this. I for one was very disappointed to find out they were removing modules, because I had created a complex module system to deal with blacklisting and other things, and only 5 days later did they make that announcement haha. However, I believe it was the right call as the backdoor module problem has really grown quickly and almost every front page plugin was a backdoor. Additionally, I think it is crazy to be able to modify a module and have it replicate to every game without the game owner even knowing. I may try this service out to see how it is, but currently I just rely on obfuscation or people being good samaritans and not leaking my code. I’ll let you know in the future if I am interested!
The web server immediately creates a new thread for every HTTPS connection. When requests are for a protected module, that module runs in a new process. The Debian Linux OS handles scheduling them and swapping them out when needed. If server resources become too strained, a new instance can be spun up with an ECS application load balancer to sort based on the HTTP URI.
An interesting point. If I ever do decide that I’d like to move on, I’d be sure to hire someone capable. I don’t see myself moving on though because it is voluntary work with compensation.
If it becomes a problem, I’ll look into it some more. It is on the login page mainly to prevent people from running password scans. For registration, you will be required to post a link on your Roblox profile. That means that at the minimum, my service’s bot prevention is as strong as Roblox’s.
Thank you.
Yes. The public key algorithm was RSA as well. That is, 256 bit AES with ECDHE and RSA is the only OpenSSL option my server has enabled.
Yeah. I remember when Blizzard Entertainment had their breach and user information was leaked. Luckily, they hashed everyone’s password.
I’ll have to think on this some more. An excellent thought.
What I said about you having no commitments to actually deliver or continue might have come off wrong.
I meant like if you don’t want to continue delivering the service, you don’t really have to. It was just a heads up for other people, so they were aware.
I hope you do, though, because everything else (AFAIK) seems good enough.