I personally do not think you should be allowing storage of sensitive information if you cannot properly secure this.
I am not against making the bot, I am against the lack of security of this bot.
You have a responsibility when you put this bot up for public use and this bot needs a lot more work…
Although the main purpose of this bot is to add back everything that RoVerify used to have, I’d still advise against having the group management features unless you somehow manage to obtain OBC on multiple bots on Roblox and privately manage their cookies in a way that lets you operate the bot without having to ask for sensitive information from the user.
Always go on the assumption that nothing will ever be safe, because it really never will be. There are only so many defenses you can put up, but attackers will always find a loophole to breach them. If you are going to be storing sensitive information such as Roblox information, you will have to be wary of the responsibility that you are taking on yourself.
RoVerify was supposedly safe for users to use, but the data breach on that supposedly safe system shut the entire bot down. By allowing yourself to store sensitive cookie information, you sign yourself a contract that this can turn against you at any time and that everyone’s information stored on the system can be used within 24 hours for full havoc. Once a leak happens, there is no telling what disaster can come out of it.
Whether you heed my advice or not is not my concern. If you do continue, I wish you the best of luck, knowing that you (hopefully) read these words and took them into consideration.
It is extremely irresponsible to host a service which requires people to enter sensitive info if you don’t know how to, or are not capable of, handling and securing that information.
Dismissing proper security due to not having “much Luck” shows that you don’t prioritize security. Coming up with schemes such as “Hashtag API” (which is as secure as using a pencil and crossing something out a few times vs shredding a document) to convince yourself and others that it is secure is just another security incident waiting to happen.
All this “service” is going to do is harm the most vulnerable individuals in the community: the newbies. Those who are experienced enough and are running large-asset groups either recognize the major security implications and flaws of this or have the ability to create their own properly secured service. Those who are most at risk, because their lack of experience leaves them without the security precognition, are put at further risk by trusting this service.
I don’t know if you are just ignorant of the implications caused by not having proper security, or if you completely understand what can go wrong and just don’t care. I don’t know which is worse. Regardless, I recommend you do the responsible thing and remove any sensitive information of any users until you properly secure your service (and ideally have an experienced individual help you and verify it is secured) before going public.
- Option 1: Use an OBC Account and an automated joining system.
- Option 2: Encrypt the data (which is the original plan) and let you guys self host the Roblox account.
0 voters
I have read both of the above comments about the security. I might have found a way to encrypt it, but it will add up to 10 seconds of delay to the setup time. So I’m going to add a poll and let you decide which should be done.
What is your encryption strategy?
I currently do not feel like your method of data saving is trustworthy at all, even if you did manage to encrypt it. This is mostly because I do not trust anyone who is not 1) reputable and 2) knowledgeable in security & encryption to store my secure and sensitive information, and also because you still seem unsure if you know exactly what you’re doing.
I encourage you to stop and research encryption fully, and figure out the best method of both encrypting data and storing it securely, so that you are not a RoVerify V2.
Hey jorito, thanks for the comment. I will continue to look into encryption, how it works and how it can be used.
Add a feature that gives devforum members a role (Server Owner preferring the role) just like RoVer
[UPDATE] Bot is now being FULLY recoded from scratch (not the program Scratch). New features can be seen on the Trello:
Trello (will enable comments on the suggestions).
Sounds amazing!
All the features that it provides are very useful in discord groups.
I really like it, probably better than RoVerify!
That’s if it actually gets finished. (With my family company starting back up, and other stuff happening, I hope to get this finished by the 25th.)
[UPDATE] We have 2 choices: release RoLink as a verification bot until I sort out encryption (so you lot can still use it), or recode it all. Pick one:
- 1: Release as a verification bot (until I get the security stuff sorted out).
- 2: Wait for the V2 release.
0 voters
You still seem extremely unsure how to proceed. You need to get a handle on this, otherwise nothing will come of it. Learn how to properly and securely encrypt sensitive data, and then act on it. You have run into this situation 3 times already on this thread, I believe: ‘ok idk if i can do that so maybe this?’.
I would suggest hashing over encrypting as anything encrypted can be decrypted using the proper key while hashing is one way and can’t be “unhashed”. I may be wrong so apologies in advance if I am.
Hashing can and will be unhashed. However, developers can “salt” their hashing algorithm with a custom salting pattern to make it nearly impossible to dehash without the salting pattern. You got close though!
There is a difference between knowing what to use and knowing how to use it. OP seems, as @LordMerc said, unsure how to do this. Even with a proper encryption library / function, you can still mess it all up. If you don’t know how to properly utilize encryption, you might as well store it in plain text (jk, don’t).
Here’s a post I found in 5 seconds (didn’t read all of it, but after quickly checking it, I think it shows my point): 6 encryption mistakes that lead to data breaches | Crypteron
Tl;Dr: You’re doing it wrong!
Be able to have group shouts copied into Discord.
Like a Shout command, or a shout notifier like “[USERNAME] has shouted [TEXT]”?
[UPDATE] Bot is now registered as a verification bot until V2 is done!!!
All bugs are fixed (code side). If there are any, feel free to hit me up on here or Discord!!
(Making a manual on how to set it up now.)
(Still taking command suggestions.)
10 long days later. Encryption is finally coming along.
- Fixed the DB errors; it turned out the DB was not returning data.
- Added advanced error logging to quickly fix errors!
- If you need support you can now run `support` and a support agent will try to get to you. (The support staff will join your server with an invite provided via the bot.)
Bot is now fully working. Enjoy the bots!