ANN: Nomyx 0.1 beta, the game where you can change the rules

newer
building darcs failed (Unable to...

Corentin Dupont

26 Feb 2013 26 Feb '13

6:28 p.m.

Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules. This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell. At the beginning, the initial rules are describing: - how to add new rules and change existing ones. For example a unanimity vote is necessary to have a new rule accepted. - how to win the game. For example you win the game if you have 5 rules accepted. But of course even that can be changed! Here is a video introduction and first tutorial of the game: http://vimeo.com/58265498 The game is running here: www.nomyx.net:8000/Nomyx I have set up a forum where players can learn about Nomyx and discuss the rules they intend to propose: www.nomyx.net/forum As this is the first beta release of the game, I'm looking for beta testers :) Although I tested it quite a lot, I'm sure a lot of bugs remains, especially in multiplayer. So if you are interested in testing Nomyx, please go to this forum thread and we'll set up a small team to start a match! http://www.nomyx.net/forum/viewtopic.php?p=5 Comments/contributions are very highly welcome! There is still a lot to do. As for now, the game is not completely securised. It is easy to break it by submitting rules containing malicious code. I'm working on it. If you'd like to do security testing, please do it locally on your own machine and send me a bug report :). Cheers, Corentin [1] http://hackage.haskell.org/package/Nomyx [2] www.nomic.net

Attachments:

attachment.html (text/html — 2.2 KB)

Show replies by date

Ben Lippmeier

26 Feb 26 Feb

7:07 p.m.

On 27/02/2013, at 10:28 , Corentin Dupont wrote:

...

Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules.

Don't forget 1KBWC: http://www.corngolem.com/1kbwc/ Ben.

Tom Murphy

27 Feb 27 Feb

3:48 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

There's another one... http://3.bp.blogspot.com/-0-NT1rzFpik/Tpe4sb18gOI/AAAAAAAAAuM/j2BHO_TgLi4/s1... Tom On Tue, Feb 26, 2013 at 7:07 PM, Ben Lippmeier wrote:

...

On 27/02/2013, at 10:28 , Corentin Dupont wrote:

...
Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules.

Don't forget 1KBWC: http://www.corngolem.com/1kbwc/

Ben.

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Corentin Dupont

8:20 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

I think it would be harder to implement a computer version of 1KBWC and Calvin ball!! Have to think of it ;) On Wed, Feb 27, 2013 at 9:48 AM, Tom Murphy wrote:

...

There's another one...

http://3.bp.blogspot.com/-0-NT1rzFpik/Tpe4sb18gOI/AAAAAAAAAuM/j2BHO_TgLi4/s1...

Tom

On Tue, Feb 26, 2013 at 7:07 PM, Ben Lippmeier wrote:

...
On 27/02/2013, at 10:28 , Corentin Dupont

wrote:

...
...
Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only

game where You can change the rules.

...
Don't forget 1KBWC: http://www.corngolem.com/1kbwc/

Ben.

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Alexander Solla

26 Feb 26 Feb

8:17 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

On Tue, Feb 26, 2013 at 3:28 PM, Corentin Dupont wrote:

...

Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules. This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell.

That's very nice. I've been following your progress on the list. Congratulations! Did you learn as much about Haskell as you hoped?

Corentin Dupont

27 Feb 27 Feb

8:36 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

Thank you very much, that's very nice! That was a great journey, I started Nomyx 2-3 years ago as a personal project and learned Haskell on the way. I went through many refactorings as my comprehension of Haskell and Nomic progressed. Out of the top of my head, the points that gave me some headaches were: - how to split the program into modules properly without dependency cycles - Happstack big type signatures - having the right structures to pass data in a StateT - using existential types and type families for variables and events - ACID state, this is really not practical during development Cheers, Corentin On Wed, Feb 27, 2013 at 2:17 AM, Alexander Solla wrote:

...

On Tue, Feb 26, 2013 at 3:28 PM, Corentin Dupont < corentin.dupont@gmail.com> wrote:

...
Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules. This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell.

That's very nice. I've been following your progress on the list. Congratulations!

Did you learn as much about Haskell as you hoped?

Chris Wong

26 Feb 26 Feb

11:02 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

...

Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules.

I just gave it a go -- it looks fun :) However, I've spotted a security hole. The current user number is stored in the URL -- if I change that number, I can masquerade as someone else! Is this behavior intended?

...

This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell. At the beginning, the initial rules are describing: - how to add new rules and change existing ones. For example a unanimity vote is necessary to have a new rule accepted. - how to win the game. For example you win the game if you have 5 rules accepted. But of course even that can be changed!

Here is a video introduction and first tutorial of the game: http://vimeo.com/58265498 The game is running here: www.nomyx.net:8000/Nomyx I have set up a forum where players can learn about Nomyx and discuss the rules they intend to propose: www.nomyx.net/forum

As this is the first beta release of the game, I'm looking for beta testers :) Although I tested it quite a lot, I'm sure a lot of bugs remains, especially in multiplayer. So if you are interested in testing Nomyx, please go to this forum thread and we'll set up a small team to start a match! http://www.nomyx.net/forum/viewtopic.php?p=5

Comments/contributions are very highly welcome! There is still a lot to do. As for now, the game is not completely securised. It is easy to break it by submitting rules containing malicious code. I'm working on it. If you'd like to do security testing, please do it locally on your own machine and send me a bug report :).

Cheers, Corentin

[1] http://hackage.haskell.org/package/Nomyx [2] www.nomic.net

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Corentin Dupont

27 Feb 27 Feb

8:37 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

Hi Chris, Thanks! That's true for the user number. What should I do? Encrypt it? On Wed, Feb 27, 2013 at 5:02 AM, Chris Wong

...

wrote:

...

...
Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules.

I just gave it a go -- it looks fun :)

However, I've spotted a security hole. The current user number is stored in the URL -- if I change that number, I can masquerade as someone else! Is this behavior intended?

...
This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell. At the beginning, the initial rules are describing: - how to add new rules and change existing ones. For example a unanimity vote is necessary to have a new rule accepted. - how to win the game. For example you win the game if you have 5 rules accepted. But of course even that can be changed!

Here is a video introduction and first tutorial of the game: http://vimeo.com/58265498 The game is running here: www.nomyx.net:8000/Nomyx I have set up a forum where players can learn about Nomyx and discuss the rules they intend to propose: www.nomyx.net/forum

As this is the first beta release of the game, I'm looking for beta testers :) Although I tested it quite a lot, I'm sure a lot of bugs remains, especially in multiplayer. So if you are interested in testing Nomyx, please go to this forum thread and we'll set up a small team to start a match! http://www.nomyx.net/forum/viewtopic.php?p=5

Comments/contributions are very highly welcome! There is still a lot to do. As for now, the game is not completely securised. It is easy to break it by submitting rules containing malicious code. I'm working on it. If you'd like to do security testing, please do it locally on your own machine and send me a bug report :).

Cheers, Corentin

[1] http://hackage.haskell.org/package/Nomyx [2] www.nomic.net

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Mats Rauhala

9:16 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user. -- Mats Rauhala MasseR

Corentin Dupont

9:30 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

Yes, having a cookie to keep track of the session if something I plan to do. On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...

The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Erik Hesselink

9:52 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient. Erik On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...

Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Corentin Dupont

2:08 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table? On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:

...

Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.

Erik

On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...
Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Clark Gaebel

2:18 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

You could just hash it. - Clark On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont wrote:

...

So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?

On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:

...
Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.

Erik

On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...
Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Corentin Dupont

2:20 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

hash is reversible or not? On Wed, Feb 27, 2013 at 8:18 PM, Clark Gaebel wrote:

...

You could just hash it.

- Clark

On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont < corentin.dupont@gmail.com> wrote:

...
So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?

On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:

...
Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.

Erik

On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...
Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

David Thomas

2:31 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

hash(id:secret) should not be reversible, if you use a cryptographic hash. hash(id) can be brute-forced, on something with so small a range. On Wed, Feb 27, 2013 at 11:20 AM, Corentin Dupont

...

wrote:

...

hash is reversible or not?

On Wed, Feb 27, 2013 at 8:18 PM, Clark Gaebel wrote:

...
You could just hash it.

- Clark

On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont < corentin.dupont@gmail.com> wrote:

...
So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?

On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:

...
Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.

Erik

On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...
Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala
wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for

verifying

...
the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Ozgun Ataman

4:30 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

I would encourage you to take a look at the snap (the web framework) package, where this concern is handled for you as part of the "session" snaplet. The Snap.Snaplet.Sessionhttp://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple... module and the Snap.Snaplet.Session.Backends.CookieSessionhttp://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple... ensure that contents of the cookie-persistent sessions are encrypted and so you can place anything from user ids to other secret information there, although I would certainly keep it to a minimum for size concerns. Here it is: http://hackage.haskell.org/package/snap Hope this helps, Oz On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont wrote:

...

So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?

On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:

...
Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.

Erik

On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...
Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Corentin Dupont

4:43 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

Thanks Ozgun, but I'm using Happstack: this will be compatible? On Wed, Feb 27, 2013 at 10:30 PM, Ozgun Ataman wrote:

...

I would encourage you to take a look at the snap (the web framework) package, where this concern is handled for you as part of the "session" snaplet.

The Snap.Snaplet.Sessionhttp://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple... module and the Snap.Snaplet.Session.Backends.CookieSessionhttp://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple... ensure that contents of the cookie-persistent sessions are encrypted and so you can place anything from user ids to other secret information there, although I would certainly keep it to a minimum for size concerns.

Here it is: http://hackage.haskell.org/package/snap

Hope this helps, Oz

On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont < corentin.dupont@gmail.com> wrote:

...
So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?

On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:

...
Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.

Erik

On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...
Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

Ozgun Ataman

4:55 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

You probably can't use it directly but it should at least show you how we did it. In particular, the Snap.Snaplet.Session.SecureCookie module (internal, I think, so look at source) may be of interest to you as it implements the self-contained idea of encrypted cookies. - Oz On Wednesday, February 27, 2013 at 4:43 PM, Corentin Dupont wrote:

...

Thanks Ozgun, but I'm using Happstack: this will be compatible?

On Wed, Feb 27, 2013 at 10:30 PM, Ozgun Ataman wrote:

...
I would encourage you to take a look at the snap (the web framework) package, where this concern is handled for you as part of the "session" snaplet.

The Snap.Snaplet.Session (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple...) module and the Snap.Snaplet.Session.Backends.CookieSession (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple...) ensure that contents of the cookie-persistent sessions are encrypted and so you can place anything from user ids to other secret information there, although I would certainly keep it to a minimum for size concerns.

Here it is: http://hackage.haskell.org/package/snap

Hope this helps, Oz

On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont wrote:

...
So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?

On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:

...
Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.

Erik

On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:

...
Yes, having a cookie to keep track of the session if something I plan to do.

On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:

...
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.

-- Mats Rauhala MasseR

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org (mailto:Haskell-Cafe@haskell.org) http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org (mailto:Haskell-Cafe@haskell.org) http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org (mailto:Haskell-Cafe@haskell.org) http://www.haskell.org/mailman/listinfo/haskell-cafe

Brandon Allbery

7:26 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont wrote:

...

Hi Chris, Thanks! That's true for the user number. What should I do? Encrypt it?

It's not that you have a user number, or even that it's accessible: it's that it's the entirety of access control, meaning that if the user changes it they can masquerade as another user. The correct solution is that a user should authenticate, which creates a session hash that you stash away and also send back to the user as a cookie so the browser will present it on accesses. Then you check that the presented hash is there and matches the session hash. These should expire periodically, requiring the user to log back in again. -- brandon s allbery kf8nh sine nomine associates allbery.b@gmail.com ballbery@sinenomine.net unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net

Chris Wong

28 Feb 28 Feb

11:17 p.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

On Thu, Feb 28, 2013 at 1:26 PM, Brandon Allbery wrote:

...

On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont wrote:

...
Hi Chris, Thanks! That's true for the user number. What should I do? Encrypt it?

It's not that you have a user number, or even that it's accessible: it's that it's the entirety of access control, meaning that if the user changes it they can masquerade as another user. The correct solution is that a user should authenticate, which creates a session hash that you stash away and also send back to the user as a cookie so the browser will present it on accesses. Then you check that the presented hash is there and matches the session hash. These should expire periodically, requiring the user to log back in again.

Brandon pretty much pulled the words out of my mouth, but I have one last thing to add: no matter how well you encrypt the information, as long as it's in the URL it's insecure. Hypothetical situation #1: if there's someone looking over your shoulder, they can just note down the address -- it is in plain view, after all. Even more likely: your friend wants to watch the game, so you send her the link. Unfortunately, you forget to delete your session information from the URL. Now your friend (conveniently named Eve) has hijacked your account and is voting on your behalf. The Ruby on Rails website has an excellent explanation of common security holes [1]. The article is Rails-centric, but most of it applies to Haskell as well. [1] http://guides.rubyonrails.org/security.html As for libraries, Happstack has happstack-authenticate [2]. I haven't used it myself, but it looks good. [2] http://hackage.haskell.org/package/happstack-authenticate Chris

...

-- brandon s allbery kf8nh sine nomine associates allbery.b@gmail.com ballbery@sinenomine.net unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net

Corentin Dupont

1 Mar 1 Mar

5:20 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

happstack-authenticate looks impressive, they seem to support for Google , Yahoo, Live Journal, Myspace, and OpenId logins! I'll try it. On Fri, Mar 1, 2013 at 5:17 AM, Chris Wong wrote:

...

On Thu, Feb 28, 2013 at 1:26 PM, Brandon Allbery wrote:

...
On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont < corentin.dupont@gmail.com> wrote:

...
Hi Chris, Thanks! That's true for the user number. What should I do? Encrypt it?

It's not that you have a user number, or even that it's accessible: it's that it's the entirety of access control, meaning that if the user changes it they can masquerade as another user. The correct solution is that a user should authenticate, which creates a session hash that you stash away and also send back to the user as a cookie so the browser will present it on accesses. Then you check that the presented hash is there and matches the session hash. These should expire periodically, requiring the user to log back in again.

Brandon pretty much pulled the words out of my mouth, but I have one last thing to add: no matter how well you encrypt the information, as long as it's in the URL it's insecure.

Hypothetical situation #1: if there's someone looking over your shoulder, they can just note down the address -- it is in plain view, after all.

Even more likely: your friend wants to watch the game, so you send her the link. Unfortunately, you forget to delete your session information from the URL. Now your friend (conveniently named Eve) has hijacked your account and is voting on your behalf.

The Ruby on Rails website has an excellent explanation of common security holes [1]. The article is Rails-centric, but most of it applies to Haskell as well.

[1] http://guides.rubyonrails.org/security.html

As for libraries, Happstack has happstack-authenticate [2]. I haven't used it myself, but it looks good.

[2] http://hackage.haskell.org/package/happstack-authenticate

Chris

...
-- brandon s allbery kf8nh sine nomine associates allbery.b@gmail.com ballbery@sinenomine.net unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net

Joe Quinn

7:38 a.m.

New subject: ANN: Nomyx 0.1 beta, the game where you can change the rules

On 2/28/2013 11:17 PM, Chris Wong wrote:

...

On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont

...
wrote:

...
...
Hi Chris, Thanks! That's true for the user number. What should I do? Encrypt it?

It's not that you have a user number, or even that it's accessible: it's that it's the entirety of access control, meaning that if the user changes it they can masquerade as another user. The correct solution is that a user should authenticate, which creates a session hash that you stash away and also send back to the user as a cookie so the browser will present it on accesses. Then you check that the presented hash is there and matches the session hash. These should expire periodically, requiring the user to log back in again. Additionally, you can change the session hash with every page hit, to some other totally random hash. If someone steals your session, they had better act on it immediately, lest you visit another page and it changes completely. If your session gets hijacked, you get logged out. When you log in again the attacker loses access.

You can also check sessions by the hash and IP address. That has usability concerns though. Even if players never switch machines in the middle of a game, suppose you are playing on a cell phone and your train goes through a tunnel. When you reconnect, your provider gives you a different IP and you are logged out.

Ertugrul Söylemez

7:59 a.m.

Joe Quinn wrote:

...

Additionally, you can change the session hash with every page hit, to some other totally random hash. If someone steals your session, they had better act on it immediately, lest you visit another page and it changes completely. If your session gets hijacked, you get logged out. When you log in again the attacker loses access.

That will likely cause trouble with concurrent connections aka pipelining: * Client sends request 1 with session id A. * Server receives request 1, verifies A = A, handles the request, sets new hash to B, sends response. * Client sends request 2 with session id A. * Server rejects request 2, because session id mismatch (A /= B). * Client receives response to request 1, sets session id to B. Don't change the session id in the middle of the session. To prevent session hijacking you need to use SSL. Greets, Ertugrul -- Not to be or to be and (not to be or to be and (not to be or to be and (not to be or to be and ... that is the list monad.

Corentin Dupont

27 Feb 27 Feb

4:12 p.m.

Hi all, there is quite a lot of players! Fantastic! I proposed a rule to lower the vote quorum from unanimity to a quorum of only 4, for the experimentation. But still, to have this rule accepted, everybody needs to vote! Could you please cast your vote? If you don't plan on playing, it's better to unsubscribe. The players which have submitted their email should have received a notification for this rule. To experiment with the rules, it's better to install Nomyx on your machine (cabal install Nomyx) and play alone, since the voting process can be long in multiplayer (I expect 1 or 2 days to reach the quorum for a rule). I saw people having problem writing the rules (in the log), I'll post some comments on the game's forum: http://www.nomyx.net/forum/viewtopic.php?p=5 not to flood this mailing list ;) Just note that all proposed rules should have type "RuleFunc". If you'd like to use GHCI to compose your rule, here's how: $ wget http://hackage.haskell.org/packages/archive/Nomyx-Rules/0.1.0/Nomyx-Rules-0.... $ tar -xzvf Nomyx-Rules-0.1.0.tar.gz $ ghci Nomyx-Rules-0.1.0/src/Language/Nomyx/Examples.hs Cheers! Corentin On Wed, Feb 27, 2013 at 12:28 AM, Corentin Dupont

...

wrote:

...

Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules. This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell. At the beginning, the initial rules are describing: - how to add new rules and change existing ones. For example a unanimity vote is necessary to have a new rule accepted. - how to win the game. For example you win the game if you have 5 rules accepted. But of course even that can be changed!

Here is a video introduction and first tutorial of the game: http://vimeo.com/58265498 The game is running here: www.nomyx.net:8000/Nomyx I have set up a forum where players can learn about Nomyx and discuss the rules they intend to propose: www.nomyx.net/forum

As this is the first beta release of the game, I'm looking for beta testers :) Although I tested it quite a lot, I'm sure a lot of bugs remains, especially in multiplayer. So if you are interested in testing Nomyx, please go to this forum thread and we'll set up a small team to start a match! http://www.nomyx.net/forum/viewtopic.php?p=5

Comments/contributions are very highly welcome! There is still a lot to do. As for now, the game is not completely securised. It is easy to break it by submitting rules containing malicious code. I'm working on it. If you'd like to do security testing, please do it locally on your own machine and send me a bug report :).

Cheers, Corentin

[1] http://hackage.haskell.org/package/Nomyx [2] www.nomic.net

Corentin Dupont

4:20 p.m.

NB: being unsubscribed, you can still watch the game. It's just that you are not anymore considered as a "citizen" of that game, thus not counted in the votes. On Wed, Feb 27, 2013 at 10:12 PM, Corentin Dupont

...

wrote:

...

Hi all, there is quite a lot of players! Fantastic! I proposed a rule to lower the vote quorum from unanimity to a quorum of only 4, for the experimentation. But still, to have this rule accepted, everybody needs to vote! Could you please cast your vote? If you don't plan on playing, it's better to unsubscribe. The players which have submitted their email should have received a notification for this rule.

To experiment with the rules, it's better to install Nomyx on your machine (cabal install Nomyx) and play alone, since the voting process can be long in multiplayer (I expect 1 or 2 days to reach the quorum for a rule).

I saw people having problem writing the rules (in the log), I'll post some comments on the game's forum: http://www.nomyx.net/forum/viewtopic.php?p=5 not to flood this mailing list ;) Just note that all proposed rules should have type "RuleFunc". If you'd like to use GHCI to compose your rule, here's how: $ wget http://hackage.haskell.org/packages/archive/Nomyx-Rules/0.1.0/Nomyx-Rules-0.... $ tar -xzvf Nomyx-Rules-0.1.0.tar.gz $ ghci Nomyx-Rules-0.1.0/src/Language/Nomyx/Examples.hs

Cheers! Corentin

On Wed, Feb 27, 2013 at 12:28 AM, Corentin Dupont < corentin.dupont@gmail.com> wrote:

...
Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules. This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell. At the beginning, the initial rules are describing: - how to add new rules and change existing ones. For example a unanimity vote is necessary to have a new rule accepted. - how to win the game. For example you win the game if you have 5 rules accepted. But of course even that can be changed!

Here is a video introduction and first tutorial of the game: http://vimeo.com/58265498 The game is running here: www.nomyx.net:8000/Nomyx I have set up a forum where players can learn about Nomyx and discuss the rules they intend to propose: www.nomyx.net/forum

As this is the first beta release of the game, I'm looking for beta testers :) Although I tested it quite a lot, I'm sure a lot of bugs remains, especially in multiplayer. So if you are interested in testing Nomyx, please go to this forum thread and we'll set up a small team to start a match! http://www.nomyx.net/forum/viewtopic.php?p=5

Comments/contributions are very highly welcome! There is still a lot to do. As for now, the game is not completely securised. It is easy to break it by submitting rules containing malicious code. I'm working on it. If you'd like to do security testing, please do it locally on your own machine and send me a bug report :).

Cheers, Corentin

[1] http://hackage.haskell.org/package/Nomyx [2] www.nomic.net

Corentin Dupont

1 Mar 1 Mar

9:33 a.m.

Hi all, with the mutiplayer server, the game was occasionally crashing with: CPU time limit exceeded (core dumped) I think it was due to some ulimit set too low, it should work better now. BR, C On Wed, Feb 27, 2013 at 12:28 AM, Corentin Dupont

...

wrote:

...

Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules. This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell. At the beginning, the initial rules are describing: - how to add new rules and change existing ones. For example a unanimity vote is necessary to have a new rule accepted. - how to win the game. For example you win the game if you have 5 rules accepted. But of course even that can be changed!

Here is a video introduction and first tutorial of the game: http://vimeo.com/58265498 The game is running here: www.nomyx.net:8000/Nomyx I have set up a forum where players can learn about Nomyx and discuss the rules they intend to propose: www.nomyx.net/forum

As this is the first beta release of the game, I'm looking for beta testers :) Although I tested it quite a lot, I'm sure a lot of bugs remains, especially in multiplayer. So if you are interested in testing Nomyx, please go to this forum thread and we'll set up a small team to start a match! http://www.nomyx.net/forum/viewtopic.php?p=5

Comments/contributions are very highly welcome! There is still a lot to do. As for now, the game is not completely securised. It is easy to break it by submitting rules containing malicious code. I'm working on it. If you'd like to do security testing, please do it locally on your own machine and send me a bug report :).

Cheers, Corentin

[1] http://hackage.haskell.org/package/Nomyx [2] www.nomic.net

Corentin Dupont

3 Mar 3 Mar

6:08 p.m.

Hi all, it's still crashing once a day with: CPU time limit exceeded (core dumped) ulimit -t gives unlimited. in /etc/security/limits.conf their is nothing. I'm not setting time limits in the software. Any ideas? On Fri, Mar 1, 2013 at 3:33 PM, Corentin Dupont wrote:

...

Hi all, with the mutiplayer server, the game was occasionally crashing with: CPU time limit exceeded (core dumped) I think it was due to some ulimit set too low, it should work better now.

BR, C

On Wed, Feb 27, 2013 at 12:28 AM, Corentin Dupont < corentin.dupont@gmail.com> wrote:

...
Hello everybody! I am very happy to announce the beta release [1] of Nomyx, the only game where You can change the rules. This is an implementation of a Nomic [2] game in Haskell (I believe the first complete implementation). In a Nomyx game you can change the rules of the game itself while playing it. The players can submit new rules or modify existing ones, thus completely changing the behaviour of the game through time. The rules are managed and interpreted by the computer. They must be written in the Nomyx language, which is a subset of Haskell. At the beginning, the initial rules are describing: - how to add new rules and change existing ones. For example a unanimity vote is necessary to have a new rule accepted. - how to win the game. For example you win the game if you have 5 rules accepted. But of course even that can be changed!

Here is a video introduction and first tutorial of the game: http://vimeo.com/58265498 The game is running here: www.nomyx.net:8000/Nomyx I have set up a forum where players can learn about Nomyx and discuss the rules they intend to propose: www.nomyx.net/forum

As this is the first beta release of the game, I'm looking for beta testers :) Although I tested it quite a lot, I'm sure a lot of bugs remains, especially in multiplayer. So if you are interested in testing Nomyx, please go to this forum thread and we'll set up a small team to start a match! http://www.nomyx.net/forum/viewtopic.php?p=5

Comments/contributions are very highly welcome! There is still a lot to do. As for now, the game is not completely securised. It is easy to break it by submitting rules containing malicious code. I'm working on it. If you'd like to do security testing, please do it locally on your own machine and send me a bug report :).

Cheers, Corentin

[1] http://hackage.haskell.org/package/Nomyx [2] www.nomic.net

4461

Age (days ago)

4466

Last active (days ago)

List overview

Download

26 comments

13 participants

participants (13)

Alexander Solla
Ben Lippmeier
Brandon Allbery
Chris Wong
Clark Gaebel
Corentin Dupont
David Thomas
Erik Hesselink
Ertugrul Söylemez
Joe Quinn
Mats Rauhala
Ozgun Ataman
Tom Murphy