On Sat, May 25, 2002 at 03:46:50AM -0500, Bob Tanner wrote:
> What prevents a man-in-the-middle attack?

Well, I thought the local IP address used to be used as part of the
negotiation ... but portswap through firewall must bypass that now,
because a client cannot know what its external NAT IP would be.

An in the middle attack at system call level interface is always going
to be possible, with open operating systems.

> What prevents a user from picking out the embedded key and using it 
> (writing some code) to make a borg client that masquerades as a 
> blessed binary?

Not much.  There are some tricks in place to make it more difficult,
but it is not impossible.  The main defence is that the protocol and
data flow constrain the cheats that are possible, and so the reward
for making a borg is not particularly high, when compared to other games
that place more trust in their clients.

It is more important that the community believe that client 
authentication helps to prevent cheating.  That probably reduces cheat
attempts more than the actual defence capability.

Borg capability in Netrek is constrained to:
- predicting probable location of cloakers, by data analysis,
- automatic firing of weapons or activation of defensive measures,
- information processing, e.g. carrier highlighting.

-- 
James Cameron    mailto:quozl at us.netrek.org     http://quozl.netrek.org/