[me3]

Oh and I also find it unacceptable that some people tries to access by non-legitimate means. There are people who do not recognize the work of others, it's a shame.

if you just put up a simple forum, wordpress or simply just have a site with some limited traffic and visibility that has a login and/or signup page, you'll find that it'll eventually get targeted by bots trying to post and/or login. You'll also notice more manual looking attempts at the same, most of which really has nothing to do with the sites contents or what it's gaining access to (they don't really know), its mostly about gaining access to spread "something" or to look for usable data. That "data" can be a very wide range of things.

So just because you have a site with a game on it and someone is trying to gain access, it doesn't mean that it's someone looking to play the game.

Site uses php which makes it likely it uses a db, mostly that means mysql, both of which is a fairly common thing to use and also a fairly common target for attacks due to many possible and known exploits, loopholes and "novice" errors due to php being a simple place for many to start (i'm in no way saying that's the case with sportd or this site).
It also has a contact site which lists the email attempted for login, granted it's in an image but ppl have used images to hide emails for years and picking basic text out of an image isn't that complex and if it's a human, it's a safe bet they can read an email address :P
Login page is also pretty obvious, link is in clear easy text and the page url itself is pretty standard too, same with the login form.
I'm also fairly certain that the site is linked to on forums, which means it's visible and probably picked up by quite a few crawlers etc

This all adds up to it being rather likely to get some "unwanted attention", but by the looks of it, this seems to be something sportd has expected and seems to have accounted for.
How successful it's been is a different matter, as for the most parts you only really know about the failed attempts, a fairly successful attempt wouldn't leave much of a trace, but that's a whole different story

If you have site that's got a fair bit of traffic it can actually be rather fun to set up fake logins, you don't even have to link to it if the url for it is standard and/or obvious, bots will try it.
Those that's never seen or tried things like that may be a bit surprised of what gets tried.

Just as an end to this pretty off topic and probably uninteresting post.
With most security matters, it's not the ones that are "trying to gain access by non legitimate means" which is your biggest security risk, it's the ppl you've got on the inside, the ones you've given access to. They intentionally or unintentionally (usually ignorance or stupidity) make up what's most likely to "slip things past" your security measures.

[sportd]

It also has a contact site which lists the email attempted for login, granted it's in an image but ppl have used images to hide emails for years and picking basic text out of an image isn't that complex and if it's a human, it's a safe bet they can read an email address :P

That's a good point. The only email address that is accessible to the public / bots is that one image (which is skewed). But more sophisticated software can read that.

The reason I thought it was "people having a go" is that there are only one or two attempts before giving up. I would expect an automated attempt to try multiple variations on the most used passwords but I haven't seen that (looking at the timecode of these attempts).

I did consider setting up a honey pot that would use lots of infinte loops for bots to chase, to see if it was possible. My philosophy (the same with telemarketers), sometimes they gain access (I answer the phone, they get through the login) so then I go about wasting as much of their time as possible. If it becomes financially unviable (spellcheck says nonviable) to continue then maybe they will look for other avenues to make money (and hopefully leave me alone). There is also an argument here for "better the devil you know".

Just as an end to this pretty off topic and probably uninteresting post.

Most people would just want it to work I feel, but this is a part of the website I really enjoyed working on. There is a lot I wanted to do security wise but that needs to be balanced against getting the next game out, the number of visits I get and the quality of information that any hacker will get. Right now, a hacker would get a small list of email addresses but the passwords are hashed and salted so reverse engineering the password would take too much time for the reward they get. I am looking at other ways to store the email addresses too so that if anyone did gain access, even the email addresses aren't easily available.

Thanks for your post, it has got me thinking about what I could do to improve security further.

[Josh]

loved your games. and it just seemd right to support for all the hardship and good work.
its just a bit difficult to load those animation parts in the game, where is ur server? i tried to play with a US vpn, but it didnt help much. im in china btw.

[sportd]

Please don't laugh. I am using godaddy hosting. It's all I could afford starting out. All the animations should preload though.Have you tried switching to gif's in the settings menu? It uses less of the computer's resources, and can be a lot smoother on some machines... but the quality is reduced.

[lustboy1994]

Hi sportd, i allready donated you. Im still waiting for my login info. Please, make an effort, id like to play it today.

[Josh]

Please don't laugh. I am using godaddy hosting. It's all I could afford starting out. All the animations should preload though.Have you tried switching to gif's in the settings menu? It uses less of the computer's resources, and can be a lot smoother on some machines... but the quality is reduced.

I've tried everything but the animation couldn't preload. anyway i chose the gif setting and finished the game, basically skipped every cut scene. it probably due to the massive ddos attack in china today, i just saw it on the news, seems that i wasn't not the only one who suffered from slow internet today.

the animation aside, i have enjoyably finished the game at 100% completion rate. thanks again for such a good work, the ending is rather surprising and amusing in my opinion, but it is defiantly fun, it really brings the game up a level, and left me hanging. i was instantly tied to think of a way to reach an alternative ending, until i saw the 100% rate.

i will defiantly play it again when the internet become better(played the gym twice). Looking forward for your next game.

[sportd]

Lustboy PMed me. We are working on it.

Thanks josh. I appreciate the kind words. PM me or email me if the animations don't come right. We won't be the on
Y one suffering if it's not slow internet related. The quicker I can identify a problem the quicker I can fix it.

[sportd]

@didou : I'll hopefully get going on this in the next couple of days. (The walkthrough)

Update: lustboy seems to be logging in ok.

***Boring security stuff for those who enjoy it.

I have found a small hole in the donations section that one person has highlighted.

Paypal has an eCheck option which "promises the funds" and then deposits them a week later when funds have cleared (not sure how it works... something I'll google later).

I sent passwords out as donations were made and someone has (for whatever reason... possibly legitimate but they haven't answered emails yet) started an eCheck donation, got the password, played 5- 6 times, then the payment was cancelled before the transaction completed and any money shifted to me. I am being careful with my words as it may be completely legit problem on the other end but it does highlight an issue I thought I'd mention for anyone else creating automated delivery using paypal. I have changed my process so passwords are now sent on confirmation of payment. It is a hole that could have been heavily exploited and I'm happy it's happened with one person so it's drawn my attention.

***Boring security stuff done.

[me3]

***Boring security stuff for those who enjoy it.

I have found a small hole in the donations section that one person has highlighted.

Paypal has an eCheck option which "promises the funds" and then deposits them a week later when funds have cleared (not sure how it works... something I'll google later).

I sent passwords out as donations were made and someone has (for whatever reason... possibly legitimate but they haven't answered emails yet) started an eCheck donation, got the password, played 5- 6 times, then the payment was cancelled before the transaction completed and any money shifted to me. I am being careful with my words as it may be completely legit problem on the other end but it does highlight an issue I thought I'd mention for anyone else creating automated delivery using paypal. I have changed my process so passwords are now sent on confirmation of payment. It is a hole that could have been heavily exploited and I'm happy it's happened with one person so it's drawn my attention.

***Boring security stuff done.

You shouldn't be accepting anything else than payments/donations with a completed status, echecks is basically a bank to bank transfer, from the payers/donators bank to paypal, it'll have a pending status until it clears, at which point the paypal status will changed to completed. If you're using the notifications, you'll get a second post when that happens.
If the status says cancelled, it is a fairly safe bet the user cancelled it intentionally, but hitting a button. If something went wrong, the status would say that it either got refused or failed, in either of those cases there should be some explanation available.
Also, you might want to keep an eye out for disputed payments, that's when they have paid, completed and then decide to be an ass and try to get the money back by claiming stuff like goods not being delivered etc. Hopefully not something you shouldn't have to run into.

[antsyjoe]

LOVING this game! (now that I unspammed an access email). Thanks so much for making it happen!

Maybe a bug?

I managed to skip going into the locked office the first time. This lead to a loop when you later need to follow Amanda into the office and haven't been in yet (or were smart enough to write down the code).

The Sniper needs to be done. Now.

[sportd]

Thanks antsyjoe. I appreciate the kind words. I have rendered my first image for theSniper (it took 2 hours to render), so theSniper may take a while to write.

That's a good bug find... I'll have a crack at closing that. I may have to add a branch to the story that...

... if you dont get the passcode the girls are upset and the game ends.

I'll have a think on how I can close that bug.

Thanks for your help.

[Guntag]

Hi Sportd ! I played the Gym and really enjoyed it !

Sorry, but I haven't donated for The Physio. I have nothing against donation, and it's awesome and well deserved if you can get something for your work (this is the most important part of my message, what is next, you can ignore it if you want ). The only thing I find weird is what you give (or rather not give) in exchange for the donation. You don't give anything to the people who donated, you just delay the release for the people who did not. Maybe doing it privately would not be so awkward (to me at least).

Again, thanks for all your work and I'm happy to see you are working on something else !

[Greyelf]

You don't give anything to the people who donated, you just delay the release for the people who did not

Another way to look at this is that he gave pre-release access to the game for those that donated, and that the rest of the world has to wait until the game's public release date.
*smile*

[Köpi]

@Guntag: Shark is doing it almost the same way, accept some bonus scenes. I think it's a great way to express his gratitude.

[sportd]

Hi Guntag,

The thing is, without the donations I couldn't make the games. I ask for donations to help me keep moving forward. The only thing I can offer as a token of my appreciation is the opportunity for them to play while the database queries and the concurrent connections don't get max out crashing the game. What I can offer is the best playing experience I can create.

If theGym is anything to go by, when it goes live to the masses as a free game, the servers will crash for a couple of days under the weight of players. I am better prepared this time around so I hope it doesn't happen...but it might.

Don't be sorry for not donating. I am fully aware there are those that wont... and that is why I also put it up for free at a later date. My main idea is: a free back catalog will encourage more people as the games stack up to play the latest release as it comes out.