allow servers to prevent reverse-engineering of world seeds

Discussion in 'Bukkit Discussion' started by taleden, Jun 11, 2014.

Thread Status:
Not open for further replies.
  1. Offline


    As posted here:
    it is possible to reverse engineer Minecraft world seeds on multiplayer servers, even without the /seed command, and sometimes without even having to log in to the server. This is not just a theoretical vulnerability, I have written code to do it and confirmed that it does work.

    Relatively minor Minecraft code changes could prevent this attack for newly generated worlds, but Mojang considers it "not a bug". If Bukkit is interesting in offering server admins a way to defend against this attack, I'll be happy to provide the technical details and suggested fixes.
  2. Offline


    So... having a similarly generated SMP world file to that of a multiplayer server is an urgent problem?
    Any "thief" willing to steal a world seed would have a rough approximation of a server's untouched world, but no plugins or post-generation changes to the world would be retrievable via that method. I don't see how this could be used as an attack per se against a server, or used to significantly steal intellectual property from a server.
  3. Offline


    Whether the world seed is sensitive information is, of course, subject to the opinion of the server operator. Given that the /seed command was disabled awhile back, and most server admins that I've seen do not give out their world seeds, I'd say most of them don't want their players to be able to do this. That's why I'm posting about the issue without giving the technical details yet, I want to give developers a chance to protect their seeds (if they want to) before I give their players the tools to discover them.
  4. Offline


    The issue lies on "legit" survival servers, especially ones that have economic capabilities.

    anyone who obtains the seed can then use tools like ADMIST to find exactly where every Dungeon/Temple/Village/Fortress/etc is, and quickly rack up tons of rewards from those chests.

    And stuff like this could not be prevented by server owners, nor would it be detectable with solid proof....
  5. Offline


    Moved to a more appropriate forum.
  6. Offline


    I saw it as a "feature suggestion", but sure, move it where you see fit. Thanks.
  7. Offline


    Pretty much a custom generator can solve this issue. Since the world generator code of MC is known, it will always be possible to go the other way and try to get the world seed by checking the map.
  8. Offline


    Yes, it will always be possible in theory, but it's a matter of difficulty. A 64 bit world seed *should* take decades to crack, but in fact it doesn't -- that's easy to fix, if somebody can be bothered to do it. A fully custom generator isn't even necessary, just a few minor tweaks to the existing generator code.
  9. Offline

    Wolvereness Bukkit Team Member

    We have an issue tracker that you can report the issue to -

    However, unless you do something really clever with extra information relating to the world included in the protocol, I don't see how this is an issue for anyone, because the terrain generation is deterministic. While I am curious and am willing to examine solutions, our purpose is independent of fixing vanilla bugs (read: features); we weigh their behavior, impact, and the fix's maintainability before making changes to vanilla bugs.
  10. Offline


    Yes, I understand the "not a bug" argument -- that was the rationale for originally closing my bug report to Mojang. My counter argument is that /seed was disabled for a reason; presumably it was thought that multiplayer server operators should have the ability to prevent players from discovering their world seeds. In that sense, this is a "bug" because it circumvents the access control of the /seed command and lets you get the seed even as a regular user.
  11. If the seed can be recovered within reasonable amounts of time on ordinary consumer hardware, such would soon imbalance economy/item-based servers :p. This would be much worse than xray, because plugins can't protect too much, except for totally custom world generators, at least for ores and structures. (Edit: statistics plugins will help, but also take much more attention, also for some of the problems with fast finding stuff, i don't even know reliable plugins)
  12. Offline


    Yes, this is the danger, and this is why I have not yet released my source code.

    So, Bukkit devs, is this something you might be willing to address in your server plugins? It really would be very straightforward to give server operators the option to protect their newly generated worlds from this analysis, especially in 1.8.
  13. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı

  14. Offline


    use TerrainControl to generate map - better map and no problems :p
  15. Offline


    I think it's not so much the concrete danger of it, as it is the concept of being stolen from and copied. It may have little to no effect on the server, but the idea of someone being able to copy anything of yours may worry you.
  16. Offline


    Unfortunately I cannot submit this issue to your tracker because "You do not have permission to create issues in this project."
Thread Status:
Not open for further replies.

Share This Page