Nuke code can be bruteforced

[ghost]

If someone knows 4/6 of the nuke code they can guess the final two in less than a minute in some cases. Inputting should incur a slight sanity loss to negate this because guessing nuke codes is scary. If they know 2/6 it takes roughly 20-30 minutes to guess, only a few minutes if the first two digits are low. Guessing the entire code would probably be impossible.

[ghost]

Someone nuked by guessing the code

[assortedbeads]

If they've gotten 4/6 codes I reckon they've already put considerable effort into blowing up the ship, so if they brute force it let them

[thevandie]

Let em brute force it lol

[ghost]

A topic limit should be introduced regardless, if not specifically a way of stopping people from brute forcing the nuke code. Lots of ways to lag/crash the server by spamming topics.

[MLGTASTICa]

Bullshit , we have topic limited.

[ghost]

Bullshit , we have topic limited.

You do not.

[MLGTASTICa]

Bullshit , we have topic limited.

You do not.

Prove it

[ghost]

Bullshit , we have topic limited.

You do not.

Prove it

`/client/Topic(href, href_list, hsrc)
if(!usr || usr != mob) //stops us calling Topic for somebody else's client. Also helps prevent usr=null
return

//search the href for script injection
if( findtext(href,"<script",1,0) )
	log_world("Attempted use of scripts within a topic call, by [src]")
	message_admins("Attempted use of scripts within a topic call, by [src]")
	//del(usr)
	return

// asset_cache
var/asset_cache_job
if(href_list["asset_cache_confirm_arrival"])
	asset_cache_job = asset_cache_confirm_arrival(href_list["asset_cache_confirm_arrival"])
	if (!asset_cache_job)
		return

// Tgui Topic middleware
if(tgui_Topic(href_list))
	return
// if(href_list["reload_tguipanel"])
// 	nuke_chat()
// if(href_list["reload_statbrowser"])
// 	src << browse(file('html/statbrowser.html'), "window=statbrowser")
// Log all hrefs
if(config && config.log_hrefs && href_logfile)
	DIRECT_OUTPUT(href_logfile, "<small>[time2text(world.timeofday,"hh:mm")]</small>[src] (usr:[usr]\[[COORD(usr)]\]) : [hsrc ? "[hsrc] " : ""][href]")

//byond bug ID:2256651
if (asset_cache_job && (asset_cache_job in completed_asset_jobs))
	to_chat(src, span_danger("An error has been detected in how your client is receiving resources. Attempting to correct.... (If you keep seeing these messages you might want to close byond and reconnect)"))
	src << browse("...", "window=asset_cache_browser")
	return
if (href_list["asset_cache_preload_data"])
	asset_cache_preload_data(href_list["asset_cache_preload_data"])
	return

//Admin PM
if(href_list["priv_msg"])
	var/client/C = locate(href_list["priv_msg"])
	if(ismob(C)) 		//Old stuff can feed-in mobs instead of clients
		var/mob/M = C
		C = M.client
	// its a fucking ckey
	if(istext(C))
		C = directory[C]

	cmd_admin_pm(C,null)
	return

if(href_list["irc_msg"])
	if(!holder && received_irc_pm < world.time - 6000) //Worse they can do is spam IRC for 10 minutes
		to_chat(usr, SPAN_WARNING("You are no longer able to use this, it's been more then 10 minutes since an admin on IRC has responded to you"))
		return
	if(mute_irc)
		to_chat(usr, "<span class='warning'You cannot use this as your client has been muted from sending messages to the admins on IRC</span>")
		return
	cmd_admin_irc_pm(href_list["irc_msg"])
	return

switch(href_list["_src_"])
	if("holder")
		hsrc = holder
	if("usr")
		hsrc = mob
	if("prefs")
		return prefs.process_link(usr,href_list)
	if("vars")
		return view_var_Topic(href,href_list,hsrc)
	if("chat")
		return chatOutput.Topic(href, href_list)

switch(href_list["action"])
	if("openLink")
		src << link(href_list["link"])
if (hsrc)
	var/datum/real_src = hsrc
	if(QDELETED(real_src))
		return

//fun fact: Topic() acts like a verb and is executed at the end of the tick like other verbs. So we have to queue it if the server is
//overloaded
if(hsrc && hsrc != holder && DEFAULT_TRY_QUEUE_VERB(VERB_CALLBACK(src, PROC_REF(_Topic), hsrc, href, href_list)))
	return
..() //redirect to hsrc.Topic()

`
I also wrote a very shitty python program recently to try and bruteforce the nuke code, never hit any form of topic limit like you would on TG(~50 topic calls per minute)

[Iglpigl]

My dude average eris players aren't writing python programs to brute force the nuke.

[ghost]

My dude average eris players aren't writing python programs to brute force the nuke.

That's like saying the average tarkov player doesn't cheat so you don't need to fix vulnerabilities. (There has even been multiple paid hack clients.)There are hundreds of videos on YouTube of people griefing SS13 servers. ~100 topic calls per minute would allow players to brute force the code within reason while stopping outright cheating from taking place.

[MLGTASTICa]

its a shame that if they dont know any number of the code , it'd take them optimistically 5000 minutes(considering they're only doing 50 topic calls per minute) to guess the code , considering theres 500k possibilities and testing all of them would take 11000 minutes
I also like to see actions , not words , so post a video of it and i might as well look into fixing it