Isn't it unethical for HP employees to steal from their clients? They cheated to win the prize, and should not have accepted the food.
But then again, maybe that's how HP operates.
MSFTMVP 2 years ago
@MSFTMVP Bah! If you are smart enough to beat the system, you deserve to beat the system.
frazerdavid 2 years ago
nommz nommz noomz! YAY HP!
facefullofflowers 2 years ago
uhm 30%.. nevermind... i don't think you could play inside the store to win expensive prizes..
omgwtfbbq007 2 years ago
95% odds this was Carl's JR's new website. I remember a notice at their stores mentioning being unable to accept some sort of coupons printed from the internet.. From what I had read I thought of them being hacked right away. lol
omgwtfbbq007 2 years ago
An easy solution would be to use a session key and encrypt the gamestate and let the server decide if you won. Use Diffie-Hellman Key Exchange to get the session key, and as an extra layer of security, prevent you from winning more than X times in Y minutes. If you decompiled the game, you'd still be able to fake the key exchange, but at least the server decides if you won and not the game. And you can't use `strings` to find the shared secret either.
ZiggyTheHamster 2 years ago 2
is there anything the restaurant could have done to avoid this tho? in fact, I don't see any way around this at all, even out of flash. at some point, the server needs information about the gamestate, in order to determine when to send a coupon. this is inherently insecure. even if you post gamestates every milestone in the game, this can be duplicated. there's nothing you can do. that said, I'd love to hear otherwise.
vertigoalopolus 2 years ago
You can't create a game that can't be cheated this way, because the model is flawed. Code running on the client computer decides if the client wins a cheezburger; such code can always be subverted by a malicious user. The only way to secure it is to make it so that only a computer you trust decides if the client wins a cheezburger, based on information you trust.
That being said, if the malicious user has to decompile the SWF and steal your shared secret, you've gone as far as you need to.
IICVX 2 years ago
Yeah, it probably cost HP more to find the 'security' hole with their security team than the restaurant to produce the game, which was probably outsourced on the cheap. Big breakthrough here. People do this all the time with games that have top score lists.
stupergenius 2 years ago
In this case, wouldn't it be "Push buttan, receiv cheezburger."?
FSWKU 2 years ago 2
Push Buttan, reciev bakon cheezburger
TheMadLiteralist 2 years ago 2
Do you take requests? I have a great idea for a new game called "David wins a Ferrari."
dln385 2 years ago
I don't really understand what the big discovery is here.
Ultimately, the game is client side and as a result cheating is always possible. All the company really needs to do is require some type of registration and then put limits on the prizes dispensed on the server side.
Does the client really care if there are a few cheaters, or do they just want a fun game that is built as cheaply as possible? In my experience, most would choose to get it done cheaply and accept some inherent risks.
ResidentHooligan 2 years ago 2
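The design several comments above converge on (the server decides the win, wins are capped at X per Y minutes per registered account, coupons are checked server-side) can be sketched as follows. This is an added example, not code from the thread or from the game; `PrizeServer`, the limits and the odds are assumptions, and the prize is modelled as a server-side draw.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict, deque

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never in the SWF
MAX_WINS, WINDOW_S = 2, 3600          # assumed "X wins in Y minutes"
WIN_PROBABILITY = 0.05                # assumed prize odds

class PrizeServer:
    def __init__(self, rng=None, clock=time.time):
        self.rng = rng or secrets.SystemRandom()
        self.clock = clock
        self.open_plays = {}              # play_id -> registered account
        self.wins = defaultdict(deque)    # account -> timestamps of recent wins
        self.redeemed = set()

    def start_play(self, account):
        """Issue an unguessable one-time play id bound to the account."""
        play_id = secrets.token_hex(16)
        self.open_plays[play_id] = account
        return play_id

    def finish_play(self, account, play_id, client_claims_win=False):
        """Return a coupon or None. The client's claim is deliberately ignored."""
        if account is None or self.open_plays.pop(play_id, None) != account:
            return None                   # unknown, replayed or foreign play id
        now, recent = self.clock(), self.wins[account]
        while recent and now - recent[0] >= WINDOW_S:
            recent.popleft()              # forget wins outside the window
        if len(recent) >= MAX_WINS or self.rng.random() >= WIN_PROBABILITY:
            return None                   # rate-limited, or the server's draw lost
        recent.append(now)
        return f"{account}:{play_id}:{self._tag(account, play_id)}"

    def _tag(self, account, play_id):
        msg = f"{account}:{play_id}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def redeem(self, coupon):
        """Accept a coupon once, and only if the server's MAC verifies."""
        parts = coupon.rsplit(":", 2)
        if len(parts) != 3 or coupon in self.redeemed:
            return False
        account, play_id, tag = parts
        expected = self._tag(account, play_id)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False
        self.redeemed.add(coupon)
        return True
```

A modified client can still call `start_play` and `finish_play` as often as it likes, but each account's payout is bounded by the server's odds and the win cap rather than by anything the client sends.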
I think the point is that if the game was built correctly, cheating would not be possible at all.
dln385 2 years ago
@dln Sure, but the parent's point is that the restaurant probably doesn't care. They'll save more by having the game made cheaply and occasionally losing out, than they would building the thing properly.
Your point stands though - it's just this is a facetious example.
dyefade 2 years ago
Cheeseburger? don't you mean "cheezburger" (or a "hot dog")?
mofoq 2 years ago
All he needs is a sign, "Will crack for food." Nice job.
dennislbrown 2 years ago 5
Billy, you are hilarious.
rx8volution 2 years ago