Also I haven't heard of any new asss zone where cypherjf is staff and the zone requires some feature that's in cont 39pr1.
CypherJF - Wed Feb 16, 2005 3:01 pm
Post subject:
woah where did i come in at? lol...
I agree that asss should support the same versions as subgame does, and the same option - disable pre-releases, disable VIE, etc.
I'd post more, but class has begun.
SuSE - Wed Feb 16, 2005 4:47 pm
Post subject:
I'm sure there is plenty of information regarding this online.
Bak - Wed Feb 16, 2005 6:23 pm
Post subject:
Grav, your solution is a good attempt... but the checksum you send to the server of your executable could just be the real executable checksum, rather than the one you are using.
For example: Say the approved client's checksum is "apple" and my cheating client's checksum is "hummingbird". Now when the server asks for an exe checksum, instead of calculating it on my code, I modify my client to run the checksum algorithm on the approved client executable, which isn't the one I'm running. I get "apple" back and send that to the server and the server doesn't know I'm using an alternate client.
This would prevent the novice cheater who just changes the executable(or code) and expects everything to work. However, since the checksum (or better yet hash) is calculated by the client, there's nothing stopping you from running the algorithm to calculate it on the correct version of the executable. So a determained cheater wouldn't have much trouble getting around this.
This is also the same mehcanism as I described in my original post (paragraph beggining with "One attempt might be...").
Suse, could you direct me to some of the information regarding this?
SuSE - Wed Feb 16, 2005 8:14 pm
Post subject:
http://www.google.com/search?q=open%20source%20mmorpg%20security
Bak - Wed Feb 16, 2005 8:32 pm
Post subject:
Every solution from that search query that is usable (not one that will only stop novice hackers) involves the server doing all the checking. This is not an acceptable solution for a Continuum like client.
Smong - Wed Feb 16, 2005 8:47 pm
Post subject:
Cypher I think it was only you that wanted ctm pr1 support, but I may be wrong.
Checksums probably won't work well unless you distribute a precompiled client.
You could move the game to the server, and use the client as graphics/input only with guess work on the non-critical/secondary stuff like explosion graphics. This will prevent damage/speed/sync cheats, but not aim/rep/dodge cheats.
Do you think an open source client will be more secure and contain less bugs? (or whatever other advantages you can think up). The contributors will be working for free and part time, so updates might not be released frequently even if there is some major bug. Some may submit poor/unsafe code with the potential to introduce more bugs later on. Who is going to write it? This very thread suggests you do not know any suitable cheat prevention, does anyone? Will they be willing to sacrifice their time to this, forever?
Bak - Wed Feb 16, 2005 10:26 pm
Post subject:
Continuum is pretty bug free... but the hope would be to be able to add features to it. Like hold down tab to "charge" your bomb which would increase it's damage or speed (and have a little charge bar on the bottom showing your powerup). Or be able to emulate any resolution on your server so even people with 800x600 max screens could see as much as people using 2048x1592. Or be able to make weapons curve when fired. The possiblilities are truely endless, and most involve changing the protocol in a way, but this isn't much of an issue due to a well organized open source server.
Ideally the client would be modular so that anyone could add a change without completely recompiling the client. The security of new changes would come either from only downloading "approved" modules which can be customized by the server through settings. An alternative would be to run the foreign code in a "sandbox" envornment (for example, if this could be done in Java we could make a Security Manger to not allow file access, process creation, or other possible potential abuse by malicious code).
Mr Ekted - Thu Feb 17, 2005 2:41 am
Post subject:
Look at all the bots we use. They "pretend" to be the real VIE client including all the security stuff. If it is known it can be replicated. The only client-side security is hiding stuff as much as possible. Any EXE can be broken. You need to hide stuff enough that it doesn't take a year to implement, but it does take a decent hacker a lot of work to break. Putting everything on the server-side would result in Netrek (for those of you who know that game).
Gravitron - Thu Feb 17, 2005 5:51 am
Post subject:
The startrek SS-like game?
I think it's only in unix so I didn't play it.
There was also x-pilot...anyway,
Don't the bots require smod or higher inorder to avoid the server booting them for security issues?
And that seurity protocol that allows ASSS to communicate with continuum that MGB/grel released, wasn't that damaging? Couldn't it been modified and implamented on some continuum client to disguise itself from security?
And how many super mad assemly-knowing net-mastering hackers waiting to destroy subspace are there really out there?
The most I've seen is stupid people like EdTheInvi using lag biffers or whatever packet editing and doing obvious shit that get them net banned for the better part of the millenium in two minutes.
Mr Ekted - Thu Feb 17, 2005 6:23 am
Post subject:
Netrek works on all platforms. I played from Windows.
Bots can stay logged in to a zone that allows VIE clients without VIP if they handle all security fields in the security packet. Powerbot does. I'm pretty sure MERV does. When zones went Cont-only, Twister was effectively neutralized.
Only takes 1 hacker to make a cheat like Twister and everything goes to hell. Or something even more subtle, like add a few percent to the recharge rate and skew ranodm bullet damage or bomb prox just a hair. Would be undetecable.
Gravitron - Thu Feb 17, 2005 9:15 am
Post subject:
Twister was effectively neutralized when sage released v1.35.2 server + client that forced a new client download which disallowed twister to run on it.
It would been effectively neutralized if the zone owners had a clue on how to run and manage a zone (if VIE was around Jeff would've made sure sage&twister were net wide bye bye long before).
Since all zones are now continuum only, then the bots can't stay logged in.
Only takes newbie zone owners that somehow got SSC and BanG to make everything goto hell.
Stop excusing your extreme nervousness with the twister incident, since it was nothing but your pathetic handling that caused it to become such a problem, nothing more.
And besides, again, BanG more than will make sure such a problem is handeled, since now even mods can execute IP ban with it.
P.S.
Twister 1.34.3 was more subtle.
And like I said, such changes can be done to continuum, without being distributed, and you'll never know.
It might be happening even now.
So like...what? big deal.
You don't know that it happens.
People get so illogical when they're terrified.
Mr Ekted - Thu Feb 17, 2005 9:24 am
Post subject:
Wow. Completely wrong. Every sentence. I'll never reply to you again after this. Pointless.
Gravitron - Thu Feb 17, 2005 11:38 am
Post subject:
Well, aren't you just pouring of adulthood.
How about you pretend to be mature, okay?
More than anything, the twister ran amoc at newbie zones like EG due to mods using *kill, which bans macID, which twister randomizes and thus bypass the ban.
Now, had they been using ip bans and macID ranges, permission mode (and lists, which worked quite effectively when they put it to use later on), and today with BanG incooperating everything and allowing mods access, wouldn't it stop twister outright?
I know for a fact sage put out a release with patched server/client inorder to prevent twister.
Not to mention, he released the source of twister v1.34.2.
What is completely wrong there?
Do you have Twister 3 that you can make any assertions to its subtlety?
Psycho-sociology studies have proven that much like the common animal, when encountered with fear that's unsurmountable the human will act by survival instincts and with extreme zeal despite all logic and parralel to that of an insane person.
If you truely believe that open source will be the extinction of the game, you'll say whatever you think you need to say and do whatever you think needs to be done inorder to ensure it'll never happen, no matter whether it's founded or not.
Since you believe you're doing what's right for the game's survival, that it's either that, or no existance at all.
Please, argue your case.
CypherJF - Thu Feb 17, 2005 11:41 am
Post subject:
I do know the source to twister is out there; I downloaded it one day by randomly googling for subspace (or something like that) but haven't come across a patched anything for it. :/
Gravitron - Thu Feb 17, 2005 11:47 am
Post subject:
Try testtube's ssdownload site, it's probably somewhere in there.
If not, I'll go search my archives.
Edit:
Here are two, maybe it's them
http://www.subspacedownloads.com/index.php?act=file&fid=23
http://www.subspacedownloads.com/index.php?act=file&fid=24
Currently bussy installing stuff so I can't check them.
CPU too bussy.
Bak - Thu Feb 17, 2005 12:34 pm
Post subject:
I doubt Mr Ekted, or anyone considers an open source client an "unsurmountable fear". Besides that's not even what he was talking about when he said you were wrong, as your entire post was about twister and the way it was handled.
Gravitron - Thu Feb 17, 2005 1:38 pm
Post subject: