Alloc

Fun Pimps Staff
  1. Hi all, first of all always nice to see people care about security Of course development does not work like we have a switch somewhere saying "Prevent all cheating / hacking" that we just never cared to turn on because we hate everyone. That said, every game has always been and will always be prone to cheating. Even big companies which spent millions of bucks into fighting it, like Blizzard (not Activision Blizzard, haven't been following their activities for a long time anymore), never were able to fully stop it from happening. Even games like WoW that are mostly server authoritative, which makes it a lot easier to fight cheating, have not been able to fully prevent it. What we currently have in place is for the most part EAC, preventing users from modifying their game client. So unless someone actually bypasses their protection - and I'm currently not aware of any tool successfully doing so - we have to assume the client does nothing we don't allow it to. So for example forging wrong netpackets is not plausible on EAC protected servers. Of course if anyone becomes aware of any bypass that actually works ... please report it (either to us or directly to EAC / Kamu). That's the only way such things can be fixed. If you run a server *without* EAC in place *nothing* is ever going to stop client side cheating. Thinking that testing for a client's "fly mode switch" (if we had one that was transferred by default) would help anything is wrong. If you aren't totally dumb/lazy as a hacker you'd simply make it so that such a flag would not be reported to the server. Same for checking player's y-coordinate. If I was hacking my client I would simply send the terrain height as my position's y to the server while locally flying well above / below ground. So, relying on *any* data coming from a client that can not be considered unmodified (through means like EAC protection) is not helping to fight cheating on a server. 
(Which is also the reason as to why we do not support client side code mods yet, as that takes more measures to make sure they can't be abused for cheating) The server on the other hand is fully in the hand of whoever runs it so it can be used to cheat by the owner. Which means as a user I have to somewhat trust the admins that they don't abuse their power. But that's how it always will be for public run servers, no way to stop that part. The third major component involved is the network between the two first parties. And yes, people who do have the knowledge could use that to achieve some stuff they should not be able to. Haven't looked at the network protocol in some time, so can't say if just injecting packets would work without any issues, changing them on the other hand is pretty much a given. Using this to gain advantages for yourself should be possible, running commands on the server definitely is not though. We're going to look into closing up that side of things though if it's actively being exploited by now. In general: If you know of any publicly available cheats (e.g. exploits without using specific tools) or hacks (tools modifying the game while running EAC, tools for changing / injecting network traffic etc) report them. That way we can investigate them and get things fixed. Now for some responses to more specific talks in this thread... (Sorry for not using proper quotes, the forum software does not seem to let me use bb-code and making a big post with multi-quotes gets annoying here ) @giKoN Not sure if that's what you mean, but making sure the assemblies are not modified is exactly what EAC does. As stated above, even if those things were reported to the server it would not help. People who can enable those modes will also be able to prevent those states from being reported to the server. I'd really like to see an example of that. Not saying there can't be bugs in the code making this possible, but not aware of anything yet. 
The admin data is managed by the server, the clients can only interact with them through the means of the respective commands (admin, ban, etc). Running such commands on the server is protected by the permission levels of the users vs the commands. Now, if an admin missed that lower number means higher access level and e.g. switched the two around (e.g. perm level for "admin" = 1000, perm level of regular users = 0) it would mean everyone could access this data. But I doubt that's the case as it's not the defaults and admins are generally aware of that stuff when looking at the example and defaults. (PS: Running commands on client side, which is probably what some people here are talking about, won't affect the server's admin settings) @Grandpa Minion As stated above for giKoN and in the introducing parts, I don't see this happening. But I'll gladly look into this if you can provide more information @giKoN Any proof on that one? This should be fairly impossible thanks to the way Steam authentication works. @CH1LLV1LLE Not seeing any attached proof. Though what I can state: I looked at the code for that mod (thanks @giKoN !) and unless giKoN removed parts that were responsible for such issues (and I highly doubt that) there's nothing in that mod that interferes with the way the in-game console works. @meganoth No, the console does not work like that. The sender of a console command is identified by his connection, and this connection is only accepted after successful Steam authentication. So you can't just alter data on the command package to get yourself authenticated for commands. Now, *if* you were able to figure out the connection details (source IP + port at least) of another existing connection of an actual admin who's online you *might* be able to fake a package you send to look like it came from the admin.
But unless you're on the same local network that's like arguing the NSA was hacking 7DtD because they don't like us If you or parts of your message didn't get mentioned explicitly above and isn't covered with what's here (or what I said sounds wrong) feel free to bring it up. Also note that repro steps, information on tools etc help incredibly with getting stuff more secure. Cheers, Chris
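The permission-level rule from the post above (a lower number means higher access, and swapping the two opens admin commands to everyone), sketched as an added example. It is not code from the game or from the post: the function names, the configuration layout and the `help` command are hypothetical, and only the rule and the swapped values 1000 / 0 come from the post.

```python
# Added illustration; names and config layout are hypothetical and are not the
# game's real format. Only the rule (lower number = higher access) and the
# swapped values 1000 / 0 come from the post.

SENSITIVE = {"admin", "ban"}  # commands the post names as touching admin data


def may_run(user_level, command_level):
    """Lower number means higher access: level 0 outranks level 1000."""
    return user_level <= command_level


def audit(command_levels, default_user_level, sensitive=SENSITIVE):
    """List sensitive commands an ordinary (default-level) user could run."""
    findings = []
    for cmd in sorted(sensitive):
        required = command_levels.get(cmd)
        if required is None:
            # Assumption: an unlisted command falls back to some server default,
            # so it is reported for manual review rather than judged here.
            findings.append((cmd, "no explicit level configured"))
        elif may_run(default_user_level, required):
            findings.append(
                (cmd, f"default level {default_user_level} <= required {required}")
            )
    return findings


# Constructed sample configurations.
INTENDED = {"commands": {"admin": 0, "ban": 0, "help": 1000}, "default_user": 1000}
SWAPPED = {"commands": {"admin": 1000, "ban": 0, "help": 1000}, "default_user": 0}


def check(cfg):
    return audit(cfg["commands"], cfg["default_user"])


if __name__ == "__main__":
    for name, cfg in (("intended", INTENDED), ("swapped", SWAPPED)):
        print(name, check(cfg) or "ok")
```

With the default user level set to 0, every command is reachable, which is why the swapped configuration flags `ban` as well as `admin`.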
  2. Hi, first of all sorry for the delayed response, I opened this thread when I was mentioned but didn't want to answer on a weekend ...Simply forgot about it, my fault. Also, thanks @bobross for following my request and not keeping Catalysm's thread busy with this 👍 As for your points: I think it was already pointed out clearly enough that you purposely misquoted my post, I never said I didn't look at that stuff, only at the question about the licensing business. I'm neither a lawyer nor do I care enough about that part to be able to make a precise statement on that subject. All my other points are simple facts though. Also I did not (so far) demand any action to be taken on the mod itself, I only made a statement that users could see to decide on their own if they wanted to run that mod. Even IF I had shut down advertising the mod on this platform it could have still been continued in other places. The posts made by users after mine made clear, that a lot would have simply ignored those facts, so it wouldn't have changed anything for those. The decision to drop the mod completely was Prisma's alone. IIRC not the first time he did so btw. And he's actually been giving another reason for people not to start relying on closed source mods/tools: The author can decide at any point in time to just drop support (or even completely remove it), meaning no one can follow up on the work and everyone is screwed the same way. And that will happen sooner or later to any author, even if nothing "bad" happens, just because everyone will at some point lose interest in the game he built stuff for (afaik the Server Tools mod that's currently being run by Obsessive Compulsive is one such example, as I think I recall that being started by dmustanger at some point and taken over because he lost interest in it). And no, I did not talk to him this time.
I have learned enough about his attitude in the past to know it would have made no difference on this part, and his reaction just proves me to be correct. Unless you call someone pulling the "he's German, I'll call him a nazi" card to be reasonable... As for the primary reason of this whole story: It's not like you said him "taking my code". I would have been sad about that fact if it was just that, but wouldn't have cared further. The reason I made my stuff open and reusable is so people can actually learn from it. We're mostly talking about the obfuscation, and I think a few people in here already gave pretty concise reasons on why that's a bad thing. The thing is: *If* a mod for any game does something bad people will blame the game dev company for it, not the mod author (or at least not only). Such things always fall back on the "platform" that enabled someone to do this crap. I'm not willing to give everyone a green card to be able to hide such stuff on their end. @Obsessive Compulsive, @StompyNZ and @stallionsden: This wasn't about any other mods so far and especially not about who "stole" what. I actually doubt any of us never looked at other mods when working on their own. Even I did so sometimes, even though I think I can say that I did the first major API mod out there. It's just that we learn from others, and in the end this makes us get better. As long as it's not just ending up mods completely copying (parts of) other mods, thus providing no improvements for the users in the end. Ideally there would be less duplication of features and rather work split up between modders, but I know that's never easy to get running in a community. I will reopen this thread as I think it's only fair others being able to respond, but please keep it civil, especially when targeting each other. Think @bobross did a pretty good job at staying on a proper level of discussion here, so please don't start to completely derail it.
  3. When giving such a statement you should at least make sure that's correct. Never claimed it was not, but I suppose the line you're referring to can be interpreted that way: That highlighted part was basically going together, didn't think about that when I was writing that line. The fact that it's based on Coppi's was from the web site, as I don't know Coppi's mod by heart. Only thing I was trying to make the statement about 100% copy and no mention was mine, because I know that code and have seen it being used in there. That whole point is still mostly a follow up on the first one: The thing is: You get a lot from the community, not only in knowledge, but also in actual work spent, and then you just take that but all your stuff is then suddenly so much more worth than anything else done so far (including the base game btw...) that no one is allowed to even look at it? If every modder here was this protective of his own work there would be nothing at all because everyone would have to start from scratch as there's no information to learn with. That's my major gripe with that "I am allowed to completely copy stuff but others might not even take a look for ideas or anything" attitude. The performance of the vanilla code isn't impacted of course, but running obfuscated code is still unnecessarily slower, so any place where vanilla code executes part of the mod is slower. Was just giving one of the reasons obfuscation is bad practice here. Well, as you said yourself, there's no payment involved in this mod. So not a commercial product. So what reasons could he have (even more so even stating he won't even disclose the reasons)? Of course it could just be the above mentioned attitude of not wanting others to learn anything from his code, could also just be to hide the fact how much is copied (not saying it is a lot, just saying it could be a motivation!), but as well could be bad intentions. 
The thing is: No one can know if there's anything bad without quite some work involved reading through that obfuscated code. And that's what I was warning about: Running obfuscated code on your servers, where it's *very* unlikely anyone checked what it does. There's a lot of others who do the same, also for free. Never seen anyone hide what they do though. Actually one outcome of this thing I can take away for me is that I'll see if we enforce a rule about not allowing obfuscated code to be advertised/shared on this forum or workshop later on at all ... Also, if there's more you want to say, please make a thread for it, we captured Catalysm's thread for long enough now. Feel free to @mention me if you do make a thread and actually want me to read it.
  4. Just so there's no unnecessary confusion here: I was only talking about CPM! CSMM seems like a great project!
  5. I never thought I would ever do this ... but: I strongly advise against using CPM! As for why:
     - I haven't checked in detail, but while I don't think it actually violates any license, basing your whole work on a lot of other open source code and then saying "you may not even look at mine" (not even talking about reusing / modifying here) is an ass move
     - The code is highly based on other people's work. So far I know of at least Coppi's mod and mine, parts of it just copied 100%. Not even mentioning it.
     - It's closed source and furthermore even obfuscated binary
       - negatively impacting performance
       - even worse it makes it hard to verify what it is doing. Remember that any code you load into your game can do anything on the system within the limits of the user permissions the game runs on
       - even obfuscated all third party code it heavily relies on (like the whole LiteDB, Harmony, Coppi's and my code)
     - It's not an encouraging behaviour for a modding *community*

     As I said, (probably) nothing "illegal", just something that I don't like to see happening in our community and something I would be very worried about as a server admin.
  6. First of all you should not run SteamCMD yourself if using my scripts, that is bound to cause ♥♥♥♥ups in the end Anyway, SteamCMD throwing weird assertions isn't *that* uncommon, most of them can be ignored. The only thing that really matters if it updates properly in the end. Would need more output from when it runs, not just the above snippet as it's not directly related to the actual update process. Sounds like you found a workaround for yourself though, so glad it works
  7. Should automatically be found in the default installation directory. If not it's most likely just not installed
  8. Looks like you're missing the package libc6-dev on your system.
  9. You won't find any information on restoring, after all that's just plain file handling What I meant with proper way is making sure file permissions are correct after restoring stuff and making sure to grab the correct files in the first place (and put them in the correct place of the save of course).
  10. No, that's only if you have a very non-standard server configuration. Blazha is correct in that by default they go to %appdata%/7DaysToDie/GeneratedWorlds. Yes, not recommended though. Yes, that's save data, not worlds, and that of course goes to the saves folder
  11. As Sylen said the actual game save data is part of instances/<gamename>/..., enginge/data/worlds is only serving the base world. If you (properly!) restored some of that data and it did not fix those changes then the hack was done earlier than you thought. Also make sure to stop the server first before replacing save files. No, the only thing cached on clients is the uncovered mini map view, nothing else.
  12. Only files directly in the folder, not from subfolders. That's why I was suggesting moving them to a subfolder
  13. Just used NitroGen for 18.1 again. Still think it would be cool if you would put the additional files that the game doesn't read in a subfolder of the output folder (like "previews" or something like that) as that would not make clients download those files without any work put on the server admins. Pretty sure a lot of people forget to remove them first (or don't know which ones they can delete) and thus cause additional download time for clients connecting the first time Other than that still a great tool, wonder when I'll run into the first crack. On the worlds itself: - Maybe it would be a nice addition to have an option to restrict cracks to desert/wastelands, as I don't feel like cracks in a forest environment are any kind of realistic (yeah, in a zombie game ... ) - I'd like an option for the world to be randomly rotated, i.e. north/south for desert/snow is cool, but if the whole thing was rotated randomly later on you would at least not always immediately know where to go for those biomes
  14. Sounds pretty much like you just haven't set up permissions. If it was the old issue with just the rendering failing you'd still get the map controls and all the other information on the page.
  15. Regions is game data, Map is where the rendered files for the webmap are. If you have a 12k map you should not try to render 24k, which is what your command tried (12k - -12k = 24k).