843jdc wrote:Welcome to the anarchy world of Minetest.
843jdc wrote: I agree the server should track player actions much more closely than it does. Servers send out a massive amount of data even for only a few players. But receive a "blip" of data from clients. So tracking players closely will introduce a lot of "player position resets" once the server command finally gets a slot in the transmit queue. Players (ME!) get ticked off fast when that happens often.
843jdc wrote:A fix for viewing into someone else's locked chests should be relatively easy: if the client isn't used by the chest's owner don't send metadata of the contents.
+------------+ ,-----------. +--------------+
| Data | ------*----> | Filter 1 | ----> | Data sent |
| on server | | `-----------' | to client 1 |
+------------+ | +--------------+
|
| ,-----------. +--------------+
*----> | Filter 2 | ----> | Data sent |
| `-----------' | to client 2 |
| +--------------+
|
...
843jdc wrote: If a node is dug, server then sends out correct node type of revealed nodes. Server and network lag big factor here.
843jdc wrote: Maybe generate ores as the player digs. Though other players might not see those ores. Player-specific???
micheal65536 wrote: if we want to make Minetest secure there's no other way to do it than by discussing the vulnerabilities in the first place.
micheal65536 wrote:Because seriously, Minetest needs an open discussion about the technical aspects of hacking/cheating and how to work around them. Continually brushing it under the carpet isn't going to help the situation regarding how easy Minetest is to hack/cheat.
Linuxdirk wrote:Not directly addressing issues is endorsing malicious behavior.
Ferret2 wrote:Examples are: A player with a hacked client can give himself lots of privileges including flying and moving trough walls
Ferret2 wrote:and also a player with a hacked client apparently can make himself unkillable (hitpoints do not seem to go down when attacked).
Ferret2 wrote:In addition, just now I also saw on https://www.youtube.com/watch?v=wCK3I4HbRKw that simply by changing the texture for default stone on the client side into a transparent image, you can enable yourself to look through stone (so that you can see distant caves and the mobs and ores in them). These easily achieved hacks in a player's client installation give the cheater superpowers which make it totally impossible for normal players (who have not hacked their clients) to compete against him.
Ferret2 wrote:Indeed. The general idea should be, I think, that the server should send to a client only that part of the data that the client is allowed to see. This means that the server should not send to the client exactly the data as it is represented (stored) on the server, but instead it should only send "censored" data, i.e. data from which everything is removed that that particular client is not allowed to see.
micheal65536 wrote:In b4 this thread gets deleted under the "no discussion of cheating" rule.
Hacking/Cheating: It is not permissible to promote, link, or otherwise direct
Forum users to any kind of "hacking" or "cheating" tools, regardless of their
claimed purpose. This includes but is not limited to scripts, bots, modified
Minetest clients, CSM mods, third-party programs, etc.
Doing so is grounds for an immediate, permanent ban, and may
result deletion of all of the user's posts.
Ferret2 wrote:Another thought: Having discovered the hacked-client problem, I can now not help wondering how many of the regular long-time players on a server are using cheating in a subtle way that doesn't advertize clearly to the other players or the administrator, for example for finding caves and ores more quickly (and dirt pockets in JT2). Even with subtle cheating, you would become significantly more efficient in the game. I am beginning to wonder whether the real fun in online minetest is not about playing minetest, but rather about constantly balancing your cheating so that you are never caught out. I'm even wondering whether most of the long-time players find their fun in this subtle cheating, and whether this could explain why the cheating issue is not more openly addressed in the minetest community.
rubenwardy wrote:I guarantee that most players do not cheat. You've basically just invented a new conspiracy theory, congrats
Linuxdirk wrote:Point out the cheats/glitches/hacks in maximum detail providing examples if devs do not show interest in fixing the bugs making the cheats/glitches/hacks possible.
[...]
Only directly addressing issues causes attention
Ferret2 wrote:Each player simply gets sent map blocks in which the nodes that he is not allowed to see are censored out.
paramat wrote:Nonsense.
paramat wrote:Quite rightly, exploits are kept non-public and are privately explained to core devs, and this is what should happen.
rubenwardy wrote:Note that we fix most big security issues very quickly - 5.0.1
Linuxdirk wrote:This is good, yes. Too bad there is roughly one to two releases a year so the fixed versions aren't rolled out to the end users (no, not everyone is using the Git versions) after the issues are fixed.
rubenwardy wrote:We will be releasing 5.0.1 in the next few days. I'd like to do a lot more bug fixing point releases
Festus1965 wrote:As some of them do it, is fact. And just one bad guy can make big damage ... what was the one guy in New Zealand causing so much pain.
sorcerykid wrote:A similar concept was suggested by iisu a couple years ago. In simplest terms, it would not be a scalable client-server architecture. The engine would need to recalculate a raycast for every connected player at each server tick to determine what is viewable, while also storing mapblock state information for each client in memory and then sending mapblock state changes to every client. Minetest takes advantage of client-side prediction to lighten the load on the server and to reduce the network traffic. Realistically, what you propose would do the exact opposite in both respects.
Sorry, I don't mean to dismiss your idea wholesale, but it's too inefficient for little gain. This isn't about lackadaisical design. It's about spreading the processing load (aka distributed computing). Minetest clients needn't act as dumb terminals, when they are perfectly capable of full scene rendering and player movement :)
A more feasible way to handle cheating of this nature is to record player activity, and then flag unusually high deviations in digging times. I developed a script that analyzes the debug logs using a fairly sophisticated algorithm. It can detect with pretty high certainty what players are mining with fast, noclip, or long-range. The script first compiles the mining operations (serial digs within a given timeframe) of all players, and then applies a score based on average distance and frequency of digs involving specific valuable ores.
sorcerykid wrote:The only point I would add is that foolproof cheat prevention measures are always going to be a losing battle. This is the law of diminishing returns. If only a tiny fraction of players are cheating on a server, how is an excessively over-engineered anticheat implementation truly justified if all other players, as a consequence, must suffer with significantly degraded server and network performance?
Just some thoughts worth considering :)
rubenwardy wrote:micheal65536 wrote:In b4 this thread gets deleted under the "no discussion of cheating" rule.
The exact text of the rule is this:
- Code: Select all
Hacking/Cheating: It is not permissible to promote, link, or otherwise direct
Forum users to any kind of "hacking" or "cheating" tools, regardless of their
claimed purpose. This includes but is not limited to scripts, bots, modified
Minetest clients, CSM mods, third-party programs, etc.
Doing so is grounds for an immediate, permanent ban, and may
result deletion of all of the user's posts.
Talking about vulnerabilities and how to fix them is fine. Talking briefly about how to exploit them is fine (ie: you just need to comment out a privilege check to get a client with noclip/fly). Including working snippets or hacked client downloads is not.
This thread is perfectly fine so far. We have never deleted any discussions about vulnerabilities. The only thing this rule has been used to get rid of is: 1) prebuild hacked clients 2) bad CSM mods
Users browsing this forum: Wayback Machine [Bot] and 0 guests