Technical discussion about cheating and hacked clients

Re: Technical discussion about cheating and hacked clients

Postby Mineminer » Thu Apr 11, 2019 11:03 pm

ShadMOrdre wrote:This discussion is good and all...it should keep going. However, I'd like to point out some glaring issues.

1. If you find a problem, report it. Give the developer time to respond. In an opensource game, this could mean up to a year. Patience. If the issue is so pressing, either work towards fixing the problem, or quit using the product/software. Crying about a problem does nothing. Threatening to broadcast a problem, for whatever reason, to force an issue is never the right way. As a developer, I will tell you this. Your threats will go ignored. Issues might get addressed, if I, as the developer, deem the issue important enough to address. Your expectation of anything other than the above stated behavior is unrealistic. You would act the same way if you were in those shoes.

2. If you build it, they will hack it. Does this really need expounding upon?

3. Expecting an opensource game engine to provide any better security than your local run of the mill windows OS, with market cap to correct EVERY issue, well, again, totally unrealistic.

4. Security issues are always a delicate matter, and should be treated with the dignity and respect they deserve. Broadcasting security issues, regardless of the motivation, is only intended to do harm. There is no other explanation or excuse.

5. Discretion is advised. Otherwise, why bother posting the issue and waiting for a response. Just broadcast the security hole and let the harm fly.

AND MOST IMPORTANTLY....

Get involved with the nuts and bolts of coding. You cannot honestly expect anyone else to fix whatever you find, if you are not willing to at least help yourself. Help those who are trying to help you.


Up to a point, just because it's free as in free beer doesn't mean they SHOULD take so long for a security flaw to be resolved/addressed. More than likely a "hold" of 90 or so days is reasonable depending on severity, complications and/or other reasonable means.

After that why give them the slack? One way or another you need to give some people a "push" to fix an outstanding issue if internal means fail for x amount of time (and not like a year in most cases).
Mineminer
Member
 
Posts: 75
Joined: Mon Mar 05, 2018 4:05 am

Re: Technical discussion about cheating and hacked clients

Postby sofar » Fri Apr 12, 2019 4:24 am

Mineminer wrote:After that why give them the slack? One way or another you need to give some people a "push" to fix an outstanding issue if internal means fail for x amount of time (and not like a year in most cases).


You seem to be forgetting this part of the software:

fsf wrote: 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


In other words, if you behave like a jerk, you are just making things more difficult for the people who throw their free time into making some piece of code better.

And if you really think you can make people work as a slave for you, I have news for you: it's been illegal for well over a hundred years.

So maybe you want to not treat them like your personal servants and work cooperatively with them on addressing the issues you've found, like I did when I found issues myself.
sofar
Developer
 
Posts: 2063
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar

Re: Technical discussion about cheating and hacked clients

Postby Mineminer » Fri Apr 12, 2019 4:39 am

sofar wrote:
Mineminer wrote:After that why give them the slack? One way or another you need to give some people a "push" to fix an outstanding issue if internal means fail for x amount of time (and not like a year in most cases).


You seem to be forgetting this part of the software:

fsf wrote: 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


In other words, if you behave like a jerk, you are just making things more difficult for the people who throw their free time into making some piece of code better.

And if you really think you can make people work as a slave for you, I have news for you: it's been illegal for well over a hundred years.

So maybe you want to not treat them like your personal servants and work cooperatively with them on addressing the issues you've found, like I did when I found issues myself.


Yea but up to a point, if people don't work internally after a reasonable length of time then isn't it fair to proceed with a responsible disclosure?

Or are you saying that if there are serious issues they may be left unchecked for goodness knows how long, which could lead to serious damages, just because the software is not bound by law to do so?

So in other words if someone gave someone a "compromised" meal with such disclaimers because the meal was free, they will be totally fine to resolve their issues at "their pace" even if that means it takes a year to understand why the person got sick from the meal? Yea no thanks, even if that meal was free I would still expect full accountability from whoever did such actions (cross contamination, used wrong items, used rotting produce and/or etc etc etc).

Same idea here: I expect to be able to "consume" the software without having to worry about serious issues happening down the road.
Mineminer
Member
 
Posts: 75
Joined: Mon Mar 05, 2018 4:05 am

Re: Technical discussion about cheating and hacked clients

Postby Festus1965 » Fri Apr 12, 2019 4:57 am

Mineminer wrote:... One way or another you need to give some people a "push" to fix an outstanding issue if internal means fail for x amount of time (and not like a year in most cases).

I agree,
a safe and low-resource game should anyway be an aim of the whole team,
and if the whole team is not willing, or not able even if willing, to do it,

the best legal way to push them is not using it anymore, meaning mts, the game or the mods. So easy.

And every server that is not maintained, not moderated, not kicking cheaters out is BAD advertising for the game anyway.

So if it keeps on like this, minetest has no better future at all.
(where has my 1st post about this gone?)
Festus1965
Member
 
Posts: 921
Joined: Sun Jan 03, 2016 11:58 am
In-game: Thomas Explorer

Re: Technical discussion about cheating and hacked clients

Postby sofar » Fri Apr 12, 2019 4:58 pm

Mineminer wrote:Yea but up to a point, if people don't work internally after a reasonable length of time then isn't it fair to proceed with a responsible disclosure?


Yes, but I don't think that most people understand what that means. It doesn't mean you publish zero day exploits without warning to users, for instance.

Mineminer wrote:Or are you saying that if there are serious issues they may be left unchecked for goodness knows how long, which could lead to serious damages, just because the software is not bound by law to do so?


That is why this is so difficult. There is not a single scenario that you can follow here because all vulnerabilities are different. If you're dealing with a potentially crippling bug for pacemakers, you will likely have to act differently than for a bug in a Tamagotchi.

Mineminer wrote:So in other words if someone gave someone a "compromised" meal with such disclaimers because the meal was free, they will be totally fine to resolve their issues at "their pace" even if that means it takes a year to understand why the person got sick from the meal? Yea no thanks, even if that meal was free I would still expect full accountability from whoever did such actions (cross contamination, used wrong items, used rotting produce and/or etc etc etc).

Same idea here: I expect to be able to "consume" the software without having to worry about serious issues happening down the road.


I actually *like* that you expect full accountability, and more and more software makers are being held accountable if they are professionals and work for companies. However, that isn't the case for amateurs - you are still properly shielded from liability laws if you use good liability waivers and statements of no warranty. This isn't necessarily good, but it allows Free Software to be what it is today, and grow to the next level that it needs to be at.

Please note that even programs like Microsoft Windows essentially have no warranty (it's a paper-thin warranty, essentially) and they guarantee you pretty much nothing.

The *good* thing about all this is that Free Software can be audited, and proprietary software can not. So you can, and everyone can, do a full analysis of the security issues, and you can create and issue fixes for them. And this brings me back to the collaborative part of doing OSS security disclosures - you don't make friends if you threaten with a unilateral disclosure schedule and refuse to cooperate, and honestly if you have that attitude, you shouldn't be reviewing OSS software for security issues - go ahead and do that to proprietary software instead.
sofar
Developer
 
Posts: 2063
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar

Re: Technical discussion about cheating and hacked clients

Postby sofar » Fri Apr 12, 2019 5:02 pm

Festus1965 wrote:the best legal way to push them is not using it anymore, meaning mts, the game or the mods. So easy.

And every server that is not maintained, not moderated, not kicking cheaters out is BAD advertising for the game anyway.

So if it keeps on like this, minetest has no better future at all.
(where has my 1st post about this gone?)


wait whaaaa?

sarcasm aside, the best way is to learn the code, and help contribute with programming. Discussions like this are useful, but they don't solve security issues :)
sofar
Developer
 
Posts: 2063
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar

Re: Technical discussion about cheating and hacked clients

Postby sofar » Fri Apr 12, 2019 5:16 pm

micheal65536 wrote:How many of those 150 mods were vulnerable?


Just a handful, I think it was 3 or 4

micheal65536 wrote:How many of the developers that you reported the vulnerabilities to understood the issue or cared enough to fix it?


all of them

micheal65536 wrote:How do you expect future mod developers to find and fix vulnerabilities in their mods, unless you were to repeat such a scan?


education and documentation, and providing better tools to prevent it

micheal65536 wrote:Would they not make the same mistakes that your original set of vulnerable mod developers made?


sigh, the negativity just drops off your posts. Do you write mods?

micheal65536 wrote:Why do you expect the individual mod developers to fix their mods when you could fix the core and squash between 75% and 90% of current Minetest vulnerabilities once and for all and leave mod developers in peace?


Because that would make stuff not work anymore that currently does. Things like fsc are *not* a solution for many use cases; these can't be protected that way and need special handling.
sofar
Developer
 
Posts: 2063
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar

Re: Technical discussion about cheating and hacked clients

Postby Festus1965 » Sat Apr 13, 2019 12:36 am

sofar wrote:wait whaaaa?
sarcasm aside, the best way is to learn the code, and help contribute with programming. Discussions like this are useful, but they don't solve security issues :)

Tell that to those whose first reaction to reports, like my Indian hacker changing the admin password, is
* not believing
* telling me to use the newest updates
* joking about my code tests, like solving missing global vars, and
* laughing about my long but clear, factual posts.
Then you might understand why I am not keen on this anymore.

Programmers should be happy that even a non-programmer is reporting, and further if the report contains some important data that most of the time has to be requested, like versions; that is our users' help.

To ask people to learn and do it themselves is a bit far; then I also could have stuck to MS instead of Linux.

Yes, I know the last issue I have in mind is the sorting by a strange player of my owned mithril chest, so some day I might go in there, which means trying to solve a security issue?

Maybe I do, but yesterday I enjoyed so much just playing - building 3000 nodes of 5-node-wide street connecting cities - I have missed this silent fun for months. But this was possible because the server is closed for new gamers, all that don't get basic rules of behavior are banned - and I am NOT looking every day for new updates of [Mod]s.

But continue discussing,
I continue working when I am in good shape for it ... pipeworks was worth it, now I am at mobs_monster and reducing lag.
Then I will see what to go on with next ... maybe digtron, as it is crashing the server, or ... no, better not plan this. Some update will crash all my plans and I will have to investigate something unexpected anyway. As most ... have been.
Festus1965
Member
 
Posts: 921
Joined: Sun Jan 03, 2016 11:58 am
In-game: Thomas Explorer

Re: Technical discussion about cheating and hacked clients

Postby bhree » Sat Apr 13, 2019 12:47 am

Isn't there any small code that can be inserted so there must be a matched signature of a clean build between server and client? Assuming every server uses a clean build, then the signature of an altered client wouldn't match and it couldn't make a connection. The modified client would still be usable for singleplayer only, or to connect to an equally modified server, which would be the least likely to be used by regular servers.
bhree
Member
 
Posts: 150
Joined: Tue Jun 19, 2018 7:45 am
GitHub: bhree
In-game: bhree

Re: Technical discussion about cheating and hacked clients

Postby Festus1965 » Sat Apr 13, 2019 1:03 am

So far I understand:
* clients can send whatever the server might want to hear - so that does not work

* but if not discussing, we need to start checking the code of the built [Mod]s that try to detect cheating behaviour, like
* fairplay
* anticheat

Meaning a clear definition of what a cheat is needs to be done first, before we would be able to detect it and then stop it.

A cheat in my eyes is when
* the server doesn't give fly as initial privs, but the player has it aside from them in auth = cheat
* fast ... same
* noclip ...
* creative ...
surely you know more, I have only been playing for about 3 years...
Festus1965
Member
 
Posts: 921
Joined: Sun Jan 03, 2016 11:58 am
In-game: Thomas Explorer

Re: Technical discussion about cheating and hacked clients

Postby ShadMOrdre » Sat Apr 13, 2019 3:32 am

So, this is a discussion, right? I see many misunderstandings about how things simply work in the real world.

This isn't just an IT, Programmer/User, developer versus the world kinda thing. We all need to realize that our own expectations must simply be realistic. Expecting anything of anyone is not realistic. Asking for assistance, offering assistance, generally helping out to make things better. Those are the things that are realistic.

Responsible reporting means reporting, being patient with a response, and seeking guidance as to the next step if there is no response. "Hey, I found a huge, gaping hole!", and then blasting that info is not responsible. It is either born of ignorance or agenda. The big tech corps used to do this to each other, then realized it isn't in anyone's best interest, and stopped. Protocols were established.

New protocol recommendation.
If you find a gaping security hole, report it to the appropriate developer, whether this be a mod or an engine issue. If the issue is severe enough, consider reporting mods to the mod author as well as the engine dev team. Engine dev team, consider a protocol for this, in case the mod exploits an engine fault, or is otherwise dangerous. This has already been approached due to the CSM issue.

If you have found an issue, please be patient. This being a community developed project, not a corporate sponsored project, you must lower your expectations of a timely response. As pointed out, certain licenses do not contain any expectation of warranty, and so your (continued) use of any "faulty" software product is not only at your own risk, but you are still bound by the terms of the license, regarding disclosure. Blasting any exploit can be considered a violation of the license, if it is interpreted in such a way in a court of law. For your own protection, tread lightly. As a developer, this is my official legal position, and this is what I will argue in court.

Please act as responsibly as you expect others to also do.
ShadMOrdre
Member
 
Posts: 281
Joined: Mon Dec 29, 2014 8:07 am
GitHub: ShadMOrdre
In-game: shadmordre

Re: Technical discussion about cheating and hacked clients

Postby sofar » Sat Apr 13, 2019 4:36 am

bhree wrote:Isn't there any small code that can be inserted so there must be a matched signature of a clean build between server and client?


This is DRM. DRM and Open Source are incompatible. Either you are DRM, or you are Open Source. You can not be both.
sofar
Developer
 
Posts: 2063
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar

Re: Technical discussion about cheating and hacked clients

Postby shamwow420 » Sat Apr 13, 2019 4:41 am

bhree wrote:Isn't there any small code that can be inserted so there must be a matched signature of a clean build between server and client? Assuming every server uses a clean build, then the signature of an altered client wouldn't match and it couldn't make a connection. The modified client would still be usable for singleplayer only, or to connect to an equally modified server, which would be the least likely to be used by regular servers.



Yes but the developers are against it. There's a thread about checksum or hash value somewhere. I think it's the best method to prevent cheating and server owners should be given this choice. The reason I hear the developers and others speak against it is "they want to customise their textures, sounds etc." Well buzz off and play on a server that doesn't run the check then. There's no reason not to have official builds for as many OSes and distros as possible and a checksum for servers and clients to be sure they're connecting clean and not wasting their time fucking around with a bunch of trolls and evil nerd hackers.
shamwow420
Member
 
Posts: 11
Joined: Thu Mar 28, 2019 6:21 pm

Re: Technical discussion about cheating and hacked clients

Postby shamwow420 » Sat Apr 13, 2019 4:43 am

sofar wrote:
bhree wrote:Isn't there any small code that can be inserted so there must be a matched signature of a clean build between server and client?


This is DRM. DRM and Open Source are incompatible. Either you are DRM, or you are Open Source. You can not be both.


If it's already compiled like F-Droid, Win 64 etc., why would this not be a great idea? I mean sure there are various Linux distros, lots of work there, but at least do the top 5 or so most popular ones.
shamwow420
Member
 
Posts: 11
Joined: Thu Mar 28, 2019 6:21 pm

Re: Technical discussion about cheating and hacked clients

Postby sofar » Sat Apr 13, 2019 4:54 am

shamwow420 wrote:If it's already compiled like F-Droid, Win 64 etc., why would this not be a great idea? I mean sure there are various Linux distros, lots of work there, but at least do the top 5 or so most popular ones.


Because people who cheat don't download through F-droid or Win64. They compile their own clients, or worse, pay someone for a hacked client.

This is the same problem as with e.g. DVD region coding: it doesn't make things more difficult for people who have bad intent, but it makes a huge nuisance for legitimate DVD owners who move from one region to another and find their entire DVD library doesn't play anymore.

We don't want to go down this path, it will just make things more problematic for normal users, and not for those who cheat. Plus it doesn't solve the cheating at all.
sofar
Developer
 
Posts: 2063
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar

Re: Technical discussion about cheating and hacked clients

Postby shamwow420 » Sat Apr 13, 2019 4:58 am

sofar wrote:
shamwow420 wrote:If it's already compiled like F-Droid, Win 64 etc., why would this not be a great idea? I mean sure there are various Linux distros, lots of work there, but at least do the top 5 or so most popular ones.


Because people who cheat don't download through F-droid or Win64. They compile their own clients, or worse, pay someone for a hacked client.

This is the same problem as with e.g. DVD region coding: it doesn't make things more difficult for people who have bad intent, but it makes a huge nuisance for legitimate DVD owners who move from one region to another and find their entire DVD library doesn't play anymore.

We don't want to go down this path, it will just make things more problematic for normal users, and not for those who cheat. Plus it doesn't solve the cheating at all.


What I meant is anyone who compiled their own, even with good intentions, would not pass the checksum. Allowing user-compiled clients or servers could be up to the server or client owner.
shamwow420
Member
 
Posts: 11
Joined: Thu Mar 28, 2019 6:21 pm

Re: Technical discussion about cheating and hacked clients

Postby bhree » Sat Apr 13, 2019 5:34 am

Maybe it won't be easy and I'm not a real dev as I didn't formally study computer science, but we can refer to something like the Linux kernel ecosystem: it is open source and can be made very secure. Any build by anyone based on official Linux source will be guaranteed to have an equal level of security. It doesn't have to be the core devs' responsibility; at least a PR can be an eye opener. It doesn't have to be limited to only prebuilt versions, but anyone who wants to enjoy playing clean can do it.
bhree
Member
 
Posts: 150
Joined: Tue Jun 19, 2018 7:45 am
GitHub: bhree
In-game: bhree

Re: Technical discussion about cheating and hacked clients

Postby rubenwardy » Sat Apr 13, 2019 12:23 pm

shamwow420 wrote:What I meant is anyone who compiled their own, even with good intentions, would not pass the checksum


Except that they will pass the checksum, because they will modify the client to lie about it to the server
rubenwardy
Moderator
 
Posts: 5725
Joined: Tue Jun 12, 2012 6:11 pm
GitHub: rubenwardy
In-game: rubenwardy
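Festus1965's remark above that clients can send whatever the server wants to hear, and rubenwardy's point that a modified client will simply lie about its checksum, can be shown in a small simulation. This is an added example, not code from the thread or from Minetest: the "official build" bytes, the speed and jump limits, the privilege names as used here and every function name are constructed for illustration. The first half shows that a self-reported digest accepts the honest and the modified client alike; the second half shows the alternative the thread keeps circling back to, judging the reported action against privileges the server itself holds.

```python
import hashlib
import math

# --- Part 1: a client-reported checksum cannot separate honest from modified clients ---

# Constructed stand-in for the bytes of an "official" client build. Sample data
# for the simulation only, not Minetest's real code or wire protocol.
OFFICIAL_BUILD = b"minetest-client official build (constructed sample bytes)"
EXPECTED_DIGEST = hashlib.sha256(OFFICIAL_BUILD).hexdigest()


def honest_client_hello() -> str:
    """An unmodified client hashes its own build and reports the result."""
    return hashlib.sha256(OFFICIAL_BUILD).hexdigest()


def modified_client_hello() -> str:
    """A modified client has different bytes, but it also controls every message
    it sends, so it simply reports the digest the server expects."""
    modified_build = OFFICIAL_BUILD + b" + movement patch"
    real_digest = hashlib.sha256(modified_build).hexdigest()
    assert real_digest != EXPECTED_DIGEST  # the binary really is different...
    return EXPECTED_DIGEST                 # ...but the report says otherwise


def server_accepts_by_self_report(reported_digest: str) -> bool:
    """A server-side 'checksum' check only ever sees what the client claims."""
    return reported_digest == EXPECTED_DIGEST


def self_report_is_distinguishing() -> bool:
    """True only if the self-reported check treats the two clients differently."""
    return (server_accepts_by_self_report(honest_client_hello())
            != server_accepts_by_self_report(modified_client_hello()))


# --- Part 2: server-authoritative validation judges the action, not the client's story ---

# Constructed, simplified limits for the simulation (not the engine's real values).
WALK_SPEED = 4.0     # max horizontal nodes/second without the 'fast' privilege
FAST_SPEED = 20.0    # max horizontal nodes/second with 'fast'
MAX_JUMP_RISE = 1.5  # max rise in nodes per move without 'fly' (ignores ladders etc.)


def server_validate_move(granted_privs, old_pos, new_pos, dt):
    """Decide a reported position update using only server-held state.

    granted_privs is the privilege set from the server's own auth database;
    whatever privileges the client *claims* to have are ignored on purpose.
    Returns (accepted, reason).
    """
    if dt <= 0:
        return False, "non-positive time delta"
    dx, dy, dz = (b - a for a, b in zip(old_pos, new_pos))
    horizontal_speed = math.hypot(dx, dz) / dt
    limit = FAST_SPEED if "fast" in granted_privs else WALK_SPEED
    if horizontal_speed > limit:
        return False, f"horizontal speed {horizontal_speed:.1f} exceeds {limit:.1f}"
    if dy > MAX_JUMP_RISE and "fly" not in granted_privs:
        return False, f"rise of {dy:.1f} nodes without fly privilege"
    return True, "ok"


def replay_session(granted_privs, moves):
    """Run (old_pos, new_pos, dt) updates through the validator and return the
    reasons for every rejected move (an empty list means all were accepted)."""
    rejections = []
    for old_pos, new_pos, dt in moves:
        accepted, reason = server_validate_move(granted_privs, old_pos, new_pos, dt)
        if not accepted:
            rejections.append(reason)
    return rejections


# Constructed sample session: one ordinary step, one 'fast'-speed step and one
# 'fly'-style rise, reported by a client regardless of what it was granted.
SAMPLE_MOVES = [
    ((0.0, 10.0, 0.0), (2.0, 10.0, 0.0), 1.0),    # 2 nodes/s: plain walking
    ((2.0, 10.0, 0.0), (12.0, 10.0, 0.0), 1.0),   # 10 nodes/s: needs 'fast'
    ((12.0, 10.0, 0.0), (12.0, 15.0, 0.0), 1.0),  # rises 5 nodes: needs 'fly'
]

if __name__ == "__main__":
    print("self-reported checksum distinguishes clients:", self_report_is_distinguishing())
    print("rejections, no privs granted:", replay_session(set(), SAMPLE_MOVES))
    print("rejections, fast+fly granted:", replay_session({"fast", "fly"}, SAMPLE_MOVES))
```

The first check is not weak because of the hash function; it is weak because the untrusted party produces both the input and the claim about it. The second check keeps the decision on the server side of the trust boundary, which is also why a real anti-cheat mod has to reason about tolerances (lag, ladders, knockback) rather than about client identity.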

Re: Technical discussion about cheating and hacked clients

Postby Festus1965 » Tue Apr 16, 2019 12:21 am

TalkLounge wrote:Please ban him. Thanks.


Thanks for this clear, short evidence - it makes others understand why my daughter got off.
Festus1965
Member
 
Posts: 921
Joined: Sun Jan 03, 2016 11:58 am
In-game: Thomas Explorer

Re: Technical discussion about cheating and hacked clients

Postby shamwow420 » Tue Apr 16, 2019 5:14 am

rubenwardy wrote:
shamwow420 wrote:What I meant is anyone who compiled their own, even with good intentions, would not pass the checksum


Except that they will pass the checksum, because they will modify the client to lie about it to the server


You're the experts so I'm disappointed to hear that it's not possible to stop cheaters via changes to the software. I've tried other games like Xonotic, which has decent security (encryption option and a display if a server is running official), and players tell me assholes DDoS what were once popular servers. I wish these people would die so I can enjoy something. I look at the minetest server list and see some interesting survival servers but why bother? Some evil nerd will ruin the contest.
shamwow420
Member
 
Posts: 11
Joined: Thu Mar 28, 2019 6:21 pm

Re: Technical discussion about cheating and hacked clients

Postby Astrobe » Tue Apr 16, 2019 11:46 am

Festus1965 wrote:
TalkLounge wrote:Please ban him. Thanks.


Thanks for this clear, short evidence - it makes others understand why my daughter got off.


What I see is that if the server let moderators time out bad players (= temporary ban), this video would probably never have happened.

As I said, administration and moderation is part of the game. Just because MT lets you build a game server by piling mods on top of mods, doesn't mean the resulting game will be good - both on the gameplay side and on the administration side.
Astrobe
Member
 
Posts: 223
Joined: Sun Apr 01, 2018 10:46 am

Re: Technical discussion about cheating and hacked clients

Postby Festus1965 » Tue Apr 16, 2019 1:09 pm

??? What !
... Every more word is useless ...
Festus1965
Member
 
Posts: 921
Joined: Sun Jan 03, 2016 11:58 am
In-game: Thomas Explorer
