DogMeat
09-29-2002, 02:37 AM

I'm going to try to keep this brief, both because I don't want to rehash old material and also since I simply came here to take a short break from coding DMz Dogtag and want to get back to it.

General notes on security: All security, be it game cheat protection or securing your biz's puters from in/external threats, is a Cold War scenario. If you put a certain amount of time, money and effort into it you can achieve a level of relative safety, with ever decreasing returns for increasing expenditures. However there will always be more threats, no matter how "high" your security level, since there are many smart folks out there looking for more bugs, exploits, etc; be they white hat or black hat.

Gaming security is very much in its infancy compared to the general state of computer security.

Difference checks, CRC, MD5, etc: Basically all do the same thing, they give us a way to verify files against a known good. MoHAA was very crippled by not having basic sv_pure functionality, which does, to quote John Carmack himself, "disallow native DLL loading if sv_pure, requires clients to only get data from pk3 files the server is using". Ideally it should work something like this: the client generates a checksum (CRC32, MD5, etc) for each and every exe, dll and pak file, which it blindly sends to the server. The server then forces the client to skip using any pak file that doesn't match, and if the exe or dlls have been changed then it won't even play on that server. There is a lot of room for details and such but that's the basic blocks.

Back to the Cold War, already in progress: There is always a way to up the stakes, for example we could write a program that sends the known good checksum for the default exe, dll and pak files no matter if they have been changed or not. So why bother with the checks at all? Mostly because it will stop at least SOME players from cheating, and because on the scale of things it's worth the time, money and effort. The cycle definitely results in better software for everyone eventually, but as I said games have a long way to go security wise.

This is why I'm spending time working on various MoHAA fixes that I know:
* can be circumvented
* already have a cheat freely available
* there are much worse cheats out that need to be fixed (but I can't fix em, ex: wallhack)
* stop at least some players from cheating that otherwise would be

Lately the guys from EA have posted over on the PlanetMoH forums asking for bugs and cheats in MoHAA so they can fix them before releasing Spearhead. I've sent them my entire list, including notes on sv_pure and security measures needed. They've already fixed the MG-42/Ladder, Grenade Switch Team bugs and a bunch more. [url=http://www.forumplanet.com/PlanetMedalOfHonor/user.asp?gid=19000986&mid=868436]HessTruck[/url] is the EA guy who is requesting all bugs and cheats, send them in a private message and let's see em get fixed folks. Don't be afraid to send in the common bugs that you hate, however do be clear, concise and legible; this guy is getting a lot of mail so make sure he reads yours. Here's the [url=http://www.forumplanet.com/PlanetMedalOfHonor/topic.asp?fid=5221&tid=791275]earlier thread[/url] on this from Chris Shelton of EA.

I could go on, but I want to get back to coding so I can get the beta out ASAP. As Raph Koster, head designer for Star Wars Galaxies and former head for Ultima Online, says in the Laws of Online World Design; "Never trust the client. Never put anything on the client. The client is in the hands of the enemy. Never ever ever forget this."
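The checksum policy described in the post, as an added example that is not part of the original post and is not code from MoHAA or any Quake 3 engine: the server compares a client's self-reported checksums against its own manifest, skips mismatched pak files and refuses clients whose exe or dll differs. File names, contents and function names are constructed for illustration, SHA-256 stands in for the CRC32/MD5 the post mentions, and treating an unknown binary as a rejection is an assumption.

```python
import hashlib

BINARY_EXT = (".exe", ".dll")

def checksum(data: bytes) -> str:
    # SHA-256 stands in for the CRC32/MD5 the post mentions.
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Known-good checksums, computed on the server from its own copies."""
    return {name: checksum(data) for name, data in files.items()}

def evaluate_report(manifest: dict, report: dict):
    """Apply the post's policy to a client's self-reported checksums.

    Returns (admit, allowed_paks, reasons).
    """
    admit, allowed, reasons = True, [], []
    for name in sorted(set(manifest) | set(report)):
        matches = name in manifest and report.get(name) == manifest[name]
        if name.endswith(BINARY_EXT):
            if not matches:          # changed, missing or unknown binary
                admit = False
                reasons.append(f"binary changed or unknown: {name}")
        elif matches:
            allowed.append(name)     # pak the server itself is using
        else:
            reasons.append(f"pak skipped: {name}")
    return admit, allowed, reasons

# Constructed sample data; names and contents are illustrative only.
SERVER_FILES = {
    "game.exe": b"stock exe", "cgame.dll": b"stock dll",
    "pak0.pk3": b"stock assets", "pak1.pk3": b"stock assets 2",
}
MANIFEST = build_manifest(SERVER_FILES)

def report_from_disk(files: dict) -> dict:
    """What an unmodified client would send: checksums of its real files."""
    return build_manifest(files)

if __name__ == "__main__":
    modified_pak = dict(SERVER_FILES, **{"pak1.pk3": b"edited", "zz_extra.pk3": b"x"})
    modified_dll = dict(SERVER_FILES, **{"cgame.dll": b"patched"})
    print(evaluate_report(MANIFEST, report_from_disk(SERVER_FILES)))
    print(evaluate_report(MANIFEST, report_from_disk(modified_pak)))
    print(evaluate_report(MANIFEST, report_from_disk(modified_dll)))
    # The post's caveat: the server only sees the report, so a report equal to
    # MANIFEST is admitted whatever is actually on the client's disk.
    print(evaluate_report(MANIFEST, dict(MANIFEST)))
```

The last call returns the same verdict as the honest client, which is the limit the post describes: the check filters casual modification, and anything stronger has to be enforced by logic the server runs itself.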