In the instance where a player can leave a modded server he or she likes, it's not really that big of a deal. Now when you have people coming on to legitimate community servers and causing problems with modded files and plugins it's a different story, as in the first scenario, the person running the server has malicious intent, whereas in the second scenario, the malicious user is joining a server where plugins may give them an unfair advantage against other players.
While I agree that server operators can load plugins that do nasty things, the player has the option to leave, whereas if a malicious client plugin user joins a server, the server operator has to ban that person, if they even know they're using a plugin in the first place. I agree with the notion that clients should not be able to load plugins. Why? Because if you really want a lan server for 20 minutes you can run the server tool off your computer, a VM, or something of that nature. The people who are using plugins for legitimate reasons (such as testing) KNOW how to setup a server. To Saul, A server owner can run malicious programs to spam users with text, sounds, slap the player, and just make the game unplayable to the person. It could be subtle as well, such as making clients do differing amounts of damage (way lower, way higher than usual, etc.) But the client has the option to leave said server without much toil. On Fri, Apr 2, 2010 at 5:03 PM, Scott Highland <[email protected]> wrote: > How would disabling it be best? Again, no one on the list seems to get > it. I don't doubt that it's possible to load addons on the client, I'm > very sure it is. You guys seem to want to make the assumption that > anything that could be loaded into the client that can be malicious, IS > in fact malicious. Server administrators can install malicious plugins > that can do things 100x worse than any plugin on the client could do. Am > I going to make the argument that the whole system that allows servers > to load custom plugins should be removed, obviously not. > Why is it servers should be immune to this kind of 'security' (it's a > very false sense of security, what you guys are suggesting) and the game > client should not? > > 1nsane wrote: > > Right, having it disabled entirely would be the best. > > > > As I said before, there's the Steam SRCDS that practically installs > itself > > with Source engine games/mods if you need plugins and don't want > standalone > > SRCDS. > > > > On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison <[email protected] > >wrote: > > > > > >> They're loaded at launch, like any other DLL. It's basically treated > like > >> another game DLL (in terms of callbacks). If plugins are loaded when a > >> listen server is created, what about after that? Even if the plugin is > >> unloaded, the plugin could have injected anything into the engine > without > >> VAC noticing. > >> > >> Like I keep saying: the only way to prevent this is to have plugins for > >> dedicated servers only. > >> > >> Thanks, > >> - Saul. > >> > >> > >> On 2 April 2010 16:40, 1nsane <[email protected]> wrote: > >> > >> > >>> So tell me, if I make my own hacking plugin and have it privately > shared > >>> with trusted people, how will any server admin be able to detect it? > >>> > >>> The server plugins that stop client plugins are only checking PUBLICALY > >>> known cvars such as "sm_version",if those cvars are renamed or don't > >>> > >> exit, > >> > >>> you get to load any plugin you want and be a major HAXXOR besting this > >>> detection. > >>> > >>> Also the Source engine was just fine for years before people figured > out > >>> how > >>> to make/use "client" plugins. Disabling client side plugin loading > would > >>> probably be the easiest way of fixing this. > >>> Why should the game client load a VSP (Valve SERVER Plugin) unless it's > a > >>> listen server? > >>> > >>> > >>> On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland <[email protected]> > >>> wrote: > >>> > >>> > >>>> No offense, but this whole list sucks at problem solving, every single > >>>> idea to deal with this issue suggested in this thread is just > terrible, > >>>> absolutely terrible. > >>>> > >>>> You can't disable clientside plugins just because a few admins are too > >>>> lazy to want to install a plugin to block people using clientside > >>>> plugins. People have the right to install clientside addons just as > >>>> server administrators have the right to install whatever addons they > >>>> want on their server. It's easy for you morons to want to impose this > >>>> > >> on > >> > >>>> everyone without seeing any consequences, Valve actually has to deal > >>>> with the complaints from their customers who use legitimate uses for > >>>> their plugins. Why don't you let professionals with their own > companies > >>>> reputation on the line deal with this intense decision making process. > >>>> Suggesting valve should add a cvar to disable people with plugins is > >>>> dumb, there's already plugins out there that does exactly this, go > >>>> install it and quit complaining. Don't make Valve spent their time > >>>> babying the few admins too stupid to know how to set up a serious > >>>> dedicated server. > >>>> > >>>> This issue is basically the equivalent to the material hacks that are > >>>> possible to use anywhere on servers that have sv_pure set to 0 still. > >>>> It's not a big deal in the scope of things, and theres already ways of > >>>> dealing with it. Now quit acting like this is Valve's fault and go > back > >>>> to blaming hackers and cheaters for your in-game shortcomings. > >>>> > >>>> Arg! wrote: > >>>> > >>>>> I doubt making a cvar would work as the plugins could simply override > >>>>> it as they do now. > >>>>> > >>>>> On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison < > >>>>> > >> [email protected] > >> > >>>> wrote: > >>>> > >>>>>> If you aren't modifying game memory (i.e. hooking functions), then > >>>>>> > >> VAC > >> > >>>> won't > >>>> > >>>>>> mind. > >>>>>> > >>>>>> Thanks, > >>>>>> - Saul. > >>>>>> > >>>>>> > >>>>>> On 31 March 2010 16:00, Keeper <[email protected]> wrote: > >>>>>> > >>>>>> > >>>>>> > >>>>>>> I don't know how VAC works, but if it's loaded via a client side > >>>>>>> > >>>> plugin, I > >>>> > >>>>>>> doubt VAC sees it as an "external" program altering the game's > >>>>>>> > >> memory > >> > >>>>>>> space. > >>>>>>> But not knowing how VAC works, there's no telling what they look > >>>>>>> > >> for > >> > >>> or > >>> > >>>> how > >>>> > >>>>>>> they are detecting it. > >>>>>>> > >>>>>>> Keeper > >>>>>>> -----Original Message----- > >>>>>>> From: Michael Krasnow [mailto:[email protected]] > >>>>>>> Sent: Tuesday, March 30, 2010 9:31 PM > >>>>>>> To: Half-Life dedicated Win32 server mailing list > >>>>>>> Subject: Re: [hlds] Plugin Loading on clients, enough is enough. > >>>>>>> > >>>>>>> doesn't VAC check the memory? but +1 to the option for server > >>>>>>> > >> admins, > >> > >>>> but > >>>> > >>>>>>> somehow someone would find a way to change that or spoof it, idk, > >>>>>>> > >> its > >> > >>>>>>> weirds > >>>>>>> > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> To unsubscribe, edit your list preferences, or view the list > >>>>>>> > >>> archives, > >>> > >>>>>>> please visit: > >>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> _______________________________________________ > >>>>>> To unsubscribe, edit your list preferences, or view the list > >>>>>> > >> archives, > >> > >>>> please visit: > >>>> > >>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds > >>>>>> > >>>>>> > >>>>>> > >>>>> _______________________________________________ > >>>>> To unsubscribe, edit your list preferences, or view the list > >>>>> > >> archives, > >> > >>>> please visit: > >>>> > >>>>> http://list.valvesoftware.com/mailman/listinfo/hlds > >>>>> > >>>>> > >>>>> > >>>>> __________ Information from ESET NOD32 Antivirus, version of virus > >>>>> > >>>> signature database 4989 (20100331) __________ > >>>> > >>>>> The message was checked by ESET NOD32 Antivirus. > >>>>> > >>>>> http://www.eset.com > >>>>> > >>>>> > >>>>> > >>>>> > >>>> __________ Information from ESET NOD32 Antivirus, version of virus > >>>> signature database 4993 (20100401) __________ > >>>> > >>>> The message was checked by ESET NOD32 Antivirus. > >>>> > >>>> http://www.eset.com > >>>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> To unsubscribe, edit your list preferences, or view the list archives, > >>>> please visit: > >>>> http://list.valvesoftware.com/mailman/listinfo/hlds > >>>> > >>>> > >>> _______________________________________________ > >>> To unsubscribe, edit your list preferences, or view the list archives, > >>> please visit: > >>> http://list.valvesoftware.com/mailman/listinfo/hlds > >>> > >>> > >> _______________________________________________ > >> To unsubscribe, edit your list preferences, or view the list archives, > >> please visit: > >> http://list.valvesoftware.com/mailman/listinfo/hlds > >> > >> > > _______________________________________________ > > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > > http://list.valvesoftware.com/mailman/listinfo/hlds > > > > > > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 4995 (20100402) __________ > > > > The message was checked by ESET NOD32 Antivirus. > > > > http://www.eset.com > > > > > > > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 4995 (20100402) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > http://list.valvesoftware.com/mailman/listinfo/hlds > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
