The most a plugin can do is change your name and a few other cvars. It's not like srcds is an open window to your hard drive or anything...

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Cc2iscooL
Sent: Friday, April 02, 2010 7:09 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] Plugin Loading on clients, enough is enough.

I've never run malicious plugins so I really don't know what's out there. Here's a good website where you might find some more examples for your reference.

http://www.google.com

On Fri, Apr 2, 2010 at 6:01 PM, Steven Crothers <[email protected]> wrote:

> I honestly thought you were going to give a "good" reason.
>
> I guess slapping is pretty bad in the servers you visit eh?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Cc2iscooL
> Sent: Friday, April 02, 2010 6:24 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] Plugin Loading on clients, enough is enough.
>
> In the instance where a player can leave a modded server he or she likes, it's not really that big of a deal. Now when you have people coming on to legitimate community servers and causing problems with modded files and plugins it's a different story, as in the first scenario, the person running the server has malicious intent, whereas in the second scenario, the malicious user is joining a server where plugins may give them an unfair advantage against other players.
>
> While I agree that server operators can load plugins that do nasty things, the player has the option to leave, whereas if a malicious client plugin user joins a server, the server operator has to ban that person, if they even know they're using a plugin in the first place. I agree with the notion that clients should not be able to load plugins. Why? Because if you really want a LAN server for 20 minutes you can run the server tool off your computer, a VM, or something of that nature. The people who are using plugins for legitimate reasons (such as testing) KNOW how to set up a server.
>
> To Saul,
>
> A server owner can run malicious programs to spam users with text, sounds, slap the player, and just make the game unplayable to the person. It could be subtle as well, such as making clients do differing amounts of damage (way lower, way higher than usual, etc.)
>
> But the client has the option to leave said server without much toil.
>
> On Fri, Apr 2, 2010 at 5:03 PM, Scott Highland <[email protected]> wrote:
>
> > How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not.
> > Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not?
> >
> > 1nsane wrote:
> > > Right, having it disabled entirely would be the best.
> > >
> > > As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS.
> > >
> > > On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison <[email protected]> wrote:
> > >
> > >> They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing.
> > >>
> > >> Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only.
> > >>
> > >> Thanks,
> > >> - Saul.
> > >>
> > >> On 2 April 2010 16:40, 1nsane <[email protected]> wrote:
> > >>
> > >>> So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it?
> > >>>
> > >>> The server plugins that stop client plugins are only checking PUBLICLY known cvars such as "sm_version", if those cvars are renamed or don't exist, you get to load any plugin you want and be a major HAXXOR besting this detection.
> > >>>
> > >>> Also the Source engine was just fine for years before people figured out how to make/use "client" plugins. Disabling client side plugin loading would probably be the easiest way of fixing this.
> > >>> Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server?
> > >>>
> > >>> On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland <[email protected]> wrote:
> > >>>
> > >>>> No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible.
> > >>>>
> > >>>> You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own company's reputation on the line deal with this intense decision making process. Suggesting Valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spend their time babying the few admins too stupid to know how to set up a serious dedicated server.
> > >>>>
> > >>>> This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and there's already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings.
> > >>>>
> > >>>> Arg! wrote:
> > >>>>
> > >>>>> I doubt making a cvar would work as the plugins could simply override it as they do now.
> > >>>>>
> > >>>>> On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison <[email protected]> wrote:
> > >>>>>
> > >>>>>> If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind.
> > >>>>>>
> > >>>>>> Thanks,
> > >>>>>> - Saul.
> > >>>>>>
> > >>>>>> On 31 March 2010 16:00, Keeper <[email protected]> wrote:
> > >>>>>>
> > >>>>>>> I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an "external" program altering the game's memory space.
> > >>>>>>> But not knowing how VAC works, there's no telling what they look for or how they are detecting it.
> > >>>>>>>
> > >>>>>>> Keeper
> > >>>>>>> -----Original Message-----
> > >>>>>>> From: Michael Krasnow [mailto:[email protected]]
> > >>>>>>> Sent: Tuesday, March 30, 2010 9:31 PM
> > >>>>>>> To: Half-Life dedicated Win32 server mailing list
> > >>>>>>> Subject: Re: [hlds] Plugin Loading on clients, enough is enough.
> > >>>>>>>
> > >>>>>>> doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds
> > >>>>>>>
> > >>>>>>> _______________________________________________
> > >>>>>>> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> > >>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds
> > >>>>>
> > >>>>> __________ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __________
> > >>>>>
> > >>>>> The message was checked by ESET NOD32 Antivirus.
> > >>>>>
> > >>>>> http://www.eset.com

