This is a very big issue for source-based games. I agree that client plugins should be disabled but i also agree with the fact that there may be useful plugins for clients (already mentioned PREC)
2010/4/3 Saul Rennison <[email protected]> > Please stop for a god-damn second and think about your "solution". > PLEASE tell me how the server would possibly know whether the client > has any plugins loaded? And even if there was a way, it could probably > be blocked with 3 lines of code in a client plugin anyway > > Clientplugins were never supposed to be a feature and are a side > effect. There is nothing to do with clients in there by default, they > are SERVERPLUGINS. The only secure way to fix this is enable plugins > for dedicated servers only. > > On Saturday, April 3, 2010, Steven Crothers <[email protected]> > wrote: > > Possibly the worst idea ever mentioned on this list. > > > > -----Original Message----- > > From: [email protected] > > [mailto:[email protected]] On Behalf Of Allan Button > > Sent: Saturday, April 03, 2010 1:42 AM > > To: Half-Life dedicated Win32 server mailing list > > Subject: Re: [hlds] Plugin Loading on clients, enough is enough. > > > > Make it a launch option of srcds to allow plugins on the server. Not a > cvar. > > And off by default. > > > > Then, for people who are serious about client plugins, maybe a way to > have > > them signed by Valve. Think Apple App Store for iPhone. > > > > Allan > > > > -----Original Message----- > > From: [email protected] > > [mailto:[email protected]] On Behalf Of Mark Gunnett > > Sent: Saturday, April 03, 2010 12:14 AM > > To: Half-Life dedicated Win32 server mailing list > > Subject: Re: [hlds] Plugin Loading on clients, enough is enough. > > > > While you may not be removing all the cheaters by giving a cvar to > disable > > client side plugins, you will be preventing the people who are too stupid > to > > do some of the more complex cheats. Why make it easier to cheat? Learning > > how to Lua script (Or script in sourcepawn) isn't all that hard, > especially > > if you have a shell to plug into that handles all the major hooking you > need > > to do. The fact is, there are a lot of people who know how to read > > instructions and can install sourcemod into the client directory pretty > > easy. And from the sounds of it, there are pre-written lua scripts that > they > > can learn from to do whatever they want with the new client lua > interface. > > However, giving servers the option to disallow clients with plugins > loaded > > just like having the option to filter out clients that have failed md5 > > checksums for their textures isn't that bad of an idea. I can see where > > client side plugins are useful, ESEA and such aside. However, they have > no > > place, or legitimacy being run on regular servers. While not all users do > it > > for malicious intent (Hey look, I was at a LAN!), the fact is most users > > that use that interface, are doing so for malicious reasons. > > > > Again, it may not stop the big boys, but making it easier to cheat just > > doesn't make sense in my book. > > > > On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet <[email protected]> wrote: > > > >> So consider Valve does disable clientside plugins, what will change? > >> Absolutely nothing. All the cheaters will continue to use their cheats > >> that don't rely on clientside plugins. Everyone else will use a > >> network proxy, which can replication all the malicious exploits you're > >> worried about. With a network proxy you just send net_SetConVar to > >> force any cvar on the client. There's also the magic of the exploits > >> in the netcode that aren't fixed, like net_StringCmd before you do any > >> sign on, which is what the NULL player crash is. There's also the > >> client disconnect control command, which is again being exploited by > >> the lua clientside plugin, but is trivial to do with a network proxy. > >> > >> In the end Valve needs to fix the real exploits, which are the source > >> of the issue, not disable a very useful feature. > >> > >> On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott <[email protected]> > >> wrote: > >> > > >> > --- Scott Highland wrote: > >> > Maybe you could explain why this whole list, and the company that > >> > runs it should all agree to completely remove the ability to > >> > incorporate modifications just because it would suit YOUR needs as > >> > an anti-cheat function to thwart the .3% of TF2 players that are > >> > abusing it in this fashion? That's a pretty self-centered way of > >> > thinking and kind of ridiculous, it's sad so many of you don't seem to > > see it this way. > >> > --- > >> > > >> > The only suggestion I have seen that seems appropriate is a server > >> > CVAR > >> that > >> > forcefully unloads any non-valve released client plugins. (sv_pure > >> extension > >> > could be pretty good, but has a couple of issues). Which would allow > >> > everyone a decent options. A CVAR was added to effectively disable > >> > Mic > >> spam, > >> > remove the wait command from client scripts. Of which a very small > >> portion > >> > of the population actually used, however, it only takes one aimbot > >> > to hop into a f > > -- > > Thanks, > - Saul. > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > http://list.valvesoftware.com/mailman/listinfo/hlds > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
