* Florian Zschocke [2003-08-27 08:33]:

> I wouldn't even be too sure that none use exec.

None that I can think of heh.  Even if there is one, it should be
something only the mod itself can do, and do it only once.


> First off, I'm pretty sure that is not going to happen for HL1 and
> maybe HL2 will have a different system so the problem will go away
> eventually.

We're all still waiting for a certain exploit to be fixed sometime this
lifetime.  Perhaps like Windows, a worm needs to be released before people
wake up?  .. After all, Valve employs how many ex m$ drones? ... (rant
edited out).


>
> Then, look at the practicability of any such solution.

Security on a massive scale like online games should be #1 priority.


> You would have to implement on the client some way to set which
> commands to allow and deny for which server.

Write to a config file.  Done heh.  .. but then there's the whole gui
thing :-)


> And you would have to do it in a way that people can do it by clicking
> somewhere.

Make it part of the server browser, + popup when the server actually
tries.


> And in addition it needs to be in such a way that even the people that
> you mentioned below can do it, which means you need extensive
> explanations about what a command does so that the user can make a
> choice.

Perhaps the final version would have more detailed help.  But initially it
could be as simple as  High, Medium, and Low - much the same as a web
browser.


> And that would also have to include commands added by MODs.

I must really be missing the ball here, that or we are misunderstanding
each other.  When I say console commands, I'm talking about bind, unbind,
exec, quit, buy, alias, setinfo, etc.  Not server level commands like
playsound, updateinfo, etc.


> You will have to set up a default configuration, if you set
> them all to allow or all to deny that doesn't really help. So you have
> to make a guess at what needs to be allowed and what not and that
> is where the problems start.

Not really because again, those commands that I'm thinking of, have no
business being used after I've joined the game.  I think we both agree
that a few of them may be exceptions ... *rate*, and changeteam.


> Because 90% of all users will never
> touch the settings themselves for the obvious reasons that they
> don't know that they can, what to choose and that they just can't
> be bothered with having to set up long lists of commands for every
> bloody server before they play.   They just want to click
> Multiplayer->Join and go.

This is flawed thinking heh.  It is one of the primary reasons viruses
spread.  Indeed the learning curve for something should be gradual.  But,
assuming users are stupid is like laughing at the guy who just bought CS
and doesn't know the game _yet_.  And if that were truly the case,
web browsers would never have implemented security controls because "90% of
users have no idea what most of this stuff is or does".


> I still say that it's not gonna happen because it's probably not
> worth the trouble for Valve. Of course it would be good for *you*
> and probably most people on this list would know how to use it and
> maybe even use it. But the people on this list don't make up the
> majority of the people generating revenue for Valve by buying
> their games.

Microshit got a wake-up call with blaster.  Shipping products out the door
that have vulnerabilities, then not patching those holes until Something
Bad Happens (tm), is NOT good business sense.  Sadly in their case they
thought the solution was to turn on windows retarded firewall out of the
box -- in Windows <insert next release year here>.  Sounds more like a
marketing thingy than anything.  <rant edited out>

There have been a few public exploits released for HL.  Thus far however,
none have been used in an earth shattering way.  The last two holes
should have woken Valve up a bit though because they DID cause quite a few
providers to turn off their servers.

Without providers (be it big "gsp"s, or a kid with a server on his dsl),
HL/CS would not exist.  The common theme amongst providers right now seems
to be to block whatever port / traffic the latest worms are using.  Now
think for a second if 27000-27099 were blocked because of some worm. Evil
eh?


> Gah. The funny thing is that with Admin Mod the extent of control
> is already limited compared to other addons that let their users
> do whatever they want.

Not hard to patch it heh.  Assuming it hasn't been already is naive.  :-)

Plus as I mentioned, the last time was on a netfire hosted server.  I
don't know what the policies are of other GSPs, but it appears running
commands on clients like that is not against their AUPs considering
many of them are gui based to the point of you point'n click what you
want loaded.  It makes you wonder if providers even care either.  They
will though heh.  First time it's used against a kiddie with his new found
.edu resnet.

> As I said before it is hard to draw the
> line because things can be used for good and bad. Take bind as an
> example. You can use it to mess up a player's keybindings to annoy
> him to no end. But you can just as well use it to help a newbie
> who doesn't know how to activate his console or has messed up his
> bindings. So do you strictly disallow it or not?

CPUs are overclockable.  Why?  Done properly it is pretty safe.  But done
wrong and you fry your cpu.  So they give the user a choice to either do
it and void your warranty, or don't.


> What you say is
> let the user choose it. That is also the approach that Admin Mod
> was going to take on this in the future,

This is far more fundamental than Adminmod is heh.  This is client side.
The server can be modified at will (last I checked, adminmod source could
be downloaded).


> > Which doesn't show up in 1.6.
>
> It doesn't?! Well, since there is no 1.6 I don't think it is too
> much a problem, yet. :)

Steam ? :-)


> > Indeed.  It's still a hack though heh.  It's like saying disable images
> > from loading in your web browser so you don't become a statistic.  If
> > 99.8% of the webpages out there use images, that isn't a solution.
>
> No, actually it is more like saying disable ActiveX controls in
> your IE to keep the bad apples among the websites from messing
> with your system.

ActiveX isn't used everywhere.  Places that do run it, most people
wouldn't visit anyway  :-)


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
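
The client-side filter discussed in this message (a config file, High/Medium/Low levels, per-server settings, `rate` and `changeteam` as exceptions), as an added example that is not part of the original post and not Valve or Admin Mod code. The config format, the meaning given to each level, the function names and the sample server addresses are assumptions made for illustration.

```python
import configparser

# Console commands named in the message as off-limits to servers, and the
# two exceptions it names. The level semantics below are an assumption.
SENSITIVE = {"bind", "unbind", "exec", "quit", "buy", "alias", "setinfo"}
EXCEPTIONS = {"rate", "changeteam"}

# Constructed sample config (hypothetical format): default level plus one
# per-server override keyed by address:port.
SAMPLE_CONFIG = """
[default]
level = high

[192.0.2.10:27015]
level = medium
allow = bind
"""

def split_commands(line):
    """Split a console line on ';' outside double quotes, so a chained
    command cannot hide behind a harmless first one."""
    parts, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def decide(policy, server, line):
    """Return 'allow', 'prompt' or 'deny' for a server-sent command line."""
    sec = policy[server] if policy.has_section(server) else policy["default"]
    level = sec.get("level", fallback="high")
    allowed = set(sec.get("allow", fallback="").split()) | EXCEPTIONS
    per_level = {"high": "deny", "medium": "prompt", "low": "allow"}
    verdicts = {"allow"}
    for cmd in split_commands(line):
        name = cmd.split()[0].strip('"').lower()
        if name in SENSITIVE and name not in allowed:
            verdicts.add(per_level.get(level, "deny"))
    # The strictest verdict for any chained command decides the whole line.
    return next(v for v in ("deny", "prompt", "allow") if v in verdicts)

def load_policy(text=SAMPLE_CONFIG):
    policy = configparser.ConfigParser()
    policy.read_string(text)
    return policy
```

Commands outside the sensitive list pass through here; a stricter client would treat unknown commands by level as well.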
