Re: [hlds] Plugin Loading on clients, enough is enough.
Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ 2010/4/3 Saul Rennison saul.renni...@gmail.com But there is no support for client plugins. People have just exploited the fact that plugins are loaded early and dubbed them clientplugins. It's exactly the same as injecting into the engine-- it's a hack. They should be banned. Thanks, - Saul. On 3 April 2010 12:25, Nightbox alexandrualexa...@gmail.com wrote: This is a very big issue for source-based games. I agree that client plugins should be disabled but i also agree with the fact that there may be useful plugins for clients (already mentioned PREC) 2010/4/3 Saul Rennison saul.renni...@gmail.com Please stop for a god-damn second and think about your solution. PLEASE tell me how the server would possibly know whether the client has any plugins loaded? And even if there was a way, it could probably be blocked with 3 lines of code in a client plugin anyway Clientplugins were never supposed to be a feature and are a side effect. There is nothing to do with clients in there by default, they are SERVERPLUGINS. The only secure way to fix this is enable plugins for dedicated servers only. On Saturday, April 3, 2010, Steven Crothers steven.croth...@gmail.com wrote: Possibly the worst idea ever mentioned on this list. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Allan Button Sent: Saturday, April 03, 2010 1:42 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Make it a launch option of srcds to allow plugins on the server. Not a cvar. And off by default. Then, for people who are serious about client plugins, maybe a way to have them signed by Valve. Think Apple App Store for iPhone. Allan -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mark Gunnett Sent: Saturday, April 03, 2010 12:14 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. While you may not be removing all the cheaters by giving a cvar to disable client side plugins, you will be preventing the people who are too stupid to do some of the more complex cheats. Why make it easier to cheat? Learning how to Lua script (Or script in sourcepawn) isn't all that hard, especially if you have a shell to plug into that handles all the major hooking you need to do. The fact is, there are a lot of people who know how to read instructions and can install sourcemod into the client directory pretty easy. And from the sounds of it, there are pre-written lua scripts that they can learn from to do whatever they want with the new client lua interface. However, giving servers the option to disallow clients with plugins loaded just like having the option to filter out clients that have failed md5 checksums for their textures isn't that bad of an idea. I can see where client side plugins are useful, ESEA and such aside. However, they have no place, or legitimacy being run on regular servers. While not all users do it for malicious intent (Hey look, I was at a LAN!), the fact is most users that use that interface, are doing so for malicious reasons. Again, it may not stop the big boys, but making it easier to cheat just doesn't make sense in my book. On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet azuisl...@gmail.com wrote: So consider Valve does disable clientside plugins, what will change? Absolutely nothing. All the cheaters will continue to use their cheats that don't rely on clientside plugins. Everyone else will use a network proxy, which can replication all the malicious exploits you're worried about. With a network proxy you just send net_SetConVar to force any cvar on the client. There's also the magic of the exploits in the netcode that aren't fixed, like net_StringCmd before you do any sign on, which is what the NULL player crash is. There's also the client disconnect control command, which is again being exploited by the lua clientside plugin, but is trivial to do with a network proxy. In the end Valve needs to fix the real exploits, which are the source of the issue, not disable a very useful feature. On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net wrote: --- Scott Highland wrote: Maybe you could explain why this whole list, and the company
Re: [hlds] Plugin Loading on clients, enough is enough.
Hello, thanks for posting this. Hopefully people realize it may be considered a cheat since it can give them an unfair (albeit tiny) advantage. Something to note: L4D2's sv_cheats cvar is a bit more tamper proof. Also: The list might not want to continue discussion on this topic. Speedhacks have been available in this game since mid december. On Wed, May 12, 2010 at 8:42 AM, AnAkIn . anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn . anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, ics i...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
I totally disagree. If they were using it to cheat then it doesn't matter in the least whether or not they were expecting to get VACbanned or not, nor how the ban came about. That guy even admitted he was speed hacking with it. One less idiot plaguing servers. On 5/12/2010 3:51 PM, Kyle Sanderson wrote: Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, icsi...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.comwrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
What Kyle is trying to point out is that the problem shouldn't even exist in the first place. VALVe should be preventing people from joining servers while plugins are loaded via the VSP interface. On Wed, May 12, 2010 at 3:10 PM, Nicholas Hastings nshasti...@gmail.com wrote: I totally disagree. If they were using it to cheat then it doesn't matter in the least whether or not they were expecting to get VACbanned or not, nor how the ban came about. That guy even admitted he was speed hacking with it. One less idiot plaguing servers. On 5/12/2010 3:51 PM, Kyle Sanderson wrote: Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, icsi...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
If they would simply prevent people from joining servers with client side plugins loaded, people would simply code a client side plugin which bypass this. The better way is just to remove the possibility of loading client side plugins at all. 2010/5/12 Kigen theki...@gmail.com What Kyle is trying to point out is that the problem shouldn't even exist in the first place. VALVe should be preventing people from joining servers while plugins are loaded via the VSP interface. On Wed, May 12, 2010 at 3:10 PM, Nicholas Hastings nshasti...@gmail.com wrote: I totally disagree. If they were using it to cheat then it doesn't matter in the least whether or not they were expecting to get VACbanned or not, nor how the ban came about. That guy even admitted he was speed hacking with it. One less idiot plaguing servers. On 5/12/2010 3:51 PM, Kyle Sanderson wrote: Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, icsi...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Maybe this isn't the whole truth in this matter. All we know maybe VAC already had signature from the player (and if it wasn't a sourcemod) and the ban was just speeded up to be more instant. In any case, in such clear cases as speedhacks, i don't mind if the jackasses get banned asap for once. However, if it was a manual ban just due to the guy seeing he was indeed speedhacking, it's bad policy because no one knows if someone gets accidentally banned and the innocent suffers. In this case though, there was no victims that did not deserve what they got. -ics 12.5.2010 22:51, Kyle Sanderson kirjoitti: Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, icsi...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.comwrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
I completely agree with the player being automatically banned for cheating in a public secured server, however this was not the case. Regardless if the player was hacking or not, there should have been zero discussion ingame about the matter, especially from an Employee who clearly did something to get this player banned faster/manually. Regardless, I'm happy his account was VACed for hacking/exploiting, however it was not handled properly, at all. As well to that, Kigen/AnAkIn/ics seemed to have explained better what I was trying to get at. Kyle. On Wed, May 12, 2010 at 1:34 PM, ics i...@ics-base.net wrote: Maybe this isn't the whole truth in this matter. All we know maybe VAC already had signature from the player (and if it wasn't a sourcemod) and the ban was just speeded up to be more instant. In any case, in such clear cases as speedhacks, i don't mind if the jackasses get banned asap for once. However, if it was a manual ban just due to the guy seeing he was indeed speedhacking, it's bad policy because no one knows if someone gets accidentally banned and the innocent suffers. In this case though, there was no victims that did not deserve what they got. -ics 12.5.2010 22:51, Kyle Sanderson kirjoitti: Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, icsi...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
eh, cheating is cheating, and he got caught. it don't matter how the ban was enacted, he got caught doing something he clearly knew he SHOULDN'T be, and got caught. Good for him. Next time, don't fuck with the system, and play by the rules. --mauirixxx -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kyle Sanderson Sent: Wednesday, May 12, 2010 11:03 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. I completely agree with the player being automatically banned for cheating in a public secured server, however this was not the case. Regardless if the player was hacking or not, there should have been zero discussion ingame about the matter, especially from an Employee who clearly did something to get this player banned faster/manually. Regardless, I'm happy his account was VACed for hacking/exploiting, however it was not handled properly, at all. As well to that, Kigen/AnAkIn/ics seemed to have explained better what I was trying to get at. Kyle. On Wed, May 12, 2010 at 1:34 PM, ics i...@ics-base.net wrote: Maybe this isn't the whole truth in this matter. All we know maybe VAC already had signature from the player (and if it wasn't a sourcemod) and the ban was just speeded up to be more instant. In any case, in such clear cases as speedhacks, i don't mind if the jackasses get banned asap for once. However, if it was a manual ban just due to the guy seeing he was indeed speedhacking, it's bad policy because no one knows if someone gets accidentally banned and the innocent suffers. In this case though, there was no victims that did not deserve what they got. -ics 12.5.2010 22:51, Kyle Sanderson kirjoitti: Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, icsi...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
As part of the Steam TOS that you agree to EVERY time you purchase a game, you agree to letting VAC ban you if you cheat. Really, go read it - Given the SM does alter the game, a VAC ban is fair. Furthermore most of the dumb facepuncher's have no idea what they are talking about - I think half of them are convinced it was an exploit on the SERVER due to SM. On Thu, May 13, 2010 at 10:53 AM, Rick Payton r...@mai-hawaii.com wrote: eh, cheating is cheating, and he got caught. it don't matter how the ban was enacted, he got caught doing something he clearly knew he SHOULDN'T be, and got caught. Good for him. Next time, don't fuck with the system, and play by the rules. --mauirixxx -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kyle Sanderson Sent: Wednesday, May 12, 2010 11:03 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. I completely agree with the player being automatically banned for cheating in a public secured server, however this was not the case. Regardless if the player was hacking or not, there should have been zero discussion ingame about the matter, especially from an Employee who clearly did something to get this player banned faster/manually. Regardless, I'm happy his account was VACed for hacking/exploiting, however it was not handled properly, at all. As well to that, Kigen/AnAkIn/ics seemed to have explained better what I was trying to get at. Kyle. On Wed, May 12, 2010 at 1:34 PM, ics i...@ics-base.net wrote: Maybe this isn't the whole truth in this matter. All we know maybe VAC already had signature from the player (and if it wasn't a sourcemod) and the ban was just speeded up to be more instant. In any case, in such clear cases as speedhacks, i don't mind if the jackasses get banned asap for once. However, if it was a manual ban just due to the guy seeing he was indeed speedhacking, it's bad policy because no one knows if someone gets accidentally banned and the innocent suffers. In this case though, there was no victims that did not deserve what they got. -ics 12.5.2010 22:51, Kyle Sanderson kirjoitti: Both http://forums.alliedmods.net/showthread.php?t=126487 and http://www.facepunch.com/showthread.php?t=935780 are interesting reads. The player was manually VAC banned by one Al or Professor Farnsworth for running SourceMod as a client plugin. VAC is supposed to be an automatic system, and not one that can be triggered manually by any Valve employee. This defunctionality really needs to be removed from the engine, as it's getting absolutely ridiculous. Kyle. On Wed, May 12, 2010 at 8:36 AM, icsi...@ics-base.net wrote: With that logic, a sourcemod in players pc isn't a cheat but you can override your own setting r_drawothermodels 2 and you see through walls even if the cheats are off on the server. This is exactly the reason why plugins in clients suck. Changing viewmodel isn't allowed in L4D2 by default, as those cvars are behind sv_cheats as far as i know. This plugin just bypasses it. -ics 12.5.2010 17:55, HL-SDK Synths kirjoitti: Apologies for the double post (I'm not sure how that works on a mailing list. This plugin doesn't change sv_cheats, it is not a cheat and deserves no special consideration. It will not be deleted either. On Wed, May 12, 2010 at 8:42 AM, AnAkIn .anakin...@gmail.com wrote: Now there is a client side L4D2 plugin to change cheat cvars like fov and viewmodel_fov. http://forums.steampowered.com/forums/showthread.php?t=1242368 For some reason it still hasn't been deleted, and it's been posted since 2 weeks. :/ -- Best regards, AnAkIn, - ESL EU TF2 Admin http://www.esl.eu/eu/tf2 ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo
Re: [hlds] Plugin Loading on clients, enough is enough.
Possibly the worst idea ever mentioned on this list. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Allan Button Sent: Saturday, April 03, 2010 1:42 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Make it a launch option of srcds to allow plugins on the server. Not a cvar. And off by default. Then, for people who are serious about client plugins, maybe a way to have them signed by Valve. Think Apple App Store for iPhone. Allan -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mark Gunnett Sent: Saturday, April 03, 2010 12:14 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. While you may not be removing all the cheaters by giving a cvar to disable client side plugins, you will be preventing the people who are too stupid to do some of the more complex cheats. Why make it easier to cheat? Learning how to Lua script (Or script in sourcepawn) isn't all that hard, especially if you have a shell to plug into that handles all the major hooking you need to do. The fact is, there are a lot of people who know how to read instructions and can install sourcemod into the client directory pretty easy. And from the sounds of it, there are pre-written lua scripts that they can learn from to do whatever they want with the new client lua interface. However, giving servers the option to disallow clients with plugins loaded just like having the option to filter out clients that have failed md5 checksums for their textures isn't that bad of an idea. I can see where client side plugins are useful, ESEA and such aside. However, they have no place, or legitimacy being run on regular servers. While not all users do it for malicious intent (Hey look, I was at a LAN!), the fact is most users that use that interface, are doing so for malicious reasons. Again, it may not stop the big boys, but making it easier to cheat just doesn't make sense in my book. On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet azuisl...@gmail.com wrote: So consider Valve does disable clientside plugins, what will change? Absolutely nothing. All the cheaters will continue to use their cheats that don't rely on clientside plugins. Everyone else will use a network proxy, which can replication all the malicious exploits you're worried about. With a network proxy you just send net_SetConVar to force any cvar on the client. There's also the magic of the exploits in the netcode that aren't fixed, like net_StringCmd before you do any sign on, which is what the NULL player crash is. There's also the client disconnect control command, which is again being exploited by the lua clientside plugin, but is trivial to do with a network proxy. In the end Valve needs to fix the real exploits, which are the source of the issue, not disable a very useful feature. On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net wrote: --- Scott Highland wrote: Maybe you could explain why this whole list, and the company that runs it should all agree to completely remove the ability to incorporate modifications just because it would suit YOUR needs as an anti-cheat function to thwart the .3% of TF2 players that are abusing it in this fashion? That's a pretty self-centered way of thinking and kind of ridiculous, it's sad so many of you don't seem to see it this way. --- The only suggestion I have seen that seems appropriate is a server CVAR that forcefully unloads any non-valve released client plugins. (sv_pure extension could be pretty good, but has a couple of issues). Which would allow everyone a decent options. A CVAR was added to effectively disable Mic spam, remove the wait command from client scripts. Of which a very small portion of the population actually used, however, it only takes one aimbot to hop into a full server and empty it in a matter of minutes and does a number to the games overall population. How many games that made zero efforts against cheating and other aspects do you think hold an audience? That is what most of this discussion is about. A new threat is out there, all be it small at the moment, but might as well get the counter measures in place now. Some client side plugins are legitimate as I pointed out, and loosing those functions would be a hinderance to many players, but asking for Valve to give server ops an option to disallow client plugins on their servers isn't too much of a stretch since there is now a very public website and scripts that from what I read serve no purpose other than exploiting the game environment. Rather than having multiple parties code anti-cheat plugins, a bunch of server ops with something extra
Re: [hlds] Plugin Loading on clients, enough is enough.
Please stop for a god-damn second and think about your solution. PLEASE tell me how the server would possibly know whether the client has any plugins loaded? And even if there was a way, it could probably be blocked with 3 lines of code in a client plugin anyway Clientplugins were never supposed to be a feature and are a side effect. There is nothing to do with clients in there by default, they are SERVERPLUGINS. The only secure way to fix this is enable plugins for dedicated servers only. On Saturday, April 3, 2010, Steven Crothers steven.croth...@gmail.com wrote: Possibly the worst idea ever mentioned on this list. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Allan Button Sent: Saturday, April 03, 2010 1:42 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Make it a launch option of srcds to allow plugins on the server. Not a cvar. And off by default. Then, for people who are serious about client plugins, maybe a way to have them signed by Valve. Think Apple App Store for iPhone. Allan -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mark Gunnett Sent: Saturday, April 03, 2010 12:14 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. While you may not be removing all the cheaters by giving a cvar to disable client side plugins, you will be preventing the people who are too stupid to do some of the more complex cheats. Why make it easier to cheat? Learning how to Lua script (Or script in sourcepawn) isn't all that hard, especially if you have a shell to plug into that handles all the major hooking you need to do. The fact is, there are a lot of people who know how to read instructions and can install sourcemod into the client directory pretty easy. And from the sounds of it, there are pre-written lua scripts that they can learn from to do whatever they want with the new client lua interface. However, giving servers the option to disallow clients with plugins loaded just like having the option to filter out clients that have failed md5 checksums for their textures isn't that bad of an idea. I can see where client side plugins are useful, ESEA and such aside. However, they have no place, or legitimacy being run on regular servers. While not all users do it for malicious intent (Hey look, I was at a LAN!), the fact is most users that use that interface, are doing so for malicious reasons. Again, it may not stop the big boys, but making it easier to cheat just doesn't make sense in my book. On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet azuisl...@gmail.com wrote: So consider Valve does disable clientside plugins, what will change? Absolutely nothing. All the cheaters will continue to use their cheats that don't rely on clientside plugins. Everyone else will use a network proxy, which can replication all the malicious exploits you're worried about. With a network proxy you just send net_SetConVar to force any cvar on the client. There's also the magic of the exploits in the netcode that aren't fixed, like net_StringCmd before you do any sign on, which is what the NULL player crash is. There's also the client disconnect control command, which is again being exploited by the lua clientside plugin, but is trivial to do with a network proxy. In the end Valve needs to fix the real exploits, which are the source of the issue, not disable a very useful feature. On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net wrote: --- Scott Highland wrote: Maybe you could explain why this whole list, and the company that runs it should all agree to completely remove the ability to incorporate modifications just because it would suit YOUR needs as an anti-cheat function to thwart the .3% of TF2 players that are abusing it in this fashion? That's a pretty self-centered way of thinking and kind of ridiculous, it's sad so many of you don't seem to see it this way. --- The only suggestion I have seen that seems appropriate is a server CVAR that forcefully unloads any non-valve released client plugins. (sv_pure extension could be pretty good, but has a couple of issues). Which would allow everyone a decent options. A CVAR was added to effectively disable Mic spam, remove the wait command from client scripts. Of which a very small portion of the population actually used, however, it only takes one aimbot to hop into a f -- Thanks, - Saul. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
This is a very big issue for source-based games. I agree that client plugins should be disabled but i also agree with the fact that there may be useful plugins for clients (already mentioned PREC) 2010/4/3 Saul Rennison saul.renni...@gmail.com Please stop for a god-damn second and think about your solution. PLEASE tell me how the server would possibly know whether the client has any plugins loaded? And even if there was a way, it could probably be blocked with 3 lines of code in a client plugin anyway Clientplugins were never supposed to be a feature and are a side effect. There is nothing to do with clients in there by default, they are SERVERPLUGINS. The only secure way to fix this is enable plugins for dedicated servers only. On Saturday, April 3, 2010, Steven Crothers steven.croth...@gmail.com wrote: Possibly the worst idea ever mentioned on this list. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Allan Button Sent: Saturday, April 03, 2010 1:42 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Make it a launch option of srcds to allow plugins on the server. Not a cvar. And off by default. Then, for people who are serious about client plugins, maybe a way to have them signed by Valve. Think Apple App Store for iPhone. Allan -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mark Gunnett Sent: Saturday, April 03, 2010 12:14 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. While you may not be removing all the cheaters by giving a cvar to disable client side plugins, you will be preventing the people who are too stupid to do some of the more complex cheats. Why make it easier to cheat? Learning how to Lua script (Or script in sourcepawn) isn't all that hard, especially if you have a shell to plug into that handles all the major hooking you need to do. The fact is, there are a lot of people who know how to read instructions and can install sourcemod into the client directory pretty easy. And from the sounds of it, there are pre-written lua scripts that they can learn from to do whatever they want with the new client lua interface. However, giving servers the option to disallow clients with plugins loaded just like having the option to filter out clients that have failed md5 checksums for their textures isn't that bad of an idea. I can see where client side plugins are useful, ESEA and such aside. However, they have no place, or legitimacy being run on regular servers. While not all users do it for malicious intent (Hey look, I was at a LAN!), the fact is most users that use that interface, are doing so for malicious reasons. Again, it may not stop the big boys, but making it easier to cheat just doesn't make sense in my book. On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet azuisl...@gmail.com wrote: So consider Valve does disable clientside plugins, what will change? Absolutely nothing. All the cheaters will continue to use their cheats that don't rely on clientside plugins. Everyone else will use a network proxy, which can replication all the malicious exploits you're worried about. With a network proxy you just send net_SetConVar to force any cvar on the client. There's also the magic of the exploits in the netcode that aren't fixed, like net_StringCmd before you do any sign on, which is what the NULL player crash is. There's also the client disconnect control command, which is again being exploited by the lua clientside plugin, but is trivial to do with a network proxy. In the end Valve needs to fix the real exploits, which are the source of the issue, not disable a very useful feature. On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net wrote: --- Scott Highland wrote: Maybe you could explain why this whole list, and the company that runs it should all agree to completely remove the ability to incorporate modifications just because it would suit YOUR needs as an anti-cheat function to thwart the .3% of TF2 players that are abusing it in this fashion? That's a pretty self-centered way of thinking and kind of ridiculous, it's sad so many of you don't seem to see it this way. --- The only suggestion I have seen that seems appropriate is a server CVAR that forcefully unloads any non-valve released client plugins. (sv_pure extension could be pretty good, but has a couple of issues). Which would allow everyone a decent options. A CVAR was added to effectively disable Mic spam, remove the wait command from client scripts. Of which a very small portion of the population actually used, however
Re: [hlds] Plugin Loading on clients, enough is enough.
But there is no support for client plugins. People have just exploited the fact that plugins are loaded early and dubbed them clientplugins. It's exactly the same as injecting into the engine-- it's a hack. They should be banned. Thanks, - Saul. On 3 April 2010 12:25, Nightbox alexandrualexa...@gmail.com wrote: This is a very big issue for source-based games. I agree that client plugins should be disabled but i also agree with the fact that there may be useful plugins for clients (already mentioned PREC) 2010/4/3 Saul Rennison saul.renni...@gmail.com Please stop for a god-damn second and think about your solution. PLEASE tell me how the server would possibly know whether the client has any plugins loaded? And even if there was a way, it could probably be blocked with 3 lines of code in a client plugin anyway Clientplugins were never supposed to be a feature and are a side effect. There is nothing to do with clients in there by default, they are SERVERPLUGINS. The only secure way to fix this is enable plugins for dedicated servers only. On Saturday, April 3, 2010, Steven Crothers steven.croth...@gmail.com wrote: Possibly the worst idea ever mentioned on this list. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Allan Button Sent: Saturday, April 03, 2010 1:42 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Make it a launch option of srcds to allow plugins on the server. Not a cvar. And off by default. Then, for people who are serious about client plugins, maybe a way to have them signed by Valve. Think Apple App Store for iPhone. Allan -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mark Gunnett Sent: Saturday, April 03, 2010 12:14 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. While you may not be removing all the cheaters by giving a cvar to disable client side plugins, you will be preventing the people who are too stupid to do some of the more complex cheats. Why make it easier to cheat? Learning how to Lua script (Or script in sourcepawn) isn't all that hard, especially if you have a shell to plug into that handles all the major hooking you need to do. The fact is, there are a lot of people who know how to read instructions and can install sourcemod into the client directory pretty easy. And from the sounds of it, there are pre-written lua scripts that they can learn from to do whatever they want with the new client lua interface. However, giving servers the option to disallow clients with plugins loaded just like having the option to filter out clients that have failed md5 checksums for their textures isn't that bad of an idea. I can see where client side plugins are useful, ESEA and such aside. However, they have no place, or legitimacy being run on regular servers. While not all users do it for malicious intent (Hey look, I was at a LAN!), the fact is most users that use that interface, are doing so for malicious reasons. Again, it may not stop the big boys, but making it easier to cheat just doesn't make sense in my book. On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet azuisl...@gmail.com wrote: So consider Valve does disable clientside plugins, what will change? Absolutely nothing. All the cheaters will continue to use their cheats that don't rely on clientside plugins. Everyone else will use a network proxy, which can replication all the malicious exploits you're worried about. With a network proxy you just send net_SetConVar to force any cvar on the client. There's also the magic of the exploits in the netcode that aren't fixed, like net_StringCmd before you do any sign on, which is what the NULL player crash is. There's also the client disconnect control command, which is again being exploited by the lua clientside plugin, but is trivial to do with a network proxy. In the end Valve needs to fix the real exploits, which are the source of the issue, not disable a very useful feature. On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net wrote: --- Scott Highland wrote: Maybe you could explain why this whole list, and the company that runs it should all agree to completely remove the ability to incorporate modifications just because it would suit YOUR needs as an anti-cheat function to thwart the .3% of TF2 players that are abusing it in this fashion? That's a pretty self-centered way of thinking and kind of ridiculous, it's sad so many of you don't seem to see it this way. --- The only suggestion I have
Re: [hlds] Plugin Loading on clients, enough is enough.
They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server plugins that stop client plugins are only checking PUBLICALY known cvars such as sm_version,if those cvars are renamed or don't exit, you get to load any plugin you want and be a major HAXXOR besting this detection. Also the Source engine was just fine for years before people figured out how to make/use client plugins. Disabling client side plugin loading would probably be the easiest way of fixing this. Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server? On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland tgnwe...@gmail.com wrote: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo
Re: [hlds] Plugin Loading on clients, enough is enough.
Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.comwrote: They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server plugins that stop client plugins are only checking PUBLICALY known cvars such as sm_version,if those cvars are renamed or don't exit, you get to load any plugin you want and be a major HAXXOR besting this detection. Also the Source engine was just fine for years before people figured out how to make/use client plugins. Disabling client side plugin loading would probably be the easiest way of fixing this. Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server? On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland tgnwe...@gmail.com wrote: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus
Re: [hlds] Plugin Loading on clients, enough is enough.
How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not. Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not? 1nsane wrote: Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.comwrote: They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server plugins that stop client plugins are only checking PUBLICALY known cvars such as sm_version,if those cvars are renamed or don't exit, you get to load any plugin you want and be a major HAXXOR besting this detection. Also the Source engine was just fine for years before people figured out how to make/use client plugins. Disabling client side plugin loading would probably be the easiest way of fixing this. Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server? On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland tgnwe...@gmail.com wrote: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its
Re: [hlds] Plugin Loading on clients, enough is enough.
Please tell me what malicious things a server can do Thanks, - Saul. On 2 April 2010 23:03, Scott Highland tgnwe...@gmail.com wrote: How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not. Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not? 1nsane wrote: Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.com wrote: They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server plugins that stop client plugins are only checking PUBLICALY known cvars such as sm_version,if those cvars are renamed or don't exit, you get to load any plugin you want and be a major HAXXOR besting this detection. Also the Source engine was just fine for years before people figured out how to make/use client plugins. Disabling client side plugin loading would probably be the easiest way of fixing this. Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server? On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland tgnwe...@gmail.com wrote: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would
Re: [hlds] Plugin Loading on clients, enough is enough.
to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
I honestly thought you were going to give a good reason. I guess slapping is pretty bad in the servers you visit eh? -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 6:24 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. In the instance where a player can leave a modded server he or she likes, it's not really that big of a deal. Now when you have people coming on to legitimate community servers and causing problems with modded files and plugins it's a different story, as in the first scenario, the person running the server has malicious intent, whereas in the second scenario, the malicious user is joining a server where plugins may give them an unfair advantage against other players. While I agree that server operators can load plugins that do nasty things, the player has the option to leave, whereas if a malicious client plugin user joins a server, the server operator has to ban that person, if they even know they're using a plugin in the first place. I agree with the notion that clients should not be able to load plugins. Why? Because if you really want a lan server for 20 minutes you can run the server tool off your computer, a VM, or something of that nature. The people who are using plugins for legitimate reasons (such as testing) KNOW how to setup a server. To Saul, A server owner can run malicious programs to spam users with text, sounds, slap the player, and just make the game unplayable to the person. It could be subtle as well, such as making clients do differing amounts of damage (way lower, way higher than usual, etc.) But the client has the option to leave said server without much toil. On Fri, Apr 2, 2010 at 5:03 PM, Scott Highland tgnwe...@gmail.com wrote: How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not. Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not? 1nsane wrote: Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.com wrote: They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server plugins that stop client plugins are only checking PUBLICALY known cvars such as sm_version,if those cvars are renamed or don't exit, you get to load any plugin you want and be a major HAXXOR besting this detection. Also the Source engine was just fine for years before people figured out how to make/use client plugins. Disabling client side plugin loading would probably be the easiest way of fixing this. Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server? On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland tgnwe...@gmail.com wrote: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation
Re: [hlds] Plugin Loading on clients, enough is enough.
I've never run malicious plugins so I really don't know what's out there. Here's a good website where you might find some more examples for your reference. http://www.google.com On Fri, Apr 2, 2010 at 6:01 PM, Steven Crothers steven.croth...@gmail.comwrote: I honestly thought you were going to give a good reason. I guess slapping is pretty bad in the servers you visit eh? -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 6:24 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. In the instance where a player can leave a modded server he or she likes, it's not really that big of a deal. Now when you have people coming on to legitimate community servers and causing problems with modded files and plugins it's a different story, as in the first scenario, the person running the server has malicious intent, whereas in the second scenario, the malicious user is joining a server where plugins may give them an unfair advantage against other players. While I agree that server operators can load plugins that do nasty things, the player has the option to leave, whereas if a malicious client plugin user joins a server, the server operator has to ban that person, if they even know they're using a plugin in the first place. I agree with the notion that clients should not be able to load plugins. Why? Because if you really want a lan server for 20 minutes you can run the server tool off your computer, a VM, or something of that nature. The people who are using plugins for legitimate reasons (such as testing) KNOW how to setup a server. To Saul, A server owner can run malicious programs to spam users with text, sounds, slap the player, and just make the game unplayable to the person. It could be subtle as well, such as making clients do differing amounts of damage (way lower, way higher than usual, etc.) But the client has the option to leave said server without much toil. On Fri, Apr 2, 2010 at 5:03 PM, Scott Highland tgnwe...@gmail.com wrote: How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not. Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not? 1nsane wrote: Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.com wrote: They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server plugins that stop client plugins are only checking PUBLICALY known cvars such as sm_version,if those cvars are renamed or don't exit, you get to load any plugin you want and be a major HAXXOR besting this detection. Also the Source engine was just fine for years before people figured out how to make/use client plugins. Disabling client side plugin loading would probably be the easiest way of fixing this. Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server? On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland tgnwe...@gmail.com wrote: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just
Re: [hlds] Plugin Loading on clients, enough is enough.
The most a plugin can do is change your name and a few other cvars. It's not like srcds is an open window to your harddrive or anything... -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 7:09 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. I've never run malicious plugins so I really don't know what's out there. Here's a good website where you might find some more examples for your reference. http://www.google.com On Fri, Apr 2, 2010 at 6:01 PM, Steven Crothers steven.croth...@gmail.comwrote: I honestly thought you were going to give a good reason. I guess slapping is pretty bad in the servers you visit eh? -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 6:24 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. In the instance where a player can leave a modded server he or she likes, it's not really that big of a deal. Now when you have people coming on to legitimate community servers and causing problems with modded files and plugins it's a different story, as in the first scenario, the person running the server has malicious intent, whereas in the second scenario, the malicious user is joining a server where plugins may give them an unfair advantage against other players. While I agree that server operators can load plugins that do nasty things, the player has the option to leave, whereas if a malicious client plugin user joins a server, the server operator has to ban that person, if they even know they're using a plugin in the first place. I agree with the notion that clients should not be able to load plugins. Why? Because if you really want a lan server for 20 minutes you can run the server tool off your computer, a VM, or something of that nature. The people who are using plugins for legitimate reasons (such as testing) KNOW how to setup a server. To Saul, A server owner can run malicious programs to spam users with text, sounds, slap the player, and just make the game unplayable to the person. It could be subtle as well, such as making clients do differing amounts of damage (way lower, way higher than usual, etc.) But the client has the option to leave said server without much toil. On Fri, Apr 2, 2010 at 5:03 PM, Scott Highland tgnwe...@gmail.com wrote: How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not. Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not? 1nsane wrote: Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.com wrote: They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server plugins that stop client plugins are only checking PUBLICALY known cvars such as sm_version,if those cvars are renamed or don't exit, you get to load any plugin you want and be a major HAXXOR besting this detection. Also the Source engine was just fine for years before people figured out how to make/use client plugins. Disabling client side plugin loading would probably be the easiest way of fixing this. Why should the game client load a VSP (Valve SERVER Plugin) unless it's a listen server? On Fri, Apr 2, 2010 at 12:52 AM, Scott Highland
Re: [hlds] Plugin Loading on clients, enough is enough.
Yeah, I seriously am failing to see what a malicious plugin could possibly be. To some people, this coming from me should be saying something. Some people might consider some plugins to be minorly annoying, but there really isn't any way for a game server to install spyware on your computer or something equally retarded. As somebody said, if you go to a server that is running malicious text ad spam or something... then leave. On Fri, 2010-04-02 at 19:13 -0400, Steven Crothers wrote: The most a plugin can do is change your name and a few other cvars. It's not like srcds is an open window to your harddrive or anything... -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 7:09 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. I've never run malicious plugins so I really don't know what's out there. Here's a good website where you might find some more examples for your reference. http://www.google.com On Fri, Apr 2, 2010 at 6:01 PM, Steven Crothers steven.croth...@gmail.comwrote: I honestly thought you were going to give a good reason. I guess slapping is pretty bad in the servers you visit eh? -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 6:24 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. In the instance where a player can leave a modded server he or she likes, it's not really that big of a deal. Now when you have people coming on to legitimate community servers and causing problems with modded files and plugins it's a different story, as in the first scenario, the person running the server has malicious intent, whereas in the second scenario, the malicious user is joining a server where plugins may give them an unfair advantage against other players. While I agree that server operators can load plugins that do nasty things, the player has the option to leave, whereas if a malicious client plugin user joins a server, the server operator has to ban that person, if they even know they're using a plugin in the first place. I agree with the notion that clients should not be able to load plugins. Why? Because if you really want a lan server for 20 minutes you can run the server tool off your computer, a VM, or something of that nature. The people who are using plugins for legitimate reasons (such as testing) KNOW how to setup a server. To Saul, A server owner can run malicious programs to spam users with text, sounds, slap the player, and just make the game unplayable to the person. It could be subtle as well, such as making clients do differing amounts of damage (way lower, way higher than usual, etc.) But the client has the option to leave said server without much toil. On Fri, Apr 2, 2010 at 5:03 PM, Scott Highland tgnwe...@gmail.com wrote: How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not. Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not? 1nsane wrote: Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.com wrote: They're loaded at launch, like any other DLL. It's basically treated like another game DLL (in terms of callbacks). If plugins are loaded when a listen server is created, what about after that? Even if the plugin is unloaded, the plugin could have injected anything into the engine without VAC noticing. Like I keep saying: the only way to prevent this is to have plugins for dedicated servers only. Thanks, - Saul. On 2 April 2010 16:40, 1nsane 1nsane...@gmail.com wrote: So tell me, if I make my own hacking plugin and have it privately shared with trusted people, how will any server admin be able to detect it? The server
Re: [hlds] Plugin Loading on clients, enough is enough.
Malicious as in using the plugin to cheat. There is ways to control damage dealt by bullets and projectiles, as well as controlling crit factor, player speed and a number of different important gameplay aspects using SourceMod. All you need is to know how to write a simple script. And Cc that doesn't really do anything to justify the breaking of mods designed to be installed on the client. You know what, this whole thread really just puzzles the pinkhearts out of me, I really can't be arsed to defend this position anymore, if theres any single person out there who believes in surviving developers rights then good luck. msleeper wrote: Yeah, I seriously am failing to see what a malicious plugin could possibly be. To some people, this coming from me should be saying something. Some people might consider some plugins to be minorly annoying, but there really isn't any way for a game server to install spyware on your computer or something equally retarded. As somebody said, if you go to a server that is running malicious text ad spam or something... then leave. On Fri, 2010-04-02 at 19:13 -0400, Steven Crothers wrote: The most a plugin can do is change your name and a few other cvars. It's not like srcds is an open window to your harddrive or anything... -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 7:09 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. I've never run malicious plugins so I really don't know what's out there. Here's a good website where you might find some more examples for your reference. http://www.google.com On Fri, Apr 2, 2010 at 6:01 PM, Steven Crothers steven.croth...@gmail.comwrote: I honestly thought you were going to give a good reason. I guess slapping is pretty bad in the servers you visit eh? -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Cc2iscooL Sent: Friday, April 02, 2010 6:24 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. In the instance where a player can leave a modded server he or she likes, it's not really that big of a deal. Now when you have people coming on to legitimate community servers and causing problems with modded files and plugins it's a different story, as in the first scenario, the person running the server has malicious intent, whereas in the second scenario, the malicious user is joining a server where plugins may give them an unfair advantage against other players. While I agree that server operators can load plugins that do nasty things, the player has the option to leave, whereas if a malicious client plugin user joins a server, the server operator has to ban that person, if they even know they're using a plugin in the first place. I agree with the notion that clients should not be able to load plugins. Why? Because if you really want a lan server for 20 minutes you can run the server tool off your computer, a VM, or something of that nature. The people who are using plugins for legitimate reasons (such as testing) KNOW how to setup a server. To Saul, A server owner can run malicious programs to spam users with text, sounds, slap the player, and just make the game unplayable to the person. It could be subtle as well, such as making clients do differing amounts of damage (way lower, way higher than usual, etc.) But the client has the option to leave said server without much toil. On Fri, Apr 2, 2010 at 5:03 PM, Scott Highland tgnwe...@gmail.com wrote: How would disabling it be best? Again, no one on the list seems to get it. I don't doubt that it's possible to load addons on the client, I'm very sure it is. You guys seem to want to make the assumption that anything that could be loaded into the client that can be malicious, IS in fact malicious. Server administrators can install malicious plugins that can do things 100x worse than any plugin on the client could do. Am I going to make the argument that the whole system that allows servers to load custom plugins should be removed, obviously not. Why is it servers should be immune to this kind of 'security' (it's a very false sense of security, what you guys are suggesting) and the game client should not? 1nsane wrote: Right, having it disabled entirely would be the best. As I said before, there's the Steam SRCDS that practically installs itself with Source engine games/mods if you need plugins and don't want standalone SRCDS. On Fri, Apr 2, 2010 at 12:53 PM, Saul Rennison saul.renni...@gmail.com wrote: They're loaded at launch, like any other DLL
Re: [hlds] Plugin Loading on clients, enough is enough.
side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeperhl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information
Re: [hlds] Plugin Loading on clients, enough is enough.
clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeperhl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4995
Re: [hlds] Plugin Loading on clients, enough is enough.
on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeperhl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4995 (20100402
Re: [hlds] Plugin Loading on clients, enough is enough.
--- Scott Highland wrote: Maybe you could explain why this whole list, and the company that runs it should all agree to completely remove the ability to incorporate modifications just because it would suit YOUR needs as an anti-cheat function to thwart the .3% of TF2 players that are abusing it in this fashion? That's a pretty self-centered way of thinking and kind of ridiculous, it's sad so many of you don't seem to see it this way. --- The only suggestion I have seen that seems appropriate is a server CVAR that forcefully unloads any non-valve released client plugins. (sv_pure extension could be pretty good, but has a couple of issues). Which would allow everyone a decent options. A CVAR was added to effectively disable Mic spam, remove the wait command from client scripts. Of which a very small portion of the population actually used, however, it only takes one aimbot to hop into a full server and empty it in a matter of minutes and does a number to the games overall population. How many games that made zero efforts against cheating and other aspects do you think hold an audience? That is what most of this discussion is about. A new threat is out there, all be it small at the moment, but might as well get the counter measures in place now. Some client side plugins are legitimate as I pointed out, and loosing those functions would be a hinderance to many players, but asking for Valve to give server ops an option to disallow client plugins on their servers isn't too much of a stretch since there is now a very public website and scripts that from what I read serve no purpose other than exploiting the game environment. Rather than having multiple parties code anti-cheat plugins, a bunch of server ops with something extra to worry about, it be a nice addition if Valve could give an option to server admins to disable non-valve released client plugin. I don't think that is an unreasonable thing to ask for if it's possible. I think the blanket removing of the feature entirely is a bit over the top myself. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
So consider Valve does disable clientside plugins, what will change? Absolutely nothing. All the cheaters will continue to use their cheats that don't rely on clientside plugins. Everyone else will use a network proxy, which can replication all the malicious exploits you're worried about. With a network proxy you just send net_SetConVar to force any cvar on the client. There's also the magic of the exploits in the netcode that aren't fixed, like net_StringCmd before you do any sign on, which is what the NULL player crash is. There's also the client disconnect control command, which is again being exploited by the lua clientside plugin, but is trivial to do with a network proxy. In the end Valve needs to fix the real exploits, which are the source of the issue, not disable a very useful feature. On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net wrote: --- Scott Highland wrote: Maybe you could explain why this whole list, and the company that runs it should all agree to completely remove the ability to incorporate modifications just because it would suit YOUR needs as an anti-cheat function to thwart the .3% of TF2 players that are abusing it in this fashion? That's a pretty self-centered way of thinking and kind of ridiculous, it's sad so many of you don't seem to see it this way. --- The only suggestion I have seen that seems appropriate is a server CVAR that forcefully unloads any non-valve released client plugins. (sv_pure extension could be pretty good, but has a couple of issues). Which would allow everyone a decent options. A CVAR was added to effectively disable Mic spam, remove the wait command from client scripts. Of which a very small portion of the population actually used, however, it only takes one aimbot to hop into a full server and empty it in a matter of minutes and does a number to the games overall population. How many games that made zero efforts against cheating and other aspects do you think hold an audience? That is what most of this discussion is about. A new threat is out there, all be it small at the moment, but might as well get the counter measures in place now. Some client side plugins are legitimate as I pointed out, and loosing those functions would be a hinderance to many players, but asking for Valve to give server ops an option to disallow client plugins on their servers isn't too much of a stretch since there is now a very public website and scripts that from what I read serve no purpose other than exploiting the game environment. Rather than having multiple parties code anti-cheat plugins, a bunch of server ops with something extra to worry about, it be a nice addition if Valve could give an option to server admins to disable non-valve released client plugin. I don't think that is an unreasonable thing to ask for if it's possible. I think the blanket removing of the feature entirely is a bit over the top myself. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
While you may not be removing all the cheaters by giving a cvar to disable
client side plugins, you will be preventing the people who are too stupid to
do some of the more complex cheats. Why make it easier to cheat? Learning
how to Lua script (Or script in sourcepawn) isn't all that hard, especially
if you have a shell to plug into that handles all the major hooking you need
to do. The fact is, there are a lot of people who know how to read
instructions and can install sourcemod into the client directory pretty
easy. And from the sounds of it, there are pre-written lua scripts that they
can learn from to do whatever they want with the new client lua interface.
However, giving servers the option to disallow clients with plugins loaded
just like having the option to filter out clients that have failed md5
checksums for their textures isn't that bad of an idea. I can see where
client side plugins are useful, ESEA and such aside. However, they have no
place, or legitimacy being run on regular servers. While not all users do it
for malicious intent (Hey look, I was at a LAN!), the fact is most users
that use that interface, are doing so for malicious reasons.
Again, it may not stop the big boys, but making it easier to cheat just
doesn't make sense in my book.
On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet azuisl...@gmail.com wrote:
So consider Valve does disable clientside plugins, what will change?
Absolutely nothing. All the cheaters will continue to use their cheats
that don't rely on clientside plugins. Everyone else will use a
network proxy, which can replication all the malicious exploits you're
worried about. With a network proxy you just send net_SetConVar to
force any cvar on the client. There's also the magic of the exploits
in the netcode that aren't fixed, like net_StringCmd before you do any
sign on, which is what the NULL player crash is. There's also the
client disconnect control command, which is again being exploited by
the lua clientside plugin, but is trivial to do with a network proxy.
In the end Valve needs to fix the real exploits, which are the source
of the issue, not disable a very useful feature.
On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net
wrote:
--- Scott Highland wrote:
Maybe you could explain why this whole list, and the company that runs it
should all agree to completely remove the ability to incorporate
modifications just because it would suit YOUR needs as an anti-cheat
function to thwart the .3% of TF2 players that are abusing it in this
fashion? That's a pretty self-centered way of thinking and kind of
ridiculous, it's sad so many of you don't seem to see it this way.
---
The only suggestion I have seen that seems appropriate is a server CVAR
that
forcefully unloads any non-valve released client plugins. (sv_pure
extension
could be pretty good, but has a couple of issues). Which would allow
everyone a decent options. A CVAR was added to effectively disable Mic
spam,
remove the wait command from client scripts. Of which a very small
portion
of the population actually used, however, it only takes one aimbot to hop
into a full server and empty it in a matter of minutes and does a number
to
the games overall population. How many games that made zero efforts
against
cheating and other aspects do you think hold an audience? That is what
most
of this discussion is about. A new threat is out there, all be it small
at
the moment, but might as well get the counter measures in place now.
Some client side plugins are legitimate as I pointed out, and loosing
those
functions would be a hinderance to many players, but asking for Valve to
give server ops an option to disallow client plugins on their servers
isn't
too much of a stretch since there is now a very public website and
scripts
that from what I read serve no purpose other than exploiting the game
environment. Rather than having multiple parties code anti-cheat plugins,
a
bunch of server ops with something extra to worry about, it be a nice
addition if Valve could give an option to server admins to disable
non-valve
released client plugin. I don't think that is an unreasonable thing to
ask
for if it's possible.
I think the blanket removing of the feature entirely is a bit over the
top
myself.
___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
--
All programmers are playwrights and all computers are lousy actors.
- Unknown
When I do good, I feel good; when I do bad, I feel bad, and that is my
religion.
- Abraham Lincoln
Mark J. Gunnett
[EoE]SniperFodder{AL}
Re: [hlds] Plugin Loading on clients, enough is enough.
Make it a launch option of srcds to allow plugins on the server. Not a cvar. And off by default. Then, for people who are serious about client plugins, maybe a way to have them signed by Valve. Think Apple App Store for iPhone. Allan -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mark Gunnett Sent: Saturday, April 03, 2010 12:14 AM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. While you may not be removing all the cheaters by giving a cvar to disable client side plugins, you will be preventing the people who are too stupid to do some of the more complex cheats. Why make it easier to cheat? Learning how to Lua script (Or script in sourcepawn) isn't all that hard, especially if you have a shell to plug into that handles all the major hooking you need to do. The fact is, there are a lot of people who know how to read instructions and can install sourcemod into the client directory pretty easy. And from the sounds of it, there are pre-written lua scripts that they can learn from to do whatever they want with the new client lua interface. However, giving servers the option to disallow clients with plugins loaded just like having the option to filter out clients that have failed md5 checksums for their textures isn't that bad of an idea. I can see where client side plugins are useful, ESEA and such aside. However, they have no place, or legitimacy being run on regular servers. While not all users do it for malicious intent (Hey look, I was at a LAN!), the fact is most users that use that interface, are doing so for malicious reasons. Again, it may not stop the big boys, but making it easier to cheat just doesn't make sense in my book. On Fri, Apr 2, 2010 at 9:43 PM, AzuiSleet azuisl...@gmail.com wrote: So consider Valve does disable clientside plugins, what will change? Absolutely nothing. All the cheaters will continue to use their cheats that don't rely on clientside plugins. Everyone else will use a network proxy, which can replication all the malicious exploits you're worried about. With a network proxy you just send net_SetConVar to force any cvar on the client. There's also the magic of the exploits in the netcode that aren't fixed, like net_StringCmd before you do any sign on, which is what the NULL player crash is. There's also the client disconnect control command, which is again being exploited by the lua clientside plugin, but is trivial to do with a network proxy. In the end Valve needs to fix the real exploits, which are the source of the issue, not disable a very useful feature. On Fri, Apr 2, 2010 at 8:22 PM, Charles Mabbott cmabb...@verizon.net wrote: --- Scott Highland wrote: Maybe you could explain why this whole list, and the company that runs it should all agree to completely remove the ability to incorporate modifications just because it would suit YOUR needs as an anti-cheat function to thwart the .3% of TF2 players that are abusing it in this fashion? That's a pretty self-centered way of thinking and kind of ridiculous, it's sad so many of you don't seem to see it this way. --- The only suggestion I have seen that seems appropriate is a server CVAR that forcefully unloads any non-valve released client plugins. (sv_pure extension could be pretty good, but has a couple of issues). Which would allow everyone a decent options. A CVAR was added to effectively disable Mic spam, remove the wait command from client scripts. Of which a very small portion of the population actually used, however, it only takes one aimbot to hop into a full server and empty it in a matter of minutes and does a number to the games overall population. How many games that made zero efforts against cheating and other aspects do you think hold an audience? That is what most of this discussion is about. A new threat is out there, all be it small at the moment, but might as well get the counter measures in place now. Some client side plugins are legitimate as I pointed out, and loosing those functions would be a hinderance to many players, but asking for Valve to give server ops an option to disallow client plugins on their servers isn't too much of a stretch since there is now a very public website and scripts that from what I read serve no purpose other than exploiting the game environment. Rather than having multiple parties code anti-cheat plugins, a bunch of server ops with something extra to worry about, it be a nice addition if Valve could give an option to server admins to disable non-valve released client plugin. I don't think that is an unreasonable thing to ask for if it's possible. I think the blanket removing of the feature entirely is a bit over the top myself
Re: [hlds] Plugin Loading on clients, enough is enough.
No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
What are you smoking Scott? You cannot block client side plugins as this has since been rectified by some scripting developers. If there are indeed some legitimate plugins out there that should be running on Clients, than they should contact VALVe like I'm sure the Xfire corporation did just to be able to not have their customers VACed anymore (Even though Xfire is an external application that hooks onto hl2, I'm sure that it would be the same concept never the less.) Now Scott, Stabbykat, Stabby Bacony Kitty, whatever you do go by. If you do honestly have a better suggestion, say it. Since Valve is a rather slow moving company as some of these short comings with the engine have been released to the public for over a year, this could save them some pain and suffering as it should be a quick fix even if some basic functionality is removed from the clients. Kyle. On Thu, Apr 1, 2010 at 9:52 PM, Scott Highland tgnwe...@gmail.com wrote: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Calling us idiots is very mature. I guess you also approve all the exploits in the game too? I'm sure many players would like to keep their free wallhack with sourcemod. Why should we have to install plugins to stop these serious holes in the dedicated servers that allow such tricks? Don't you think that it's Valves job in the end after all? I'd rather see all clients plugins blocked if no better solution can be reached. So far you haven't presented one either. There has to be a some kind of solution to running plugins on the client. Current way just allows free cheats with no fear of VAC ban. -ics 2.4.2010 7:52, Scott Highland kirjoitti: No offense, but this whole list sucks at problem solving, every single idea to deal with this issue suggested in this thread is just terrible, absolutely terrible. You can't disable clientside plugins just because a few admins are too lazy to want to install a plugin to block people using clientside plugins. People have the right to install clientside addons just as server administrators have the right to install whatever addons they want on their server. It's easy for you morons to want to impose this on everyone without seeing any consequences, Valve actually has to deal with the complaints from their customers who use legitimate uses for their plugins. Why don't you let professionals with their own companies reputation on the line deal with this intense decision making process. Suggesting valve should add a cvar to disable people with plugins is dumb, there's already plugins out there that does exactly this, go install it and quit complaining. Don't make Valve spent their time babying the few admins too stupid to know how to set up a serious dedicated server. This issue is basically the equivalent to the material hacks that are possible to use anywhere on servers that have sv_pure set to 0 still. It's not a big deal in the scope of things, and theres already ways of dealing with it. Now quit acting like this is Valve's fault and go back to blaming hackers and cheaters for your in-game shortcomings. Arg! wrote: I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennisonsaul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeperhl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET NOD32 Antivirus, version of virus signature database 4989 (20100331) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4993 (20100401) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
I doubt making a cvar would work as the plugins could simply override it as they do now. On Thu, Apr 1, 2010 at 2:04 AM, Saul Rennison saul.renni...@gmail.com wrote: If you aren't modifying game memory (i.e. hooking functions), then VAC won't mind. Thanks, - Saul. On 31 March 2010 16:00, Keeper hl2li...@afksoftware.com wrote: I don't know how VAC works, but if it's loaded via a client side plugin, I doubt VAC sees it as an external program altering the game's memory space. But not knowing how VAC works, there's no telling what they look for or how they are detecting it. Keeper -Original Message- From: Michael Krasnow [mailto:mnk...@gmail.com] Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weirds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Clients should never need any addons loaded. They can do just fine without them too. Having any plugins installed on client can do huge damage to servers so ability to run those on clients should be blocked. Players game shouldnt even start if there are something within addons folder on the pc or something else. Something that cannot be bypassed within 1 second. If clients need plugins, they should be separate from addons, like client-addons in which they could be used and not at all on a server. The current way is ridiculous that a CLIENT can have same plugin as SERVER and have free wallhack among other things. I seriously hope they are working for a fix for this and for the several other exploits that currently exist within the older CSS engine and the newer ones too. -ics 28.3.2010 22:50, Charles Mabbott kirjoitti: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn .anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeperhl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interfacehttp://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want
Re: [hlds] Plugin Loading on clients, enough is enough.
Sadly this would remove the ability for people to run a server with plugins through their client. I've done this in the past to host a LAN game using a few plugins to play some of the gametypes people have created. While I agree something must be done, I don't really want to see that functionality going away. On Tue, Mar 30, 2010 at 3:55 AM, ics i...@ics-base.net wrote: Clients should never need any addons loaded. They can do just fine without them too. Having any plugins installed on client can do huge damage to servers so ability to run those on clients should be blocked. Players game shouldnt even start if there are something within addons folder on the pc or something else. Something that cannot be bypassed within 1 second. If clients need plugins, they should be separate from addons, like client-addons in which they could be used and not at all on a server. The current way is ridiculous that a CLIENT can have same plugin as SERVER and have free wallhack among other things. I seriously hope they are working for a fix for this and for the several other exploits that currently exist within the older CSS engine and the newer ones too. -ics 28.3.2010 22:50, Charles Mabbott kirjoitti: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn .anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeperhl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interfacehttp://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have
Re: [hlds] Plugin Loading on clients, enough is enough.
Also, I don't think that removing the plugin functionality is going to fix anything. There are other ways to inject a DLL into a running process. What really needs to happen is for VAC to be updated to detect the cheater plugins. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Craig H Sent: Tuesday, March 30, 2010 3:35 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Sadly this would remove the ability for people to run a server with plugins through their client. I've done this in the past to host a LAN game using a few plugins to play some of the gametypes people have created. While I agree something must be done, I don't really want to see that functionality going away. On Tue, Mar 30, 2010 at 3:55 AM, ics i...@ics-base.net wrote: Clients should never need any addons loaded. They can do just fine without them too. Having any plugins installed on client can do huge damage to servers so ability to run those on clients should be blocked. Players game shouldnt even start if there are something within addons folder on the pc or something else. Something that cannot be bypassed within 1 second. If clients need plugins, they should be separate from addons, like client-addons in which they could be used and not at all on a server. The current way is ridiculous that a CLIENT can have same plugin as SERVER and have free wallhack among other things. I seriously hope they are working for a fix for this and for the several other exploits that currently exist within the older CSS engine and the newer ones too. -ics 28.3.2010 22:50, Charles Mabbott kirjoitti: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn .anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeperhl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interfacehttp://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can
Re: [hlds] Plugin Loading on clients, enough is enough.
What about GCFscape thats how people install SM and others on their listen servers, thats like the only thing valve uses, is GCF On Tue, Mar 30, 2010 at 8:31 PM, Arg! chillic...@gmail.com wrote: Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. On Wed, Mar 31, 2010 at 10:12 AM, Tony Paloma drunkenf...@hotmail.com wrote: Also, I don't think that removing the plugin functionality is going to fix anything. There are other ways to inject a DLL into a running process. What really needs to happen is for VAC to be updated to detect the cheater plugins. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Craig H Sent: Tuesday, March 30, 2010 3:35 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Sadly this would remove the ability for people to run a server with plugins through their client. I've done this in the past to host a LAN game using a few plugins to play some of the gametypes people have created. While I agree something must be done, I don't really want to see that functionality going away. On Tue, Mar 30, 2010 at 3:55 AM, ics i...@ics-base.net wrote: Clients should never need any addons loaded. They can do just fine without them too. Having any plugins installed on client can do huge damage to servers so ability to run those on clients should be blocked. Players game shouldnt even start if there are something within addons folder on the pc or something else. Something that cannot be bypassed within 1 second. If clients need plugins, they should be separate from addons, like client-addons in which they could be used and not at all on a server. The current way is ridiculous that a CLIENT can have same plugin as SERVER and have free wallhack among other things. I seriously hope they are working for a fix for this and for the several other exploits that currently exist within the older CSS engine and the newer ones too. -ics 28.3.2010 22:50, Charles Mabbott kirjoitti: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn .anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeperhl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading
Re: [hlds] Plugin Loading on clients, enough is enough.
what Michael Krasnow wrote: What about GCFscape thats how people install SM and others on their listen servers, thats like the only thing valve uses, is GCF On Tue, Mar 30, 2010 at 8:31 PM, Arg! chillic...@gmail.com wrote: Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. On Wed, Mar 31, 2010 at 10:12 AM, Tony Paloma drunkenf...@hotmail.com wrote: Also, I don't think that removing the plugin functionality is going to fix anything. There are other ways to inject a DLL into a running process. What really needs to happen is for VAC to be updated to detect the cheater plugins. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Craig H Sent: Tuesday, March 30, 2010 3:35 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Sadly this would remove the ability for people to run a server with plugins through their client. I've done this in the past to host a LAN game using a few plugins to play some of the gametypes people have created. While I agree something must be done, I don't really want to see that functionality going away. On Tue, Mar 30, 2010 at 3:55 AM, ics i...@ics-base.net wrote: Clients should never need any addons loaded. They can do just fine without them too. Having any plugins installed on client can do huge damage to servers so ability to run those on clients should be blocked. Players game shouldnt even start if there are something within addons folder on the pc or something else. Something that cannot be bypassed within 1 second. If clients need plugins, they should be separate from addons, like client-addons in which they could be used and not at all on a server. The current way is ridiculous that a CLIENT can have same plugin as SERVER and have free wallhack among other things. I seriously hope they are working for a fix for this and for the several other exploits that currently exist within the older CSS engine and the newer ones too. -ics 28.3.2010 22:50, Charles Mabbott kirjoitti: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn .anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeperhl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like
Re: [hlds] Plugin Loading on clients, enough is enough.
im saying even if the binaries are separated people will still use gcfscape to modify them On Tue, Mar 30, 2010 at 9:12 PM, mfan michael.fan...@gmail.com wrote: what Michael Krasnow wrote: What about GCFscape thats how people install SM and others on their listen servers, thats like the only thing valve uses, is GCF On Tue, Mar 30, 2010 at 8:31 PM, Arg! chillic...@gmail.com wrote: Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. On Wed, Mar 31, 2010 at 10:12 AM, Tony Paloma drunkenf...@hotmail.com wrote: Also, I don't think that removing the plugin functionality is going to fix anything. There are other ways to inject a DLL into a running process. What really needs to happen is for VAC to be updated to detect the cheater plugins. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Craig H Sent: Tuesday, March 30, 2010 3:35 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Sadly this would remove the ability for people to run a server with plugins through their client. I've done this in the past to host a LAN game using a few plugins to play some of the gametypes people have created. While I agree something must be done, I don't really want to see that functionality going away. On Tue, Mar 30, 2010 at 3:55 AM, ics i...@ics-base.net wrote: Clients should never need any addons loaded. They can do just fine without them too. Having any plugins installed on client can do huge damage to servers so ability to run those on clients should be blocked. Players game shouldnt even start if there are something within addons folder on the pc or something else. Something that cannot be bypassed within 1 second. If clients need plugins, they should be separate from addons, like client-addons in which they could be used and not at all on a server. The current way is ridiculous that a CLIENT can have same plugin as SERVER and have free wallhack among other things. I seriously hope they are working for a fix for this and for the several other exploits that currently exist within the older CSS engine and the newer ones too. -ics 28.3.2010 22:50, Charles Mabbott kirjoitti: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn .anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeperhl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would
Re: [hlds] Plugin Loading on clients, enough is enough.
Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weird On Tue, Mar 30, 2010 at 9:26 PM, Keeper hl2li...@afksoftware.com wrote: Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
I'm sure Valve will fix it immediately... once you show them how fixing the HLDS is profitable and worth the man-hours at $50-$60/man-hour. $0.02 -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Michael Krasnow Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weird On Tue, Mar 30, 2010 at 9:26 PM, Keeper hl2li...@afksoftware.com wrote: Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
The same way taking the entire 225 person company to Hawaii is profitable. :P On Tue, Mar 30, 2010 at 6:44 PM, Steven Crothers steven.croth...@gmail.comwrote: I'm sure Valve will fix it immediately... once you show them how fixing the HLDS is profitable and worth the man-hours at $50-$60/man-hour. $0.02 -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Michael Krasnow Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weird On Tue, Mar 30, 2010 at 9:26 PM, Keeper hl2li...@afksoftware.com wrote: Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
So you want to make VAC ban for Sourcemod? Nice one :) BTW There is a tutorial on how to make your own client side cheat plugin on some site, so a lot of people will have their own plugin which will be private, so a lot of people wouldn't be banned. Just disallow the client side plugins, I doubt much people care about having plugins on their LAN servers (I doubt much people even use LAN servers). 2010/3/31 Matt Hoffman lord.matt.hoff...@gmail.com The same way taking the entire 225 person company to Hawaii is profitable. :P On Tue, Mar 30, 2010 at 6:44 PM, Steven Crothers steven.croth...@gmail.comwrote: I'm sure Valve will fix it immediately... once you show them how fixing the HLDS is profitable and worth the man-hours at $50-$60/man-hour. $0.02 -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Michael Krasnow Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weird On Tue, Mar 30, 2010 at 9:26 PM, Keeper hl2li...@afksoftware.com wrote: Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
make it a cvar? don't just outright ban it sv_allowplugins 0 AnAkIn . wrote: So you want to make VAC ban for Sourcemod? Nice one :) BTW There is a tutorial on how to make your own client side cheat plugin on some site, so a lot of people will have their own plugin which will be private, so a lot of people wouldn't be banned. Just disallow the client side plugins, I doubt much people care about having plugins on their LAN servers (I doubt much people even use LAN servers). 2010/3/31 Matt Hoffman lord.matt.hoff...@gmail.com The same way taking the entire 225 person company to Hawaii is profitable. :P On Tue, Mar 30, 2010 at 6:44 PM, Steven Crothers steven.croth...@gmail.comwrote: I'm sure Valve will fix it immediately... once you show them how fixing the HLDS is profitable and worth the man-hours at $50-$60/man-hour. $0.02 -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Michael Krasnow Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weird On Tue, Mar 30, 2010 at 9:26 PM, Keeper hl2li...@afksoftware.com wrote: Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Or allow it if it is *only* a LAN server. Solves random internet asshats loading plugins on a local server while connecting to an internet server, but still allows local dev testing and lan party weirdness. Besides, if the cheater is on the lan, you can walk straight up to him and sock him in the teeth. On 3/31/2010 12:30 AM, mfan wrote: make it a cvar? don't just outright ban it sv_allowplugins 0 AnAkIn . wrote: So you want to make VAC ban for Sourcemod? Nice one :) BTW There is a tutorial on how to make your own client side cheat plugin on some site, so a lot of people will have their own plugin which will be private, so a lot of people wouldn't be banned. Just disallow the client side plugins, I doubt much people care about having plugins on their LAN servers (I doubt much people even use LAN servers). 2010/3/31 Matt Hoffmanlord.matt.hoff...@gmail.com The same way taking the entire 225 person company to Hawaii is profitable. :P On Tue, Mar 30, 2010 at 6:44 PM, Steven Crothers steven.croth...@gmail.comwrote: I'm sure Valve will fix it immediately... once you show them how fixing the HLDS is profitable and worth the man-hours at $50-$60/man-hour. $0.02 -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Michael Krasnow Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weird On Tue, Mar 30, 2010 at 9:26 PM, Keeperhl2li...@afksoftware.com wrote: Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com
Re: [hlds] Plugin Loading on clients, enough is enough.
Just block it entirely. If it's a lan or a temp server just use the Steam Dedicated Server from the tools tab. It practically installs itself with the games anyway. And if the main client crashes, the server will go on. That's a bonus. On Wed, Mar 31, 2010 at 1:37 AM, Matt Stanton inflatablesoulm...@brothersofchaos.com wrote: Or allow it if it is *only* a LAN server. Solves random internet asshats loading plugins on a local server while connecting to an internet server, but still allows local dev testing and lan party weirdness. Besides, if the cheater is on the lan, you can walk straight up to him and sock him in the teeth. On 3/31/2010 12:30 AM, mfan wrote: make it a cvar? don't just outright ban it sv_allowplugins 0 AnAkIn . wrote: So you want to make VAC ban for Sourcemod? Nice one :) BTW There is a tutorial on how to make your own client side cheat plugin on some site, so a lot of people will have their own plugin which will be private, so a lot of people wouldn't be banned. Just disallow the client side plugins, I doubt much people care about having plugins on their LAN servers (I doubt much people even use LAN servers). 2010/3/31 Matt Hoffmanlord.matt.hoff...@gmail.com The same way taking the entire 225 person company to Hawaii is profitable. :P On Tue, Mar 30, 2010 at 6:44 PM, Steven Crothers steven.croth...@gmail.comwrote: I'm sure Valve will fix it immediately... once you show them how fixing the HLDS is profitable and worth the man-hours at $50-$60/man-hour. $0.02 -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Michael Krasnow Sent: Tuesday, March 30, 2010 9:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. doesn't VAC check the memory? but +1 to the option for server admins, but somehow someone would find a way to change that or spoof it, idk, its weird On Tue, Mar 30, 2010 at 9:26 PM, Keeperhl2li...@afksoftware.com wrote: Once code is loaded into memory, it's open game. It doesn't matter what the server/client relationship is. If I have a binary/application that hunts for that code in memory, then I can change any value I want. I have written some code in my plugin that locks down certain values that I know people are using to alter game play, but to figure out all of the holes people are trying to exploit would be fruitless. Then you have 5 different games ( well L4D and L4D2 are pretty close so maybe 4 ), there's no way to handle that reasonably. If VALVe gave the server operators the choice to keep clients that have plugins running, that would cut some of them out. But even as COD6 has proved, you definitely don't need a client side plugin to cheat. Keeper -Original Message- From: Arg! [mailto:chillic...@gmail.com] Sent: Tuesday, March 30, 2010 8:31 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Im certainly no expert on how the libraries are being used here, but shouldnt the code explicitly state that certain cvars are to only come from the replicated source, eg the game server? Sure there might be ways around this with injection as mentioned but shouldnt the listen server (to cover the lan side) be using a seperate copy of the engine binaries which are affected here so when plugins are run in that context, they do not override the cvars being replicated from the actual gameserver the client is connected to? I was under the impression this problem existed because the client was sharing binaries with another server running on the local machine, so seperating the binaries being used would fix this surely. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com
Re: [hlds] Plugin Loading on clients, enough is enough.
im missing the same vgui material On Mon, Mar 29, 2010 at 12:11 AM, Dominic Marciano lambda1_...@hotmail.comwrote: Pov-Record 1.4.1 loadedRecording only curstomnamed demos--- Missing Vgui material vgui/..\vgui\icon_con_highYour version is 1.4.1Current version is 1.4.2. Updating is recommended.Please go to orangad.com.ua for releases and info. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 22:33:21 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Where can this plugin be located, and is there source code? Thanks, - Saul. On 28 March 2010 20:50, Charles Mabbott cmabb...@verizon.net wrote: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn . anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeper hl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players
Re: [hlds] Plugin Loading on clients, enough is enough.
I have also sent a few emails about this, no answer. It would be nice if they finally fix it. 2010/3/28 Michael Krasnow mnk...@gmail.com one day we will see this in a changelog: - Removed all commands so that people stop emailing us about fixing exploits. - All movements decreased by 100%. - Increased gravity to 9. - Removed chat features. Just wait for it, you will all see :) On Sat, Mar 27, 2010 at 9:08 PM, Kyle Sanderson kyle.l...@gmail.com wrote: David this was already rectified by the LSS developers, openscript is no longer the command as it can be easily renamed to anything. I've been getting hit numerous times by some new exploit which crashes clients / disconnects everyone ingame. From what I've been told, it's the new disconnect message feature in LSS which can clean out your entire server when they leave. This needs to be fixed as soon as possible, Kyle. On Sat, Mar 27, 2010 at 5:57 PM, David Kellaway david.kella...@member.fsf.org wrote: With regards to the LUA scripting plugin, the next version of KAC will treat it as a cheat. I completely agree that it's absurd the community has to write its own anticheat plugins to plug holes left by Valve's approach, though. --- Dave Kellaway david.kella...@member.fsf.org On 28 March 2010 00:33, Kyle Sanderson kyle.l...@gmail.com wrote: Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
While they're at it, maybe they'll fix the ghost player issue. Servers are being blacklisted for fake player counts because of this, because people don't know it's not our fault On Sun, Mar 28, 2010 at 4:32 AM, AnAkIn . anakin...@gmail.com wrote: I have also sent a few emails about this, no answer. It would be nice if they finally fix it. 2010/3/28 Michael Krasnow mnk...@gmail.com one day we will see this in a changelog: - Removed all commands so that people stop emailing us about fixing exploits. - All movements decreased by 100%. - Increased gravity to 9. - Removed chat features. Just wait for it, you will all see :) On Sat, Mar 27, 2010 at 9:08 PM, Kyle Sanderson kyle.l...@gmail.com wrote: David this was already rectified by the LSS developers, openscript is no longer the command as it can be easily renamed to anything. I've been getting hit numerous times by some new exploit which crashes clients / disconnects everyone ingame. From what I've been told, it's the new disconnect message feature in LSS which can clean out your entire server when they leave. This needs to be fixed as soon as possible, Kyle. On Sat, Mar 27, 2010 at 5:57 PM, David Kellaway david.kella...@member.fsf.org wrote: With regards to the LUA scripting plugin, the next version of KAC will treat it as a cheat. I completely agree that it's absurd the community has to write its own anticheat plugins to plug holes left by Valve's approach, though. --- Dave Kellaway david.kella...@member.fsf.org On 28 March 2010 00:33, Kyle Sanderson kyle.l...@gmail.com wrote: Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeper hl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn . anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeper hl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn . anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeper hl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds _ Looking for a new home? With all the latest places, searching has never been easier. http://clk.atdmt.com/NMN/go/157631292/direct/01/ ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn . anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeper hl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds _ Looking for a new home? With all the latest places, searching has never been easier. http://clk.atdmt.com/NMN/go/157631292/direct/01
Re: [hlds] Plugin Loading on clients, enough is enough.
Where can this plugin be located, and is there source code? Thanks, - Saul. On 28 March 2010 20:50, Charles Mabbott cmabb...@verizon.net wrote: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn . anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeper hl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Pov-Record 1.4.1 loadedRecording only curstomnamed demos--- Missing Vgui material vgui/..\vgui\icon_con_highYour version is 1.4.1Current version is 1.4.2. Updating is recommended.Please go to orangad.com.ua for releases and info. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 22:33:21 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. Where can this plugin be located, and is there source code? Thanks, - Saul. On 28 March 2010 20:50, Charles Mabbott cmabb...@verizon.net wrote: In a general sense, there are a couple of client side plug-ins that do in fact serve a valid purpose, POV-Recorder, the ESEA Client plug-in and a couple of others. At this point I am definitely for simply locking out plug-ins on the client side, but I would rather not lose some of the functionality these have. And on another note, the client plugin to intercept CVAR responses to the server has existed for quite a while now. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Dominic Marciano Sent: Sunday, March 28, 2010 11:14 AM To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. it takes someone to fall to their death before they put safety rails. From: saul.renni...@gmail.com Date: Sun, 28 Mar 2010 14:56:39 +0100 To: hlds@list.valvesoftware.com Subject: Re: [hlds] Plugin Loading on clients, enough is enough. How about just allowing plugins for dedicated servers? Just as a heads up, I'm gonna try to make a client plugin which hooks SVC_GetCvarValue, and just always responds with the default CVar value. This renders any server-side cheat detection (like KAC) completely useless. Hopefully releasing it as a POC will force VALVe to do something (why does it always have to come to this?) Thanks, - Saul. On 28 March 2010 14:49, AnAkIn . anakin...@gmail.com wrote: I don't think that's a good idea. Someone will just code a client side plugin to report false informations to the server. 2010/3/28 Keeper hl2li...@afksoftware.com I have e-mailed somebody at valve, and simply asked them if the server operators can see a list of plugins on the client ( like plugin_print ). This would give the operator the ability to kick if plugins are loaded on the client. But I think also looking at the GameBin will allow the server to see if they are loading anything outside of the standard VSP interface. I don't think stopping it will be completely possible on the client, but giving the server operator the choice would be a nice thing. But they did respond that they are working on it. Keeper -Original Message- From: Kyle Sanderson [mailto:kyle.l...@gmail.com] Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your
[hlds] Plugin Loading on clients, enough is enough.
Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Personally, I think that client side plugins should be allowed, but limited in their possible scope. Things like http://www.tf2newbs.com/newbs_blog/2010/03/15/console-in-plugin/ are damned useful, but don't really allow you to do anything you couldn't do by typing into the console manually. That is the kind of client side plugin I think should be allowed. I use the above because keeping track of what I have bound to where to get G-Keys to work for me is a PITA. (Not arguing that the LUA plugin should be allowed, for the record) -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kyle Sanderson Sent: Saturday, March 27, 2010 8:33 PM To: Half-Life dedicated Linux server mailing list; Half-Life dedicated Win32 server mailing list Subject: [hlds] Plugin Loading on clients, enough is enough. Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
valve really needs to beef up the exploit blocking, look how many exploits are still out there, http://wiki.alliedmods.net/SRCDS_Hardening On Sat, Mar 27, 2010 at 8:57 PM, David Kellaway david.kella...@member.fsf.org wrote: With regards to the LUA scripting plugin, the next version of KAC will treat it as a cheat. I completely agree that it's absurd the community has to write its own anticheat plugins to plug holes left by Valve's approach, though. --- Dave Kellaway david.kella...@member.fsf.org On 28 March 2010 00:33, Kyle Sanderson kyle.l...@gmail.com wrote: Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
Agreed, hopefully public disclosure will help Valve get a move on fixing this. On Sun, Mar 28, 2010 at 12:03 PM, Michael Krasnow mnk...@gmail.com wrote: valve really needs to beef up the exploit blocking, look how many exploits are still out there, http://wiki.alliedmods.net/SRCDS_Hardening On Sat, Mar 27, 2010 at 8:57 PM, David Kellaway david.kella...@member.fsf.org wrote: With regards to the LUA scripting plugin, the next version of KAC will treat it as a cheat. I completely agree that it's absurd the community has to write its own anticheat plugins to plug holes left by Valve's approach, though. --- Dave Kellaway david.kella...@member.fsf.org On 28 March 2010 00:33, Kyle Sanderson kyle.l...@gmail.com wrote: Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
David this was already rectified by the LSS developers, openscript is no longer the command as it can be easily renamed to anything. I've been getting hit numerous times by some new exploit which crashes clients / disconnects everyone ingame. From what I've been told, it's the new disconnect message feature in LSS which can clean out your entire server when they leave. This needs to be fixed as soon as possible, Kyle. On Sat, Mar 27, 2010 at 5:57 PM, David Kellaway david.kella...@member.fsf.org wrote: With regards to the LUA scripting plugin, the next version of KAC will treat it as a cheat. I completely agree that it's absurd the community has to write its own anticheat plugins to plug holes left by Valve's approach, though. --- Dave Kellaway david.kella...@member.fsf.org On 28 March 2010 00:33, Kyle Sanderson kyle.l...@gmail.com wrote: Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Plugin Loading on clients, enough is enough.
one day we will see this in a changelog: - Removed all commands so that people stop emailing us about fixing exploits. - All movements decreased by 100%. - Increased gravity to 9. - Removed chat features. Just wait for it, you will all see :) On Sat, Mar 27, 2010 at 9:08 PM, Kyle Sanderson kyle.l...@gmail.com wrote: David this was already rectified by the LSS developers, openscript is no longer the command as it can be easily renamed to anything. I've been getting hit numerous times by some new exploit which crashes clients / disconnects everyone ingame. From what I've been told, it's the new disconnect message feature in LSS which can clean out your entire server when they leave. This needs to be fixed as soon as possible, Kyle. On Sat, Mar 27, 2010 at 5:57 PM, David Kellaway david.kella...@member.fsf.org wrote: With regards to the LUA scripting plugin, the next version of KAC will treat it as a cheat. I completely agree that it's absurd the community has to write its own anticheat plugins to plug holes left by Valve's approach, though. --- Dave Kellaway david.kella...@member.fsf.org On 28 March 2010 00:33, Kyle Sanderson kyle.l...@gmail.com wrote: Since forever, players have been able to load plugins on their clients letting them get around cheat sensitive variables such as sv_cheats, allowing them to use r_drawothermodels, mat_wireframe, etc. We as server admins have had the option to install various anti cheat addons (Kigen Anti Cheat, VBAC, and than some rather lame ones for EventScripts) in order to get around these quite severe downfalls in the engine. However now, there is a LUA scripting interface http://www.3rdera.com/ that has been written, and is now fully supporting engine exploits in order to cause trouble for server admins and for other players. No one can justify it's use, every single script written has been made to get around server settings and protections put in place to keep order, and to keep the game fluently moving along. Right now, players cannot be VAC banned for using this, it's also going against every single reason why VAC was created. Instead of battling these antics with these scripters, I'm begging you Valve to please remove this function from clients as there's absolutely no reason for them to have it. I've sent two emails to a couple employees which were left unanswered, I know others have done the same. Here's a forum full of countless exploits: http://www.3rdera.com/forum/viewforum.php?f=5 If you don't want to read the wall of text explaining why players should not be allowed to load plugins, I'm sure your common sense on the issue will be more than sufficient to respond. Kyle Sanderson. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
