I think it's too late. Either it's because I'm part of that evil FTE gang where we apparently a few years ago ran a smear campaign against Ezquake, despite me not having touched the FTE code until more than half a year after the supposed incident, or maybe it's because I'm somehow 'helping' a leage Molgrum is running which I until a few minutes ago didn't even know he was running, and I still don't know which one it is. Or well, insert your own silly conspiracy theory here.


The thing is that you're being deceived by the 'closed-source' thing. Just because you don't easily have the source code does not mean you can't figure out how it works or even work around it without even knowing how it works.

What you described is pretty much how it works now, except that the server would be the other clients. The problem is not in the verifying the response from the obscurity module, which is the part you want to move to the server. The problem is that you're asking the client to reliably determine if it is cheating or not, which it's completely impossible as long as the player has access to the computer he is playing on.


Oh yes, absolutely. That's pretty much what's going on right now.

Oh yes. Why go from one evil to another?


Well, what you have now is about 0% safe. You just THINK it works.

Here's a few possible attack vectors which would go 100% undetected by the obscurity module:
1) Proxy cheat
2) GL library modifications
3) Driver modifications
4) Kernel modifications
5) Input faking
6) Modifying executable on disk (The Ezquake 1754 obscurity module only verified 1.08% of the binary, the rest is free for you to modify)
7) Modifying the executable in memory (even easier, that's completely unchecked)
8) Insert more suggestions here

The thing is that the current obscurity module detects 0 (zero) cheats as it is right now. It doesn't even attempt to detect any cheats.


Whatever cheat prevention you want, it must be on the server. See what Molgrum wrote earlier, for example.

http://lavacat.com/iMouseFix/

clearly incorrect as it prevents a (fairly large) percentage of potential cheaters due to the simple fact that as of today there doesn't exist a link to a download package containing modified cheat client + hacked security module for win32, the majority of people playing have no interest in cheating and the aim is to establish a level playing field of client

as it has been said, the client side protection cannot be made uncrackable, but it can easily be improved to the point where the time and effort to crack it becomes less and less worthwhile, especially with new release happening as often as they do

Didnt read all of the things you guys said here.

However... a ezquake security dll as it looks today will not stop the serious cheaters today (as bigfoot) among others have pointed out 1000times. We all know it wont stop cheaters that really want to use wallhacks, aimbots or pass f_modified with hacked models. But what it does tho, is that it forces the average player (who is not cheating) to actually keep qw-folder clean from modified models, bugged clients and other stuff. Which will help legit players to compete on more equal terms.

I think that's what I tried some time ago, and it kept forgetting the settings every time it started... Or rather, it remembered the setting in the GUI, it just didn't apply it.

While we're at it, do you know how to set the keyboard repeat rate to somewhere inbetween 'bloody insane' and 'I'm gonna fall asleep soon'?

OK, so you're agreeing that it doesn't prevent any cheats or what? If not, then please name a cheat it prevents.

Does it prevent or detect something like Enemy Detector for 3D Games?


It can? I'd very much like to see that

The easiest attacks don't involve the obscurity module itself at all. I just attack it to prove that you can't win.


You mean once every 2 years?

But you can easily do that without the disadvantages of an obscurity module.

are you using a proper mac or are you using one of the hacked intel versions on unsupported hardware? or some fruity external keyboard? i've never felt the need to change keyboard repeat rates from default

if the mouse fix gui doesn't work for you, grab the source and compile a small binary from the source http://www.knockknock.org.uk/mac/MouseFix_v1.2.tar.gz that disables the accel for you, then just set it to run on user login

It's a proper Mac. A G4 Mac Mini running MacOS X 10.4.10 using a Logitech UltraX keyboard (but I don't see how the keyboard could affect the repeat rate needed )

The thing is that if I set the key repeat rate to the second highest value, it repeats about 5 times per second and if I set it to the highest, it repeats 25+ times per second. I need somewhere inbetween that.


Thanks, I'll try that.

In what way would we do that today?

Its used frequently in european leagues!

Question to Bigfoot!

Can you join the mvdsv dev team and integrate a serverside security check for the last stable ezquake (1.8.2 in this case)?

Wallhack can be prevented serverside.
Simple aimbots can be prevented serverside.
Forward rocketjumping can be prevented serverside.
And assuming that the average player knows nothing about programming, the client can do the model/sound modification check without any module.

This would be the best way that I can think of.

afaik the only key i ever hold down to repeat would be backspace or cursor keys, why do you need key repeating so much?

I'm interested by the answer
You could be of great help to resolve a major issue it would seem.

Comedy!
"Aimbot detected server side" - haha, Molgrum, like there are 100 quakeworld developers dying to start coding a detection algorithm for this!
"Yes, the whole idea behind it is completely flawed." - mixing facts and own opinions in your posts
"server-side security" - again, SO MANY HORNY DEVELOPERS ready to start coding it! Not commenting that like noone who talked about it in this thread knows what it means or how it would work, haha.
"Peer reviewed code" - haha, bigfoot, the greatest joke in this thread. Wake up from your dream...

A) "Proxy cheat", "GL library modifications", "Driver modifications", "Kernel modifications", "Modyfying the executable in memory"
B) remove one line from the code, usually some 'if (!Ruleset_Allows_This()) return;', read compiling_on_windows.txt, make your own new executable.
How many ppl can do (A) and how many can do (B)?

Bigfoot's acts are not defended by any valid arguments, as has been said already, he only destroys other people's work and intentions. He had enough time to present his own solution, which still wouldn't be a reason to destroy other people work.
Why is his qw.nu account still active? I expect admins of this forum and EQL admins to express their stances on this issue. Not because I'm ezQuake admin (security module is a third-party software), but because this situation is fucking ridiculous.
I'd like to ask forum moderator to move all posts related to third party software to a new thread.

damm it this new ez security dont work good, it would be a mess , it replay f_version crc on random ,sometime it is or not ,more sometime it replay nothing.More i have alias with command weapon|attack and teamplay macro in it ,and it is blocked but when i reload config from menu it is working!

Just do the same thing. You've already got the build date of the client inside Ezquake. This way you can check which version they're running. Then put the code which checks the models inside the client. Problem solved at least as well as it already is, but with none of the disadvantages.

Well, I must be spectating the wrong games then, because I can't remember last time I saw it used

Short answer: No.

Long answer: It has nothing to do with the client, so it wouldn't depend on the client at all. Furthermore the MVDSV guys and I don't get along for various reasons, including disagreeing on development and release model and generally the MVDSV guys are the same as the Ezquake guys, and as you can see here, two of them think I should be banned from this very website. Furthermore, there's already a much, much better server than MVDSV out there. It's called FTE, and it already has some of this stuff.

Well, I think I mostly use the backspace key as well, but the problem is when I've got a lot of text to delete. 5 chars per second is just too slow, and 25+ per second is just too fast to be able to do it precisely

Considering your post from earlier, which either you or someone else deleted, which from my memory told me something along the lines of "bugger off", why exactly would I want to work with you again?

[ off topic ]: if a moderator has some free time, please can they split this thread into three separate threads, move all security discussion to this thread, and split all Mac related discussion (like that which follows) into a Miscellaneous thread.


Well you can get some vim/emacs/regex style movement in Cocoa input, Opt-Delete will delete to the word boundary for you (Opt+Arrow also jumps between words), Ctrl-K deletes from current position to the end of the line and so on

There is usually a better way to do something

As opposed to the single developer taking up the guaranteed 100% pointless task of writing client side 'security'?


I explained this to you several times over. You didn't understand it. I provided proof of concept several times, and you still don't want to understand it. Just because you don't understand simple logic doesn't mean it ain't so.


Well, quite obviously noone from your 'camp' knows how it would work, but please, speak for yourself.


Ask anyone who knows just a tiny bit of security, and they will tell you that security through obscurity doesn't work. The only way you can have security is releasing your work for EVERYONE to look and poke and, and if noone can break it, you can reasonably consider it secure. How many successful encryption algorithms do you know which are not public?

Luckily for you, I did review the Ezquake obscurity module, and I've got an analysis in the pipeline. It should be an interesting read for anyone who does programming, and a really good reason why nobody should ever trust the Ezquake obscurity module.


Have you ever compiled a program on Windows? It's pretty damn difficult First of all you need the right version of Microsoft Visual (C++|Studio), then you need to manually get all the includes and libraries needed, then pray that they actually work. Then you need to pray that the project actually also compiles on your machine, which might not be the case. Luckily I haven't done too much development on Windows, 'cause I think I would go crazy after not too long.

OTOH, anybody can use Google to find anything from category A


Listen, pal, I'm not the one breaking the rules of this forum. You did. Disconnect did. Allow me to quote:


Do I have to remind you once again that the Ezquake obscurity module contains GPL code and that no GPL notice nor source code is included with the obscurity module? This by definition makes the Ezquake obscurity module 'illegally-obtained software' and 'warez'.

Can we please ban Disconnect and JohnNy_cz for discussing and distribution warez?

Because you could prove you are not the one people describe in this thread... but you seem to make a point beeing the one NOT helping.

My old post was: If you guys hate ezq/mvdsv so much and the people developing them, why are you still trying to get attention here? Go to your nice little qw bubble. Seems fair considering your tone so far...

Well, I already developed quite precise backspace repeat timing, so usually I don't have any problems with this

But in case I had to do it the other way, I'd really prefer it to be configurable so I could either have it Unix-style (^W and friends) or Amiga-style (shift+backspace, alt+backspace and friends).

Oh well, suppose I can't have it all

afaik if any code is used or linked against by the dll then it is probably LGPL or BSD licensed and does not require source release

In what way am I not helping?

People posting in this thread can be divided into two groups: Those who say 'yeah, client side security can't really work' and those who insult me. The latter group by far outweighs the former group.

I can't really help people who can't discuss a problem but have to resort to insults and rallying for censorship. And that's the people you want me to help?

I've already helped by 1) Pointing out that the current 'solution' is placebo at best and discriminating against people at works, 2) There are better ways to do this. Today. You just choose not to do it.

Errr.... you quoted it yourself:


I did that without any knowledge of windows compilation and it worked... Hmmmm. Really tough.


Yet I find the read_how_to_do_it_in_steps for Win32 compilation way easier. Shitload of info on google for those things, not a single clue how to apply it to the code...
But whatever... I'm too noobie or ezquake friendly to be of any interest to you anyway