Member 5 posts
Registered: Apr 2006
Up2nOgOoD[ROCK]: I've copy/pasted Quake Unreal's thread into a private message to him (and saved a copy on my computer if he didn't receive it) with a message urging him to repost this topic. I apologize for hetman and I that we hijacked your thread.
News Writer 493 posts
Registered: Jan 2006
1. ez to use. Recommended for those who are new to using quake Clients. The ezStart feature helps you to recognize the use of each options available to the program. 2. Recommended for those who just wants to play and doesn't care about tweaking.

Oh yeez! I do not know if you actually play QuakeWorld or just evaluate clients by their name. ezQuake is THE client for *competition*, not for beginners. One reason can be, that it has a *security module*. It is accepted in *leagues*. It is not a client for newbies only, as the name suggests! FTE is a more powerful client, but not when it comes to QW competition (and this is what, I assume, 90% of ppl here care about). Wake up, Quake Unreal!

While it is a fact that EzQuake is currently the allowed client in most (if not all) Quake leagues, it is simply not because of the security module. It is because there is no popular alternative. Furthermore and in addition to, a security module does not, in fact, provide any security; conversely and paradoxically, it poses a false sense of security for both the league administrators and the players. There have been (and will be, I can assure you) numerous players who cheat in tournament matches but pass all security measures put forth by EzQuake (and FuhQuake) with flying colors. It is simply unreliable and, if anything, makes hackers HARDER to catch.

How does it make hackers harder to weed out? By creating a false sense of security. If Player_hacker_A passes all security tests, then Clan_B will incorrectly dismiss Player_hacker_A's increased aim and movement to skill. No investigation will take place. Without a security module, people would investigate Player_hacker_A more and he will come under closer examination - increasing the chances of validating his authenticity. You can argue that more (innocent) players would be termed as hackers or cheaters without security module. Let me prevent this by a fact: many people consider today's top dm'ers as cheaters - even though they pass security measures.

For this reason, the developers at FTE have justly developed a strong hatred towards the security module. The reason why the dll is still in use is because many people (you) spread false rumors and praise the security module as something that is so great and wonderful. In reality, it hurts the community. Please take what I said into consideration. I am not arguing that FTE is a better client than EzQuake, nor the other way around. I am simply stating that the community should open its eyes and understand the truth behind the security module. A better system MUST be implemented.

I frequently use both clients and I am a fan of both (giving both developers feature suggestions and bug reports). So, Hetman (AKA Shaman, creator and founder of EzQuake), let me stop you here before you reply that my post is fueled by our history or your involvement with EzQuake. My post is fueled by Quake's best interest in mind. If you are reading this and don't believe that the Fuh/Ez security modules can be hacked while still passing the test, I will post further proof (screenshots only since I would rather not spread a cheaty client). To quote you, "Wake up, Hetman!"
News Writer 493 posts
Registered: Jan 2006
My long-time friend and companion, Shaman:
>>"Despite your obvious prejudice that I will not take the message seriously or shall blindly defend the client I have started, it is my serious concern."
I thought I already addressed this, but if you want we can go over this again. I am NOT prejudiced against ezQuake. I do NOT hate, despise, or even dislike ezQuake. I DO use ezQuake on a frequent basis. I DO have a good relationship with its two most active developers, Johnny_Cz and Disconn3ct. I DO recommend features to the aforementioned developers. I DO recommend bugfixes to the aforementioned developers. Once again, I do NOT post this in despite you. I DO respect you for the things you have done for the community. I do NOT hate you. I am NOT posting this to enrage you. I AM keeping Quake's interests in mind.
>>>"sound idea, all the code that one human has written, can be hacked by another clever human. Sometimes it takes little time, sometimes more."
Yes, you are right. This is what I am addressing. You may not realize this because you have a wide variety and many years of experience with computers and computer logic (I have read your CV), but many people do not understand that the security.dll could be hacked.
>>>"Therefore I challenge you, Up2nOgOoD[ROCK], to produce any reliable evidence (a build) against ezQuake. And if you do not, I hope you will have the decency to clear its name with the same publicity with which you now have besmirched it."
Judging by that quote, you are one of them. I will not spend my time contemplating how this is possible.
>>>"I hope you will have the decency to clear its name with the same publicity with which you now have besmirched it."
Have you read my post in its entirety or have you skimmed it? Please read the bottom, especially this:
"Please take what I said into consideration. I am not arguing that FTE is a better client than EzQuake, nor the other way around. I am simply stating that the community should open its eyes and understand the truth behind the security module."
I posted that in case your eyes wandered from the truth. I never said anything to tarnish ezQuake's name, therefore I have nothing to apologize for nor do I have anything to regret from my post.
>>>"Therefore I challenge you, Up2nOgOoD[ROCK], to produce any reliable evidence (a build) against ezQuake."
Alright. I'll have this for you. I will post the latest build of ezQuake that came with security.dll with the cl_NotSoSecure command. Please allow around seven days as I come off Spring Break Monday and will be returning to college.
Note: I incorrectly wrote EzQuake instead of "ezQuake" in my previous reply.
Member 810 posts
Registered: Jan 1970
While the idea of the security module is, in the opinion of majority of involved in the QuakeWorld scene, a sound idea, all the code that one human has written, can be hacked by another clever human. Sometimes it takes little time, sometimes more.

Yes, I'm sure all those who don't understand it think it is a good idea.

How was MQWCL proven to be hacked in the USA? It was because a build (not a screenshot) was provided, which has generated all the valid responses for the authentication checks, however contained one thing that has not appeared in the original builds (it can be anything, for instance a /hacked command) released by Azazello. If one does not want to spread the hacked client, he should just withdraw from publishing its sources. For instance, an ezQuake 1144 with a /hacked command will not help cheaters in any matter (if no sources are released).

What you are suggesting is illegal.

Therefore I challenge you, Up2nOgOoD[ROCK], to produce any reliable evidence (a build) against ezQuake. And if you do not, I hope you will have the decency to clear its name with the same publicity with which you now have besmirched it.

Say, would an obviously cheating client which you or anyone can come on a server and "authenticate" be good enough?
Member 810 posts
Registered: Jan 1970
What you are suggesting is illegal.

No need to publish the build without sources. One can, for instance, mail it to anyone that is interested.

And thus I would break the GPL if whoever I sent it to requested the source code and I didn't provide it.

Say, would an obviously cheating client which you or anyone can come on a server and "authenticate" be good enough?

Yes, if it passes /say f_version /validate_clients /say f_modified from a legal ezQuake 1144's POV and is obviously cheating, please provide such a proof as soon as possible!

OK, so be it.

Personally, I hope that this has nothing to do with the fact that hexum is now listed in the FTE team at SF.net.

Who the hell is Hexum?

Are you able to produce such proof for the latest FuhQuake, too?

You're new here, right? Dunno how reliable you consider screenshots to be, but several persons validated it themselves with me cheating on a server...

http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_1.jpeg
http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_2.jpeg

This was done almost a year ago
Member 810 posts
Registered: Jan 1970
Who the hell is Hexum? You're new here, right?

I am impressed with both your self-confidence and self-esteem.

http://bigfoot.morphos-team.net/test/ezcrack.qwd
http://bigfoot.morphos-team.net/test/ezquake_has_no_security_1.png
http://bigfoot.morphos-team.net/test/ezquake_has_no_security_2.png

Dunno how reliable you consider screenshots to be

I will enlighten you - I do not believe any of the security-related screenshots.

Well, there you go, a demo as well.

This was done almost a year ago

I have handed over the ezQuake project in Jan, 2005. Since then I am not a developer. I have not played QW since Sep, 2005. Anyway, where was this announced?

Well, IRC, as you see. Otherwise, whenever someone has claimed that Fuhquake was secure.
Member 810 posts
Registered: Jan 1970
Well, there you go, a demo as well.

Sorry, I do not want your demos (see my tutorial on QWD editing) or screenshots or movies done out of screenshots or whatever else you will think of to avoid providing a serious proof (which is a build I can validate on my own with own ezQuake 1144). And, yes, I have seen the demo and it passes /validate_clients. Still, I do not consider this a proof, please provide me a build so I can check this on my own. If you are not going to do that, please state it at very beginning.

Say, would an obviously cheating client which you or anyone can come on a server and "authenticate" be good enough?

Yes, if it passes /say f_version /validate_clients /say f_modified from a legal ezQuake 1144's POV and is obviously cheating, please provide such a proof as soon as possible!

Demo was the quickest to do, but as we agreed on earlier, we can find a public server where I'll give you a good zapping on povdmm4 and then you can validate how secure my client is. And no, I will provide no binaries to anyone. If you even after a public demonstration will refuse to believe it, so be it.
Member 55 posts
Registered: Mar 2006
muhahaha some people just won't budge i guess
Member 810 posts
Registered: Jan 1970
I will provide no binaries to anyone

Very well. So when it comes to our discussion here it is EOT. Have a good day and good luck in your projects.

Right, so you keep demanding more and more. I offer you the perfect proof, I go on a server with you, get 90% lg against you on povdmm4, and you can f_version and do what you want, you agree... And then when I post a demo and screenshots, you suddenly want something else. Well, why not. People with religious beliefs are usually quite hard to convince.

As for me, now I am only awaiting for up2's

I will post the latest build of ezQuake that came with security.dll with the cl_NotSoSecure command.

If he is smart, he doesn't, but up to him. You have plenty of proof waiting for you to work with, come pick it up.
Member 810 posts
Registered: Jan 1970
As I have stated right before the first post of up2nogood, I will accept only binaries (that I can check myself) as a sufficient proof. I do not know if you read this or not, but somehow you have told yourself that I will accept any proof whatsoever (and now you are saying I am demanding more and more, whereas you have not satisfied my one and only demand).

Say, would an obviously cheating client which you or anyone can come on a server and "authenticate" be good enough?

Yes, if it passes /say f_version /validate_clients /say f_modified from a legal ezQuake 1144's POV and is obviously cheating, please provide such a proof as soon as possible!

I asked you if a public demonstration was good enough, you agreed, then later you refused. Whatever

And yet, if you want to go into details, once I have written you that I have not played QuakeWorld since Sep 2005, you have offered me a public demonstration (I hope that the readers see this). The reason why I do not play QuakeWorld atm is that I have all the ports blocked (except WWW, e-mail, and SSH) in the dormitory in Portugal, where I shall stay until July. Anyway, I can assure you I would be happy to experience your demonstration and do some /validate_clients, f_modified, f_version, f_servers checks.

That's OK, anyone else can see it too. Vleesch just saw it. I'll happily demonstrate it to anyone else as well. I don't need you to believe that the model is flawed, but if at least the common QW player finds out that the "security" model is flawed, maybe something will be done about it. BTW, clients and proxies which can connect over TCP do exist. Try it some time. SSH+port forwarding even makes it stupidly easy

Still, screenshot proofs are no proofs (since GIMP is freeware) and QWD proofs are no proofs either (since tools like LMPC are available). If someone does not follow, I convert QWD to semi-code and cut the part where a player rotates before shooting, then I convert this to a new QWD.

True, it was just an appetiser till you come and see it with your own eyes.

I cannot see a reason why cannot you post a binary (not with an aimbot, I do not need it, just with a /hacked command) except: a) hiding behind the GNU GPL, b) not being able to produce a binary that I ask for, c) being afraid that I will win the next Duelmania thanks to a dummy /hacked command.

Laziness is a quite good option as well. But as I said, people with religious beliefs are hard to convince. The proof is there for you to see, that you choose to look the other way is not my problem, really.
Member 693 posts
Registered: Jan 2006
While it is a fact that EzQuake is currently the allowed client in most (if not all) Quake leagues, it is simply not because of the security module. IT is because there is no popular alternative. Furthermore and in addition to, a security module does not, in fact, provide any security; conversely and paradoxically, it poses a false sense of security for both the league administrators and the players. There have been (and will be, I can assure you) numerous players who cheat in tournament matches but pass all security measures put forth by EzQuake (and FuhQuake) with flying colors. It is simply unreliable and, if anything, makes hackers HARDER to catch.
How does it make hackers harder to weed out? By creating a false sense of security. If Player_hacker_A passes all security tests, then Clan_B will incorrectly dismiss Player_hacker_A's increased aim and movement to skill. No investigation will take place. Without a security module, people would investigate Player_hacker_A more and he will come under closer examination - increasing the chances of validating his authenticity. You can argue that more (innocent) players would be termed as hackers or cheaters without security module. Let me prevent this by a fact: many people consider today's top dm'ers as cheaters - even though they pass security measures. Yeah, that would be awesome, we'd end up like the CS community with everyone accusing everyone else of being a cheat. The situation we have now is not ideal but it is the best available solution.
Member 55 posts
Registered: Mar 2006
so hetman, you aren't convinced until you've got the binaries and checked them yourself? when a person(bigfoot) is putting this amount of efforts in it trying to convince you, giving you different examples of proof and so on, i think you may assume that he's true. why would he do this to prove something thats just untrue?
bigfoot showed me, and another player, that his modified client just validates and passes all those checks. this client also gave him 90% lg.
Member 693 posts
Registered: Jan 2006
http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_1.jpeg http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_2.jpeg Don't the CRC values have to be identical for it to truly pass validation?
Member 810 posts
Registered: Jan 1970
http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_1.jpeg
http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_2.jpeg

Don't the CRC values have to be identical for it to truly pass validation?

Nah, that would kinda defeat the purpose. If the same response was all that was needed, it would be even easier to claim to be a "secure" client. This way each client emits a different checksum, which includes things such as the player's name etc, which the other clients can then "verify". Try /auth_viewcrc 1 and go on some server and do f_version, you'll see everyone has a different checksum
Member 810 posts
Registered: Jan 1970
Say, would an obviously cheating client which you or anyone can come on a server and "authenticate" be good enough?

We have misunderstood each other. I understood it as "if you provide me with a build that anyone can check", you understood that as my agreement for a public demo without giving a build. Too bad.

Others will believe

If you mean a solution as Qizmo "TCP/IP connection". A great idea, really. I would have to run Qizmo with ./qizmo -x 23 or something like that. Oops, that (using ports <1024) requires a root access on a remote machine. Oops again, I do not have one in .pt. SSH+port forwarding works pretty well for TCP ports here. However, I could not find a good solution for QuakeWorld + UDP.

Machine with SSH server and proper connectivity:

./qizmo -x 1234

Machine with limited connectivity:

ssh -L 1234:127.0.0.1:1234 machine.with.good.connectivity

There you go, on 127.0.0.1:1234 will now be redirected to the other machine's 127.0.0.1:1234. No need for root access. For demonstration I can put up an FTE server with TCP support enabled, if you're interested.
Member 1011 posts
Registered: Feb 2006
any interesting statements in this thread are mostly ruined by the extremely gay attempts to use unnecessary legalese language to make the person sound like they know what they are talking about

"Furthermore and in addition to, a security module does not, in fact, provide any security; conversely and paradoxically, it poses a false sense of security for both the league administrators and the players."

^ this just makes me want to say 'fuck off'

And no, I will provide no binaries to anyone. If you even after a public demonstration will refuse to believe it, so be it.

i don't see the reasoning behind not posting binaries? you lose nothing by posting them - you gain everything by keeping things secret on your site

And as a final comment. the anti-security.dll posts and comments always seem to come from the FTE-camp who appear to be using it as a means of discrediting other clients rather than being in any way helpful

few people believe that security.dll is flawless security but it would/will prevent the majority of players from easily cheating and for that reason it is worth having

rather than wasting your time trying to put screenshots up of 'lol we hacked ezquake' why don't you actually write an amazing new security feature into FTE that makes it the required client for all Quakeworld tournaments. Until then go back to looking in law dictionaries for words to try and impress people
Member 810 posts
Registered: Jan 1970
any interesting statements in this thread are mostly ruined by the extremely gay attempts to use unnecessary legalese language to make the person sound like they know what they are talking about

Mmm, yeah...

And no, I will provide no binaries to anyone. If you even after a public demonstration will refuse to believe it, so be it.

i don't see the reasoning behind not posting binaries? you lose nothing by posting them - you gain everything by keeping things secret on your site

What have I got to gain? Personally I don't really care much. The only time I played in a competition, some team had signed me up as playing for them without asking me, so I thought what the hell and went ahead and played - with my illegal and big, bad MorphOS port, even. I do not wish to make things easier for those who *really* wish to cheat. Any publishing of any methods would do so.

And as a final comment. the anti-security.dll posts and comments always seem to come from the FTE-camp who appear to be using it as a means of discrediting other clients rather than being in any way helpful

Ouch, are we into camp wars now? Didn't know that. I can't speak for others, but personally it just makes me want to try when someone comes along and touts something which is inherently secure as being the best thing ever. But since we're apparently into camp wars now, maybe the people who choose to work on FTE are just sensible, while people who choose to work on that other client are ignorant? Yes, that's a joke, don't take it seriously. But it fits well with your "FTE developers are eeehvil!"-theory.

few people believe that security.dll is flawless security but it would/will prevent the majority of players from easily cheating and for that reason it is worth having

hetman apparently does. As are many QW players convinced that it is so.

rather than wasting your time trying to put screenshots up of 'lol we hacked ezquake' why don't you actually write an amazing new security feature into FTE that makes it the required client for all Quakeworld tournaments. Until then go back to looking in law dictionaries for words to try and impress people

"Oh, so you don't think believing it makes it possible to walk on water? I challenge you to find a better way to walk on water, then!" I'd say, walking on water is impossible(*), as is having a client try to prove that it has not been tampered with. I'm sorry if you feel offended by hard facts, but that's really not something I can do anything about. Though I must admit I fail to see what all this reference to law is about, unless it is about me stating that distributing a GPL binary without offering the source code would be a breach of copyright. But then again, I can't see the problem with that either.

But it's funny. Person A claims something is secure. Person B claims it is insecure. Person A demands proof. Person B delivers proof. Person A starts rambling about how Person B has a personal problem with person A (while in fact person B had never heard of person A before this day), is accused of having a big ego and is accused of participating in camp wars. Wow. Look at that again.

So, let's sum it up the possible scenarios:

Hetman claims that ezquake is better because it has a "security module" which supposedly provides some security.
I claim that the "security module" provides no security at all.
Hetman demands evidence.

From here:

a) I deliver the evidence and get accused of a billion things. Without acknowledgement of the evidence, of course.
b) I don't deliver the evidence, and then clearly ezquake must be secure.

How can I win here?

(*) Before anyone tries to prove that walking on water is possible, or start talking about using extra equipment for it, whatever, please notice that it is meant as an example and not a claim that walking on water is, in fact, impossible.
Member 810 posts
Registered: Jan 1970
Is FTEQW into bad PR as once ezQuake was under my management?

Boy, are we busy associating me with FTE and trying to smear FTE now? Clientside client validation can't work. Not for Fuhquake, not for Ezquake, not for FTE. I have nothing against ezquake (except maybe its Makefile). I have nothing against hetman, in fact I never even knew such a person existed until today. But obviously I must hate him because I've done some minimal work on FTE and he's apparently associated with ezquake. Obviously I hate him then. Obviously. I don't even have anything against people who think that clientside client validation can work, just as I don't have anything against christians or members of other religions. However, when they try to enforce their flawed views of the world upon others, I feel obligated to prove them wrong. Don't take it personal, I just want to stop the misinformation. That's it.
Administrator 2058 posts
Registered: Jan 2006
this thread is ridiculous
Member 1011 posts
Registered: Feb 2006
I do not wish to make things easier for those who *really* wish to cheat. Any publishing of any methods would do so.

well a) without widespread cheating there is little chance of anything being changed and b) the non-fte developers who have commented on this thread refuse to believe screenshot or .qwd evidence

you could quite easily send the 'hack' to an ezquake developer who would have no interest in making it publicly available, but its proven availability would prompt a re-think on the ezquake security implementation. you have nothing to lose by doing this...
Member 810 posts
Registered: Jan 1970
I do not wish to make things easier for those who *really* wish to cheat. Any publishing of any methods would do so.

well a) without widespread cheating there is little chance of anything being changed and b) the non-fte developers who have commented on this thread refuse to believe screenshot or .qwd evidence

... which was why I offered to show it live, something no one so far has taken me up on (except Vleesch and Hedfuk). Would a live demonstration be any less evidence than a copy of the method used?

you could quite easily send the 'hack' to an ezquake developer who would have no interest in making it publicly available, but its proven availability would prompt a re-think on the ezquake security implementation. you have nothing to lose by doing this...

And neither have I any interest in making it publicly available. Nor have I any interest in disclosing the method. The "hack" took a whopping 20 minutes to do. As an excuse, I'll say it's been a long time since I did it with Fuhquake, and there was something obvious which had temporarily slipped my mind. I do not wish to make the method publicly known either, since I have no doubt someone will then try to just make that method harder (not impossible, because THAT is impossible), and then claim that version X+1 is secure. I have no interest in having to provide proof for every damn version released, when it's quite obvious to anyone who takes 10 minutes to think about the issue, that it simply cannot work.
Member 1011 posts
Registered: Feb 2006
I do not wish to make the method publicly known either, since I have no doubt someone will then try to just make that method harder

so you have no interest in helping to make security better

may as well lock the thread then
Member 810 posts
Registered: Jan 1970
I do not wish to make the method publicly known either, since I have no doubt someone will then try to just make that method harder

so you have no interest in helping to make security better

Which shows that you just didn't get the point. Neither did you take 10 minutes to think about it. I'll repeat: Walking on water is impossible. How can I help making walking on water possible, when I know it is not possible? I never claimed I wanted to make walking on water possible either - that's what Hetman claimed. I claimed that walking on water was impossible, and delivered the proof. Apparently I'm the antichrist now for showing that walking on water is impossible.

may as well lock the thread then

Yes, let's silence the issue, always works. But oh well, I won't stop you from trying to walk on water. If you drown, don't ask me for help, though.
Member 810 posts
Registered: Jan 1970
Clientside client validation can't work. Not for Fuhquake, not for Ezquake, not for FTE.

It can work and works for the first two thanks to the security module. No one in this topic has said it is perfect. It can contain bugs. However, your reasoning reminds me of the following logic: every website with a "log in" form can be hacked, so let's not provide any authorization at all, because it cannot work.

And this is where you completely missed the point. There is a small difference between the two examples, which makes a huge difference. In the case of QW, the server sends the password to the client, then asks the client to ask the user to enter the password, the client then compares the password and tells the server if the user entered the right password or not (figuratively speaking, it's not how it *really* works). In the case of a webserver, the client sends the password to the server, the server then compares the password and depending on if they match, it lets the client in or not. This is where the big difference is. Fuhquake and Ezquake is asking the user to verify that the user is not cheating.

I never even knew such a person existed until today.

Great, pal. In contrast, it has come to my attention that you are an FTE developer back in the times when I was the head of the ezQuake project.

I was? Damn. When I first heard of FTE, I had never heard of ezquake even. My interest in FTE has always been, and still pretty much is, making it run on MorphOS. Besides the MorphOS port and the endian fixes, I have done an incredible small amount of work on FTE. I don't even remember when I did my first commit to the FTE CVS. I know the first I did on FTE was fixing the endian problems, and the most obvious one was committed by me on the 17th of May 2005

I have handed over the ezQuake project in Jan, 2005. Since then I am not a developer.

Right, so the first time I touched FTE CVS was several months after you left Ezquake. Sorry

I have written Mr. Balcom has hacked the MQWCL's security resulting in getting MQWCL banned in North America still you have classified me as a person who thinks that Quake security is flawless.

I don't believe I said you claimed that it was flawless. However, you did claim that Ezquake had an advantage over FTE because of its "better security".

When it comes to the FuhQuake/ezQuake security module, I have expected the following proof at the very beginning: produce any reliable evidence (a build) against ezQuake

Too bad you don't accept equally good proof, but would rather close your eyes, cover your ears and yell "lalalalala" instead of taking the 10 minutes it requires to think the whole issue through. See my example above.

For me, the proofs you have produced are not reliable.

You refused to see the proof.

If you cannot admit, that you have not read my parenthesis. I have not written "e.g. a build", "like a build", "for instance, a build", I have written "a build" as a synonym of a reliable proof. I hope you that you have finally understood what do I expect from a proof.

Sure, and as a proof that the Fuhquake/Ezquake/MQWCL/whatever security model works, I expect a paper going into details with all issues with regards to the authentication and disproves any possibility of tampering. I know it doesn't work. I've thought it through. I've even done it in practice to prove it (to myself, and to others who refuse to believe the theory). All you've done so far is "lalalalala"

What you have provided me with were so-called proofs for me, while for you it were completely reliable proofs.

No, you still refuse to see the proof. What can I do then? I can show a religious person that the earth is not flat, but if he doesn't want to see it, what can I do?

Just a different point of view. If you feel unhappy with our different point of views on how the proof should look like, I am sorry. Life goes on!

Yes, I'm sure that most other people will accept a person who demonstrates an aimbot with a client which validates by Ezquake clients proof that Ezquake authentication isn't worth anything.

Person A claims something is secure. Person B claims it is insecure. Person A demands proof. Person B delivers proof. Person A starts rambling about how Person B has a personal problem with person A (...)

Sorry, I do not follow. Did you mean Person C after the fourth full-stop? As he is a FTE developer, I can assume that he has reasons to discredit FuhQuake/ezQuake security. I cannot agree more, oldman, even under oath - this is my affidavit! Let no one contradict a sworn statement. Is FTEQW into bad PR as once ezQuake was under my management?

Why was the whole personal agenda/smear campaign/FTE developers hate Ezquake thing needed at all? Can't you please discuss the issue at hand?
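The distinction drawn in the post above (the party being checked performs the check and reports the verdict, versus the server performing the check itself), as an added example that is not part of the thread and not code from any QuakeWorld client. The class names, the sample password and the yes/no verdict message are assumptions made for this toy model.

```python
"""Toy model: the same check run on the client (model A) or on the server (model B)."""
import hashlib
import hmac
import os

REAL_PASSWORD = "povdmm4-sample"  # constructed sample value


class HonestClient:
    """Unmodified client: performs the local comparison as shipped."""

    def __init__(self, typed: str):
        self.typed = typed

    def self_check(self, expected: str) -> bool:
        # Model A: the client is handed the expected value and reports a verdict.
        return hmac.compare_digest(self.typed.encode(), expected.encode())

    def submit(self) -> str:
        # Model B: the client only forwards what the user typed.
        return self.typed


class ModifiedClient(HonestClient):
    """Hypothetical client whose owner changed the local comparison."""

    def self_check(self, expected: str) -> bool:
        # The verdict is produced by the party that is being checked.
        return True


class ClientCheckedServer:
    """Model A: ships the expected value and trusts the reported verdict."""

    def __init__(self, password: str):
        self._password = password

    def admit(self, client) -> bool:
        # The server never sees the input, only the client's own yes/no.
        return client.self_check(self._password) is True


class ServerCheckedServer:
    """Model B: keeps a salted hash and does the comparison itself."""

    ITERATIONS = 100_000

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._stored = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.ITERATIONS
        )

    def admit(self, client) -> bool:
        # The decision is made on the server, from data it can evaluate itself.
        return hmac.compare_digest(self._derive(client.submit()), self._stored)


def compare_models() -> dict:
    """Return {case: (model A admits, model B admits)} for three clients."""
    clients = {
        "honest, right password": HonestClient(REAL_PASSWORD),
        "honest, wrong password": HonestClient("guess"),
        "modified, wrong password": ModifiedClient("guess"),
    }
    model_a = ClientCheckedServer(REAL_PASSWORD)
    model_b = ServerCheckedServer(REAL_PASSWORD)
    return {name: (model_a.admit(c), model_b.admit(c)) for name, c in clients.items()}


if __name__ == "__main__":
    for name, (a, b) in compare_models().items():
        print(f"{name:26} client-side verdict: {a!s:5}  server-side check: {b}")
```

Only the third case differs between the two models: the server that trusts a self-reported verdict cannot tell the modified client from the honest one, while the server that does the comparison itself is unaffected by what the client's code does.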
Member 1011 posts
Registered: Feb 2006
what is left to discuss though?
there are two states
1) let's assume, as you claim, that you have successfully hacked an ezquake executable that can pass all authentication and can be seamlessly used to cheat in official games. As you have not made information publicly available on how this can be achieved - its impact is extremely limited. No security alternatives currently exist that would be legal within the confines of the GPL. People complain to leagues that FTE should also be allowed to be used as a client in the competition. Admins say no because FTE has no security whereas ezquake has some and no publicly available cheat clients exist that can fake as ezquake. Things stay as they are.
2) Your claims are false and you have in fact achieved nothing. Admins have less spam. Things stay as they are.
Member 1011 posts
Registered: Feb 2006
offtopic: btw hetman are you sure udp traffic is disabled on your permitted ports? usually both tcp/udp is allowed. when i was at uni under a restrictive firewall i used to use a public qizmo that ran on port 80
Member 810 posts
Registered: Jan 1970
what is left to discuss though?
there are two states
1) let's assume, as you claim, that you have successfully hacked an ezquake executable that can pass all authentication and can be seamlessly used to cheat in official games. As you have not made information publicly available on how this can be achieved - its impact is extremely limited. No security alternatives currently exist that would be legal within the confines of the GPL. People complain to leagues that FTE should also be allowed to be used as a client in the competition. Admins say no because FTE has no security whereas ezquake has some and no publicly available cheat clients exist that can fake as ezquake. Things stay as they are.

I don't know of any publicly available Quake clients which have built-in cheats and which can validate as Ezquake. Do you know of any publicly available Quake clients which have built-in cheats and which can validate as FTE? If you answer no to that, and given your above logic, what is the advantage of Ezquake again?

Also, the amount of times I have seen anyone actually use f_version in a competition can be counted on one hand, probably.

What if I, or anyone else who plays Quake on anything but Windows and Linux/x86 wants to play in a competition? Would we have to install a different OS, maybe buy a completely different computer altogether, just to satisfy a tournament rule which is based on false security? That makes no sense at all, IMO.
Member 810 posts
Registered: Jan 1970
I have not refused to see your proof (note: your not the). I have simply the ports blocked and have not tried to work out your solution (on Win32 atm) to overcome this issue. If you want to accelerate this, drop me a PM how can I contact you (IRC, ICQ, MSN).

If the SSH client is the problem, get Cygwin. It has one. As also previously stated, I can put up a server accepting TCP connections on port 23. Unfortunately I don't think Ezquake supports this (but please do correct me if I'm wrong), so your only choice is Qizmo then, I guess. I could also put up a Qizmo for you on port 23.

bigfoot.morphos-team.net:23 has a Qizmo accepting TCP connections now.

IRC:
IRCnet - #amiga
Freenode - #morphos
Quakenet - #fte
Enter The Game - #fte

ICQ: 11522161
Member 1011 posts
Registered: Feb 2006
hetman: you only need root for ports less than 1024, ask for a qizmo on port 8080

I don't know of any publicly available Quake clients which have built-in cheats and which can validate as Ezquake.

that's good

Do you know of any publicly available Quake clients which have built-in cheats and which can validate as FTE?

no i don't. But I could instantly cheat in fte by commenting out a couple of lines of code and recompiling. Anyone with gcc could do this. I cannot do this in ezquake as I would need to know how to perform the hack which you are not making public and that would require an amount of knowledge that the average quakeworld player does not possess.

If you answer no to that, and given your above logic, what is the advantage of Ezquake again?

see above

Also, the amount of times I have seen anyone actually use f_version in a competition can be counted on one hand, probably.

well that's an issue with the competition, not the clients

What if I, or anyone else who plays Quake on anything but Windows and Linux/x86 wants to play in a competition? Would we have to install a different OS, maybe buy a completely different computer altogether, just to satisfy a tournament rule which is based on false security? That makes no sense at all, IMO.

you can run Linux/PPC on your machine - that could be supported immediately. More obscure OSes are less likely to be added I am afraid.
Member 810 posts
Registered: Jan 1970
Do you know of any publicly available Quake clients which have built-in cheats and which can validate as FTE?

no i don't. But I could instantly cheat in fte by commenting out a couple of lines of code and recompiling. Anyone with gcc could do this. I cannot do this in ezquake as I would need to know how to perform the hack which you are not making public and that would require an amount of knowledge that the average quakeworld player does not possess.

Does the average Quakeworld player know which lines to remove from FTE?

If you answer no to that, and given your above logic, what is the advantage of Ezquake again?

see above

See above

Also, the amount of times I have seen anyone actually use f_version in a competition can be counted on one hand, probably.

well that's an issue with the competition, not the clients

But still proves that not only doesn't it work, but it's mostly unused as well, thus it is a pretty dull restriction to make.

What if I, or anyone else who plays Quake on anything but Windows and Linux/x86 wants to play in a competition? Would we have to install a different OS, maybe buy a completely different computer altogether, just to satisfy a tournament rule which is based on false security? That makes no sense at all, IMO.

you can run Linux/PPC on your machine - that could be supported immediately. More obscure OSes are less likely to be added I am afraid.

Right, I rest my case