
CCP got caught
#42
Posted 14 April 2008 - 18:10

Bots are the least of the troubles the source can bring. How about flying in a permanent cloak, shooting from inside it, and so on? Or whatever else they come up with...
The very idea of executing code on the client side is flawed. Yes, it takes load off the server. But it creates a hole, and desyncs grow out of this very idea too.
The client's job is to accept the player's commands, send them to the server, and display what the server sends back. That's all.
#43
Posted 14 April 2008 - 18:16

Fed and I looked at the code. RANDOM RULES. CCP loves random more than any other word. Random is the solution to every problem. Apparently, by programming everything with random, CCP gets ecstasy from the resulting CPU load ^^
it's not only CCP that suffers from this but other MMORPG developers as well, especially the biggest one
what can you do, random rules
#44
Posted 14 April 2008 - 18:17

and analyzing code to find complex logic bugs is not easy at all.
now if the server sources had been stolen, that would be many times more interesting; who needs this client anyway
#45
Posted 14 April 2008 - 18:21

I won't argue, so as not to break the forum rules, since I would have to post proof of the crazy idea, but I'll say it is possible, judging by, ahem... the letters
The very idea of executing code on the client side is flawed. Yes, it takes load off the server. But it creates a hole, and desyncs grow out of this very idea too.
The client's job is to accept the player's commands, send them to the server, and display what the server sends back. That's all.

#48
Posted 14 April 2008 - 20:17

by the way, yes.. how are things in that direction? found the lag generator in the source?

IMHO this has been in use for a long time - lags and desyncs when meeting a BoB fleet, "the beans' dictors are connected directly to the server"(c) etc.. and that same abuser surely used the holes too. it's just that now either his tail got pinched, or he got word that the freebie is about to be shut down.. so on "retiring", so to speak, he took a dump on them, telling a little about the small secrets of the game industry..

he is hardly naive enough to post the sources to selflessly spur the devs into fixing the code for the good of the community, as was claimed here. there are no honest people, there are always selfish motives behind it. just as there is no free cheese.
Edited by Tenkuu no kaze: 14 April 2008 - 20:21
#49
Posted 14 April 2008 - 21:00

link to the dialog, maybe?
Read the dialog. Unpleasant, but informative.
Hard to say who is right here; on the one hand, CCP of course should first of all have introduced protection on the client and server side. Even if that eats additional resources.
Are there threads about this mess on the official forum, or do they get deleted right away?
#51
Posted 14 April 2008 - 21:29

it's not only CCP that suffers from this but other MMORPG developers as well, especially the biggest one
what can you do, random rules
Are you talking about BG or Tovard?


#54
Posted 14 April 2008 - 21:45

very curious what that dialog is.

You're the Care Bear cheerleader! Your spunky personality and optimism lifts everyone's spirit. Though you want everyone to be happy, you stand your ground on issues you feel strongly about and this can bring disunity among your friends. Despite this, you are a true believer in working together.
Find out: which Care Bear are you?
#57
Posted 14 April 2008 - 21:59

As title says...
Guy asked to spread it, why not?
History:
[20:16] <Abuser> So. Talking with Arkanon wasn't fruitful.
[20:17] <[IA]Morpheus> Not quite, what are you trying to achieve?
[20:17] <Abuser> Make CCP confirm some things they are refusing to confirm ...
[20:18] <Abuser> Make intelligent approach to fixing bugs and performance issues instead of messing with game balance
[20:18] <Abuser> at least
[20:18] <[IA]Morpheus> You have no idea how we even work, there's 350 employees working at CCP and you don't know the slightest about our processes.
[20:18] <Abuser> I don't know HOW you work
[20:19] <Abuser> i see the RESULT of this work
[20:19] <Abuser> and UNDERPANTS of it
[20:19] <Abuser> I have enough experience researching MMO's
[20:19] <Abuser> eve isn't first
[20:19] <Abuser> and won't be last
[20:20] <Abuser> so if you want to tell i don't have the understanding of CCP infrastructure related to eve - you are somewhat wrong
[20:20] <Abuser> but question isn't about this
[20:20] <Abuser> from what i know previous sourcecode leak
[20:20] <Abuser> was couple years ago
[20:20] <Abuser> and from what i see, nothing changes in terms of quality
[20:21] <Abuser> neither things, allowing people to exploit eve (for botting) - were fixed
[20:21] <Abuser> is that how 350 people (i doubt if at least 1/5 - 1/7 of them are programmers)
[20:22] <Abuser> work?
[20:22] <Abuser> Customers without in-depth knowledge will not notice this
[20:22] <Abuser> but what if somebody will explain the situation for them?
[20:23] <Abuser> or you consider USD14.95 people pay you every month aren't enough to be fair with them?
[20:26] <[IA]Morpheus> This is the wrong way to go about things and will not lead to a revolution in how CCP does things internally.
[20:26] <[IA]Morpheus> Sorry if that's what you were after.
[20:26] <Abuser> I'm not looking for revolution
[20:27] <Abuser> Do you know such term as "Proof of Concept"?
[20:27] <Abuser> It's only enough it to get into hands of people who consider themselves to be programmers
[20:28] <Abuser> Currently eve don't have any clientside (and i'm 100% no serverside, except logs) routines to detect bots
[20:28] <Abuser> Even stupid ones, using OCR and called Macroses
[20:28] <Abuser>
[20:29] <Abuser> Won't the wave of intelligent bots make CCP work at least in the direction of securing the engine?
[20:29] <Abuser>
[20:29] <[IA]Morpheus> Of course it will, that's obvious.
[20:29] <Abuser> Nice
[20:29] <Abuser> that's at least part of the plan
[20:29] <[IA]Morpheus> If that's what you want to achieve then congratulations, we are always working on improving security and plugging holes. If you want to help with that, try a normal approach like say sending us an email with suggestions.
[20:30] <Abuser> No, you are lying
[20:30] <Abuser> Security wasn't improved since last theft
[20:30] <Abuser> except some CryptoAPI and zlib
[20:30] <Abuser> so don't try to fool me
[20:31] <[IA]Morpheus> Security is always being worked on, I trust you know programming takes a lot of time and effort.
[20:31] <[IA]Morpheus> You say we have no ways to detect bots, yet we continue to ban thousands of exploiters who sell ISK and so forth.
[20:32] <Abuser> And that's all?
[20:32] <Abuser> And what if people start using some hypothetic people2people trading service
[20:33] <Abuser> that will avoid of using sellers who are constantly monitored via logs?
[20:33] <Abuser> so there will be single and not interconnecting trades
[20:33] <[IA]Morpheus> Then we'll pick up on that and fix it..?
[20:33] <Abuser> that's how Blizzard can't do anything with such theme
[20:33] <Abuser> don't think you will manage
[20:33] <Abuser> they are losing more than you
[20:33] <Abuser> Why not to add client-side routines to detect bots?
[20:34] <Abuser> Why using petitions?
[20:34] <Abuser> People can lie, people can put a bucket of dirt on player who never violated eula
[20:35] <Abuser> And he will be banned, if petition will contain only right details describing the things you will never log, but that are surely be bot's actions
[20:36] <Abuser> EVE Clientside is enough to put bot-detecting routines there
[20:36] <Abuser> you can even use
[20:36] <Abuser> your spyware approach
[20:36] <Abuser> similar to when downloading PC identification python object during authentication as payload
[20:37] <[IA]Morpheus> Let it all out, I'll be sure to forward the conversation to all of our programmers, if that's what you want.
[20:37] <Abuser> No, your programmers are just following the plan
[20:37] <Abuser> they aren't that bad guys who caused all this anarchy
[20:37] <[IA]Morpheus> Care to tell me who did?
[20:38] <Abuser> Those who plan eve development and/or who decide the priority of client upgrades to be implemented.
[20:39] <Abuser> Currently Shiny Features have more priority than solidifying security and fixing bugs, from what i see
[20:40] <Abuser> Or how else you can explain the ability for the bots to use same approach to exploit eve engine as when previous sourcecode leak was?
[20:41] <Abuser> Nothing changed to prevent this?
[20:41] <Abuser> But we\'ve got tons of content patched
[20:41] <Abuser> but still lagging jita and deadly lagging blobs
[20:41] <Abuser> but from patchnotes i see that these things aren\'t your priority
[20:42] <[IA]Morpheus> I see that your intentions are good but this isn't playing out nicely for either parts.
[20:43] <Abuser> Guys, there's no other way that will play better.
[20:43] <Abuser> You simply ignore community requests to fix the core of eve, rather than add new coats to it, to make community forget about the bugs.
[20:43] <[IA]Morpheus> I despise bots and hacks over everything, but this is also a business, we've got developers designing content and EVE needs to grow. I know for a fact that there are programmers working on security, more than that I can't really say.
[20:43] <[IA]Morpheus> If you think we are releasing new content to make you forget about bugs then I'm not sure what I can say to convince you.
[20:44] <[IA]Morpheus> Patches have always been 50% bug fixes 50% content or so.
[20:44] <Abuser> Could you certainly say me what your programmers did to secure clientside from exploiting Eve?
[20:44] <Abuser> what's certainly
[20:45] <Abuser> I don't have anything against content makers - their ideas are good, really good
[20:45] <Abuser> I have full eve sourcecode, so you know what's did, and what's not;)
[20:46] <Abuser> From all security i saw - were ROLE permissions for logins with privileges higher than usual player, and some minor things in relation to prevent some remote service calls (some with potentially bad payload)
[20:46] <Abuser> nothing else
[20:47] <Abuser> is that called "programmers working on security"?
[20:47] <[IA]Morpheus> Are you cruising for a job or something?
[20:47] <Abuser> Nah
[20:47] <Abuser> neither job, neither anything else
[20:47] <Abuser> you may think of in such direction
[20:48] <Abuser> Digging the situation to uncover the truth
[20:49] <Abuser> You may compare me to fox mulder from x-files series
[20:49] <Abuser> it's the best description of why i do this
[20:49] <[IA]Morpheus> Ah, well, nice to meet you Mr Mulder.
[20:50] <Abuser> So... would you like to answer what AWESOME ccp programmers did in relation to client/server security (at least for client?)
[20:51] <[IA]Morpheus> No, we won't respond to blackmail. If you think we don't care or aren't working on improving security you are sadly mistaken.
[20:51] <Abuser> IA
[20:51] <Abuser> did you saw the code yourself?
[20:51] <[IA]Morpheus> Yeah, and?
[20:51] <Abuser> or you are just telling me someone else's words?
[20:52] <[IA]Morpheus> Nop, I'm all alone.
[20:52] <Abuser> And where do you see security fixes or bot catching routines in client?
[20:52] <[IA]Morpheus> I wouldn't know, I'm not a programmer.
[20:52] <Abuser> YAY
[20:52] <[IA]Morpheus> If you think we are gonna tell you everything we've done or are going to do then I've got a bridge to sell you.
[20:53] <Abuser> so how you can tell if there are security patches?
[20:53] <Abuser> Morpheus, i have a client sourcecode
[20:53] <Abuser> and have a people who can supply me with updates
[20:53] <Abuser> of each new version
[20:54] <Abuser> (where my python decompiler won't be able to handle optimized bytecode)
[20:54] <[IA]Morpheus> There's probably more to it than meets the eye, Fox Mulder.
[20:54] <Abuser> so in relation to client i have the same amount of knowledge as you
[20:55] <Abuser> So you insist that security patches are applied to client and client is secure and non-exploitable?
[20:55] <Abuser> Maybe i should release a small hack with portion of eve sourcecode to eve forums that will exploit something?
[20:55] <Abuser> or you will continue to talk that everything is fine?
[20:56] <[IA]Morpheus> Heh, I'm not saying there aren't exploits, don't be naive..
[20:56] <Abuser> o
[20:56] <Abuser> there's 1 big exploit )
[20:56] <[IA]Morpheus> There are and probably will always be, however we will continue to work against them. What else do you want?
[20:56] <Abuser> and tons of small ones
[20:56] <Abuser> not the ones requiring people to do queue of actions ingame to achieve the result
[20:57] <[IA]Morpheus> And you want this fixed?
[20:57] <Abuser> i'm talking about the ones, that are coming to light when you are exploiting eve python engine (oh god they said me it's impossible)
[20:57] <Abuser> Easiest way was to start using c++ and completely rewrite the code some time ago
[20:57] <Abuser> but i assume it's too late
[20:58] <Abuser> so you will not get rid of python injections
[20:58] <[IA]Morpheus> Time will tell, I suppose.
[20:58] <Abuser> but you can think of coding anti-bot routines
[20:58] <Abuser> I wonder if your programmers and qa know at least 1/20 of they ways possible to use to inject the code
[20:59] <Abuser> starting from most stupid approach
[20:59] <Abuser> and ending with ring0 injector
[20:59] <Abuser> trust me
[21:00] <Abuser> you can try
[21:00] <Abuser> ugh
[21:00] <Abuser> you COULD try
[21:00] <Abuser> but nothing was done in this direction for years
[21:00] <Abuser> i know people who are safely botting (first with ocr, then on python code bots) from early years of eve
[21:01] <Abuser> and they also agree nothing was changed in terms to stop or make the bots function wrong
[21:02] <[IA]Morpheus> You know, if you want that to stop you should let us know exactly how those bots function instead of threatening to leak source code.
[21:02] <Abuser> only if i will have public guarantees and confirmation that certain list of things will be fixed
[21:03] <Abuser> confirmation on each exploit
[21:03] <Abuser> otherwise - there's no sense
[21:03] <Abuser> i'm not only want to see these things fixes
[21:04] <Abuser> it also requires CCP to confirm that these bugs existed (and exist) over years
[21:04] <Abuser> you understand what i mean
[21:05] <Abuser> i'm thinking of some patching for trinity graphic engine
[21:05] <Abuser> to show that it's possible to make client show much more fps
[21:06] <Abuser> at least in space, during large fights
[21:06] <Abuser> (and that's one more stone to the window of your programmers, who must be forgot of such thing as level of details)
[21:07] <Abuser> there are many things - some interesting constants, that should be controlled by server, but they are not; ability to faster change sessions, unloading unnecessary services in runtime when they are not required
[21:08] <Abuser> truth on some strange session roles like viplogin
[21:08] <Abuser> 10 megabytes of code are enough to find a lot of things that should be there
[21:10] <Abuser> *should not
[21:11] <Abuser> And How these bots are functioning?
[21:12] <Abuser> Executing python code inside of eve python interpreter
[21:12] <Abuser>
[21:12] <Abuser> Or calling python api (these are less intelligent ones) to call objects, methods from eve python
[21:14] <Abuser> Untile eve uses python, there's no way to prevent these bots from using it too
[21:14] <Abuser> Untile=>*While
[21:15] <Abuser> It\'s possible to catch them, but not prevent from appearing and being more and more intelligent.
[21:15] <Abuser> In near perspective, other people who also have eve sourcecode (not from me) - will be able to release the bot that will be able to keep in control every single in-game activity usual player can do ingame.
[21:16] <Abuser> So only way (if you are not going to stop using python) - is to implement a bot catching routines on clientside
[21:22] <[IA]Morpheus> Well, thanks for all the advice.
[21:23] <Abuser> so
[21:23] <Abuser> i assume there will be no public excuse and to do list of bugs to fix from CCP?
[21:27] <[IA]Morpheus> Not quite, however, we are prepared to talk if you want your EVE Accounts reopened. This would also be a chance for you to give and receive feedback on the horrible bugs and exploits you know about.
[21:27] <Abuser> I'm not interested in my eve accounts
[21:27] <Abuser> The ones you closed
[21:27] <Abuser> weren't involved in testing
[21:27] <[IA]Morpheus> Then we have nothing more to discuss, thank you for your time and have a good day.
[21:32] <Abuser> It's was nice you agreed to talk with me.
[21:32] <Abuser> Personal thanks for your patience, Morpheus.
[21:32] <Abuser> Have a good day.
[21:32] <[IA]Morpheus> Sure thing. Farewell.
<[IA]Morpheus> Hi, give me a few minutes to reply to your mail.
<Abuser> Sure
<[IA]Morpheus> Do you have a list of bugs and exploits, the ones that you want us to fix?
<Abuser> 1. List of exploitable clientside things.
<Abuser> 2. Description of ways to exploit python engine (with examples)
<Abuser> 3. Ways to detect the bot(-s)
<Abuser> but
<Abuser> only in case terms i listed during our last discussion yesterday
<Abuser> *case of accepting
<[IA]Morpheus> Can you list them again please so I can run this by some people?
<Abuser> 1. List of places in clientside code that allows to code small client-side hacks.
<Abuser> 2. Descriptions of the ways to intrude in EVE python engine and execute arbitrary code there
<Abuser> 3. Ways to detect existing bot(-s) (at least know 1 serious enough)
<Abuser> 4. General ideas to improve EULA.
<Abuser> Only when:
<Abuser> 1. CCP published press release with:
<Abuser> a) confirmation of some bugs/holes existed for years
<Abuser> or
<Abuser> b) publishes in-depth reports on these bugs, and reports on what fixes were made for them
<Abuser> 2. CCP starts work in direction of serverside+clientside bot detection routines, also with public press releases (less detailed ofc)
<Abuser> That's all.
<[IA]Morpheus> Alright, give me a few please.
<Abuser> Sure.
<[IA]Morpheus> Going to forward this to someone who can make a decision.
Posting the dialog doesn't seem to fall under violations of this forum's rules... I'll hope so

#58
Posted 14 April 2008 - 22:01

I'll send the RapidShare link and an iFolder mirror to one person only, so as not to trouble the moderators with simple riddles. Pass it along the chain
"Hey you, no-lifer! I'm lying in a swamp with frogs, in felt boots, a padded jacket and an ushanka hat, drinking moonshine!"
#59
Posted 14 April 2008 - 22:13

And a new version of Python most likely won't solve anything, it will only expose those who are already using some vulnerabilities; whoever is able will pick apart the new version too, there aren't many differences there, if any at all.
Edited by gobobo: 14 April 2008 - 22:15
#60
Sensei*Neutral
Posted 14 April 2008 - 22:14

Better tell us - is this a decompile or the real code?
Fed and I looked at the code. RANDOM RULES. CCP loves random more than any other word. Random is the solution to every problem. Apparently, by programming everything with random, CCP gets ecstasy from the resulting CPU load ^^

Edited by Sensei: 14 April 2008 - 22:15