Project Exists #22
Comments
|
Agreed with flux. I haven't had any big issues with this on my server yet, but this is just a problem waiting to happen. The client may be useful for debugging & cheat playing, but this should not be a client that is used on actual minetest servers - for reasons which should be obvious - which is what you are asking to happen by making this public. ~CalebJ (admin on Tunnelers' Abyss) |
|
I disagree with taking this project down, you are removing what is exploiting issues with cheat detection in Minetest without solving the problem. Cause and effect. Additionally, anyone, for example me, could just reupload the source with instructions for compiling to Github or another website again and they probably should to stop things like this happening. |
|
Please do not shoot the messenger. The problem is not that this project exists, but that MT is so easily exploited. |
|
Current action in the forums when related to exploits and such is to wait till the problem/bug is patched before making the exploits public. This happened with CSMs. |
|
If it is not removing the project, I think making it private is the best thing to do. ~Lanhild, ex-administrator |
The fact that MT is "easily" exploited isn't the problem, because that can't realistically be fixed. The problem is that this project is currently making it trivial for anyone to exploit the game if they want to, and that's ruining a lot of player's experience on a lot of servers, as well as the experience of the server operators who don't want cheaters around. Hyperbolically, it could eventually lead to the complete death of the minetest project, because no-one left is playing by the rules. Yes, hacked clients will absolutely continue to exist. They've been around before, and will be around after. Yes, people can just re-upload the binaries of this project somewhere else if they want to. I'm asking you people, the main developers of what currently seems to be the most popular hacked client by far, to do the right thing and to stop publishing it. To quote JWZ,
|
We already knew that MT is easily exploited, people compile their own hacked clients all the time and anyone who is a dev (or even a modder) knows that MT can be easily exploited. The main player base may not know this, but I see no reason why they should. Telling them that MT is easily exploited is basically begging for someone to exploit it, and gives the player base no valuable information.
So, by the same logic, people should just let trojans, ransomware, and other nasty viruses run loose because the exploits they take advantage of haven't been patched? Just because there's a cause doesn't mean we shouldn't try to mitigate the effect.
This is true. However, most trolls aren't that bright or that diligent and probably couldn't compile their way out of a wet paper sack (especially not on windows). Furthermore, the devs don't seem to be particularly concerned with hackers / cheaters since "just ban them" is a "viable" solution. I doubt they would care much even if all the trolls on minetest got hold of this software. So advertising this software just gives server owners a headache without doing anything to fix the issue. Finally, if the owner of this project really cared and was creating this for non-malicious reasons, he'd dedicate his time to patching the anti-cheat code instead of adding new exploits here. |
|
the problem is this project doesn't even go after the developers in the first place. it just hurts the community, damages servers people work hard on, and causes undue pain and headache to moderators who take time out of their day for their server. in the same amount of time, you could have come up with a way to prevent this kind of cheating, either by a mod or by contributing code to minetest. you're killing the community that makes minetest relevant, not making it better. --Edgy1 |
|
Excuse me, I am a server admin myself (Elidragon Skyblock, Crafter Dev, Fleckenstein SMP). Just be a bit more chilled about it. |
Well, a hackclient is mostly not about exploits. There were some critical exploits, but I made sure that they get fixed (EntitySpeed patched by myself, InventoryExploit patched by appgurueu with my help). It's mostly about bots etc. at the time. Good server software needs to be prepared for the client to do weird stuff. If you want to know what security gaps exist, contact me on discord or IRC. I'll always be open about helping to patch things; but I will also not stop working on this client. The reason why I have stopped to contribute anticheat fixes to minetest is that I was very dissatisfied with how the core devs handle pull requests. It happened to me that I made a PR with a trivial API addition, easy to test and fully documented and it was just ignored for several weeks. Anyways, if somebody wants to patch things, I'll help, but I'll probably not patch things myself anytime in the near future. Currently I'm busy with MineClone2 development. |
|
Also, I find it very funny how people discuss "shutting the project down". Its not gonna happen. A community has developed about the client; and if you are to ignorant to recognize and respect it that's your problem. This is my project, and what people use it for is their decision. |
|
Its open source. We can do with the mt code whatever we want. If you dont want that put it in another license. As for server owners. There are a number of anti cheats mods. If those are not enough for your needs noone is stopping you from making your own. |
|
pls add the "wontfix" label lol |
|
I added the invalid label xD |
|
Can you just close this issue, it is absolutely ridiculous. |
While i see where this is coming from it completely ignores that there are completely legitimate use cases for hacked clients – anarchy servers. Which is as a matter of fact the reason this project exists. |
|
I agree with removing the precompiled executables. Make them suffer, I always say. |
Completely proving my earlier point. He's one of those players who would like to have more power because he knows how to compile. no offense 1+ ;) |
If it is a viable solution then can't servers that don't allow hacks just ban hackers. |
|
that is an overly simplistic thing to say. we have jobs and families. and it causes undue stress on our lives to track them all down. my statement still stands. you are damaging the community, and you think it's cool. |
|
As I said earlier, I think that a bit more chill is required. You are damaging my community, have you thought of it that way? |
Slander. I would never think of taking away precompiled executables from small children to accumulate power for myself. However, in all seriousness, I do think it is funny that people are even trying to take down this project at all. I'm not sure if they understand how futile their mission is. It is probably impossible to completely eradicate DF or even stop it from spreading, since others can and probably will still distribute DF. |
I'm hosting your community. have you thought of it that way? |
|
Do you really want to start that kind of power struggle? |
|
I have a proposal: make it send /banmeifhacksarentallowed on join and servers that don't allow hacks can install a mod to ban anyone who uses that command. |
|
I think I'm being reasonable, considering you are likening some critical reviews to a piece of software destroying communities, giving headaches to staff, leading to servers shutting down, people quitting minetest, and overall making this world a darker place |
Might not work. Somebody is going to make a fork that removes it anyway. Of course, if the hackers are dumb enough, they might fall for it. |
if it can be well hidden in the code, that would be a good idea |
|
if it was done in c++ people would have to recompile to remove it |
|
I’ve read all 116 comments (now 117) several times |
|
Ok then |
|
I see. In that case. By all means rehash all the points made before :) |
|
@TechDudie I reported you for Spam. |
|
Fine |
this is still important |
|
Peace |
|
Version strings end in -dragonfire now, servers not wanting hackers can block clients with version strings ending with that. Can this issue be closed now? |
that sounds like a good solution |
|
hacker comes along hacky hack hack ok there we go now I can use this client for no-anarchy servers |
|
The problem of people cheating on non anarchy servers should not even considered to be solved clientside. This is like complaining to google they should fix chrome because there's an sql injection on some server. |
|
If servers are given a way to detect hacked clients it would be appreciated. Don't need to go as far as removing the client |
|
We should be grateful that this project exists. Demanding to shut it down is pathetic. Take the opportunity and fix the bugs in Minetest instead. This client is an excellent tool to be used to harden Minetest. |
to be clear I never called for removal, but for effects on other servers to be taken seriously. custom version string would be a huge improvement |
Would be? It's done. |
ik, and appreciate that |
|
God, there's a lot of chat here. I haven't read most of it. Having suitable tools is good for security. The infosec community has a wide range of freely available tools which you can use to test for common vulnerabilities. These tools improve security of applications by making it easier for white hackers to audit systems. Having a cheat client can make it easier to test and fix vulnerabilities. The dragonfire developers have also submitted bug reports and fixes for issues they've found. You don't make software more secure by limiting these tools, you make it more secure by actually working on cheat prevention and fixes. Getting fly/noclip is as simple as changing a single line of code in Minetest, Dragonfire doesn't really make this much easier. The primary issue with these tools is making it very easy for "script kiddies" to cheat - people will bad intentions and low technical skill. Dragonfire helps with this by at least identifying itself in its version string. It could even be more obnoxious with this by sending a chat message like Cheat clients are inevitable, and it's lucky to have one with developers that have been helpful |
I agree, thank you @EliasFleckenstein03, that change change to the version string certainly helps server operators, and I didn't realize at the start of this conversation that you'd submitted a bunch of bug fixes upstream. Thank you for that as well. |
|
agreed. as long as they take the effects on other servers seriously, I'm happy |
Hi do you know how I can use this custom version string in a anticheat mod im coding? |
you can't do this with a mod, you need to modify the minetest engine source code, something like this: diff --git a/src/network/serverpackethandler.cpp b/src/network/serverpackethandler.cpp
index b3008bb50..89507c896 100644
--- a/src/network/serverpackethandler.cpp
+++ b/src/network/serverpackethandler.cpp
@@ -40,6 +40,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
#include "util/pointedthing.h"
#include "util/serialize.h"
#include "util/srp.h"
+#include "util/string.h"
void Server::handleCommand_Deprecated(NetworkPacket* pkt)
{
@@ -391,6 +392,15 @@ void Server::handleCommand_ClientReady(NetworkPacket* pkt)
std::string full_ver;
*pkt >> major_ver >> minor_ver >> patch_ver >> reserved >> full_ver;
+ std::string playername = playersao->getPlayer()->getName();
+ if (str_ends_with(full_ver, "dragonfire")) {
+ warningstream << "Server: " << playername << " tried to connect w/ dragonfire client " << full_ver << std::endl;
+ DisconnectPeer(peer_id);
+ return;
+ } else {
+ actionstream << "Server: " << playername << " connected w/ version " << full_ver << std::endl;
+ }
+
m_clients.setClientVersion(peer_id, major_ver, minor_ver, patch_ver,
full_ver); |
yes but actually no because that would imply you have the freedom to use this client on any server and therefore would make this entire argument hypocritical and retarded. Even CSMs can be stopped form being used in minetest.conf when setting up a server. Your "freedom" argument is very grand but completely disregards all previous "cooperation" and "this client is for anarchy servers only" arguments. I'm trying to make a mod to detect dragonfire and ban users that use it, and some silly custom version string doesn't seem to be getting me anywhere. Please add this, or something similar, so that server owners can use a simple 10 line mod to stop people from ruining everyone's gaming experience. |
|
Please stop the ideology discussion. You're not going to convince me to do something you think is a good idea this way. It's up to the engine devs to add the API for getting the version string. When the minetest server is compiled in Debug mode, the version strings of clients can already be accessed by the server. I suggest changing this to work with release builds, too. |
well thats annoying, because that makes everyone's life harder. However, I don't really get how I can actually blacklist the version strings that indicate a player is using dragonfire. Like, okay, the server now has access to the version strings, but now what? How can I then selectively ban the players? |
I'll answer this question on the forum thread, please stop bothering Elias. |
To be honest, I don't really care who or where it's answered, but please, someone answer! |
and others
This project is making a majority of player's and admin's experience of playing minetest much less enjoyable. Please remove this project, or at least make it private.
~flux, admin on BlockySurvival
The text was updated successfully, but these errors were encountered: