Register
Events
Popular
More
Post #1481
Yeah, internet ads do that all the time to choose what ad you see
-
-
Not stored alongside your personal info, like name and address, they use cookies. this new anticheat act like spyware, and I'm pretty sure it's border-lining to something not legal.
I'm for all that can catch cheaters, but this seems to be way to invasive IMHO.
-
-
It looks like the SDK handled it fine, and GMod just didn't follow the specification, however this means that clients would have to auth their Steam accounts to the Amazon slice that is running CheatPunch or it could still be exploited. However being as the posted code seems to be just a piece of the implementation I couldn't gather if we do auth with CheatPunch on top of servers or not.
Edited:
Yeah as someone that typically deals with application security on pretty much a daily basis as my job, I like to discuss the hows, not just take people's word for it (considering 99% of the time people say "it's secure" they're wrong). Garry's put out patches detailing how things were no longer possible (such as tampering with boxes), however we're seeing hackers blow away entire official servers, so I'm very skeptical that an extremely new anti-cheat system is tamper-proof.
Not 100% sure, but I'm pretty sure the binaries included are not signed (not even sure Unity games support signed binaries), hence why hackers tampering with binaries are such an issue in the first place with client-side code. It's possible he does it for server-side code, but pretty unlikely given the track record (and a lot of these binaries would [should] be shared, and why sign one stack but not the other?)
I got off my lazy ass and checked: the files are signed, not sure if Unity enforces the signatures being as I haven't poked at the hacks provided whether they tamper with binaries or memory live, if the rely on the later only server code can't really be tampered with.
I got off my lazy ass and checked more than file level digital signatures (which are very common among Steam games): Rust doesn't used strong named signed assemblies, so Unity won't enforce a binary hasn't been tampered with (not even sure the Unity stack supports that being as there are restrictions with doing that), so outside of 3rd party signature checks, binaries can be tampered with. Additionally tampering can be prevented with proper filesystem permissions, but if I had a dollar for every host that doesn't do that, I'd be more rich than Bill Gates.
The majority of problems with Rust is due to the lack of sanity checks.
There are few sanity checks you can do when you're passing a handful of pretty straightforward parameters, outside of the ones I've pretty much already mentioned (network source level restrictions, a 3-way trust auth [though CP doesn't seem to hint at this yet], unique server tokens [though if you have access to the server's files this wont help outside of rolling back spoofed reports]).
As someone who came here due to the exact same kind of code I'm talking about, I'd take the "it's over my head so it must be Star Trek levels of mumbo jumbo" lightly.
TLDR/I don't understand but I'm still going to argue: fite me irl m8
-
NA1 Stress test needs a roll back or a wipe(To reduce lag). Everyone is being killed by some guy named (Omega *Symbol*). He is also decaying everyones houses, boxes, and loot.
-
Thats nice !
It is probably for private cheats that using connection with cheat site.
Now with cheatpunch and imporved Vac and plus sometime Rust will get 3rd anti-cheat it will be so nice.
Only thing that now makes my Rust unplayable is desync bug but welp and that will be fixed hopefully.
-
No, I don't think you quite understand. I do expect wipes and welcome wipes. Not from hackers, though.
If not a server rollback to restore the balance again, I'd definitely be in favor of a server wipe to put everyone back on the same level.
-
Agreed. A rollback would be best, but, if it can't be done, a reset is in order.
-
They can try to bypass... but it won´t be the banned people anymore hahahahaha
-
Nope, on playrust.eu servers you can't enable it.
-
He did the same on NA4, I had a mini-base set up for creating one-off videos where I didn't want to be recognized, and I logged in today to a completely empty base except for the structure (inc. doors, walls, etc.), beds, and a workbench. We also saw it on my custom server today, one person was targeted and had ~90% of his house decayed when it was perfectly fine hours before. The decay hack is extremely nasty, I have no idea how they're pulling it off as not even admins have the ability.
-
How are people not losing their shit about this? This can literally log everything you do on the net, it's not even restricted to websites you visit, but also any sites that you load images from, etc. And this can happen at any time you open CS:GO and send everything you've visited in the last 24 hours to Valve's servers. That's a straight up violation of privacy, and the last time it happened people went up in arms until they corrected it.
-
Becasue first there is no any relevent source,it came from cheating site and why I would trust them.
2nd even if it is true when you signed for steam you agreed to subscriber_agreement
"Steam and the Software may include functionality designed to identify software or hardware processes or functionality that may give a player an unfair competitive advantage when playing multiplayer versions of any Software or modifications of Software (“Cheats”)."
Steam and the Software may include
Functionality
designed to identify software or hardware processes, etc.
By signing up for Steam, you're willingly submitting to the functionality of VALVe's software in an attempt to identify whether or not you've been cheating.
You're agreeing to these terms, willingly, when you sign up for an account. And you are going to argue that, suddenly, it's unjust because they're checking your DNS, versus checking which processes you're running or digging through your hard drive?
DNS reading, hashing and communicating is a functionality designed to help identify software processes, such as those that need to send back verification to work.
Edit, source: http://store.steampowered.com/subscriber_agreement/
Section 4, paragraph 2, word 7: functionality
And it is Valve,if this help them to catch cheaters I don't mind.
-
The issue at hand for that was one individual did actually break into Blizzard's system on that and showed that he had access to anything he wanted. Although he didn't take it, it just changed thousands upon millions of computers into just one.
I support the idea of having an additional program to snoop around, that's no issue. The problem is if their system isn't 100% (Which we all know, no system can't be broken into) then others can utilize a program to help, into a program to profit.
-
I'm definitely not happy about it. Has anyone contacted Valve on this?
How do you feel about your entire DNS history getting dropped by someone in relation to your Steam account, which is related to payment methods which is related to your actual person?
-
Find a source detailing this problem that doesn't originate from a site with "hacks" in the name before getting upset.
-
Steam is extremely tight lipped about how VAC works, so I doubt there will be any official statement, but I'll see about poking at the libraries myself after I'm out and about today (assuming this isn't a test deploy someone is on) and do a write-up on my findings.
Edit:
I'd do anything for IDA right now, it's really pretty much the only decompiler worth using (and is the one used in the screenshots), it's like nearly $1000. :\
-
How do you feel about the OP in that reddit post getting his information from a hacking site and claiming it's still legit?
Hacker site = just trying to defame Valve so they don't lose money from people not wanting to cheat and get VAC banned.
Edited:
You won't find anything. Any code that steam deems sensitive probably won't run until you start a game and it will only come from steam(that's why you need an internet connection). Do you really think they are stupid enough to leave code for their anti cheat program on your computer? No. What that hacker site found is most likely bullshit. I can find some random assembly code on the internet too and claim it does something even if it doesn't do jack shit, and people will believe it what I tell them if I throw in that it might be violating your privacy.
-
A hacker talking about what is fair? LOL
You stupid kid. Enjoy the ban. If you cared about what is fair or unfair, you wouldn't be cheating in the first place. Cya trash.
-
The thread details what process to dump the streamed binaries from, so it should be pretty trivial to prove (which this would honestly be like 99.9% of the work I'd have to do, outside of putting up with a decompiler that isn't IDA).
-
The thread was on a HACKER SITE. Why the fuck are you going to trust the word of a HACKER?
-
Because some days I get called one when I'm testing application security, so I take all the "you can't trust hackers" rather lightly. Especially in this circumstance they're programmers that are making money in a market that has quite a bit of demand that for all intents and purposes just ruins some game experiences, not some nefarious guy dumping millions of credit cards to some foreign country and disappearing (I deal with security on the later [though I usually have access to the original source code], so this game stuff is mild).
Let alone I really doubt it's entirely fabricated being as it can be reproduced with anyone that has experience in this (and the right tools).
-
The fact that there isn't much for them to gain from spoofing this kind of information
-
Spreading FUD could gain a little (obviously though not many are concerned about the DNS thing, so obviously they're not gaining much!), but all it takes is one guy to step in, decompile the same code you did and call you a liar.
You're not dealing in some super secret documents, you're dealing in the same binaries on everyone's machine when playing Steam games.
-
Well, let me put it like this then: Why would you trust a site that is NOT there to test security of anything? Why would you trust a site that is dubious at best and could possibly be giving you malicious software in whatever you download from said site? These aren't security people that run this cheat sites. They're ass holes who want to shit on everything. They don't care about your personal security. They don't care about your privacy. Why would you trust a goddamn thing they have to say on ANY subject?
Edited:
You are so naive. They have SO MUCH to gain because they will get people go after steam and Valve for shit that isn't real. They could be trying to force Valve to make the code for their anti cheat program public. I don't trust a site, whose sole purpose is to help you violate your user agreement with Steam.
-
He don't, that's why he will look into it himself, as far as I understand.
-
If you're going to quote me, then use the full context of the quote. It's not like I wrote a fucking novel.
I've also already pointed out how pointless it is to try to look into it yourself because Valve isn't going to let the code for their cheat program sit on your computer for very long. It's server side only.
-
For the most part I would (because of the high level of "why spoof this" and the amount of effort involved to do so for gain of only a select few individuals that know what is going on), but some people on this site need to get off my dick so I'm kind of providing the proof that people need to stop flapping their lips on subjects they don't even begin to understand.
-
Sorry to burst your bubble, VAC is very much clientside too, if it wasn't they could not gather all the info they do, you do know that it's possible to take "snapshot" of what's in your memory at any given point, and then dump it to a file? If not, then you know it now.
-
god, the 'internet', where everyone knows everything, don't argue with them! Everyone is a Programmer/Cop/Developer/everything they could argue about.
-
Oh, I'm sorry, I didn't know it was a crime to google shit and have at least a BASIC understanding of what is going on. Fuck off and die, ass hole.
-
Start google "anger-management", it appears to be the one you need.
-
Problem #1. Don't believe everything on the internet.
#2 You're googling, see above.
#3, You're the asshole, douche, I was atleast being somewhat nice. Quit pretending you know anything though.
-
Please post a screenshot-proof of following Steam ID - he plays on my server since the beginning and want to be an admin sometime. Now i found out he got banned by cheatpunch.
ID: 76561198039881587
-
Believe i was wrongly banned...
Steam ID: STEAM_0:1:77935442
This is a shared acc but i doubt they hack, college students cant afford to :). I had been playing on a server and had got a lot of them Violation Kicks when i started to lag. Came on next day and banned.
-
lol people still use this excuse
-
College students are also poor enough to buy bottles of booze weekly. They're poor, but hot damn not that poor.
-
Just a response to all those people claiming Valve is sending all the sites you visit back to them, I just want to post some helpful info.
First, my reddit comment has information on why this might be completely unfounded: http://www.reddit.com/r/GlobalOffens...isited/cfgj8up
Second, don't believe everything you read on the internet. So far there has been absolutely zero proof provided that this information is sent to Valve, or even what the information is used for. All the snippet gives us is the fact they loop over the DNS cache and store it in a variable. This could be used in many ways, and until there is proof otherwise I'm personally going to trust that valve knows what they're doing.
Third, even if this module ended up sending the information collected to valve, it is NOT a list of visited web pages, it is a list of hashes of the domains your system has looked up. Valve would then have a hashed list of "bad" domains they compare to, but they would be unable to get the original text back from the data this function is storing in memory without brute forcing every valid domain name, which would be a waste of time and resources.
-
Is it even ok to share account with other than your family, it used to be a big NONO, has that changed?
-
Above and beyond the fact that there is Steam Family or whatever its called that allows multiple people to have a mini profile on a Steam account, its moreso a case of "if you *insert family member/friend/individual who isn't you here* does something to get VAC'ed/Banned, you can't get it overturned as your account is still your responsibility". Beside, my brother has been using my Steam account for a good while, even to play Rust and because he has common sense I'm surprisingly not in any sort of trouble.
Agree x 1
Winner x 1
Funny x 2
Informative x 6
Dumb x 1
Disagree x 1
Zing x 1
Artistic x 1
