Ini-file modding
-
True, with client hooks it's possible... but it's not easy to get the code for that as it makes the code owner a mighty person because he / she can run everything they want on the client machine.
The best is to use the update program and sync that during the startup of it.
Really, really sorry for the bump, BUT... When you say "everything" do you mean "everything Freelancer" or everything "everything" (ala ActiveX)? 'Cause that's a really scary thought for anyone thinking about logging into a modded server. I know an ethical admin would (or should) advise about that capability before you join, but what about organized groups with more nefarious intentions?
Don't mean to be paranoid, but ...!
-
If you hook into the client, it's as if you inserted a virus into the program; you can do anything the program already can (although I know it's not totally the same since DLLs have quite a few restrictions on what they can and cannot execute, but they still could do some damage or pry over some valuable data).
-
If you hook into the client, it's as if you inserted a virus into the program; you can do anything the program already can (although I know it's not totally the same since DLLs have quite a few restrictions on what they can and cannot execute, but they still could do some damage or pry over some valuable data).
Thanks for the response, FF, sometimes this kind of question is pointedly ignored on some forums.
-
I am not looking to turn this thread into anything hugely controversial. Still, this is, at least to me, an important topic. So....
-
I am not a programmer or a developer. I am a mature (AARP member), knowledgeable layman, who did dabble in DOS debug.com assembly a long time ago. I have a somewhat abstract understanding of how the Windows API works, but much, much of it is over my head.
-
My understanding of a hook is, that it is a function in an executable app that can be induced to call an external app, or a library call, not originally written into the app. The hooks themselves are either written in intentionally for a) debugging, b) expanding future functionality, or c) unintentionally due to sloppy programming. Am I reasonably correct so far?
-
Being old and gray, I'm an SP player, not sure I could handle the Wild West out on the net servers, but I am playing about with setting up a LAN server, so I have been exploring the server side topics on the forums, trying to glean the details of server-client interaction, how the process works, how files get read and written, etc.
-
I know if I download a mod, I can scan it for viruses or trojans, and then assume it is trustworthy. But you seem to be saying that that same trustworthy mod could theoretically be a backdoor into my machine were the server side being controlled by someone with questionable scruples. While I appreciate your disclaimer about what dll's can do, what about the executable? Anything with a read/write function, and internet access is potentially lethal.
-
I understand server admins in general should probably be given the benefit of the doubt as honest, dedicated people, but it is a dangerous world out there. Is anyone advising players about this security hole?
-
I see a big push for anti-cheat apps for the server side of things to prevent exploits by hackers. Has anyone anywhere given any thought to a "sandbox" environment for the players, to keep any potential intrusion at bay? Or is it really just "play at your own risk"?
I know that's a lot to throw at you, and I don't expect you to have quick and ready answers, but anyone else care to join in?
-
-
Is it possible to automatically update an ini-file on the client when it was changed on the server while Freelancer is running? I think that this is needed for a dynamic economy, for example.
The simple answer is yes you can. I appreciate most users who run a server use FLHook, but it's not the only thing to use to run a server. I use FLAC which has a dynamic economy plugin that updates on the fly, meaning i don't have to turn the server off for updates as it does it continuously.
There are many other hooks you can plug into the server only that stops 99% of clientside ini modding, everything from speed modding, thruster hacks, commodity price changing, cloaks, you name it. I think some of you are being a tad paranoid tbh. Yes there are idiots who try to disrupt servers, trick is to be ready for them, FLAC does an excellent job of protection, not free but seriously worth the expenditure.
-
@Gibbon:
I think some of you are being a tad paranoid tbh. Yes there are idiots who try to disrupt servers, trick is to be ready for them, FLAC does an excellent job of protection, not free but seriously worth the expenditure.
All due respect, Gibbon, but if you are referring to my post, I'm talking from a player's perspective, not an admin. Are you saying that pirates only exist in the Freelancer universe? If I, we, us, out here in player land are a little paranoid, maybe that's a good thing. To use a metaphor, wander out into the badlands with a plain vanilla Starflier. If you're not a little paranoid, you're probably an idiot, and quickly dead.
I can envision a (Nigerian, French, Somalian, US, N.Korean, Canadian, take your pick) group setting up a cheap game server (not necessarily Freelancer), let it run a few months, hook their stuff to scan player's machines, and choose just the 1 or 2 that might provide a nice payoff. Say the 14 yr. old who logs in from his CEO dad's home machine. It's not inconceivable, I just conceived it.
And I'm not talking about some script-kiddie sneaking a cloak onto his ship and becoming a player-killer. I'm talking about really sneaky hacker intrusions into your servers, people who try their best to keep you from noticing they have been there.
I'm asking if you server admins have really thought about the wisdom of client-side hooks, from the viewpoint of protecting the player machines, not just the integrity of your server game files.
-
Not to this extent. And I agree with Gibbon. You're being extremely paranoid, mate. That's fine if you want to be like that, but I'd rather have these hooks that add incredible functionality to this game than worry about people pirating people through a 6 yr old game that has less than 500 people online, at a given time, with the majority of those said 500 being on 15 servers that have been around for years.
-
Not to this extent. And I agree with Gibbon. You're being extremely paranoid, mate. That's fine if you want to be like that, but I'd rather have these hooks that add incredible functionality to this game than worry about people pirating people through a 6 yr old game that has less than 500 people online, at a given time, with the majority of those said 500 being on 15 servers that have been around for years.
Actually, I'm a surprisingly "un-paranoid" person. I am, however, a notorious skeptic, and cynical, to boot. The issue doesn't really affect me, as I indicated, I'm an SP player, and the only MP I do is on my personal LAN. I'm simply making an observation about what I perceive as a potential security hole. You say, "you" (as the admin), want to have this. I understand that. Those features attract players to your servers and the community. I'm asking if you are willing to advise your players about this, and give them a choice on whether they want to expose themselves to this (admittedly) potential threat.
-
Without wishing to seem overly paranoid myself, i have to ask the question, why are most of us using Windows then? Here is an operating system that's full of holes so does that mean we shouldn't turn our pc's on? Of course not, but most of the server admins i know have taken great steps to make their servers as secure as they can, to make the MP experience as safe and interesting for their communities as possible. To not go and play MP for fear of attack is like not wanting to use an internet browser because of possible contamination. Best to sit indoors and not go out really, it's scary outside
Someone asked about the SP dynamic economy earlier as well. There is one buried in the code but i don't know how to activate it. Tunicle posted some code that i came across to activate an SP dynamic economy, which in fact is more a price randomiser that Cold Void originally worked out moons ago, that i reprinted so to speak and that works wonderfully in SP by changing the prices of commodities, equipment and ships every time you land.
-
@Gibbon:
Without wishing to seem overly paranoid myself, i have to ask the question, why are most of us using Windows then? Here is an operating system that's full of holes so does that mean we shouldn't turn our pc's on? Of course not, but most of the server admins i know have taken great steps to make their servers as secure as they can, to make the MP experience as safe and interesting for their communities as possible. To not go and play MP for fear of attack is like not wanting to use an internet browser because of possible contamination. Best to sit indoors and not go out really, it's scary outside
C'mon Gibbon, you're not hearing what I'm saying. It isn't "I don't play net MP because I'm afraid of hacker attacks!" I (personally) don't play net MP, because I'm an old, gray, antisocial curmudgeon, who doesn't want to compete with a lot of young gunslingers. My LAN is set up to play MP as an experimental tool for me. I'm an SP player.
My point, if you'll hear it, is the player has a right to hear about security weaknesses you may introduce on their machine. Sure Windoze is bloated, and buggy, and full of holes. BUT, as security holes are discovered, people try to get the word out, try to patch, etc. And I, we, us, out here in M$ land have a responsibility to at least try to keep abreast and take measures to keep our machines secure. You, as an admin, want me to allow you permission to get through my firewall, and anti-virus in order to play the game. I, then, am faced with the question, do I trust you enough to say "Yes".
So, if your attitude is, the player doesn't need to know, my answer would be a resounding "NO!" If on the other hand, you advise a player that your server makes changes to the player's machine, that those changes are generally considered non-destructive, but have some possible potential to harm, and that accepting such conditions requires the player check or click on "I Accept", I'm a lot more likely to give you a grudging, "Well, OK"
None of this would necessarily be an issue with Freelancer, except the previous posts that started this thread, talked about certain types of mods requiring client-side hooks. Is that the only way to do it? Many of you are brilliant modders. Maybe there are other ways. Is that particular mod really necessary to improve gameplay? I appreciate you all (admins) seem to know and trust FLHook's and FLAC's developers to provide sound working code. Eventually, there will be a 3rd, then a 4th, latest, greatest server admin app. Sweeping the issue under the rug as "Unjustified Paranoia!", is just asking for trouble. I really think you admins ought to get together, and think about this, and, yes, get some player feedback.
I really don't think I can add much more to this.
-
Melwoc, I for one take your point.
2 things: -
1. I always get a virus or trojan eventually, despite my machine being at latest update levels and with firewall, antivirus, and antispyware which slow my machine down noticeably. I know this because sooner or later I get "mail failed to deliver" notifications which I did not send, and it's usually advertising viagra. So it's time to wipe my machine clean and reload windows yet again.
I have perfected this to the point that I can restore it in 15 minutes, so it's no big deal. Here's how...
http://forums.seriouszone.com/showthread.php?t=55706
and here...
http://forums.seriouszone.com/showthread.php?t=56258
So if you set yourself up in similar fashion you can wipe off everything except a clean operating system in similar time and have peace of mind.
2. On gameplay - Not sure if it's the case so much these days, I've been working on our new mod for 2 years and haven't played much at all, but on most servers the cowboy blasters lose interest and depart, leaving the older and more mature gamers. As an example most of our players at the RRJDS Guild are over 40 (yeh, I'm even older!). It's a bit slack running TNG at the moment until I get this mod out, hope it will be this month finally. But we have been together for a long time now, enjoying teamplay. We have not needed to kick or ban anyone for 3 years or so now, we think it's because we keep our players involved with us and interested. We have Fugitive characters with bounties on their heads, player-bountied characters, Hare and Hounds from time to time, one-day clan wars and similar events. We could use a new Event Organiser if you are interested, I hope you are. Check out our website for the connection, the link is in my signature below.
Regards from an old fogie! ;D
-
Hi StarTrader,
Glad someone understood, I was beginning to feel paranoid....
Frankly, I (and I just know I'm going to regret saying this, tempting fate & all that), but I haven't had a virus, trojan, or spyware in years. Good clean living, I guess. I'm also pretty adept at recovering from crashes, I haven't had to re-install for years, either.
That's a gracious invitation, and much appreciated, but I'm really not into RP, and I really am (cross my heart) an anti-social curmudgeon. I don't even post very much, this one just touched a nerve. But, thank you, anyway.
Just remember, we old fogies need to stick together, or the yung'ins 'll bury us.
-
Heheheh. See the other thread you hijacked...
;D
-
A lot of players on my server and by that i mean most of them are over 40, me included. As i don't run an RP server i don't have to put up with everything to do with running one. The young ones soon realise this and settle down, some stay some go, and although i have a dynamic economy running on my server, one thing i can tell you for a fact, is it doesn't change any of your files. There is no ini modification of any kind between server & client, only the mod itself that you have to download. That last part is the same for all mods otherwise you can't play them.
I just feel it's not my responsibility to warn people of the so called dangers of using the internet or in our case, using FL. I can't be responsible for what people have on their machines, i mean if someone has a virus on their system and that infects my mod, they pass that onto a friend, am i responsible? The point here is as soon as you open up any ports to the net, you're inviting attack. It's up to every player to make sure they play from behind a firewall and have some form of antivirus software loaded, something that most gamers are aware of. If they don't do these basic things, it really isn't my concern
-
What you must know is that while client-side hooking is being investigated, it's still in its infancy. It currently barely runs a cloak mod and a dynamic economy if you're lucky, but other than that it's all done server-side.
Playing online introduces virtually no risks other than being online, which you already are seeing you browse our forums. I personally have never seen a mod which could be a potential threat. You have many more risks getting a virus just by browsing the web.
-
Look guys, I'm not trying to provoke a controversy, just intelligent discussion.
Let me take these in reverse order.
What you must know is that while client-side hooking is being investigated, it's still in its infancy. It currently barely runs a cloak mod and a dynamic economy if you're lucky, but other than that it's all done server-side.
Playing online introduces virtually no risks other than being online, which you already are seeing you browse our forums. I personally have never seen a mod which could be a potential threat. You have many more risks getting a virus just by browsing the web.
FF, I get that it is still experimental. That's part of the problem, in that all of the brilliant modding that has been done is based on perceptive and intelligent hacking of an app whose source code is unavailable. That should imply, for any reasonably intelligent mod developer, careful debugging and testing. I'm not talking about the ini files here, they are just basically data. And I appreciate that much of the dll content is also basic data. But my understanding of a hook, is that you are taking external control of an executable's functions. In this case, an executable whose innards are still not fully understood. If you are hooking the server side executable, and the hooking program has a bug, or triggers a bug in the hooked program, the server (and by extension, the admin) has to deal with the cleanup. At worst, for the player, his machine might lock, and require a reboot, maybe replacing some trashed data files.
But now we are talking about a 3rd party executable, maybe a well designed, thoroughly debugged app, hooking into the not thoroughly understood in-memory executable process of a number of player machines at the same time. Each of those machines are uniquely different, in hardware, OS, drive configurations, registries, etc. Each of those players have allowed you passage through their firewall, so the firewall is probably irrelevant. I suspect it would take a pretty hardcore antivirus program with heuristics for unknown threats set, sniffing every packet, and constantly scanning memory to detect any kind of hook like this. Given so many players are concerned with lag, they may have disabled this. Ok, their decision, their problem. Now a good programmer of an admin app, who had a thorough knowledge of the target executable could probably design pretty thorough error-checking and control functions to anticipate a wide variety of problems, but even he would concede he couldn't anticipate everything. As brilliant as our modders are, I don't think that is the case here. Keep in mind here, atm I'm only talking bugs, not malicious code. Can you honestly say, that, as an admin, you fully understand all this code interaction, and that you feel comfortable executing code on a player machine without at least giving them some kind of warning that this hasn't even reached the beta stage?
Now I know players who play modded games (any game), even just locally on their machines, almost expect bugs and crashes. That's why there are forums. People help each other, and the developers, and it all, hopefully, gets better.
But to not at least give them a clue that this is a consideration, is, at least in my mind, a little cold.
"Playing online introduces virtually no risks other than being online,..."
If you amended this to, "Playing Freelancer online, without client-side hooks, introduces virtually no, etc." I would agree 100%. And, honestly, I don't think we are actually talking about a mod here in the sense of new ships, systems, etc. I'm specifically talking about a server-side admin app, that hooks into the player's operating in-memory processes. Also, please, I'm not a child, stop with the "If you don't know being online is dangerous, don't go in the forest." I'm well aware that choosing not to get out of bed doesn't keep me from dying. I'm talking here about the trust a server admin is asking for from a player, and an ethical obligation of the admin to at least try to do no harm to the player.
@Gibbon:
A lot of players on my server and by that i mean most of them are over 40, me included. As i don't run an RP server i don't have to put up with everything to do with running one. The young ones soon realise this and settle down, some stay some go, and although i have a dynamic economy running on my server, one thing i can tell you for a fact, is it doesn't change any of your files. There is no ini modification of any kind between server & client, only the mod itself that you have to download. That last part is the same for all mods otherwise you can't play them.
I just feel it's not my responsibility to warn people of the so called dangers of using the internet or in our case, using FL. I can't be responsible for what people have on their machines, i mean if someone has a virus on their system and that infects my mod, they pass that onto a friend, am i responsible? The point here is as soon as you open up any ports to the net, you're inviting attack. It's up to every player to make sure they play from behind a firewall and have some form of antivirus software loaded, something that most gamers are aware of. If they don't do these basic things, it really isn't my concern
"...i have a dynamic economy running on my server, one thing i can tell you for a fact, is it doesn't change any of your files. There is no ini modification of any kind between server & client, only the mod itself that you have to download...."
Then, you are, in fact, using client-side hooking? I can understand this might be a touchy subject for you, but please don't stick your head in the sand. You can be harmed here too, because that capability makes your server a target. I agree it doesn't change the player files. It hooks the player's in-memory operating process. That is the specific danger. With a little tweaking, the 3rd party server admin app (please note, not the admin, the app) could potentially control a great deal on the player machine. Without being a programmer, I can think of several ways a vanilla freelancer.exe in-memory process could be hijacked to write executable code to a player machine and execute it.
Gibbon, I don't know what server you run, or what mod you use. That doesn't matter to me, because I belong to no factions, or clans, have no feelings one way or the other about any particular server or mod, and again, I don't play online, for reasons that have nothing to do with computer security.
"I just feel it's not my responsibility to warn people...if someone has a virus on their system and that infects my mod, they pass that onto a friend, am i responsible?"
Again, I'm a big boy. My mommy and daddy are long dead. "The internet is dangerous" is a straw man argument. And I'm not talking about a virus-infected mod being downloaded. They can be virus-checked. The technical issue here is not data being passed to the client executable to be parsed by the client executable's original functions, but the server app altering the way the client app functions, and your ethical obligation to insure your server doesn't f**k the player's machine.
Let me make this clear. I am not against the development of server tools that do client-side hooking. I am not against servers offering mods that require client-side hooking to expand functionality or gameplay. But I would expect that both developers and admins recognize this is a potentially huge security hole, AND, advise me, as a player upon first logging in to a server that such activity takes place, point me to at least a readme outlining the issues, and let me make the choice whether to participate. To not do so, to me, sounds a lot like what malware does, wresting control of the machine from the owner without his knowledge.
Let me make just a couple of more points. I'll admit my earlier hacker example may have seemed a little hyperbolic, but it is not unreasonable. First let's draw a distinction between a script-kiddie trying to blow up your server, versus a true hacker with an agenda, be it passing a virus, identity theft, whatever. Can you honestly say your server is absolutely hacker proof? If you say "No.", then you have to accept at least half my argument. If you say "Yes." (don't say it, some hacker would take it as a direct challenge), then you are ill-informed. The US Dept. of Defense has admitted to having their machines hacked. BTW, some script-kiddies do grow up to be true hackers, some are psychologically pre-disposed to revenge, so a brutally, or cruelly banned script-kiddie, could well decide to come back in a year with a lot more knowledge, and an agenda. Be kind (or at least not too malicious) when you kick 'em.
Now, I'm a hacker, The Great And Powerful MELWOC. By nature, I do unexpected things. I'm really, really sneaky. I want to spread a virus, my masterpiece. Do I hack into the NASDAQ server, or the IMF. No, let me look around for weaknesses. Let me spend a few months trolling around the net, look at forums that talk about servers, admin apps, client side. (Trust me, when I bumped this thread, it was already 4 months stale, so I'm sure Google-bots had already linked this thread to "server", "admin", "client", "hook", "autoupdate", etc.) Hm, game servers. An old game, available on warez sites, modded server and admin apps, already written, some with source code available. Gee, let me grab up this stuff and see what it is capable of, 'cause I'm a genius, and I know I can do something with this. Not a whole lot of servers around, not a lot of players, but it seems to attract an older crowd. Well, older people have more money than younger people, might have better computer hardware, might link to corporate stuff. Gee, this has possibilities...
I don't think I'm being melodramatic or paranoid. I'm being realistic. I think these issues should probably be discussed in the community before people start pumping out client-side hooked mods. And it would be nice if maybe one of FLHook, or FLAC's developers would pop in and give their 2 cents.
I don't know that there is anything more I can say. If I haven't convinced you there is an issue here, then I doubt anything else I can say could. On that note... Hope to run into you all on a different thread, hopefully on more positive topics.
-
Some excellent points as usual melwoc but i think we're simply going to have to agree to disagree on various points you've raised.
I stand by the NOT having to inform players of the dangers for one thing. In my case because i'm using a payware product, it's not up to me to make the product secure, but the developer. It's his responsibility as a software programmer to ensure this is the case, hence the reason i pay the man. This argument is also solid regarding ANY payware item as we all click on the EULA agreement that comes with said software and keep our fingers crossed it does what it says on the tin. Should this not be the case, then we all have a valid case, so we can all call our respective lawyers and cry foul.
The point i think i'm also trying to make here is that we simply can't forecast any form of hacker attack due to exploited code. You've made the point yourself that if someone is capable enough to exploit code then they will, no matter if it's an FL related item or the Ministry of Defence mainframe. It therefore follows that even if we did give out warnings, they wouldn't make a blind bit of difference as the dedicated hacker will simply get past any potential safeguards.
It's the same with anything that is open to abuse, we take driving lessons so we can drive cars, still doesn't stop us having accidents. By the same token, we use computers knowing that there are risks involved, common sense simply has to take over at some point, we can't warn everyone about all associated dangers of using any product, otherwise we'd all starve to death for worrying about the dangers of opening a tin can and wouldn't go outside for fear of something happening. It's like putting a sign at the top of a ladder that says stop, we know not to go any further. The same with software you're not happy using, if you're concerned about using it, then don't use it, it really is as simple as that.