Look guys, I’m not trying to provoke a controversy, just intelligent discussion.
Let me take these in reverse order.
@FriendlyFire:
What you must know is that while client-side hooking is being investigated, it’s still in its infancy. It currently barely runs a cloak mod and a dynamic economy if you’re lucky, but other than that it’s all done server-side.
Playing online introduces virtually no risks other than being online, which you already are seeing you browse our forums. I personally have never seen a mod which could be a potential threat. You have many more risks getting a virus just by browsing the web.
FF, I get that it is still experimental. That’s part of the problem, in that all of the brilliant modding that has been done is based on perceptive and intelligent hacking of an app whose source code is unavailable. That should imply, for any reasonably intelligent mod developer, careful debugging and testing. I’m not talking about the ini files here, they are just basically data. And I appreciate that much of the dll content is also basic data. But my understanding of a hook is that you are taking external control of an executable’s functions. In this case, an executable whose innards are still not fully understood. If you are hooking the server side executable, and the hooking program has a bug, or triggers a bug in the hooked program, the server (and by extension, the admin) has to deal with the cleanup. At worst, for the player, his machine might lock, and require a reboot, maybe replacing some trashed data files.
But now we are talking about a 3rd party executable, maybe a well designed, thoroughly debugged app, hooking into the not thoroughly understood in-memory executable process of a number of player machines at the same time. Each of those machines is uniquely different, in hardware, OS, drive configurations, registries, etc. Each of those players has allowed you passage through their firewall, so the firewall is probably irrelevant. I suspect it would take a pretty hardcore antivirus program with heuristics for unknown threats set, sniffing every packet, and constantly scanning memory to detect any kind of hook like this. Given so many players are concerned with lag, they may have disabled this. Ok, their decision, their problem. Now a good programmer of an admin app, who had a thorough knowledge of the target executable could probably design pretty thorough error-checking and control functions to anticipate a wide variety of problems, but even he would concede he couldn’t anticipate everything. As brilliant as our modders are, I don’t think that is the case here. Keep in mind here, atm I’m only talking bugs, not malicious code. Can you honestly say, that, as an admin, you fully understand all this code interaction, and that you feel comfortable executing code on a player machine without at least giving them some kind of warning that this hasn’t even reached the beta stage?
Now I know players who play modded games (any game), even just locally on their machines, almost expect bugs and crashes. That’s why there are forums. People help each other, and the developers, and it all, hopefully, gets better.
But to not at least give them a clue that this is a consideration, is, at least in my mind, a little cold.
“Playing online introduces virtually no risks other than being online,…”
If you amended this to, “Playing Freelancer online, without client-side hooks, introduces virtually no, etc.” I would agree 100%. And, honestly, I don’t think we are actually talking about a mod here in the sense of new ships, systems, etc. I’m specifically talking about a server-side admin app, that hooks into the player’s operating in-memory processes. Also, please, I’m not a child, stop with the “If you don’t know being online is dangerous, don’t go in the forest.” I’m well aware that choosing not to get out of bed doesn’t keep me from dying. I’m talking here about the trust a server admin is asking for from a player, and an ethical obligation of the admin to at least try to do no harm to the player.
@Gibbon:
A lot of players on my server and by that i mean most of them are over 40, me included. As i don’t run an RP server i don’t have to put up with everything to do with running one. The young ones soon realise this and settle down, some stay some go, and although i have a dynamic economy running on my server, one thing i can tell you for a fact, is it doesn’t change any of your files. There is no ini modification of any kind between server & client, only the mod itself that you have to download. That last part is the same for all mods otherwise you can’t play them.
I just feel it’s not my responsibility to warn people of the so called dangers of using the internet or in our case, using FL. I can’t be responsible for what people have on their machines, i mean if someone has a virus on their system and that infects my mod, they pass that onto a friend, am i responsible? The point here is as soon as you open up any ports to the net, you’re inviting attack. It’s up to every player to make sure they play from behind a firewall and have some form of antivirus software loaded, something that most gamers are aware of. If they don’t do these basic things, it really isn’t my concern.
“…i have a dynamic economy running on my server, one thing i can tell you for a fact, is it doesn’t change any of your files. There is no ini modification of any kind between server & client, only the mod itself that you have to download….”
Then, you are, in fact, using client-side hooking? I can understand this might be a touchy subject for you, but please don’t stick your head in the sand. You can be harmed here too, because that capability makes your server a target. I agree it doesn’t change the player files. It hooks the player’s in-memory operating process. That is the specific danger. With a little tweaking, the 3rd party server admin app (please note, not the admin, the app) could potentially control a great deal on the player machine. Without being a programmer, I can think of several ways a vanilla freelancer.exe in-memory process could be hijacked to write executable code to a player machine and execute it.
Gibbon, I don’t know what server you run, or what mod you use. That doesn’t matter to me, because I belong to no factions, or clans, have no feelings one way or the other about any particular server or mod, and again, I don’t play online, for reasons that have nothing to do with computer security.
“I just feel it’s not my responsibility to warn people…if someone has a virus on their system and that infects my mod, they pass that onto a friend, am i responsible?”
Again, I’m a big boy. My mommy and daddy are long dead. “The internet is dangerous” is a straw man argument. And I’m not talking about a virus-infected mod being downloaded. They can be virus-checked. The technical issue here is not data being passed to the client executable to be parsed by the client executable’s original functions, but the server app altering the way the client app functions, and your ethical obligation to ensure your server doesn’t f**k the player’s machine.
Let me make this clear. I am not against the development of server tools that do client-side hooking. I am not against servers offering mods that require client-side hooking to expand functionality or gameplay. But I would expect that both developers and admins recognize this is a potentially huge security hole, AND, advise me, as a player upon first logging in to a server that such activity takes place, point me to at least a readme outlining the issues, and let me make the choice whether to participate. To not do so, to me, sounds a lot like what malware does, wresting control of the machine from the owner without his knowledge.
Let me make just a couple of more points. I’ll admit my earlier hacker example may have seemed a little hyperbolic, but it is not unreasonable. First let’s draw a distinction between a script-kiddie trying to blow up your server, versus a true hacker with an agenda, be it passing a virus, identity theft, whatever. Can you honestly say your server is absolutely hacker proof? If you say “No.”, then you have to accept at least half my argument. If you say “Yes.” (don’t say it, some hacker would take it as a direct challenge), then you are ill-informed. The US Dept. of Defense has admitted to having their machines hacked. BTW, some script-kiddies do grow up to be true hackers, some are psychologically predisposed to revenge, so a brutally, or cruelly banned script-kiddie, could well decide to come back in a year with a lot more knowledge, and an agenda. Be kind (or at least not too malicious) when you kick 'em.
Now, I’m a hacker, The Great And Powerful MELWOC. By nature, I do unexpected things. I’m really, really sneaky. I want to spread a virus, my masterpiece. Do I hack into the NASDAQ server, or the IMF? No, let me look around for weaknesses. Let me spend a few months trolling around the net, look at forums that talk about servers, admin apps, client side. (Trust me, when I bumped this thread, it was already 4 months stale, so I’m sure Google-bots had already linked this thread to “server”, “admin”, “client”, “hook”, “autoupdate”, etc.) Hm, game servers. An old game, available on warez sites, modded server and admin apps, already written, some with source code available. Gee, let me grab up this stuff and see what it is capable of, 'cause I’m a genius, and I know I can do something with this. Not a whole lot of servers around, not a lot of players, but it seems to attract an older crowd. Well, older people have more money than younger people, might have better computer hardware, might link to corporate stuff. Gee, this has possibilities…
I don’t think I’m being melodramatic or paranoid. I’m being realistic. I think these issues should probably be discussed in the community before people start pumping out client-side hooked mods. And it would be nice if maybe one of FHook, or FLAC’s developers would pop in and give their 2 cents.
I don’t know that there is anything more I can say. If I haven’t convinced you there is an issue here, then I doubt anything else I can say could. On that note… Hope to run into you all on a different thread, hopefully on more positive topics.