
TheWalkingDude (DayZ)

Members
  • Content Count: 65

Everything posted by TheWalkingDude (DayZ)

  1. TheWalkingDude (DayZ)

    Global Bans for legit players?

    I'd recommend trying it on a private server or something to know for sure. I'm looking at a forum post right now on a dodgy website which has the source for such a script and there are plenty of claims very recently saying it works fine.
  2. TheWalkingDude (DayZ)

    Will arma 3 engine be plagued by hackers too?

    Obviously there is a lot still left to the client side. Some basic data validation would be nice, but what I'm talking about is simple scope. There should simply not be code in the engine which allows any random client to change variables for another client. It is completely achievable to make it as impossible a thing to do as is running a command which spawns a 3D model that doesn't exist in the game. If the extent of client side exploiting was modifying data your client sends back for your character and your session, and that was it, the hacking problem in DayZ right now would be absolutely nothing in comparison, and this is 100% doable and should have been how it was made.
  3. TheWalkingDude (DayZ)

    Global Bans for legit players?

    Obviously I'm not going to link to anything, but there are scripts publicly available which download server.cfg - it IS common knowledge if you know the basics of Google.
  4. TheWalkingDude (DayZ)

    Global Bans for legit players?

    Which also begs the question, why isn't the password in server.cfg hashed - at least make these hackers use a rainbow table. Hash it with BLOWFISH and use some unique identifier for the server as the salt - good luck cracking that. The harsh reality is BI don't know a thing about security.
  5. TheWalkingDude (DayZ)

    Global Bans for legit players?

    Dude, there are hacks now which can download server.cfg and get the RCON password. Hackers can then use the password and see everyone's GUID.
  6. TheWalkingDude (DayZ)

    Will arma 3 engine be plagued by hackers too?

    lol @ not blaming BI. It's a lame excuse - they could absolutely have made ARMA just as flexible as it is now with a few simple security measures inbuilt. Anyone who has done any client to server programming knows the first rule is to not trust the client - it doesn't mean you can't give clients a lot of power, it just means be responsible with handing out the power.
  7. TheWalkingDude (DayZ)

    Will arma 3 engine be plagued by hackers too?

    All they have to do is make sure only players with elevated privileges can run scripts during a game - in DayZ's case this should be no one basically, but in ARMA's case this should be people who have the access to do so (server admins, players server admins say so etc). For DayZ, the only domain which should be able to run scripts is the domain which DayZ itself runs in - i.e. localhost, within itself. Will there be exploits to trick DayZ servers into thinking a script has the necessary rights to run? Probably. But these will be patched over once found and dealt with. This simple design change will make scripters influencing other people's location and inventory etc a thing of the past, as no client will have the rights to change this stuff. ARMA2 should have been designed like this in the first place.
  8. TheWalkingDude (DayZ)

    Why I think Alt-F4 makes us all better players

    I reserve the right to quit on suspicion of a hacker but it can be hard to tell these days - not that it has happened yet to me, but being killed by someone you didn't see has always been a reality in DayZ, hackers or not. Despite mapping a key to killing the ARMA2 process (i.e. very quick quits), I don't believe it will save me after a hacker-caused death anyway (not tested, but it doesn't stop me loading where a hacker teleported me despite quitting almost instantly) so I now figure there is no point trying to "beat the hive" when killed - if it was a hacker then who cares if I leave loot for him, and if not, then obviously I was outplayed and they deserve it. So my quits are now about saving my life when hacking is obvious.
  9. TheWalkingDude (DayZ)

    What Has Changed The Dayz Player Mentality

    Obviously you want to focus on the % figures here..... but even then murders have risen.
  10. TheWalkingDude (DayZ)

    so, hacking is here to stay apparently

    Well given rocket works for BI, it would make sense to use an engine BI make. I just hope he turns off scripting, lol.
  11. TheWalkingDude (DayZ)

    so, hacking is here to stay apparently

    The difference is that hacking doesn't directly influence the experience for everyone so severely - wall hacks and aim bots suck for everyone but they don't utterly ruin your entire session rendering your last few hours completely meaningless like ARMA2's security problems can.
  12. TheWalkingDude (DayZ)

    so, hacking is here to stay apparently

    They don't care - they'll buy new keys for a few bucks and find a way around it. ARMA2 is broken fundamentally.
  13. I can't remember the last game where I didn't experience a hack. Last one was I was given an AS50 with ghillie, NV, RF - the works. So this hack helped me, and I'm fine with that - if I'm going to play this game, may as well embrace it as no longer a game about apocalyptic survival but instead a game about apocalyptic survival which happens to have random super god like human beings who can do anything they want. Let's pretend that instead of a cancer-curing virus like in I Am Legend that scientists also discovered the full potential of quantum physics at the same time and a few people managed to have the knowledge beamed into their brains and now control every atom.
  14. TheWalkingDude (DayZ)

    All the hacker posts you make.

    lol, no, no it was not. Not from a multiplayer security point of view. The only excuse I can figure out for having such lax client to server scripting security is because they wanted to make scenario building in real time easy, but even then that is terribly lazy.
  15. TheWalkingDude (DayZ)

    All the hacker posts you make.

    Nowhere near in the same sense, unless standalone DayZ is made as crappy security wise as ARMA2 was. The problem with ARMA2's scripts is it allows client side scripting to effectively be run at a server scope, meaning it can change things for every user. While hacks like aim bots and wall hacking are bad, they pale in comparison to the shit that ARMA2 allows. Keep in mind all this "It will be fixed when standalone" talk translates into meaning ARMA2 is broken, which it is from a security point of view. Honestly BI should be thoroughly embarrassed about this - I have never seen a commercial game with obvious multiplayer intents so poor at client -> server security.
  16. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    BI could, and probably should given how much DayZ has meant for their back pockets. But I guess if there are real plans to move the mod away to standalone then so be it - probably not worth it now. Hopefully at least BI learned that taking shortcuts with security is not acceptable. I plan on never buying a BI game again.
  17. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    Yeah my quick google on it seems to suggest it was related to the beta, and only came about because of BF3's leak. In any case once patched in a game like BF3 it stays patched - because as I said, it was probably an exploit in tricking the server into running code - the server doesn't normally allow it. The difference with ARMA2 is you don't have to trick it to run code - you have to trick an arbitrary cheat detecting software, which is much easier. If ARMA2 didn't allow it on principle then scripting wouldn't be a problem.
  18. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    Ok fair enough - but part of this suggestion assumed some work may need to be done to improve the logging, so common hacking scenarios can be detected. Relying on client side detection will never work - it's a losing battle. Ideally you also want a game which simply doesn't accept random scripting commands from just anyone - I still can't stop laughing about how utterly insane that is. But with the cards ARMA2 has dealt, clearly there needs to be some work around server side method to at least detect hackers after the fact. At least force them to keep buying new CD keys.
  19. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    Well if player X kills player A, B and C, and B and C happen to be nowhere near him, shouldn't that raise some red flag somewhere? And I'm sure it's self explanatory how it could be used to counter teleporting (assuming you quit before dying). I understand rocket has limited control over ARMA2, so its swiss cheese approach to security is always going to be a problem, but it appears to me he either didn't realize how bad it was, or didn't care, because DayZ doesn't seem to even try and cover some of the common problems with hacking. It pretty much boils down to data validation - not just accepting the data a client is sending the server and hence the hive, but checking it for plausibility. Perhaps there is simply too much else going on for this to be economical, but when it seems pointless to even play DayZ anymore due to hacking, it kinda seems to me it should have had the utmost priority.
  20. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    Yes but I'm going to guess it is happening in BF3 because the hack involves an exploit in gaining the privileges to do it - ARMA2 apparently treats every client like they're the administrator and then uses some patchwork crap called BattleEye to try and stop them doing stuff. Exploits which grant privileges are always going to happen too, but they are usually fixable without having to rethink your entire approach like BI would have to do if they cared about how terribly ARMA2 handles security.
  21. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    Not only is BattleEye not prepared but it seems the game itself (ARMA2) was designed under the assumption people wouldn't try to run scripts to cheat. There is an easy way to stop people doing this - you don't let clients run scripts online, period. At the very least not scripts which directly interact with other players. Someone being able to teleport another player is laughable in its stupidity - this isn't a normal problem because no other respectable game could possibly allow this to happen. Most hacks and cheats are limited to the scope of the player - aim bots, wall hacks etc. These things will always exist. But ARMA2 by way of DayZ has redefined what it means to be affected by cheaters online, to previously unprecedented levels. In other words, this isn't a case of "oh well every game has cheaters", this is well beyond that. It doesn't mean you have to kill scripting entirely - you just add some framework around it so it isn't this easy. I can understand a closed "by request only" simulator being this open, but ARMA2 is a publicly released game with at least some effort given by BI to market it directly to PC gamers. For them to not address these gaping security loopholes and rely on a cheat detector which is clearly incapable of doing the job is appalling. DayZ has simply exposed ARMA2 for what it is - an abortion of a game from a security point of view.
  22. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    With the state of hacking at the moment, can you really blame anyone for not knowing BattleEye even existed?
  23. TheWalkingDude (DayZ)

    Something that nobody understands about DayZ

    Patience indeed, so you can muster up the interest to try again after being spawned into a death trap because ARMA2 doesn't give a shit if clients run a script that influences everyone on a server.
  24. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    lol. So what I have learned today is BI didn't design ARMA2 for "gamers", they designed it for "army contractors" who don't expect things like basic security practices to be followed in a client server environment. What other shortcuts did BI take? Who would have thought PC gamers would have higher security expectations than real military people.
  25. TheWalkingDude (DayZ)

    Some Anti-cheat ideas!

    Turning scripts off isn't necessary - they just need to make them server side only. They need an interface for admins to authenticate to so they can run scripts remotely. Scripts run by the local ARMA2/DayZ on the server are fine. Simply put, BattleEye shouldn't be the first and only line of defense against scripting, common sense in how it's implemented would go a long way. The very first rule of ANY client -> server application is you NEVER trust client data. And whilst it's fine to say the game is meant for non-gamers etc, it's on Steam for everyone to buy, and if I bought it to play online and found out its ability to even enjoy it online at all is entirely at the whim of hackers, I'd be pissed.
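
The server-side plausibility check proposed in the "Some Anti-cheat ideas!" posts above (kills where the victim is nowhere near the killer, and position jumps that look like teleports), sketched as an added example that is not part of the original posts and not DayZ or ARMA2 code. The log format, field names and both thresholds are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample events (not real DayZ/ARMA2 server output). Positions are
# metres on the map; the line layout is an assumption made for this example.
SAMPLE_LOG = """\
12:00:01 POS player=X x=1000 y=1000
12:00:01 POS player=A x=1200 y=1100
12:00:01 POS player=B x=9000 y=8000
12:00:01 POS player=C x=400 y=12000
12:00:01 POS player=D x=5000 y=5000
12:00:05 KILL killer=X victim=A
12:00:06 KILL killer=X victim=B
12:00:07 KILL killer=X victim=C
12:00:09 POS player=D x=7000 y=7000
"""

MAX_KILL_RANGE_M = 2000.0   # assumed upper bound for a plausible shot
MAX_SPEED_MPS = 30.0        # assumed upper bound for plausible movement

def seconds(ts):
    h, m, s = (int(p) for p in ts.split(":"))
    return h * 3600 + m * 60 + s

def find_implausible(log_text):
    """Return (flags, long-kill count per killer) for events failing the checks."""
    last = {}                      # player -> (time, x, y) last reported position
    flags, strikes = [], defaultdict(int)
    for line in log_text.splitlines():
        ts, kind, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        t = seconds(ts)
        if kind == "POS":
            x, y = float(f["x"]), float(f["y"])
            prev = last.get(f["player"])
            if prev:
                dist = math.hypot(x - prev[1], y - prev[2])
                if dist > MAX_SPEED_MPS * max(t - prev[0], 1):
                    flags.append(("teleport", f["player"], round(dist)))
            last[f["player"]] = (t, x, y)
        elif kind == "KILL":
            k, v = last.get(f["killer"]), last.get(f["victim"])
            if k and v:
                dist = math.hypot(k[1] - v[1], k[2] - v[2])
                if dist > MAX_KILL_RANGE_M:
                    flags.append(("long_kill", f["killer"], round(dist)))
                    strikes[f["killer"]] += 1
    return flags, dict(strikes)
```

The kill on A (about 224 m away) passes; the kills on B and C and the jump by D are flagged, and the per-killer count gives an admin a threshold to review or ban on after the fact.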