DayZ SA - Hosting & Security

[gummy52 57]

EDIT: I've revised this original post to be more clear and to the point.

In a recent thread on reddit a user created a topic quoting Matt Lightfoot stating that "server hosting will be available day 1 for all". Another user commented with a quote that "server files available to all on release".

Rocket, posting under the name rocket2guns, replied with the following,

Linux server build is very likely. Server footprint is only 1.2gb. Bandwidth is TBA, but we're doing formal systems testing soon to get some metrics.

In doing so he seemingly qualified that servers will be hosted by players and that server files will be "available to all on release". His comments on operating system compatibility further suggest that individuals will in fact have access to server files and that DayZ SA will follow in DayZ Mod's footsteps where you can play your character on servers owned by other players. Moderators at DayZMod further qualified these facts in conversation.

I am here to tell you that this is by definition a security hole. Allowing characters from third party servers to join official Bohemia servers (if there are any) is a huge mistake. Team Fortress 2 uses a similar model and that brings comfort to some. What I am here to tell you is the fundamental difference and why Bohemia is the only company in the world to ever attempt using this model and why it is a mistake.

If there are servers and they are allowed to interact with a central server then the communication is either trusted or it is not trusted. If the communication between the two is not trusted then that is a security hole. The communication between a third party server can not be trusted. Valve knew that and that is why loot is not gained based on what a third party server says. In Team Fortress 2 you gain loot by and only by the total amount of time the central server sees you playing the game. It does not allow any third party servers to tell it what to do. Bohemia plans to do the opposite and it is a mistake.

Bohemia is currently planning for the players to shoulder the burden of server hosting. They are also planning for servers hosted by third parties to be a part of the whole that defines where your character can play. That is a huge mistake and there must not be any third party servers.

Based on this information, regardless of any additional information, here are some things that professional programmers / software engineers are capable of doing to their servers without possibility of detection.

• Read the application's memory during run time (cheat)
  
• Modify the application's memory during run time (cheat)
  
• Modify incoming packets to their server (cheat & harass other players)
  
• Block incoming packets to their server (soft ban player's ip address)
  

Here are some things that professional programmers / software engineers are capable of doing that would be nearly impossible to detect (with the exception of cases with extreme abuse)

• Send fake information to the central server (cheat)
  
• Make fake requests to the central server for sensitive information
  

Edited July 1, 2013 by gummy52

[AmberHelios 2071]

lots of game have open server files but if a program has to connect to a central repo they can add a check for modified files that wont let you connect all i get from that is that server files will be available maybe on linux

[Fraggle (DayZ) 15720]

Now I'm in no way qualified, knowledgable enough or furnished with enough facts to really enter this debate so I'll leave you guys to it.

All I would say is that it does strike me that they may have thought through the security implications thouroughly considering that is pretty much the number one issue in terms of the early development of DayZ SA.

Carry on.

[creature 1189]

OK. So, no different than the public hive where anyone can host a server.

I think your reading too much into the small amount of info that's been given so far

And if you have a problem with admin while playing, play on servers that aren't run by kid clans. Pretty simple concept.

[gummy52 57]

The only possible way anyone can not consider this a train wreck is if you fill in the gap by saying "oh well I'm sure they'll do something to make it secure". Based on the information available, it's not. It will be possible to cheat.

You don't even need to modify the server program to make this a train wreck. The program will have the locations of everything in memory. Anyone with access to the server now has access to that program's memory.

People talk about how exciting it will be to know that an item someone has was gotten legit. All of that goes right out the window based on the information available.

[AmberHelios 2071]

you can cheat in every game they are minimizing the amount of cheating that goes on ... the only train wreck here is your logic ... first your modifying the server files now your reading the memory whats next .

[gummy52 57]

first your modifying the server files now your reading the memory whats next

What? What's next? I'm saying that there are security concerns for letting the server files be publicly available on machines hosted by private individuals. I gave two examples.

Are meme pictures and triple dot's really necessary?

Edited June 20, 2013 by gummy52

[AmberHelios 2071]

Are meme pictures are triple dot's really necessary?

your missing punctuation there mate

and yes .... yes they are

[GOD™ 2795]

and yes .... yes they are

That's four dots you're out.

[AmberHelios 2071]

you really think for one moment that they haven't thought of security concerns when it comes to the server files. i mean really they have spent months on this and you think it hasn't entered the mind of the guy behind it once. the only thing that will happen by only having only bis servers is the lack of server that will be available. you can get a lot of the locations from the memory of the client anyways as the client renders the map as well. im not saying that there will not be cheats available but whatever way you do it they will always find a way to cheat in popular games

Peace to you my angry little friend

[cautoad 216]

I allways thought that gummys avatar was a ghost with hands raised and mouth open :/

Edited June 20, 2013 by WoodleDoodle

[hiroshi (DayZ) 2]

AmberHelios tooling out in this thread hard. I like how you're calling out gummy for punctuation, yet your English is absolutely atrocious.

At least Gummy is trying to bring some attention to this issue, which is a valid security concern. Your opinion, and attitude here, are both indicative of fanboyism... therefore, invalid.

[jovial 17]

The only possible way anyone can not consider this a train wreck is if you fill in the gap by saying "oh well I'm sure they'll do something to make it secure". Based on the information available, it's not. It will be possible to cheat.

You don't even need to modify the server program to make this a train wreck. The program will have the locations of everything in memory. Anyone with access to the server now has access to that program's memory.

People talk about how exciting it will be to know that an item someone has was gotten legit. All of that goes right out the window based on the information available.

Which actually isn't very much. Seeing as security was the main concern in the move over to a MMO architecture, I wouldn't read too much into any tidbits of information released so far. At the end of the day, there will be some cheating of course, but hopefully far removed from what was possible in the mod.

Edited June 22, 2013 by jovial

[BarryManalow 1]

I am afraid, this will be a a grave error.

Private servers saved the mod.

However, there is no such thing as an impartial admin when they themselves play on the server.

Every single server has admin abuse or admins helping buddys you might not notice it because it maybe subtle .But its there.

I wouldnt mind if those private servers stayed out of the main hive. Like it is now.

|The current problem is client side saving of settings.

For crying out loud you can just load the mission map as is(recieving mission file) in your editor and stroll around the map looking for camps etc. Recon without rules i call it. You do have a to find a workaround for single player not being available on mod launch:D but there is a workaround.

Or better yet just De-PBO datt shyte and just look at the coords given.

If anything ANYTHING in these type of games is stored client side(or private server side same thing) you open the way to abuse and unfair play. Admins are only people and eventually will cave to powerlust if they play on they own server.

Edited June 22, 2013 by BarryManalow

[sausagekingofchicago 4711]

yeah... i too don't know enough about this but I was under the impression that a separate computer/server connected to the actual hive would control the item spawning/economy. Just thought I'd toss that out.

Maybe someone will come up with a map tool for asshole admins to use but I think private hives are more likely to come from this than anything.

And... did you guys think BI was going to host or rent the servers? :|

[BarryManalow 1]

yeah... i too don't know enough about this but I was under the impression that a separate computer/server connected to the actual hive would control the item spawning/economy.

Elegant solution, just keep the keys of the server under guard:)

But why would anybody want a private hive to begin with?

It started as a way to combat cheaters(not hackers they are cheaters).

But if that would be hypotheticly solved in SA, you would basicly only want a private server ? for what exactly?

Edited June 22, 2013 by BarryManalow

[sausagekingofchicago 4711]

To lock out or punish server hopping combat logging idiots. I guess that too depends on the changes to the SA but that's one reason.

[fluxley 2228]

People need to stop jumping to conclusions when we hardly have any facts.

They have said from the start that there wont be any private hives at least to start with,and now people are getting worked up over one unofficial and most likely misinterpreted comment from reddit.

[sausagekingofchicago 4711]

People need to stop jumping to conclusions when we hardly have any facts.

They have said from the start that there wont be any private hives at least to start with,and now people are getting worked up over one unofficial and most likely misinterpreted comment from reddit.

Don't underestimate the community. There were private hives before they were given the green light by Rocket and Co. Someone will figure it out.

But I agree, very little info to get worked up over.

[gummy52 57]

I've moved the content of this reply to the original post of this topic

Edited July 1, 2013 by gummy52

[Fraggle (DayZ) 15720]

It's certainly interesting to read your points and I guess only time will tell.

Edited June 24, 2013 by Fraggle

[jovial 17]

Here's what we know.

• Server files will be public
  
• People may host on machines they have root access to
  
• Bohemia Interactive will not host any servers of their own
  

Based on this information, regardless of any additional information, here are some things that professional programmers / software engineers are capable of doing without possibility of detection

• Read the application's memory during run time (cheat)
  
• Modify the application's memory during run time (cheat)
  
• Modify incoming packets to their server (cheat & harass other players)
  
• Block incoming packets to their server (soft ban player's ip address)
  

Here are some things that professional programmers / software engineers are capable of doing that very few companies are capable of managing

• Send fake information to the central server (cheat)
  
• Make fake requests to the central server for sensitive information
  

I've been reading posts here and on Reddit, and I think a big over sight many people make when considering the security of a game is forgetting that programmers and software engineers typically like to play video games, test their abilities, or simply cheat because they enjoy the technical aspect. There are plenty of people in this world much smarter than I am or anyone at Bohemia Interactive is.

The best of the best try to prevent cheating the Client, and fail. Expecting to prevent cheating the Server will fail.

I do not believe Bohemia is using this server model simply because "most people want it". I believe the lead factor is that it carries no financial risk. If the game flops, they lose almost nothing and have no pending contracts with any server providers.

Simply put, Bohemia Interactive needs to host the servers privately.

Good points, I'm nowhere near knowledgeable enough to comment on anything there specifically, but given the server model they are using it sounds plausible.

While Bohemia hosted servers would be preferable, looking at the type of company they are, it seems unlikely. Even given the huge success DayZ was and is, there is still a risk, and such a server model would indeed carry more financial risk for them.

So at the end of the day, I just hope we don't see the type of rampant cheating going on in the mod, and that at least certain aspects (like item spawning and the economy) will be harder to breach. If all else fails, back to private hives I guess. :P

Edited June 23, 2013 by jovial

[HazZarD87 166]

They have sacrificed a crapton of stuff during development just to focus on security and an MMO architecture. Now I'm nowhere near knowledgable on this whole thing but no doubt rocket and the guys at BI are.

To read a single forum post on some far of corner of reddit and jump to the conclusion that they're basically leaving the gates white open is, to say the least, an extremely jumpy reaction and a grave underestimation of the devs.

In a broader sense, so is any speculation from the scraps of info we've been getting. Guess this is kinda the area-51 syndrome. You don't know what's going on so the wildes theories start flying around and some people are always convinced they "must" be true.

[sausagekingofchicago 4711]

Gummy has some points. I'm sure hacks and griefing will be just as bad as it is in the mod. You know, where any kid could download a script, become a god, get banned, and buy another key for two bucks.

[Surt 9]

No game is ever going to be 100% secure, especially no popular game. Sure you can minimize exploits but somebody will always find another one. That's the joy of software.