BonoBGood 10 Posted April 25, 2013

> I respectfully disagree. What he achieved is to:
> a) Upset a lot of people and stop them from playing/testing
> b) Mess with BIS's schedule regarding fixing stuff.
>
> Regarding b): Instead of doing whatever they were doing, folks at BIS now have to mess with his attention-whoring exploiting... "look at me, I can fck with you and you have to do what I say or...." I mean, how immature and irresponsible does one have to be? I don't think this hole would have been left open, gotta give at least some credit to people writing all that code. There are such things as "plans", and in writing software they are made so that time and resources spent are used wisely. Fixing security holes at an early stage is not efficient, since new holes are bound to appear later in the development process. It's good to keep an eye out, so as not to go deeper along a certain avenue if you know it's gonna have to be rewritten/adapted. Hence the bug trackers, so that folks can acknowledge a security hole, analyze and schedule the plugging. "OMFG, they didn't fix it within a week" (month, two, however long someone other than people at BIS thinks is quick enough) is just... selfish.

This sums up my opinion exactly.

eddieck 10 Posted April 25, 2013

> Problem with Java is that it's an even WORSE security flaw..... The hacker could make a botnet out of all Arma clients and DDOS BIS websites or something crazy. A whole new can of radioactive worms with frickin laser beams on their heads.

Yeah, I mentioned that on reddit, but they seem set on Java for some reason. Which means I'll be playing A3 in a VM (and sticking to non-K Intel CPUs for VT-d)... Pretty much replacing one problem with another, but hey, at least we're getting 'somewhere'. (http://java-0day.com/)

Milyardo 10 Posted April 26, 2013 (edited)

> Yeah, I mentioned that on reddit, but they seem set on Java for some reason. Which means I'll be playing A3 in a VM (and sticking to non-K Intel CPUs for VT-d)... Pretty much replacing one problem with another, but hey, at least we're getting 'somewhere'. (http://java-0day.com/)

Most(1) of those Java Zero day exploits don't apply to context outside the Java Web Start plugin(2) and could not be exploited via applications running in the JVM via JNI. Regardless of how insecure you think Java is, Java is light years ahead of SQL/SQF in terms of performance, security, and correctness.

Just out of curiosity, what do you propose as an alternative to Java?

1) One exploit in the past few months did abuse reflection APIs to execute methods outside the context of the security manager, but that bug is fixed.

2) As an aside, even though the problems had to be fixed from Java, these security problems are more the failing of web browser plugin architecture. There isn't a web browser plugin out there that doesn't have constant security problems, and the same problems have to be fixed individually for each plugin. Web plugins as a whole suck and you should be worried about all plugins you have installed, not just Java. Ironically, the very website you linked warns against this same thing in its footnote.

EDIT: For example, classes in Java, once loaded, cannot be redefined. This exploit wouldn't exist in a JVM based environment.

Edited April 26, 2013 by Milyardo

eddieck 10 Posted April 26, 2013

> Most(1) of those Java Zero day exploits don't apply to context outside the Java Web Start plugin(2) and could not be exploited via applications running in the JVM via JNI. Regardless of how insecure you think Java is, Java is light years ahead of SQL/SQF in terms of performance, security, and correctness.

It certainly doesn't inspire confidence in the overall product. Java definitely > SQF & SQS, no question/argument there.

> Just out of curiosity, what do you propose as an alternative to Java?

Lua seems to have done well for other engines. AngelScript could also be worthy of further exploration, although it doesn't seem to be in very wide use.

> 2) As an aside, even though the problems had to be fixed from Java, these security problems are more the failing of web browser plugin architecture. There isn't a web browser plugin out there that doesn't have constant security problems, and the same problems have to be fixed individually for each plugin. Web plugins as a whole suck and you should be worried about all plugins you have installed, not just Java. Ironically, the very website you linked warns against this same thing in its footnote.

Click to play FTW. :)

dave_beastttt 135 Posted April 26, 2013

Well passwording and trusting a responsible person in TS is working for us so far, restarts and pw changed when someone comes in without restarting their client. When it gets to 40 I lock so no more can join. On the bad side, free TS3 32 slots now maxed out and we can't get a NPL for 500 slots :[

netshark 10 Posted April 26, 2013

> Could we not take his code, Set the spawn to normal, and set the hint text to blank, and re spread it. Essentially fixing it while using the hack?

I second SPJESTER in this question. Could this be possible? Like a ghetto-vaccine?

SomeGuyWithARock 1 Posted April 26, 2013

> Well passwording and trusting a responsible person in TS is working for us so far, restarts and pw changed when someone comes in without restarting their client. When it gets to 40 I lock so no more can join. On the bad side, free TS3 32 slots now maxed out and we can't get a NPL for 500 slots :[

Here you go (hopefully still working):

anthropoid 1 Posted April 26, 2013

> I fully ignore what you just wrote except quoted...
> He could do everyone a favour in using the feedback tracker like everyone else . . .

Maybe he did use the feedback tracker? Still, I condemn his/her methods; most likely he/she could have achieved the same thing without breaching the EULA and impacting gameplay for so many other people. Asking a few moderators here at BIS forums to _please_ get onto a server and demonstrate his hack, or demonstrating it to his clan mates would likely have served sufficiently.

I don't think the phrase 'taking the whole community hostage' is too strong or inaccurate, and that is, it seems, precisely what he/she has done. Very likely this was illegal and seems to warrant some sort of penalty if his/her identity is discovered.

But it also seems to be true that this sort of 'gaping hole' in security is a longstanding tradition that might not have been addressed even before the final product was released had something this dramatic not occurred. I cannot help but suspect a clever, mature, conscientious and sociable person would have achieved the same effects without creating so much disturbance.

chortles 263 Posted April 26, 2013 (edited)

> Would be good if this is hotfixed into the stable build ASAP, since it will kill the current problem within a few hours.

Here's Dwarden two pages ago:

> I repost what I posted in other thread
> some of the security fixes needs first to be tested and expanded before they can even reach the stable version, so calling for rush hotfix of stable version isn't a good idea in this situation

Also:

> Personally, I'm disappointed that it took a mass outrage to finally make them see the problem and start doing something about it.

I'm not so sure that they see it as a problem in the first place, which is why it was left open for so long, and the announced fixes sound like they're not in a rush to hotfix it either, especially after (I believe) Dwarden's comment that it's multiple fixes for multiple issues instead of just a one-stop anti-cheat hotfix... heck:

> 25-04-2013
> EXE rev. 04517
> Small first of many stages to reduce MP security vulnerabilities: should no longer be needed to restart the whole game to undo the common functions breach. This should also prevent it from spreading (but does not help the current situation on default branch servers of course). More on the topic in the next SITREP.

Considering that... yeah, this is going to take a while seemingly.

Edited April 26, 2013 by Chortles

carolusx 1 Posted April 26, 2013

> First off, do any of you morons actually know what a script kiddie is? Since this exploit is a 1 of 1, he obviously can't be a script kiddie since he discovered and wrote it himself. The irony is that the majority of people flaming this guy as a script kiddie probably couldn't even replicate his results with his script, much less actually write it in the first place.
>
> Second, this guy has done this community a huge favor. This vulnerability was presented to BIS a while ago and they completely ignored it. So blame BIS for terrible security implementation, don't blame the guy that's trying to ensure that the final product isn't ruined by future exploits. He could have made the exploit a whole lot worse, i.e., waited until the product neared final release and then made the exploit much more subtle but still game ruining and completely destroyed the game right before release, but he didn't. Instead he made it dramatic and overly obvious, effectively ensuring it would never be used again while also forcing BIS to fix this gaping hole while there's still time. Stopping the exploit now gives BIS time to put it off. The only thing unacceptable is BIS's tradition of enormous security flaws.
>
> So waaaa, here's to 41 more pages of the biggest whiners on the internet, and more importantly, a sincerely heartfelt thank you to whoever this guy is that literally saved Arma 3.

First, you can't be sure if it's a script kiddie aka scidiot that did this. Since we can't be sure that it actually was the original hacker that infected the servers or if he published a script and people started to use it and then infected the servers. But you're right, my guess is that it's the hacker that did it.

Second, I absolutely don't agree with you on this one and when it comes to that "He could have made the exploit worse" part, that's just idiotic reasoning. You can easily translate this situation to IRL. Let's say you have 1000 $ in your house. You don't lock the door everyday when you leave the house. Someone notices this and goes to your house, opens the door, gets in and takes 300 $ of your 1000 $. Later on the thief is caught. Now would you then say, in court: "ooohhhh it wasn't that bad. He did me and my neighbours a favor. He didn't take all, He left 700 $ and just pointed out that I had a security hole that someone further on could exploit by opening the door and take all of my money....." It's still a crime to get in to your house and steal the money, right?

The way of saying "it's for the best of the public" is just a way to try to justify hacking/black hats/grey hats and it's always the same thing. When someone hacks a website, an internet bank, a government, a household's computer or whatever it is. It's always the same story: "He/She was just pointing out security holes so no one else could exploit them further on....."

I've been a network IT security consultant since 1992 (yes that's right, I'm an old dude but I can at least say that I was part of creating the Internet boom) and over 21 years I've heard the same story over and over again. "We just did it to show the exploit to make sure that no one else exploited it later on, it was for the public's best" and trust me on this one. It's never in the best of the public.....

If you find an exploit, contact the issuer of the software/game or whatever it is. If you don't get a response, publish how it might be done, in this case the forum. That's the best of the public. As someone else was pointing out on the forum. Some people (that's the public) are paying money to have an ARMA3 server up and running and now they can't play on the server......

SPJESTER 10 Posted April 26, 2013 (edited)

Hey guys

A guy named Will Smith joined my server 2 after he crashed server 1. It caught his Steam ID and soon after he fully connected, it CHANGED and we started flying!! in the server command box and said (id=02:20blah blah) or some shit. I banned him! He also said when we called him out that he was the one that did it, and he said he was "gonna fuck all of us up!" I had about 16 witnesses.

2:29:55 Player WillSmith connecting.
2:29:57 Player WillSmith connected (id=76561198063115431).

Check this out, he's actually only played the game 2.3 hours in the last 2 weeks, and has only had it open 22 hours. http://steamcommunity.com/profiles/76561198063115431

Sounds fishy, like just enough time to build a hack, and spread it on a few servers and close out. I mean how would someone that doesn't even play the game just magically come in with the hack and start spreading it.

Haven't had a problem since! Currently 31 people online.

Edited April 26, 2013 by SPJESTER

Radioman 6 Posted April 26, 2013

Just imagine if this virus hit, when BE was implemented. The virus could have spread from a non-BE configured server to many clients, then, those clients would go join another server, and get BE banned. Result? A lot of banned players, and an even bigger mess.

A3_Melle 40 Posted April 26, 2013

> Hey guys
>
> A guy named Will Smith joined my server 2 after he crashed server 1. It caught his Steam ID and soon after he fully connected, it CHANGED and we started flying!! in the server command box and said (id=02:20blah blah) or some shit. I banned him! He also said when we called him out that he was the one that did it, and he said he was "gonna fuck all of us up!" I had about 16 witnesses.
>
> 2:29:55 Player WillSmith connecting.
> 2:29:57 Player WillSmith connected (id=76561198063115431).
>
> Check this out, he's only played the game 2.3 hours. http://steamcommunity.com/profiles/76561198063115431

Could also just be an annoying guy who wants to fool around and piss people off, if he moves from infected server to a "clean" server he would bring the infection over to (for example) your server, probably on purpose so it looks like he's the "creator". Really don't think that the script creator will publicly announce it is him because you got most of his "game details", a good hacker never leaves such a trail as this (player id, steam account). Let's just hope there will be a fix soon, they are working on it but it takes time and we just got to be patient.

Send with tapatalk.

SPJESTER 10 Posted April 26, 2013 (edited)

Yea well no other player had a magic ID swap lol. And a smart ass attitude with weird game stats.

Well we just had another attack, but get this, no id swaps happened! So apparently he is going around keeping his hack in rotation.

Edited April 26, 2013 by SPJESTER

A3_Melle 40 Posted April 26, 2013

> Yea well no other player had a magic ID swap lol. And a smart ass attitude with weird game stats.

How do you know this guy has an ID swap? Seen these types of "people" on ARMA2 also (battle eye was turned off), they just join the server and send a script just to piss the other players off, but hopefully as soon as the security fix is up this will stop. Also don't forget steam game can also be cracked to a non steam game with MP functions, as long as there is no update because then they need to crack it again to get on the new version servers.

Send with tapatalk.

SPJESTER 10 Posted April 26, 2013

Because the server is on my 2nd screen and I watched with my own eyes the id change in the server dialog. No one else's changes even when they come in infected. He planted his hack and went offline. That's all he had to do.

A3_Melle 40 Posted April 26, 2013

> Because the server is on my 2nd screen and I watched with my own eyes the id change in the server dialog. No one else's changes even when they come in infected. He planted his hack and went offline. That's all he had to do.

Strange, as earlier posts made by people state he had NO player name and they couldn't see his player ID (or were too late because it was a hit and run) and also that he got in the server and didn't say a word and only to let his script run on the server. The msg also states that the creator wanted to warn BI about the weakness in the security and that we (the community) need to complain on these forums, the hack script is "harmless", just restart your game and server and it is gone.

This guy probably is not going to make a scene in a server and tell he is the creator, just not fits his profile, if he really wanted to do harm he could have created a script that really could do harm to our player files and servers. I know for sure the creator will be watching this forum to see how we all react, he made his point and got BI working on a security update as for now we got over 400 reactions from people in this topic so 1 guy put this all together.

Send with tapatalk.

Hammerballz 10 Posted April 26, 2013

> Maybe he did use the feedback tracker?

I guess not... Enlighten me, if someone finds something better than this!

A3_Melle 40 Posted April 26, 2013

The hit and run is his profile yes, just upload and move on to another server, it's just strange that earlier posts about the "hacker" state they didn't see a name or player ID (or were too late to see it), also that the guy came in without saying a word so not telling he was THE MAN.

Personally think you were dealing with a copycat, the real creator was making a statement about the security and the script is harmless (annoying yes) as we just restart the game and server and it will be gone, he was just out to get us all complaining on the forums which worked. The statement was to get attention on this leak in the script, he made his point as BI is working on it and we are discussing it as this topic with over 400 reactions shows and I am sure he is reading all these reactions just to see what he really wanted to create: the entire community screaming for a fix!

This guy in my eyes had no real bad intentions but probably wanted to see this security update go up fast (don't forget he made his point for all the players who don't know about this leak). He probably also could have created a ticket and didn't get the reply he hoped for because it doesn't go fast enough, or he was 1 of the small group of people who found this leak in the script and didn't get taken seriously (at least what he thinks). Of course that's my personal point of view on this case.

Send with tapatalk.

jw custom 56 Posted April 26, 2013

> This guy in my eyes had no real bad intentions but probably wanted to see this security update go up fast (don't forget he made his point for all the players who don't know about this leak).

Really, I hope the little script kiddie's parents find out about this so they can help him/her overcome his/her mental illness.

A3_Melle 40 Posted April 26, 2013

> Really, I hope the little script kiddie's parents find out about this so they can help him/her overcome his/her mental illness.

Don't forget that these types of persons also look for security leaks in banks and websites etc. etc. etc., and you call that an illness? Lol you just want to throw your money on the streets as there is no one who tries to hack security systems because they are all in a mental hospital? Saving it at a bank won't have any cause with no security created by those "ill" people. As soon as your bank account got a withdrawal on it you didn't make and the person at the bank on the phone told you: "we didn't test our security" you would go mad, wouldn't you? ;) Well I would, but apparently you want all those people who can hack but also defend our personal stuff in a mental home with an illness.

Of course I am not happy in this situation for ARMA3 but the guy got my attention and made me look at this forum a lot more, the same with a lot of others. ;)

Send with tapatalk.

Aciidiux 10 Posted April 26, 2013 (edited)

> The hit and run is his profile yes, just upload and move on to another server, it's just strange that earlier posts about the "hacker" state they didn't see a name or player ID (or were too late to see it), also that the guy came in without saying a word so not telling he was THE MAN.
>
> Personally think you were dealing with a copycat, the real creator was making a statement about the security and the script is harmless (annoying yes) as we just restart the game and server and it will be gone, he was just out to get us all complaining on the forums which worked. The statement was to get attention on this leak in the script, he made his point as BI is working on it and we are discussing it as this topic with over 400 reactions shows and I am sure he is reading all these reactions just to see what he really wanted to create: the entire community screaming for a fix!
>
> This guy in my eyes had no real bad intentions but probably wanted to see this security update go up fast (don't forget he made his point for all the players who don't know about this leak). He probably also could have created a ticket and didn't get the reply he hoped for because it doesn't go fast enough, or he was 1 of the small group of people who found this leak in the script and didn't get taken seriously (at least what he thinks). Of course that's my personal point of view on this case.
>
> Send with tapatalk.

I would like to add that Cyrillic characters on your player name won't be shown on logs or in the game if you are running ISO-5899-1.....

So if you change your profile name on ARMA 3 to КЛМНѮѺП, it will show as blank on server logs and in game.

Cheers

Edited April 26, 2013 by Aciidiux

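The blank-name behaviour described in the post above, turned into a log check (an added example, not code from the thread or from BIS). It assumes the charset meant is ISO-8859-1 (Latin-1), that the logger silently drops characters it cannot encode, and that connect lines follow the format quoted earlier in the thread; the sample lines and ids are constructed, and the check also covers control and format characters, which encode fine but draw nothing.

```python
import re
import unicodedata

# Connect-line format as quoted earlier in this thread (assumed to be stable).
CONNECT_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}) Player (?P<name>.*) "
    r"connected \(id=(?P<uid>\d+)\)\.$"
)


def visible_in_latin1(name):
    """Return the part of a name that a Latin-1 log or console can display."""
    kept = []
    for ch in name:
        try:
            ch.encode("iso-8859-1")
        except UnicodeEncodeError:
            continue  # not representable: assumed dropped by the lossy writer
        if unicodedata.category(ch) in ("Cc", "Cf"):
            continue  # control/format characters (e.g. soft hyphen) draw nothing
        kept.append(ch)
    return "".join(kept)


def escaped(name):
    """ASCII-safe rendering so the real name survives in any log or ticket."""
    return name.encode("ascii", "backslashreplace").decode("ascii")


def classify(name):
    shown = visible_in_latin1(name)
    if not shown.strip():
        return "blank"      # admin sees an empty player name
    if shown != name:
        return "partial"    # part of the name is hidden from the admin
    return "ok"


def audit(lines):
    """Return one finding per connect line whose name would not display fully."""
    findings = []
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["name"])
        if verdict != "ok":
            findings.append({
                "time": m["time"],
                "uid": m["uid"],
                "verdict": verdict,
                "name_escaped": escaped(m["name"]),
            })
    return findings


# Constructed sample log lines; the ids are placeholders, not real accounts.
SAMPLE_LOG = [
    "2:29:55 Player WillSmith connecting.",
    "2:29:57 Player WillSmith connected (id=10000000000000001).",
    "2:31:02 Player \u041a\u041b\u041c connected (id=10000000000000002).",
    "2:31:40 Player Ivan\u043e\u0432 connected (id=10000000000000003).",
    "2:32:10 Player \u00ad\u200b connected (id=10000000000000004).",
    "2:33:00 Player M\u00fcller connected (id=10000000000000005).",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Keying bans and reports on the numeric id and the escaped name keeps a player identifiable even when the displayed name is empty.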
jw custom 56 Posted April 26, 2013

Here's a fix for current hack/plague. It seems to work, don't kill me if not!

http://forums.bistudio.com/showthread.php?153916-Fix-for-current-annoyance-hack-plague

A3_Melle 40 Posted April 26, 2013

> I would like to add that Cyrillic characters on your player name won't be shown on logs or in the game if you are running ISO-5899-1.....
>
> So if you change your profile name on ARMA 3 to КЛМНѮѺП, it will show as blank on server logs and in game.
>
> Cheers

Didn't know that, so it could just (probably will be) a guy using this method.

Send with tapatalk.

Aciidiux 10 Posted April 26, 2013

> Didn't know that, so it could just (probably will be) a guy using this method.
>
> Send with tapatalk.

We have a ton of logs of guys who are using these kinds of names. Also tons of guys who are running modified .sqf's.....