galzohar 31 Posted April 25, 2013 setVehicleInit might have been there since forever, but saving stuff in a name space that is persistent between missions was not. There really needs to be better control of the scope of variables so they can't be easily overridden in such a harmful way. Not just for countering hackers, but also for preventing poor scripted features from breaking the entire game long after the buggy mission was over. Even something as simple as allowing one to set a variable as "final"/"constant" would go a long way. Even if just for allowing you to prevent yourself from accidentally overriding your own constant variables. But heck, that sounds like almost as big of a request as asking for them to make SQF strongly typed... Share this post Link to post Share on other sites
Vincent Edwards 10 Posted April 25, 2013 (edited) I hope this guy is identified soon and sued as well. He violates the Arma III license agreement and the steam one as well. So they can void his Alpha Key and maybe even his entire steam account. If he at least made his hack some way, that the missions are still playable after a few of his "events" are fired. Or maybe stop the attack after 1 or 2 days. Ok, I could understand that to a certain point, because there is a security gap, as he proved. - But no, he is disabling all public playing and takes the whole community hostage. But for now my patience is depleted. Playing public on random servers is not possible for 3 days now. Please find out, who it is. And I am really looking forward for the fix to the problem, because I want to be able to open my server for public players again. Edited April 25, 2013 by Vincent_Edwards Share this post Link to post Share on other sites
Alo Keen 7 Posted April 25, 2013 As far as hoping goes, if I wrote what I'm hoping for him, I'd get banned :D @everyone who's complaining and/or being dramatic: Lads (& lasses?), we should be happy the alpha is as playable as it is... (or actually not playable at the moment, before someone else points it out. again.), it's all a part of testing. Chill. Please. Demanding, crying, or otherwise being a PITA, does absolutely nothing to help. Share this post Link to post Share on other sites
SPJESTER 10 Posted April 25, 2013 Hey guys, As of now all of you know the situation we are in... It's bad. But if you miss playing the game feel free to join our servers! Both are currently running my version of Wasteland and hold up to 66 people. I miss having a full server :( So please guys restart your game to stop this hacker, and join up on our game! Plus this little scripter doesn't realize he's costing us money, We pay for our server. Join the Teamspeak for the password to get in at TS: ObliviousGaming.tk:9070 But just a side note. If you do not restart your game, and deliberately come in and spread the hack in the game. I will ban you. Enjoy! Hope to see you guys in there! Original Thread Post: http://forums.bistudio.com/showthread.php?153885-server-oblivious-gaming-servers-24-7-uptime Share this post Link to post Share on other sites
red29 10 Posted April 25, 2013 First off, do any of you morons actually know what a script kiddie is? Since this exploit is a 1 of 1, he obviously can't be a script kiddie since he discovered and wrote it himself. The irony is that the majority of people flaming this guy as a script kiddie probably couldn't even replicate his results with his script, much less actually write it in the first place. Second, this guy has done this community a huge favor. This vulnerability was presented to BIS awhile ago and they completely ignored it. So blame BIS for terrible security implementation, don't blame the guy that's trying to ensure that the final product isn't ruined by future exploits. He could have made the exploit a whole lot worse, ie, waited until the product neared final release and then made the exploit much more subtle but still game ruining and completely destroyed the game right before release, but he didn't. Instead he made it dramatic and overly obvious, effectively ensuring it would never be used again while also forcing BIS to fix this gaping whole while there's still time. Stopping the exploit now gives BIS time to put it off. The only thing unacceptable is BIS's tradition of enormous security flaws. So waaaa, here's to 41 more pages of the biggest whiners on the internet, and more importantly, a sincerely heartfelt thank you to whoever this guy is that literally saved Arma 3. Share this post Link to post Share on other sites
Alo Keen 7 Posted April 25, 2013 The only thing unacceptable is BIS's tradition of enormous security flaws. Unacceptable, yet you are still here.... Share this post Link to post Share on other sites
Hammerballz 10 Posted April 25, 2013 Second, this guy has done this community a huge favor. This vulnerability was presented to BIS awhile ago and they completely ignored it. So blame BIS for terrible security implementation, don't blame the guy that's trying to ensure that the final product isn't ruined by future exploits. I fully ignore what you just wrote except quoted... He could do everyone a favour in using the feedback tracker like everyone else and take it that this is just an ALPHA where content still lacks until Beta/full. There is a VOTING Option in the Tracker aswell.. I am pretty sure people who understand this problem would vote up! I´m not saying you are wrong or right and I won´t blame BIS, but annoying players who can´t script or let´s say are not working on the Game is not a solution to "ensure that the final product isn´t ruined by future exploits" Share this post Link to post Share on other sites
Chanassa 10 Posted April 25, 2013 Hi, this may be a dumb question. But how does the "hacker" do this? Where is the file? Locally or on server? Do it run as an process or something? Is it possible to make a "counter" script, one that detects for example the process? Share this post Link to post Share on other sites
eddieck 10 Posted April 25, 2013 He could do everyone a favour in using the feedback tracker like everyone else and take it that this is just an ALPHA where content still lacks until Beta/full. There is a VOTING Option in the Tracker aswell.. I am pretty sure people who understand this problem would vote up! And you think that's going to get it fixed? Unacceptable, yet you are still here.... He's right though. Share this post Link to post Share on other sites
Hammerballz 10 Posted April 25, 2013 And you think that's going to get it fixed?He's right though. I was not aware of that Topic.. I only threw in my few words. Still we all know that this Games lacks on Security. Though what I recently found out was, that if theres something voted up on the bug tracker, it get´s reviewed and possibly fixed. We did not have such tracker in ArmA 1/2... Share this post Link to post Share on other sites
SomeGuyWithARock 1 Posted April 25, 2013 Well said, Hammerballz. Red29 is just being immature in that he calls some of us whiners and morons. And since the hacker implied that he wouldn't stop until the issue was discussed just shows how insincere he is. We've discussed it, Bohemia has responded and is working on a fix, he still hasn't stopped. He's just showing off his hacking talent and isn't trying to improve the game. He doesn't care about the community. Share this post Link to post Share on other sites
rundll.exe 12 Posted April 25, 2013 Someting that would fix this "spreading" problem, and should be implemented by BIS (long time ago) is a proper reset of ALL game variables and configs after EACH mission start (SP, MP, load game, and also on the server) Prolly it would also fix the MP #restart bug. Seems at least something of this has made it into the DEV build, which should stop the spreading via persistent namespaces (which is in my view the worst security problem that we're facing now) Would be good if this is hotfixed into the stable build ASAP, since it will kill the current problem within a few hours. And it sounds stupid, but one day we will be thankful to this "hacker", since he realized probably that this is the only way to get BIS' priorities to this problem, because some code example in the feedback tracker would never get any votes, while nobody experienced it yet (the seeing-is-believing-syndrome). Of course he should have just put a hint box or smth, instead of spawning in the air, but that would not create this big stirr. And that points out the major flaw in the feedback tracker, since fixes that are not "Sexy" enough (who cares about a Uinamespace when you never heard about it?) will never make it to the top, and may be buried in the more popular issues. Share this post Link to post Share on other sites
Alo Keen 7 Posted April 25, 2013 He's right though. I respectfully disagree. What he achieved is to: a) Upset a lot of people and stop them from playing/testing b) Mess with BIS's schedule regarding fixing stuff. Regarding b): Instead of doing whatever they were doing, folks at BIS now have to mess with his attention-whoring exploiting... "look at me, I can fck with you and you have to do what I say or...." I mean, how immature and irresponsible does one have to be? I don't think this hole would have been left open, gotta give at least some credit to people writing all that code. There are such things as "plans", and in writing software they are made so that time and resources spent are used wisely. Fixing security holes at an early stage is not efficient, since new holes are bound to appear later in the development process. It's good to keep an eye out, so as not to go deeper along a certain avenue if you know it's gonna have to be rewritten/adapted. Hence the bug trackers, so that folks can acknowledge a security hole, analyze and schedule the plugging. "OMFG, they didn't fix it within a week" (month, two, however long someone other than people at BIS thinks is quick enough) is just... selfish. Share this post Link to post Share on other sites
Vincent Edwards 10 Posted April 25, 2013 And since the hacker implied that he wouldn't stop until the issue was discussed just shows how insincere he is. We've discussed it, Bohemia has responded and is working on a fix, he still hasn't stopped. You're dead right! Period. Share this post Link to post Share on other sites
Alo Keen 7 Posted April 25, 2013 Not like he can stop it now that the "virus" is everywhere... Share this post Link to post Share on other sites
SPJESTER 10 Posted April 25, 2013 Could we not take his code, Set the spawn to normal, and set the hint text to blank, and re spread it. Essentially fixing it while using the hack? Share this post Link to post Share on other sites
SomeGuyWithARock 1 Posted April 25, 2013 Doesn't the "virus" reside in memory and disappears when you restart the game and the servers are restarted? I think he is still actively injecting it onto servers, otherwise, in its current form, the hack would disappear after everyone restarted. Or is that not working anymore? Share this post Link to post Share on other sites
Hammerballz 10 Posted April 25, 2013 And it sounds stupid, but one day we will be thankful to this "hacker", since he realized probably that this is the only way to get BIS' priorities to this problem, because some code example in the feedback tracker would never get any votes, while nobody experienced it yet (the seeing-is-believing-syndrome). Of course he should have just put a hint box or smth, instead of spawning in the air, but that would not create this big stirr. And that points out the major flaw in the feedback tracker, since fixes that are not "Sexy" enough (who cares about a Uinamespace when you never heard about it?) will never make it to the top, and may be buried in the more popular issues. Yes, we´ll be thankful to this hacker since this security issue has been discussed by (other?) persons already over and over again. He was not the only one realized those issues. All he did was trying to force BIS implement Security Content first. But that´s a goal, every Server Administrator likes. Do we hack because we want it? - No! We play by BIS rules and report it to the Tracker. All in all... I have to totally agree with gamesturbator again. He got his attention, his goal that BIS will discuss it. So please dear Hacker: Stop it and use Forums plus Feedbacktracker like everyone does. Share this post Link to post Share on other sites
eddieck 10 Posted April 25, 2013 What he achieved is to:a) Upset a lot of people and stop them from playing/testing b) Mess with BIS's schedule regarding fixing stuff. I agree with the 1st. This has been a problem forever. Clients are trusted way too much. BIS knows about this (they're changing the MP architecture for DayZ SA). While this isn't the way I would go about bringing attention to this problem, I think he's achieved a lot: the problem is being discussed here! (And honestly, I can't see too many other ways to achieve that.) Some people will say "don't give him attention" - I say, it's not about giving _him_ attention, it's about giving the problem attention (because it is a problem). And I think his intentions are good, especially as his message is asking people to come on here and discuss the security problem. If he was just one of the typical script kiddies he'd be going on servers and bombing the whole map. Regarding b):Instead of doing whatever they were doing, folks at BIS now have to mess with his attention-whoring exploiting... "look at me, I can fck with you and you have to do what I say or...." I mean, how immature and irresponsible does one have to be? Good. Maybe there will be some renewed focus on security. (but let's be realistic, there won't) I don't think this hole would have been left open, gotta give at least some credit to people writing all that code. Which exploit are we talking about specifically? Because there are a ton. Using PV to replace functions (BIS_ or mission-specific functions)? It's been an issue forever. There are such things as "plans", and in writing software they are made so that time and resources spent are used wisely. Fixing security holes at an early stage is not efficient, since new holes are bound to appear later in the development process. It's good to keep an eye out, so as not to go deeper along a certain avenue if you know it's gonna have to be rewritten/adapted. Hence the bug trackers, so that folks can acknowledge a security hole, analyze and schedule the plugging. Sure, but these issues have been around literally forever, and there don't seem to be any actual improvements being made (besides the awesome BattlEye filters, which are still only a band-aid fix - but awesome work from BE and just shows that BE does all they can). It's nice that someone is bringing them out into the open. Of course DayZ SA gets the fixes. Share this post Link to post Share on other sites
Alo Keen 7 Posted April 25, 2013 BE- band-aid / issues forever I believe that BIS is not coding security related stuff into the game, but rather relying on 3rd party software in order to have security optional - code that is loose (security-wise) tends to run faster (or is easier to implement, translates to the same benefit essentialy) Since (I suppose) development of VBS and ARMA is closely connected, the basic software is left "open" so that it can run unhindered in trusted environments. For VBS it's all the implementations, since I don't see Cpt. Johnny of an army that paid thousands for the software cheating and scripting, and for Arma it's private community servers (or all the servers of the old days, when Arma players were.... different :) ). So, we're left with the MP aspect that must be policed, in a game that wasn't initially conceived as something that needs policing. Yes, the times change and so should we... But then we get back to the topic of Arma's architecture, which makes it what it is etc. Share this post Link to post Share on other sites
eddieck 10 Posted April 25, 2013 Since (I suppose) development of VBS and ARMA is closely connected, the basic software is left "open" so that it can run unhindered in trusted environments. No functionality would be lost by moving to a more secure architecture (as DayZ SA is doing). It's purely a question of "are they going to do it" at this point. Share this post Link to post Share on other sites
Radioman 6 Posted April 25, 2013 Doing a winmerge of the dev build's functions_f.pbo contents, with the non-dev's one, shows not a lot of difference. Looks like they ADDED functionality to the exploit, not remove some. They implemented a function recompile to execute at mission start, but that's been ineffective for at least a day already. Playing on the dev servers, they were infected just hours after this new dev build went live... Share this post Link to post Share on other sites
Alo Keen 7 Posted April 25, 2013 Pfff... dunno how easy it is to do it mid-life of a project. Anyways, I'm off to bed, nice chatting to someone who can carry a civilized discussion, rare thing on the net... Cheers! Share this post Link to post Share on other sites
eddieck 10 Posted April 25, 2013 Pfff... dunno how easy it is to do it mid-life of a project. Anyways, I'm off to bed, nice chatting to someone who can carry a civilized discussion, rare thing on the net... Cheers! Hehe :) Night. The best thing for them to do is maintain backwards compatibility with SQF and implement this in a new (Java or something) API, like I've mentioned before. But yeah, who knows if they'll do it (already have my guess). Share this post Link to post Share on other sites
Radioman 6 Posted April 25, 2013 Hehe :) Night.The best thing for them to do is maintain backwards compatibility with SQF and implement this in a new (Java or something) API, like I've mentioned before. But yeah, who knows if they'll do it (already have my guess). Problem with Java is, is that it's an even WORSE security flaw..... The hacker could make a botnet out of all Arma clients and DDOS BIS websites or something crazy. A whole new can of radioactive worms with frickin laser beams on their heads. Share this post Link to post Share on other sites