Arma scripting changes to prevent insane hacks? Any chance?

[CervidaeKosmonaut 10]

Hi there,

I've been reading some threads about BattleEye and hacking and whatnot and the biggest problem is usually brought up by people, but then it's just ignored, hence me making this thread.

The thing that makes Arma so insecure is the fact that a large part of the scripting/engine trusts the user. If there's anything that you learn in programming it's to never trust the user. I believe it would be great if Arma 3 had a clear client and server state, where the client state has functions and event handlers just for the game client running on the server, and the server state handles all the big stuff like damage and permission handling.

Letting scripts network for the engine, rather than having the engine decide what goes where would take a load of it as well, allowing people to send a message to the client for example to trigger some client side function that handles the rest.

If you need a more clear example of what I'm talking about have a look at this other game called "Garry's Mod", it's a HL2 modification that has Lua as a scripting language for servers. When you join a server it can be a completely different experience to any other server. This game is made by 1 guy and he managed to make a relatively hacker-safe game by having clear client/server states. The only problem with hacking in that game is client-side hacking (wallhacks/aimbots etc.) and because of the large set of functions that the creator provides for use with Lua scripting there's people making their own anti-cheats for their servers, catching and banning players themselves.

I guess I'm just hoping that by posting this BI will think "well that's it, let's do this". But I'm probably just gonna get either no response or be tracked down and killed by some other community members.

I hope you all see that I really want to see Arma 3 become something big. Having a safe script system will attract more modders to use Arma 3 and will mean profit for BI (look at DayZ which chose Arma 2 even though it had the same insecurities)

So is there any chance of something like this happening? Or will I have to go back and make mods for other games?

[nimrod123 11]

thats fine until you have 128 man missions and a couple of hundred AI plus all the waypoints and triggers, because at that point you either have a massive server, or your server fails since most of the server side stuff process at server FPS (like AI). they have to chose between the massive coop/PVP options or reduce the scale.

the second that scale goes and it basically become RO2 with a bit more sand box they will lose a-lot of the original player base (probally to something like VBS2 or simply back to a depopulated ARMA2).

this game was built on playing with people you trust in a very non pub atmosphere, the growth of pubs is what F'ed it, not the insercurites in the engine that let it be what it is

you also clearly don't know the history of dayz

[CervidaeKosmonaut 10]

thats fine until you have 128 man missions and a couple of hundred AI plus all the waypoints and triggers, because at that point you either have a massive server, or your server fails since most of the server side stuff process at server FPS (like AI). they have to chose between the massive coop/PVP options or reduce the scale.

the second that scale goes and it basically become RO2 with a bit more sand box they will lose a-lot of the original player base (probally to something like VBS2 or simply back to a depopulated ARMA2).

this game was built on playing with people you trust in a very non pub atmosphere, the growth of pubs is what F'ed it, not the insercurites in the engine that let it be what it is

I guess if you put it in that way then there's no use for what I suggested. I'll just go off then and make shit for a game which is actually secure as I don't want to waste any time and money on something that will get ruined by hackers so easily.

you also clearly don't know the history of dayz

I don't and I don't really care for it, I just meant to say that BI made a lot of money off people buying their game for a third party mod.

[chortles 263]

To the OP:

The hacking hasn't been reported to be nearly as rampant ever since BI made some changes, i.e. removing certain commands... albeit for some time it broke several scripts and missions that relied on those commands.

As far as what the official BI stance is:

We pride ourselves on the open platform that Arma games are built on. Unfortunately this extremely flexible platform can both be used for creative modding and malicious purposes like MP griefing. Most solutions for improved security mean taking away freedom and putting restrictions in place (there are obviously many real world comparisons to draw here). For a very practical example of this you can see the response to deliberately removing three scripting commands: improved security, but broken community content.

I do not believe for a moment we can have both freedom and fully secure MP without serious restrictions. The only seemingly valid method would be an approach taken by the DayZ project via its MMO architecture. Keep in mind this concept does not gel with Arma 3 as it was designed - it means all client actions are validated on a server, and this makes client-side modding and scripting much more difficult. Acceptable for DayZ, not for Arma 3. We will however do our best to improve security, reduce vulnerabilities and walk the fine line between freedom and security based on your feedback.

It should be noted/added that initially the DayZ standalone won't even have mod support.

As far as the changes made that I'm aware of, a compileFinal command was added, while setVehicleInit, clearVehicleInit and processInitCommands were removed.

Haven't heard of any dev stance on further changes beyond this, although it was acknowledged that BE just wasn't even being used in the alpha, but this quoted statement above (boldfacing mine) from the Arma 3 project lead is the most recent I'm aware of to any official response re: the scripting aspect.

Edited June 3, 2013 by Chortles

[nimrod123 11]

I guess if you put it in that way then there's no use for what I suggested. I'll just go off then and make shit for a game which is actually secure as I don't want to waste any time and money on something that will get ruined by hackers so easily.

I don't and I don't really care for it, I just meant to say that BI made a lot of money off people buying their game for a third party mod.

you mean something so sercure, that your methods (which i will point out are basicly hacking), are blocked.

thats the problem, either you allow alot of unsupervised user content in a MP context and risk people abusing that, or you make it sercure and don't let people change stuff

[chortles 263]

you mean something so sercure, that your methods (which i will point out are basicly hacking), are blocked.

thats the problem, either you allow alot of unsupervised user content in a MP context and risk people abusing that, or you make it sercure and don't let people change stuff

I'd disagree that it's a zero-sum thing as you seem to make it out to be, BI has already moved to "supervise"/restrict it somewhat, even if it was mainly to block after the simplest exploits.

[eddieck 10]

That official "explanation" from the sitrep is complete BS. It doesn't make anything impossible or even harder.

I posted about this before.

[nimrod123 11]

I'd disagree that it's a zero-sum thing as you seem to make it out to be, BI has already moved to "supervise"/restrict it somewhat, even if it was mainly to block after the simplest exploits.

for a multiplayer game? with MP mods? its normally a zero sum game, espically many player (so FPS) mp

That official "explanation" from the sitrep is complete BS. It doesn't make anything impossible or even harder.

I posted about this before.

your suggestion plays absoulte hell with stuff like the headless client.

and if you make a exception for that client you leave a massive loophole.

Edited June 3, 2013 by nimrod123

[eddieck 10]

your suggestion plays absoulte hell with stuff like the headless client.

and if you make a exception for that client you leave a massive loophole.

Well, the real solution isn't headless clients, but actual multithreading for AI. (I've talked about this before, they don't need to do any real rework of the AI engine; all they need to do is distribute AI groups across multiple threads, much in the same way missions distribute them across HC instances now.)

Also there is no reason object ownership of AI _has_ to be server-side even with those suggestions, i.e. headless client (or even distributing AI across your normal clients - which I wouldn't do because it increases client system requirements, but it has been done) should still work.

[chortles 263]

Well, the real solution isn't headless clients, but actual multithreading for AI. (I've talked about this before, they don't need to do any real rework of the AI engine; all they need to do is distribute AI groups across multiple threads, much in the same way missions distribute them across HC instances now.)

At this point, if they haven't achieved "actual multithreading for AI" then I'm not sure if they even know how to do any of what you described here...

[nimrod123 11]

Well, the real solution isn't headless clients, but actual multithreading for AI. (I've talked about this before, they don't need to do any real rework of the AI engine; all they need to do is distribute AI groups across multiple threads, much in the same way missions distribute them across HC instances now.)

Also there is no reason object ownership of AI _has_ to be server-side even with those suggestions, i.e. headless client (or even distributing AI across your normal clients - which I wouldn't do because it increases client system requirements, but it has been done) should still work.

the whole point of headless client is to remove server load completely from the server, so the server can worry about what everything but AI, and the AI has a dedicated system, multithreading dosn't do that, as the load is still on the server and depending on quality you will bottle neck it no matter what

multi threading may improve the single player experince and make servers with significant dormant resources work better, but not the majority of the mid range stuff

[eddieck 10]

At this point, if they haven't achieved "actual multithreading for AI" then I'm not sure if they even know how to do any of what you described here...

The concept is pretty simple:

• provide a server option for # of AI threads
  
• when an _AI group_ is created (group being defined as the in-game groups, obviously - i.e. F2/F3/...), check how many AI units are assigned to each thread and assign the group to the thread with the lowest number.
  

HC is still useful for distributing across multiple machines and shouldn't be removed, but for the vast majority of current uses of HC, this is sufficient.

the whole point of headless client is to remove server load completely from the server, so the server can worry about what everything but AI, and the AI has a dedicated system, multithreading dosn't do that, as the load is still on the server and depending on quality you will bottle neck it no matter what

Pretty much everyone runs their HCs on the same box.

[Colonel-ONeill 11]

is there any chance to build an option into the game when you click on a box and you enter a fully secure game-mod?

(where may some of the acceptable futures will be sacrificed for the sake of the stronger security)

just recently happens to me during game play,

- suddenly re spawning with all players into same place and get killed instantly,

- receiving red messages in German servers saying (in German)your anti-hack is not working

- spawning into water or air, instant death to all players for no reason

I am just asking as a customer and a ARMA 3 fun :-)

I wish if i could be the part of the team and working on Arma 4 but i am mechanical engineer :-( so don't ask me to make it happen and learn to program:-) unless u tell me how lol

All the Best I am going to have a nap

[Masharra 10]

is there any chance to build an option into the game when you click on a box and you enter a fully secure game-mod?

(where may some of the acceptable futures will be sacrificed for the sake of the stronger security)

just recently happens to me during game play,

- suddenly re spawning with all players into same place and get killed instantly,

- receiving red messages in German servers saying (in German)your anti-hack is not working

- spawning into water or air, instant death to all players for no reason

I am just asking as a customer and a ARMA 3 fun :-)

I wish if i could be the part of the team and working on Arma 4 but i am mechanical engineer :-( so don't ask me to make it happen and learn to program:-) unless u tell me how lol

All the Best I am going to have a nap

I think that secure mode is called "single player".

Note the mode that you were probably playing probably wouldnt exist under said mode either.

[Bobylein 1]

The OP is right, I modded a lot for Garrys Mod, as we came to Arma and saw that MESS called scripts I was like: Fuck this shit, I will not mod for this game before they are using a proper client-server structure.

After some time I started to play a bit with scripts and discovered how easy it is to kill or teleport other people you can even spawn vehicles and set your fucking health!

This is just plain stupid and as I and my friends heard that the DayZ standalone will use a proper system we really hoped they will add this system to Arma 3 as well, right now we are really disappointed and disturbed by the stupid hackers in Arma 3...

in Arma 2 you saw an army of cows with parachutes and everyone had a good laugh but in Arma 3 you only see all people dying, one time I tested a script which showed me all people on the map and as I watched the game I saw how 3 other peoples on the same server just teleported around and that's something very obvious on other servers I saw people who just did not die while getting shot by a whole squad, people with handheld full automatic grenadelaunchers and people killing someone without even aiming or shooting and that's just the things I saw.

You could still load vehicle and ai processing on the clients, it would not be 100% secure but much much more!

I understand that this game was never meant to be a pvp public game but it was made as a coop game which you play with good friends, a clan or in other trusty community environment.

Yet I think the game would benefit from a clear client-server system and it would not be "much more difficult" only different, for me it was much more difficult to understand that arma scripting and I still do not get it entirely.

Edit:

And we would get rid of all that old scripts... you know you want to!

Edited July 18, 2013 by Bobylein

[Smurf 12]

A3 was running without an anti-cheat until this week.

DayZ MMO like arquiteture won't come to A3.

[Bobylein 1]

Yea I already realized that it won't come to A3 and it's a shame.

We will see how much BE will help, at least the hackers now can't easily get a new key if banned.

[chortles 263]

The Arma 3 project lead explained that the DayZ-style/MMO-style architecture won't be in Arma 3 specifically because of how much it locks down -- "acceptable for DayZ, not for Arma 3".

[Bobylein 1]

The Arma 3 project lead explained that the DayZ-style/MMO-style architecture won't be in Arma 3 specifically because of how much it locks down -- "acceptable for DayZ, not for Arma 3".

From my point of view this is Bullshit, of course it would be much work for BI but it would not lock it down as everyone says, at least I have no idea why it should.

See Garrys Mod, it's easier to mod and you can do there much more than in arma.