Use verifySignatures now!

[Doolittle 0]

BIS was kind enough to make their game very open and modifiable. A lot of people have taken up this opportunity and made a lot of creative models and maps. A small group of people, lacking self-control, have decided to ruin it for the rest of us. So I wanted to warn all dedicated server operators to please please run your server with verifySignatures turned on.

Without it turned on, someone could log onto your server, play a little like a normal person, and then leave... and then say a few minutes later the whole map could explode and everyone get locked out of their game. I won't say how this is done, but having worked for a little while now on trying to make an anti-cheat my eyes have been opened to how much a client can change the game and change it for others playing as well.

So, the only way I know how to stop them is to prevent them from logging on in the first place. Even my method earlier in my anti-cheat where we let them log on and then see they are a cheater and lock up their keyboard... what if they have a script that can run without their assistance? Locking them up would do nothing. Right now the only really annoying cheats they have are those that are using BIS's game system: they're PBOs and they run the same kind of script commands we run when making maps. Don't let them load their game with these PBOs running. Have your server check the PBOs they have loaded and only allow signed PBOs on that have KEYS that match the key collection your server has. Thank you!

Doolittle

P.S. If you have verifySignatures on, you don't need to set checkFiles[] = {}.

EDIT: raedor mentioned keys here and crawler75 suggests using regularCheck = "{}" and onDifferentData = "{}" to avoid disconnects

[Anunnaki 0]

BIS was kind enough to make their game very open and modifiable. A lot of people have taken up this opportunity and made a lot of creative models and maps. A small group of people, lacking self-control, have decided to ruin it for the rest of us. So I wanted to warn all dedicated server operators to please please run your server with verifySignatures turned on.

Without it turned on, someone could log onto your server, play a little like a normal person, and then leave... and then say a few minutes later the whole map could explode and everyone get locked out of their game. I won't say how this is done, but having worked for a little while now on trying to make an anti-cheat my eyes have been opened to how much a client can change the game and change it for others playing as well.

So, the only way I know how to stop them is to prevent them from logging on in the first place. Even my method earlier in my anti-cheat where we let them log on and then see they are a cheater and lock up their keyboard... what if they have a script that can run without their assistance? Locking them up would do nothing. Right now the only really annoying cheats they have are those that are using BIS's game system: they're PBOs and they run the same kind of script commands we run when making maps. Don't let them load their game with these PBOs running. Have your server check the PBOs they have loaded and only allow signed PBOs on that have KEYS that match the key collection your server has. Thank you!

Doolittle

P.S. If you have verifySignatures on, you don't need to set checkFiles[] = {}.

You have right, but Signatures was not working all time. They works now only on latest BETA server v1.08.5169. On standard v1.08.5163 (from official patch 1.08) was most players kicked for "signature verify timeout". 90% new connecting players was kicked, sometimes they was connecting 10-15 times to server to pass signature. And that all was making big desync. So signature checking was not possible on servers with many people. But now, its look working, but only on latest betaserver v1.08.5163.

[Guest]

I fully agree, but in order to be able to keep using some really nice addons the makers should start using the keys when they update their addons right?

I know we could sign the addons ourselves but IMHO that wouldnt make sense since each server will have the same addon signed differently.

Or am I talking $#^&^$& now?

[Anunnaki 0]

I fully agree, but in order to be able to keep using some really nice addons the makers should start using the keys when they update their addons right?

I know we could sign the addons ourselves but IMHO that wouldnt make sense since each server will have the same addon signed differently.

Or am I talking $#^&^$& now?

You right, something like "addon hash check" would be probally better, server simply chceck own addons folder and make for every pbo file detailed hash, that same make client too beffore he connect to the arma server. So they only hash can be compared. Of course, it is need to test that thru the game on clients in memmory too, but hash can prevent people to connect when they have wrong od errored addon to the server.

[PositiveG 0]

I just passworded my servers.  Problem solved, normal adults and most importantly KNOWN users are able to access it.

[ANG3L 0]

I fully agree, but in order to be able to keep using some really nice addons the makers should start using the keys when they update their addons right?

I know we could sign the addons ourselves but IMHO that wouldnt make sense since each server will have the same addon signed differently.

Or am I talking $#^&^$& now?

No your not talking bollocks m8t, I fully agree with this 100%

Only way to have some decent security on the server's and still allow certified addons.

Sick and tired of the server being crashed by inconsistent addons.

edit and Gits

[.kju 3245]

Quote[/b] ]the makers should start using the keys when they update their addons right

You might wanna ask em nicely to do so.

I guess many don't even know about it and how its done.

[cross 1]

Add

Regularcheck="{}"

to your config in order to eliminate the "session lost" issue due to time outs. We are running the sig verification and this eliminated the problem.

Also add;

ondifferentdata="{}"

If you are having disconnections from server. This is advised by Suma and solves disconection issue resulting from inconsistency between player and server due to QG.

Signature check works fine and keeps your server clean. If the addons you want are not signed, you can sign them yourself and post at your website so that people can dl and use at your server.

[Guest]

Quote[/b] ]the makers should start using the keys when they update their addons right

You might wanna ask em nicely to do so.  

I guess many don't even know about it and how its done.  

Well, I dont want to spam each addon topic with a request as such.

I guess you are right though, many may not know about it and if they do they do not know how to use it.

But my question wasnt meant to sound like "they must do it or else......". It was purely meant to get a confirmation on my thoughts

Anyway, I think in the future when bigger mod/addon projects are released we will see an increase of signed addons anyway.

The bigger projects have more people working on things (not always offcourse, but generally speaking) so its easier to "know more"

[edit]

made a sentence more readable

[Hyrax0740 0]

Signatures are a good thing but cant find the Signatures for any of the addons, and sound packs:(

[ANG3L 0]

This is the trouble, no one has created a signed key for there addons, if these keys where available I'd put them on the server.

Chammy's sound mod, FDF sound, BPA real sound, Madmatts arma effects, Modern warfare sound, eu.sixsence tracers, etc.

Its no good server admins doing this, we need universal keys by the mod makers them selfs.

[celery 8]

It's frustrating to see some servers being "protected" by a signature check. It denies access from players like is me with my editor addons and non-QG official files. And goodness forbid when I have Queen's Gambit and there are vanilla servers with signature checking.

[ANG3L 0]

Add

Regularcheck="{}"

to your config in order to eliminate the "session lost" issue due to time outs. We are running the sig verification and this eliminated the problem.

Also add;

ondifferentdata="{}"

If you are having disconnections from server. This is advised by Suma and solves disconection issue resulting from inconsistency between player and server due to QG.

Signature check works fine and keeps your server clean. If the addons you want are not signed, you can sign them yourself and post at your website so that people can dl and use at your server.

Queens Gambit user's should be fine if the server admins do this, this is how signature checking is set up on ours at the moment.

Signature checking is the last resort along with Doolittle's hack scanner to try to keep a clean secure stable server. I don't want to have to stop people using mentioned addons above but when the servers being caused to crash every 2 hours they is no other choice.

[raedor 8]

You can get the public keys of some mods here and with some luck this is going to become the main key database.

[Mehmehmeh 0]

Only 5 days more and Victor will have all hacks removed.....

Remember remember 5th of November......

All problems will be gone.....

[Yoma 0]

Hmm looks like i'll have to continue my yoma addon synchroniser work so server admins can easily deploy mods with signed keys, allowing people to sync their addons.

It's in the freezer for now. Link to topic here

Download and try it

If any server admins are interested, gimme a pm.

[ANG3L 0]

Sign your addons.

http://community.bistudio.com/wiki/ArmA:_Addon_Signatures

[whisper 0]

Bump (because I think it's important to remind to server admins)

And btw my "pingZero 2" is now a signed server. Still needs parameters tweaking, but mah.... I do my best.

Dual Xeon 2.5GHz, 4G RAM, 1000Mb/s connection ar your service.

Current accepted addon is the sprintfix.

Berzerk and few others PvP maps there (I still need to install MCY and others CTF packs, didn't found them yet).