Hacking and anti hacking strategies

[Obidose]

I am sure I am not the only one to notice how common hacks are becoming in trem now. People don't even bother hiding it a lot of the time and can sometimes feel proud to be doing it.

As tremulous is open source I suppose it is pretty easy to make hacks for. Also it would be pretty hard to program and implement a system like punkbuster. The only thing that can really work consistently is having admins on servers.

So how about having a system where by people have to register an account. Once they have registered they become a trial member. As a trial member the will only be able to play on a select few servers which are heavily watched by admin. After they have logged a certain number of hours/referals from admin or something they can then become a full member and get access to all the servers around. Hopefully that would filter out most of the hackers, and also require only minimal admin on the normal servers. People would be afraid of being reverted back to trial account if they were caught hacking. A step further and better would be some kind of reporting system in the normal servers which could be accessed by an ingame menu, members who were reported too much would be investigated or maybe just demoted instantly. Other tiers could also be introduced rather than just trial and normal.

I don't know how hard to make work this would be. The way I see it, as long as there could be a central account server with details on it, and everyone had to log in to play it would be achievable.



I know this has no chance of actually happening. I am really only posting this as I have been so frustrated with cheaters recently, and my mind starts thinking of crazy schemes like this. I liked this idea and so thought I would write it down. Also by posting it on the forum it will at least spark a little more discussion. Who knows, one day we might have a hack free tremulous.

[Rocinante]

I don't know how hard to make work this would be. The way I see it, as long as there could be a central account server with details on it, and everyone had to log in to play it would be achievable.

That there's yer problem </auto-mechanic-voice>

I'm pretty sure ideas like this, or other centralized methods, have been discussed here before and they all suffer the same problem - the central authority.  Either people that you wouldn't necessarily trust to admin your own servers would be having their say as to who can and cannot play there, or it would be a small group of people who wouldn't likely be able to keep up with the playerbase.  Who chooses those people?  What happens if someone slips up or decides they've had enough and lets everyone in (or bans everyone from playing)?

The closest to a workable idea like this that I've seen is one which is an optional hook in the server.  In this way, let's say you run 5 Tremulous servers yourself.  You could have all five of them contact your own authentication/authority/whatever, thereby sharing that trust between those servers.  Perhaps a friend of yours sets up a server, and they want to trust whomever you do, they could also tie into your system.  More advanced ideas implement the web-of-trust model where you may trust one authority more than another, and therefore take their reply with more weight than that of other places.  But then you run into other issues, such as what happens when the centralized system is down.

The best way to keep cheaters/abusers/etc out of the game is to have good administrators.  I realize that might not be a consolation in your particular case, but a centralized system for determining who is good and who is evil has a lot of flaws (I've only named a few, I'm sure a couple others will join in shortly with more - kevlarman for example has said numerous times why something like this wouldn't work).  But if you're the type to be handy with a compiler, don't let the above verbiage stop you from trying to make it happen :>

Edit: Thinking about it, this might better be served in the Feedback section too.

[ODDity]

Interesting.

I think limiting a new users' experience of Tremulous by way of a kind of probation period would only serve to reduce player numbers overall. People like to get stuck in and play, wherever and whenever they want.

I suppose you've just got to find good servers with Admins who give a shit about what happens there.

Having an account based system in order to play on certain servers would, perhaps, be a feature that could be implemented. It would of course require the server owner(s) to register with the system and some kind of reporting mechanism put in place to ban users that infringe the rules.

There is nothing to stop new servers being put up and i suppose that is one of the good things about Trem. Having no regulation perhaps increases the userbase, but then you've got to deal with the few bad apples that pop up from time to time.

Above all, it should stay as open as possible and i think the majority of people respect fair play. Those that dont, well, mores the pity really.

Its a game. If one finds value in cheating instead of being skilful i think its a real shame and just demonstrates the kind of personal character those people have.

[daenyth]

The idea as stated has been proposed and refuted more times than I can recall.

The web of trust idea, however, while looking better at first, is also flawed. The problem is how to tell who is who between servers -- short of a registry process, there is no way that will work in all cases. And a decentralized registry system would be shitty as hell. A player would either have to register for _every_ server that they play on, or we'd have to again turn to a centralized service, which, as we've stated, won't work either. You can't use GUID to track users across servers, because having a unique GUID for every server is needed to avoid impersonation. (Quick version: Player Foo, who is admin on server Bar, joins server Baz. Baz's admin is a bad person and copies Foo's GUID, then uses it connect as an admin to server Bar.)


TL;DR version: This shit doesn't work. Play on servers with admins.

[temple]

The problem is creating identities.  Tremulous is a free game so anyone can download a copy and play.  That means that a player has no solid identity to associate them with.  If you try to use IP addresses, they can change those.  If you try to use GUID, they can change them too.  In most games, your identity is linked to your copy of a game.  What prevents people from abusing servers is basically the player's ability to buy new copies.  But with Tremulous, there is no 'token' or way to award identities and therefore tracking methods to each player. 

[Eeeew Spiders]

The only thing that can really work consistently is having admins on servers.

I agree!
And i think its good enough. There are enough servers with a descend admin coverage.
I think others people hacks are only a problem if the only joy you have is in winning games.

Though there are open source free games where a centralized authentication system works pretty well (not perfect, but limiting the annoyance to an acceptable limit), tremulous is a place where they think everything works different here. But as long as there are servers with good administration and a pleasant, consistent and continues player base, I have no problem with it, since the annoyance on those servers is far within acceptable limits.

[blood2.0]

better would be some kind of reporting system

agree

[Kaleo]

Individual servers could implement an accounts system, I guess. You're GUID gets registered at their website, and you can only enter with that GUID.

Might be a bit bugged though.

[temple]

Individual servers could implement an accounts system, I guess. You're GUID gets registered at their website, and you can only enter with that GUID.

Might be a bit bugged though.

So, how do you stop someone from registering another account to circumvent a ban?

[techhead]

So, how do you stop someone from registering another account on the forums to circumvent a forum ban?

Ask yourself this question also.
There is no good way of getting around this problem.

Some possible ideas. (and a couple problems of each)
A. White-lists (Subjective, cumbersome)
B. IP address tracking (Dynamic IPs, proxies)
C. Re-ban offending users (Cumbersome, wasted resources)
D. MAC-address tracking (Easy to spoof)
E. Passworded servers (Password distribution, also see A.)
F. Player-run moderation (Subjective, mob-mentality)

[sticks]

Implementing something like punkbuster can become a real pain in the ass, since there are always updates and its not always accurate. As of right now the best we can do is have the active admins. While not the most efficient system it is the easiest.

[blood2.0]

my solutions
1) have a site that admins post IPs GUID and name of potential hackers. On that site there is a page that has the hackers names GUID and ip assembled so you can paste them into your serverconfig and they will be banned from your server.  unless a video was included that proved the player an aimbot it would take 2 or 3 people posting for it to be included in the part you copy and paste. although hackers can change there ip and stuff it would be a big pain after a wile and they would soon stop hacking or quit tremulous.

another idea is to make it so there are hidden aliens in walls that show up on radar so aimboters will start shooting at walls

[kevlarman]

my solutions
1) have a site that admins post IPs GUID and name of potential hackers. On that site there is a page that has the hackers names GUID and ip assembled so you can paste them into your serverconfig and they will be banned from your server.  unless a video was included that proved the player an aimbot it would take 2 or 3 people posting for it to be included in the part you copy and paste. although hackers can change there ip and stuff it would be a big pain after a wile and they would soon stop hacking or quit tremulous.

another idea is to make it so there are hidden aliens in walls that show up on radar so aimboters will start shooting at walls

the first idea won't work because 1) it's easy for a few people to get someone they don't like blacklisted (or even if they have nothing against that person, there are quite a few players that would get reported by a lot of people even without cheating if they are under an alias) and 2) it's a much bigger pain to ban them than it is for them to get a new guid and ip (fortunately the only REALLY big idiot i've met so far didn't have any other players in the pool of ips he had access to, so banning the whole /13 was an option). the second won't work because anything that would keep fake players from being rendered could be used by aimbots to ignore those fake players.

[blood2.0]

how about if more people back up the person saying that they dont hack then the people who proposed the hack get banned for 5 days 

[mooseberry]

how about if more people back up the person saying that they dont hack then the people who proposed the hack get banned for 5 days 

IT WONT WORK GET OVER IT AND LEARN SOMETHING FOR ONCE.

Hi, did you read what was posted above you and think intelligently about?

If someone were hacking and got reported by an honest player, than his friends could team together and say it was not true and the honest person would get banned. IT DOES NOT WORK.

Anyone could ban innocent people or hack without getting caught.

[Lava Croft]

Best anti-hacking strategy is also the oldest and most simple:

Play on good servers, with friends.

Evade crap servers, and lamers.

Problem solved.

[Lakitu7]

And in addition to what Lava said, there's also an element of "who gives a damn?"

The bots that are wildly better than humans are very easy to catch and ban.

The bots that are "smarter" and appear mostly human are only performing at the level of a decent human, so... who cares? If you're any good, you can still whoop them because the players using them generally can't dodge for crap. It's not worth developing elaborate schemes and spending tons of times speccing people who aren't actually that good, even with their bots.

[froofroo123]

I think server admins are doing fine the way it is now. Just last night I was banned from one server for deconning floor trappers, and another for aimbotting with a grenade. So its really unnecessary to implement any new anti-hack features.

[Rocinante]

Ahh, but your problem is related to a completely different issue, namely that of "stupid admins."  Unfortunately there's no known software patch that can fix a problem that exists between the keyboard and chair.

[Amtie]

Maybe, using the MySQL database idea Paradox posted in this forum, linking up all players to master server? Or something such as having players register on a website activating their account or something similar. If their account is not activated, then no play for them. This would eliminate unnamedplayer-ism as well as asshole-ism (mostly). Aimbotters on the other hand, if caught, could be warned > banned from trem (if sufficient evidence warrants such actions).

[sticks]

i think it just comes down to a, "why bother". all games have botters all games have hackers; the admins are there to hopefully take care of that but short of screening every player to get the game you wont be able to fix the problem.

[Paradox]

Need i say more?

[Rocinante]

For those who don't know the name of the game, maybe you do :>

[Paradox]

Its in the url.

[ChaosSquirrel]

So how about having a system where by people have to register an account. Once they have registered they become a trial member. As a trial member the will only be able to play on a select few servers which are heavily watched by admin. After they have logged a certain number of hours/referals from admin or something they can then become a full member and get access to all the servers around. Hopefully that would filter out most of the hackers, and also require only minimal admin on the normal servers. People would be afraid of being reverted back to trial account if they were caught hacking. A step further and better would be some kind of reporting system in the normal servers which could be accessed by an ingame menu, members who were reported too much would be investigated or maybe just demoted instantly. Other tiers could also be introduced rather than just trial and normal.

This would not work. No one wants to have to play the game 10 hours just so they can get away from the rest of the pack. Also, it would be a major pain if you lose your GUID. Having admins can't save a game. The community is what matters. If you find a hacker, start a thread!

[Paradox]

If I find a useless thread, I lock it!

[doomagent13]

Rather than start a thread, just notify the admins in-game.  If you cant identify the admins, try the "/a" command.

[ChaosSquirrel]

I think server admins are doing fine the way it is now. Just last night I was banned from one server for deconning floor trappers, and another for aimbotting with a grenade. So its really unnecessary to implement any new anti-hack features.

Even the best players mess up in the sight of... adminies. Don't fret. Those aren't your fault. (except maybe the nade one... but that is a question of if.)

[jit]

One suggestion but i don't know if it's possible. That is a program or something that is programmed into the server qvm. It would track where players hit someone on the hitbox location. If the person consistently hits on the same spot on that hitbox maybe like 5-10 times for aliens and 15-25 times for humans, then that player would get automatically kicked. For example, if human A shoots the goon in the same spot everytime like on the exact center of the hitbox, the player would be kicked or, a message would pop up for any admins on that server to spec that player. I'm not sure if tremulous has the ability to track where a person hits on the hitbox because all i know that maps have certain locations and i don't think hitboxes have locations. They probably do have but ya, i don't know. This would have to be a trial and error kind of application because it could end up kicking many skilled players.

[Amanieu]

I promise you that 2 days after that's released aimbots will be upgraded to lock on a random point in the hitbox.