So auto-downloading is by design about more than maps / models / and any other eye candy?
the people who coded it are actually aware that this qvm/scripting-stuff can be downloaded and executed?
has it been confirmed that the developers have actually been informed of the exploits? ioquake3 devs?
btw, this poll is useless as the people who are voting are not fully informed and they might even think that the only way it can be abused is for downloading porn, i read this thread and i still don't feel like i'm qualified to even vote on this, i don't know which opinions are those of experts or trash, there are conflicting opinions. there might be a huge history on patched security problems for this game i don't know about because people are still afraid of talking about it. do things get properly fixed? buried in a changelog or not even included in a change log? does the ioquake3 project get the relevant patches/reports?
On the subject of buffer overflows: there will always be buffer overflows everywhere, the network protocol can be buffer overflowed, on a game with millions of players and autodownloading enabled by default i don't believe there has been a single case of people buffer overflowing through the maps / eye candy. People can buffer overflow you through the forums, with external images, links, flash, internet explorer.
I expect to see a future full of much simpler exploits than buffer overflows, like clients downloading a config with the rcon password, servers downloading files from clients, mods containing back doors, a guid system that never really gets fixed, never ending confusion about mods/qvm/dlls/scripts/security, anti cheat methods backfiring.
On the subject of abusing the download system to ddos people: if the game clients send the game servers IP in the referer variable to the web server, a simple php script or .htaccess file can prevent other servers from using their fast download service.
Multiple security risks? how many? how do we even know which we're talking about? is someone assuming that everyone else knows about an exploit that only that person knows about?
- All executable code off, but with the option to turn it on (QVMs, etc) with a very stern warning of why it's a bad idea
- An in-game "Do you want to do this" kind of option which can ask if you really want to trust that QVM you just downloaded
What is the history of autodownloadable QVMs doing good things? aren't the server side only mods capable enough?
I think popping up a question for this is a bad idea, no matter how stern you are the end user is not qualified to make the decision like this, the end user will either be left confused and uncomfortable or carelessly vulnerable. I see this as a bad way of transferring responsibility.
Poll