Posts posted by bknht

  1. "Any client had a full list of online players. A compromised client could teleport to each one and kill them rapidly."
    I read this as "could teleport each one and kill them rapidly", so my bad. I did not go back and verify the exact phrasing again as you were already dismissive of any and all input, criticism and pleas with a "what we say goes" attitude in regards to mods. Yes, what you say goes, but at least take into consideration the people who supported your game for 10 years and kept it fresh with new things for the playerbase to enjoy while the core game matured.

     

    Oh, the question above: it broke every single mod out there needing a fully qualified list of people. Examples are everywhere around the mod scene, small and large. I have a mod that allows vehicle claiming with permissions management. When somebody wants another to be able to enter they get a context menu to add them. Another mod is an economy mod allowing people to wire each other money via ATM and here I need an instance because I need to get first and last name instead of usernames, as it is in an RP environment. Also wiring money to somebody 10 tiles away is not really sensible. It is an "across the map" feature.

  2. Then why are player coordinates of the others even relevant if they are teleported to the attacker regardless? The premise to break this core function was "use a list of usernames to teleport players to attacker and kill them" which can still be done with or without this function being useless now. If this is such a huge risk maybe putting it behind some anti cheat setting is a good idea then, so server owners can decide on their own, like with the other twenty something codes where nobody really knows what they do. Want a player list to be available? Enable anti cheat xyz, done.

  3. Can you please confirm what you will be looking into so modders can prepare for this?

     

    8 hours ago, EnigmaGrey said:

    Per my last comment:

     

    “I don’t see how this can affect anything other than radios in the vanilla game and from testing that seems unrelated to this change. It should have been broken for the last 2 or 3 weeks.”

     

    We’re looking into it.

     

    If you're leaving the getOnlinePlayers useless then I'll prepare getting the username list from the ISScoreboard instance instead, like a hypothetical hacker would.

     

    I am still very curious of the motivation why this change serves to prevent hacking. To be able to teleport a player across the map or to the attacker that means that the server has to greenlight the teleport. To greenlight it, the user has to have an access level allowing that. When you have an access level you also get the full getOnlinePlayers return, so I really see no logic in this decision.

     

    Think of it this way: If I want to prevent a hacker deleting subpages on my website I would not delete the sitemap showing him which ones exist, as

    1) he would still need privileges / backend access to do that

    2) he would still be able to access the pages via the normal website navigation (like the scoreboard on escape)

    The only consequence of this is to make it worse for everybody depending on an agreed upon part of the website to exist and function, same as mods who need a way of getting a full list of users.

  4. 1 hour ago, EnigmaGrey said:

    Yes. Any client had a full list of online players. A compromised client could teleport to each one and kill them rapidly.

     

    Any client can listen to the scoreboard update events too and get the list from there. Policing teleports and ranks associated with commands should not be a client issue as the server is supposed to validate teleportto commands, nor should this undocumented change cripple every mod out there relying on this function without warning, documentation, or changelog entry. If this is about "being done" with B41, I could understand the "we do not want to fix it" approach but selling this as a security feature is iffy at best.
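
The point argued in the posts above, that teleport authorization belongs on the server while the player roster itself need not be secret, sketched as an added example (not part of any post and not Project Zomboid code). The class, method and rank names are hypothetical, and the sessions and requests are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical ranks allowed to teleport; not Project Zomboid's real rank table.
TELEPORT_LEVELS = {"admin", "moderator"}

@dataclass
class Player:
    username: str
    access_level: str          # assigned by the server at login, never by the client
    pos: tuple = (0, 0)

@dataclass
class Server:
    sessions: dict = field(default_factory=dict)   # session id -> Player
    audit: list = field(default_factory=list)      # denied requests, kept for review

    def login(self, sid, username, access_level="none", pos=(0, 0)):
        self.sessions[sid] = Player(username, access_level, pos)

    def online_players(self):
        # The roster is readable by every client; it is not treated as a secret.
        return sorted(p.username for p in self.sessions.values())

    def handle_teleport_to(self, sid, request):
        """Authorize from server-side session state; ignore any client-claimed rank."""
        sender = self.sessions.get(sid)
        if sender is None:
            return "denied: unknown session"
        if sender.access_level not in TELEPORT_LEVELS:
            self.audit.append((sender.username, request.get("target")))
            return "denied: insufficient access level"
        target = next((p for p in self.sessions.values()
                       if p.username == request.get("target")), None)
        if target is None:
            return "denied: no such player"
        sender.pos = target.pos
        return "ok"

def demo():
    srv = Server()
    srv.login("s1", "alice", "admin", (10, 10))
    srv.login("s2", "bob", "none", (500, 900))
    srv.login("s3", "carol", "none", (42, 7))
    # Constructed requests: bob has the full roster and claims a rank in the message.
    results = [srv.handle_teleport_to("s2", {"target": n, "rank": "admin"})
               for n in srv.online_players()]
    results.append(srv.handle_teleport_to("s1", {"target": "carol"}))
    return results, srv.sessions["s2"].pos, srv.sessions["s1"].pos, srv.audit
```

The audit list doubles as a detection signal: one non-privileged session walking the whole roster with teleport requests stands out immediately.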

  5. From discord: https://discordapp.com/channels/136501320340209664/1037775705871753266

     

    Quote

    I don't know if this is the right way to go at it but the basic issue is that people pirate a lot, meaning they create those convenient modpacks in the hundreds of megabytes, if not a few gigabytes. People tend to migrate between servers and if some of them use a mod that is being used properly on the server they are trying to join, yet they picked up one of these modpacks along the way, they get a mismatch error like the one shown here: https://media.discordapp.net/attachments/930528426597683263/1037736867862413343/unknown.png?width=1340&height=754
     

    After they share this screenshot (if at all) they are often told to unsubscribe from all PZ mods. This happens extremely often on larger servers. So the big question would be: Could you implement a solution that the mod id of the mods to load is taken exclusively out of the list of workshop items the server already transmits? If the server is not using that modpack there should be no reason for PZ to even consider it a valid choice to satisfy the mod id requirement.

     
