Jump to content

[Multiplayer] GetOnlinePlayers() returning empty for non-admin players


Morceaux
 Share

Recommended Posts

Apparently this is related to issues with VOIP in-game as well.

 

This "proximity" changes on the code (players must meet ingame) doesn't seem to be working well. I don't understand what devs wanted to accomplish with that, but at least it could persist the "players have met" info across logins, but not even that.

 

Link to comment
Share on other sites

1 hour ago, EnigmaGrey said:

Yes. Any client had a full list of online players. A compromised client could teleport to each one and kill then rapidly.

 

Any client can listen to the scoreboard update events too and get the list from there. Policing teleports and ranks associated with commands should not be a client issue as the server is supposed to validate teleportto commands, nor should this undocumented change cripple every mod out there relying on this function without warning, documentation, or changelog entry. If this is about "being done" with B41, I could understand the "we do not want to fix it" approach but selling this as security feature is iffy at best.

Link to comment
Share on other sites

Very much agree, and if it is a security feature why does it not have a toggle like other anti-cheat options? I have zero interest in this feature and now my 100+ players are suffering with a broken map mod, a broken vehicle claim player list, broken walkie talkie communication without visiting a player in person (I know Spiffo insists that you made no changes to this, but without any changes on my end it broke with 41.78.12 and remains broken, reproduced with no mods and a fresh save), and more all since 41.78.12. All sorts of things broken because of it, making me run around troubleshooting instead of playing the game or making new mods and content for the community.

 

I really don't mean to be rude, but it seems like a really bad idea to silently roll out changes like this, particularly at the end of a patch cycle. If it had been clearly noted in the changelog I would have tested that unstable version and I'm sure others would have, but we have to prioritize and nothing in that changelog made me think breaking changes were included. I also really don't understand how this suddenly became a critical issue in need of fixing at the end of a patch cycle when it's been this way for the entire time and I've only seen someone hack the game two times in my year or more of serious online play.

 

Frankly there are much larger security holes like being able to decompile, modify the java, recompile, and join a server with any code you like. This includes enabling debug mode on someone's server without admin privileges and running whatever code you like. I'm not sure why the ability to quickly go between players to do something like kill them is somehow a big threat. I'm not personally even worried about that, though, because that's what backups are for and if it happens it happens. In fact I have a repository with added security features via modifying the java on the server end and I haven't bothered rolling them out because it isn't worth the hassle of having to recompile when the game is updated to me at this time.

 

I think I speak for a large portion of the community when I say we're far more concerned about being able to enjoy a stable experience without wrenches being thrown into things like this, and to be able to modify the game without the carpet being pulled out from under us with little-to-no warning. I realize there is also a portion of the community that is very concerned about hackers and cheating because it's more PVP focused and largely vanilla, but I would ask that you consider that this is not everyone who plays your game.

 

We really appreciate what you do - we love the game. I've spent about 2400 hours in it so far. That said, it is very frustrating when our experiences with the game are marred by things like this. I hope you don't take my bluntness here as being overly entitled or rude, I really don't mean it that way, but I feel I'd do you a disservice by not speaking up at this point as dozens of users are frustrated in my community alone, and I know mine can't be the only one.

Edited by UdderlyEvelyn
Link to comment
Share on other sites

This is an early access game. It’s expected things will break, more so than we as gamers expect things to break with any game update.

 

In this case, some loss of functionality is worth not having entire severs wiped out in seconds upon joining (far less work) as was happening. Yes, this is efficiently the end of 41 aside from, possibly, another small patch + some anticheat that may of may not be held off until 42.

 

I don’t see how this can affect anything other than radios in the vanilla game and from testing that seems unrelated to this change.  It should have been broken for the last 2 or 3 weeks.


We can’t guarantee anything when it comes to mods, though we try to avoid being disruptive if we can (and are aware of it).

Link to comment
Share on other sites

Can you please confirm what you will be looking into so modders can prepare for this?

 

8 hours ago, EnigmaGrey said:

Per my last comment:

 

I don’t see how this can affect anything other than radios in the vanilla game and from testing that seems unrelated to this change.  It should have been broken for the last 2 or 3 weeks.”

 

We’re looking into it.

 

If you're leaving the getOnlinePlayers useless then I'll prepare getting the username list from the ISScoreboard instance instead, like a hypothetical hacker would.

 

I am still very curious of the motivation why this change serves to prevent hacking. To be able to teleport a player across the map or to the attacker that means that the server has to greenlight the teleport. To greenlight it, the user has to have an access level allowing that. When you have an access level you also get the full getOnlinePlayers return, so I really see no logic in this decision.

 

Think of it this way: If i want to prevent a hacker deleting subpages on my website I would not delete the sitemap showing him which ones exist, as

1) he would still need privileges / backend access to do that

2) he would still be able to access the pages via the normal website navigation (like the scoreboard on escape)

The only consequence of this is to make it worse for everybody depending on an agreed upon part of the website to exist and function, same as mods who need a way of getting a full list of users.

Edited by bknht
2nd coffee, better phrasing
Link to comment
Share on other sites

No. To use the teleport command* the server needs to be involved.

 

The client can, however, set its own coordinates, especially if they work around anticheat. Not that they necessarily need to to create mischief. PZ, partially because it’s heavily moldable and because of its history as a sp game, is very client centric. Websites are not: the server controls everything.

 

I very much doubt there’s many mp game out there that gives clients a complete list of everyone down to their position when they connect. The problems with that should be obvious.

 

So, in short: we plugged an exploit that involved killing everyone on a server. It bugged radios (which have had several patches since) and broke a car claiming mod?

Link to comment
Share on other sites

Then why are player coordinates of the others even relevant if they are teleported to the attacker regardless? The premise to break this core function was "use a list of usernames to teleport players to attacker and kill them" which can still be done with or without this function being useless now. If this is such a huge risk maybe putting it behind some anti cheat setting is a good idea then, so server owners can decide on their own, like with the other twenty something codes where nobody really knows what they do. Want a player list to be available? Enable anti cheat xyz, done.

Link to comment
Share on other sites

What?

 

How do you teleport to someone if you don’t know they’re there?

 

Ergo: it’s no longer a problem. You can tell its no longer problem because no one is contacting us telling us their server got wiped out or sending us the cheats anymore.


I’m fine with putting in an option if the other devs feel it’s prudent and they have time for it, but turning it off seems like a significantly worse trade off than usual. Lol

 

Link to comment
Share on other sites

"Any client had a full list of online players. A compromised client could teleport to each one and kill then rapidly.
I read this as "could teleport each one and kill them rapidly", so my bad. I did not go back and verify the exact phrasing again as you were already dismissive of any and all input, criticism and pleas with a "what we say goes" attitude in regards to mods. Yes, what you say goes, but at least take into consideration the people who supported your game during 10 years and kept it fresh with new things for the playerbase to enjoy while the core game matured.

 

Oh, the question above: it broke every single mod out there needing a fully qualified list of people. Examples are everywhere around the mod scene, smaller and large. I have a mod that allows vehicle claiming with permissions management. When somebody wants another to be able to enter they get a context menu to add them. Another mod is an economy mod allowing people to wire each other money via ATM and here i need an instance because i need to get first and last name instead of usernames, as it is in an RP environment. Also wiring money to somebod 10 tiles away is not really sensible. It is an "across the map" feature.

Edited by bknht
Link to comment
Share on other sites

It might feel I’m being dismissive because for me it’s simple: you need players to be alive to have a functioning server to even use those mods.

 

You seem to be intentionally ignoring that while second-guessing anything I reply with to try and force the issue.

 

Really, I get that it sucks to have mods break, but it really sucks to die to hacking ingame as well, especially on an rp server. I’m sure we can look at options or alternatives for this in the future, but you do have to understand that as a modder, things will change with the game and you might have to do things differently when it happens. Like, why do you need to know every player online for a car claiming mod, for example? Limit it to the players near the car. Store the money and let someone pick it up instead of send it directly. I don’t know, I don’t use this stuff.

Link to comment
Share on other sites

We can adapt to changes, we are happy to help with tests and report issues, but just being caught by surprise wears down everyone. Modders and server runners got completely blindsided by it. This entire situation could be avoided with more concern about backwards compatibility, a feature toggle. We got nothing, again, just a "deal with it".

 

I understand TiS, like every company, has limited resources and can't cover all the bases and it's ultimately your decision but you might agree with me that this was an unnecessary blow. Sometimes, strategy is deciding what we are NOT going to do. And it seems that modders and server runners are frequently in the list of what TiS decide to not care about.

 

I don't mean to keep nagging at it but this change doesn't even persist across relogs. And it works for a few seconds upon login. A half-baked feature breaking mods without giving us a chance to test. I swear, since patch 41.71 I DREAD every patch TiS releases.

Edited by Morceaux
Link to comment
Share on other sites

No. I don’t agree. Empathize? Sure. I get it’s frustrating not to have full insight or control over things in life, but you get used to it.

 

Frankly I find the whole reaction pretty extreme, unreasonable, and increasingly manipulative as this continued. It’s insulting to pretend  we don’t care just because you don’t personally get your way. Obviously we care, or we’d not be here. We just can’t pick your mod and/or server over all servers. 

 

In a world where we had infinite time and far more testers and didn’t have hackers bringing down servers, sure, my position would be different. But otherwise this is the norm for most games and if you’re going to mod them, you do need to expect that things will change, and if it does, that you’ll not necessarily have full knowledge and a long time to prepare for it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...