Feb 2, 2016, 06:57 PM
Feb 2, 2016, 07:02 PM
(Feb 2, 2016, 02:48 PM)Rayts5 Wrote: [ -> ](Feb 2, 2016, 02:14 PM)Burnett Wrote: [ -> ]No profit, no salary = donations.
Money is spent on server, development and security costs. Once our public expenditure report is out, everyone will see it.
What security costs? (1) There isn't even SSL on the forums. (2) If it's DDoS, then move to AWS or something. (3) I still know like 3-4 exploits in the gamemode which all works. (4) But to be fair, one of them is so complex that only me would be capable of patching it. (5) The anti-cheat is trash too (oh yeah screengrabbing is a 10/10 detection method, not like that can be bypassed or anything).
(6) They even used SVN on the VPS back on FL. I mean, what is this, 2006? I really hope that it is still not being used.
* Burnett slams his head
(1) Just because we don't offer TLS (your so called 'SSL'), doesn't mean there aren't any other security-costs. However. TLS for a simple forum ain't a priority for us. Payments are fully protected via Paypal's TLS and we might add it for the forums in the near future. As said, that is not a priority.
(2) "Hey look, a DDoS expert". Do you really think we don't know what we're doing in terms of DDoS? Have you ever fought a massive Gb/s DDoS attack? If so, you should know that every single mitigated gigabyte costs "real" money. That ain't peanuts. Moving to AWS does not even solve the problem. The DDoS would still be there and you gotta pay for the traffic anyways. So what is your point? Simply don't get it, as it doesn't make any sense. We have two staff-members with networking-skills, and one of them studies network-technology (Faustie).
(3) You're free to report them - your choice.
(4) Well if that's the case we should get you into a Full-Developer position and promote you soon ... ...
(5) Glad you know about one method. There are many others.
(6) Have you ever worked with a repository system? SVN is stable and a mature system with a decent stream of updates. (
Feb 3, 2016, 12:40 PM
I don't play GMod anymore, and I promised someone here that I would never use any of my dupes on LL.
I am going to mention two 'clues' (I guess you can call it) of them. The rest will go with me in my grave because they are global exploits, and have existed since the dawn of the Source Engine. There is one dupe even Lexi (Old coder of Applejack) wasn't capable of fixing.
First one is related to adv duplicator. Yes, there actually is an exploit with it. That can be fixed by moving to Adv Dupe 2, or by finding the exploit itself. Your choice.
The second one is a way to execute any Lua code client-side. Mavis/CodedBrain was never a good coder, I can tell you. I guess some people forget to check over things when looking at addons. If you look at the code of Garry's Mod, you'll see that it is easy to trigger client-side Lua code without the scriptenforcer enabled, but this can definitely be classified as an exploit nevertheless.
My point with bringing up exploits was to tell that nothing is checked over. Everything is thought inside the box, while exploiting requires you to think outside that box. I mean, if I had a gameserver, I would go over the source code from time to time and analyze whatever things could be exploited or not.
Oh and Burnett, BeyBlade anti-cheat is not going to protect against anything. I spoke ages ago about the fact that the networked strings in ScreenGrab were hardcoded (even got banned for posting client-side files lmao, on FL forums), and how that was a terrible thing. I noticed that Temar had obfuscated them. Well guess what? That's not going to stop anyone. I mean, that's incompetence at a whole new level. The least you could do is to make a random string generator and generate a whole new networked string per server start. That can also be bypassed, but it definitely makes it sorta harder.
And also, to prevent what happened a year or two ago where the init.lua got posted on pastebin by the 'hackers', you could encrypt the server-side features in there. It's just a proposal.
Anyways, it got very off-topic. I'm out, and good luck.
Feb 3, 2016, 03:05 PM
(Feb 3, 2016, 12:40 PM)Rayts5 Wrote: [ -> ]I don't play GMod anymore, and I promised someone here that I would never use any of my dupes on LL.
I am going to mention two 'clues' (I guess you can call it) of them. The rest will go with me in my grave because they are global exploits, and have existed since the dawn of the Source Engine. There is one dupe even Lexi (Old coder of Applejack) wasn't capable of fixing.
First one is related to adv duplicator. Yes, there actually is an exploit with it. That can be fixed by moving to Adv Dupe 2, or by finding the exploit itself. Your choice.
The second one is a way to execute any Lua code client-side. Mavis/CodedBrain was never a good coder, I can tell you. I guess some people forget to check over things when looking at addons. If you look at the code of Garry's Mod, you'll see that it is easy to trigger client-side Lua code without the scriptenforcer enabled, but this can definitely be classified as an exploit nevertheless.
My point with bringing up exploits was to tell that nothing is checked over. Everything is thought inside the box, while exploiting requires you to think outside that box. I mean, if I had a gameserver, I would go over the source code from time to time and analyze whatever things could be exploited or not.
Oh and Burnett, BeyBlade anti-cheat is not going to protect against anything. I spoke ages ago about the fact that the networked strings in ScreenGrab were hardcoded (even got banned for posting client-side files lmao, on FL forums), and how that was a terrible thing. I noticed that Temar had obfuscated them. Well guess what? That's not going to stop anyone. I mean, that's incompetence at a whole new level. The least you could do is to make a random string generator and generate a whole new networked string per server start. That can also be bypassed, but it definitely makes it sorta harder.
And also, to prevent what happened a year or two ago where the init.lua got posted on pastebin by the 'hackers', you could encrypt the server-side features in there. It's just a proposal.
Anyways, it got very off-topic. I'm out, and good luck.
You might wanna speak to Temar about the anti-cheat stuff. I'm definitely the wrong contact for that, cus my area is network(backend)-sec stuff.
Regarding init.lua:
I could publish the init.lua on pastebin if you like. No classified information is stored in it.
But as you can see we take "security" very seriously. Just ask one of our Devs. They can confirm that it's frustrating when the security-team needs to sort access - one by one. We'd rather check/manage things manually than automatically.
The community should know by now: Limelight's security concept is not a Kindergarten concept. That's why we spent so much money on upgrades. Without donations that would not be possible.
We always strive to make things secure. If we fucked up, well then. We learn from mistakes.
Feb 3, 2016, 04:36 PM
Lol I reached page 2 and read everything then I went back to page one and it was a whole other topic.
First it was about donations then about anti-cheat, and DDOS protections then I completely forgot about the main thread.
Mar 29, 2016, 11:16 PM
Archived.
If this is still an issue, please re-post.