• Prevent noclip hacking by removing the spectator camera | as well as a hacker report
Hi, I don't know if you saw it yet, but there are plenty of noclip hackers. There's a public hack going around in some Russian's forum which uses some kind of spectator camera function in order to allow the player to noclip around. Please remove this from all assemblies. Another hack allows the player to change x, y and z coordinates with memory hacks. Please add some server side checks to see if the player passed a collision path which is not possible and would trigger a kick/ban. And/Or simply check how long the player didn't touch the ground, should prevent a few hackers at least. I just lost my base due to some Russian guy; he spammed like hell with his mic and noclipped into my base, destroyed everything. It was a 3x3x3 full armored base with multiple doors inside. Dunno how but he threw multiple C4s like 15 or so at the same time ruining our base. He first clipped inside, killed me and my mate in our panic room, then destroyed everything with C4. Nearly 4 days of work gone within seconds. Me and my mate can confirm that he's noclip hacking (maybe more ppl at Amsterdam server). Profile: [url]http://steamcommunity.com/profiles/76561198173555525/[/url] That's all, already quit the game as there's no real point to continue for me. I know it's Alpha but with such huge security holes it's not fun anymore.
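The two server-side checks requested in the post above (an impossible collision path, and time spent off the ground), plus a speed check for coordinate edits, sketched as an added example; this is not code from the thread or from the game. The thresholds, the box-shaped geometry, the flat terrain at y = 0 and every name are assumptions, and "grounded" is computed by the server because the client's own report is exactly what a patched client controls.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 8.0    # assumed top legitimate speed, metres per second
MAX_AIRTIME = 3.0  # assumed longest legitimate time off the ground, seconds

@dataclass
class Box:         # solid axis-aligned block (wall, foundation), corners lo/hi
    lo: tuple
    hi: tuple

def segment_hits_box(p, q, box):
    """Slab test: does the straight path p -> q pass through the box interior?"""
    t_in, t_out = 0.0, 1.0
    for a, b, lo, hi in zip(p, q, box.lo, box.hi):
        if a == b and not lo < a < hi:
            return False              # parallel to this slab and outside it
        if a != b:
            t0, t1 = sorted(((lo - a) / (b - a), (hi - a) / (b - a)))
            t_in, t_out = max(t_in, t0), min(t_out, t1)
    return t_in < t_out

def on_ground(pos, solids, eps=0.1):
    """Grounded as computed by the server: flat terrain at y = 0 or a box top."""
    x, y, z = pos
    return y <= eps or any(
        s.lo[0] <= x <= s.hi[0] and s.lo[2] <= z <= s.hi[2]
        and 0 <= y - s.hi[1] <= eps for s in solids)

class MoveValidator:
    """Holds one player's last accepted position on the server."""
    def __init__(self, pos, now):
        self.pos, self.time, self.grounded_at = pos, now, now
    def check(self, new_pos, now, solids):
        """Return the violations for this update; an empty list accepts it."""
        flags, dt = [], now - self.time
        if dt <= 0 or math.dist(self.pos, new_pos) / dt > MAX_SPEED:
            flags.append("speed")
        if any(segment_hits_box(self.pos, new_pos, s) for s in solids):
            flags.append("through_solid")
        grounded_at = now if on_ground(new_pos, solids) else self.grounded_at
        if now - grounded_at > MAX_AIRTIME:
            flags.append("airtime")
        self.time = max(self.time, now)
        if not flags:                 # a rejected move never becomes the baseline
            self.pos, self.grounded_at = new_pos, grounded_at
        return flags

WALL = Box((5, -1, -5), (6, 3, 5))  # constructed sample: footing below terrain
```

A non-empty result is a reason to snap the player back to the last accepted position and log the event for an admin; kicking on a single flag would punish lag spikes and physics glitches.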
Spectator camera is what admins use for free cam mode. Removing that function would remove an important tool from an admin's arsenal. PS: If you want to avoid hackers, play on a community server with active admins. Official servers are unmoderated.
learn to play. i ddnt hax shit at all cuz im over 9000 legit [highlight](User was permabanned for this post ("Terrible poster" - postal))[/highlight]
Being able to spectate is a critical tool at detecting hackers / glitchers / sploiters, as well as helping users troubleshoot problems. "Admin! Help! This stupid building system sucks and nothing works!" "That's because you're trying to place a foundation floating in midair."
[QUOTE=Crunchmeister;47910221]Spectator camera is what admins use for free cam mode. Removing that function would remove an important tool from an admin's arsenal. PS: If you want to avoid hackers, play on a community server with active admins. Official servers are unmoderated.[/QUOTE] I know that you need such a function as an administrator, no doubt. But the hackers are modifying the assembly files by patching a few bytes and voila, they can noclip instead of move. This needs an urgent fix. It's not fun putting endless hours into this game, then a hacker comes along and destroys everything within seconds and there's nothing you can do about it. I mean if I would've lost everything due to a legit raid it's k, but not like this.
I agree that combating hackers should be a high priority. But removing one of the main tools that an admin uses to combat hackers in order to try to combat hackers is not the way to do this. That's like curing the disease by killing the patient. Not exactly the right course of action IMO. If you took away an admin's ability to fly, noclip, and freecam, perhaps you're removing that ability from a hacker as well. But how is an admin to observe a suspected cheater using speed hacks or aim bots (something NOT in the admin tool set) or any other future hacks without said tools?
How much of this hack development is aided by Rust allowing anyone access to the server files? Does it help them?
[QUOTE=IanH;47914750]How much of this hack development is aided by Rust allowing anyone access to the server files? Does it help them?[/QUOTE] Not just "anyone" can access the server files. You need to have write access on the server (IE, be the server owner or have FTP access). Let's kill this rumor before it starts.
[QUOTE=Maximum Over;47914974]Not just "anyone" can access the server files. You need to have write access on the server (IE, be the server owner or have FTP access). Let's kill this rumor before it starts.[/QUOTE] Anyone can run a server. I have one on my PC for testing.
[QUOTE=Maximum Over;47914974]Not just "anyone" can access the server files. You need to have write access on the server (IE, be the server owner or have FTP access). Let's kill this rumor before it starts.[/QUOTE] The hacks are running on the client, not the server. These hacks are 3rd party programs that are run on top of Rust. They may modify CLIENT resources and intercept info going back and forth between the client and server allowing them to manipulate the game world in ways not intended. The servers aren't being hacked. Having your own server on your own computer and accessing its files is irrelevant. That's like saying your car won't start because your wiper blades are worn out.
[QUOTE=Maximum Over;47914974]Not just "anyone" can access the server files. You need to have write access on the server (IE, be the server owner or have FTP access). Let's kill this rumor before it starts.[/QUOTE] Everyone can download the server files from Steam CMD.
[QUOTE=Warm;47915166]Everyone can download the server files from Steam CMD.[/QUOTE] And that does nothing for anyone building or using hacks other than being able to test them out in a closed environment. Hacks happen on the client side.
[QUOTE=Crunchmeister;47915148]The hacks are running on the client, not the server. These hacks are 3rd party programs that are run on top of Rust. They may modify CLIENT resources and intercept info going back and forth between the client and server allowing them to manipulate the game world in ways not intended. The servers aren't being hacked. Having your own server on your own computer and accessing its files is irrelevant. That's like saying your car won't start because your wiper blades are worn out.[/QUOTE] Understand but being able to examine the server code and "test" your hacks locally without the chance of being detected and banned must help?
[QUOTE=IanH;47915040]Anyone can run a server. I have one on my PC for testing.[/QUOTE] That's not the same as saying "anyone has access to the server files". Nobody has access to my server files but me, but anyone has access to the server installation. [QUOTE=Crunchmeister;47915148]The hacks are running on the client, not the server. These hacks are 3rd party programs that are run on top of Rust.[/quote] I know -- my post was in response to his ambiguous "anyone can access the server files". Server installation, yes. Server files, no. I don't think access to the server application itself is a prerequisite to creating hacks, since so much is done in the client without validation on the server.
[QUOTE=Maximum Over;47915254]That's not the same as saying "anyone has access to the server files". Nobody has access to my server files but me, but anyone has access to the server installation. I know -- my post was in response to his ambiguous "anyone can access the server files". Server installation, yes. Server files, no. I don't think access to the server application itself is a prerequisite to creating hacks, since so much is done in the client without validation on the server.[/QUOTE] I think you're missing the point bro.
[QUOTE=IanH;47915277]I think you're missing the point bro.[/QUOTE] Probably. In any event, getting rid of spectate mode would be a terrible idea, nobody but me (and possibly the GSP) has access to my server files, and access to the server application doesn't facilitate creating hacks any more than blocking said access would prevent creating them.
I doubt that any hacker is particularly interested in accessing your server files. The question is, if admin functions like spectate and other bits of server code have vulnerabilities then to what extent does a would be hacker being able to create his/her own server help them find the vulnerability and develop a hack that can be used on any server?
[QUOTE=Maximum Over;47915254]That's not the same as saying "anyone has access to the server files". Nobody has access to my server files but me, but anyone has access to the server installation. I know -- my post was in response to his ambiguous "anyone can access the server files". Server installation, yes. Server files, no. I don't think access to the server application itself is a prerequisite to creating hacks, since so much is done in the client without validation on the server.[/QUOTE] Actually, I didn't mean to quote you in that message. I must have mis-clicked. I meant to reply to IanH. [editline]9th June 2015[/editline] [QUOTE=IanH;47915438]I doubt that any hacker is particularly interested in accessing your server files. The question is, if admin functions like spectate and other bits of server code have vulnerabilities then to what extent does a would be hacker being able to create his/her own server help them find the vulnerability and develop a hack that can be used on any server?[/QUOTE] So you would suggest that Facepunch stop offering a free download of the server to address this? How would people be able to run games then? How would there be community servers? How would mod makers make Oxide and all the associated mods? Perhaps only Facepunch could run their unmoderated servers? I see what you're getting at, but I don't think what you're suggesting would be an improvement.
[QUOTE=Crunchmeister;47915443] So you would suggest that Facepunch stop offering a free download of the server to address this? How would people be able to run games then? How would there be community servers? How would mod makers make Oxide and all the associated mods? Perhaps only Facepunch could run their unmoderated servers? I see what you're getting at, but I don't think what you're suggesting would be an improvement.[/QUOTE] It was a question bro. There is no suggestion in there.
In any case, the server files are irrelevant. The people who create these game hacks aren't stupid. They always find ways to circumvent obstacles put in their way and stay a couple of steps ahead of those trying to shut them down. It's the same with people who program viruses. The best you can do is proactively try to detect them and shut them down. To me, there are 2 ways to do this. Server admins need to be more active to keep hackers off their servers (which won't happen on official servers). This is probably the most effective way of taking care of hackers. And EAC needs to step up its game and go through its ban waves more frequently. And as I always say, the best servers to play on are community servers with active admins. Hackers get shut down rather quickly there.
[QUOTE=IanH;47915438]I doubt that any hacker is particularly interested in accessing your server files.[/quote] I agree, but you brought it up: [QUOTE=IanH;47914750]How much of this hack development is aided by Rust allowing anyone access to the server files? Does it help them?[/QUOTE] [quote]The question is, if admin functions like spectate and other bits of server code have vulnerabilities then to what extent does a would be hacker being able to create his/her own server help them find the vulnerability and develop a hack that can be used on any server?[/QUOTE] Very little. The only way to find out is to replicate the hack. But if you take away the server distribution package, then hack developers are just going to black box it, and you've punished all the legit players in the process.
[QUOTE=Crunchmeister;47915536]In any case, the server files are irrelevant. The people who create these game hacks aren't stupid. They always find ways to circumvent obstacles put in their way and stay a couple of steps ahead of those trying to shut them down. It's the same with people who program viruses. The best you can do is proactively try to detect them and shut them down. To me, there are 2 ways to do this. Server admins need to be more active to keep hackers off their servers (which won't happen on official servers). This is probably the most effective way of taking care of hackers. And EAC needs to step up its game and go through its ban waves more frequently. And as I always say, the best servers to play on are community servers with active admins. Hackers get shut down rather quickly there.[/QUOTE] Wouldn't disagree but wasn't there a community server owner on here a couple of days back that had gotten himself an EAC ban for hacking? Might be useful if there was a way of telling which community servers were "professionally" administered. Some sort of Facepunch stamp of approval that was short of being admitted to the Official server list.
[QUOTE=IanH;47915598]Wouldn't disagree but wasn't there a community server owner on here a couple of days back that had gotten himself an EAC ban for hacking? Might be useful if there was a way of telling which community servers were "professionally" administered. Some sort of Facepunch stamp of approval that was short of being admitted to the Official server list.[/QUOTE] There are always going to be some 'bad apples'. If he was testing out hacks with the intent of using them, then he got what he deserved. If he was testing them for the sake of testing them out, what he should have done is the smart thing and disabled anti-cheat on the server before trying it out. Either way, that EAC ban is legit IMO and comes down to the admin doing something incredibly stupid where he should have known better. If you ask me, that's like digital Darwinism. And considering official Facepunch servers are by far the worst, hacker infested servers out there, I don't think that's a good suggestion. [QUOTE=Maximum Over;47915585]Very little. The only way to find out is to replicate the hack. But if you take away the server distribution package, then hack developers are just going to black box it, and you've punished all the legit players in the process.[/QUOTE] And this is what I was alluding to earlier. Removing the accessibility of server files from people only hurts people that want to run servers, not hackers. You'd be punishing the 99.5% of people who are legit in order to try to stop the 0.5% who are hacking.
[QUOTE=Crunchmeister;47915702] And considering official Facepunch servers are by far the worst, hacker infested servers out there, I don't think that's a good suggestion. [/QUOTE] I think you misread.
[QUOTE=IanH;47915760]I think you misread.[/QUOTE] [QUOTE=IanH] if there was a way of telling which community servers were "professionally" administered. Some sort of Facepunch stamp of approval[/QUOTE] I don't think I misread. That's the part I was replying to. If Facepunch Official servers are by far the worst servers to play on, how could a Facepunch seal of approval be of any value? Getting a Facepunch seal of approval under current circumstances would be like getting a "Diversity, tolerance and acceptance" seal of approval from the KKK.
You guys are hard work. Being an Official server and being listed as one aren't the same - Rustafied. But Listing as Official wasn't what I was suggesting anyway.
I found a good server by playing on a bunch of community servers. I found one with a good, active admin that was easy to get in touch with if there was a problem. And I stuck with that server. It's really that simple. And now I'm also an admin on that server. We've had 1 hacker since I was made admin, and the problem was taken care of in less than 5 minutes.