[QUOTE=pondefloor;20574846]specific details on the vulnerability (which i am fully aware of) would be mostly useless to anyone except for maybe the steam developers.[/QUOTE]
The VAC team was already notified a long while ago about Serenity with a plethora of information and evidence. That youtube video I posted was only a small fraction of a much larger recording I received from an inside source Avaster may or may not think is close to him =p (Screenshots and various files are also included in the evidence sent)
Gotta love loyalty among thieves....er....hackers, right?
P.S. No I do not intend to release any of the evidence, for the sake of this thing possibly being shut down I obviously cannot risk releasing what I have other than that small clip.
[QUOTE=LombaxPE;20578870]The VAC team was already notified a long while ago about Serenity with a plethora of information and evidence. That youtube video I posted was only a small fraction of a much larger recording I received from an inside source Avaster may or may not think is close to him =p (Screenshots and various files are also included in the evidence sent)
Gotta love loyalty among thieves....er....hackers, right?
P.S. No I do not intend to release any of the evidence, for the sake of this thing possibly being shut down I obviously cannot risk releasing what I have other than that small clip.[/QUOTE]
Ok so Valve gets the info, what are they going to do? There's not good was of guarding this stuff.
[QUOTE=LombaxPE;20578870]The VAC team was already notified a long while ago about Serenity with a plethora of information and evidence. That youtube video I posted was only a small fraction of a much larger recording I received from an inside source Avaster may or may not think is close to him =p (Screenshots and various files are also included in the evidence sent)
Gotta love loyalty among thieves....er....hackers, right?
P.S. No I do not intend to release any of the evidence, for the sake of this thing possibly being shut down I obviously cannot risk releasing what I have other than that small clip.[/QUOTE]
Well now you told us hiding the truth, lol.
[QUOTE=Gbps;20579243]Ok so Valve gets the info, what are they going to do? There's not good was of guarding this stuff.[/QUOTE]
There are ways to block it.
@Cubar: Uhh....what?
I'm sure there is a way to block it, but the actual idea is pretty undetectable.
[QUOTE=LombaxPE;20579637]There are ways to block it.
@Cubar: Uhh....what?[/QUOTE]
Ignore him, hes retarded.
[QUOTE=Kopimi;20579955]Ignore him, hes retarded.[/QUOTE]
No i'm not you might be though as i can tell.
[QUOTE=Kopimi;20579955]Ignore him, hes retarded.[/QUOTE]
He's just bipolar. *Cough*
Where did my sarcasm tags go? :wink:
[QUOTE=|FlapJack|;20582218]He's just bipolar. *Cough*
Where did my sarcasm tags go? :wink:[/QUOTE]
Isn't that you?
[QUOTE=Cubar;20582238]Isn't that you?[/QUOTE]
Hey, I'm not the one who started up thousands of servers with someone's IP after a little trolling.
Server name was: [code]¦FlapJack¦ - 89.242.32.198:27005 - STEAM_0:0:10839552 [FAIL].[/code]
and the entire top of the GMod server search was filled with it, along with your little rage against everyone else in my community.
Google cache is great, eh?
I don't have a rage against your community, nice trolling, i am here to code thank you very much.
[QUOTE=Cubar;20582351]I don't have a rage against your community, nice trolling, i am here to code thank you very much.[/QUOTE]
You did, at least.
[QUOTE=|FlapJack|;20582377]You did, at least.[/QUOTE]
No, you just hate me..
Flamedy flame flame
As for this exploit, probably best to wait till valve addresses it, and tell your admins to watch where they play?
So who is cubar a alt of?
[QUOTE=|King Flawless|;20587963]So who is cubar a alt of?[/QUOTE]
Cub3 , ecabc
still never heard of him
I guess one stopgap way of doing it could be to check the name of the person to see if he is on the banlist, then kick him with a message about SteamIDs, but you could easily get past that :saddowns:
[QUOTE=VoiDeD;20289623]None of that will ever work~
I talked to Avaster he said that none of those will stop Serenity.[/QUOTE]
He's the developer of the software whom is charging people for it, of course he is gonna say "nah that won't work"
[QUOTE=Terabit;20304925]I have something. I know it works. If you want it cough up 5 dollars.
[email]donate@havocgamers.net[/email]
[b]EDIT:[/b] It uses gate keeper.[/QUOTE]
GTFO you proprietary cunt, people like you are responsible for people not wanting to play garrys mod. Shame on you!
[QUOTE=Cubar;20551916]If ip doesn't match old steamid then ban.[/QUOTE]
Problem with that is with dynamic IPs ranges are assigned to the same ISP, the range never changes and the pool of IP addresses remain the same, given an ISP like Australia's Internode who about 60% of their customer base are gamers, the chances are people may end up with someone elses IP address and the get the steamid not match.
[QUOTE=Ice05;20308749]Avaster just added my steam id to their client,im getting banned from 80% of the servers now?
Damn it!
I think azu's anti-serenity should work.[/QUOTE]
Lodge a complaint to VaVLE, don't be stupid and threaten legal action but just say it how it is, they prolly don't care but you never know.
[QUOTE=Neux;20282765]I have it, and yes it does spoof your steamID - and there's some huge irony in AzuiSleet's post.
There is one server that has it blocked (that I know of) if any more have them - please tell me them and I'll test it out.[/QUOTE]
Can you please fire me a pm and I will talk with you, lets see if we can't find a fix that works (for sure) and be able to release it for FREE (the good karma is worth it).
--------------------------------------------------------------------------------------------------------------------
I'll also look into it, seeing what I have read is that the change isn't permanent, it get's ass fucked shortly after joining.
edit:
[QUOTE=|King Flawless|;20570965]Cant read my name?[/QUOTE]
No one likes an arogant ass, please don't be one...
edit 2:
The [b]BEST[/b] fix, is one that's forced.
Someone work out how this works and then release it OPEN SOURCE, make sure it works for CS:S as well. It will make VaLVE shit bricks and they'll fix it prettyf fucking quick once it gets out.
A closed source proprietary program won't gain VaLVE's attention because they'll right it off as a scam, even if it works...
Avaster isn't the developer; VoiDeD is. Avaster is merely the guy that sells it for VoiDeD.
I'm getting pretty tired of these baseless accusations!!
Who the hug is rating me funny?
-snip-
Hmm well being able to spoof an admin's SteamID isn't such a big deal. Simply add a login process to the SteamID checking.
edit : And make the login process automated too, that way it's not even more of a hassle for the admins.
Of course if it's automated then there's the risk you could join a malicious server which would collect the info. Plain login would be better..
[QUOTE=Crazy Quebec;20624962]Hmm well being able to spoof an admin's SteamID isn't such a big deal. Simply add a login process to the SteamID checking.[/QUOTE]
It's not that simply. Clients get a hash allocated which is valid for 24 hours and the whole steamid allocation works by checking the hash against one in the database of the steamservers.
I heard Serenity works that way that there are fake servers. As soon as someone joins them, the hash is stolen and put into a database. Then when someone logs in into Serenity, they get allocated a random hash from the database so they can spoof the steamid by sending this hash instead of their own.
Note: I just got these information from several rumours. So they might not be all over correct. Further investigation has to be done. But if this is true, all valve could do about it is checking the account with the hash clientside - But even that is exploitable.
[QUOTE=aVoN;20627563]It's not that simply. Clients get a hash allocated which is valid for 24 hours and the whole steamid allocation works by checking the hash against one in the database of the steamservers.
I heard Serenity works that way that there are fake servers. As soon as someone joins them, the hash is stolen and put into a database. Then when someone logs in into Serenity, they get allocated a random hash from the database so they can spoof the steamid by sending this hash instead of their own.
Note: I just got these information from several rumours. So they might not be all over correct. Further investigation has to be done. But if this is true, all valve could do about it is checking the account with the hash clientside - But even that is exploitable.[/QUOTE]
Knowing valve they won't do anything, neither will garry. He is the head of the community yet he let's shit like this happen.
[QUOTE=Terabit;20628222]Knowing valve they won't do anything, neither will garry. He is the head of the community yet he let's shit like this happen.[/QUOTE]
Stopping this would involve changing the Source engine in a way to stop the hash being taken/ sent in the current methods. Garry cannot do this, he is not allowed to modify and re-distribute source completely, only the bits required to integrate Lua and other crap into the mod.
[QUOTE=hexpunK;20628290]Stopping this would involve changing the Source engine in a way to stop the hash being taken/ sent in the current methods. Garry cannot do this, he is not allowed to modify and re-distribute source completely, only the bits required to integrate Lua and other crap into the mod.[/QUOTE]
I thought he was allowed, just that he didn't want to, because of all the fuss that would arrive from having to sync, update, compile and upload his version of the engine every time a source update came out.
Garry's Mod got it's own engine files, but those are unused as far as I know (just like Lexic said).
[QUOTE=Lexic;20628692]I thought he was allowed, just that he didn't want to, because of all the fuss that would arrive from having to sync, update, compile and upload his version of the engine every time a source update came out.[/QUOTE]
Huh, he might be, the last I heard was the contract allowed him to peek into the source code to see how things worked, then fix up his files which he could distribute.
Though that may have changed, but I just can't see Valve being incredibly happy with their engine being redistributed, seeing as it relies on a game anyway.
Just some reasearch into serenity its self turned up this
[code]
216.218.224.241 // This is website used to check if your auth to serenity
204.45.55.242 // Voideds dedicated it connects to this after the web check
[/code]
Useless to most people but im sure someone will find something to do with them
Sorry, you need to Log In to post a reply to this thread.
