[QUOTE=Nexus435;24550495]Can't wait until the new update.[/QUOTE]
Got a while to wait yet. Tuesday. :v:
Well, at this point Valve has found the issue regarding the GSClientDeny_t callback not kicking a player, so that should be fixed with the next engine update.
That update alone will make it (nearly) impossible to connect to a server with a spoofed steamid for more than 5 minutes. Then it's a matter of waiting for the faulty GSClientApprove_t callbacks to be fixed on the backend side of things, something that Valve was made aware of a few days ago, and then hopefully they can also make sure that the GSClientDeny_t callback gets sent in a reasonable amount of time.
Combined with the new method we're getting with the next garrysmod update, the issue will be fixed.
[QUOTE=|FlapJack|;24545813]And since when could you not write hashing algorithms in pure lua?[/QUOTE]
What does that have to do with what I said?
I said malicious servers can override functions on the client.
[editline]06:08PM[/editline]
[QUOTE=ComWalk;24528302]*apparently off-topic*[/QUOTE]
Okay, I'll make a thread.
[QUOTE=tepholman;24486021]Avaster, how much have you made from this? :aaa:[/QUOTE]
Around 2 thousand dollas :p
[QUOTE=Avaster;24556183]Around 2 thousand dollas :p[/QUOTE]
and i will make sure nobody ever pays for it again
You can't stop retarded people, no matter how hard you try.
[QUOTE=blackops7799;24557002]You can't stop retarded people, no matter how hard you try.[/QUOTE]
This person is soo correct :P
[QUOTE=blackops7799;24557002]You can't stop retarded people, no matter how hard you try.[/QUOTE]
Avaster is a prime example of this
[QUOTE=King Flawless;24558172]Avaster is a prime example of this[/QUOTE]
It's not like ops didn't direct it to avaster or anything.
[QUOTE=Nexus435;24558717]It's not like ops didn't direct it to avaster or anything.[/QUOTE]
It was directed at the people who pay for it
Is it safe to say that after this update it will no longer be possible to use a proxy server to mask a user's true IP address unless both Steam and GMod are using the proxy?
I apologize if this was answered somewhere in this thread.
[QUOTE=ers35.;24564957]Is it safe to say that after this update it will no longer be possible to use a proxy server to mask a user's true IP address unless both Steam and GMod are using the proxy?
I apologize if this was answered somewhere in this thread.[/QUOTE]
This shouldn't affect that at all, I imagine that it will remain possible. That behavior is a function of the Steam backend, not the source engine. The backend bug is separate and I'm not sure if/when that bug will be fixed.
[QUOTE=ComWalk;24565365]This shouldn't affect that at all, I imagine that it will remain possible. That behavior is a function of the Steam backend, not the source engine. The backend bug is separate and I'm not sure if/when that bug will be fixed. [/QUOTE]
What I mean is, if a player can mask his IP address and stay connected to a server, is it not the same as someone spoofing his SteamID?
Will the following be possible after the update:
[CODE]A player connects via a proxy to a server.
The player's IP address changes but his SteamID is the same.
The proxy owner now controls the player's communications to and from the server.
The proxy owner now has the same power as someone who spoofs the player's SteamID, [B]meaning SteamID spoofing is not fixed[/B].[/CODE]
[QUOTE=ers35.;24565581]What I mean is, if a player can mask his IP address and stay connected to a server, is it not the same as someone spoofing his SteamID?
Will the following be possible after the update:
[CODE]A player connects via a proxy to a server.
The player's IP address changes but his SteamID is the same.
The proxy owner now controls the player's communications to and from the server.
The proxy owner now has the same power as someone who spoofs the player's SteamID, [B]meaning SteamID spoofing is not fixed[/B].[/CODE][/QUOTE]
Yes, it's different, because of the single-use token contained in the auth ticket. This isn't handled by the engine update or garrysmod update. This behavior will have to be changed in the Steam backend. It's actually more severe than simply stealing a ticket because it will result in a GSClientApprove_t being issued.
The scenario you described is identical to stealing an auth ticket and using it quickly enough that the user doesn't have a chance to generate a new single-use token. This is another issue that has already been acknowledged but not an issue that will be fixed in the updates already on their way.
Am I correct in thinking if you join a server that steals your auth ticket relogging into steam will no longer let them use it?
[QUOTE=Nexus435;24556705]and i will make sure nobody ever pays for it again[/QUOTE]
This better end with a fistfight between Nexus and Avaster on a rainy DarkRP server while lightning flashes in the sky and buildings explode.
Am I the only one who's noticed that this thread has turned into Avaster Chat? Start getting on topic. This is a warning.
[QUOTE=King Flawless;24568406]Am I correct in thinking if you join a server that steals your auth ticket relogging into steam will no longer let them use it?[/QUOTE]
That only worked in v14.
v15 auths have a generation and expiration date that spans approximately a month.
So they can use my SteamID a Month now? ... Oh my.
[QUOTE=Ideal-Hosting;24577113]So they can use my SteamID a Month now? ... Oh my.[/QUOTE]
No, the patches are fixing that. Yes, it will pass initial verification but the backend will now correctly disconnect you.
The backend patch is already live and already breaking serenity. The engine and garrysmod updates will be the final nail in the coffin.
All the idiots who bought serenity are probably crying about this on avasters site
[highlight](User was banned for this post ("Derailing" - grea$emonkey))[/highlight]
Welp I can confirm Serenity 2.5 does not work... Just tested it I'm glad everyone is happy now :D but there will always be hacks :P
[highlight](User was banned for this post ("Derailing" - grea$emonkey))[/highlight]
What do your customers and coders say?
[highlight](User was banned for this post ("Derailing" - grea$emonkey))[/highlight]
Get back on topic.
[QUOTE=q3k;24476174]You are absolutely right. But wouldn't it be better if the exploit was available to everyone, and not just a couple of skiddies who paid for it?[/QUOTE]:cawg:
I can't decide who's dumber: The one who sold it or the one who bought it.
Good to see Valve is finally taking notice. Good job people that helped with that.
snip
Sorry, you need to Log In to post a reply to this thread.
