When you make a character system in Garrys Mod based off popular MMOs, with HTML image support (these are all gifs lmao)
[IMG]https://steamuserimages-a.akamaihd.net/ugc/849346783103451474/67868381FDE2BDABB0C394DFF812AD5E36602F9D/[/IMG]
(This is just an old snippet of the addon, but it's pretty cool I must say)
[QUOTE=JacobsReturn;52606940]gif[/QUOTE]
Must ask, how was the performance using that many HTML materials? I'd imagine that gifs could destroy performance.
Also, it is your* not. (Time Master) - Sorry, had to :)
[QUOTE=!cake;52606905]I'm making a noncompliant SVG renderer[/QUOTE]
Really nice! How is the performance?
[QUOTE=Kamshak;52607641]Really nice! How is the performance?[/QUOTE]
Really bad (4 ms). I haven't tried making it fast yet.
[LUA]
function checkForBackdoors()
local directoryName = "backdoorscan" -- rename this to something to prevent maliscious bad peepz
-- start --
local tableOfAllConsoleCommands = concommand.GetTable()
local whitelistCreated = file.Exists( directoryName.."/whitelistedcommands.txt", "DATA")
local defaultCommandsToBeWhiteListed = ""
local commandsThatArePhishy = {}
local commandsThatRequireWhitelisting = {}
if !(file.IsDir(directoryName) then
file.CreateDir(directoryName)
end
if !(whitelistCreated) then
file.Write(directoryName.."/whitelistedcommands.txt", defaultCommandsToBeWhiteListed)
end
local whitelistedCommands = util.JSONtoTable( file.Read( directoryName.."/whitelistedcommands.txt", "DATA") )
for _,v in pairs( tableOfAllConsoleCommands ) do
if !(table.hasValue()) then
-- not whitelisted
concommand.Remove( v )
table.insert( commandsThatArePhishy, v )
end
end
-- we've got a list of all the commands we aren't sure about
-- implement a derma menu here
for _,v in pairs( commandsThatRequireWhitelisting ) do
table.insert( whitelistedCommands, v )
end
file.Delete( directoryName.."/whitelistedcommands.txt" )
file.Write( directoryName.."/whitelistedcommands.txt", util.TableToJSON(whitelistedCommands))
end
[/LUA]
Making a simple - skid tier concommand.Add backdoor stopper. In an effort to curb some backdoors.
Need ideas for:
1) What to hook this to - it should be run often because workshop addons update.
2) Implementation idea for derma menu
3) anything else
-snip-
I got some inspiration today, so I decided to make a plugin that integrates
Discord into gmod
[video=youtube;zyGlh0H9VBA]http://www.youtube.com/watch?v=zyGlh0H9VBA[/video]
[QUOTE=Pigsy;52569471]Ignore mouse detection, I know it's off but it's still WIP
[video=youtube;LwIIIlaBlZA]http://www.youtube.com/watch?v=LwIIIlaBlZA[/video][/QUOTE]
[video=youtube;mZrcL3iib6U]https://www.youtube.com/watch?v=mZrcL3iib6U[/video]
:suicide:
[QUOTE=Yashirmare;52610135][video=youtube;mZrcL3iib6U]https://www.youtube.com/watch?v=mZrcL3iib6U[/video][/QUOTE]
You should probably check your microphone for lost bees
[QUOTE=!cake;52606905]I'm making a noncompliant SVG renderer[/QUOTE]
What parts of it will be noncompliant? What features are you gonna ignore? That looks really accurate so far.
[b]3[/b]
[QUOTE=zeaga;52610164]You should probably check your microphone for lost bees[/QUOTE]
You know damn well I got a new one 2 weeks ago.
[QUOTE=Moat;52610244]don't mount addons you don't trust, use [URL="https://maurits.tv/data/garrysmod/gmadownloader.html"]this[/URL] for easy extraction and you won't have to worry
98[/QUOTE]
Sorry, the specific idea was to prevent registration of concommands without *some* kind of verification - in an effort to stop really simplistic backdoors. Shouldn't be a question of what addons I trust because in reality I shouldn't *trust* any addon by default surely?
[QUOTE=Milkshaker;52611534]Sorry, the specific idea was to prevent registration of concommands without *some* kind of verification - in an effort to stop really simplistic backdoors. Shouldn't be a question of what addons I trust because in reality I shouldn't *trust* any addon by default surely?[/QUOTE]
I'd say you shouldn't install any addon you don't trust.
:toot:
Edit: well this is awkward. Maybe 2001?
Edit: nope! just takes a while apparently! :toot:
[QUOTE=NeatNit;52611551]I'd say you shouldn't install any addon you don't trust.
:toot:
Edit: well this is awkward. Maybe 2001?
Edit: nope! just takes a while apparently! :toot:[/QUOTE]
It really isn't all it's cracked up to be :v:
[QUOTE=code_gs;52611684]It really isn't all it's cracked up to be :v:[/QUOTE]
I know it isn't, but it's still neat :D
[QUOTE=NeatNit;52611551]I'd say you shouldn't install any addon you don't trust.
:toot:
Edit: well this is awkward. Maybe 2001?
Edit: nope! just takes a while apparently! :toot:[/QUOTE]
Scenario: Workshop autoupdate of an addon. Necessary because security updates require deployment fast but also means that you can't trust addons fully because that deployment can have a backdoor.
My only question is why not make that security hole a little bit more difficult to exploit? (Didn't that exact thing happen with 3D2D Text at one point)
[QUOTE=Moat;52612747]After analyzing 100 random backdoors found on the workshop, omitting maps, [URL="https://imgur.com/yX9hWZw"]less than 20% use console commands[/URL] to run another command (usually ULX set group), and only a few utilize it to run string. Making a script that whitelists console commands is ultimately a white elephant. Especially since you just posted your code publicly, what if the author of the backdoor integrates their command to your text file of whitelisted commands? If you're not going to extract the addons yourself, which eliminates the chance of a backdoor on your server by 100% after you look through everything, then I recommend creating a script that loops over every player every 15-30 secs or so and checks if they're superadmin and in a defined local table of whitelisted SteamID's for superadmin. That is the best lazy solution to preventing people from utilizing a backdoor in my eyes. That way, if someone does backdoor an addon on your server and transpires to abuse it, albeit the likelihood of that happening is profoundly slim, you will have [I]at least some[/I] sort of protection where you can automatically ban them and their IP.[/QUOTE]
Why not both? You can't auto append to the whitelisted cmds file because it's contained within a folder with a variable it can't access with its name. 19% of backdoors being prevented a little bit more seems like a win. The idea isn't to completely eliminate backdoors - you still exercise same level of care but it makes it more difficult to compromise a server. We can do a similar system for http library calls - possibly. We can hook into admin system and relevant commands and create a whitelisted SteamID set for root-tier access that ULX itself can't mess around with. Not to mention those http calls might be registering console commands but even supposing - the third most common method of backdooring being reduced seems like a good idea?
The idea being that actually extracting an addon and reading through the hundreds of files in Wiremod is not a feasible expectation for users. Reading through 100-200 console commands that it registers + having monitoring of user access would be much safer because in reality I sincerely doubt every owner has read through the entire structure of Wiremod.
[editline]25th August 2017[/editline]
I just think the model you present has unfair presumptions and expectations of *every* GMod user.
[QUOTE=Milkshaker;52613171]Why not both? You can't auto append to the whitelisted cmds file because it's contained within a folder with a variable it can't access with its name. 19% of backdoors being prevented a little bit more seems like a win. The idea isn't to completely eliminate backdoors - you still exercise same level of care but it makes it more difficult to compromise a server. We can do a similar system for http library calls - possibly. We can hook into admin system and relevant commands and create a whitelisted SteamID set for root-tier access that ULX itself can't mess around with. Not to mention those http calls might be registering console commands but even supposing - the third most common method of backdooring being reduced seems like a good idea?
The idea being that actually extracting an addon and reading through the hundreds of files in Wiremod is not a feasible expectation for users. Reading through 100-200 console commands that it registers + having monitoring of user access would be much safer because in reality I sincerely doubt every owner has read through the entire structure of Wiremod.
[editline]25th August 2017[/editline]
I just think the model you present has unfair presumptions and expectations of *every* GMod user.[/QUOTE]
Maybe if you're too lazy to check every add-on then you shouldn't be allowed to run a server and complain when it gets backdoored. It's really just natural selection for server owners
Yeah, making servers are for big servers men, please stay out of the business since fuck this, this is not a game for kids
It's pretty sad the argument "is your fault that I've introduced backdoors in your server"
[QUOTE=gonzalolog;52614109]Yeah, making servers are for big servers men, please stay out of the business since fuck this, this is not a game for kids
It's pretty sad the argument "is your fault that I've introduced backdoors in your server"[/QUOTE]
thats not the argument hes making.
hes saying dont bitch when ur shit gets backdoored when you didn't bother checking if it's trustworthy. i completely agree with him lol
[QUOTE=gonzalolog;52614109]Yeah, making servers are for big servers men, please stay out of the business since fuck this, this is not a game for kids
It's pretty sad the argument "is your fault that I've introduced backdoors in your server"[/QUOTE]
We shouldn't be having this conversation in the first place. People don't get banned from the workshop and the moderation is next to none. If you want to stop backdoors then you have to inform the public. It's facepunch's fault that no one moderates the workshop, and that there are no bans.
I don't really get what your point is, if the workshop has no moderation then it's YOUR responsibility to check shit. I know it's sad for kids and bad people, but that's how it is atm.
[QUOTE=bobbleheadbob;52612579][video=youtube;f91Y_vXoLic]http://www.youtube.com/watch?v=f91Y_vXoLic[/video][/QUOTE]
Bombard! The castle walls! I loved this map/game since Sassilization was alive! Great work making me relive old times on Sassilization.
Bobbleheadbob, you amaze me. :V
[QUOTE=Kevlon;52613448]Maybe if you're too lazy to check every add-on then you shouldn't be allowed to run a server and complain when it gets backdoored. It's really just natural selection for server owners[/QUOTE]
Substitute "add-on" with any other piece of (open source) software one may be running to find out that it's principally unreasonable. The code corpus is huge. Even the most obvious backdoors are somewhere among tens of thousands lines of code at [I]least[/I]. Also, unlike many of the obvious backdoors posted on the forum, backdoors can be really well hidden, and could require a thorough audit to find. Finding good backdoors requires more than just simple programming skills as well.
In other news, are you running glualint? Did you audit the code looking for backdoors? Please read my glorious Haskell code.
[QUOTE=Kevlon;52613448]Maybe if you're too lazy to check every add-on then you shouldn't be allowed to run a server and complain when it gets backdoored. It's really just natural selection for server owners[/QUOTE]
It's not in any way a case of being too lazy. Take a pretty stupidly common addon like M9K with literally hundreds of files embedded in multiple directories. It is [B]unreasonable[/B] i.e. we shouldn't have to expect [B]every[/B] user to have to read through [B]every[/B] character of it. Yes, it's a good and preventative measure and should be done for every update - the reality is it isn't. Even small addons like cac-administration with 1200 lines of script or there abouts the likelihood is that a small backdoor designed to conceal into the line anyway would be easily missed by somebody.
The proposal is not that people shouldn't read through code - they still should if they do and that is still something which is encouraged more.
It is however instead that there is a backup for when a user inevitably misses something or for when workshop addons autoupdate.
The actual argument you have to make and the one I fail to understand is why fundamentally having a 'whitelisted' command set would decrease server security.
Its unreasonable to think that you can create an anti-backdoor when Garry's Mod, Source and Lua have no concept of a backdoor on their own. They have noway of knowing if code is malicious or not until it gets run which is why its going to be more or less impossible for you to make one yourself. In order for this to work you would need to setup an environment where you can un-execute code. That way, if I was to write something that changed _G to nil you could undo that and return _G to the correct Lua table in memory.
Theres an understanding among people who try to write anti cheats and really any security software and its that no matter how good you think your security is, there is someone who can get past it.
Everyone else is on the right, its improbable that you will be able to make any kind of meaningful or even working anti-backdoor script.
[QUOTE=G4MB!T;52614966]Its unreasonable to think that you can create an anti-backdoor when Garry's Mod, Source and Lua have no concept of a backdoor on their own. They have noway of knowing if code is malicious or not until it gets run which is why its going to be more or less impossible for you to make one yourself. In order for this to work you would need to setup an environment where you can un-execute code. That way, if I was to write something that changed _G to nil you could undo that and return _G to the correct Lua table in memory.
Theres an understanding among people who try to write anti cheats and really any security software and its that no matter how good you think your security is, there is someone who can get past it.
Everyone else is on the right, its improbable that you will be able to make any kind of meaningful or even working anti-backdoor script.[/QUOTE]
I feel like there's a misunderstanding. It isn't about solving backdoors. It's about creating the optimum environment for users to realise that there is a backdoor or that an addon is backdoored - or to minimise the effects of that backdoor.
I.e. we aren't checking the outcomes of a console command programatically - we simply alert the user to the console commands being registered by addons, he still has to do work in checking those console commands but it summarises the thousands of lines into maybe a hundred. We can check the outcomes programatically in a simple fashion by using an inaccessible whitelist of SteamIDs who can use root-tier commands/hold root access and checking that periodically.
The idea isn't to solve the security problem - it's simply realising what we have right now is inadequate and there needs to be a discussion about how to improve it.
We're cramming up WAYWO - I've put a thread at [url]https://facepunch.com/showthread.php?t=1576492[/url]
First thing I started ages ago, but have just come back to the project as I never finished it and still have quite a lot to do.
[video=youtube;P2gb3Dmr1K8]https://www.youtube.com/watch?v=P2gb3Dmr1K8[/video]
Second thing is something I started not so long ago and only really got around to finishing the UI.
[video=youtube;KC1h562Tzqg]https://www.youtube.com/watch?v=KC1h562Tzqg[/video]
I made a thing to replace `net.Read/WriteTable` and its actually better (size wise). Heres my test sample:
[code]
net.RegisterStructure("my_struct_weps", {
name = STRUCTURE_STRING,
ammo = STRUCTURE_NUMBER
})
net.RegisterStructure("my_struct", {
name = STRUCTURE_STRING,
gender = STRUCTURE_UINT8,
items = {"my_struct_weps"} -- denotes that `items` is a sequential array of the "my_struct_weps" structure
})
if (SERVER) then
util.AddNetworkString("my_struct_nws")
util.AddNetworkString("my_struct_nws_tbl")
function netStructureTest(ply)
net.Start("my_struct_nws")
net.WriteStructure("my_struct", {
name = "Gambit",
gender = 1,
items = {
{
name = "pistol",
ammo = 10
}
},
foo = 1337 -- Ignored since my_struct doesnt define a "foo" field
})
net.Send(ply)
net.Start("my_struct_nws_tbl")
net.WriteTable({
name = "Gambit",
gender = 1,
items = {
{
name = "pistol",
ammo = 10
}
},
})
net.Send(ply)
end
else
net.Receive("my_struct_nws", function(l)
print("net.ReadStructure", l)
PrintTable(net.ReadStructure("my_struct"))
end)
net.Receive("my_struct_nws_tbl", function(l)
print("net.ReadTable", l)
PrintTable(net.ReadTable())
end)
end
[/code]
And heres some results for you nignogs:
[code]
net.ReadStructure 216
gender = 1
items:
1:
ammo = 10
name = pistol
name = Gambit
net.ReadTable 648
gender = 1
items:
1:
ammo = 10
name = pistol
name = Gambit
[/code]
It supports string, vector, angle, color, entity, bit, number and sized numbers (signed, unsigned, 8, 16 and 32 which are all range checked, so no wrapping).
You can create your own "structures" which will be enforced when sending tables with that structure name.
Sorry, you need to Log In to post a reply to this thread.
