Jump to content

Somebody is impersonating me in OpenRCT2


Recommended Posts

Posted

Wolf's mod becomes pretty much useless once said impostor starts using a proxy. It's really irritating, I suggest that you track players with a unique ID linked directly to their account that can't be changed. Also you should probably somehow limit the amount of accounts someone can create.

Posted (edited)

Well then its good that I know WolfMod is about to incorporate hardware IDs in it's banning system. And unless you swap hard disks on a regular basis or do changes at the hardware level, I'd say that's almost the perfect parameter to identify a computer uniquely. I say almost, because UUIDs would be better, but this is the second best thing you can ask for. 

Edited by ziscor
Posted

For the umpteenth time, let me repeat: hw guids or uuids are useless in context of openrct2. You can forge anything you send to the server, including said ID. We wanted to implement a centralised authority for accounts, but met with substantial opposition to this idea, which resulted in us reaching for asymmetric cryptography as a way of identifying players.

Please stop throwing such ideas around, they are useless and infeasible.

Posted (edited)

I didn't say that's where main OpenRCT2 development is going. That's simply where wolfreak has decided to go with his fork.  I was replying to the point that WolfMod has become useless because proxies are easy to use for anyone. Hardware ID changing is not as easy as changing the external IP or using a proxy. Even more important is the fact that the external IP changes involuntarily because of the ISP's preferences, and so a ban implemented on one day is useless on the next (if we were to go by IP tracking). It's more about what will be harder to get through. This is only a temporary solution until your method is implemented and you should know this at this point. I would not expect these ideas to be taken seriously by you guys because I clearly know your stance on this issue.

It's always better to protect the hut when the winds are crashing rather than seeing it get blown away and making a better house when the winds are gone.

Edited by ziscor
Posted (edited)

You're missing the point. The server does not know the clients hardware ID unless the client sends that information. Therefore the client does not need to change the ID, just send a different value, and the server has no way to verify that. You cannot trust data that is sent by the client. This is especially true since this is an open source game, which means changing the code is trivially easy, and once one person does that and creates a fork that bypasses this check, the whole system is moot. That's what @janisozauris saying and he's absolutely right. Implementing this sort of check into an open source game is a terrible idea. Even if it was closed source, it would only buy time before somebody figured it out.

IP addresses can't be spoofed because you then wouldn't be able to connect to anything, but you can still get around an IP ban by routing through proxies, and some people have a dynamic IP in the first place so they are not a foolproof solution.

One option would be to make it more difficult to create new accounts - for example, you could make every new account have no build permissions until they've spent x amount of time on the server, require some sort of proof of work for new signups, or requrie an existing account on another website before you can sign up. The problem with any such approach is that it will also create a barrier for people new to the game.

You can, however, prevent people from impersonating another user who has already registered an account. There are various ways of doing that as @janisozaur already mentioned.

 

Edited by X7123M3-256
  • Like 1
Posted (edited)

You're proving my point for me; this is only a temporary solution (one the main develop branch isn't even using I should stress) that's only there before the actual solution can be brought in place. I've already addressed why any current "solution" we have can be worked around but the point still remains that it's not supposed to be permanent. Only the server needs to have a different branch and all clients would be able to come under affect of the modified code (for a non-deviated build). It's meant to be used for those who are willing to get some protection (as short-lived as it may be) from the problems we currently face.

In fact, do you expect 100% of impersonators and griefers to be capable of exploiting/ by-passing such measures? I certainly do not, and most servers would think the same. Again, this is not a permanent solution but only meant to fend off as much trouble as possible before an actual security barrier is in place. I might have said things multiple times, but that's only to stress my point.

I can see one very important use of hardware-ID tracking for now in WolfMod: Auto-grouping. For example, you've got a certain bunch of people who you want to be instant Moderators or Admins when they join forever. Now, the person can't unknowingly change their hardware ID (unlike IP Addresses) unless they are motivated to do so for some reason. This should be great for AFK servers I imagine.

Edited by ziscor
Posted
1 hour ago, ziscor said:

Only the server needs to have a different branch and all clients would be able to come under affect of the modified code (for a non-deviated build).

I'm not sure how that works since your proposal requires clients to send the server information that I'm pretty sure the official build doesn't send. I'll see if I can find this mod you're talking about and see if this is actually what it's doing. Is the mod itself open source or is it only distributed in binary form?

 

1 hour ago, ziscor said:

In fact, do you expect 100% of impersonators and griefers to be capable of exploiting/ by-passing such measures?

Perhaps not 100%, but it only takes one to bypass it and then upload their modified version somewhere. There was a post a while ago where somebody noticed that some of the cheat permissions weren't validated server-side and posted a tutorial to Reddit on how to bypass them.

 

2 hours ago, ziscor said:

I can see one very important use of hardware-ID tracking for now in WolfMod: Auto-grouping. For example, you've got a certain bunch of people who you want to be instant Moderators or Admins when they join forever.

Yep, that would work, but so would a password. My point is that sending hardware IDs can't prevent people from circumventing bans. It could be used as authentication but I still think a password is better, as it would allow people to access the same account from multiple computers, and it can be changed if it gets leaked.

Posted (edited)

Well, WolfMod does not require all clients to be running it to access most features. Only the server host requires to. Gymnasiast is one of those folk who said he knew this was possible before-hand, I think. Anyway, it's not a proposal per se, only what I've seen to be apparently the update to the only solution we've had for a month and a half now (before the long awaited login-system plus the unique server distributed keys proposal, both of which have been in the shipping line for a while now). 

1 hour ago, X7123M3-256 said:

Perhaps not 100%, but it only takes one to bypass it and then upload their modified version somewhere.

Yes, that is very much possible, but the likely hood of that happening aren't very fat. People know about WolfMod but from what I've seen happen on Multiplayer no one is that serious. For it to be a thing of concern, this would have to be treated as a permanent solution (which it's still not supposed to be). People know that a better method is incoming, so no one cares to by-pass this (not so far at least). It's not like this is the main gaming scene where DRMs are by-passed in the same week as a game is released and the copy is distributed through P2P all over the world or anything. This is all hear say, but I do see your point. 

1 hour ago, X7123M3-256 said:

That would work, but so would a password. My point is that sending hardware IDs can't prevent people from circumventing bans. It could be used as authentication but I still think a password is better, as it would allow people to access the same account from multiple computers, and it can be changed if it gets leaked.

Look, I've followed most conversations that have been opened on GitHub about security measures for our Multiplayer. I've seen the faults in IP tracking (and hardware IDs for that matter), the pros in Login systems and I've also read about the unique-key-distribution-to-each-client also. The last two were proposed quite some time ago and while I agree they are rather though out ideas, the thing I see here is that something is better than having nothing for now. I never implied hardware ID tracking is the way we should go. It's only what I think is a decent 'quick' solution, one that's been almost implemented already (hardware ID tracking I mean; IP tracking is already a go), so no idea throwing going on. I'm starting to think my initial post was misread by you two. I can only hope it's not the case anymore.

Edited by ziscor
Posted
1 hour ago, ziscor said:

Well, WolfMod does not require all clients to be running it to access most features. Only the server host requires to. Gymnasiast is one of those folk who said he knew this was possible before-hand, I think

Do you have a link to that comment, because I'm really confused now. I'm assuming this is the mod and commit you're talking about. It implements a function named platform_get_hw_profile which is responsible for returning the hardware IDs. There is no implementation provided for Linux or Mac, only Windows, and that one in turn calls GetCurrentHWProfile(), which is a Windows API function that returns information about the hardware. There is no corresponding function in the main OpenRCT2 develop branch, so I'm assuming this is a function added by the mod, in which case, OpenRCT2 does not send or even collect this information, and WolfMod can only check hardware IDs for clients using WolfMod on Windows (as far as I can tell, it does allow clients using the official build to connect, but it does not check hardware IDs in that case). If I'm incorrect here I'd like to know how it can obtain hardware information without being sent it (unless the official build does send this data after all?).

Posted

I'm sorry but I'm not directly involved with its development. All knowledge I have on hardware ID implementation in WolfMod is rather limited. I can certainly ask wolfreak_99 on his progress and how this feature is supposedly executed. I'll get back to you.

Posted

As part of #3699, user names should now be unique per server. If "john" joins, then another "john" joins, the latter will be assigned "john #2" name by the server. If then "john #2" joins, he will get assigned "john #2 #2" name. If yet another "john" joins, he will be "john #3". You get the idea.

User names are not tied in any way to keys (other than on client side we use this to select which key to use), we do not provide any facility to register user names.

  • Like 1
Posted

You can say what you want about my wolfmod, but heres one thing: I haven't brushed this off like you guys did for a long while. I seen not only myself, but a couple of other people ask about this in the dev chat. every time someone mentioned something about "when is the login system coming in" or something along those lines, some wouldn't even get a reply. Whenever I mentioned it, you guys would brush it off and ask how i'm doing on the whispering system in terms of making it a pull request for openrct, here's how it's going: I haven't even started it. I look at priorities, I don't see many people asking about needing a private messaging system, but i do see however a community frustrated by griefers, impersonators, trolls, and I see many server hosts saying they hated hosting. That they sometimes don't even want to host anymore, and lately i even see the majority of servers password locked. The break servers are down, people are frustrated. I see people mentioning "won't ip tracking work temporarily" (let me spell it out for you, t-e-m-p-o-r-a-r-i-l-y), and you guys mock me and you mock everyone else. You say it's pointless, and that any regular jackoff can bypass a ban. You say that we should wait for a login system that is (or was) supposed to be in 0.0.5. Hell, I also was threatened to be banned (ironically, by the same people that say i can easily bypass a ban) . that's when i said fuck it i'm going to make a seperate fork called WolfMod (name was temporarily because i'm shit with names).. Since then, I've been working on my own mod and it's got to the point i can actually leave it on overnight without it getting trashed like every other server, because some people are able to log in now and immediately get moderator. and while some trolls are able to bypass my ip bans it every now and then, the majority don't know enough knowledge to bypass it. Here's the thing you guys fail to realize: proxys can be banned too, and unless the troll is really bored, they will eventually grow tired of reconfiguring proxies to bypass a ban only to get banned 10 seconds into it again. i've seen it happen on myself back when i trolled transformice with glitches and using hacks on it. proxies are usually slow as fuck, especially the ones that most people find through google. it will lag the game to hell and back. I have been banned from many sites for trolling, my friends used to say i was a master of trolling and that i should write a book on how to do it, so I believe I know how to put myself in a common trolls shoes and figure out how to bypass them. If they're smart enough to know to change their ip, they're probably smart enough to get around any ban system, even the one that janisozaur is working on. though i don't even know if that system will include a banning interface. I know Janisozaur has group permissions inside it, as i've read some of the code, but i didn't see anything offhand about banning, and i don't even know if banning would be allowed in the main game. Intel mentions that grouping would be allowed but he seems to ben against any idea of banning people (which i'm just going to assume that, until i'm proved wrong, that we'll be stuck with the kick button, due to the idea that people can bypass bans with enough effort, so it's not worth having a ban system in at all apparently.). 

I do, however want to set this straight to janisozaur: janisozaur, i will give respect and kudos to you also working out a solution as well. You've done a great job and you've stuck through it, and you look like you do really know what you're talking about with your stuff. I would love to help you out with porting in a banning interface and solution if you would want me to help you with that, feel free to hit me up. if intel is against banning, we could throw this shit into wolfmod because if it has enough of the code to work in the main client and in a mod, i'd be more than happy to help you with making it happen. I already got the majority of a banning system and user interface worked out. I'm still polishing it up as time goes by, but that's because i only have my own thoughts on it, i don't have public feedback to go to. 

Likely, this post will get me banned from ever contributing to the openrct project, but i don't care, i'm not going to watch my shit get mocked without standing up for myself, especially when other people have said that i'm probably one of the best devs on this game (even though i have to clarify that i don't actually associate myself with you guys after you threatened to ban me and that you guys don't want a banning solution), and when one person said that i should be the main networking dev because i seem to care about the community more than the actual devs. while i may or may not agree with these peoples sayings, as i'm just some regular jackoff who sees a chance to throw in some shit that could benefit a server and the players on it. the thoughts should at least show something. 

Posted

There are so many things wrong with your post, it's hard to say where to begin.

First, the allegations towards us. Contrary to what you said: we haven't threatened banning you. In fact, we have been very permissive, choosing to ignore many bad aspects of your behaviour rather than banning you for it. Also: we haven't brushed you or anyone off: we simply want to implement things properly, and we have made it very clear from the start that multiplayer is not anywhere near release quality. You keep accusing us of all kinds of things, we have ignored it so far but our patience is running out. Most projects would probably have banned you a long time ago. Despite all our patience, you keep putting up a bad attitude.

Then, about your code quality: it's not as good as you, or the people that say you're one of the best devs, think. Far from it. Anyone calling you one of the best devs clearly hasn't seen your code or doesn't know much about programming. We have offered you numerous times to look into it together, but you even refuse putting features into separate branches and opening PRs for them. And then you have the guts to complain we don't accept your features in the game. How are we supposed to do so if you flat out refuse to cooperate?

In short, you have a bad attitude, you refuse to cooperate and you vastly overestimate your own contributions, but somehow it's all our fault. You're playing the victim here. This will get you nowhere, not on the internet and not in real life. Cut it out.

Posted
12 hours ago, wolfreak_99 said:

I seen not only myself, but a couple of other people ask about this in the dev chat. every time someone mentioned something about "when is the login system coming in" or something along those lines, some wouldn't even get a reply.

There aren't always people around to answer questions, and I haven't seen any unanswered questions myself. I'm active in the chat, and hate seeing people being ignored, we're only people, and we're doing this in our spare time. Not every developer works with networking, I for one don't know much about it at all. I'm very interested in seeing how the developments are going though. Don't expect us to rush things off. We take the grieving very serious too.

12 hours ago, wolfreak_99 said:

Hell, I also was threatened to be banned (ironically, by the same people that say i can easily bypass a ban) .

That was because of your behaviour in the chat. We told you our reasons, and you kept on pushing. They meant banning you from the chat, which is not as easy to bypass.

12 hours ago, wolfreak_99 said:

I see people mentioning "won't ip tracking work temporarily" (let me spell it out for you, t-e-m-p-o-r-a-r-i-l-y), and you guys mock me and you mock everyone else. You say it's pointless, and that any regular jackoff can bypass a ban.

This has been discussed with you countless times. You fail to see our point and are only complaining about it. The ones saying so have been permissive to you instead, and yet you continue complaining.

12 hours ago, wolfreak_99 said:

I have been banned from many sites for trolling

Is that a good thing?

The system janisozaur is working on is pretty secure. New users don't have rights. Trolls will need to behave properly before being given access by the host, mislead their trust, and then when given permissions they can finally do things. With the new system, hosts don't have to remember who can be trusted or not, someone that had been given build rights will keep it, even when rejoining. Their names also don't matter anymore.

 

12 hours ago, wolfreak_99 said:

other people have said that i'm probably one of the best devs on this game

Cooool!

 

Again, just to clarify: OpenRCT2 is a project made by developers for fun, we're not a company or highly organized group. We're just working on whatever we feel like, with of course the user always in mind. That does not mean we're ignore grievers. We take issues seriously. Not every developer knows how the networking works, and wants to work on it. And most of all, be patient.

Posted (edited)
13 hours ago, wolfreak_99 said:

I have been banned from many sites for trolling, my friends used to say i was a master of trolling and that i should write a book on how to do it, so I believe I know how to put myself in a common trolls shoes and figure out how to bypass them.

@Broxzier is it bad that I saw it as a good thing? He doesn't troll any more. Luke 15:7 tells us: "I tell you that in the same way there will be more rejoicing in heaven over one sinner who repents that over ninety-nine righteous persons who do not need to repent." (NIV)

Edited by YoloSweggLord
Posted (edited)
27 minutes ago, YoloSweggLord said:

@Broxzier is it bad that I saw it as a good thing? He doesn't troll any more.

Accusing us of things we haven't done, seeing everything as a personal attack, refusing to cooperate, being egocentric and playing the victim are all very troll-like behaviour. I wonder if wolfreak has ever asked himself why he has been banned so often and if that wasn't down to his behaviour.

Edited by Gymnasiast
Posted

Im not saying everything he did is right, I'm just saying that I don't find it as such a bad thing. He used to troll, but he has changed. He even uses his knowledge of trolling to work toward what he thinks is right.

Posted
1 hour ago, YoloSweggLord said:

He used to troll, but he has changed. He even uses his knowledge of trolling to work toward what he thinks is right.

Perhaps he has changed, but it doesn't look like he has matured enough. Instead of accepting some criticism and dealing with it, he accused us of mocking him. From my own experience I know the developers are helpful people, willing to guide anyone step-by-step when needed. They have been very patient with Wolfreak while trying to guide him and letting him know how to contribute to the project. Instead Wolfreak decided ignore all advice, continued to work his own way, making changes to his fork that cannot be merged as is (and wouldn't be merged because of poor quality anyway). Would he have made a pull request and listened to our feedback, his changes would perhaps already been included in the game.

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...