[MUD-Dev] Quake II has gone GPL

Daniel.Harman at barclayscapital.com
Wed Jan 23 11:28:37 CET 2002


Travis Nixon [mailto:tnixon at avalanchesoftware.com]
> From: "Vincent Archer" <archer at frmug.org>
 
>> Those two examples show why "the character is on the server,
>> there's not much players can do" isn't exactly right. There's a
>> lot of cheating that can go in the client.
 
> Yes, but both these examples of client side cheating (trading
> items that weren't meant to be traded and moving faster than was
> intended) were because they violated the prime law of online
> games.
 
> Never trust the client.
 
> They took shortcuts without considering the consequences of those
> shortcuts.
 
> And thank you for the two fine examples of why "security through
> obscurity" doesn't work.  :)

Well, I disagree on this. The trading of no drops was inadequate
thinking on their part, but it was more involved than Vincent
described (and thus it's easier to see why it slipped through the
net). For those who care, the way it worked was as follows:

  a) Droppable bags become nodrop when they have a nodrop item in
  them. So put your no drop item in one.

  b) Hack the client memory to mark the bag as droppable (even
  though currently it isn't).

  c) Trade the bag with the no drop item in it.

I don't know about you, but this is exactly the kind of error that I
imagine can slip through the net however careful you are. Even if
they did server side checking, the naive approach would be to check
whether the bag itself was natively no drop (which I believe they
did).

As to the movement issue, there is no way that you can keep a game
responsive, whilst authenticating every client movement with the
current state of the Internet. AO had a go at it and it was like ice
skating attached to a bungee.

Sometimes you can't make things secure, and in that case obscurity
beats showing everyone the source!

Dan
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev
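
The bag case from the message above, as an added example that is not part of the original post or any game's code: a server-side trade check that looks only at the bag's native flag, next to one that derives no-drop status from the contents and ignores whatever the client claims. All names (`Item`, `server_can_trade`, the sample inventory) are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Item:
    name: str
    no_drop: bool = False                      # native flag, held server-side
    contents: list[Item] = field(default_factory=list)


def naive_can_trade(item: Item) -> bool:
    """The check the post calls naive: only the bag's own native flag."""
    return not item.no_drop


def effectively_no_drop(item: Item) -> bool:
    """No-drop if the item itself, or anything nested inside it, is no-drop."""
    return item.no_drop or any(effectively_no_drop(c) for c in item.contents)


def server_can_trade(inventory: dict[int, Item], item_id: int,
                     client_claims_droppable: bool) -> bool:
    """Authoritative check: client_claims_droppable is deliberately ignored."""
    item = inventory.get(item_id)
    if item is None:                           # client named an item it does not own
        return False
    return not effectively_no_drop(item)


# Constructed sample inventory (not data from any real game).
INVENTORY = {
    1: Item("empty bag"),
    2: Item("bag", contents=[Item("quest sword", no_drop=True)]),
    3: Item("bag", contents=[Item("pouch", contents=[Item("relic", no_drop=True)])]),
}

if __name__ == "__main__":
    # Columns: item id, naive result, authoritative result.
    for item_id, item in INVENTORY.items():
        print(item_id, naive_can_trade(item), server_can_trade(INVENTORY, item_id, True))
```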