[ANY] Smacbans 0.2.0 (Updated 2013/05/13) - Page 6

asherkin · 05-07-2013 , 19:50 Re: [ANY] Smacbans 0.1.9

I've cleaned up this thread extensively, continue down that path yet again, and I'm just going to ban everyone involved. It's so hostile to our community that we're not going to tolerate it in the slightest.

HSFighter · *Last edited by HSFighter; 05-15-2013 at 16:25.*

Smacbans v0.2.0 is ready to use

In v0.2.0 is a new forward: "Smacbans_OnSteamIDCheck" aviable.
This make it no longer necessary to create a duplicate plugin to add new futures.

Informations to all forwards: https://github.com/Impact123/SmacBans-Block#forwards

Changelog:

Code:

# 13.05.2013 
# Version: 0.2.0    

- Include    
     - Changed all string parameters to const string    
     - Forward Smacbans_OnSteamIDCheck added    
     - Missing bool tags to SmacbansIsClientUsable and SmacbansIsClientUsableAuth added    

- Plugin    
     - Removed support for beta updates    
     - Forward Smacbans_OnSteamIDCheck added

Download can be found in the first post.

N-Joy

Smarmy · 05-15-2013 , 13:49 Re: [ANY] Smacbans 0.2.0 (Updated 2012/05/13)

Just thought I'd point out that you put 2012 in the thread title.

HSFighter · 05-15-2013 , 18:21 Re: [ANY] Smacbans 0.2.0 (Updated 2013/05/13)

Damn copy paste!

Thx & Fixed ;)

Mathias. · *Last edited by Mathias.; 05-16-2013 at 00:56.*

Hum, not sure if it the perfect solution but there a way to be able to make every bans from every communities from smac to actualy be added in your global ban list without being exploitable. But this will requiert a core modification in SMAC itself which you could ask for it.

Create a socket with a authentification md5 of the .smx file itself to your socket server? If the file = your add the ban, if the file != your just ignore or ip ban?

MD5 Extension: http://forums.alliedmods.net/showthread.php?t=145883
OR
MD5 Sourcepawn: http://forums.alliedmods.net/showthread.php?t=67683

Recommend you the extension since it not supose to break by updates, it have the file function which you won't have to make yourself in sourcepawn and it supose to be faster.

EDIT: Hum after thinking about it maybe it just better with a custom password, hardcoding it and not show it on the release .sp file since anyone could decide to just MD5 your file and it give them the raw password...

asherkin · 05-16-2013 , 01:00 Re: [ANY] Smacbans 0.2.0 (Updated 2013/05/13)

Quote:

Originally Posted by Black-Rabbit

EDIT: Hum after thinking about it maybe it just better with a custom password, hardcoding it and not show it on the release .sp file since anyone could decide to just MD5 your file and it give them the raw password...

This would be a breach of the SourceMod license, SourcePawn plugins are also trivial to decompile.

There is no way you can authenticate a ban "from the wild".

Mathias. · *Last edited by Mathias.; 05-16-2013 at 01:19.*

As far as I know, back in the time, KAC hide is MySQL information but release the rest so no one will have access to it. We talking about hiding 1 string from the code for a security purpose and even if they decompile, they should not be able to see the MD5 hash hardcoded password, isnt right?

HSFighter · *Last edited by HSFighter; 05-16-2013 at 03:22.*

We are always happy to hear about new idea's to make our service safer. Thx

// Edit:
At the beginning of the project we had a long discussion as we can make a import as safe as possible.

If a server admin has extrem truly evil intentions he takes the player and trigger a *legitimate* smacban.
Also a closed save import would be bypassing with this.

Of course we also have a lot security mechanisms to verify bans. ;D

The latest at a banprotest will put out if was cheated by a SteamID. (This procedure is public)

No system is 100% secure.
Even a private banlist are not 100% secure if there are lot of admins some have access to add bans.

For exceptions: A serveradmin can code a whitelist and a protestboard is aslo aviable to handle bans from our banlist;)

In my view: There are many more positive than negative arguments to use our service ^^

-

Impact123 · *Last edited by Impact123; 05-16-2013 at 02:56.*

The thing is, you don't even need access to the sourcecode.
I don't want to go into details, but you can fake a cheat on players with a plugin and trigger a ban via smac that way.

Yours sincerely
Impact

prom3th3an · 05-16-2013 , 03:18 Re: [ANY] Smacbans 0.2.0 (Updated 2013/05/13)

Quote:

Originally Posted by Black-Rabbit

As far as I know, back in the time, KAC hide is MySQL information but release the rest so no one will have access to it. We talking about hiding 1 string from the code for a security purpose and even if they decompile, they should not be able to see the MD5 hash hardcoded password, isnt right?

Releasing a source which is different to the binary is a violation of the Sourcemod License. It doesn't matter how different it is or for what reason it is different. The fact that you are suggesting this portrays a vast ignorance of open source projects such as these. Not only would it trash SMACBans reputation but it would also result in Allied Modders blacklisting the SMACBans plugin in Sourcemod due to violation of license.

Quote:

Originally Posted by HSFighter

Of course we also have a lot security mechanisms to verify bans. ;D

Could you be so kind as to enlighten us as to what measures you take to ensure all bans are valid instead of making broad statements? The only one which you have discussed this far is your personal trust of the communities involved (which are not explicitly named anywhere as far as I can tell) however this can only be interpreted as a relaxed attitude to the obvious potential for abuse. I'm sure this is a matter of public interest and would help address the many (valid) concerns that I and others have about SMACBans and the role in the community it is attempting to take.

Quote:

Originally Posted by HSFighter

For exceptions, a serveradmin can code a whitelist and a protestboard is aslo aviable ;)

Wouldn't it make for better public relations to provide the whitelist functionality built into the plugin so that you could empower server owners to make the decisions they wish to make? Further more even making it so that a server owner can pick and choose which "partner" communities they trust as sources for SMACBans? The fact that SMACBans' public pages do not provide the name of the community (or server) that the player was banned by raises some concerns over liability and chain of trust. Could you look at adding this kind of information to the site?

I'm also concerned of your bi-polar attitude to the potential for faked SMACBans, On the OP and the SMACBans.com website you are implacably opposed to any suggestion that a SMACBan can be faked and yet in your most recent discussion posts you accept it is possible. I feel like I'm in a Taylor Swift album. One minute she loves the guy next minute she hates him. Could you please clarify that there is a potential (doesn't matter how likely) that a trusted community could abuse it's involvement in the SMACBans.com website in a way which might result in innocent players being banned?

I hope that with your response I can have a greater understanding of how SMACBans operates and also continue a constructive discussion on improvements that can be made to it.

Note: Post #70 was edited by the original author after this response was posted.