Up2nOgOoD[ROCK]: I've copy/pasted Quake Unreal's thread into a private message to him (and saved a copy on my computer if he didn't receive it) with a message urging him to repost this topic. I apologize for hetman and I that we hijacked your thread.

While it is a fact that EzQuake is currently the allowed client in most (if not all) Quake leagues, it is simply not because of the security module. IT is because there is no popular alternative. Furthermore and in addition to, a security module does not, in fact, provide any security; conversely and paradoxically, it poses a false sense of security for both the league administrators and the players. There have been (and will be, I can assure you) numerous players who cheat in tournament matches but pass all security measures put forth by EzQuake (and FuhQuake) with flying colors. It is simply unreliable and, if anything, makes hackers HARDER to catch.

How does it make hackers harder to weed out? By creating a false sense of security. If Player_hacker_A passes all security tests, then Clan_B will incorrectly dismiss Player_hacker_A's increased aim and movement to skill. No investigation will take place. Without a security module, people would investigate Player_hacker_A more and he will come under closer examination - increasing the chances of validating his authenticity. You can argue that more (innocent) players would be termed as hackers or cheaters without security module. Let me prevent this by a fact: many people consider today's top dm'ers as cheaters - even though they pass security measures.

For this reason, the developers at FTE have justly developed a strong hatred towards the security module. The reason why the dll is still in use is because many people (you) spread false rumors and praise the security module as something that is so great and wonderful. In reality, it hurts the community.

Please take what I said into consideration. I am not arguing that FTE is a better client than EzQuake, nor the other way around. I am simply stating that the community should open its eyes and understand the truth behind the security module. A better system MUST be implemented. I frequently use both clients and I am a fan of both (giving both developers feature suggestions and bug reports). So, Hetman (AKA Shaman, creator and founder of EzQuake), let me stop you here before you reply that my post is fueled by our history or your involvement with EzQuake. My post is feuled by Quake's best interest in mind.

If you are reading this and don't believe that the Fuh/Ez security modules can be hacked while still passing the test, I will post further proof (screenshots only since I would rather not spread a cheaty client).

To quote you, "Wake up, Hetman! "

My long-time friend and companion, Shaman:

>>"Despite your obvious prejudice that I will not take the message seriously or shall blindly defend the client I have started, it is my serious concern."

I thought I already addressed this, but if you want we can go over this again. I am NOT prejudice against ezQuake. I do NOT hate, despise, or even dislike ezQuake. I DO use ezQuake on a frequent basis. I DO have a good relationship with its two most active developers, Johnny_Cz and Disconn3ct. I DO recommend features to the aforementioned developers. I DO recommend bugfixes to the aforementioned developers. Once again, I do NOT post this in despite you. I DO respect you for the things you have done for the community. I do NOT hate you. I am NOT posting this to enrage you. I AM keeping Quake's interests in mind.

>>>"sound idea, all the code that one human has written, can be hacked by another clever human. Sometimes it takes little time, sometimes more."

Yes, you are right. This is what I am addressing. You may not realize this because you have a wide variety and many years of experience with computers and computer logic (I have read your CV), but many people do not understand that the security.dll could be hacked.

>>>"Therefore I challenge you, Up2nOgOoD[ROCK], to produce any reliable evidence (a build) against ezQuake. And if you do not, I hope you will have the decency to clear its name with the same publicity with which you now have besmirched it."

Judging by that quote, you are one of them. I will not spend my time contemplating how this is possible.

>>>"I hope you will have the decency to clear its name with the same publicity with which you now have besmirched it."

Have you read my post in its entirety or have you skimmed it? Please read the bottom. especially this:

"Please take what I said into consideration. I am not arguing that FTE is a better client than EzQuake, nor the other way around. I am simply stating that the community should open its eyes and understand the truth behind the security module."

I posted that in case your eyes wandered from the truth. I never said anything to tarnish ezQuake's name, therefore I have nothing to apologize for nor do I have anything to regret from my post.

>>>"Therefore I challenge you, Up2nOgOoD[ROCK], to produce any reliable evidence (a build) against ezQuake."

Alright. I'll have this for you. I will post the latest build of ezQuake that came with security.dll with the cl_NotSoSecure command. Please allow around seven days as I come off Spring Break Monday and will be returning to college.

Note: I incorrectly wrote EzQuake instead of "ezQuake" in my previous reply.

Yes, I'm sure all those who don't understand it thinks it is a good idea


What you are suggesting is illegal.


Say, would an obviously cheating client which you or anyone can come on a server and "authenticate" be good enough?

And thus I would break the GPL if whoever I sent it to requested the source code and I didn't provide it.


OK, so be it.


Who the hell is Hexum?


You're new here, right?

Dunno how relilable you consider screenshots to be, but several persons validated it themselves with me cheating on a server...

http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_1.jpeg
http://bigfoot.morphos-team.net/test/fuhquake_has_no_security_2.jpeg

This was done almost a year ago

http://bigfoot.morphos-team.net/test/ezcrack.qwd
http://bigfoot.morphos-team.net/test/ezquake_has_no_security_1.png
http://bigfoot.morphos-team.net/test/ezquake_has_no_security_2.png


Well, there you go, a demo as well.


Well, IRC, as you see

Otherwise, whenever someone has claimed that Fuhquake was secure.

Demo was the quickest to do, but as we agreed on earlier, we can find a public server where I'll give you a good zapping on povdmm4 and then you can validate how secure my client is

And no, I will provide no binaries to anyone. If you even after a public demonstration will refuse to believe it, so be it.

muhahaha
some people just won't budge i guess

Rght, so you keep demanding more and more. I offer you the perfect proof, I go on a server with you, get 90% lg against you on povdmm4, and you can f_version and do what you want, you agree... And then when I post a demo and screenshots, you suddenly want something else. Well, why not. People with religious beliefs are usually quite hard to convince.


If he is smart, he doesn't, but up to him.

You have plenty of proof waiting for you to work with, come pick it up.

I asked you if a public demonstration was good enough, you agreed, then later you refused. Whatever


That's OK, anyone else can see it too. Vleesch just saw it. I'll happily demonstrate it to anyone else as well. I don't need you to believe that the model is flawed, but if at least the common QW player finds out that the "security" model is flawed, maybe something will be done about it.

BTW, clients and proxies which can connect over TCP do exist. Try it some time

SSH+port forwarding even makes it stupidly easy


True, it was just an appetiser till you come and see it with your own eyes.


Lazyness is a quite good option as well. But as I said, people with religious beliefs are hard to convince. The proof is there for you to see, that you choose to look the other way is not my problem, really.

Yeah, that would be awesome, we'd end up like the CS community with everyone accusing everyone else of being a cheat.

The situation we have now is not ideal but it is the best available solution.

so hetman, you aren't convinced until you've got the binaries and checked them yourself? when a person(bigfoot) is putting this amount of efforts in it trying to convince you, giving you different examples of proof and so on, i think you may assume that he's true. why would he do this to prove something thats just untrue?

bigfoot showed me, and another player, that his modified client just validates and passes all those checks. this client also gave gim 90% lg.

Don't the CRC values have to be identical for it to truly pass validation?

Nah, that would kinda defeat the purpose. If the same reespons was all that was needed, it would be even easier to claim to be a "secure" client. This way each client emits a different checksum, which includes things such as the player's name etc, which the other clients can then "verify".

Try /auth_viewcrc 1 and go on some server and do f_version, you'll see everyone has a different checksum

Too bad. Others will believe


Machine with SSH server and proper connectivity: ./qizmo -x 1234

Machine with limited connectivity: ssh -L 1234:127.0.0.1:1234 machine.with.good.connectivity

There you go, on 127.0.0.1:1234 will now be redirected to the other machine's 127.0.0.1:1234. No need for root access.

For demonstration I can put up an FTE server with TCP support enabled, if you're interested.

any interesting statements in this thread are mostly ruined by the extremely gay attempts to use unnecessary legalese language to make the person sound like they know what they are talking about


^ this just makes me want to say 'fuck off'


i don't see the reasoning behind not posting binaries? you lose nothing by posting them - you gain everything by keeping things secret on your site

And as a final comment. the anti-security.dll posts and comments always seem to come from the FTE-camp who apper to be using it as a means of discrediting other clients rather than being in any way helpful

few people believe that security.dll is flawless security but it would/will prevent the majority of players from easily cheating and for that reason it is worth having

rather than wasting your time trying to put screenshots up of 'lol we hacked ezquake' why don't you actually write an amazing new security feature into FTE that makes it the required client for all Quakeworld tournaments. Until then go back to looking in law dictionaries for words to try and impress people

Mmm, yeah...


What have I got to gain? Personally I don't really care much. The only time I played in a competition, some team had signed me up as playing for them without asking me, so I thought what the hell and went ahead an played - with my illegal and big, bad MorphOS port, even.

I do not wish to make things easier for those who *really* wish to cheat. Any publishing of any methods would do so.


Ouch, are we into camp wars now? Didn't know that.

I can't speak for others, but personally it just makes me want to try when someone comes along and touts something which is inherently secure as being the best thing ever.

But since we're apparently into camp wars now, maybe the people who choose to work on FTE are just sensible, while people who choose to work on that other client are ignorant?

Yes, that's a joke, don't take it seriously. But it fits well with your "FTE developers are eeehvil!"-theory.


hetman apparently does. As are many QW players convinced that it is so.


"Oh, so you don't think believing it makes it possible to walk on water? I challenge you to find a better way to walk on water, then!"

I'd say, walking on water is impossible(*), as is having a client try to prove that it has not been tampered with.

I'm sorry if you feel offended by hard facts, but that's really not something I can do anything about. Though I must admit I fail to see what all this reference to law is about, unless it is about me stating that distributing a GPL binary without offering the source code would be a breach of copyright. But then again, I can't see the problem with that either.

But it's funny. Person A claims something is secure. Person B claims it is insecure. Person A demands proof. Person B delivers proof. Person A starts rambling about how Person B has a personal problem with person A (while in fact person B had never heard of person A before this day), is accused of having a big ego and is accused of participating in camp wars. Wow. Look at that again.

So, let's sum it up the possible scenarios:

Hetman claims that ezquake is better because it has a "security module" which supposedly provides some security.
I claim that the "security module" provides no security at all
Hetman demands evidence

From here:
a) I deliver the evidence and get accused of a billion things. Without acknowledgement of the evidence, of course.
b) I don't deliver the evidence, and then clearly ezquake must be secure.

How can I win here?

(*) Before anyone tries to prove that walking on water is possible, or start talking about using extra equipment for it, whatever, please notice that it is meant as an example and not a claim that walking on water is, in fact, impossible.

Boy, are we busy associating me with FTE and trying to smear FTE now?

Clientside client validation can't work. Not for Fuhquake, not for Ezquake, not for FTE.

I have nothing against ezquake (except maybe its Makefile .

I have nothing against hetman, in fact I never even knew such a person existed untill today. But obviously I must hate him because I've done some minimal work on FTE and he's apparently associated with ezquake. Obviously I hate him then. Obviously.

I don't even have anything against people who think that clientside client valiation can work, just as I don't have anything against christians or members of other religions. However, when they try to enforce their flawed views of the world upon others, I feel obligated to prove them wrong. Don't take it personal, I just want to stop the misinformation. That's it.

this thread is rediculous

well a) without widespread cheating there is little chance of anything being changed and b)
the non-fte developers who have commented on this thread refuse to believe screenshot or .qwd evidence

you could quite easily send the 'hack' to an ezquake developer who would have no interest in making it publicly available, but its proven availability would prompt a re-think on the ezquake security implementation. you have nothing to lose by doing this...

... which was why I offered to show it live, something noone so far has taken me up on (except Vleesch and Hedfuk). Would a live demonstration be any less evidence than a copy of the method used?


And neither have I any interest in making it publically available. Nor have I any interest in disclosing the method. The "hack" took a whopping 20 minutes to do. As an excuse, I'll say it's been a long time since I did it with Fuhquake, and there was something obvious which had temporarily slipped my mind.

I do not wish to make the method publically known either, since I have no doubt someone will then try to just make that method harder (not impossible, because THAT is impossible), and then claim that version X+1 is secure. I have no interest in having to provide proof for every damn version released, when it's quite obvious to anyone who takes 10 minutes to think about the issue, that it simply cannot work.

so you have no interest in helping to make security better

may as well lock the thread then

Which shows that you just didn't get the point. Neither did you take 10 minutes to think about it.

I'll repeat: Walking on water is impossible. How can I help making walker on water possible, when I know it is not possible?

I never claimed I wanted to make walking on water possible either - that's what Hetman claimed. I claimed that walking on water was impossible, and delivered the proof. Apparently I'm the antichrist now for showing that walking on water is impossible.


Yes, let's silence the issue, always works

But oh well, I won't stop you from trying to walk on water. If you drown, don't ask me for help, though.

And this is where you completely missed the point. There is a small difference between the two examples, which makes a huge d ethe ifference.

In the case of QW, the server sends the password to the client, then asks the client to ask the user to enter the password, the client then compares the password and tells the server if the user entered the right password or not (figuratively speaking, it's not how it *really* works)

In the case of a webserver, the client sends the password to the server, the server then compares the password and depending on if they match, it let's the client in or not.

This is where the big difference is. Fuhquake and Ezquake is asking the user to verify that the user is not cheating.


I was? Damn. When I first heard of FTE, I had never heard of ezquake even. My interest in FTE has always been, and still pretty much is, making it run on MorphOS. Besides the MorphOS port and the endian fixes, I have done an incredible small amount of work on FTE.

I don't even remember when I did my first commit to the FTE CVS. I know the first I did on FTE was fixing the endian problems, and the most obvious one was committed by me on the 17th of May 2005


Right, so the first time I touched FTE CVS was several months after you left Ezquake. Sorry


I don't believe I said you claimed that it was flawless. However, you did claim that Ezquake had an advantage over FTE because of its "better security".


Too bad you don't accept equally good proof, but would rather close your eyes, cover your ears and yell "lalalalala" instead of taking the 10 minutes it requires to think the whole issue through. See my example above.


You refused to see the proof.


Sure, and as a proof that the Fuhquake/Ezquake/MQWCL/whatever security model works, I expect a paper going into details with all issues with regards to the authentication and disproofs any possibility of tampering.

I know it doesn't work. I've thought it through. I've even done it in practice to prove it (to myself, and to others who refuse to believe the theory. All you've done so far is "lalalalala"


No, you still refuse to see the proof. What can I do then? I can show a religious person that the earth is not flat, but if he doesn't want to see it, what can I do?


Yes, I'm sure that most other people will accept a person who demonstrates an aimbot with a client which validates by Ezquake clients proof that Ezquake authentication isn't worth anything.





Why was the whole personal agenda/smear campaign/FTE developers hate Ezquake thing needed at all? Can't you please discuss the issue at hand?

what is left to discuss though?

there are two states

1) lets assume, as you claim, that you have succesfully hacked an ezquake executable that can pass all authentication and can be seamlessy used to cheat in official games. As you have not made information publicly available on how this can be achieved - its impact is extremely limited. No security alternatives currently exist that would be legal within the confines of the GPL. People complain to leagues that FTE should also be allowed to be used as a client in the competition. Admins say no because FTE has no security whereas ezquake has some and no publicly available cheat clients exist that can fake as ezquake. Things stay as they are.

2) Your claims are false and you have infact achieved nothing. Admins have less spam. Things stay as they are.

offtopic: btw hetman are you sure udp traffic is disabled on your permitted ports? usually both tcp/udp is allowed. when i was at uni under a restrictive firewall i used to use a public qizmo that ran on port 80

I don't know of any publically available Quake clients which have built-in cheats and which can validate as Ezquake.

Do you know of any publically available Quake clients which have built-in cheats and which can validate as FTE?

If you answer no to that, and given your above logic, what is the advantage of Ezquake again?

Also, the amount of times I have seen anyone actually use f_version in a competition can be counted on one hand, probably.

What if I, or anyone else who plays Quake on anything but Windows and Linux/x86 wants to play in a competition? Would we have to install a different OS, maybe buy a completely different computer altogether, just to satisfy a tournament rule which is based on false security? That makes no sense at all, IMO.

If the SSH client is the problem, get Cygwin. It has one.

As also previously stated, I can put up a server accepting TCP connections on port 23. Unfortunately I don't think Ezquake supports this (but please do correct me if I'm wrong , so your only choice is Qizmo then, I guess. I could also put up a Qizmo for you on port 23

bigfoot.morphos-team.net:23 has a Qizmo accepting TCP connections now.

IRC:
IRCnet - #amiga
Freenode - #morphos
Quakenet - #fte
Enter The Game - #fte

ICQ: 11522161

hetman: you only need root for ports less than 1024, ask for a qizmo on port 8080


thats good


no i don't. But I could instantly cheat in fte by commenting out a couple of lines of code and recompiling. Anyone with gcc could do this. I cannot do this in ezquake as I would need to know how to perform the hack which you are not making public and that would require an amount of knowledge that the average quakeworld player does not possess.


see above


well thats an issue with the competition, not the clients


you can run Linux/PPC on your machine - that could be supported immediately. More obscure OSes are less likely to be added I am afraid.

Does the average Quakeworld player know which lines to remove from FTE?


See above


But still proves that not only doesn't it work, but it's mostly unused as well, thus it is a pretty dull restriction to make.


Right, I rest my case