Remove the possibility of Client-Sided Plugins

[GodlikeGER]

STILL REQUESTED

It would be cool if you removed the possibility of client sided plugins like .lua, ES etc.
There is no need to install ES on your client O.o
THis would fix many exploiters and make it harder to inject hacks

Some quotes:

Quote:

Originally Posted by freddukes

Code:

Quote:
Originally Posted by walkabout747 View Post
LSS wasn't originally intended to exploit the game. When HaloShadoW made the 1.5 update, he made sure that backwards crash all exploit wouldn't work. LSS changed the disconnect messages differently and @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ crashed YOUR game. He was not expecting huge exploits like crash-all or pause-all. Nor was he expecting MikE to leak his own disconnect exploit menu. It's also ***** that you're only giving out about client-side plugins that bypass sv_cheats,etc. now...

I've been moaning for AGES about client side addons. I don't care the original intentions of client side addons; that doesn't change the fact that they're used for exploits now. EventScripts was never meant for exploits; yet with 1 simple command you have a VAC proof wall hack. Client side addons should NOT be allowed IMO at all, but there are other solutions (read on).

Code:

Quote:
Originally Posted by walkabout747 View Post
There was a sourcemod bypasser made ages ago but then when LSS included one you all **** bricks...

What difference does SM, ES or LSS make? I want them all banned. I'm very big into server side programming (making many scripts for ES) which is why I know the power that these addons allow. They should not allow the client to do that much.

Code:

Quote:
Originally Posted by walkabout746 View Post
Also, don't blame LSS for the disconnect exploits. It's Valves fault they made disconnect messages client-side.Why not just fix that and kick somebody if they bypass a cvar?

Yeah that's right... That's just like saying "Hey, if I kill someone by running them over, it's the car manufacturers fault for supplying me with the car!"... No, that's just stupid ideology. You should not have the right to exploit bugs if they are found out; just like you're not allowed to shoot another human being just because you own a gun.

Now, in my opinion there are 3 solutions for this.

1. This is the by far the best / most reliable solution: simply don't allow any client-side addons.
2. Change sv_pure to handle libraries within the addons folder as well which should kick anybody for having files within the ../addons/ directory
3. This is probably the least problematic and abusive method; allow modders to retrieve loaded addons via the IPlayerInfo instance which returns information as a keyvalue; similar to the information provided from plugin_print. This means that we don't have to rely on the addon providing us with known client commands to filter out, or relying on public variables we can pick up. With the latest version of LSS they use a dynamic client command so no script knows the actual command; nor does it make itself public. This stops ANY addon from gaining information from it and thus is undetected.

Overall, something needs to be done about this. It's too simple for an abusive player to just walk onto a server, and type 1 command and cause devastation. I really hope something is done about this; with the rate that all these children are getting a hold of these exploit scripts, CSS will not be a very fun place any more.

-freddukes

Quote:

Originally Posted by Omega_K2

Code:

Quote:
Originally Posted by Pandora92 View Post
I can see the argument against allowing LUA plugins to run alongside your game, especially since the legitimate ones are (in my experience) not actually all that useful, and the game isn't intended to support them anyway, however I don't see an issue with letting people run something like ES on their client, lots of people use that in order to test plugins/scripts they've written in a local server first.

Code:

Quote:
Originally Posted by Owned|Myself View Post
I use Sourcemod, Metamod, ES and Mani client side to test things.

It's a false argument; You can test your plugins without any problems on a real local dedicated server (either the one from tools or the standalone one).
You don't need a listen server for that at all.

Code:

Quote:
Originally Posted by GunGravE View Post
It will only prevent total idiots from cheating.

So since total idiots seem to be a majority of the cheaters, that it's probably a lot of the hackers.
Even if it isn't, it's still less cheaters.

Code:

Quote:
Originally Posted by dungeonseeker_1 View Post
I am not sure of the feasability of this anyway.

I am not a developer and have very little knowledge of how things like MM, SM, ES etc interact with source servers however thinking it through, would it not take the developers of the tools themselves to write code into the tools which can differentiate between a dedicated server and a listen server?

The plugins (not ES/SM pluigins/addons) are usually designed to run on a dedicated server, not a listen server (infact, some don't work [properly] on a listen server).
There will be no rewrite whatsoever required.
And as for testing plugins, you don't need listen servers. Dedicated servers are sufficent.

[AnAkIn]

That's up to Valve I guess, it's their Engine. I doubt Hidden Path got the possibility to do Engine updates, they can just do CSS updates.

[ActionDragon]

I agree with the OP. Currently the only server side plugin that prevents client side plugin exploits is Kigen's Anti-Cheat. But as you know majority of people who rent servers don't know how to protect their server properly so big amount of cheating is happening.

[GodlikeGER]

Quote:

Originally Posted by ActionDragon

I agree with the OP. Currently the only server side plugin that prevents client side plugin exploits is Kigen's Anti-Cheat. But as you know majority of people who rent servers don't know how to protect their server properly so big amount of cheating is happening.

yeah but they cant check for all client sided plugins and thus there is still some cheating possible

[Omega_K2]

I completly support this. Cheating with clientside plugins has gone to far, and with a bit of knowledge, you can avoid detection though Kigen's Anti Cheat aswell.

[Nelson340]

No.
A client-side plugin a day keeps the sv_pure away.

[GunGravE]

The Lua scripting plugin wasn't ever intended for exploiting purposes. It's just that all of the French-Canadians and danish flocked to our forum when they heard the words CSS, script, and forum in one sentence. They post ♥♥♥♥♥♥♥♥ wallhack and speedhack scripts they made. Next thing you know, they get the plugin blocked by KAC.

I say allow client plugins.

[m4ster]

GunGravE:
its not too hard to make Lua plugin undetected by KAC.

[AnAkIn]

Quote:

Originally Posted by m4ster

GunGravE:
its not too hard to make Lua plugin undetected by KAC.

It is completely undetectable by KAC now, by the new methods they use.

Quote:

Originally Posted by GunGravE

The Lua scripting plugin wasn't ever intended for exploiting purposes. It's just that all of the French-Canadians and danish flocked to our forum when they heard the words CSS, script, and forum in one sentence. They post ♥♥♥♥♥♥♥♥ wallhack and speedhack scripts they made. Next thing you know, they get the plugin blocked by KAC.

I say allow client plugins.

Looks like someone using client side plugins. Am I right? The LUA scripting plugin is just a cheat, you are loading a 3rd party dll inside the game.

[lamuerteinhell]

I wouldnt minde client side plugins to dissapear. They aint used for anything anyway!

I can see the argument against allowing LUA plugins to run alongside your game, especially since the legitimate ones are (in my experience) not actually all that useful, and the game isn't intended to support them anyway, however I don't see an issue with letting people run something like ES on their client, lots of people use that in order to test plugins/scripts they've written in a local server first.

[GodlikeGER]

I just dont see the point in running client sided plugins
They only exist to give you an advantage over the other players

Quote:

Originally Posted by GodlikeGER

I just dont see the point in running client sided plugins
They only exist to give you an advantage over the other players

Read my post above yours.

"however I don't see an issue with letting people run something like ES on their client, lots of people use that in order to test plugins/scripts they've written in a local server first."

Quote:

Originally Posted by Pandora92

Read my post above yours.

"however I don't see an issue with letting people run something like ES on their client, lots of people use that in order to test plugins/scripts they've written in a local server first."

There is no problem if those plugins only work on the players listen server, but the fact is, that's just not how it is. You can somewhat use plugins like ES and others on public servers to gain an advantage.

[GunGravE]

Quote:

Originally Posted by AnAkIn

It is completely undetectable by KAC now, by the new methods they use.

Looks like someone using client side plugins. Am I right? The LUA scripting plugin is just a cheat, you are loading a 3rd party dll inside the game.

Well, of course I use client plugins. Lua Source Scripting opens up the possibility of making scripts that read game events, use commands or functions at precise intervals, and much more.

If people didn't use it for the purpose of exploiting vulnerabilities in the game, nobody would care whether or not it was used. The argument that it's a cheat because you're using 3rd party files with your game is plain dumb. It's only a cheat when people abuse its capabilities as a cheat.