How did this happen? [message #440237] |
Mon, 29 November 2010 10:06 |
|
GoTWhisKéY
Messages: 320 Registered: July 2004 Location: Canada
Karma: 0
|
Recruit |
|
|
I don't know the entire story, but from what I gather:
1. Troop was somehow let into TT
2. He was given access to TT source code
3. He uploaded the entire thing and released it to the main renegade cheats forum where 0x90 resides
so....
Can we get an explanation from TT on how this happened?
Are we fucked or what?
Old School Renny
[Updated on: Mon, 29 November 2010 14:08]
|
|
|
Re: How did this happen? [message #440242 is a reply to message #440237] |
Mon, 29 November 2010 10:14 |
|
Crimson
Messages: 7430 Registered: February 2003 Location: Phoenix, AZ
Karma: 0
|
General (5 Stars) ADMINISTRATOR |
|
|
jonwil hasn't been online since the incident so I have not yet been able to get an explanation as to why he would share any of this information or code with someone who has been an indescribable moron from day 1. Troop was definitely NOT a member of TT and never would have been.
Once I know more, I will let you guys know.
To everyone: Do NOT post the link to the files or any other page that has a link to the files or you will be banned from this forum for whatever time period I deem necessary!
I'm the bawss.
[Updated on: Mon, 29 November 2010 10:15]
|
|
|
|
Re: How did this happen? [message #440245 is a reply to message #440237] |
Mon, 29 November 2010 10:49 |
|
GoTWhisKéY
Messages: 320 Registered: July 2004 Location: Canada
Karma: 0
|
Recruit |
|
|
0x90's gonna take that code, bend it over, fuck it, inseminate it with his cheat seed, and give birth to *cheat name removed* jr 2011 edition
Old School Renny
|
|
|
Re: How did this happen? [message #440247 is a reply to message #440245] |
Mon, 29 November 2010 11:06 |
|
EvilWhiteDragon
Messages: 3751 Registered: October 2005 Location: The Netherlands
Karma: 0
|
General (3 Stars) |
|
|
Since we're pretty much fucked anyway:
Quote: |
<jonwil> hi
<EvilWhiteDragon> hi
<EvilWhiteDragon> You, sir, are an idiot
<EvilWhiteDragon> So what did you want to talk about?
<jonwil> I just want to say that I did not give trooprm02 the <censor> file. How he got it I am not sure but I did not give it to him.
<jonwil> <censor>.zip and <censor>.exe came from the Reborn forums as he is a reborn tester
<jonwil> and the admin of the reborn test FDS
<EvilWhiteDragon> Still you shared information that you were not supposed to share in chat with him.
<EvilWhiteDragon> jonathanwilson623@hotmail.com says:
<EvilWhiteDragon> Dont tell ANYONE I am saying this but
<EvilWhiteDragon> Hex sent me a PM with the following
<EvilWhiteDragon> Someone emailed me a rar file months ago (no idea who) with almost 2000 source files in it that contains TT, scripts and Renegade (from westwood) code
<EvilWhiteDragon> cross platform tt.dll specific engine calls
<EvilWhiteDragon> Copyright 2009 Jonathan Wilson
<EvilWhiteDragon> This file is part of the Renegade tt.dll.
<EvilWhiteDragon> CONFIDENTIAL: DO NOT USE OR DISTRIBUTE WITHOUT PERMISSION
<EvilWhiteDragon> */
<EvilWhiteDragon> The only way someone would have that comment is if they had actual source code to 4.0
<EvilWhiteDragon> That gave troop at least a hint on where to look for it heh?
<jonwil> I think what happened is that I made this post
<jonwil> http://www.renegadeforums.com/index.php?<censor>
<jonwil> and somehow he discovered http://<censor>/<censor> in the brief window it was on that site even though no public link to it existed with the only link being the one in that post
<EvilWhiteDragon> YOU FUCKING IDIOT! DONT YOU SEE WHAT GAPING HOLE YOU HAVE ON YOUR WEBSITE? DIRLISTING IN A DIRECTORY YOU USE FOR PRIVATE FILES WITH NO PASSWORD OF ANY KIND! YOU IDIOT
<EvilWhiteDragon> http://<censor>/ <-- nice files stored there
<jonwil> at the time I had no idea it was possible to dirlist that directory. Once I found out that it was possible, I stopped using it for sensitive files.
<jonwil> Nothing currently uploaded is sensitive
<EvilWhiteDragon> TT is in that dir
<jonwil> no its not
<EvilWhiteDragon> I just downloaded TT
<jonwil> binaries are there
<EvilWhiteDragon> yes
<EvilWhiteDragon> so, those are private as well
<EvilWhiteDragon> Or did I miss the release of TT?
<EvilWhiteDragon> In that case I might be misinformed...
<EvilWhiteDragon> Have you verified that the code troop leaked is the same as Hex' version?
<jonwil> yes it is identical
<jonwil> same zip file
<jonwil> rar file
<jonwil> A whole pile of APB and reborn testers have those test binaries and have been testing 4.0 for months. There was a leak of an APB test build (by a tester who was promptly banned I believe) a while back and no-one said anything at the time about that leak compromising 4.0
<EvilWhiteDragon> I mean the sourcecode
<EvilWhiteDragon> is it identical or not?
<jonwil> yes the source code is identical to the leak
<jonwil> the <censor> file is identical to the hex/jnz leak
<EvilWhiteDragon> Ok, So it's what? 4 months old?
<jonwil> older than that
<EvilWhiteDragon> Still, I think we should set a lot of new security rules.
<jonwil> yes true
<EvilWhiteDragon> like not putting up files on private hosting
<EvilWhiteDragon> with open dirs
<jonwil> yes definitely
<jonwil> but like I said, I had no clue that it was open dir
<jonwil> we should not post TT private stuff anywhere but 100% verified private locations
<EvilWhiteDragon> You could've attached the file to your forum post for ex.
<EvilWhiteDragon> or on a private ftp
<jonwil> As mentioned though at the time I posted <censor>, I had no idea that there was any way to get to it other than through the link in the post
<jonwil> had I known the dir was open, I would have not posted it to that space
<jonwil> /me smacks self in forehead for not knowing much about how to run a website
<jonwil> and not knowing how to tell if folders are open to the world or not
<EvilWhiteDragon> I would start with putting a .htaccess on the files dir
<EvilWhiteDragon> as there are plenty of files with which you violate the NDA you signed.
<jonwil> right now I will remove the sensitive stuff until it can be uploaded somewhere thats less public
<jonwil> I dont know what web server is running on that box or the right way to set up limited access
<EvilWhiteDragon> phpinfo.php :: <?php phpinfo(); ?> and you'll probably see apache named there
<jonwil> everything even remotely sensitive has been removed
<jonwil> everything that remains in that location has been made public before by me
<jonwil> i.e. C&C3/RA3 stuff
<jonwil> and some renegade stuff like the w3d importer work I did and published a while back
<EvilWhiteDragon> well as said, I dont mind the files published there too much, just the fact that its open dir is really bad
<jonwil> the only files on that server before I removed them that were even remotely sensitive were the test builds that had fairly wide distribution with APB, AR and reborn guys having them. But they are gone now.
<EvilWhiteDragon> It's the principle JW. If we don't care about security, other people will certainly not care for it.
<jonwil> well yeah true
<jonwil> hence why I removed all the sensitive stuff
<jonwil> and will not post stuff to public unprotected locations in the future
<jonwil> the real question is what the response to the leak is. What, if any, PR do we put out. What do we tell EA. What, if any, legal avenues do we pursue. etc. I for one intend to post absolutely nothing in public.
<jonwil> the other question (and one I am totally unqualified to answer) is which bits of code we will need to rewrite to be different to whats in that code dump so that if/when 0x90 and other cheaters get hold of it, they cant abuse it for bad things
<jonwil> but right now I will say nothing anywhere in public
<jonwil> I do however have the current EA community guy in my email should anything need to be sent to him (or if it needs to come from someone else, I can point him in their direction)
<EvilWhiteDragon> I know, I introduced you remember ?
<EvilWhiteDragon> I'm trying to get 0x90 not to abuse the code. Not sure if it'll work but it's worth a try
<EvilWhiteDragon> also, he doesnt have the code currently so thats good I guess
<jonwil> ok
<jonwil> I was going to ask you if you had gotten anywhere with your investigation into setting up "BlackIntel LLC" or whatever it is called over there. But all this kind of puts a hold on that
<jonwil> since we obviously couldnt go public even if we DID have fixes for the bugs on our list
<EvilWhiteDragon> I have gotten somewhere
<jonwil> ok
<EvilWhiteDragon> just some form issues I need to have answered before I can set it up actually
<EvilWhiteDragon> but once thats done i think the rest would be the matter of like 2-3 weeks
<jonwil> oh and btw I cant remember ever signing any bits of paper related to TT
<jonwil> being that at the time secret stuff was first added to scripts, I was the only developer
<jonwil> and no-one else had it
<jonwil> this is most definitely not the end of the world (or even the end of 4.0) though.
<EvilWhiteDragon> it does show that something has to change
<jonwil> yes
<EvilWhiteDragon> we really should apply proper project management techniques
<jonwil> do we want to take legal action against trooprm02?
<EvilWhiteDragon> if anyone finds the money and time, why not?
<jonwil> we need someone who knows Canadian copyright law
<jonwil> I think at this point though there is no way to put the genie back into the bottle.
<EvilWhiteDragon> DMCA
<EvilWhiteDragon> particularly US companies are sensitive to that
<jonwil> canada doesnt have a DMCA
<jonwil> but we can certainly issue one against any sites that host it
<EvilWhiteDragon> USA companies or companies operating in the USA
<EvilWhiteDragon> indeed
<jonwil> but it wont stop it going up in places outside the USA
<jonwil> or being distributed among cheaters in private/semi private locations
<EvilWhiteDragon> I'm not that afraid of UC, I think they are rather tight on copyright and such
<EvilWhiteDragon> I could be wrong of course, but still
<jonwil> btw, a google search for the files (<censor>) shows no results
<jonwil> no relevant results that is
<jonwil> some links to things about cars called TT
<jonwil> but thats about it
<jonwil> Looking through my MSN logs, there is some evidence that trooprm02 knew of the existence of <censor> before the stuff at the top of "jonwil scripts leak.txt". Not saying that means anything though.
<jonwil> so yeah I shall let the right people handle this, I shall continue working through the list of bugs we have and leave it at that.
|
BlackIntel admin/founder/PR dude (not a coder)
Please visit http://www.blackintel.org/
V, V for Vendetta | People should not be afraid of their governments.
Governments should be afraid of their people.
|
[Updated on: Mon, 29 November 2010 11:39]
|
Re: How did this happen? [message #440260 is a reply to message #440237] |
Mon, 29 November 2010 12:30 |
|
GoTWhisKéY
Messages: 320 Registered: July 2004 Location: Canada
Karma: 0
|
Recruit |
|
|
LMFAO this is about as good as wikileaks...
Once EA finds out this has happened, I can't see them EVER approving it as an official patch anymore. How can they trust TT to do anything official for them after this?
I just downloaded the file... its loaded with conversations between Troop, Jonwil, EWD, and others... I've only read like a couple and already there is tons of info in there...
PS, Can I install Scripts 4.0 when I get home? Will it work?
Old School Renny
|
|
|
Re: How did this happen? [message #440262 is a reply to message #440237] |
Mon, 29 November 2010 12:39 |
|
GoTWhisKéY
Messages: 320 Registered: July 2004 Location: Canada
Karma: 0
|
Recruit |
|
|
Umm... just reading through Reneleaks and found this little TIDBIT:
Quote: | - [D4M1R] says:
now 1 thing im not supposed to talk about (lol) is another anticheat method
which is actually in existence already, but apparently nobody but a few of us are supposed to know about....
mapch.
its almost in the same boat tho...if more people know about it, the less effective it will become
I guess thats why we were asked to keep quiet about it
know what im talking about?
jonathanwilson623@hotmail.com says:
no
what is this mapch?
- [D4M1R] says:
server console command
im pretty sure the client (3.4.4) has the matching code for it tho....
initially was designed to be a simple command to check if a player has map example.mix
but with modified scripts, the .mix extension limitation was removed
and with a (private) matching brenbot plugin
you could run a command like !search example.exe, example.dll, example.w3d etc
search the clients data folder essentially
(effective for things like bighead, RoF, big bodies, and even advantage skins)
THEN I realized wildcards even work
so I could search a ingame players entire c:\ drive lol
./././././rgh/ for example and etc
jonathanwilson623@hotmail.com says:
mapch as implemented by me in scripts has no check to see what file to check for
its not locked to .mix
- [D4M1R] says:
"has no check to see what file to check for"?
jonathanwilson623@hotmail.com says:
I mean its not locked to .mix
or any other extension
it will check anything
- [D4M1R] says:
ah
jonathanwilson623@hotmail.com says:
in any case it was intended for map checks
- [D4M1R] says:
well did you know about the wildcard thing? or did you ever think about using it as an anticheat?
jonathanwilson623@hotmail.com says:
I have the code in front of me, wildcard shouldnt work
- [D4M1R] says:
it does lol
jonathanwilson623@hotmail.com says:
if it does anything, its giving false results
- [D4M1R] says:
../
are you sure?
I put test.txt in a random directory, and it found it
jonathanwilson623@hotmail.com says:
oh so you mean ../ and not *.*
- [D4M1R] says:
yes, ../
jonathanwilson623@hotmail.com says:
ok
in that case yes it would work
- [D4M1R] says:
jonathanwilson623@hotmail.com says:
its not intended to be used like that
but I have no plans to change the command (since doing so wouldnt matter)
well wouldnt help
- [D4M1R] says:
leave it if anything,
|
So what I'm getting from it... is Scripts 3.4.4 has a loophole that allows server owners to SEARCH YOUR ENTIRE C DRIVE!!! EXPLANATION ASAP PLEASE
Old School Renny
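The quoted chat describes a file-presence check that accepts any name, including `../`, so a server can probe outside the game's data folder. As an added example (not code from scripts.dll or from anyone in this thread), here is a client-side validator that accepts only a bare `.mix` file name before any lookup; `is_safe_map_name`, `build_map_path`, the 64-byte cap and the `data` folder name are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAP_NAME 64 /* assumed cap, not a value from the game */

/* Hypothetical validator: accepts only a bare "<name>.mix" file name. */
int is_safe_map_name(const char *name)
{
    size_t len, i;
    const char *ext;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len < 5 || len > MAX_MAP_NAME) /* shortest valid name is "x.mix" */
        return 0;
    /* Allowlist letters, digits and "_-&.". That excludes '/', '\\', ':'
       (drive letters, NTFS streams), '*', '?' and control bytes. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && strchr("_-&.", c) == NULL)
            return 0;
    }
    if (name[0] == '.' || strstr(name, "..") != NULL)
        return 0; /* no parent-directory hops, no dot-leading names */
    ext = name + len - 4; /* extension must be ".mix", any case */
    if (ext[0] != '.' || tolower((unsigned char)ext[1]) != 'm' ||
        tolower((unsigned char)ext[2]) != 'i' ||
        tolower((unsigned char)ext[3]) != 'x')
        return 0;
    return 1;
}

/* Joins data_dir and a validated name; returns 0 on success, -1 on refusal. */
int build_map_path(const char *data_dir, const char *name,
                   char *out, size_t out_len)
{
    int n;

    if (!is_safe_map_name(name))
        return -1;
    n = snprintf(out, out_len, "%s\\%s", data_dir, name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed requests, as a server might send them. */
    const char *req[] = { "C&C_Field.mix", "example.MIX", "../test.txt",
                          "..\\..\\x.mix", "example.dll", "C:x.mix" };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-16s %s\n", req[i],
               build_map_path("data", req[i], path, sizeof path) == 0
                   ? path : "refused");
    return 0;
}
```

The check has to run on the client, because the server sending the request is the party being constrained.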
|
Re: How did this happen? [message #440269 is a reply to message #440268] |
Mon, 29 November 2010 13:00 |
|
Prulez
Messages: 439 Registered: August 2005 Location: The Netherlands
Karma: 0
|
Commander |
|
|
GoTWhisKéY wrote on Mon, 29 November 2010 20:58 | oh god....
So who knows how many server owners have been browsing our C drives over the years.
wow.
|
Rest assured, not many people were aware of this (Like myself), I doubt that a lot of server owners knew..
..even though I've seen something at TmX that may have been using this "feature" to stop cheats.
nikki6ixx wrote on Fri, 08 May 2009 19:47 | Every so often, I get this positive feeling that humanity can somehow, possibly attain pure awesomeness, and enlightenment, and that there is light at the end of the road for us all. However, I only need to go to the latest HUD thread at RenForums to remind me of how dumb I was for thinking such stupid things.
|
|
|
|
Re: How did this happen? [message #440271 is a reply to message #440237] |
Mon, 29 November 2010 13:02 |
|
Hypnos
Messages: 683 Registered: August 2009 Location: Scotland
Karma: 0
|
Colonel |
|
|
Yeah, scary thought huh?
You can't tarnish all server owners with the same brush as a select few who would use this with malicious intent. The use that Bosnian was using it for, is actually pretty sound. It was an effective method of checking who was using what, and I can imagine if he was given permission to use it as evidence, then he, and many other server owners would have been able to remove more cheaters, such as people you and I probably both trust(ed)
@Prulez:- I take it you're referring to the capability to scan for the likes of Big Bodies, Big Heads, RGH, etc?
Caveman wrote on Fri, 21 January 2011 08:26 | Well this topic is still going on. I have to say I haven't watched much Anime recently (maybe a year or so) the last thing I saw was GITS (for the third time)
Im not too sure whether I just dont enjoy Anime anymore or whether its just I dont have time really to shit and watch it.
|
[Updated on: Mon, 29 November 2010 13:03]
|
|
|
Re: How did this happen? [message #440273 is a reply to message #440262] |
Mon, 29 November 2010 13:07 |
|
danpaul88
Messages: 5795 Registered: June 2004 Location: England
Karma: 0
|
General (5 Stars) |
|
|
GoTWhisKéY wrote on Mon, 29 November 2010 19:39 | Umm... just reading through Reneleaks and found this little TIDBIT:
So what I'm getting from it... is Scripts 3.4.4 has a loophole that allows server owners to SEARCH YOUR ENTIRE C DRIVE!!! EXPLANATION ASAP PLEASE
|
Technically... unless it also filters out D:\, E:\ etc it can search EVERY drive on your computer. However I have not looked at the code behind the command so I don't know if it does or not.
If it does block that, then it only allows you to search the drive Renegade is installed on, which in my case contains nothing but games.
[Updated on: Mon, 29 November 2010 13:07]
|
|
|
|
Re: How did this happen? [message #440275 is a reply to message #440273] |
Mon, 29 November 2010 13:15 |
|
GoTWhisKéY
Messages: 320 Registered: July 2004 Location: Canada
Karma: 0
|
Recruit |
|
|
The average person only uses a C drive.
So thanks to Scripts, People like Troop have had access to our private files.
Also, judging by their convo, it seems like that 'feature' was being left in Scripts 4.0 as well.
I only read 5 minutes of txt and found that out! What else is in those txt files? Reneleaks galore most likely.
Old School Renny
|
|
|
Re: How did this happen? [message #440277 is a reply to message #440237] |
Mon, 29 November 2010 13:17 |
|
Goztow
Messages: 9740 Registered: March 2005 Location: Belgium
Karma: 14
|
General (5 Stars) Goztoe |
|
|
There's a difference between being able to search for filenames and being able to open them. I agree this is a privacy problem, but it's not as if people could watch your pr0n collection through Renegade.
You can find me in The KOSs2 (TK2) discord while I'm playing. Feel free to come and say hi! TK2 discord
|
|
|