
How safe are these custom clients, made by the fans


Amph


Can this software be used as a back door to control an innocent machine? I was thinking how safe are those clients that are made to play with the old games like this (all C&C) and the one from Forged Alliance Forever (if you know about Supreme Commander)

 

Since they are not supported by the original developers, they can hide, in the future, malicious code in one of the updates. I know that it will not be the case, but one never knows...

Link to comment
Share on other sites

This is a tough question, but a valid one. Obviously a bunch of fans cannot be as vigilant as a company when it comes to malicious intrusions, however as we have seen time and time again even giant corporations make giant blunders when it comes to security. Adobe and Sony have for instance leaked personal information on their users many times. Sony has even gone so far as to rootkit PCs playing their music in the name of copy protection.

 

One can look at it this way:

 

What is more secure?

A currently maintained and frequently updated community client or a dead and abandoned official client? A dedicated malicious attacker can for example abuse the auto update mechanism of the old games and have it download false updates with DNS hijacking for example. (Same can be done with CnCNet until updates are done over SSL/TLS.)

 

Do you want to play?

For C&C games the only way to play them online is through community run services (save for C&C4) be it XWIS, CnCNet or C&C Online as the official servers for the games (WOL, 2003, Gamespy, 2014) have been offline for a long time.

 

It has worked for other games

Be it Forged Alliance Forever for Supreme Commander: Forged Alliance, ESEA, CEVO and Faceit for Counter-Strike (1.6, Source, GO) and DoTA, iCCup for StarCraft and WarCraft 3 have gathered large communities (especially the clients for CS) either by filling holes the developers have not filled or providing something the original developers do not provide anymore. Some of them are businesses selling their services while many of them are community run services by fans. Out of all the non-official services I know for games, only one has betrayed the trust of its users: ESEA, whose client one day started mining bitcoins.

 

Do you trust us?

This is the most important question out of them all. Without trust, clients like CnCNet, or anything really, are useless. It is all up to you if you trust us or not, it is your computer after all.

 

To answer your question more directly:

Yes. Any software can one day update with a back door no matter who makes it. It can be done on purpose, it can be done by accident and it can be done without the developers even noticing.

Link to comment
Share on other sites
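The post above points out that an updater can be fed false updates through DNS hijacking until updates are done over SSL/TLS. As an added example (not CnCNet's updater and not code from anyone in this thread), the Go program below verifies an Ed25519-signed update manifest against a key embedded in the client and refuses replays of older manifests, so a redirected download fails regardless of transport. The manifest layout, the file name and the throwaway key pair are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update description; the field names are assumptions.
type Manifest struct {
	Version int               `json:"version"`
	Files   map[string]string `json:"files"` // file name -> lowercase hex SHA-256
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrRollback = errors.New("manifest is not newer than the installed version")

// VerifyManifest authenticates the raw bytes before parsing them, then rejects old manifests.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte, installed int) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	return &m, nil
}

// VerifyFile checks downloaded bytes against the hash in an already verified manifest.
func VerifyFile(m *Manifest, name string, data []byte) error {
	sum := sha256.Sum256(data)
	if want, ok := m.Files[name]; !ok || want != hex.EncodeToString(sum[:]) {
		return fmt.Errorf("%s: hash does not match manifest", name)
	}
	return nil
}

// sample builds constructed data: a throwaway key stands in for the release key.
func sample() (ed25519.PublicKey, []byte, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	files := map[string]string{"client.exe": hex.EncodeToString(sum[:])}
	raw, _ := json.Marshal(Manifest{Version: 2, Files: files})
	return pub, raw, ed25519.Sign(priv, raw), payload
}

func main() {
	pub, raw, sig, payload := sample()
	m, err := VerifyManifest(pub, raw, sig, 1)
	fmt.Println(err, VerifyFile(m, "client.exe", payload), VerifyFile(m, "client.exe", []byte("swapped")))
	fmt.Println(VerifyManifest(pub, raw, sig, 2)) // same manifest replayed to an up-to-date client
}
```

The private key never needs to be on the update server, so a compromised or impersonated server can withhold updates but cannot forge one.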

It would be easier to trust CnCNet (or any software), if the source code is available for anyone to study.

Unfortunately CnCNet currently isn't free (libre) and open-source.

 

I agree with that and I wish CnCNet was still open source.

Link to comment
Share on other sites

It would be easier to trust CnCNet (or any software), if the source code is available for anyone to study.

Unfortunately CnCNet currently isn't free (libre) and open-source.

Agreed.

 

I agree with that and I wish CnCNet was still open source.

Exactly! Seems like you guys are heading into a wrong direction.

 

As long as you're not open but closed source, I can't help but regard you as a for-profit-organization (which you are) and hence can only offer you my help setting up ladder infrastructure (for RA2/YR) in exchange for $$$.

 

 

Link to comment
Share on other sites

As long as you're [...] closed source, I can't help but regard you as a for-profit-organization

There are plenty of closed source, legitimate non-profit organizations - with many good reasons for doing so.

http://programmers.stackexchange.com/questions/152654/reasons-not-to-open-source-not-for-profit-code

 

Either way, I'm currently developing an open source CnCNet client. Should be ready sometime between 2016-2048  :P

Link to comment
Share on other sites

I have multiple reasons for keeping my client closed-source.

1) Security. There's things like anticheat code that would be easier to defeat if the client was open source

2) Credits. I don't want to make it easier for someone to steal my code and claim it as their own. In a big, well-known project this wouldn't really be an issue, but CnCNet isn't big enough

3) Extra effort, as shown in Tahj's link

4) Being forced to take responsibility for others' code if others take my code and modify it while not telling the public that they've modified it. I especially got burned when I opened my client for Iran, and he added a custom updater (making it harder for me to push updates) and implemented some features, and some bugs with those features. However, he kept the "Rampastring" name in error messages and such, so I got the blame for his bugs (and for not being able to fix my own bugs with quick updates). After he was done implementing his stuff and had released the YR client to the public, he just abandoned the client entirely and never fixed anything, so I had to clean up his mess later on. Basically, I got the blame for his bugs and him abandoning the client. This is why the YR client didn't get a single update from March until September, despite having some serious issues in it.

 

Because of 4) I now only open my code to people who have shown to be at least somewhat trustworthy.

 

While I still write the majority of the client's code myself, I recently gave Grant, FunkyFr3sh, hifi and Tahj source code access to my client, so multiple people can now check out any code that someone has written.

 

Now, generally more about the security of community projects like CnCNet (and unknown code in general):

 

When I evaluate the safety of community projects like CnCNet, there's multiple things I take into account:

- Do they have a proper website?

- Can you find information on the developers or can you contact them directly? Do the people behind the project seem trustworthy?

- Is the code open or closed source (note that while I generally view being open source as a good sign, open source doesn't guarantee safety - if there's only a few developers and the project isn't very popular, it's possible to sneak in malicious code that is never read by anyone)

- How popular is the project? If there's like dozens or hundreds of thousands of players / users it's unlikely for the project to contain malware - it would've been detected by someone.

 

Also, even if the project seems safe, I tend to first run the executables under a sandbox or something else that makes it possible to see what the application exactly does on my system. Also, I never give anything full admin rights unless there's a good reason for why the application needs it. I've adapted this principle to my own programs - I never request admin rights without telling the user why they're necessary.

Link to comment
Share on other sites

1) Open source or not with enough dedication any "anti cheat" can be bypassed. With more eyes looking at the code it is more likely that weaknesses can be found and patched. Some of the people who might have otherwise made a cheat might even patch the "anti cheat" and fix the vulnerability they found. The more robust the program gets the harder it is to exploit.

2) This can even happen to closed source programs. If someone repackages it in an incorrect way the original author can be blamed for things they have not done. If the client is open source and licensed properly (like with the GPL) you can hold people liable for abusing your name and force anyone "ripping it" to release their code. If the program is open source anyone can trace who did what.

3) Extra effort or less effort. With enough documentation anyone can submit a patch adding a feature or fixing a bug so you do not have to. If you think the patch isn't good enough don't accept the pull request...

4) See 2. I will also add that this was a special case where the adapted client was made the "official" one for YR. If the client was open source from the start then only code submitted to the official repository would've been used.

 

As long as you're not open but closed source, I can't help but regard you as a for-profit-organization (which you are)

Yeah right. "kept online by donations" isn't the same as "for-profit". There is no one making any profit off cncnet.

 

Being "for-profit" would also be a good way to incur the wrath of EA. EA tolerates fan/hobby/community projects such as CnCNet because they are just that: non-profit fan projects. That is why CnCNet has no advertisements anywhere, no premium accounts or any pay wall of any kind. Those who donate get no bonuses or priorities of any kind, hopefully just a feeling of helping keep the servers online.

 

In addition to that being "for-profit" would be a slap in the face to anyone contributing as everyone who has worked on CnCNet has done it for free, expecting nothing in return. I can remember once where someone got $20 for spending an entire weekend working on something non-stop. That was one occasion in the almost 7 years CnCNet has existed.

Link to comment
Share on other sites

1) Open source or not with enough dedication any "anti cheat" can be bypassed. With more eyes looking at the code it is more likely that weaknesses can be found and patched. Some of the people who might have otherwise made a cheat might even patch the "anti cheat" and fix the vulnerability they found. The more robust the program gets the harder it is to exploit.

This is true, but in the client's case I think keeping it closed source is more secure. After all, it is impossible to make a client-based anticheat strong. It will always be possible to avoid the client's anticheat by hacking the game itself. A "proper" anti-cheat would need to be coded into the game executable itself. Basically, I see the client's anti cheat as something that is simply making cheating take a bit more effort, you can't just drop a rules.ini to the game folder and give yourself free radar, PlaceAnywhere=yes or something like that.

 

2) This can even happen to closed source programs. If someone repackages it in an incorrect way the original author can be blamed for things they have not done.

True, but modifying closed source programs takes more effort than modifying open source programs.

 

If the client is open source and licensed properly (like with the GPL) you can hold people liable for abusing your name and force anyone "ripping it" to release their code. If the program is open source anyone can trace who did what.

People could copy my code and use it in closed-source programs though, in which case it could be difficult to show that they ripped the code.

 

If the client was open source from the start then only code submitted to the official repository would've been used.

More like Iran wouldn't have adapted my client for YR, and so YR would have no client at all. He would've wanted the anticheat and such to be closed.

 

I'm happy with the current state of the client, where I can give trustworthy people who are interested in working on the client access to the source code, while still controlling the development process. I doubt I'm going to make my client open-source, at least as long as it remains widely used.

Link to comment
Share on other sites

1) Open source or not with enough dedication any "anti cheat" can be bypassed. With more eyes looking at the code it is more likely that weaknesses can be found and patched. Some of the people who might have otherwise made a cheat might even patch the "anti cheat" and fix the vulnerability they found. The more robust the program gets the harder it is to exploit.

I agree, man.

 

Security shouldn't be defined by whether the code is open source or not. As soon as you're releasing your work it all boils down to simple physics, if the computer is able to read it a dedicated enough human will be, as well (albeit, it will be a little bit harder).

 

If your code is open source, then honest people can help. If your code is not open source, then honest people can't help. In any case, your code not being open source doesn't really stop malicious people from abusing it. You're just hampering honest people's ability to help you.

 

Olaf's auto screenshot uploader was never open source, in any kind or way, yet, I've abused it to flood XWIS with pornographic images en masse and it took me 2 minutes to figure out how.

 

Honestly, if you have any sort or kind of education at all, you'd know that security is not defined by whether an algorithm is public, but by whether the algorithm is well designed and secure to begin with.  :)

 

In fact, the most secure encryption algorithms are all public. Things you hack up yourself, as obscure as they might be, will always lose to a tried and proven public encryption algorithm. Good game.  :tibsun:

 

 

Link to comment
Share on other sites

An anticheat system for a game isn't really comparable to an encryption algorithm though, as you probably know :P

 

I don't think having the client's anti-cheat open source would help. It could still be defeated by pretty much anyone with some programming experience and a bit of extra time. Right now you need to either hack the client or the game, while with the client being open-source it could be as easy as removing most anti-cheat code from the client, and sending manually crafted information about file hashes to the game host. Basically, anyone who knows the basics of C# could do it.

 

Also, no matter how many people have worked on a game anti-cheat system, it's always possible to defeat it. Even big game companies that surely don't lack resources and people for developing an effective anti-cheat system aren't having too much success. Wallhackers and aimbotters are common in CSGO, while League of Legends has camera hacks, automatic skill-use cheats and such.

 

Basically, every anti-cheat system used by games can be defeated, and so they're meant to only make cheating take more effort. The client's current anti-cheat does that, it's mainly meant to prevent casual modders with little to no programming skill from making cheats, and it appears to do that well enough.

 

If you want to make an actually powerful anti-cheat mechanism, you can do it even if the client is closed source. Disassemble gamemd.exe, research it and start doing things. The real way to make a good anti-cheat system is implementing it to the game itself.

Link to comment
Share on other sites

Maybe you should think about an automatic screenshot uploader for ranked ladder games, like Olaf has.

 

Nonetheless, Rampastring and Tore, I respect you guys for your honesty and devotion, you're the guys that really make this site special.

 

 

Link to comment
Share on other sites

In my humble opinion, the best anti-cheat you can create or at least add is to add mandatory automatic screenshots for ranked games that are played on the ladders.

 

There's really no going around it and if someone tries, then it's just a matter of time before they get caught.

 

So that being said, by this definition, strong algorithm, there really wouldn't be a need to keep CnCNet closed source and whoever wanted to could contribute and help you, Rampa.

 

 

The problem with XWIS at the moment is that there's a lot of disconnecting going on and a player who keeps ban dodging and using the control-opponents-units cheat. Often times the admins don't react quickly enough or adequately. Olaf is slow at implementing anti-cheating features. So if you get this done and consequently ban cheaters when they do these things in ranked games you will definitely have the edge over XWIS.

 

 

 

Link to comment
Share on other sites

Can this software be used as a back door to control an innocent machine? I was thinking how safe are those clients that are made to play with the old games like this (all C&C) and the one from Forged Alliance Forever (if you know about Supreme Commander)

 

Since they are not supported by the original developers, they can hide, in the future, malicious code in one of the updates. I know that it will not be the case, but one never knows...

As long as you have a decent antivirus program, it really doesn't matter which site or server you go to. You can always compare results at https://www.virustotal.com/en/ for false positives.

 

But that said, I'm sure the cncnet team won't let 8+ years of work and 8+ years of trust in the fans be ruined by malicious code in their server. I've been using this server since close to its beginnings (but didn't register until about 2011) and haven't encountered any suspicious activity.

Link to comment
Share on other sites

Automatic screenshots require changes to the game executable itself though, which is something that at least I'm not able to do (without having the executable mapped, anyway). So I guess we have no one that's interested in YR and has the skills to implement Auto-SS (not that I'm interested in YR either - I've just shared my DTA and TI client with the rest of the CnCNet team who has wanted to support YR, and helped them with necessary changes. Nowadays Grant takes most responsibility for YR updates).

 

That being said, our ladder is still WIP and it'll be a while before we can really "officially" say that it's ready. Maybe we'll have figured out a decent anti-cheat solution before that.

 

About XWIS, I pretty much consider them done and don't really care about them. They only have the most hardcore RA2 players left, everyone else is playing on CnCNet. I doubt the situation will be reversed with Olaf's mentality either.

Link to comment
Share on other sites

At least in Windows 8 and 10 that tends to be unreliable though. For example, if I take a regular screenshot while I'm playing DTA in full-screen mode, I just get a picture of my desktop instead of the game. All video recording software also just captures the desktop, aside from OBS (Open Broadcaster Software) that I guess utilizes special hardware in my graphics card (AMD VCE) to do its job.

Link to comment
Share on other sites

That's weird, mate. I've never seen that. To hell with Windows 8, 8.1 and 10.

 

I guess that only happens if you're running full-screen? But running full-screen breaks ALT-TAB compatibility for YR in those operating systems, anyway, so people are forced to use windowed mode.

 

Anyways, you could try passing the window handle when getting the display context.

 

Link to comment
Share on other sites

I guess that only happens if you're running full-screen? But running full-screen breaks ALT-TAB compatibility for YR in those operating systems, anyway, so people are forced to use windowed mode.

Yes, it only happens in full-screen mode. And full-screen mode doesn't break alt-tab for me. Based on testing with my own PCs and various PCs from friends and family, plus feedback from DTA players, I think that it depends on your GPU vendor and the DirectDraw wrapper that you use. With TS-DDRAW and an AMD graphics card you're able to alt-tab, while with any other DirectDraw wrapper or an Intel / Nvidia GPU, you're not able to alt-tab.

Link to comment
Share on other sites

I think that it depends on your GPU vendor and the DirectDraw wrapper that you use. With TS-DDRAW and an AMD graphics card you're able to alt-tab, while with any other DirectDraw wrapper or an Intel / Nvidia GPU, you're not able to alt-tab.

Nice observation, mate.  :)  The DirectDraw wrapper explanation sounds about right! Though TS-DDRAW wasn't exactly usable for me on Windows 10, it slowed the game down by about 33% (it got really choppy).

 

 

For that we'd need to buy a digital certificate that is used for the signing, and as far as I know, that costs hundreds of euros. So, not going to happen, unless someone wants to donate us those hundreds.

Indeed: http://stackoverflow.com/a/3129037/

 

Link to comment
Share on other sites
