|
 Joined: 22/12/08 Activity:  | Our team has decided to stop using the SBSRV plugin. The reason behind this is that the banlist has been build upon unreliable data, which was disclosed by foens somewhere in December 2009 and later posted about on your frontpage in April. We think that the only correct decision, in order to keep the trust of your community and to retain full integrity, is to clear the SteamBans banlist entirely and start from scratch after you can guarantee that SteamIDs in submitted demos can be verified with complete certainty.
What is the reason that there's a hold on new submissions while old submissions are still being processed? Both can't be trusted.
I'm also wondering what other teams think about this. Posted: 27/09/10 15:13:42 | Delete | Edit | Quote | Send IM |
|
|
 Joined: 28/12/04 Activity:  | The reason why there is a hold on new submissions for HL1 engine is exactly that post about unreliable data. Until then there was no knowledge about fooled proofs, so our banlist is clean from false bans as far we can say. There is a new pluginversion in progress that fixes this security hole. Demos from before that date are also save to process, that's why we still handle them.
Posted: 27/09/10 18:59:56 | Delete | Edit | Quote | Send IM |
|
|
Joined: 22/12/08 Activity: | |
|
|
 Joined: 20/09/05 Activity: | I will add a larger comment here in the next days because I suffer too much personal disappointment here but I have to protest strongly against your second claim.
After we got word about that plugin which makes it possible to change steamids with two clicks the submission were closed and there were no submission which were accepted since this time. Your teammate MartinShos should know that!
I'm not talking about the theoretical possibility of changing steamids. Keep always in mind that when a hacker really wants to do it and he got the time he will manage it. That's one of the basic rules of the internet. Posted: 27/09/10 19:58:22 | Delete | Edit | Quote | Send IM |
|
|
Joined: 22/12/08 Activity: | The disclosure was posted before or on November 18 2009, by foens. Our team's latest submitted demos stem from March this year. I don't see how this undermines my second claim.
Wook said:
 | After we got word about that plugin which makes it possible to change steamids with two clicks the submission were closed and there were no submission which were accepted since this time. Your teammate MartinShos should know that! |  |
Everyone knows that, there was even a news item on your frontpage about it. I also posted about this in my first post.
Wook said:
| I'm not talking about the theoretical possibility of changing steamids. | |
It wasn't only theoretical, actual evidence was posted. But I guess this is where we have a different opinion then. Posted: 27/09/10 20:14:57 | Delete | Edit | Quote | Send IM | Edited: 27/09/10 20:20:03 by 8088 |
|
|
Joined: 20/09/05 Activity: | The disclosure that a data can be altered on a dedicated server is older then some of our community member. He was referring that this was possible. The chance noneless are quite small. This is also a fact. I see a difference when I'm aware of a plugin that is published for everyone and a small possibility that a over average coder can recode a dedicated server to alter steamids. I hope you see my point.
In over five years of steambans.com I have never seen a protestee who accussed that his steamid was altered or where was reasable believe that it wasn't him playing.
We took every percausion to react to such situation and we would have ask Valve for Valdidation infos like we already do when someone got valid proof for his account hijacked.
Unlike many other anticheating team or communites we never claimed to have a 100% system as this is impossible in this buisness. That is another fact. But we improve ourself all the time and try to make a difference. Posted: 27/09/10 20:28:50 | Delete | Edit | Quote | Send IM |
|
Tomato  Forum support / Watchlist Agent |
 Joined: 26/08/06 Activity:  | |
|
|
Joined: 22/12/08 Activity: | Wook said:
| The chance noneless are quite small. This is also a fact. | |
I see your point, but, fact or not, I think this is a naive stance.
Tomato said:
| We are only processing cases where the evidence was proven unsubstancial. All demos where the evidence was substantial enough to warrant a ban were put on hold until the new system was developed and tested. | |
Our team has received confirmations of bans, based on demos that were recorded after the disclosure. But I suppose the only requirement is that they had to be recorded before the submission lock in April.
Anyway, I see now why you are still processing relatively new demos. I guess we have different views on the term 'safe'. Posted: 27/09/10 21:01:19 | Delete | Edit | Quote | Send IM |
|
|
 Joined: 26/05/04 Activity:  | Posted: 28/09/10 07:02:59 | Delete | Edit | Quote | Send IM | Edited: 28/09/10 07:12:44 by QuakerOates |
|
|
Joined: 13/11/09 Activity:  | I am the one that wrote the forum post that 8088 is referring to.
I am very happy that someone actually cares about this topic. Many people install SteamBans' plugin to protect their server from hackers, cheaters and the like. When they install such a plugin, I think they should be reasonable confident that they are banning people rightfully. I am glad submissions are closed, but this only happened when a public plugin was released - who knows who had access to such plugins before, or had coded it themselves - no one knows and therefore, in my opinion, no bans made by SteamBans are very secure.
My post made it clear that the effort needed to falsify proof was not very substantial. SteamBans chose to close and later delete the post. I guess the reasoning behind was not to let the public know that their proof was not very secure and to make it harder for people to alter proofs using the technique I used.
When I posted the problem, I hoped that SteamBans would work with me to fix the issue. I never felt that they actually wanted to fix it, and I felt I was a plague for them. Because I did not feel that SteamBans actually wanted to address the issue, I am not confident when SteamBans tells us, that they are making a fix for the issue. If the sourcecode of the plugins were made public, such confidence issues could be resolved. In my opinion there is no reason what so ever to keep the plugins used on the servers private and secret. The plugin serves no purpose in detecting cheats, and therefore it will not matter that "enemies" of the plugin knows it's sourcecode - but people working with SteamBans will be able to see faults, bugs or security problems which can then be fixed. Having one or two internal coders on such a project is not mature in my opinion.
Though I have my doubts about a fix, I hope that SteamBans is correct this time, and a fix for the problem is on the way. Posted: 29/09/10 09:03:25 | Delete | Edit | Quote | Send IM |
|
|
Joined: 28/12/04 Activity: | Wook said:
| The disclosure that a data can be altered on a dedicated server is older then some of our community member. He was referring that this was possible. The chance noneless are quite small. This is also a fact. I see a difference when I'm aware of a plugin that is published for everyone and a small possibility that a over average coder can recode a dedicated server to alter steamids. I hope you see my point.
In over five years of steambans.com I have never seen a protestee who accussed that his steamid was altered or where was reasable believe that it wasn't him playing.
We took every percausion to react to such situation and we would have ask Valve for Valdidation infos like we already do when someone got valid proof for his account hijacked.
Unlike many other anticheating team or communites we never claimed to have a 100% system as this is impossible in this buisness. That is another fact. But we improve ourself all the time and try to make a difference. | |
Nothing to add here foens.
We made our position clear.As the amxmodx plugin was released there was no discussion about that submissions had to be closed. After i found the plugin it took 5 minutes and they where closed. In fakt, i had to delete a few submissions done by myself because of that.
And you are wrong this time. A fix is in closed beta stadium and we hope to complete it next onth so we can release a public beta.
The reason why we do not open the sourcecode should be very clear, especially for you foens, and i really wonder why you ask such a question at all.
If we make the sourcecode public, the checksum we use to verify most of the data could be easily changed and anyone could do what he wants with it. Starting from faking STEAM_ID's, adding their servers to our service without valid license over spamming our database to eigther read all banned ID's or simply to spam it until it closes.
Posted: 29/09/10 15:35:27 | Delete | Edit | Quote | Send IM | Edited: 29/09/10 16:07:00 by Wook |
|
|
Joined: 13/11/09 Activity: | You are right Mordekay, I was too fast in saying a full source disclosure was a good thing. The parts that are only secure kept hidden should of course not be disclosed. What I would like to see publicly available was the fix you have found. If it is indeed secure, then there should be no problem showing this to the public. We might be able to see use cases where "enemies" might be able to bypass the system. It might be that you simply do not want to give out your solution in code, but then it might be possible to tell about the general idea of the proposed fix. I think a public discussion about a security fix is much more robust then a privately kept solution. This is all to evident in many security domains (a good example is GSM), and I hope you will not make the same mistake. Posted: 30/09/10 08:03:34 | Delete | Edit | Quote | Send IM |
|
|
 Joined: 01/10/05 Activity:  | A system like SteamBans will always be vulnerable to Steam ID spoofing. Steam ID spoofing isn't new, I've known about the possibility of faking Steam IDs.
As shown in earlier posts I made.
http://www.steambans.com/forums.php?fid=5&tid=7105
Unfortunately, even with this "new" stuff for the SteamBans plugins it is still possible to spoof Steam IDs and always will be. Seeing as any code that has to run on a remote machine is vulnerable to manipulation.
It is entirely possible to spoof Steam ID's without touching server code as well. (i.e., packet alteration, etc)
I wish this project some success with SteamBans Guardian. However, I do not believe it can replace KAC. And it definitely doesn't come close to what I'm working on. Posted: 25/10/10 01:08:47 | Delete | Edit | Quote | Send IM |
|
|
Joined: 28/12/04 Activity: | Your "earlier" post is already two years old. I guess you know how long good things can take until they are finished. Creating a system that works on many systems is always vulnerable, so your will it be too. Personaly i don't want to replace any AC-sollution as it should always be a cooperation working against cheaters.
Posted: 25/10/10 08:58:35 | Delete | Edit | Quote | Send IM | Edited: 25/10/10 14:45:53 by Mordekay |
|
|
Joined: 20/09/05 Activity: | Your last three sentences show me why you want to join this topic 
The plugins are in a closed beta now and we have positive success with the "new" stuff. Did anyone said that we can make a server spoofingproof ?
There is always more than one way to fix a problem and conceptional work was a pain in the ass here. Posted: 25/10/10 16:08:40 | Delete | Edit | Quote | Send IM |
SB Senior Admin.
SB Protest Admin.
