[MUD-Dev] Quake II has gone GPL

Vincent Archer archer at frmug.org
Fri Jan 18 10:17:41 CET 2002


According to Frank Crowell:
> From: "Nicholas E. Walker" <new at gnu.org>

>> I am a free software bigot.  I am also a good software bigot.  If
>> you keep the hit-points or item list of my character stored in my
>> client, then I can and may change it, with or without the source
>> code.  "If you want it done right, do it yourself." comes to mind
>> for when thinking about designing a system.  I don't mean to
>> imply that any programmer will ever do anything right.  If you
>> want something done securely, you should do it in a secure place.

> A lot of that information is on the server (tucked away in some
> database or secure object) and not on the client.  The basic
> problem with current mud worlds -- all of them-- is that the
> character is private to that mud.  This is a subject for another
> thread.  But anyway, it's fairly hard to edit your character when it
> is really defined outside your system.

At first, this would seem fairly obvious. But, of course, that
depends on exactly how much your client does vs your server.

Two examples:

  For economic reasons, Everquest's client does a LOT of
  processing. The results of that processing are sent to the server,
  which uses them to update its own states. After some validation
  checks. Some.

  Everquest has these items that are flagged NODROP (bad choice of
  words, they're in fact NOTRADE; other games use NODROP to indicate
  items that do not drop from your inventory when you die). If an
  item is NODROP, you can't give it to another player.

  Of course people found out that, if you edited the item status in
  the client, and cleared the NODROP flag, well, suddenly, the
  client would allow you to trade that item. Because the checks were
  done only on the "can or cannot put item in trade window" code of
  the client. No need (well, no apparent need) to do verification
  twice.

  Another thing that is common to these 3D games is the fact that
  movement is continuous, not discrete. It's thus totally impossible
  to send your movement commands to the server, and wait for the
  resulting coordinate upgrade to come back: the resulting physics
  for a character are totally alien to your personal experience
  (people start moving only after a while, resist direction changes
  a lot and can't be stopped easily. This works for a space
  simulation, but not for a walking simulation).

  So the client processes your movement, and sends a string of
  position updates to the server.

  Well, given the vagaries of the Internet, it's perfectly possible
  for a client to stop sending updates for a bunch of seconds, then
  resume connection. It's therefore "better" to assume that you can
  get discontinuous updates.

  And suddenly Joe Cheater has discovered two different variables
  in his client.

  The first one is simple: running_speed. The speed at which the
  client assumes Joe can run in any direction. Touch that variable,
  and suddenly Joe goes twice as fast as a galloping horse. No
  monster can catch him, if the combat goes bad, he runs away faster
  than a speeding bullet. It's no longer Joe, it's the Flash :)

  The second set is even better: character_x & character_y. Now
  suddenly Joe's no longer speeding around as a red blur, he can
  instantaneously teleport to any place (within the zone). No need
  for a boring walk, here I go.

I discovered a milder form of this by accident. I was jumped by a
bunch of monsters during a packet congestion storm on my local
network. I started to run, the monsters stayed in place bashing me -
since from the server POV, I wasn't moving yet. Packet storm
subsided, the updates from the client managed to get in... and
suddenly, I was "warped" away from the enemies.

With the head start I got, I survived. Had I run under normal
circumstances, they would have killed me easily.

Those two examples show why "the character is on the server, there's
not much players can do" isn't exactly right. There's a lot of
cheating that can go on in the client.

--
	Vincent Archer			Email:	archer at frmug.org

All men are mortal.  Socrates was mortal.  Therefore, all men are Socrates.
							(Woody Allen)
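
Both cheats described in the message above work because the server accepts state computed by the client. The following is an added example, not part of the original post and not any game's actual code: the server decides trade eligibility from its own item table and bounds each position update by maximum speed times elapsed time, with the credited time capped so a lag gap allows a larger step but not a teleport. All names and numbers (`MAX_RUN_SPEED`, `MAX_GAP_SECONDS`, the item table) are assumptions.

```python
import math
from dataclasses import dataclass

# Constructed server-side data; names and values are assumptions for illustration.
MAX_RUN_SPEED = 10.0     # world units per second the server allows on foot
MAX_GAP_SECONDS = 5.0    # longest silence the server will credit as movement
TOLERANCE = 1.10         # slack for timing jitter

# Authoritative item flags live on the server, never in the client.
ITEM_FLAGS = {"rusty_sword": set(), "epic_cloak": {"NODROP"}}


@dataclass
class PlayerState:
    x: float
    y: float
    last_update: float   # server clock, seconds
    inventory: set


def can_trade(player: PlayerState, item_id: str) -> bool:
    """Decide from the server's item table; any flag the client sends is ignored."""
    if item_id not in player.inventory:
        return False
    # Unknown items fail closed: treat them as NODROP.
    return "NODROP" not in ITEM_FLAGS.get(item_id, {"NODROP"})


def apply_position_update(player: PlayerState, new_x: float, new_y: float,
                          now: float) -> bool:
    """Accept a client position only if it is reachable at MAX_RUN_SPEED.

    Discontinuous updates after lag are tolerated, but the credited time is
    capped, so a long silence followed by a distant position is rejected.
    """
    elapsed = min(max(now - player.last_update, 0.0), MAX_GAP_SECONDS)
    allowed = MAX_RUN_SPEED * elapsed * TOLERANCE
    dist = math.hypot(new_x - player.x, new_y - player.y)
    if dist > allowed:
        return False     # keep server state; a real server would resync the client
    player.x, player.y, player.last_update = new_x, new_y, now
    return True
```
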