Lord Havoc, you sould read this :I

John · Posted: Fri Oct 06, 2006 4:07 pm Post subject:

Yeah that little asshole Luigi Auriemma pulled some shit with Alien Arena about six months ago. I get an email about some "security issues" with the game, and that I have two weeks to fix the problems and re-release the game before he publishes his "findings". I told him that it might take more time than that, and respectfully asked him not to publish until I have time to work on it, and to which he basically replied "too bad", that it's his "policy" to do this. I find this type of extortion reprehensible to begin with, but the fact that not only does he publish the findings, he freaking publishes the code so that any little asshole can use it and crash servers. Following his release of this, I went through a couple of weeks of hell with servers crashing left and right, until I finally had time to address the issues, which weren't difficult to fix, but I do have a real life that needs attending outside of game programming hobbies.

He has gotten himself into some hot water with some more powerful people, but he seems to think because he is in Italy, that he is immune to Amercian laws and corporations lawsuits. I gots news for him...if they want him, they will get him. He should more carefully watch his step.

While I do understand the need to fix security issues in software, the fact that he attacks freeware games, and games in general, in my mind, makes him an enemy of the gaming world. After all, in the majority of cases, nobody would even give second thought, or know how to exploit these "bugs" if it weren't for little 14 year old no-life having hacks like him showing the way to do it, and then on top of it all, providing said code to the world.
_________________
COR Entertainment

GiffE · Fish Joined: 21 Apr 2006 Posts: 12

I've had his page bookmarked for a while, i used to use his gamespy master list code a while back.
I remember he got into some trouble with the people at gamespy but he has since restarted doing this crap.

DoS attack used to be very common in the old game MOHAA, recently using a dll wrapper a patch was made which basically just stops clients from connecting if they are already (duplicate ip) and the rate at which they connected. His fix and source can be found here if ya want to see how he did it: http://www.mods-r-us.net/page.php?al=mohfillfix only person here who probably knows who I'm talking about is IneQuation (hey rookie one!)

LH please fix as soon as ya get the chance, the engine is great and would hate to see a bunch of jerks ruin it.

LordHavoc · Soldier Joined: 16 Sep 2002 Posts: 88

GiffE · Fish Joined: 21 Apr 2006 Posts: 12

That's what I was trying to say, block multiple connects from a single ip that connect within a certain amount of time.

John · Posted: Fri Oct 06, 2006 9:59 pm Post subject:

Oh, I should mention, Luigi posted his hacks within 3 days of his initial email to me. Guess he didn't read his own "policy".

If I rememeber correctly, the fake player's DoS bug was *not* part of the list he sent me, and I see that Alien Arena is among his listed games that he has a script for to cause it. Nice eh? Find some exploit and don't even inform the developer, so much for his "honor" that he claims to have.

I do think I did something about that though, maybe because R!CH had done something and I ported it over, or saw what he did and made a similar fix.
_________________
COR Entertainment

jitspoe · Posted: Sat Oct 07, 2006 12:37 am Post subject:

So what exactly does this do? Just send an infinite number of challenges and block other players from connecting?
_________________
jitspoe's joint

LordHavoc · Soldier Joined: 16 Sep 2002 Posts: 88

z3ro · Enforcer Joined: 07 Oct 2005 Posts: 287

Personally I think it's a very good thing for someone like Luigi to publish
information regarding vulnerabilities or exploits in programs. If the developers
don't know about them, then they certainly won't get fixed.

Of course, there are people who use such information to cause trouble, but from
what I've read most people (including Luigi) who find these vulnerabilities or
exploits usually contact the developers of the program before publicly releasing
information.

I've also found the information that Luigi published on the Quake 3 network
protocols (master server, etc) to be rather useful and interesting. Although I
don't agree with some of the things he does (such as providing a program
designed to crack rcon passwords) most of the information that he's published is
very useful and interesting.

John · Posted: Sat Oct 07, 2006 3:21 pm Post subject:

Paranoia Agent · Fish Joined: 09 Oct 2006 Posts: 14

Heh, he probably has nothing better to do with his time.

Tei · Shub-Niggurath Joined: 06 Feb 2002 Posts: 2500

Hunting bugs is one thing. Exploiting a weak protocol is other.

"He looks me, mom!, I can use SMTP to send spam and fill a inbox with crap!"

Yea, nice, Mr Genius, SMTP is weak. Was designed that way back before, on a more n�ive era, pre-Web.

Anyway I am against safety by obscurity, If theres a problem sould be fix as posible :I

FrikaC · Posted: Mon Oct 09, 2006 11:00 pm Post subject:

I'm just happy to know that DP has enough of an installed base to warrant this kind of thing.

jalisko · Vore Joined: 08 Feb 2002 Posts: 1654 Location: Asturias

What I hate about these crackie kids is when they tell you they do it for the mind challenge between he and the game coder.

Dude, the game coder has zillions of things to care about. There is no mind challenge, just the desire of getting rid of you asap.
_________________
http://jal.quakedev.com

jitspoe · Posted: Tue Oct 10, 2006 5:38 pm Post subject:

No kidding. It's like 100x's easier to make cheats/exploits than it is to protect against them, too, so every hour some giggly little script kiddie spends finding ways to ruin the game, we have to spend like a week protecting against it.
_________________
jitspoe's joint

LordHavoc · Soldier Joined: 16 Sep 2002 Posts: 88