Yet another Skulltag source thread

[Tango]

stewboy said:

Not necessarily. I check these forums at least twice a day, I just rarely have anything useful to contribute, so I don't post.

Yeah but I've seen a lot of "ZDOOM AND DOOMWORLD ARE FULL OF MEANIES" type messages on skulltag.

[Cutman]

Yeah I've never understood that about the ZDoom forums, and the nickname "ZTheatre". The only drama we get is from people coming in, not understanding something or wanting people to do entire levels/decorate for them and getting pissed that we turn them down and point them where to learn how to do what they want.

[Aabra]

Wow, I hadn't checked this thread in a while and it's grown exponentially. I'm happy that there's some good, constructive discussion going on regarding the matter at least.

Anyways, as you can see by posts from other Devs like Torr - opening the source is something that we would *like* to do. There's no way that it could ever happen though without some serious closed source anti-cheat modules. I just don't see the entire team getting on board without that.

Preparing the code for open source would be an extremely time consuming process and there are still so many other things that we're working on. Just don't think that we're all anti-open source or anything because I think it's quite clear that we support the idea.... but at the same time we need to do what's best for our userbase.

[Carnevil]

Even I told them that if they can prove to me that it can be just as secure as it is now and open source at the same time, I'd give them permission to make it open source.

[chungy]

Ah! So to get permission to open source it.... they need to open source it first.

What the hell kind of sense does that make?

[Aabra]

MikeRS said:

Ah! So to get permission to open source it.... they need to open source it first.

What the hell kind of sense does that make?

You seriously misinterpretted Carn's post I think. Basically what Carn is saying is that a *lot* of work regarding security would need to be done before making it open source.... which is pretty much in tune with what the rest of the ST team thinks as well.

[Manc]

But for anyone to prove it they'd need the source first, and if they only people with the source are in agreement that closing it is the "safest" thing to do for security, then in essence the source would have to be open in order to prove it's open source.

[Gez]

Mancubus II said:

But for anyone to prove it they'd need the source first, and if they only people with the source are in agreement that closing it is the "safest" thing to do for security, then in essence the source would have to be open in order to prove it's open source.

I suppose the way to do it would be by showing an open-source direct competitor to Skulltag, with at least as many players at any given moment, and at most as much cheating as Skulltag.

So, it's up to Odamex to rise to this level of popularity in the user base.

[Carnevil]

Holy crap are you guys deliberately TRYING to misinterpret me? What I mean is that if they can demonstrate to me a sufficient amount of anti-cheat measures (closed source modules (which is hilarious, BTW), etc.) and a plan for dealing with cheats in the future should they arise, then the source can be released. Really what I'm looking for is a plan and an implementation of everything in that plan that needs to be done prior to releasing the source.

There. Sheesh.

[Torr_Samaho]

As already mentioned, denial of information methods can only be used to reduce the effectiveness of aimbots, but as soon as an opponent is visible on the screen, an aimbot has all information it needs. DOI may be effective against wallhacks, but can't really keep aimbots at bay.

Any other suggestions? If not, I'll guess I have to conclude that a closed source anti cheat module is the only feasible solution.

[myk]

Carnevil said:
(closed source modules (which is hilarious, BTW), etc.)

Why hilarious? They should serve their anti-cheating purpose and yet allow the source to be available. Assuming a module is not mandatory, that is. It would be available for anyone concerned about cheats; in general or due to circumstances, such as for a tournament.

[Manc]

Carnevil said:

Holy crap are you guys deliberately TRYING to misinterpret me? What I mean is that if they can demonstrate to me a sufficient amount of anti-cheat measures (closed source modules (which is hilarious, BTW), etc.) and a plan for dealing with cheats in the future should they arise, then the source can be released. Really what I'm looking for is a plan and an implementation of everything in that plan that needs to be done prior to releasing the source.

There. Sheesh.

And just how the fuck do you expect people to develop a detailed plan and implementation without having the source? It would have to be guess work and theory without knowing what's going on. What about THIS concept can you not understand? No one is trying to deliberately misinterpret you - I would think people have slightly better things to do than that. The simple fact of the matter is what you're asking for cannot be done without having the source.

Gez said:

So, it's up to Odamex to rise to this level of popularity in the user base.

While our ultimate goal does not include "getting more players", we are striving to be an example for other multiplayer ports that open source is entirely possible. Personally, when it comes down to it, I don't really care whether st is open source or not - I look at it as win/win regardless.

[Carnevil]

Mancubus II said:

<stuff>

Carnevil said:

Even I told them that if they can prove to me that it can be just as secure as it is now and open source at the same time, I'd give them permission to make it open source.

I'm pretty obviously talking about the ST developers WHO OBVIOUSLY HAVE THE SOURCE.

Myk said:

Why hilarious? They should serve their anti-cheating purpose and yet allow the source to be available. Assuming a module is not mandatory, that is. It would be available for anyone concerned about cheats; in general or due to circumstances, such as for a tournament.

Open sourcers: Open the source! Being open-source is more secure! It will help prevent cheating!
Me: And how do you counter <list of techniques>?
Open sourcers: Well you see, you have to have a closed-source module...

Give me a break. I've heard nothing but proclamations over the past couple years (this certainly isn't the first thread about this) about how "security through obscurity isn't a good way to make things secure," and then these people argue for, essentially, security through obscurity. It's ludicrous. The more open the source is, the less obscurity there is, and the less protection there is. Security by design can only go so far. Unless security by design or obscurity are infinitely secure (and they're not in this case), they have to work in tandem to be effective.

Arguing that being open-source is more secure, but then arguing for a closed-source module for security is hilarious.

[myk]

Carnevil said:
I've heard nothing but proclamations over the past couple years (this certainly isn't the first thread about this) about how "security through obscurity isn't a good way to make things secure," and then these people argue for, essentially, security through obscurity.

Who argued this? Here? Please quote the parts that say that in an open source environment it's easier to handle cheating than in a closed one. At least, don't generalize.

In any case, "secure" is not the best word, but rather "cheat-proof".

The closed source module idea is simply a way to address the needs of those who consider cheat-control by obscurity is a necessity, while still allowing the source to be open.

[RTC_Marine]

I like to be on the constructive side of arguments like this more than anything. Because atleast you guys have some sort of want to release the source, only there is a log in the road.

One of the odamex devs posted a wiki article, saying that you could maintain the entire game state in a virtual machine, have a look here.

The other obvious option is to arrange the source code so it has all the stuff you want to keep secure in closed source module. which is pretty much the same thing you said and is similar in concept to the vm idea stated above.

These are peculiarities if you want to make it severely difficult for cheaters. Presuming that is part of the project plan.
At the end of the day, if the game is too difficult to play for someone who cheats, then there would be no point in cheating at all.

[LexiMax]

I disagree with the need for a closed source security module and still stand by my opinions that the community should be self-policing. Closed source security modules have the exact same 'security through obscurity' problem as closed source game code and are just as susceptible to bypass; Warsow 0.30 had an aimbot that bypassed Battle-Eye, and the ezQuake security module has been proven trivial to bypass as well. And of course, to muddy the waters further, Quake 3 has been both closed source WITH a security module and open source WITHOUT one, and the community is gravitating towards open source as people realize how little you gain by using anti-cheat compared to what you gain by making the source open. Somehow, the communities of all three games have failed to descend into chaos and have all been better off for it.

However, myk has a very good point:

myk said:

The closed source module idea is simply a way to address the needs of those who consider cheat-control by obscurity is a necessity, while still allowing the source to be open.

Exactly. The security module would be optional. That's the whole point of using a closed source security module as opposed to keeping the entire source closed. You can 'opt out' of one security measure if you want the freedom to modify the source code. You can't exactly 'opt out' of anything if the entire game is closed source, because there's just no access except by the whim of a developer, period.

[Quasar]

Hopefully having it active on a server would also be optional, as commercial anti-cheat modules now border on malware and have behavior typically only seen otherwise in spyware, trojans, worms, and viruses, such as disk scanning, memory scanning, and keylogging. They actually have enormous untapped potential for abuse. In this age I wouldn't open my system up to this type of invasion. Anyone could be watching on the other side.

It would be prudent to look at the experiences of some players on games which use commercial anti-cheat packages before considering following in their footsteps.

[exp(x)]

Once again, I agree with AlexMax.

[Manc]

Carnevil said:

I'm pretty obviously talking about the ST developers WHO OBVIOUSLY HAVE THE SOURCE.

Yeah saying 'they' makes everything real obvious. So you're basically saying that this very small group of privileged users must take it upon themselves to prove to you that others can have what they have in secret.

Yeah I'm sure there's lots of incentive for them to get going on that one.

Carnevil said:

Arguing that being open-source is more secure, but then arguing for a closed-source module for security is hilarious.

Agreed! There's no point in it. I'm not sure it's hilarious, but laughable at any rate.

[Carnevil]

Mancubus II said:

Yeah saying 'they' makes everything real obvious. So you're basically saying that this very small group of privileged users must take it upon themselves to prove to you that others can have what they have in secret.

Yeah I'm sure there's lots of incentive for them to get going on that one.

Hey, I can't help it if you didn't get it. I thought it was fairly obvious who I was talking about given the context. Aabra got it.

And they want to open the source. They have enough incentive.

myk said:

Who argued this? Here? Please quote the parts that say that in an open source environment it's easier to handle cheating than in a closed one. At least, don't generalize.

Pretty sure it was Graf in a news thread somewhere concerning Skulltag. Sorry, but I'm not going to go dig it up. You must have me confused with someone who doesn't have anything better to do.

AlexMax: You can't rely on self-policing because you can't always tell when someone's cheating. It's not like someone has a massive sign above their head saying "I'M CHEATING." A cheat isn't any good if it's detectable.

[chungy]

Aabra said:

Basically what Carn is saying is that a *lot* of work regarding security would need to be done before making it open source.... which is pretty much in tune with what the rest of the ST team thinks as well.

If so much work needs to be done, then Skulltag is already hopelessly insecure (at least, "hopelessly" may be an exaggeration...). Look and Microsoft Windows or IIS; they're closed source, yet have hundreds of exploits. That didn't happen because someone peaked at the source code (indeed, the small snippet of Win2000 source code that was leaked, ended up with only one exploit forming from it).

[myk]

Carnevil said:
Pretty sure it was Graf in a news thread somewhere concerning Skulltag. Sorry, but I'm not going to go dig it up. You must have me confused with someone who doesn't have anything better to do.

I'm afraid you missed the point. And I'm not Mancubus II... nor Graf Zahl either, for that matter.

[Aabra]

I can't *believe* that some people couldn't figure out that when Carnevil said "they" he was referring to the Skulltag Developers who currently have access to the source... It's like if you see a McDonald's commercial and some guy says "We want to serve you better!" You think that the "We" is referring to the actor and his friends as opposed to the company.

Heck we have 4 active coders right now: Torr Samaho, Rivecoder, Blzut3, and Karate Chris. That's a lot more than most ports can claim.

Also when I say a lot of work - please realize that Skulltag is far from 'hopelessly insecure'. That's simply not the case. The amount of security work that's been done over the past couple of years is quite impressive and the lack of cheats is a direct result of that. Preparing something for open source however is quite a different thing. Making closed source security modules is no small project and requires a lot of work, time, and effort.

That being said it's not something that our excellent team of coders couldn't handle. Just look at how fast they're churning out new releases, features, and bug fixes. It's scary. Is preparing to open source the code priority #1 at the moment? Well, that's something else to debate over when there are so many other things that demand their attention and are obviously a lot more fun to code.

[Cutman]

I have yet to see anyone answer this so, why DO people still want the source code for it?

[myk]

Cutman, what do you mean by that?

I'm asking because reasons related to development, the sharing spirit of the community (based on Carmack's offering), and the (bad) effect of having closed sourced online ports on the user base were all given in this thread.

[Kira]

The answer is in the first post Cutman :

Quasar said:

I'm not so keen on looking at their net protocol anyway; it's more the gameplay kinds of things I would be interested in.

[Cutman]

Oh ok. It was a question for everyone though really, I'm just curious to see what everyone wants it for.

[DaniJ]

Personally, I'd like to see the code released primarily because of id's precedent in releasing the DOOM source in the first place. Other than that, I am interested in seeing how the mechanics behind Skulltag's net code interface with the (Z)DOOM side of things. Curiosity basically.

[RTC_Marine]

DaniJ said:

Personally, I'd like to see the code released primarily because of id's precedent in releasing the DOOM source in the first place. Other than that, I am interested in seeing how the mechanics behind Skulltag's net code interface with the (Z)DOOM side of things. Curiosity basically.

Ditto

[exp(x)]

Since I'm not a programmer, I don't really care about the actual content of the source code. I want it to be open because having it closed is against the spirit of Carmack's release.