Re: Doubleboxing, the MAC address might be suitable to allow the module/server to determine that the two player accounts are on the same physical machine, and so if the MAC addresses are different, they could be allowed.
I was always against any restriction for Stacking Traps and Transition Abuse. The first can be overcome by investing in the detect skill and limiting access to powerful traps, and for me it's more like you spend time to get 5 rare traps because the mechanics don't allow you to build one powerful one.
The second is also part of planning; knowing that you have computer is like not being a runner, just talk yourself out of the situation, or if you are pursuing someone just make sure to be prepared (traps, hold, flesh to stone spells/scrolls).
Ugh, definitely against any hardcoded anti double boxing.
As a household that has more than 1 NWN player it'd be a pain to have to go begging to servers to please whitelist our ip.
I've had servers ask for crazy intrusive stuff to prove that a husband and wife team play and I'd really rather not see that mentality made into an institution.
There are other ways of catching multiboxers too. Input automation is quite obvious, but alt-tabbing between characters takes a little more work to catch. I would start out any multiboxing measures by having clear community rules and explaining the reasoning behind them, and then trust your core players to help root it out.
I'm sorry, but publicly writing about unfixed exploits is not the best idea. Can we please close this thread before someone posts an actually useful and uncommon one?
If you know about exploits that should be fixed in the game, please message the devs privately.
I have to disagree with this. Keeping exploits secret from PW developers does not help anyone (except maybe the blackhats who already know about the exploits). Many of the exploits have scripting or other mitigations that PWs could use to protect themselves...but only if they know what needs to be protected against. Otherwise each PW has to go through the same pain and discovery process, get shafted for a while, figure out a way to stop it, while losing players etc.
Certainly telling the devs is a good idea, but others need that information too. Just look at the clusterfsck around the meltdown/spectre embargoes.
Ugh, definitely against any hardcoded anti double boxing.
As a household that has more than 1 NWN player it'd be a pain to have to go begging to servers to please whitelist our ip.
I've had servers ask for crazy intrusive stuff to prove that a husband and wife team play and I'd really rather not see that mentality made into an institution.
Played in the LOTRO beta. Invested heavily in the RP community by not only building our own guild but holding festivities and recruitment drives for our fellow RP guilds to help the community thrive and new players find a home. I even mastered crafting, which is something I don't normally do, but I wanted to supply new guild members with new weapons and armor.
Two months into launch Turbine put in harsh anti dual boxing code and the Wife and I could no longer play together at the same time. We had to throw in the towel and hand the guild over to a soft hearted friend.
And on the NWN front, I had one player who made an account of his own NPCs to use in RP situations so whenever you RPed with him there was a chance he would bring in his own random encounters. He had no desire to be a DM but having some commoners he could drag in on a dual box opened up his options.
All of those can be fixed.
Stacking Traps - Replace trap system with cast spell place traps on trap items, that run through a script instead of standard system. This will allow you to check for nearby traps before placement and cancel if they are too close, also allow you to control the place trap DC / failure etc... (Did this in my HR base) trap routing system.
Transition Abuse - This is the same thing in all PVP: the guy with the faster computer got the shot off faster, and anyone will adjust as needed. This can be mitigated with transition scripting. I see this as minor and players understand it.
Continual Flame and Merchants - Adjust 2da so light property gives no boost to value.
Hostile/Non-Hostile Greater Sanctuary bug - Script on door, placeables, actions like casting spells even non-hostile, canceling this / short time duration have already been explained.
Double Boxing - On client scripts to log and handle this have already been shown and PW people deciding how many players can be on an account has already been established.
I have to disagree with this. Keeping exploits secret from PW developers does not help anyone (except maybe the blackhats who already know about the exploits). Many of the exploits have scripting or other mitigations that PWs could use to protect themselves...but only if they know what needs to be protected against. Otherwise each PW has to go through the same pain and discovery process, get shafted for a while, figure out a way to stop it, while losing players etc.
Certainly telling the devs is a good idea, but others need that information too. Just look at the clusterfsck around the meltdown/spectre embargoes.
Arguable for exploits that are fixable. Of the ones Djinn mentioned, only the sanctuary would actually be considered an exploit, but that is also easily fixable.
I'm concerned about actual exploits that are very hard or impossible to patch, or even detect. DJinn reported one of (mostly) that kind in another thread, and it was rightly censored by the devs. There's others, and I really wouldn't want people posting them.
Funny you should mention spectre - I actually think that was handled relatively well by the industry. There's plenty of room for improvement, but compared to just revealing a vulnerability, this was pretty well done.
Spectre was not handled well. Ask the FreeBSD people, or any of the other affected vendors who did not find out until it leaked a week before the official end of the embargo. Plus there was a lot of misinformation, partly due to the secrecy and people having to guess. We're still dealing with it and will be for a long time to come. True, some of that is just the nature of the bug but part of the mess was how badly it was handled.
As to the other parts, I'd consider all of those to be exploits. And all those listed can be addressed by PW admins/devs. If there are exploits that can only be fixed with code then BD should fix them. If there is nothing the PW can do then maybe they could be hidden but even then it might be nice to know what to watch for... If one person found it someone else will too.
As a household that has more than 1 NWN player it'd be a pain to have to go begging to servers to please whitelist our ip.
I've had servers ask for crazy intrusive stuff to prove that a husband and wife team play and I'd really rather not see that mentality made into an institution.
Please. If this becomes the norm in NWN, you'll see it driving away players that might live together faster than anything.
Sometimes I think exploits exist across all MMOs/RPGers. The worst exploits are the ones that only tweak your abilities slightly. You get an advantage, but it's not so obvious. Such exploits are undetectable.
The worst exploits are the ones that only tweak your abilities slightly. You get an advantage, but it's not so obvious. Such exploits are undetectable.
I disagree. The worst exploits are those that let you take over the server, wipe everyone's characters and use all players as a botnet to mine bitcoin / DDOS websites. Yes, these exist. All known ones are fixed (or will be?) in EE, but there are certainly more we've never seen before. And 1.69 servers are still vulnerable.
Ask the freebsd people
They did pretty explicitly say that they will not participate in industry's disclosure practices and would immediately announce any vulnerability they are notified about. That's a sure-fire way to get excluded from the in-the-know group.
Going back to the previous exploits, I would never share something like described above with anyone who believes all exploits should be public.
FreeBSD was just one example. But anyway, exploits should be fixed. Keeping them secret so that only the in-the-know crowd can protect themselves is fine as long as people who care have a way to be in that elite, special, shiny group. But that has not been the case in NWN. If there are server-side fixes for known exploits, then keeping them secret is a disservice to PW admins.
If not public then what... How do I get the information I need to protect my servers from known exploits? Is there an invite only mailing list or forum? There's at least one listed earlier in this post that I had not come across before that I need to look into. I'm not arguing here strictly from a philosophical difference of opinion about the value of keeping vulnerabilities secret. It's a practical concern too.
There used to be NWNX plugins that plugged these vulnerabilities. Sometimes distributed without the sources even. I know niv wrote one that fixes an RCE exploit; best check with him what's the status there.
I haven't actually run a server in a long time, so I didn't pay too much attention to it, sorry.
I like the WSAD one that when used into a transition you can jump right across the next area and get loaded in the area after that one. Saves time moving or avoiding large groups of monsters.
Most of these aren't exploits. Things like item duping, using epic spells repeatedly in rapid succession, and crashing clients are all exploits, something like continual flame on weapons is just unwanted behavior.
All of those can be fixed.
Stacking Traps - Replace trap system with cast spell place traps on trap items, that run through a script instead of standard system. This will allow you to check for nearby traps before placement and cancel if they are too close, also allow you to control the place trap DC / failure etc... (Did this in my HR base) trap routing system.
Transition Abuse - This is the same thing in all PVP: the guy with the faster computer got the shot off faster, and anyone will adjust as needed. This can be mitigated with transition scripting. I see this as minor and players understand it.
Continual Flame and Merchants - Adjust 2da so light property gives no boost to value.
Hostile/Non-Hostile Greater Sanctuary bug - Script on door, placeables, actions like casting spells even non-hostile, canceling this / short time duration have already been explained.
Double Boxing - On client scripts to log and handle this have already been shown and PW people deciding how many players can be on an account has already been established.
Hi @ShadowM, this is very helpful information. Can you provide further insight on how a replacement of the trap system might operate? The other stuff here is pretty manageable for my small team but overhauling traps and drawing trap triggers via script is not something I currently know how to do. Is there something you can point me to?
There are several ways you could create an alternative trap system. If you largely want to preserve the current system then you should look at traps.2da and change the blueprint references in the ResRef column to a different item. This item is now used to call a script and set the trap (CreateTrapOnObject and CreateTrapAtLocation) after you do your checks and animations.
@DM_Djinn FreshLemonBun has pretty much covered the surface, but if you look at the traps.2da you'll notice that it's set up pretty much like the spells.2da because each trap has its own script. You can change all these to point to one script (a trap routing script); this will allow you to override the standard trap's action when triggered with anything you can script, or even just allow the trap to function as it was intended. For placing traps, just make a new spell called Use: Set Trap, then make it usable on items and add them to your new trap kits or override the old trap kits' blueprints. This will allow you to gather data on the person setting the trap, where they're setting it (if there's another trap close by), if the PC has X feat give the trap bonus damage, etc... Look at my HR Base module in scripts for setting the traps, hr_inc_spellab, hr_spell_routab (custom function SET_TRAP), and my traps.2da to get a better idea, and come back for any more questions. For when the trap goes off, look at scripts hr_traps_router and hr_inc_traps for custom functions. I have a few trap kit examples in custom / miscellaneous / kits. Hope that helps.
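One way to implement the placement check described in the two replies above, as an added example that is not code from HR Base or from anyone in this thread: the impact script for a hypothetical "Use: Set Trap" item spell that refuses to place a trap too close to an existing one. The local variable names, the spacing value, the DC formula and the `pc_trap` tag are assumptions, and the kit is assumed to carry an unlimited-use cast-spell property so that the script decides when it is consumed.

```nwscript
// Added example. Assumed locals on the trap kit blueprint:
//   KIT_TRAP_TYPE  row index in traps.2da (0 is the first row)
//   KIT_SET_DC     Set Trap DC for this kit
const float  MIN_TRAP_SPACING = 5.0;   // metres between traps; tune per server
const string VAR_TRAP_TYPE    = "KIT_TRAP_TYPE";
const string VAR_SET_DC       = "KIT_SET_DC";

// TRUE if a trapped trigger already lies within fRadius of lSpot.
// Only ground traps (triggers) are checked, not trapped doors/placeables,
// and the distance is measured to the trigger's reported location.
int GetIsTrapNearby(location lSpot, float fRadius)
{
    int nNth = 1;
    object oTrig = GetNearestObjectToLocation(OBJECT_TYPE_TRIGGER, lSpot, nNth);
    while (GetIsObjectValid(oTrig))
    {
        // Results come back nearest-first, so stop once out of range.
        if (GetDistanceBetweenLocations(lSpot, GetLocation(oTrig)) > fRadius)
            return FALSE;
        if (GetIsTrapped(oTrig))
            return TRUE;
        nNth++;
        oTrig = GetNearestObjectToLocation(OBJECT_TYPE_TRIGGER, lSpot, nNth);
    }
    return FALSE;
}

// Use up one kit from the stack.
void ConsumeKit(object oKit)
{
    int nStack = GetItemStackSize(oKit);
    if (nStack > 1) SetItemStackSize(oKit, nStack - 1);
    else DestroyObject(oKit);
}

void main()
{
    object   oPC  = OBJECT_SELF;             // user of the kit
    object   oKit = GetSpellCastItem();
    location lAt  = GetSpellTargetLocation();
    if (!GetIsObjectValid(oKit)) return;

    // Anti-stacking check: reject before anything is consumed.
    if (GetIsTrapNearby(lAt, MIN_TRAP_SPACING))
    {
        FloatingTextStringOnCreature("Another trap is too close.", oPC, FALSE);
        return;
    }

    // Server-controlled set DC instead of the engine's built-in roll.
    int nRoll = d20() + GetSkillRank(SKILL_SET_TRAP, oPC);
    if (nRoll < GetLocalInt(oKit, VAR_SET_DC))
    {
        FloatingTextStringOnCreature("You fail to set the trap.", oPC, FALSE);
        ConsumeKit(oKit);
        return;
    }

    object oTrap = CreateTrapAtLocation(GetLocalInt(oKit, VAR_TRAP_TYPE), lAt, 2.0, "pc_trap");
    SetLocalObject(oTrap, "TRAP_SETTER", oPC);   // remember who placed it
    SetTrapDetectDC(oTrap, 10 + GetSkillRank(SKILL_SET_TRAP, oPC)); // assumed formula
    WriteTimestampedLogEntry("TRAP set by " + GetPCPlayerName(oPC) + " (" +
        GetName(oPC) + ") in " + GetTag(GetArea(oPC)));
    ConsumeKit(oKit);
}
```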
Double Boxing - Maybe this is one for a server or module switch to disallow? Simply put, unless a PW has created scripts to detect players who play two accounts from the same IP address, double boxing is an easy exploit to get away with. There is a use-case where multiple players in the same household would create this situation, but "double boxing" is generally prohibited by nearly every roleplay community.
this is impossible to "fix" without risk of false positive situations
I'm sorry, but publicly writing about unfixed exploits is not the best idea. Can we please close this thread before someone posts an actually useful and uncommon one?
If you know about exploits that should be fixed in the game, please message the devs privately.
Is there some place or resource or person that 'would be' server admins are supposed to go to to fix all these problems that many in the community have figured out how to fix? I've been wanting some kind of list forever so I can fix/know about all these problems. Or at least have a full list of fixable bugs/exploits with their solutions (keep the unfixable ones out). And I hate to think negatively but I've always felt like part of the community may have been holding back info so that competing PWs fail. I hope that's not the case but I can't help thinking it.
I believe it was about 2005 when I joined the old BioWare forums and started to learn nwnscript from the likes of AxeMurderer, FunkySwerve, Rolo, Krit, to name a few. Even then I remember this same topic coming up several times and again people would shut it down. I mean I get why but at the same time I don't, because the only way to fix it IS to talk about it and to post solutions including scripts and "How Tos" for every PW builder to be aware of. I've figured out some in that time but probably still not aware of all of them.
Most likely because those with less technical expertise are most at risk and publicly posting what could effectively be a tutorial on how to hack your server for anyone curious isn't in your best interest.
Besides that most of the concerns aren't actually exploits and you would probably have better luck asking a question on the scripting forum, or posting a bug report if it's a bug.
...and you would probably have better luck asking a question on the scripting forum...
I've actually tried this over the years (including recently on the topic of how best to go about persistent storage) and have run into the same problem. Here's an anecdotal example.
~item duping is a problem
~how is it a problem, what exactly are they doing to make it happen
~can't post it cause then people will know how to do it
~ok well how do I prevent it
~cricket...cricket...cricket
This same back and forth has been going on since the dawn of Neverwinter forum time. If you don't at least know what the fixable exploits are, you can't fix them. And if you can't ask what they are then you won't know what to ask that needs to be fixed or what to even ask for on the scripting forum. So again where is a person supposed to start?
No one is entitled to anyone else's time or expertise.
If you know of an exploit that needs fixing then please report it to Beamdog.
Otherwise