The Haus

Tuesday, December 28, 1999

More on Quake 1 Cheating

Well kids, John Carmack's solution to the Quake 1 hacking problem (story) has gotten the open-source community's undies in a collective bundle. Eric Raymond, an "expert in these things", wrote a diatribe called "The case of quake cheats" which was slapped up on Slashdot. Here's a snip that I have real problems with:
"I think one major lesson is simple. It's this: if you want a really secure system, you can't trade away security to get performance. Quake makes this trade by sending anticipatory information for the client to cache in order to lower its update rate . . . [I]t may have been a necessary choice under the constraints for which Quake was designed, but it violates the first rule of good security design: minimum disclosure."
Well DUH! Quake servers are by no means the same as web servers (he makes a comparison to Apache in his article). Tradeoffs like this in the fluctuating world of Internet latency are necessary to get a game that is remotely playable, especially at the time that QuakeWorld first came out. Minimum disclosure = unplayability. Then everyone loses.
"Fortunately, the aim-bot cheat is also much less interesting from a general security point of view. It's hard to imagine anything but a twitch game in which the client user can cheat effectively by altering the millisecond-level timing of command packets. So the real lesson of both cheats may be that a closed-source program like Carmack's hypothetical secured program launcher is indeed a good idea for security -- but only if you're a hyperadrenalized space marine on a shooting spree."
Once again, the author shows his ignorance of the situation. Aim-bot cheats are one of the biggest (if not THE biggest) banes of online gaming, especially in Quake II. None of the author's solutions can deal with this situation. The basic premise of his whole article is "if Quake were open source from the beginning none of this would have happened." Unfortunately, he can't seem to tell the difference between the security vs. performance tradeoff in an e-commerce site and the same tradeoff in an online game.
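
To make the tradeoff argued over above concrete, here is an added example (not from the original post, from Raymond's article, or from Quake's source). It uses a simplified 2-D model in which the server sends a client every entity that could come into view before the next update arrives, and counts how much of that the player cannot legitimately see yet. The view radius, speed limit and sample positions are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified 2-D model (hypothetical, not Quake's data structures). */
typedef struct { double x, y; } vec2;

#define VIEW_RADIUS 500.0   /* how far the player can actually see (assumed) */
#define MAX_SPEED   320.0   /* fastest any entity moves, units/s (assumed)   */

static double dist2(vec2 a, vec2 b) {
    double dx = a.x - b.x, dy = a.y - b.y;
    return dx * dx + dy * dy;
}

/* Number of entities the server puts in one update for `viewer`.
 * latency_s == 0 is strict minimum disclosure: only what is visible now.
 * With latency, anything that could move into view before the next update
 * lands has to be sent ahead of time. Viewer and entity can both move, so
 * the worst-case closing speed is 2 * MAX_SPEED. */
size_t disclosed(vec2 viewer, const vec2 *ents, size_t n, double latency_s) {
    double r = VIEW_RADIUS + 2.0 * MAX_SPEED * latency_s;
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (dist2(viewer, ents[i]) <= r * r)
            count++;
    return count;
}

/* Entities sent to the client that the player cannot see yet: this is
 * the data a modified client is in a position to expose. */
size_t over_disclosed(vec2 viewer, const vec2 *ents, size_t n, double latency_s) {
    return disclosed(viewer, ents, n, latency_s) - disclosed(viewer, ents, n, 0.0);
}

/* Constructed sample positions along one axis. */
static const vec2 SAMPLE[] = {
    {100, 0}, {450, 0}, {520, 0}, {600, 0}, {700, 0}, {2000, 0}
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void) {
    vec2 viewer = {0, 0};
    double lat[] = {0.0, 0.05, 0.15, 0.30};
    for (size_t i = 0; i < 4; i++)
        printf("latency %3.0f ms: %zu sent, %zu not yet visible\n",
               lat[i] * 1000,
               disclosed(viewer, SAMPLE, SAMPLE_N, lat[i]),
               over_disclosed(viewer, SAMPLE, SAMPLE_N, lat[i]));
    return 0;
}
```

In this model the over-disclosed set is empty only at zero latency and grows as latency does, which is the tension between the two positions: shrinking the disclosure margin means entities pop into view late on slow links.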

All original information on this website is copyright © TheHaus.Net, 1999-2005. The use of original images, text, and/or code from this website without expressed written consent is prohibited. The authors of this site cannot be held responsible for any damage, real or imagined, which comes from the use of information presented on this site. All trademarks used are the properties of their respective owners. This site is not to be used as a floatation device (but if you try, I want a video tape of it).