PlanetCrap 6.0!
T O P I C
Q3A Security Patch
May 4th 2000, 11:45 CEST by andy

Those crazy Texan funksters at Id Software have released a new version of their popular little shooter, Quake III Arena, to fix a "fairly serious security flaw" discovered by Internet Security Systems.



The patch documentation explains:

The basic nature of the exploit is that malicious server operators could overwrite any file on a client system. This type of thing is always possible with DLL based mods (which is why we strongly recommend VM based mods) but with this exploit, it was possible within the VM system.

Not much to say about Id on this one, but I think we should say a big nuff respect to ISS for identifying the problem, reporting it to Id, and then just letting them get on with fixing it.

Not being a Linux nut and, I like to think, not much of a geek either, I don't follow the security 'scene' at all closely, but several times recently I've seen games/tech sites covering security flaws that have been discovered, usually with links to a page on one of the security sites showing exactly how to exploit it.

This has always struck me as remarkably stupid. Sure, it probably gets the bug fixed quicker than going direct to the company, and if the company has been told but isn't doing anything then it's a good way to force them, but there are two nasty side-effects:

  • Hackers will generally have at least a few days to exploit the flaw, and not everyone using the software will know to protect themselves.

  • The software company may rush the patch, possibly not testing it properly and maybe even creating other bugs.

So well done to ISS - bug found, bug fixed, and everyone's happy. Shame all the little ego-boost hackmeisters out there prefer to go for public exposure and risk causing so much more trouble than it's worth.

No word as yet on when the flaw was reported to Id.

C O M M E N T S
#1 by "Andrew Stine"
2000-05-04 12:23:17
linguica@doomworld.com http://www.doomworld.com
You know what.
#2 by "Jafd"
2000-05-04 12:56:59
Wouldn't it have been nice if all the folks who made q3 and all the folks who made UT had just gotten together and made one game?
#3 by "VeeSPIKE"
2000-05-04 12:58:44
appliedavoidanc@triton.net
<b>#1</b> "Andrew Stine" wrote...
<QUOTE>You know what. </QUOTE>

no, what?

Went to the ISS web site, and they haven't posted ANYTHING about it at all, not even as a publicity blurb. Wonder how long that will last.
#4 by "Desiato"
2000-05-04 13:33:48
desiato_hotblack@hotmail.com
Wow, a Q3A patch eh...that *is* surprising...I mean id, patching their games...unheard of. I'm certainly shocked.

I mean here I was cleaning my knife to use on my gun, and I never heard of such a flagrant abuse of user rights.

*LOL*

Seriously, what is the impact? Not much.

Back to UT Last Man Standing Instagib.....mmmm gibilicious...


Desiato..
#5 by "Frac"
2000-05-04 13:46:37
kkwyu@yahoo.com
Desiato: instead of commending id for releasing a security patch, nice to see that you're mocking them instead.

Security patches are issued all the time for all kinds of software.  When games are now technically large systems with oodles of unhidden complexity, shit happens.

I would prefer frequent patches that make my system more insecure, instead of holding security compromises into one big patch, at the risk of people whining about the quantity of them.

Frac
#6 by "Desiato"
2000-05-04 13:59:36
desiato_hotblack@hotmail.com
Frac: I didn't mock them - I just don't see the point of a story talking about id *patching* their game.....not exactly an unheard of occurrence.

Most of it was humor anyway...oh well...guess I missed..

Desiato..
#7 by "RahvinTaka"
2000-05-04 13:59:59
donaldp@mad.scientist.com
<b>#5</b> "Frac" wrote...
<QUOTE>Desiato: instead of commending id for releasing a security patch, nice to see that you're mocking them instead. </QUOTE>

I am a big fan of patches that are just that, patches. Fixes of bugs, addition of small features. I am not a big fan of the monolithic downloads that include all the extra dazzle and content. If I want more content I want to download it separately or go to community based sites.

However I despise the way that patches have generally been distributed. Here download this file, unpack it in dir X, remove file Y, do X, do Y etc etc. I really like the way valve handled patches with a simple 1 click and I wander off. Sure the halflife patches have sometimes introduced a few features and they rarely seem to fix the proper bugs but they have a fantabulous way of distributing patches. Now if only the tech was available to mod community it would be sweet.
#8 by "Jafd"
2000-05-04 14:07:20
I really like the .mod files that UT makes possible. But I agree all that obnoxious clicking through once the patch is started is very annoying. Maybe it can be made such that a user defines patch default options, and .patch files can just be clicked on and ignored until they are done. The only thing I want to click on is the thing that says 'yes/no reboot?'
#9 by "RahvinTaka"
2000-05-04 14:14:29
donaldp@mad.scientist.com
<b>#6</b> "Desiato" wrote...
<QUOTE>Frac: I didn't mock them - I just don't see the point of a story talking about id *patching* their game.....not exactly an unheard of occurrence.</QUOTE>

Remember id is one of the only companies who I have ever heard of taking any serious consideration of security. Why ? Most likely because the fan base is more ..... errr fervent about id games than others.

For instance, someone else noted that id Games are the only ones that are seriously hacked. This person believed this was because id didn't care about cheats while companies like Epic and Valve did.

But seriously come off it. Halflife's network protocol is trivial to break and I assume that Unreal's is similar (given the opensource project allows you to dump communication streams). So why hasn't there been a proliferation of hacks for these games ?

Popularity. While Halflife is probably the most popular 3d shooter they don't have a huge following in the computer geek/hacker community, same with Unreal. Besides neither can yet be considered competitive games on same level as the quake purists consider it.

Personally I think q3a is the hardest yet to break but my guess is that someone will rev eng it. Pity ... All I can say is I am glad that Unreal has not had any serious bot rashes and there have been few halflife ones.


hmmm .. i seem to have wandered into blathering so i will stop now








#10 by "Dethstryk"
2000-05-04 15:42:48
dethstryk@damagegaming.com http://www.damagegaming.com/
<b>#9</b> "RahvinTaka" wrote...
<QUOTE>Remember id is one of the only companies who I have ever heard of taking any serious consideration of security. Why ? Most likely because the fan base is more ..... errr fervent about id games than others.</QUOTE>

I think we all also need to remember that id Software hardly has to release patches for their games, because when they release games, you can tell they spent a lot of time on the bugs, etc., since id's games run pretty much perfect.


--
Dethstryk
Damage Gaming
#11 by "Karl Palutke"
2000-05-04 16:12:03
palutkek@asme.org
<quote>. . . but several times recently I've seen games/tech sites covering security flaws that have been discovered, usually with links to a page on one of the security sites showing exactly how to exploit it. </quote>

Many times this happens when whoever discovered the exploit reported it to the vendor (Microsoft, for example) but the vendor did nothing.  Making the exploit public is a way to force the issue, making the vendor fix it or face some really bad press.
#12 by "VeeSPIKE"
2000-05-04 16:38:56
appliedavoidanc@triton.net
<b>#5</b> "Frac" wrote...
<QUOTE>I would prefer frequent patches that make my system more insecure,</QUOTE>

Me myself would prefer patches that make my machine MORE secure. I have enough insecurities on my own, thank you very much
#13 by "Houston"
2000-05-04 17:34:18
breynolds@us.infogrames.com http://www.www.www.www
Bug it

Ship it

Patch it

<i>Video Game Industry QA motto</i>
#14 by "VeeSPIKE"
2000-05-04 17:40:59
appliedavoidanc@triton.net
<b>#13</b> "Houston" wrote...
<QUOTE>Bug it

Ship it

Patch it

Video Game Industry QA motto </QUOTE>

you forgot
"Patch what we broke in the first patch"
"Get fired by developer and leave players out in the cold."
#15 by "Happy Cow"
2000-05-04 18:07:15
ez_2501@hotmail.com http://happycow.home.icq.com
Hold on a second pardnar * assumes a texan drawl....*

[post 9]
So why hasn't there been a proliferation of hacks for these games ? Popularity. While Halflife is probably the most popular 3d shooter they don't have a huge following in the computer geek/hacker community, same with Unreal. Besides neither can yet be considered competitive games on same level as the quake purists consider it.

Last time I checked Half life was the big chillie chunga of all online games (most players online according to the game spy master server list). And Unreal tournament was second in numbers, followed by Quake 3 (UT had a couple hundred more players, nothing huge). So while I'm not saying you're wrong (that would be rude) you're um, er.... mistaken. Of course you could be right about the sexless lewzers geek being a more prominent demographic in the Q3 community. I would like to point out it was not I that said it.
And while I'm bothering to post. What is up with Q3 anyway. Every time I pop open ping tool and poll servers, I get like 500 players and 496 of them are the bots from the single player game (!?!?!?!?!). I wonder if any humans (outside of the four L33t d00ds I did find all playing on the same server) are playing Q3 at all.

And while I'm on a roll, (hey I don't post every three minutes like some people do, but I do take the time to read what you all say) I must take a moment to chuckle at the comment "Besides neither can yet be considered competitive games on same level as the quake purists consider it.". Well for the record the French don't think they are a bunch of snooty effeminate buttmunches. But the rest of the world does. So when Quake purists don't think other games are as "Quakey" as Quake I'm not surprised. But I must tell you as I read the words "Besides neither can yet be considered competitive games" I have to wonder how you mean that. Both games have winners, and ....... well.. the polite way to say it is, not winners. That pretty much makes it competitive. Now if you're hinting around at some kind of Professional gamer/ Cyber athlete, hey here is an idea, just forget all about computers and games and make the professional masturbators league. Same dif really, something that used to be done to amuse oneself turned into a public spectacle.
Ahhh, I feel much better now

    Happy Cow (Phear the Cow....mooo)

PS. If this seems like a flame or an attack, it's not. I'm just goofing with ya because I love you ( in a non legally binding way)
#16 by "Valeyard"
2000-05-04 18:33:54
valeyard@ck3.net http://www.ck3.net
While this isn't necessarily the definitive list, it's pretty close...and it's MUCH more accurate than the Gamespy server list.

<a href="http://www.theclq.com/games.asp" target="_blank">CLQ list of popular games</a>
 
                   Minutes    Players  Rank
Counterstrike  -- 98,470,970  393,667   #1
TFC            -- 37,626,827  160,961   #2
Half-Life DM   -- 11,500,222   75,366   #3
Q3 DM **       --  8,957,168  103,993   #4
UT DM ***      --    581,911    6,149   #35

Queerying over 124,000 servers every few minutes...your stats are there whether you wanted them there or not.

So before anyone makes claims that UT is more popular than Q3 or anything like that


** If you add in Q3 servers running with bots and the totals are:
Q3             -- 14,989,594  125,184    1368
 Which bumps it up above HL, and nearly ties TFC.

Interestingly, the MOST played game is a free mod, with more minutes logged and players than HL, TFC, Q3 and UT combined.

*** UT fans claim this isn't correct, but the CLQ site claims that the latest version of QStat fully supports Unreal.  While the number may be off, I seriously doubt it's off as far as the UT fans hope.  The QStat page ALSO claims full UT support.
#17 by "Diseased"
2000-05-04 18:34:02
diseasedanimal@yahoo.com

Are you being sarcastic here?  Quake 3 may be decent but Q2 was a mess when it was first released.  Buggy weapons, maps, teleporters...  It didn't even have correctly working death messages.  

I suppose id has been relatively good when compared to most game developers on releasing bug-free products but even they are far from perfect.
#18 by "Valeyard"
2000-05-04 18:39:08
valeyard@ck3.net http://www.ck3.net
ok..the formatting got hosed...here's the second try at the list:

-------------------Minutes---Players----Rank

Counterstrike----98,470,970--393,667-----#1
TFC--------------37,626,827--160,961-----#2
Half-Life DM-----11,500,222---75,366-----#3
Q3 DM-------------8,957,168--103,993-----#4
UT DM---------------581,911----6,149-----#35

Of course you could have also clicked the link and checked out the data yourself. :)

-Valeyard
#19 by "Valeyard"
2000-05-04 18:39:55
valeyard@ck3.net http://www.ck3.net
Not any better....preview function anyone? :)

-Valeyard
 (can't use crapspy from the office) :(
#20 by "Lumberjack"
2000-05-04 18:41:47
joek@pckconsult.com
Valeyard, the reason that those numbers are far from being right is because they are only reporting from 40 active servers, when the UT server list regularly reports 1500+ servers.....
#21 by "Andy"
2000-05-04 19:06:20
andy@planetcrap.com
Tut tut, oh how cynical we have become...

<b>#13</b>, Houston:
<QUOTE>
Bug it

Ship it

Patch it

Video Game Industry QA motto
</QUOTE>
How does that apply to the Q3A patch? I'd offer a few reasons why it doesn't:

1. It fixes a security flaw, usually something very obscure that is only found by accident or trial and error way beyond what could be reasonably expected of quality control.

2. It hasn't been exploited, and as far as we know, nobody outside of Id and ISS was even aware of it until yesterday - so it's not like it was something obvious, or even easy to find.

3. Q3A was a fairly solid product. Just playing it, you could tell it had been tested properly. Either that or Id rushed it out the door and just got lucky, which I very much doubt.

With FPS companies, things are getting better. What's the point of pretending that they're not? There's no point slamming people for doing something wrong if you're still going to slam them when they do it right.

Just wait for the next Lith game and then we can all have a jolly good moan, that's if any of us still even care.
#22 by "Valeyard"
2000-05-04 19:09:13
valeyard@ck3.net http://www.ck3.net
OK, cool.

Is there somewhere I can see a list showing 1500+ UT servers?  When I fire up UT, I sure don't see that many...granted it's more than 40...but nowhere near 1500.  I'll check the internal browser and gamespy again when I get home.

And honestly, I don't care which of them is more "popular", I just wish people would fire off some facts to support the claims. :)

After all, I'm primarily a CS player...and we already know how popular it is.  Now, if they'll just release 6.5 and kill most of the cheating issues, we'll all be happier.

-Valeyard
#23 by "scud"
2000-05-04 19:12:42
scud@counter-strike.net http://csnation.counter-strike.net
Valeyard - the reason 6.5 hasn't come out is because Goose and co are waiting for Valve's new netcode patch..I believe goose has all the coding done for it..he just hasta wait. So put the blame on Valve for that one..not the cs team.
#24 by "cliffe"
2000-05-04 19:18:05
cliffe@counter-strike.net http://www.counter-strike.net/
Valve still has some bugs in their code before it's final.
#25 by "Lumberjack"
2000-05-04 19:23:53
joek@pckconsult.com
Okay, the UT server browser is reporting 1334 servers with 2025 players playing......that is 30x the number that TheClq is looking at.....make your own conclusions....
#26 by "Warren Marshall"
2000-05-04 19:26:28
warren@epicgames.com http://www.epicgames.com
<quote>*** UT fans claim this isn't correct, but the CLQ site claims that the latest version of QStat fully supports Unreal. While the number may be off, I seriously doubt it's off as far as the UT fans hope. The QStat page ALSO claims full UT support. </quote>

Do those stats include UT-CTF and the other game modes or just DM?  There are a LOT more CTF players/servers out there than just straight DM.

Just curious.  :)
#27 by "Valeyard"
2000-05-04 19:33:47
valeyard@ck3.net http://www.ck3.net
scud:
Trust me, I know WHY 6.5 is not out yet...I'm just anxiously awaiting it. :)

Lumberjack:
Thanks...that's much more realistic.  Now we just need to find out why the CLQ is so inaccurate for UT servers...and if this inaccuracy applies to ALL servers.

Warren:
That number was UT deathmatch only...the highest one on the list...which, it seems, isn't a good list for UT.

-Valeyard
#28 by "kanaeda"
2000-05-04 19:44:31
kanaeda@planetquake.com http://www.freshteam.co.uk
#21 -Andy:

<quote>Just wait for the next Lith game and then we can all have a jolly good moan, that's if any of us still even care.
</quote>

I think that's supposed to be 'if any of us are still alive to care.' :P

I, for one, enjoyed SHOGO quite a bit. Too bad they seemed to make a drastic downhill tumble into shit after that. Too much hype and PR and not enough substance sure does kill what small fan-base you might have had.
#29 by "Whisp"
2000-05-04 19:48:42
whisp@vt.edu
The player numbers on CLQ from what I understand report the total number of players that have played a particular game type EVER in the last two weeks.  As such, when comparing them game-to-game you might as well use the DM numbers, because I think many regular players go on a DM server at least once in a while.  This could be a bad assumption though.  The number of servers is just a pretty worthless comparison.  So the best comparison would be minutes played.  

To get a good comparison for a particular GAME rather than type would be very hard using that list.  You would need to add up the minutes played under all the game TYPES.  Unfortunately, there doesn't seem to be a complete list on that page.

Personally,  I think part of the problem with UT may be that there are so many mutator/mod combinations that it is watering down or not detecting/logging.  Or CLQ may not be pinging a lot of UT servers - I've had trouble in the past with my game play on certain servers just never showing up under Q3A.  Maybe it's worse with UT.

-Whisp
#30 by "Flamethrower"
2000-05-04 20:05:08
flamey@alreadythere.freeserve.co.uk http://flamethrower.evilavatar.com
How come nobody has pointed out that DLLs are awful compared to a scripting/Quick C language?

Anyone without C++ experience, MSDEV, and half a lifetime isn't going to be making a mod. Quake C, despite its flaws, introduced programming to a generation. DLLs have not.

The result is far, far, fewer mods. Some of those 1000s of Quake mods were naff, some were freaky, some were superb, but at least they got made. Now it's very elitist, and that's a Bad Thing.

Plus, having control over the language meant you couldn't put a Trojan in it.

I thought DLLs were a bad idea at the time (Quake 2) and I have seen nothing to dissuade me from that.
#31 by "RahvinTaka"
2000-05-04 20:34:00
donaldp@mad.scientist.com
<b>#15</b> "Happy Cow" wrote...
<QUOTE>
Last time I checked Half life was the big chillie chunga of all online games (most players online according to the game spy master server list). And Unreal tournament was second in numbers, followed by Quake 3 (UT had a couple hundred more players, nothing huge). So while I'm not saying you're wrong (that would be rude) you're um, er.... mistaken. Of course you could be right about the sexless lewzers geek being a more prominent demographic in the Q3 community. I would like to point out it was not I that said it.
</QUOTE>

true Q3A has less players but it has more computer programmer type players. Consider how many different things have been reverse engineered in quake games that were not provided by id. Do I have any facts to back this up ... hell no :P. Just a general vibe.

<QUOTE>
And while I'm bothering to post. What is up with Q3 anyway. Every time I pop open ping tool and poll servers, I get like 500 players and 496 of them are the bots from the single player game (!?!?!?!?!). I wonder if any humans (outside of the four L33t d00ds I did find all playing on the same server) are playing Q3 at all.
</QUOTE>

unfortunately not. I don't think we will see huge numbers of players until a groovy mod comes to the forefront.

<QUOTE>
...
But I must tell you as I read the words "Besides neither can yet be considered competitive games" I have to wonder how you mean that. Both games have winners, and ....... well.. the polite way to say it is, not winners. That pretty much makes it competitive. ...
</QUOTE>

True but any games have winners and losers or they wouldn't be a game. They would be a simulation or a toy. What I was getting at is that in Q3A it is pure gameplay .... you pretty much have a limited number of weapons with limited fire modes, while UT has more game elements (multiple firemodes, multiple useful weapons, different map architectures ...).

It is much easier to judge who is better when the number of game play elements is low because it comes down to plain skill rather than excessive wit (ooh bet ya didn't like that statement:P).

As for cyber athlete stuff. NFI ... I suspect UT will/is/should be played ... anyone know ?

Also UT/Halflife have their own set of "features". Halflife still uses the basic network architecture as q1/qw and it shows. The menus regularly crash the client and every now and again the halflife will crash the computer for no particular reason, or lose sound or X or Y. These are not acceptable, especially if it happens while competing. UT is bug-free (or at least I haven't noticed any :P) but it is just so slow. It is a mammoth beast which probably explains it :P

Just in case this sounds like I am a quake purist or something I generally only play qw TF and UT CTF/Assault.
#32 by "None-1a"
2000-05-04 20:46:21
none1a@home.com
First off Flame, the problem isn't just with the DLL files, but with the VM files that work in a similar manner to Quake C. Also a problem like this should have been tested by id, after all VM was included to prevent this.

Next ISS's actions are not unheard of, most times when a microsoft OS flaw like this is found the same news reports also state that a fix is currently available, the press about no fix started shortly after the 48 day bug was found, at the time MS didn't know what was causing the bug and thus couldn't fix it so the news went to press without a fix. Unfortunately this marked MS as not responding to these bugs and has caused a glut of press now ask for a fix later stories with 2000 (somehow I just can't see anyone finding a security bug in an OS, reporting it to the company, and expecting to have it fixed within two days of the product release)
#33 by "Creole Ned"
2000-05-04 20:50:44
cned@home.com http://www.quirkybastards.com
I remember regularly checking my stats for a time whilst playing Tribes last year and CLQ was usually wildly accurate. This applied for almost everyone in my tribe. As a source of accurate statistics, I would rate CLQ as iffy at best.

As for the id security patch, it was discovered, it was fixed, no harm done. What more needs to be said?

Now, is id going to charge for their "Team Arena" expansion pack when other companies (that shall go nameless) have released a lot of their extra content for free? :)
#34 by "Creole Ned"
2000-05-04 20:52:01
cned@home.com http://www.quirkybastards.com
Doh! Make that "wildly <b>IN</b>accurate" in the above post.

Another call for a preview function here. :)
#35 by "RahvinTaka"
2000-05-04 20:59:12
donaldp@mad.scientist.com
<b>#30</b> "Flamethrower" wrote...
<QUOTE>How come nobody has pointed out that DLLs are awful compared to a scripting/Quick C language?
</QUOTE>

because they are not

/me ducks and weaves

<QUOTE>
Anyone without C++ experience, MSDEV, and half a lifetime isn't going to be making a mod. Quake C, despite its flaws, introduced programming to a generation. DLLs have not.
</QUOTE>

Q2 DLLS got me on the road away from evil corporate programming :P.

<QUOTE>
The result is far, far, fewer mods. Some of those 1000s of Quake mods were naff, some were freaky, some were superb, but at least they got made. Now it's very elitist, and that's a Bad Thing.
</QUOTE>

The number of mods dropped due to a number of reasons. But DLLS could be blamed .... but not to the extent you claim I think. (A lot of people moved to halflife/unreal/stayed with q1).

<QUOTE>
Plus, having control over the language meant you couldn't put a Trojan in it.
</QUOTE>

quake c bytecodes was trivial to break. You could even make it overwrite stack and do arbitrary things to computer. That is not safe ..

<QUOTE>I thought DLLs were a bad idea at the time (Quake 2) and I have seen nothing to dissuade me from that. </QUOTE>

Well I like DLLS because it puts power in the hands of the developer. For instance the only mod I seriously worked on was q2java (convert q2 game to a java implementation). Not possible with VMs. Also look at all the admin/security proxy mods. They would not be possible without DLLs. Using DLLs also makes available thousands upon thousands of other libraries. So you could link it against X instead of writing X yourself.

While DLLs do give power I do much prefer higher level OO scripting languages (ie java). I don't want yet another proprietary scripting language though because quite frankly they are not worth my time to learn. Sure I could figure out Unrealscript but I would prefer java. Why ? Thousands of java libraries available. Thousands of tools available. Unrealscript -- only one implementation, bad linking model (you have to restart UT every time you alter a script !!!!!), slow, slow slow, compiler has "features".

So all I can say is DLLs raise the stakes of mod development (I guess for the worse) but they also empower the user. I would prefer an open architecture (say java :P) in a game than any closed one (say Unrealscript) anyday because it is soooooooo much easier to develop with (and you don't have to learn some archaic language). When java games come about they will rock !
#36 by "Andy"
2000-05-04 20:59:34
andy@planetcrap.com
<b>#33</b>, Creole Ned:
<QUOTE>
Now, is id going to charge for their "Team Arena" expansion pack when other companies (that shall go nameless) have released a lot of their extra content for free? :)
</QUOTE>
The man speaks sense. But don't say it too loud or next thing you know we'll have some kid running a petition site.
#37 by "RahvinTaka"
2000-05-04 21:03:13
donaldp@mad.scientist.com
<b>#32</b> "None-1a" wrote...
<QUOTE>Next ISS's actions are not unheard of, most times when a microsoft OS flaw like this is found the same news reports also state that a fix is currently available, the press about no fix started shortly after the 48 day bug was found, at the time MS didn't know what was causing the bug and thus couldn't fix it so the news went to press without a fix. Unfortunately this marked MS as not responding to these bugs and has caused a glut of press now ask for a fix later stories with 2000 (somehow I just can't see anyone finding a security bug in an OS, reporting it to the company, and expecting to have it fixed within two days of the product release) </QUOTE>

Side note: Most bugs can be tracked down much sooner than 24 hours (The Apache project had a 6 hr turnaround from bug spotting to fix available). Also most of the MS "features" are deliberate additions of MS that they hoped the public would never find. For instance MS has had at least 3 cases (that I know of) of there being a long master password that gave full access to the computer. All the passwords were things like "Netscape sucks" etc and were known about at MS (some fools would go to say that they wanted in there so they could look at your computer).

MS bites because they go for security through obscurity which has been shown not to work over and over again. Reminds me a bit how MS claimed they invented this "new" and "revolutionary" architecture for win95. Guess what it was .... yup you guessed it multiprocessing. pfft.
#38 by "RahvinTaka"
2000-05-04 21:06:21
donaldp@mad.scientist.com
<b>#37</b> "RahvinTaka" wrote...
<QUOTE>MS bites because they go for security through obscurity which has been shown not to work over and over again. Reminds me a bit how MS claimed they invented this "new" and "revolutionary" architecture for win95. Guess what it was .... yup you guessed it multiprocessing. pfft.</QUOTE>

just in case it sounds like I am MS bashing ... I happen to use their OS a lot and love some of their products (VC6 is great). They just have NFI about security (or performance/resource usage for that matter but that's another story)
#39 by "Whisp"
2000-05-04 21:15:44
whisp@vt.edu
Preview function?  Get CrapSpy.

I went through the CLQ stats and added up all the game types for Q3A and UT.  Here goes.

Game/Type---------Players-----Minutes---Servers

Q3A Afreeze-----------780-------72,703---------2
Q3A Beryllium-------5,830------299,467--------46
Q3A Comp------------1,473-------68,657--------14
Q3A Comp CTF--------1,237-------58,119---------7
Q3A Comp Tour-------2,795------162,965---------9
Q3A CTF------------46,805----5,367,846-------322
Q3A DM------------104,304----8,999,854-------864
Q3A Excessive-------8,509------603,812--------41
Q3A Fortress-------13,653----2,135,706-------152
Q3A Freeze------------673-------35,883---------5
Q3A Insta CTF-------1,485------120,986---------7
Q3A Instagib--------9,205------464,664--------44
Q3A Instagib Plus---5,841------284,505--------57
Q3A Jailbreak-------1,706------139,547--------23
Q3A OSP-------------25,95----1,772,692-------257
Q3A OSP CTF---------3,030------183,289--------38
Q3A OSP Tour-------14,297------770,336-------172
Q3A POW---------------287-------53,908---------4
Q3A Railfest--------1,185-------54,251---------7
Q3A Tour-----------31,681----1,919,895-------272

Q3A Total---------281,014---23,569,085------2343


UT Coop-------------1,416------125,896--------12
UT CTF--------------7,799------446,292--------11
UT DM---------------6,111------577,412--------40
UT DMP--------------2,196-------99,302--------11
UT Domination---------743-------23,861---------1
UT Garena-------------647-------37,100---------1
UT INFDM--------------792-------86,019---------3
UT Standoff---------1,379------262,472---------4
UT Team-------------3,202------262,075--------15
UT TGPlus-------------819-------29,297---------4

UT Total-----------25,104-----1,949,72-------102


So in summary - WTF!?!?

This definitely proves that CLQ has some issues about reporting UT servers.  That seems MUCH too low for a game that everyone says is kicking Q3A's butt.  While they could be wrong (I think they are), I seriously doubt they're THIS wrong.  I still think it has something to do with the mutators.

-Whisp
#40 by "Warren Marshall"
2000-05-04 22:14:58
warren@epicgames.com http://www.epicgames.com
Well, the in game browser consistently shows me 1500+ servers for UT, so I dunno what to tell you.  :)
#41 by "Bad_CRC"
2000-05-04 22:29:49
http://hammer.prohosting.com/~badcrc/
who cares about the security hole in Q3,  what about the security hole in all these microsoft products that leaves you wide open to attacks like the "I love you" worm...
 
 
oops, guess I'll go to slashdot for that...
#42 by "PainKilleR-[CE]"
2000-05-04 22:57:15
painkiller@planetfortress.com http://www.planetfortress.com/tftech/
In addition re:UT's number of players

Those CLQ stats are the ONLY stats I've ever seen on # of players that show UTDM as being higher than the other modes of play. Usually CTF, Assault, or Dom are higher than DM. While you're at it, go through CLQ and see what the last game I was playing online was. I've seen it give some highly inaccurate statements for the amount of time I play in a week, often not monitoring several hours of gameplay, simply because I don't play on its most 'popular' servers, which determines how often they scan a particular server for # of players and stats.

-PainKilleR-[CE]
#43 by "PainKilleR-[CE]"
2000-05-04 23:08:41
painkiller@planetfortress.com http://www.planetfortress.com/tftech/
heh, ok, I checked for myself, and here's what I found:

in progress Apr 30 - May 6 2000 Half-Life TFC N/A below 500 105 104 0 0.99
OFFICIAL Apr 23 - Apr 29 2000 Half-Life CounterStrike N/A below 500 141 235 0 1.67
history Apr 16 - Apr 22 2000 Half-Life CounterStrike 60,760 846 197 187 0 0.95
    Half-Life TFC 19,432 1,446 298 273 0 0.92

For the record: I don't play Counterstrike, yet it shows me playing 141 minutes last week and 197 minutes the week before. The reason for that: the server that CE is currently using for TFC practice is a counterstrike public server until we shut it down and bring it up as a TFC server. I don't even think I have the latest version of CS installed on my computer. GG CLQ.

-PainKilleR-[CE]
#44 by "None-1a"
2000-05-05 00:09:42
none1a@home.com
RahvinTaka back is 32 I was referring to the pre 48 day crash bug problem, the netscape sucks password was publicised after this was found (I really don't get why people went off about the 48 day thing, after all 9x isn't a server OS and most home systems don't get left on for that long), some examples of the fix being released with the news were things like the Outlook long file name bug (a bug that would crash the program if a long file name was sent, and could run that attachment with the long file name after the crash). While I'll agree that there are a lot of holes in some MS products with MS's development model it can be hard to get programmers around to fix a problem quickly (most developers are being swapped to other projects after one is out the door, for example most of the 2000 staff would have been moved to Windows ME after its release), it's much easier to get these developers around when the focus is one product rather than two, also some bugs do take a while to track down if not reported in detail (just knowing how to use the bug might not be enough for extremely complicated programs like an OS or server, smaller development team that know the code help a little here). It'd be nice if MS could get a team together to close holes as soon as possible, but with so many things going on there at once I can imagine this being difficult (although this could be a plus for a breakup)

Also I just thought of this, back with the 48 day bug I heard about the bug rather quickly but no one ever said anything when a fix was released (I had to find out about it using windows update), so even if it does take the company a month to fix the problem more people would update had the problem been reported when a fix was available (just from the fact that they actually know about the fix). This also shows a major problem when people count on news outlets for information like this, since all news sources tend to report the attention-grabbing stuff, and never coming back to the story when more facts or a fix is available. The same thing's been pissing me off about normal news for a while, stories like "two found dead in bar, cause of deaths unknown" and never an update on why the people died.

Also I really doubt problems like this are centered solely around Microsoft products and other big name titles. I'd take a guess that Linux, Mac OS, UT and other titles that don't really get a lot of news also have problems,  but since most of the time these lesser known by the mainstream titles are only reported by sites like /. who happen to be fans of these titles so bad stuff doesn't get in. (PlanetQuake didn't do anything as in depth as the stuff I've seen on ZDnet, although I can't find a thing about it at Cnet).
#45 by "VeeSPIKE"
2000-05-05 00:19:01
appliedavoidanc@triton.net
<b>#34</b> "Creole Ned" wrote...
<QUOTE>Another call for a preview function here. :) </QUOTE>

Crapspy
#46 by "Max"
2000-05-05 00:46:42
max@planetcrap.com http://www.planetcrap.com
<a href="http://www.planetcrap.com/stories/18/#957467744">#39</a> "Whisp" wrote...
<quote>UT Total-----------25,104-----1,949,72-------102


So in summary - WTF!?!?</quote>

Ditto.  As of right now, my UT server (Chromag Hell 206.129.0.159), a straight DM server with no mutators, is ranked #109 on the <a href="http://ut.ngworldstats.com/fcgi-bin/Display?t=UT&gm=all&uid=323755&page=m&view=s">ngWorldStats</a> listings for straight DM, and I know those stats are correct because I keep close tabs on how many people are playing and when... so the 102 total servers figure is ridiculous. Try 8000 or so servers active in the last week: The <a href="http://ut.ngworldstats.com/fcgi-bin/Display?gt=UT&gm=all&uid=0&page=m&view=s">server totals</a> listing shows 8869 servers active (and that's so high because it counts listen servers that are only active once in a while) with 76,094 unique players, playing 13,474,080 minutes.  That's this week.

Like I said, I tend to trust the ngWorldStats listings because I've compared statistics I've generated via other means with what ngWS reports, so I know my server at least is reporting correctly.

And as you said - it doesn't say much for the accuracy of the CQL stats.  I suspect that their scripts are only compatible with an older version of UT (such as 400 or 402) that's since been replaced by most server operators with version 413.
#47 by "Andy"
2000-05-05 01:11:36
andy@planetcrap.com
<b>#45</b>, VeeSPIKE:
<QUOTE>
#34 "Creole Ned" wrote...
Another call for a preview function here. :)

Crapspy
</QUOTE>
Yep, get CrapSpy. Since I started using it the only times I've gone to pc.com were to post new stories.
#48 by "Tom"
2000-05-05 05:32:00
[10] Dethstryk
I think we all also need to remember that id Software hardly has to release patches for their games, because when they release games, you can tell they spent a lot of time on the bugs, etc., since id's games run pretty much perfect.


Ok I'm not sure what planet you're coming from (nor am I criticising ID) but I had to laugh at this post.
Back when q2 came out and was popular, it had heaps and heaps of patches. The newsgroups and msg boards I read were constantly up in a massive roar saying "WTF IS WITH ALL THESE PATCHES #(*&$(@#&(@#%&"
#49 by "RahvinTaka"
2000-05-05 05:38:41
donaldp@mad.scientist.com
<b>#48</b> "Tom" wrote...
<QUOTE>Ok I'm not sure what planet you're coming from (nor am I criticising ID) but I had to laugh at this post.
Back when q2 came out and was popular, it had heaps and heaps of patches. The newsgroups and msg boards I read were constantly up in a massive roar saying "WTF IS WITH ALL THESE PATCHES #(*&$(@#&(@#%&" </QUOTE>

I hope they learned from this. They released to get out at the right time (tm) ... I think for X-mas ....

You can tell if you look at code to game it was ugly as hell. The game didn't really reach a quality standard till 0.09 or 0.14 depending on who you ask. But I don't think they will make that mistake again (or at least I hope not :P)
#50 by "Dethstryk"
2000-05-05 05:46:47
dethstryk@damagegaming.com http://www.damagegaming.com/
<b>#48</b> "Tom" wrote...
<QUOTE>Ok I'm not sure what planet you're coming from (nor am I criticising ID) but I had to laugh at this post.
Back when q2 came out and was popular, it had heaps and heaps of patches. The newsgroups and msg boards I read were constantly up in a massive roar saying "WTF IS WITH ALL THESE PATCHES #(*&$(@#&(@#%&" </QUOTE>

I will have to admit my ignorance when I said id hardly has to patch their games because of major problems. I forgot that Quake 2 was their one real big mistake bug/patch wise. (Hey, I didn't play it. I never have liked Quake 2.)


--
Dethstryk
Damage Gaming