Denial of Service bounty hunters
lightPhoenix writes "Get this, John Carmack, god of id & quake 3 arena, is offering a bounty for exposure of game server exploits. Check it out." It's down the page a bit, but it's there. That's a cool idea.
A) Something positive for hackers to get a hold of, and actually get attention for their exploits, and even get them fixed!
B) Positive feedback from the developer of the software, and appreciation.
C) A final product that would be far superior in security from DoS than if it had been released without this testing.
Definitely makes everyone happy.
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
This patch was fixed in version 3.17 of Quake2 and all following releases and in version 2.1 of QuakeWorld and all following releases.
It was a piece of test code that got left in QuakeWorld (and Quake2 inherited it in the code base). QuakeWorld was never an "official" product--it was only a test platform for new networking ideas such as prediction. As soon as it was identified, both games were patched and new versions were made available.
The exploit page you cite lists Quake1 (regular Quake) as vulnerable, which is bogus since Quake1 doesn't even have rcon facilities. It also states it isn't logged which is false since every rcon prints out on the console with the address it came from.
Root compromise? Any decent sysadmin would never run a Quakeworld or Quake2 server as root to begin with (the servers do not need special privileges).
This issue was dealt with quickly and appropriately.
/// Zoid.
what kind of loser takes down a game server?
Sad indeed. I was one of the many that was put out when script kiddies blew up all the q2 servers and no one could play for a couple weeks. My only guess was 'sour grapes' where ppl didn't have enough hardware or good enough connection to be able to play, so they decided *no one* would play.