#Steam Workshop::Nova Defender – All-in-O...
while anticheats are fun and have a purpose, being able to browse the client's files and download them is a privacy violation in the first 15 seconds of your video
i asked rubat as i needed a second opinion, it's fine as long as it's in the game files, but i'd personally say anything like chromium's logs (higher directory) and whatnot to be a no no, be it username or path relativity is too far
i am the reason crashes/mdmp's are blocked.
doesn't look bad, however there's some pretty uselessly redundant stuff like the "spam filestealers" timer, and the constant writing to other addons' fake data directories (eg in your banpayloads)
I do think Phoenix is entirely correct also. Your anticheat does not need to provide a full filetree access to random players.
Personally, I'm against even looking through their lua directory lol, but especially stuff like the chromium log (which honestly I forgot could even be accessed)
HTTP protection as in lua/nova/modules/networking/http.lua is faulty. It doesn't protect the HTTP() function. The overridden http library functions are off specs too: Blocked requests never get their given callback called, resulting in "endless" loading stages on sending requests instead of an end with a defined error case. Always stay in specs if you detour functions or it WILL break legitimate addons and other legit code.
There is also some amount of obfuscation going on. It has obfuscated code. Which is fishy at best in an open source project. Never trust obfuscated code in "open source" software, because it can't be reviewed for safety and trustworthiness to a degree you expect from open source policies.
The code is only "obfuscated" at runtime. All code is human readable. I think you are referring to the minified files. But those are also open source and available on GitHub. See the credits section inside the workshop description. 🙂
Thanks for that notice. I will add this
Real cheaters don't have anything in their filesystem that you will find, making it useless and redundant and only an invasion of privacy if they're legitimate people developing addons directly in their client
That's true but also not. Countless (and frequently used) cheats store their config inside the game's folder. I didn't just come up with this idea. Those cheats include popular ones which are banned on a daily/weekly basis on my server.
This detection is not included in the default anticheat.
My addon is also not designed to detect the most advanced cheats. Rather a basis of commonly used ones.
If they store their config in the game folder you don't need a tree to browse, you could automatically detect them based on your logic
That's right. That's what it already does.
Then you don't need to browse their files and/or take their addons
You may not do this, but the public/those you enable with this will
You have a point there. I am thinking of blacklisting specific directories for downloading.
For example the addons folder would be only accessible for listing files.
As I don't want to remove this functionality altogether
Yeah, i get you don't because of the time spent and it's "cool".
think gamemodes too, there are people who test/install locally, but probably shouldn't
I also had this thought as people could steal my invite-only anticheat with my own addon 😅
I will have a look at the code today. Thank you for the suggestion.
I remember a while ago I realized I can make a client file browser on the server. And so I did. And then I realized how powerful it can be for all the wrong reasons and I deleted it lol
It's a huge invasion of privacy, and most cheats store their configs in the data folder anyway. You don't need to peek into anything else besides that folder.
About that file browser thing: I am not a lawyer, but so far as I can tell using the browser could violate the GDPR law. And man that's a huge thing in Germany. Even having it installed could be a problem for EU-based servers at least.
what kinda shit cheat stores its config in the data folder 💀
enough. But not only inside the data folder, but also inside the (1st) garrysmod folder. I think many cheat "developers" don't even know that those can be accessed via file.Read
Sometimes they randomize their filename or content to evade detections
the only silly cheat that i knew of that did that was execc storing login info in dat files, which btw is also a privacy violation as you're yoinking their password
oh same dev as modern anti cheat