In case anyone is following this, there's a WebAPI update planned for next
week which allows for getting the owner's account from a lender id.

There's also a Steamworks update planned for between yesterday and (?),
which adds the owner's id to the ticket verification result
(ValidateAuthTicketResponse_t). However, this is too late for servers to
get the owner's id. SourceMod at the moment supports checking if they're
verified (by not handing out admin before IsClientFullyAuthenticated
happens). However, this happens far too late in the process (30 seconds
typically to a couple minutes, to never if Steam is down); subsequently,
most servers (to my knowledge) have the feature disabled (or at least want
it disabled, from the threads I've seen).

After the Steamworks update happens, I believe we need the owner's
accountid passed to the server at the same time as the actual rendered
SteamID (how it is at the moment, sent from the client at connection time).
This should allow for the same verification result as
IsClientFullyAuthenticated, and pre-usage that most of the engine does.
This should continue to allow for immediate usage, which is what is used
now.

A public engine function would be appreciated to get the owner's account id
(or rendered SteamID, as to conform with everything else). Unless I'm
neglecting something major, this should resolve the exploit for everyone as
clients are updated to support sending the supposed ownerid.

Thanks,
Kyle.


On Tue, Oct 22, 2013 at 1:56 PM, Kyle Sanderson <kyle.l...@gmail.com> wrote:

> The Steam Family Sharing Exploit is still a vivid problem in CS:S, as it
> takes roughly 90 seconds to connect to a new VPN Server, create a new Steam
> account, and rejoin. I've re-banned the same griefer about 7 times now in
> the last 19 minutes; they're pretty persistent. Please help everyone using
> your products protect ourselves against this new `feature`.
>
> Thanks,
> Kyle.
>
>
> On Sat, Oct 19, 2013 at 5:23 PM, Kyle Sanderson <kyle.l...@gmail.com> wrote:
>
>> Today, we're seeing a ton of banned, griefing players using VPNs and
>> throw-away Steam accounts to bypass server bans. The problem already seems
>> to be pretty widespread in CS:S. Considering this is the first weekend
>> where the beta was opened up, it's only going to get worse. I'm sure this
>> isn't isolated to CS:S, or my servers. There are many others running
>> community servers, some probably not even using Source, that are impacted by
>> this. The native Steam Exploit seems to be getting abused quite heavily.
>>
>> The theoretical is now the present,
>> Kyle.
>>
>>
>> On Fri, Oct 18, 2013 at 7:09 AM, Jesse Oak <wazanato...@gmail.com> wrote:
>>
>>> Every game copy should have an ID associated with it; this way an admin
>>> can ban per copy of the game rather than player ID. It's bad enough right
>>> now in TF2 and some of the Source mod games where a griefer can just
>>> quickly make a new account and reset their IP address; having this start to
>>> happen in games like CSGO is going to be a major pain for admins.
>>>
>>>
>>> On Fri, Oct 18, 2013 at 1:29 AM, Valentin G. <nextra...@gmail.com> wrote:
>>>
>>>> Banning by IP is useless for many countries. And if cheaters abuse the
>>>> family sharing they will certainly go to the "lengths" of making a quick
>>>> new dial-in to grab that new IP.
>>>>
>>>> I have already said this much on the Beta Forums, and fully agree with
>>>> Kyle. This brings the TF2 F2P dilemma to every title.
>>>>
>>>>
>>>> On Fri, Oct 18, 2013 at 6:58 AM, Dominik Friedrichs <d...@forlix.org> wrote:
>>>>
>>>>> On 2013/10/18 03:38, N-Gon wrote:
>>>>>
>>>>>> I agree with Dog.
>>>>>> However, I would also like to note that with SourceMod you could ban
>>>>>> the users by IP. Sure they can change it, but most of the trolls are
>>>>>> either too stupid to figure out how or too stupid to figure out how to
>>>>>> do it quickly. Meaning you'd see the "repeat offender" now and then,
>>>>>> but not enough to be too much of a nuisance.
>>>>>>
>>>>>
>>>>> I'd like to note that for broadband providers in my area it is quite
>>>>> common to hand out a different IP on every dial in, while a connection
>>>>> with that same IP can be kept alive for 24 hours at maximum. Hence I
>>>>> would never bother to ban by IP if the ban is supposed to be longer
>>>>> than a few hours.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> To unsubscribe, edit your list preferences, or view the list archives,
>>>>> please visit:
>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>>>>>
>>>>
>>>>
>>
>
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
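
The most recent message in this thread proposes checking a client-supplied owner id at connection time and confirming it when the ticket validation result arrives later. The sketch below is an added example, not code from the thread, the engine or SourceMod; it models that two-stage check. `BanGate`, `Session`, `on_connect` and `on_validated` are hypothetical names, and all account ids are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    steam_id: int                  # account id the client presented at connect
    claimed_owner: Optional[int]   # owner id sent by the client (unverified)
    verified_owner: Optional[int] = None
    kick_reason: Optional[str] = None


class BanGate:
    """Hypothetical server-side ban list keyed on both player and copy owner."""

    def __init__(self, banned):
        self.banned = set(banned)
        self.sessions = {}

    def on_connect(self, steam_id, claimed_owner=None):
        """Immediate check at connection time, before Steam validates anything."""
        s = self.sessions[steam_id] = Session(steam_id, claimed_owner)
        if steam_id in self.banned:
            s.kick_reason = "banned account"
        elif claimed_owner in self.banned:
            s.kick_reason = "banned owner (claimed)"
        return s.kick_reason is None

    def on_validated(self, steam_id, verified_owner):
        """Late check, run when the validation result with the owner id arrives."""
        s = self.sessions[steam_id]
        if s.kick_reason is None:
            s.verified_owner = verified_owner
            if verified_owner in self.banned:
                s.kick_reason = "banned owner (verified)"
            elif s.claimed_owner not in (None, verified_owner):
                # The client lied about who owns the copy it is playing.
                s.kick_reason = "owner id mismatch"
        return s.kick_reason is None

    def ban(self, steam_id):
        """Ban the player, plus the copy owner only once that owner is verified."""
        s = self.sessions[steam_id]
        # Never ban on an unverified claim: a client could name someone else.
        owner = s.verified_owner if s.verified_owner is not None else steam_id
        self.banned.update({steam_id, owner})
        s.kick_reason = "banned by admin"
        return owner
```

A client that omits or falsifies the owner id passes `on_connect` but is removed by `on_validated`, so the window for a throw-away account shrinks to the validation delay rather than staying open indefinitely.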