It should be possible to construct an IPTables rule that would function the same way the hardware filter does....
"What you've just said is one of the most insanely, idiotic things I've ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you NO points, and may god have mercy on your soul."
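A software equivalent of the receive-only interface suggested above, as an added example that is not part of the original thread. The interface name `eth1` and the function names are assumptions. iptables only sees IP traffic, so ARP is silenced separately, and unlike a cut transmit line these rules can be removed by anyone with root on the box.

```shell
#!/bin/sh
# Added example: emit (or apply) rules that make a passive monitoring
# interface receive-only in software. The interface name is an assumption.

# Print the commands that silence transmit on interface $1.
rx_only_rules() {
    iface=$1
    # Reject anything that is not a plausible interface name.
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    # Stop the kernel answering ARP here; iptables never sees ARP frames.
    echo "ip link set dev $iface arp off"
    # Drop any ARP the host would still originate on this interface.
    echo "arptables -A OUTPUT -o $iface -j DROP"
    # Drop all locally generated IPv4 and IPv6 leaving via this interface.
    echo "iptables -A OUTPUT -o $iface -j DROP"
    echo "ip6tables -A OUTPUT -o $iface -j DROP"
    # Drop forwarded traffic too, in case the box also routes.
    echo "iptables -A FORWARD -o $iface -j DROP"
    echo "ip6tables -A FORWARD -o $iface -j DROP"
}

# Apply the rules (needs root); each command is echoed before it runs.
apply_rx_only() {
    rules=$(rx_only_rules "$1") || return 1
    while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || return 1
    done <<EOF
$rules
EOF
}

# Usage: script IFACE prints the rules; script --apply IFACE runs them.
case ${1:-} in
    '') ;;
    --apply) apply_rx_only "${2:-}" ;;
    *) rx_only_rules "$1" ;;
esac
```

Review the printed rules first, then rerun with `--apply` as root; `tcpdump` on a second host is a simple way to confirm nothing leaves the interface.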
They would put the detection features in the EQ client, which is behind the firewall.
If you have a firewall how would they detect a NIC behind it running in promiscuous mode?
In fact, they would probably do this anyway, since it would place the processing burden on the client machine, allowing them far greater detection capacity; why overload your server if you don't have to?
Don't assume.
Assuming that's the case for all detection techniques...
The common method involves bursting the LAN with a flood of packets while timing the response time from each NIC; promiscuous cards will take much longer to respond. My understanding is that this method can be made to work with well-formed packets, although I haven't personally tested it.
You're right (and the same would apply to flooding, even with legit packets); that would be a more elegant solution. S_B_R's suggestion of using IPTables would also work, and is (IMO) an even better solution... it would be ridiculous for Verant to attempt to send malformed packets across an entire class C subnet every time EQ is run. I run behind a router, so if I was really paranoid I'd just put my ShowEQ box on a different class B subnet and be done with the silliness.
However, my point was simply this: here is a simple, cheap, easily-achievable way for even non-technical ShowEQ users to be absolutely sure that they won't run into problems down the road, regardless of whether they may be detection problems, password problems, or general security problems (ShowEQ only runs as root, unless you want to further complicate your setup).
Thanks to the flexibility of Linux, all of these aims can also be done with software (hell, you could just remove all the transmit code from the nic driver source), but those aren't solutions that are cheap, easy, fast, and reliable for non-technical users.
Again, run whatever you're happy with.
Monklett has posted some good info here. No, it's not necessary to do, and yes it is being paranoid, but come on, give the guy a break.
Monklett says here's a way to further hinder detection, a lot of others say, it's not needed. Cool.
Does anyone believe that what Monk is suggesting is BAD information? Unnecessary maybe, but truly, it's not bad. Following his advice isn't going to make it easier for SOE to detect (not that they are or are going to) NICs in Promiscuous Mode, and on the surface really does remove ALL doubt (not that there is much to begin with).
I agree it's unnecessary, but it's not worthless information either.
--Raistlin
of course.. the other thing that takes far longer to reply to packets is a slow computer. my 486DX50 for example with an original NE1000.
i thought that the method of detecting promisc. interfaces was a before/after comparison affair (or comparing comparable machines). with unknown devices on the network there is no baseline "how fast should it respond". if you had a magic "detect promisc." routine it would also pick up any hubs with ip addresses, bridging firewalls (my favorite), IDSs etc etc - and wouldn't get SEQ running on routers.
and besides which.. everquest doing this would be.. a touch visible and provoke an absolute storm of protest.. not to mention it would be blocked by half the windows firewalls..
This guy's not paranoid is he? Personally I won't be messing with my hardware because I'm scared someone might find out there's a chance that possibly there could be a NIC on my LAN that's uhhh sniffin stuff. It's just silly, call it good info if you want, but then again, don't fix what ain't broke.
Sony would much rather have my $13 bux a month than ban me cause they "think" I'm running ShowEQ.
Don't worry so much man, take it easy once in a while.
I agree, it's very good information, and I gave him a "good effort" in my first post. Plus it's got me looking more in-depth into IPTables, which I've been meaning to do for quite some time.
Originally posted by Raistlin
Monklett has posted some good info here. No, it's not necessary to do, and yes it is being paranoid, but come on, give the guy a break.
Monklett says here's a way to further hinder detection, a lot of others say, it's not needed. Cool.
Does anyone believe that what Monk is suggesting is BAD information? Unnecessary maybe, but truly, it's not bad. Following his advice isn't going to make it easier for SOE to detect (not that they are or are going to) NICs in Promiscuous Mode, and on the surface really does remove ALL doubt (not that there is much to begin with).
I agree it's unnecessary, but it's not worthless information either.
--Raistlin
So Thanks again Monklett, good topic for discussion ya got going here
Yes I agree...
that it is good information in general, simply because... if you don't know everything about Linux this can be a sure fire way to make certain someone won't be able to use a trojan / back door program on your PC. Possibly you left your ftp daemon running with a stupid login password. Who knows...
What I still think is comical, is the way everyone (correction: some of you) thinks of EQ as 'the man' that is out to get you. Be as paranoid as you want, it provides me with amusement. I can point at you guys and say.. "see.. there are people like that in the world that freak out over a game..."
Good security is all about balancing the effort of securing versus the risks.
In this case, the mod that I recommended takes about 30 seconds to accomplish; you just cut a couple of pins on the AUI adapter. The rest of the install is the same as it would otherwise be. It's even reversible in about 5 seconds; you just switch the network cable to another port.
On the other hand, there is no authoritative information on Sony's efforts to track ShowEQ usage, and it is possible to detect promiscuous NICs on a LAN. While there is much anecdotal evidence that Sony doesn't care, etc., the point remains that we simply don't KNOW. Things could also change in the future, and I'm fairly sure that Sony wouldn't be sending out a press release if it changes countermeasures.
EQ has also been the focus of several security attempts, including a trojan UI mod that attempted to hijack passwords and at least one series of forged Sony customer service communications; these facts clearly indicate that EQ is of interest to crackers. Furthermore, ShowEQ is typically compiled straight out of CVS, is recompiled comparatively often, and frequently relies on custom ad-hoc patches. All of these facts make it a relatively easy target for a trojan attempt.
Personally, I think that 30 seconds with a pair of wire cutters in exchange for being able to prevent all these possibilities from ever being issues is a good deal, but you should run whatever you feel comfortable with.
Hm I don't care a damn about SEQ, but this is a nice idea to hide an IDS
SEQ is not the only cause a NIC runs in P-Mode... not sure but I think most of the time minimum one NIC here in my LAN runs in P-Mode ... and I don't think SoE wants to ban all who do troubleshooting ... i.e. I had a problem with channels and a NAT router some time ago and I only got it fixed with packet tracing ...
2cp
of course, someone who does this and makes their nic undetectable could well feel so safe and secure that they forget not to hare across the zone to a rare.
GMs don't snoop networks, they watch players and wait for players petitioning tracking by non-trackers. so personally i find the thread title about as misleading as possible.
tams
SOE scanning your network is also against federal laws, the EULA only grants them to scan the EQ folder and the space that it is taking up in RAM. anything outside of that is legally off-limits. but if you don't want to be detected, don't make a B-Line for a freshly popped rare mob or use SEQ with a druid alt so you at least can act like you were using real tracking skill.
Which federal law is that?
last I checked it wasn't legal for someone or some company to go snooping around private networks, I know if I went snooping around the SOE network and they traced it to me I'd get a visit from the FBI.
They would have to change the EULA to be able to scan stuff. I had a quick look and there's nothing in there at the moment that looks like it would allow them to do this. Of course, changing the EULA is trivial for them.
This all misses the point. Sony's not going to ban you for having a card on your network in promisc. mode. There's just too many perfectly valid reasons for doing so and banning innocent paying customers isn't a good way to run a business. Realistically, you'll see them banning all Magelo users (for sniffing memory) before you see them scanning for Linux boxes.
The *real* definitive way to not get banned for SEQ is to *never* act on the information you've received from it. That's what gets you banned - zoning into Kael and saying "/gu Hey guys, SoRZ is up!".