r2005 This update patches 2 buffer overflow bugs in response to this ongoing incident.
It is also compiled in the latest version of Visual Studio with Control Flow Guard enabled. This may provide some general protection against this type of bug.
There may be some side effects. I have noted a slight performance decrease, but it seems to be unrelated to CFG.
I am planning a more thorough solution to the compromised key problem, please be patient.
r2006 Addressed another potential vulnerability of the same type.
r2007 Many unsafe string copy and concatenation operations updated.
r2009 Minor cleanup, one additional buffer limit fix
Removed "-1" event on Speedkart_Lighthouse
Removed ultra shortcut on Speedkart_Descent
Brightened lighting on Speedkart_Harbor
I have re-enabled key authentication, with the limitation that it will not work on new IP addresses. That means you can log in and play as normal, but only if your IP is the same as it was a few days ago (or the last time you logged in).
Everyone in the list of stolen keys who had a steamID linked to their account has been made Steam-only. Of the remaining keys on the list, I found suspicious login activity on the following BLIDs:
4578
20406
22324
27013
30372
35295
39877
43110
46163
I reverted their IP addresses to what they were before this started. There may be other compromised keys, but given the pattern here there probably aren't that many that were actually logged into.
This isn't a complete solution obviously, it's just a stop-gap to let a few more people play while I implement a more permanent fix.
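
The stop-gap described above, sketched as an added example (not the game's or the auth server's own code): a key login is accepted only from the IP recorded before the incident, Steam-only accounts are refused key login, and a log scan lists BLIDs with accepted logins from a different IP. All names, the SHA-256 key digest, and the sample BLIDs, keys and IPs are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    key_digest: bytes         # digest of the account key as stored server-side (assumed)
    last_ip: str              # IP of the last accepted login before the incident
    steam_only: bool = False  # set for listed keys that had a linked steamID

def digest(key: str) -> bytes:
    return hashlib.sha256(key.encode()).digest()

def check_key_login(accounts, blid, presented_key, client_ip):
    """Decide a key-based login under the stop-gap rule; returns (allowed, reason)."""
    acct = accounts.get(blid)
    # Constant-time comparison; unknown BLIDs and wrong keys get the same answer.
    if acct is None or not hmac.compare_digest(acct.key_digest, digest(presented_key)):
        return False, "bad_key"
    if acct.steam_only:
        return False, "steam_only"
    if client_ip != acct.last_ip:
        return False, "new_ip"  # a valid key alone is not enough
    return True, "ok"

def blids_with_foreign_logins(login_log, baseline_ips):
    """BLIDs with an accepted login from an IP other than their pre-incident one."""
    return sorted({blid for blid, ip, accepted in login_log
                   if accepted and baseline_ips.get(blid) not in (None, ip)})

# Constructed sample data: documentation IP ranges, made-up BLIDs and keys.
ACCOUNTS = {
    1001: Account(digest("KEY-A"), "192.0.2.10"),
    1002: Account(digest("KEY-B"), "192.0.2.20", steam_only=True),
}
LOGIN_LOG = [(1001, "192.0.2.10", True), (1001, "203.0.113.7", True),
             (1002, "192.0.2.20", True), (1003, "198.51.100.5", True)]
BASELINE = {1001: "192.0.2.10", 1002: "192.0.2.20"}

if __name__ == "__main__":
    print(check_key_login(ACCOUNTS, 1001, "KEY-A", "203.0.113.7"))
    print(blids_with_foreign_logins(LOGIN_LOG, BASELINE))
```
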
The permanent solution is going to be using Steam for authentication. Having everyone store a password on their computer is just too high value of a target with too large of an attack surface. It's stressful enough just keeping them on my server.
You will be able to host dedicated servers
You will be able to keep your BLID (even alts)
You will be able to have multiple installation folders
It's going to take a little bit of time. If I don't implement everything at once or the plan changes, try not to sperg out immediately.
r2011 Removed case where key.dat would be cleared when auth failed
Updated to latest Steamworks SDK
r2012 Fix for unintended change in stricmp behavior