[opensource-dev] Banning by client

Rob Nelson nexisentertainment at gmail.com
Sun May 2 14:42:41 PDT 2010


The only way to reliably detect a client is if the client sends an MD5
hash of the executable to the login server, and that function was
removed ages ago from the login process due to ease of spoofing.

Requiring a unique login channel requires manual intervention to change
the login channel from the official LL channel to the unique one
required by the TPV, so malicious developers don't even have to lift a
finger in order to bypass detection.  

The entire system is flawed, and I'm sure LL knows this.

On Sun, 2010-05-02 at 20:56 +0200, Carlo Wood wrote:
> On Sat, May 01, 2010 at 06:53:49PM -0400, Glen Canaday wrote:
> > Though WHY anyone wouldn't want to come HERE to talk about client 
> > detection is far beyond my grasp. That's like AVG not wanting to talk to 
> > Microsoft.
> 
> Probably because it's a moronic asshole, who is only 
> interested in making money with the product and doesn't
> care if 1% are false positives.  Not until LL comes
> knocking on their door anyway.
> 
> I guess that the only reasonable response (unless LL
> wants to get involved) is to find out how the detection
> works and write a patch that makes SURE it won't be
> detected (which then can be used by everyone, but malicious
> viewers will do this anyway, whether or not we do).
> 
> So, how does this thing "detect" the mentioned "signature"?
> 



