Posted on

ioquake3 Security Notice 06/13/19: Test Builds Possibly Compromised

Summary:

As an initial notice, I want to warn ioquake3 players and server operators that precompiled test builds downloaded from our website may have been compromised. Please do not use or run an ioquake3 test build until we provide new builds for download. This post will be updated and a new notice will be provided on this site. ioquake3 builds compiled from source or provided by distributions should be safe to use so long as they did not redistribute our test build binaries. I have no evidence that the ioquake3 test builds were compromised but I am alerting the community out of an abundance of caution.

Issue:

On 06/12/19 I became aware of high CPU usage on our Jenkins server. Jenkins is the software that builds our test builds and does some basic testing of each new merged commit to our GitHub repository. It appears that an outdated Jenkins install and plugins were at least exploited to install some form of cryptocurrency mining malware.

What is Jenkins?

The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.

What are Cryptocurrencies?

They are a garbage libertarian fantasy of money without responsibility or governance (except by the rich who control these pseudo currencies) and should be thrown into the sea because they waste more electricity than some countries use at a time when we need less consumption of scarce resources to prevent climate change.

What I will do:

The test build page has already been modified to provide no links to download the test builds. The Jenkins server has been shut down. The test builds will be thrown out and replaced once a new Jenkins server is operational, the server the Jenkins user is running on will be reformatted and reinstalled from scratch, this will cause some outages for these services:

  • The ioquake3 master server
  • The official ioquake3 game server
  • The discord <-> irc bridge bot
  • The wiki site, wiki.ioquake3.org
  • Jenkins, of course

As far as I know, nothing was done besides mining for cryptocurrencies, but I am going to reformat the server that was running these processes and I am warning users and server operators out of an abundance of caution.

Thank you

Thanks to Daniel Beck from the Jenkins team for helping to resolve this issue.

Posted on

Thank You, Zack Middleton (zturtleman)

Zack Middleton (zturtleman) announced that he’ll be leaving the project, and Quake 3 engine development in general, on October 10th, 2018:

October 10th 2018 is the 10 year anniversary of when I started modding ioquake3. It was my third attempt at creating a Ninja Turtle fangame within a three year time period. I intend to release Spearmint 1.0 as the end result of 10 years of working on the Quake 3 engine.

On October 10th I’m planning to cease development on my projects based on the Quake 3 engine (Spearmint, Turtle Arena, Lilium Voyager, flexible HUD mod for ioq3, …) and resign from being a ioquake3 maintainer (since 2011). I’ll no longer be following ioquake3 development or providing support on the ioquake3 forum.

Please read  full post, there’s more information there.

Thank you, Zack Middleton (zturtleman).

If you would like to thank ZTM, please contribute to his Ko-Fi.

Posted on

Help Wanted: Volunteer Linux System Administrator

ioquake3 is an entirely volunteer-run project and we need more volunteers! Please share this post with your friends.

If you love maintaining Linux servers, and specifically Ubuntu Server, this is the role for you. The ioquake3 project is looking for a qualified Linux Systems Administrator to assist with maintaining our Ubuntu VPS. We need someone to help maintain our server and it’s services, keep it running, and up-to-date.

The first major goal we need to accomplish is to move our web sites off of DreamHost and onto the VPS that Ryan “icculus” Gordon provides for our project.

This role should not require much of your time once you become familiar with our systems. A few hours a week should take care of it, outside of any large upgrades.

Basic Qualifications:

  • 2+ years of experience with Linux Systems Administration. You need to have done this before if you’re going to help the project.
  • Virtual Private Servers
  • Apache configuration
  • nginx
  • PHP. You don’t have to be able to develop a new application in it, but most of the webapps we use make use of it.
  • Experience working with other free or open source software projects.
  • DNS
  • Domain registration
  • Experience with terrible shared hosting providers

Preferred Qualifications:

Please write an introductory e-mail to zachary at ioquake dot org (there’s no 3 in the domain name for our email services)  and we’ll discuss your future with the project.

Because this is a free software project and we receive what amounts to almost no donations please keep in mind that this is a VOLUNTEER ROLE. That also means you get to work entirely remotely. Woohoo!

If this role doesn’t sound good for you, there is plenty more work to be done. We need to make ioquake3 the best and easiest way to play Quake 3 on Windows, macOS, and Linux, develop new games, and play mods. This is your opportunity to contribute to an incredible free software project that needs your help. Get involved.

If you don’t have time to help, please contribute to Ryan’s Patreon campaign here.

Posted on

Auto-Update Update

Ryan “icculus” Gordon has surprised us with a cross-platform auto-updater for ioquake3.

Created thanks to contributions to his patreon campaign, here’s how Ryan describes it:

I’ve written an autoupdater for ioquake3, with the intention of the game operating much like Google Chrome…it just stays up to date and you don’t really notice. This has been a long-time wishlist item for the ioq3 team…as they are locked out of platforms like Steam, they’ve been stuck telling people to download the game over and over, maybe migrating their mods, or live without new features and fixes.

Once this solidifies, the official builds will just keep staying up to date, which is pretty sweet. And of course, this is optional, so it won’t interfere with distro packages and such.

We still need to implement the network infrastructure behind the update mechanism, but this is a very important and large first step on that road.

You can browse the code in this pull request and this update that added more security features to the process.

Or read more about the updater in these three blog posts from Ryan:

  1. Project: ioquake3 autoupdater
  2. ioquake3 autoupdater: now with Linux support!
  3. ioquake3 autoupdater: now with Windows support!

Please contribute to Ryan’s patreon campaign if you enjoy his work.

If you’d like to support ioquake3  in a roundabout way I am selling t-shirts and hoodies for Nuclear Monster.

ioquake3 is an entirely volunteer-run project and we still need your help, please check out this page on our wiki for more information.

Posted on

Help Wanted

Last month I wrote about an important security update, and we were lucky that the news was spread far and wide but many players still didn’t see it.

Even if they read the news, and they updated to the latest build of ioquake3, they wouldn’t have caught the follow-up security commits to the code repository unless they downloaded another test build more recently.

We have a serious issue getting people on the latest code because our installers and DMGs are 8 years old and designed for a time when the only way to get Quake 3 was on a disc.

That’s changed, the only good way to get Quake 3 today is on Steam or gog. You can probably find old discs on ebay, but I wouldn’t bother when you can get digital bits delivered instantly. There are huge caveats to those digital platforms, #1 for us is that if you’re on macOS or Linux it is not at all straightforward to get the data from Steam or gog.

If we had a standalone baseq3 replacement of our own, that would not be as big of an issue.

Even if we had installers that were modernized, our binaries aren’t code signed and so players on macOS and Windows receive warnings and their operating systems prevent our code from being executed. We need help resolving that issue from someone who is more familiar with the code signing process.

Even if our binaries were code-signed, we don’t have any way for players to get the latest binaries automatically. This has become the new normal for games delivered via Steam and standalone mechanism’s like the one Blizzard uses for their games. Even web browsers like Firefox and Chrome have been doing this for years. Networked software needs security updates, and we can’t get it to players without an auto-update mechanism.

Here again I will make the caveat that it would be possible for ioquake3 to be on Steam if only we had a standalone game, even a minimal one, for players to play when they don’t own Quake 3.

Around this time last year I wrote a post about an issue when the id master server was down, because id (thankfully) was able to bring their master server online we did not get a fix implemented and committed to our git repo. This means that exceptionally long-running Quake 3 servers might still be reporting to the wrong ioquake3 master server, and if id has ever changed their master ip address it could be wrong for those servers as well. It also means that the in-game Quake 3 server browser still only receives servers from id’s master.

When security issues, and others like the id master server downtime, occur, it would be amazing if we could also announce that they are already resolved for players on our auto-update system instead of having to post blog posts and hope that people update before their computers are compromised.

We need to deliver updated code automatically to everyone, and make it as easy as possible to play Quake 3, mods, and games built on this engine. We need a project manager to help get our launcher project going again and developers to work on adding an auto-update mechanism to it.

This project, ioquake3, is entirely volunteer-driven. We receive no grants of time or money from any corporation except for the wonderful discourse forum donated from the Discourse enterprise. We spend more money on hosting ioquake3 and its servers than it gets in donations.

We can’t move one step without volunteer contributions from the community of players and developers who love Quake 3 and the projects that have been built off of the source code. It’s only with those contributions that we have been able to develop ioquake3 for the past 12(!) years.

While there wouldn’t be an ioquake3 project without the code, the contributions we need now are in recognition of the mature status this codebase has reached.

We need help from build and release engineers to update and maintain our installation process for Windows, macOS, and Linux.

We need help from people who love writing documentation to help players, game makers, and systems administrators get started with ioquake3.

We need help from people to create art, sounds, maps, and menus for a small stand-in for baseq3 when people don’t own Quake 3: Arena but want to use this incredible code to get some frags in or to get started making a game.

We need help from anyone who loves the quality assurance process to go through our bug queues on Bugzilla & Github in order to triage and duplicate those issues to confirm their continued threat and eradicate them. Testing is part of quality assurance and testing means playing Quake 3, who wouldn’t want to do that?

We need help from people who want to help other players on our forums, live chat on our Discord server, and on our Facebook page.

We need to make ioquake3 the best and easiest way to play Quake 3 on Windows, Mac, and Linux, develop new games, and play mods. This is your opportunity to contribute to an incredible free software project that needs your help. Get involved.

Posted on

Important Security Update: Please Update ioquake3 Immediately

Please immediately update ioquake3 to the latest test build before you connect to any online servers. Despite the name, the test builds are in fact way more stable and secure than any release at this time.

In doing so you’ll also receive access to all kinds of other updates and changes that we’ve made since you last installed ioquake3.

Here’s the why:

We recently pushed  a large security fix that prevents malicious actions from multiplayer servers.

Please share this news with any other Quake 3 players you know. It’s on Facebook and Twitter as well. These kinds of exploits are even worse in the regular Quake 3 client, nobody should be using that anymore.

Our Player’s Guide can help new Quake 3 players get started with ioquake3.

Ideally, we would distribute these security fixes automatically, similar to the way browsers like Chrome and Firefox distribute updates. Games on consoles, or in Steam, require updates in order to go online and happen automatically now. This way, we could distribute an update first so that nobody who is online is vulnerable in an ideal scenario.

Right now we don’t have anyone working on that issue, if you are interested in helping us with an auto-update system to be built into our launcher, get in touch.

Until then, please update your test build as often as you can to get the latest security changes.

ioquake3 is an all-volunteer project that needs your help. Check out this page if you’d like to join us in our mission to keep Quake 3 alive.

Our thanks to Victor Roemer for reporting the vulnerability.

If you find a security vulnerability, please e-mail zachary@ioquake.org.

Posted on

Discourse Made Our Forums Great Again

A screenshot of our discourse forums

The subdomain to access the forums has changed from community.ioquake.org to discourse.ioquake.org. Please update your bookmarks and note that you might see some error messages in your browser during the transition if you visit the old URL. We’re still working out the best method to redirect old traffic to the new site.

Here’s why:

Back in 2013 we moved our forums to the new open source forum software on the block, Discourse.

It has been easier to maintain these forums than our old ones which used phpbb 3. With phpbb we got so much spam that we had to routinely shut down registration, manually approve users, and resort to bringing new moderators on board to team up for spam account deletion parties.

With Discourse, we get so much less spam, practically none in the almost 3 years since we switched.

Discourse forums are also much easier to read on modern browsers and mobile devices. It’s a flat design that doesn’t overwhelm new users with categories at first glance. Replies can be in the topic or you can create a new topic if you don’t want to derail the current one. Topics update in real-time so you are less likely to post the same thing as somebody else. Replies to an individual post can be read without losing your place in the topic.

The news today is that we’re in the process of moving from our self-hosted installation to Discourse’s official hosting. It took just a few moments to pull the levers to upload our backup from the old forums and switch. The forums should be more reliable, faster to access, and despite the transition we have retained all of the posts on the forums since we moved to Discourse in 2013. We are extremely thankful to the Discourse team for providing this service to our project as well as other open source projects.

If you have any questions, issues, or just want to chat post to the forum or feel free to email me directly zachary@ioquake.org. We’re also on twitter where you can ping me or the ioquake3 project.

Posted on

The id Master Server is Back Online (Updated)

Update: the id master server is back online, the in-game server browser is working again. We will continue to look for a way to work around it in the event of future extended downtime. Our original post appears below.

Master server If you’ve tried to play multiplayer Quake 3 using the original id Quake 3 binaries or ioquake3 in the past few months you might have had a difficult time finding a game with the built-in Server Browser. You would have seen the error message in the screenshot above:

No Response From Master Server

The master server is what game servers that you play on talk to, in order to communicate their availability to your copy of Quake 3: Arena.

Since at least March 11th the official Quake 3: Arena master server offered by id software at master.quake3arena.com has been offline and that is why there is an error displayed instead of a list of servers.

We operate a master server at master.ioquake3.org that has been up for years, and fortunately servers using ioquake3 are still reporting in to it, but there isn’t a quick fix for the in-game server browser at the moment. We have repeatedly reached out to id software to notify them of the issue, suggesting resolutions for it, and received no response.

You can watch for the resolution of this issue on Gibhub, but even when we resolve the issue for ioquake3 players, people using the original id binaries will be out of luck unless they switch to ioquake3 or id software brings their server back online.

There are third-party server browsers such as Qtracker and XQF will continue to work if directed to our master server.

Our Quake 3 server is still online and you can connect to manually by typing /connect phobos.ioquake3.org in the console. This same methods works for connecting to other servers when you know their address.

Posted on

ioquake3 on OS X El Capitan & Windows 10

El cap win 10

Two major updates have come to desktop and laptop computing recently. OS X 10.11 El Capitan and Windows 10. Big news for users of each platform, and we’re excited that ioquake3 continues to work with both platforms for players updated to the latest build.

Check out our Players Guide and Sysadmin Guide, or just go ahead to the test builds, to get started with playing ioquake3 or running a server today!

If you run into any issues with either this new operating systems or old ones, let us know on our community forums. Thanks to our community of contributors for helping us keep Quake III, mods, and new games going for TEN YEARS now, wow. That is a lot of fragging!

Posted on

ioquake3… in Docker?!

The folks from the open platform for building, shipping, and running distributed applications called Docker demonstrated a containerized version of ioquake3 at Dockercon. Not just the server, but also the client. Docker’s Arnaud “icecrime” Porterie even called ioquake3 “The best game ever” in their dockerfile description. I don’t think I could be more proud. They were already my favorite container project when I started using Docker for our Discourse forum installation.

Posted on

ioquake3 updated to SDL 2

If you’ve been following along via github, twitter, facebook, and our new discourse-powered forums, you might have noticed that we’ve been working on updating ioquake3 to Simple DirectMedia Layer (SDL) version 2. SDL 2 is already in use in lots of games, and we’ve been using it internally for over a year now, which is why we felt that it was finally appropriate to bid farewell to SDL 1.2.

The SDL upgrade won’t make a huge difference to the experience of playing Quake 3 and the assorted games that have been built with this engine, but if you’ve got a copy of Q3A please try out the new test builds. Your testing will give us a chance to see if everything checks out OK on more systems than the ones we have access to.

Once in-game you can /connect to our new test server at phobos.ioquake.org

Please report any issues you find with the test builds on the forums, in IRC, or on bugzilla.

Posted on

Test Builds are Back!

If you’ve been waiting to try out the latest features like the new renderer from our github, you don’t have to wait any longer. We’ve got our test builds page back online and updated with the latest builds from our continuous integration systems.

These builds aren’t tested, but you can file bugs against them on our bug tracker and let us know how they work out for you on our forums.

Go frag somebody today.

Posted on

Continuous Integration with Travis

Ghost of shame

It’s been a long time since I last wrote about any kind of testing, and one of the most basic forms is making sure your build compiles as a step of continuous integration.

This has been added to ioquake3’s github with the Travis service.

What this means is that every time one of your friendly neighborhood ioquake3 team members makes a commit, travis will pull down a copy of the codebase from github to a fresh virtual machine, read our instructions, and follow them to compile our codebase with a script that we’ve created.

If the build succeeds, great!

If the build fails, then, oh no! Somebody screwed up and let me write code again. A bot is dispatched by travis to our irc chat compound (irc.freenode.net #ioquake3) to let us know and will let everyone know which commit broke the build. The author will then receive the depicted ghost of shame in the mail within 64-128 weeks.

Currently we’re telling Travis to build for mingw (under Linux) and Linux itself with various options and it takes about 14 minutes to complete the operation.

In the future we hope to figure out a way save the builds Travis creates to the ioquake3 website so that we can offer you more expedited builds.

Travis’ website suggests a method that involves Amazon S3 but we are interested in other storage solutions.

Posted on

Happy New Year, ioquake3 and github!

Hi All,

This August will be the 7th Anniversary of ioquake3!
Time flies when you’re fragging fools and breaking builds.
We still haven’t had a release since 2009. Don’t worry, we still have another 365 days to go until it has been 5 years since a release!
The real reason for this post is that I wanted to tell you all that we’re moving the project to github.
There is a new organization there, called ioquake.
But most importantly there is a project there that you can clone, fork, and send pull requests.
Bugzilla and other things hosted on icculus.org will keep going, but the SVN repository is now deprecated and I don’t know if it will remain online or not. If possible, we may set up a thing to automatically slurp in changes from the github project.
ioquake3.org itself is not going anywhere
Thank you to everyone who has contributed and played ioquake3 since the project started on August 20th, 2005!

Make sure to join us on server.ioquake3.org for some baseq3 fragging when you get a chance!

Here are your top-ten all-time contributors, by number of commits:

  1. Thilo Schulz
  2. Tim Angus
  3. Ludwig Nussel
  4. Zack Middleton
  5. Ryan C. Gordon (he beat me by 3 commits!)
  6. Zachary J. Slater
  7. Tony J. White
  8. Aaron Gyes
  9. James Canete
  10. Coyote

If you have any questions or suggestions let me know in the comments here, on our freenode irc channel #ioquake3, or on our twitter account and facebook page.

Continue reading “Happy New Year, ioquake3 and github!”

Posted on

ioquake3 and OS X Mountain Lion

10imac27 photo

The latest version of OS X, Mountain Lion has been available for a little while and we have now confirmed that ioquake3’s latest SVN (revision 2306) compiles and runs smoothly on it.

If you already have ioquake3 installed on your intel Mac running 10.6 or greater please try a test build:

It should run fine under Mountain Lion, if you have Gatekeeper enabled with the default setting you will have to right click and then select Open on the .app.

Please let us know if it works well for you.