Why in the name of…soup is this a feature on FiveM?
I won’t state how it is done, I will tell a dev if asked but in essence, anyone can snoop on a default FiveM server install even on team channels or the like.
Who thought this was a good idea?
There’s the obvious privacy concerns for IP and Steam IDs being broadcast but yeeesh. What is this madness?
Seems someone already brought this up 21 days ago. Right now any idiot can nab the IPs of anyone playing right now on any FiveM server. What gives?
FXServer has an sv_endpointPrivacy convar that’ll hide any player IPs, however SteamIDs are there to support essential system infrastructure and are not possible to hide.
But why is information like this public to all users? Its ok for that to be in the back-end for server owners (steam ID whitelisting) but what are the FiveM team doing with those SteamIDs or if you do need to collect it, why is there no authentication or protection for that data?
Why does it matter? We’re a community based on openness and transparency - the only reason an IP privacy feature has been added is as there’s been abuse based on those (denial of service attacks against players of prominent servers); I don’t see how SteamIDs can be abusable whatsoever, especially as player names can be looked up on Steam already, and Steam profiles can be hidden on the Steam Community if players feel like such.
Why should there be? You’ve provided no use case of SteamIDs being abusable, except ‘wow, it shouldn’t be public!’. Again, the ‘team’ has no special powers on FiveM other than being able to push updates directly to users - anything else is open and transparent, for anyone to use.
They’re exposed so that tool developers (or the team itself) can, for instance, make a friend list tool that displays what server your Steam friends are playing on, or other such features.
If someone who sets up a community wants to expose their users IPs to the universe, sure why not, in 1989 this was an ok mindset, IPs for all.
In 2017 with everyone and their mothers’ talking about privacy and security, it is just poor. The fact it took actual abuse before someone changed it kind of proves my point. Same with SteamIDs, might there be a useful way developers can use it? Maybe, should it be something that is exposed to the public? No.
If we go in and hard-break that feature so it is no longer public on our server, what critical infrastructure will stop working?
Now we jump onto the tiny detail that someone can record every piece of text chat or command typed on the server and we run into more potential areas for abuse.
lol
bull
there is no good reason for steamids to be public other then sheer lazyness
there is apis to handle getting and reading the steamid as well as steam to steam client communication
it should be hashed and salted and stored as encrypted string which is then used to generate some kind of fivem id
no client should ever be directly reading and forwarding steamids period not over opennet
Could you provide an example as to why it shouldn’t be public? It’s literally just an identifier. AFAIK there is no way in which people could abuse you by having your steam ID. Maybe they could send you a friend request or, see the games you have but that’s about it, is it not?
Sorry to be nit-picky but, hashing is not encrypting 
. And again, why would they want to do more work to get a “FiveM ID” when there’s no issue in using the steam ID?
Again. Why? You say they shouldn’t but, you give no reason as to why they shouldn’t. It’s not like they’re exposing plaintext passwords for everyone to see.
Because an IP address is an identifier which can be used to directly harm another player on the server. Period. Earlier in this thread, you have stated it has happened before to prominent streamers.
Why is this not being taken more seriously by the team? Why does default FiveM install present all this:
And no, its not acceptable for someone to be viewing all of the steam IDs in a nice tidy list, especially as we are obfuscating the steam names within the FiveM scoreboard so it will not be possible to view them for exactly that reason.
This is 2017. If someone wants to open up their logs to the world, let them! But to have it as a public facing default, not great.
I’m sorry but, there is no similarity in what the steam ID represents and what an IP address represents. I agree that having IPs shown can be problematic because they point to a specific router/endpoint that can be shutdown with a DoS attack. But, steam IDs just point to a steam account… That’s it. I really don’t see the issue.
Why? You’ve said “exactly for that reason” but, you’ve not stated a reason other than “its not acceptable”. Why is it not acceptable? Like I said, it’s only a steam profile. If you wanted to, you could just look at the “recent players” thing in steam. I don’t see why you would want to remove this from FiveM and not ask steam to remove their feature. Also, what’s to stop the players in game just asking each other for their steam profile? Nothing. I’m trying to see the position you’re coming from but, I honestly can’t see the problem.
Ugh. I hate the “this is current year” argument. It generally means you have nothing of substance to argue your point on. As for the activity logs being public, try creating an issue on the github repo or, on the forum asking the developers for a way to hide them. It’s 2017 after all, you should be able to use github 
If I as the end user choose to give you my SteamID, that is my choice. Same way if I want to give you my email or phone number. That is up to me to share that. The SteamID is far less of an issue than the IP addresses but to make it extremely clear:
Could you name me one product or service or webapp which opens up the private backend serverside logs of the software to the public end users on a web page with no authentication? Then presents the details of every user active on the app and shows exactly what they are doing in real time along with all their messages?
Every server log, chat message, IP address and steam ID, all neatly presented.
Can you now see why this might be a problem?
Uhmm you know you can hide those logs by editing some code of the chat resource right.
Also there was a recent commit which will allow a server owner to disable ip addresses to be viewed by anyone.
And last but not least steam ids are easily obtainable literally in every game that uses steam auth.
Do some research next time,
It’s a problem because nobody else does so? You’ve still provided no reasoning why it’s ‘a problem’ or ‘not acceptable’ whatsoever, other than ‘this exists, so it’s a problem’.
they’re not private backend logs, they’re public logs, as can be seen by them being publicly exposed.
Then don’t discuss anything sensitive in a video game’s text chat service?
I don’t understand why there is so much hostility in this thread. A valid concern has been raised, but a lot of the people that have replied seem to be taking this very personally. Instead of working towards a solution, most of you are just going on and on.
Three issues were raised by @alogan19:
helium said:
SteamIDs are there to support essential system infrastructure and are not possible to hide.
Meanwhile mercury stated:
“They’re exposed so that tool developers (or the team itself) can, for instance, make a friend list tool that displays what server your Steam friends are playing on, or other such features.”
So which one is it?
If this is a community based on openness and transparency, we shouldn’t react like this when someone raises a concern, but instead work towards a solution. I think a lot of people are afraid to raise their concerns, because of these types of reactions.
To summarize the things that have been said in this thread:
I sincerely hope that we can all work together towards a solution for the betterment of this project.
Only if you have access to an ISP database (which, if abusive people do, should mean one should switch ISP!), and even then you only get a subscriber name, not a person name. In addition, in multiple countries, an IP address has been ruled to not uniquely identify a subscriber.
We are not here to police the entire Internet.
Currently, nothing uses this infrastructure feature - however, given how fully-centralized server infrastructure is not a viable option due to the possibility of legal action from TTWO, this has to be reported by individual servers using a public endpoint, and can’t be moved to be reported ‘in private’ to a service endpoint.
Legacy behavior, nor is there any reason it shouldn’t be public.
They’re from early testing in 2014 on CitizenMP:IV by the original developer of that project - there’s a reason FXServer was developed: it’s to get rid of badly designed legacy features that break the moment anything minor is changed.
Any solution can be implemented by individuals themselves - the required code is all available or will be provided upon request, a ‘concern’ itself doesn’t really help resolve anything.
Provide a GH PR if need be, we have other priorities until OneSync is completed - the project itself shouldn’t even have become as popular as it has at this point.
you mean, individually taking points apart? the original poster of this thread provided no substantiation for his reasoning behind SteamIDs being ‘bad’, also if really needed (why, when Steam profiles can be set to private) users can edit the server code to return fixed SteamIDs.
It is hard to see how fear comes into this, the first replies (until @alogan19 kept regurgitating the same point) were short and concise; it is a bit hard to believe how anyone would get afraid of this.
They’re from early testing in 2014 on CitizenMP:IV by the original developer of that project - there’s a reason FXServer was developed: it’s to get rid of badly designed legacy features that break the moment anything minor is changed.
I’m confused. What’s the difference between CFX and FX? I used the download from the main page, but that also said the files haven’t been updated since 4/30. To start the server I run CitizenMP.Server.exe is there something newer out now that I should be using?
Sorry… Im fairly new to the scene here, I’m trying to search and find answers.
The cfx-server package at this point contains CitizenMP.Server.exe, FXServer (a new server part of the client codebase) is in semi-testing, see https://wiki.fivem.net/wiki/Running_FXServer - it however might have some severe issues, we’re still waiting for a large-player-count server to adopt testing it.
What do you mean by ‘large-player-count server’? Is the development team looking for servers that are large enough to test FXServer? Or are you waiting for the functionality to be finished? If it is the former, can people volunteer their servers for such testing?
Yes. There’s some compatibility-breaking changes, and we’d already found one community willing enough to subject themselves to such tests - however there’s not been enough time yet for them to test their code for the most part.
If you feel you or someone you know qualifies, join the FiveM Discord chat and email pr@fivem.net with your nickname used on there and you’ll be added to a testing group for internal discussion.
