Old 08-07-2012, 07:53 PM   #21
Ide
Senior Member
 
Join Date: Feb 2006
Location: Seattle
Posts: 361
Re: Cyber-Attack on Atonement (warning)

Obviously we're diverging from the original thread here but it's a good launching point.

There's a big difference between giving your coders access to the source code and access to the server. Furthermore, as the owner of your game, your source code and changes made to it should not be a black box. If you decide to take on more people to help you with your game, then I'd argue it's incumbent on you for the sake of the game and its players to do it in a responsible way. Anything less and you should be willing to admit the mistake was yours when your actions lead to unfavorable consequences.
Old 08-07-2012, 09:32 PM   #22
langricr
New Member
 
Join Date: Aug 2012
Posts: 3
Re: Cyber-Attack on Atonement (warning)

Quote:
Originally Posted by camlorn View Post
Atonement is an established game; there's no reason to believe they don't have a competent application process and screening and the like.
HAL, the person who was in charge of Atonement at the time, wanted me to compile the existing publicly available SoI codebase (which Atonement is built off of). After he was able to connect to the MUD server running from my home computer I got the account JDK with superuser access.

Edited to add:
Interview process
followed by
http://puu.sh/PD4r

Last edited by langricr : 08-07-2012 at 09:52 PM.
Old 08-08-2012, 11:49 AM   #23
camlorn
Member
 
Join Date: Aug 2011
Posts: 144
Re: Cyber-Attack on Atonement (warning)

Is langricr trolling? Not really sure here--I'm really, really not certain why a coder needs superuser access...

I mean, with superuser access, I could do "rm -rf /", and if I'm on a distro that doesn't protect against it, I'm taking out way more than the game: the entire linux kernel will go with it.

Do you actually make potential coders compile the SoI codebase? Just curious here--I don't know if that runs natively on windows without cygwin or what, but I've never heard of that particular requirement before--I can't decide if it's a good one or a bad one; I could see it both ways.

For you new mud admins, superuser access == bad. So does using the same shell account for all coders, for that matter; if you're on one of the free hosts, you don't have much choice, but don't do it if you've got a vps. Superuser access is like giving someone the keys to your house--they could go inside and replace all the locks, as it were--there's a good reason a lot of linux distros use sudo now.
Old 08-08-2012, 12:42 PM   #24
Sebguer
New Member
 
Join Date: Jul 2007
Posts: 18
Re: Cyber-Attack on Atonement (warning)

Okay, Holmes here again. Kind of bothered that this has become a 'defend the hiring practices of a game that was maliciously attacked', but alright. Blame-the-victim is in style in all sorts of ways! We should've dressed like less of a slut, of course.

JDK was a player for a fair bit of time before he applied to staff. He applied to staff at a time where we were having significant instability due to back-end access, and our lead programmer (and competent coder/experienced server administrator) had very recently stepped away from the game suddenly. Neither HAL, nor I, (the two people who were engaged in the day-to-day administering of the game) were very experienced in the world of MUD administration, and neither of us are programmers. In terms of hiring a coder and letting them actually make changes to the game (changes which we had a compelling need for), granting them the access that JDK was given was the ONLY way to do this to our knowledge and experience level.

In defense of this practice, I'd like to point out that JDK had this access for almost a year. As you can see, we hired him in October of 2011. He showed no signs of malicious behavior (though, hey, maybe he'll post again and tell me all sorts of wicked deeds that he did while he was working for us) for the duration of his officially being an administrator. He didn't do much work, either, really, but that's what you get with volunteers and it wasn't a terribly worrisome fact. Regardless, the issue here wasn't that he had access, it's that he was allowed to persist in having access after having (amicably, as far as I know) departed staff. This was, and I don't think anyone will deny it, a mistake and an oversight. However, this hardly excuses the man's actions- and the idea that because we gave out this access, which may or may not have been necessary, we deserved for our server to get attacked is patently ridiculous.

As for the requirement to compile SoI's codebase, yeah. It was a 'basic competency' requirement.
Old 08-08-2012, 12:51 PM   #25
realmsofvalor
New Member
 
Join Date: Jul 2011
Posts: 22
Re: Cyber-Attack on Atonement (warning)

Quote:
Originally Posted by camlorn View Post
Is langricr trolling? Not really sure here--I'm really, really not certain why a coder needs superuser access...

Do you actually make potential coders compile the SoI codebase? Just curious here--I don't know if that runs natively on windows without cygwin or what, but I've never heard of that particular requirement before--I can't decide if it's a good one or a bad one; I could see it both ways.
A coder shouldn't need superuser access. Whoever is administrating the server should well know that.
Edit - As from the above post, it appears the Admins of the game were not administrating the server itself, and didn't know any better. And yes, it was a mistake to allow him continual access after he left the project. A lesson learned.

I don't think he's trolling so much as demonstrating the credentials that hired him. Getting a stock game running and hosted on your home machine seems like a fine test to me; I would not wish to hire a coder that could not figure that out eventually. It took a lot of effort (so it seemed at the time) for me to get my very first MUD running on my own local machine. People can say 'hey, I'm a coder, hire me' but the C/Java they've worked with would have little or nothing to do with a MUD's code, and could be fairly lost or lose interest quickly in your project... and then you've got to start all over again, finding someone new.

Trust is a big aspect, but sometimes an Administrator does not have the luxury of hiring good friends with the requisite skillsets. Not to bust langricr's balls or anything, but perhaps he proved (and was) trustworthy enough during his tenure. I would not say the same thing now, and am grateful that the Admin of Atonement has publicized his conduct to the community.

Last edited by realmsofvalor : 08-08-2012 at 12:57 PM.
Old 08-08-2012, 02:15 PM   #26
Threshold
Legend
 
Join Date: Apr 2002
Home MUD: Threshold RPG
Posts: 1,240
Re: Cyber-Attack on Atonement (warning)

Quote:
Originally Posted by Sebguer View Post
Okay, Holmes here again. Kind of bothered that this has become a 'defend the hiring practices of a game that was maliciously attacked', but alright. Blame-the-victim is in style in all sorts of ways! We should've dressed like less of a slut, of course.
Seriously?

The only thing worth discussing is how a mud admin could avoid this situation.

How many posts are worth reading if it was just a bunch of people saying "Yeah, that guy was a dick."

Giving superuser shell access to someone you don't know is dangerous as hell and extremely irresponsible. I am glad your mud was not destroyed by the mistake and thus you'll be able to live and learn.

For the purpose of discussion on a public forum, the only part still interesting is to discuss how people should go about vetting staff so they can avoid this type of situation.
Old 08-08-2012, 02:18 PM   #27
Sebguer
New Member
 
Join Date: Jul 2007
Posts: 18
Re: Cyber-Attack on Atonement (warning)

Sorry, perhaps I replied a bit harshly, but Snowtroll's post is a complete strawman and Langricr's rubbed me the wrong way.
Old 08-08-2012, 03:17 PM   #28
Ide
Senior Member
 
Join Date: Feb 2006
Location: Seattle
Posts: 361
Re: Cyber-Attack on Atonement (warning)

Sebguer, I don't think anyone is saying you deserved the attack. Obviously the guy was a jerk and he deserves to be banned. However DonathinFrye's statement "Trust me, I am more than capable of fending for my game, protecting it and dealing with incursions" obviously is false and strikes me as simply protecting his ego, which isn't an attitude you want to foster as game admin. That is worth pointing out to beginner mud admins reading this thread.

Quote:
Originally Posted by Threshold
For the purpose of discussion on a public forum, the only part still interesting is to discuss how people should go about vetting staff so they can avoid this type of situation.
I think there are three parts to this: the interview, which is kind of hard to rely on for various reasons; levels of admin access; and automation of your build/deployment process.
Old 08-08-2012, 07:00 PM   #29
Threshold
Legend
 
Join Date: Apr 2002
Home MUD: Threshold RPG
Posts: 1,240
Re: Cyber-Attack on Atonement (warning)

Quote:
Originally Posted by Ide View Post
Sebguer, I don't think anyone is saying you deserved the attack.
I just wanted to echo this to make sure Sebguer didn't get the wrong impression about our community.

The attack was despicable and totally indefensible. I'm really sorry it happened to you guys and I am glad you were able to recover from it with minimal impact.
Old 08-09-2012, 03:05 AM   #30
DonathinFrye
Senior Member
 
Join Date: Dec 2005
Name: Donathin Frye
Location: Columbus, OH
Home MUD: Optional Realities
Home MUD: Atonement RPI
Home MUD: Project Redshift
Posts: 510
Re: Cyber-Attack on Atonement (warning)

Quote:
Originally Posted by Ide View Post
Sebguer, I don't think anyone is saying you deserved the attack. Obviously the guy was a jerk and he deserves to be banned. However DonathinFrye's statement "Trust me, I am more than capable of fending for my game, protecting it and dealing with incursions" obviously is false and strikes me as simply protecting his ego, which isn't an attitude you want to foster as game admin. That is worth pointing out to beginner mud admins reading this thread.
Notice that I'm not actively attempting to argue with anyone here; I've actually avoided posting because I really don't want to be trolled into an argument. I'd like to think that I have reputation on TMS as both a good, friendly community member and respected administrator of multiple games over the years. A few things I'll note before putting this matter to bed:

- My point, Ide, was that I created this thread as a Public Service Announcement to warn other games of this programmer so that they understand that he is a potential security liability.

- Sebguer is not an admin on Atonement anymore, but I am thankful for his support as a player; even if he and Hal were inexperienced in running a game and had to make do with limited resources during their tenure of administration (while I was taken away from it due to real life), I'm thankful that they were there. They kept the game alive during that period of time - and Atonement is a rather special game that exists, in no small part, because of them (and a number of others).

- I'm not attempting to ignore the oversight revolving around this guy's security access. However, I'm also not really keen on accepting personal insults from situational outsiders; the first that I'd ever heard of this person was when our game was hacked. I was not aware that he had this level of access (or even existed), nor am I the staff member who is the administrator of the server itself. I am the administrator that cleaned up the mess, investigated the issue, banned this guy - and made a friendly attempt to warn other MUDs of him. If there's a lesson to be learned revolving around giving this access to people that you do not know to voluntarily program for your game, I'm not opposed to that discussion. I am opposed to turning the other cheek when people begin to use this situation as a means to point fingers at me personally (or the game itself) without the knowledge to do so; simply put, it's an ignorant comment. It's a situation that any game could find itself in, no matter how secure it believes itself to be.

- I would agree with the others posting in that you do not need to give the highest level of security access to a coder for your game. It would, perhaps, be beneficial for newer admins to hear good alternatives so that they can protect the security of their game. As we did, I would also encourage people to have a system to automatically back up your information in a safe place - not just for a security breach, but for a number of reasons. This is what saved us from a massive amount of data loss.

- Thank you to the folks who've given us their best wishes. The truth of the matter is that we recovered from the attack after about 24 hours, with the biggest loss being a few players having lost a centimeter of skill-progress. We've been back to business as usual since then. Again, I just wanted to give the community a warning, an effort that I thought was the responsible decision considering the potential damage was far greater than the actual damage.

Last edited by DonathinFrye : 08-09-2012 at 03:26 AM.
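
An added example, not part of the original posts: the gap discussed in this thread (a volunteer coder holding superuser access, and keeping it after leaving staff) can be caught by auditing the host's accounts against a current staff roster. The account names, the roster file and the function names are constructed for illustration, and the script assumes root is granted through membership in the `sudo` or `wheel` group.

```shell
#!/bin/sh
# Added example: audit shell and superuser access against a staff roster.
# Assumes root is granted through the sudo or wheel group; all data is constructed.

# audit_access PASSWD GROUP ROSTER -> one "<severity> <account> <reason>" per line
audit_access() {
    awk -F: -v roster="$3" -v groupfile="$2" '
        BEGIN {
            # Current staff, one login name per line.
            while ((getline line < roster) > 0) if (line != "") staff[line] = 1
            # Members of the groups that confer root through sudo.
            while ((getline line < groupfile) > 0) {
                split(line, g, ":")
                if (g[1] != "sudo" && g[1] != "wheel") continue
                n = split(g[4], m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") admin[m[i]] = 1
            }
        }
        # Skip root itself and service accounts without a login shell.
        $1 == "root" || $7 ~ /(nologin|false)$/ { next }
        $3 == 0                         { print "CRITICAL", $1, "uid-0-alias"; next }
        !($1 in staff) && ($1 in admin) { print "CRITICAL", $1, "off-roster-sudo"; next }
        !($1 in staff)                  { print "HIGH", $1, "off-roster-shell"; next }
        ($1 in admin)                   { print "REVIEW", $1, "staff-with-sudo" }
    ' "$1"
}

# make_sample DIR: write constructed passwd, group and roster files into DIR
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mud:x:999:999:game service:/srv/mud:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
sudo:x:27:alice,bob
mud:x:999:alice,carol
EOF
    printf 'alice\ncarol\n' > "$1/roster"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_access "$tmp/passwd" "$tmp/group" "$tmp/roster"
rm -rf "$tmp"
```

Pointed at `/etc/passwd` and `/etc/group` with a maintained roster, any account that outlives its owner's time on staff shows up as a finding rather than staying unnoticed.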
Old 08-09-2012, 08:55 AM   #31
Darren Brimhall
Member
 
Join Date: Jun 2010
Posts: 241
Re: Cyber-Attack on Atonement (warning)

Those of us who are staffing Games still in the process of formation (in my case, Eterena) thank you for your honesty in coming out with this matter, as we can use your experiences to avoid that pitfall your game encountered.

These are the kind of surprises no one wants to deal with. And those of us who've learned from this incident will take the means to ensure they do not have a similar, or greater, impact upon their Game in the future.


Thank you,

Darren Brimhall
All times are GMT -4.