Top Mud Sites Forum

DonathinFrye 08-04-2012 05:21 AM

Cyber-Attack on Atonement (warning)
 
On August 3rd, Atonement RPI suffered a cyber-attack by a member of the community who has been active on a number of games. They were an ex-programmer of ours who was not removed, so much as was lazy, only moderately skilled and went inactive. We never developed a negative relationship, to our knowledge, with said person - so his attack on the game came as quite a surprise. He literally erased every piece of information on our server in an attempt to destroy three years and hundreds of thousands of hours of storytelling and community. Luckily for us, our host had just recently done an off-site automatic backup, so we only lost two days of information.

Now for most MUDs, reverting two days or a week (or even a month) wouldn't be the end of the world ... but for an RPI, especially one as moment-to-moment driven as Atonement is - it could have been a nightmare. In fact, it would have erased the entire current gameworld and forced us to rebuild it from scratch, as Atonement frequently moves and spans across space and many locations; it is not a stagnant or sandbox world.

Luckily for us, our data loss was ultimately small and manageable. While we will not be pursuing legal recourse against the attacker because we do not see it as a fruitful use of our time, we do want people to be aware of who he is, what he did, and why he is a security risk. The point of this article is to make sure that anyone who has online interactions with or runs a game where this guy is a player (or programmer) is aware of the potential threat he poses. Below is his contact information and some information from Kithrater, our Lead Programmer.

---

Name: Richard Robert Lang
Known Aliases: Langric, Reiteration, Deiteration, Negation
Email:
Facebook:

---

At around 10am AEST 03/08/12, someone began modifying playerfiles on the ARPI database. The most obvious modification was changing the "state" of all playerfiles to "alive": many people reported that their characters past and previous were suddenly accessible from the main menu. After hearing reports of odd things going on, Taiamat asked Holmes to take a look at the server, via the web interface. Holmes logged on, and saw that the JDK user account, which belonged to an ex-coder of ARPI, was active. After attempting to kill the connection, Holmes was forced out of the web-interface. Tiamat informed me via email that something was going on, and that she suspected JDK might be behind it.

I looked at AIM, saw JDK was online, and proceeded to have a conversation with him, replicated below and complete with Android-induced typos:

JDK went offline at that point, and so did the game. During the conversation, I was attempting to log on to the control panel for our Virtual Private Server and shut down everything, hoping to create some space with which to figure out what was going on. JDK kindly figured out a much faster way of shutting down the server, and so part way through our conversation, began erasing every file possible on the server. Did he panic, and decide to delete everything before being locked out? It's hard to say.

Meanwhile, an account named "negation" was logged on to the ARPI chat, and was boasting about hacking the server. According to those in the room at the time, no one paid him any attention, not even when he posted "time for rm -rf /" shortly before the server went down. The life of a hacker isn't as glamorous as they make out in the movies.

Given all of the above, it was highly unlikely it could be anyone but JDK, abusing his staff login to seize control and then wipe everything from the server. However, one further piece of evidence makes it all-but-obvious that it was JDK. On his public, unlocked Facebook, JDK posted a link to an image: . That is a screenshot of someone attempting two MySQL commands:

- The first query is an attempt to change everyone's description to "a tall, muscular man" [which is the "default" NPC on Armageddon] and assign every pfile to a randomly selected account. That query failed, because I guess MySQL is hard for some.

- The second query, however, did work - its effect was to set the room of all pfiles to a PC's bedroom, much to the surprise of said PC when people started appearing from nowhere!

JDK goes by a few handles on the internet: langricr appears to be a common pseudonym of his. Trawling through Google, it appears he has earned himself a reputation for being a troll with little redeeming feature in other roleplaying communities. reiteration and disiteration are his Arm handles. If you're an admin on a roleplay MUD, forum, game, or whatever, I strongly advise you to keep a close eye on JDK/langricr.

camlorn 08-04-2012 06:14 PM

Re: Cyber-Attack on Atonement (warning)
 
Wow. That's...wow. I could see someone doing this if there was a negative relationship, to use your term, but to just do it to do it is surprising. Glad to hear you got back up and running; let me take this time to remind all admins that backups are good.

I imagine that atonement rpi will suddenly be keeping full logs of all developer activity, or something.

Still, this is, for lack of a better word, sad.

Darren Brimhall 08-04-2012 09:26 PM

Re: Cyber-Attack on Atonement (warning)
 
Thanks for the heads-up.

We in Eterena are currently looking for Programmers to help 'put the pieces together' on our Server.

I'll pass this along to my Boss, to whom, ironically, I communicated the very possibility of this occurring--but in a reversed manner involving those who are known as Internal Threats due to their using their work computer's Internet connection to surf and download from the Web.

Please keep the community informed of any further dealings or sightings of this person.

Thank you,

Darren Brimhall

Sebguer 08-04-2012 09:51 PM

Re: Cyber-Attack on Atonement (warning)
 
Holmes, here. Not actually an active Administrator on Atonement, anymore, but I've been closely involved with the recent events, so I hope Jaunt doesn't mind me posting a little update:

On August 4th, 2012, Richard Robert Lang once more vandalized AtonementRPI.com, though this time only managing to deface the front page of the website and causing even less permanent damage (this time, literally none beyond brief downtime for the forums). He did this via a backdoor he'd installed some point in the past few weeks. Kithrater is currently examining logs, here's a copy and paste from his latest update on our forums:

Also, after the latest attack, our culprit admitted to passing along his log-in information to several other individuals, who he blames for ultimately deleting our server in a prank that "quickly escalated". He's since written a letter of apology:


Darren Brimhall 08-04-2012 10:16 PM

Re: Cyber-Attack on Atonement (warning)
 
Now for the big question; why did he do it?

Darren Brimhall

Sebguer 08-04-2012 10:17 PM

Re: Cyber-Attack on Atonement (warning)
 
To quote him:

JDKAtonement: I never had anything against atonement, don't get me wrong, it was just a boring night and some passwords got shared.

Though it's somewhat at odds with his having prepared the attack some weeks in advance.

DonathinFrye 08-04-2012 11:55 PM

Re: Cyber-Attack on Atonement (warning)
 
He has shared the information in detailed format. I suspect that not all of the information is honest, but I believe that the majority of it rings of truth. It does also help me confirm suspicions of another player that I believed to be involved (his friend), but had no evidence towards.



The issue is fully resolved now, on our front.

tingonic 08-05-2012 09:58 AM

Re: Cyber-Attack on Atonement (warning)
 


>I give another shrug, think to let **** be ****, and decide to deface the index page of the website. At this point, I'm starting to regret what I did, and why I wronged Atonement a second time when they were justified in their comments.

>I realize I'm ****ed either way and tell him to raze my identity to the ground. I realize I'm only digging myself a deeper hole and start asking what to do to compensate the community.

Guy's a total douche. No 'I'm sorry', no caring about the game he USED to contribute to, and plus he violated the game players' trust by CREATING BACKDOORS and then SHARING THEM WITH RANDOM PEOPLE.
People do make dumb mistakes and deserve to be forgiven... but I fail to see how this guy has adequately handled his Atonement. He seems more sorry he got 'outed' than for any real damage that has been done.

Darren Brimhall 08-05-2012 11:59 AM

Re: Cyber-Attack on Atonement (warning)
 
He wasn't bored.

The posted evidence agrees with his having prepared the attack with backdoors in advance.

If random people did this, I believe there would have been more mayhem and destruction occurring to the site than what presently occurred.

And besides, he knew better than to share those passwords. Either way, he's cooked.


Darren Brimhall

langricr 08-05-2012 12:33 PM

Re: Cyber-Attack on Atonement (warning)
 
I gave an apology, it just didn't make it to this topic it seems, it's been brought up on both Armageddon and Atonement.


one 08-06-2012 02:50 AM

Re: Cyber-Attack on Atonement (warning)
 
Wait, is it a bloody fingerprint? LOL

camlorn 08-06-2012 09:57 AM

Re: Cyber-Attack on Atonement (warning)
 
If you knowingly let someone who did this back on your mud, then you're going to lose a lot of players I suspect; you would lose me at any rate. This is something you can go to jail for, potentially, not just a "bannable offense". I doubt there's enough evidence to go that far and I don't advocate it, but this is way beyond bug abuse.

Also, if he's also apologizing to Armageddon, something else is going on that we don't know about. I believe in second chances, I really do, but there's no way to claim this was an "accident", or anything.

langricr 08-06-2012 10:18 AM

Re: Cyber-Attack on Atonement (warning)
 
I'm not sure Armageddon cares about apologies, I've been extirpated from the community there and a few of them are having a laugh over how atrocious my handwriting is and how mentally unbalanced I must be to sign an apology in blood, not unlike one's comment.



Oddly, I feel as if I'm receiving more wrath from Armageddon than Atonement.

camlorn 08-06-2012 02:33 PM

Re: Cyber-Attack on Atonement (warning)
 
Well, I'm blind. I thought that was a figure of speech--one, obviously, that I'm not familiar with, but a figure of speech all the same.

That's really not what you should have done--that sends up all sorts of red flags. Like, seriously, um. I'm not even sure how to put this nicely, but yeah, you're definitely more than a bit odd. My comment wasn't aimed at Armageddon, it was aimed at Atonement; I know nothing about the Armageddon situation.

Intentionally or not, you came close to destroying years of work. I personally think this was intentional, but I'm not going to debate it, but I'd never let you anywhere near my game (knowingly--it's easy to circumvent bans now, unfortunately) ever if I had been the target (a moot point--I don't have a game to ban you from).

This is seriously sad--surely you have something better (and more constructive) to do with your time that doesn't involve hacking muds.

SnowTroll 08-06-2012 03:50 PM

Re: Cyber-Attack on Atonement (warning)
 
You need to know your staff in the real world. You have to know their real names, addresses, phone numbers, e-mail addresses, and have real life contact information for them, preferably have interviewed them over the phone, and maybe even reviewed a resume or two and checked a couple of references. I know that's a lot to ask for a free, hobbyist game, but you can't just get a private message on the topmudsites forums from "Cyberrpdude47" saying "hi i want to code on ur mud," exchange a few e-mails with this guy's free e-mail address, grant him unrestricted access to your creation, then be surprised when he deletes or changes a bunch of stuff. I know there are other safe ways to go about this, various levels of administratorhood that can be progressively earned with time and trust, and that this guy was probably pretty well vetted, or so it seemed, but my point still stands. You have to know your staff in the real world, because when cloaked in the anonymous nature of the internet, people are tools.

DonathinFrye 08-06-2012 04:20 PM

Re: Cyber-Attack on Atonement (warning)
 
We have his contact information. We did interview him, though I was not around at the time that we brought him on and can't speak to the thoroughness of it. Simply put, he didn't give us any warning signs over this issue. I'm also not sure what would make anyone think that we would allow him to play our game again. He and everyone involved are permanently banned and we marked the internet with their contact information to help others avoid finding themselves in the same predicament. We are certainly not forgiving or forgetting him.

I posted this here as a friendly warning to the community on this person, since there was no warning for us. Trust me, I am more than capable of fending for my game, protecting it and dealing with incursions. I didn't post here to ask for your criticisms over a situation that you have negligible information regarding. IMO, it's fairly trollish to give it.

Ide 08-06-2012 09:15 PM

Re: Cyber-Attack on Atonement (warning)
 
I don't think it's trollish at all. I appreciate that you brought it up, but if you're going to discuss it in a public forum, you should expect it to be...discussed.

I agree with ST, no one but your most trusted staff should have server access. There's no reason that this guy should have had the access he did. That's just a fundamental security error Atonement made and they should recognize it as such.

camlorn 08-06-2012 10:14 PM

Re: Cyber-Attack on Atonement (warning)
 
I just read the entire topic to see if I was in error; I was. Apparently, something got crossed with something else, and I started taking the ongoing investigation for backdoors as something it wasn't: namely, investigations that it *wasn't* his fault.

Sorry for any hurt feelings. I can see, now that I've reread, why that came across the way it did.

swampdog 08-07-2012 03:43 AM

Re: Cyber-Attack on Atonement (warning)
 
I think the people with smarts already have a pretty good warning system called 'why on earth does anyone outside of the owner and PERHAPS a couple of core wizards need shell access'. If critiquing that decision is trolling there's not much to say here, aside from 'well you shouldn't have done that'. I'm not gonna mark this guy down in a blacklist because elementary security precautions prevent situations like this in the first place!

Maybe that's a little harsh, because this situation:

happens all the time. I don't know why, aside from a complete lack of foresight. ST has some good advice on the level of trust required for shell.

camlorn 08-07-2012 06:20 PM

Re: Cyber-Attack on Atonement (warning)
 
Here's my thought on shell access: With current mudding technologies, it's almost necessary.

We do have lpmud which doesn't, and a few others, but anyone who's going to do anything beyond building will for the most part need shell access (I discount lpmud in this argument because I can just write malicious utilities myself, there, and get them run--in lpmud, even builders are coders). There's currently no way around this, not really, anyway--you can use version control, which imho is a good thing and more mud admins should use it, but shell access is still needed for the compilation (kind of--some versioning utilities will rebuild the mud).

But this doesn't matter. As soon as you give someone sourcecode-level access in any form, they can code anything they want to do; with c, this includes executing commands with the same privileges of the mud. Even builders nowadays have really powerful tools--a builder can't delete the sourcecode (Or can they? I'm sure there's a hack somewhere), but they can wreck players if they want in a lot of these codebases. For once, the limited mobprogs of diku get a positive mention for not really allowing this easily...I can't do "player.maxHp = 1", for example on a diku.

Essentially: I wouldn't give shell access to pr/rule enforcement unless they're also coders but most others will be able to do damage anyway (still, not giving it to people who don't need it is good--you might or might not limit the damage that way); I agree with snowtroll about trust, but see no reason to believe Atonement RPI didn't take necessary precautions.

The real problem with this, and I suspect where most of the I'm someguy123 coders come in, is for new projects. If I don't want to do everything myself, I need immortals, both builders and coders, and for many projects there's no game to make a potential coder play on first. For new projects, I personally think either code it yourself/with friends, or take nightly backups, keep logs of what people do, and hope for the best.

So, to sound hypocritical, I don't think it was Atonement's "fault", or anything--I misread the conversation above and assumed they were looking for justification to let him play again (for which I have previously apologized), but he's right--we shouldn't criticize; they did nothing wrong to bring the attack upon themselves, unless there's internal politics that we aren't aware of (I don't play Atonement--I wouldn't know, and I don't think there is or anything). Atonement is an established game; there's no reason to believe they don't have a competent application process and screening and the like.

I understand that no one's mentioned Atonement as the target of his/her advice, but I can't tell myself if it's intended as criticism or not--everything that's been posted, however, will be helpful to someone who's new to mud development, so I really don't think that there's a point in arguing about it.

Ide 08-07-2012 07:53 PM

Re: Cyber-Attack on Atonement (warning)
 
Obviously we're diverging from the original thread here but it's a good launching point.

There's a big difference between giving your coders access to the source code and access to the server. Furthermore, as the owner of your game, your source code and changes made to it should not be a black box. If you decide to take on more people to help you with your game, then I'd argue it's incumbent on you for the sake of the game and its players to do it in a responsible way. Anything less and you should be willing to admit the mistake was yours when your actions lead to unfavorable consequences.

langricr 08-07-2012 09:32 PM

Re: Cyber-Attack on Atonement (warning)
 
HAL, the person who was in charge of Atonement at the time, wanted me to compile the existing publicly available SoI codebase (which Atonement is built off of). After he was able to connect to the MUD server running from my home computer I got the account JDK with superuser access.

Edited to add:

followed by

camlorn 08-08-2012 11:49 AM

Re: Cyber-Attack on Atonement (warning)
 
Is langricr trolling? Not really sure here--I'm really, really not certain why a coder needs superuser access...

I mean, with superuser access, I could do "rm -rf /", and if I'm on a distro that doesn't protect against it, I'm taking out way more than the game: the entire linux kernel will go with it.

Do you actually make potential coders compile the SoI codebase? Just curious here--I don't know if that runs natively on windows without cygwin or what, but I've never heard of that particular requirement before--I can't decide if it's a good one or a bad one; I could see it both ways.

For you new mud admins, superuser access == bad. So does using the same shell account for all coders, for that matter; if you're on one of the free hosts, you don't have much choice, but don't do it if you've got a vps. Superuser access is like giving someone the keys to your house--they could go inside and replace all the locks, as it were--there's a good reason a lot of linux distros use sudo now.

Sebguer 08-08-2012 12:42 PM

Re: Cyber-Attack on Atonement (warning)
 
Okay, Holmes here again. Kind of bothered that this has become a 'defend the hiring practices of a game that was maliciously attacked', but alright. Blame-the-victim is in style in all sorts of ways! We should've dressed like less of a slut, of course.

JDK was a player for a fair bit of time before he applied to staff. He applied to staff at a time where we were having significant instability due to back-end access, and our lead programmer (and competent coder/experienced server administrator) had very recently stepped away from the game suddenly. Neither HAL, nor I, (the two people who were engaged in the day-to-day administering of the game) were very experienced in the world of MUD administration, and neither of us are programmers. In terms of hiring a coder and letting them actually make changes to the game (changes which we had a compelling need for), granting them the access that JDK was given was the ONLY way to do this to our knowledge and experience level.

In defense of this practice, I'd like to point out that JDK had this access for almost a year. As you can see, we hired him in October of 2011. He showed no signs of malicious behavior (though, hey, maybe he'll post again and tell me all sorts of wicked deeds that he did while he was working for us) for the duration of his officially being an administrator. He didn't do much work, either, really, but that's what you get with volunteers and it wasn't a terribly worrisome fact. Regardless, the issue here wasn't that he had access, it's that he was allowed to persist in having access after having (amicably, as far as I know) departed staff. This was, and I don't think anyone will deny it, a mistake and an oversight. However, this hardly excuses the man's actions- and the idea that because we gave out this access, which may or may not have been necessary, we deserved for our server to get attacked is patently ridiculous.

As for the requirement to compile SoI's codebase, yeah. It was a 'basic competency' requirement.
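Added example, not part of the thread and not any poster's or Atonement's code: the failure described above (a departed coder's shell account that kept its access) is what a periodic offboarding audit catches. This sketch checks `/etc/passwd`- and `/etc/group`-format data against a current staff roster; the account names, rosters and sample data are constructed for illustration.

```python
"""Offboarding audit: compare login-capable and admin accounts to the staff roster."""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
ADMIN_GROUPS = {"sudo", "wheel"}  # groups that conventionally grant root via sudo

# Constructed sample data (hypothetical accounts, not taken from the thread).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/var/lib/mysql:/bin/false
mud:x:1000:1000:game runtime:/home/mud:/bin/bash
leadcoder:x:1001:1001::/home/leadcoder:/bin/bash
excoder:x:1002:1002::/home/excoder:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_GROUP = """\
sudo:x:27:leadcoder,excoder
mud:x:1000:
"""
CURRENT_LOGINS = {"root", "mud", "leadcoder"}  # hypothetical: who may log in today
CURRENT_ADMINS = {"leadcoder"}                 # hypothetical: who may use sudo today


def parse_passwd(text):
    """Return {name: {uid, gid, shell}} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a production audit should report it
        name, _pw, uid, gid, _gecos, _home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return accounts


def admin_members(group_text, accounts):
    """Return {group: members} for admin groups, including primary-GID members."""
    members = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0] not in ADMIN_GROUPS:
            continue
        name, _pw, gid, listed = fields
        found = {m for m in listed.split(",") if m}
        found |= {a for a, info in accounts.items() if info["gid"] == int(gid)}
        members[name] = found
    return members


def audit(passwd_text, group_text, login_roster, admin_roster):
    """Return sorted (account, finding) pairs that need review."""
    accounts = parse_passwd(passwd_text)
    findings = set()
    for name, info in accounts.items():
        # A second UID 0 account has full root rights regardless of its name.
        if info["uid"] == 0 and name != "root":
            findings.add((name, "extra-uid0"))
        # An empty shell field means /bin/sh, so it counts as login-capable.
        if info["shell"] not in NOLOGIN_SHELLS and name not in login_roster:
            findings.add((name, "stale-login"))
    for group, found in admin_members(group_text, accounts).items():
        for name in found - set(admin_roster):
            findings.add((name, "unapproved-admin:" + group))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_GROUP,
                                  CURRENT_LOGINS, CURRENT_ADMINS):
        print(f"{account}: {finding}")
```

This covers only local Unix accounts; SSH authorized keys, database users and hosting control-panel logins need the same roster comparison.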

realmsofvalor 08-08-2012 12:51 PM

Re: Cyber-Attack on Atonement (warning)
 
A coder shouldn't need superuser access. Whoever is administrating the server should well know that.
Edit - As from the above post, it appears the Admins of the game were not administrating the server itself, and didn't know any better. And yes, it was a mistake to allow him continual access after he left the project. A lesson learned.

I don't think he's trolling so much as demonstrating the credentials that hired him. Getting a stock game running and hosted on your home machine seems like a fine test to me; I would not wish to hire a coder that could not figure that out eventually. It took a lot of effort (so it seemed at the time) for me to get my very first MUD running on my own local machine. People can say 'hey, I'm a coder, hire me' but the C/Java they've worked with would have little or nothing to do with a MUD's code, and could be fairly lost or lose interest quickly in your project.. and then you've got to start all over again, finding someone new.

Trust is a big aspect, but sometimes an Administrator does not have the luxury of hiring good friends with the requisite skillsets. Not to bust langricr's balls or anything, but perhaps he proved (and was) trustworthy enough during his tenure. I would not say the same thing now, and am grateful that the Admin of Atonement has publicized his conduct to the community.

Threshold 08-08-2012 02:15 PM

Re: Cyber-Attack on Atonement (warning)
 
Seriously?

The only thing worth discussing is how a mud admin could avoid this situation.

How many posts are worth reading if it was just a bunch of people saying "Yeah, that guy was a dick."

Giving superuser shell access to someone you don't know is dangerous as hell and extremely irresponsible. I am glad your mud was not destroyed by the mistake and thus you'll be able to live and learn.

For the purpose of discussion on a public forum, the only part still interesting is to discuss how people should go about vetting staff so they can avoid this type of situation.

Sebguer 08-08-2012 02:18 PM

Re: Cyber-Attack on Atonement (warning)
 
Sorry, perhaps I replied a bit harshly, but Snowtroll's post is a complete strawman and Langricr's rubbed me the wrong way.

Ide 08-08-2012 03:17 PM

Re: Cyber-Attack on Atonement (warning)
 
Sebguer, I don't think anyone is saying you deserved the attack. Obviously the guy was a jerk and he deserves to be banned. However DonathinFrye's statement "Trust me, I am more than capable of fending for my game, protecting it and dealing with incursions" obviously is false and strikes me as simply protecting his ego, which isn't an attitude you want to foster as game admin. That is worth pointing out to beginner mud admins reading this thread.

I think there are three parts to this, the interview, which is kind of hard to rely on for various reasons, levels of admin access, and automation of your build/deployment process.

Threshold 08-08-2012 07:00 PM

Re: Cyber-Attack on Atonement (warning)
 
I just wanted to echo this to make sure Sebguer didn't get the wrong impression about our community.

The attack was despicable and totally indefensible. I'm really sorry it happened to you guys and I am glad you were able to recover from it with minimal impact.

DonathinFrye 08-09-2012 03:05 AM

Re: Cyber-Attack on Atonement (warning)
 
Notice that I'm not actively attempting to argue with anyone here; I've actually avoided posting because I really don't want to be trolled into an argument. I'd like to think that I have reputation on TMS as both a good, friendly community member and respected administrator of multiple games over the years. A few things I'll note before putting this matter to bed:

- My point, Ide, was that I created this thread as a Public Service Announcement to warn other games of this programmer so that they understand that he is a potential security liability.

- Sebguer is not an admin on Atonement anymore, but I am thankful for his support as a player; even if he and Hal were inexperienced in running a game and had to make do with limited resources during their tenure of administration (while I was taken away from it due to real life), I'm thankful that they were there. They kept the game alive during that period of time - and Atonement is a rather special game that exists, in no small part, because of them (and a number of others).

- I'm not attempting to ignore the oversight revolving around this guy's security access. However, I'm also not really keen on accepting personal insults from situational outsiders; the first that I'd ever heard of this person was when our game was hacked. I was not aware that he had this level of access (or even existed), nor am I the staff member who is the administrator of the server itself. I am the administrator that cleaned up the mess, investigated the issue, banned this guy - and made a friendly attempt to warn other MUDs of him. If there's a lesson to be learned revolving around giving this access to people that you do not know to voluntarily program for your game, I'm not opposed to that discussion. I am opposed to turning the other cheek when people begin to use this situation as a means to point fingers at me personally (or the game itself) without the knowledge to do so; simply put, it's an ignorant comment. It's a situation that any game could find itself in, no matter how secure it believes itself to be.

- I would agree with the others posting in that you do not need to give the highest level of security access to a coder for your game. It would, perhaps, be beneficial for newer admins to hear good alternatives so that they can protect the security of their game. As we did, I would also encourage people to have a system to automatically back up your information in a safe place - not just for a security breach, but for a number of reasons. This is what saved us from a massive amount of data loss.

- Thank you to the folks who've given us their best wishes. The truth of the matter is that we recovered from the attack after about 24 hours, with the biggest loss being a few players having lost a centimeter of skill-progress. We've been back to business as usual since then. Again, I just wanted to give the community a warning, an effort that I thought was the responsible decision considering the potential damage was far greater than the actual damage.

Darren Brimhall 08-09-2012 08:55 AM

Re: Cyber-Attack on Atonement (warning)
 
Those of us who are staffing Games still in the process of formation (in my case, Eterena) thank you for your honesty in coming out with this matter, as we can use your experiences to avoid that pitfall your game encountered.

These are the kind of surprises no one wants to deal with. And those of us who've learned from this incident will take the means to ensure they do not have a similar, or greater, impact upon their Game in the future.


Thank you,

Darren Brimhall

