08-07-2012, 07:53 PM | #21
Senior Member
Join Date: Feb 2006
Location: Seattle
Posts: 361
Re: Cyber-Attack on Atonement (warning)
Obviously we're diverging from the original thread here, but it's a good launching point.
There's a big difference between giving your coders access to the source code and access to the server. Furthermore, as the owner of your game, your source code and changes made to it should not be a black box. If you decide to take on more people to help you with your game, then I'd argue it's incumbent on you, for the sake of the game and its players, to do it in a responsible way. Anything less and you should be willing to admit the mistake was yours when your actions led to unfavorable consequences.
08-07-2012, 09:32 PM | #22
New Member
Join Date: Aug 2012
Posts: 3
Re: Cyber-Attack on Atonement (warning)
HAL, the person who was in charge of Atonement at the time, wanted me to compile the existing publicly available SoI codebase (which Atonement is built off of). After he was able to connect to the MUD server running from my home computer, I got the account JDK with superuser access.
Edited to add: followed by
Last edited by langricr : 08-07-2012 at 09:52 PM.
08-08-2012, 11:49 AM | #23
Member
Join Date: Aug 2011
Posts: 144
Re: Cyber-Attack on Atonement (warning)
Is langricr trolling? Not really sure here--I'm really, really not certain why a coder needs superuser access...
I mean, with superuser access, I could do "rm -rf /", and if I'm on a distro that doesn't protect against it, I'm taking out way more than the game: the entire Linux kernel will go with it. Do you actually make potential coders compile the SoI codebase? Just curious here--I don't know if that runs natively on Windows without Cygwin or what, but I've never heard of that particular requirement before--I can't decide if it's a good one or a bad one; I could see it both ways.
For you new mud admins, superuser access == bad. So does using the same shell account for all coders, for that matter; if you're on one of the free hosts, you don't have much choice, but don't do it if you've got a VPS. Superuser access is like giving someone the keys to your house--they could go inside and replace all the locks, as it were--there's a good reason a lot of Linux distros use sudo now.
08-08-2012, 12:42 PM | #24
New Member
Join Date: Jul 2007
Posts: 20
Re: Cyber-Attack on Atonement (warning)
Okay, Holmes here again. Kind of bothered that this has become a 'defend the hiring practices of a game that was maliciously attacked' thread, but alright. Blame-the-victim is in style in all sorts of ways! We should've dressed like less of a slut, of course.
JDK was a player for a fair bit of time before he applied to staff. He applied to staff at a time when we were having significant instability due to back-end access, and our lead programmer (and competent coder/experienced server administrator) had very recently stepped away from the game suddenly. Neither HAL nor I (the two people who were engaged in the day-to-day administering of the game) were very experienced in the world of MUD administration, and neither of us is a programmer. In terms of hiring a coder and letting them actually make changes to the game (changes which we had a compelling need for), granting them the access that JDK was given was the ONLY way to do this to our knowledge and experience level. In defense of this practice, I'd like to point out that JDK had this access for almost a year. As you can see, we hired him in October of 2011. He showed no signs of malicious behavior (though, hey, maybe he'll post again and tell me all sorts of wicked deeds that he did while he was working for us) for the duration of his officially being an administrator. He didn't do much work, either, really, but that's what you get with volunteers and it wasn't a terribly worrisome fact. Regardless, the issue here wasn't that he had access, it's that he was allowed to persist in having access after having (amicably, as far as I know) departed staff. This was, and I don't think anyone will deny it, a mistake and an oversight. However, this hardly excuses the man's actions, and the idea that because we gave out this access, which may or may not have been necessary, we deserved for our server to get attacked is patently ridiculous. As for the requirement to compile SoI's codebase, yeah. It was a 'basic competency' requirement.
08-08-2012, 12:51 PM | #25
New Member
Join Date: Jul 2011
Posts: 22
Re: Cyber-Attack on Atonement (warning)
A coder shouldn't need superuser access. Whoever is administering the server should well know that.
Edit - From the above post, it appears the admins of the game were not administering the server itself, and didn't know any better. And yes, it was a mistake to allow him continual access after he left the project. A lesson learned. I don't think he's trolling so much as demonstrating the credentials that got him hired. Getting a stock game running and hosted on your home machine seems like a fine test to me; I would not wish to hire a coder that could not figure that out eventually. It took a lot of effort (so it seemed at the time) for me to get my very first MUD running on my own local machine. People can say 'hey, I'm a coder, hire me', but the C/Java they've worked with would have little or nothing to do with a MUD's code, and they could be fairly lost or lose interest quickly in your project... and then you've got to start all over again, finding someone new. Trust is a big aspect, but sometimes an Administrator does not have the luxury of hiring good friends with the requisite skillsets. Not to bust langricr's balls or anything, but perhaps he proved (and was) trustworthy enough during his tenure. I would not say the same thing now, and am grateful that the Admin of Atonement has publicized his conduct to the community.
Last edited by realmsofvalor : 08-08-2012 at 12:57 PM.
08-08-2012, 02:15 PM | #26
Legend
Join Date: Apr 2002
Home MUD: Threshold RPG
Posts: 1,260
Re: Cyber-Attack on Atonement (warning)
Seriously?
The only thing worth discussing is how a mud admin could avoid this situation. How many posts are worth reading if it's just a bunch of people saying "Yeah, that guy was a dick."? Giving superuser shell access to someone you don't know is dangerous as hell and extremely irresponsible. I am glad your mud was not destroyed by the mistake and thus you'll be able to live and learn. For the purpose of discussion on a public forum, the only part still interesting is to discuss how people should go about vetting staff so they can avoid this type of situation.
08-08-2012, 02:18 PM | #27
New Member
Join Date: Jul 2007
Posts: 20
Re: Cyber-Attack on Atonement (warning)
Sorry, perhaps I replied a bit harshly, but Snowtroll's post is a complete strawman and Langricr's rubbed me the wrong way.
08-08-2012, 03:17 PM | #28
Senior Member
Join Date: Feb 2006
Location: Seattle
Posts: 361
Re: Cyber-Attack on Atonement (warning)
Sebguer, I don't think anyone is saying you deserved the attack. Obviously the guy was a jerk and he deserves to be banned. However, DonathinFrye's statement "Trust me, I am more than capable of fending for my game, protecting it and dealing with incursions" is obviously false and strikes me as simply protecting his ego, which isn't an attitude you want to foster as game admin. That is worth pointing out to beginner mud admins reading this thread.
I think there are three parts to this: the interview, which is kind of hard to rely on for various reasons; levels of admin access; and automation of your build/deployment process.
08-08-2012, 07:00 PM | #29
Legend
Join Date: Apr 2002
Home MUD: Threshold RPG
Posts: 1,260
Re: Cyber-Attack on Atonement (warning)
I just wanted to echo this to make sure Sebguer didn't get the wrong impression about our community.
The attack was despicable and totally indefensible. I'm really sorry it happened to you guys and I am glad you were able to recover from it with minimal impact.
08-09-2012, 03:05 AM | #30
Senior Member
Re: Cyber-Attack on Atonement (warning)
Notice that I'm not actively attempting to argue with anyone here; I've actually avoided posting because I really don't want to be trolled into an argument. I'd like to think that I have a reputation on TMS as both a good, friendly community member and a respected administrator of multiple games over the years. A few things I'll note before putting this matter to bed:
- My point, Ide, was that I created this thread as a Public Service Announcement to warn other games of this programmer so that they understand that he is a potential security liability.
- Sebguer is not an admin on Atonement anymore, but I am thankful for his support as a player; even if he and Hal were inexperienced in running a game and had to make do with limited resources during their tenure of administration (while I was taken away from it due to real life), I'm thankful that they were there. They kept the game alive during that period of time - and Atonement is a rather special game that exists, in no small part, because of them (and a number of others).
- I'm not attempting to ignore the oversight revolving around this guy's security access. However, I'm also not really keen on accepting personal insults from situational outsiders; the first that I'd ever heard of this person was when our game was hacked. I was not aware that he had this level of access (or even existed), nor am I the staff member who is the administrator of the server itself. I am the administrator that cleaned up the mess, investigated the issue, banned this guy - and made a friendly attempt to warn other MUDs of him. If there's a lesson to be learned revolving around giving this access to people that you do not know to voluntarily program for your game, I'm not opposed to that discussion. I am opposed to turning the other cheek when people begin to use this situation as a means to point fingers at me personally (or the game itself) without the knowledge to do so; simply put, it's an ignorant comment. It's a situation that any game could find itself in, no matter how secure it believes itself to be.
- I would agree with the others posting in that you do not need to give the highest level of security access to a coder for your game. It would, perhaps, be beneficial for newer admins to hear good alternatives so that they can protect the security of their game. As we did, I would also encourage people to have a system to automatically back up your information in a safe place - not just for a security breach, but for a number of reasons. This is what saved us from a massive amount of data loss.
- Thank you to the folks who've given us their best wishes. The truth of the matter is that we recovered from the attack after about 24 hours, with the biggest loss being a few players having lost a centimeter of skill-progress. We've been back to business as usual since then. Again, I just wanted to give the community a warning, an effort that I thought was the responsible decision considering the potential damage was far greater than the actual damage.
Last edited by DonathinFrye : 08-09-2012 at 03:26 AM.
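Posts #23 and #30 above ask for concrete alternatives to handing a coder superuser (or a shared shell) account, and credit an automatic backup with saving the game. The script below is an added example, not code from the thread, from Atonement or from the SoI codebase: the coder gets their own unprivileged login, a sudo rule that allows only one restart script and only as the game's service user, and a verified, timestamped backup. The user name "mud", the coder name, and the /opt/mud and backup paths are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege access for a volunteer
# coder on a Linux MUD host, plus the automatic backup the thread recommends.
# Assumed placeholders: the game runs as the unprivileged service user "mud",
# and every restart goes through one script, /opt/mud/bin/restart.sh. The
# coder gets a personal, unprivileged login (no shared account, no root shell).

# Emit a sudoers fragment (for /etc/sudoers.d/) that lets ONE named coder run
# ONLY the restart script, and only as the "mud" user. No root, no wildcards.
write_sudoers_fragment() {
    coder="$1"; out="$2"
    {
        echo "# restricted restart rights for $coder (generated)"
        echo "$coder ALL=(mud) NOPASSWD: /opt/mud/bin/restart.sh"
    } > "$out"
    chmod 0440 "$out"
}

# Audit a sudoers fragment before installing it: return 1 if any non-comment
# line runs as root/ALL, or grants the command "ALL" (i.e. full superuser).
audit_sudoers() {
    if grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '\((root|ALL)\)|[[:space:]=:,]ALL[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Timestamped backup of the game tree to a directory the coders cannot write
# to; the archive is re-read before success is reported, because a backup
# that silently failed is worse than none. Prints the archive path.
backup_mud() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/mud-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    tar -tzf "$archive" >/dev/null || return 1
    echo "$archive"
}

# Typical use by the server admin (as root), shown for reference:
#   write_sudoers_fragment jane /etc/sudoers.d/90-jane && audit_sudoers /etc/sudoers.d/90-jane
#   backup_mud /opt/mud/game /var/backups/mud
```

Run `visudo -c -f` on the fragment as well before copying it into /etc/sudoers.d/, and schedule backup_mud from the root crontab so it does not depend on any coder's account.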
08-09-2012, 08:55 AM | #31
Member
Join Date: Jun 2010
Posts: 243
Re: Cyber-Attack on Atonement (warning)
Those of us who are staffing Games still in the process of formation (in my case, Eterena) thank you for your honesty in coming out with this matter, as we can use your experiences to avoid the pitfall your game encountered.
These are the kind of surprises no one wants to deal with. And those of us who've learned from this incident will take the means to ensure they do not have a similar, or greater, impact upon their Game in the future.
Thank you, Darren Brimhall