I was kinda wondering if exploiting the security holes is pushing back the release of open source. What's your opinion?

_________________

Quote:

When you eliminate all other possibilities, what remains, no matter how improbable, must be the solution.
Sherlock Holmes

Just a note, I would put unauthorized hacking...

_________________


Thelonius "Prof" Higginsbottom

member of the Guild of Calamitous Intent

"I invented the term the Bevin Generation do I get a spot in Mystlore?"

I'm with the Prof. From the first post, I assume that by "hacking" you mean "cracking", in which case, yes, three days spent on security updates is three days spent on neither making money nor opening source.

I wonder if the salaries for the programmers working on this came out of the CAVCON slush fund.

_________________
Have Ages, and link to them without bindings.

No,
if Cyan really has the intention to open source it, this is a non issue.
It will not be longer hosted by them and it will not be longer their problem.

Last edited by denDwaler on Sun May 09, 2010 6:15 pm; edited 1 time in total

It pushes it back because Cyan chooses to push it back. There are several people who have been offering for years to help fix the security and other issues in the Plasma engine. Cyan has consistently turned them down. At this point, many of the developers who wrote the engine have been laid off. I don't think anyone currently at Cyan really has a full understanding of how the code works, and that means long downtimes to fix things that should have been fixed years ago had Cyan worked with those who were offering help.

_________________
MOULagain KI #: 66990

When I was your age, we rocket-jumped up hill both ways in boiling lava.

Pavitra wrote:

I'm with the Prof.

Who exactly?

Free Bird wrote:

Pavitra wrote:

I'm with the Prof.

Who exactly? :?:

jadawin12, Thelonius "Prof" Higginsbottom.

_________________
Have Ages, and link to them without bindings.

PaladinOfKaos wrote:

It pushes it back because Cyan chooses to push it back. There are several people who have been offering for years to help fix the security and other issues in the Plasma engine. Cyan has consistently turned them down. At this point, many of the developers who wrote the engine have been laid off. I don't think anyone currently at Cyan really has a full understanding of how the code works, and that means long downtimes to fix things that should have been fixed years ago had Cyan worked with those who were offering help.

Indeed. I hope Cyan changes its ways and opens the process (or at least explains why they cannot). I would say "I hope our coders change their ways by being more patient," but that's an insult to people who have already been beyond the reasonable limit of patience.

_________________
-Whilyam

I guess the real answer is "Possibly". It may or may not effect anything happening - I guess only someone from Cyan can answer that, but this hack (or crack or whatever) is "Not Good" for the Cavern and those in it.

My concern is in RAWA's statement that if it is done again, the Cavern could close for an indefinite time so they can plug these holes. I would not be happy with having no Cavern because someone thinks its clever to mess with something they have no right to.

Yes, it is pushing it back

To explain this: they are planning to make it open source; HOWEVER, they are only planning it, for now. It hasn't gone full open source yet. So they still have all the rights over all the properties of their server. As such, if they say no hacking/cracking, then it means No hacking/cracking. If they choose to take it down until they can try to limit the hacking/cracking, then it is their choice. As such, those who do not follow the rules and choose to hack/crack, ARE making the development to Open source take longer. By becoming open source, they still have rights to the property on the server in which they developed. So they could make everything open source and choose not to include anything. Yet another game engine with no development. They aren't though; as such, we need to respect all their rules and regulations that they set forth.

_________________
If you are not part of the solution, then you are a gas.

I don't see how this is a question. I think it's obvious that if you exploit security holes on Cyan's server, you are going to force Cyan to take time and money to fix said holes. I can't imagine a scenario where this would not be the case.

_________________
BAD is as good as BAD can be.

Visit our new site!

SOUP!

[opinion] Such holes really should be fixed anyway, so I don't see how this is a problem. This is a totally different problem than the imager hack. That required someone's attention that if it had not been hacked would have not. This however only caused them to do work which really needed to get done in the first place. Sure, it was not a good idea, and sure I wouldn't recommend anyone doing it again. [/opinion]

Also, to clarify a misconception. MQO is their current source of money right now. (They may have other sources or leads, but this is the only public venture I know of) However, MQO is being developed by a totally separate team at Cyan. As far as I know, the people working on MQO would not also be working on MOULa, so it would be incorrect to say that (extra) work being done on MOULa would take away from their main source of income.

Disclaimer: To the best of my knowledge the above information is correct. If it is not, I would be happy to be corrected by a Cyan employee.

Tahgtahv wrote:

[opinion] Such holes really should be fixed anyway, so I don't see how this is a problem. [/opinion]

I'm not sure I see that. If the exploit could have given a more malicious attacker access to other players' unencrypted passwords, say, then I would be more inclined to agree (though I'd still disagree with the methods -- generally speaking, the procedure is inform company of vulnerability --> wait a while --> publish existence of vulnerability --> for goodness sakes, don't exploit the vulnerability). But this? Maybe I'm just not aware of how much damage a more malicious attacker could have done, but the whole thing seems kind of meh. Are you sure the vulnerability couldn't have just been left alone until open source?

Tahgtahv wrote:

However, MQO is being developed by a totally separate team at Cyan. As far as I know, the people working on MQO would not also be working on MOULa, so it would be incorrect to say that (extra) work being done on MOULa would take away from their main source of income.

That seems very counterintuitive, as it would seem to imply that Cyan has more than one employee working exclusively on MOULa, which strikes me as a distinctively CAVCON-5 state of affairs.

_________________
Have Ages, and link to them without bindings.

Time spent fixing security is time that could have been spent creating the open source project. I wonder If I can get a Cyan employee to chime in on this one

_________________

Quote:

When you eliminate all other possibilities, what remains, no matter how improbable, must be the solution.
Sherlock Holmes

Whilyam wrote:

PaladinOfKaos wrote:

It pushes it back because Cyan chooses to push it back. There are several people who have been offering for years to help fix the security and other issues in the Plasma engine. Cyan has consistently turned them down. At this point, many of the developers who wrote the engine have been laid off. I don't think anyone currently at Cyan really has a full understanding of how the code works, and that means long downtimes to fix things that should have been fixed years ago had Cyan worked with those who were offering help.

Indeed. I hope Cyan changes its ways and opens the process (or at least explains why they cannot). I would say "I hope our coders change their ways by being more patient," but that's an insult to people who have already been beyond the reasonable limit of patience.

The answer to the problem of "why didn't Cyan allow people to help fix security issues..." is most likely a legal issue. Cyan currently owns the copyright to the plasma engine. In order to protect their rights, they have to give expressed permission to specific people for specific purposes to do specific things with their property (I hate this legal junk, but there it is). Regardless of what people "want" or "demand" (as if they have a right to demand), Cyan will do what Cyan chooses to do with it's property. Any "verbal agreement with the users" will never ever hold up in any court in the US (where Cyan is located), and they have as yet to release a legally binding agreement between Cyan and the users regarding "Open Sourcing of Cyan properties". Until such time as this happens, we should count our blessings that Cyan doesn't bring down the legal hammer on the people responsible for "cracking" the servers, and just be patient.

Arguing this issue is moot. Cyan owns the property and that is a fact able to be proven by anyone who wants to access the legal documents stating such (also in many countries, copyright ownership is implied at creation and thus does not necessitate "proof" unless ownership is in question).

Basically, I am very glad that Cyan is willing to release the Plasma engine to the open source forum. They have not done that yet (and they are well within their rights to change their minds).

To answer the question of whether it slows down the process... while I don't know how many employees are currently attached to Cyan, it is still a very small company, with very limited resources. Time and resources diverted away from one area take time and resources from another (like this "open source project"). So yes, it directly affects the timing for people to "crack" the servers.

_________________
Latharion

KI: 03390194