Page 2 of 4

Nalates

Joined: 11 May 2006

Posts: 1673

Location: California

Posted: Mon Mar 21, 2011 6:23 pm

Hacking and cracking… I think the lines are getting blurry as to which we have in Uru.

Several of us believe there is little Cyan can do to prevent the cracking other than close down the servers. I agree with Dachannien in that regard.

The big problem is this game was built with the concept that access to the server would be via the client-side Cyan program, which we consider the game that runs on our computer. In SL we call that a VIEWER. There was only one and it was reasonably secure in the beginning. Loads of obscuring and complexity in the design provided the security. Neither of those can withstand time. So, security is gone, all but the appearance.

The recent change and creation of the hacker hoods appears to be an attempt to limit the hackers. One really has to ask if that is even possible. In many ways hackers are curious little kids. They want to see what does what. To them the game's inner workings are another puzzle. Some want to show off after solving a puzzle, “look what I can do”. While some will have the ethics and morals to restrict their activities, like kids, some number of them will have no clear ethics or understanding of social responsibilities. They will go wherever their self-centered curiosity takes them and show off in whatever way they deem impressive.

Those of us that have been around for some time know members of the community we consider spoiled brats and worse. Few if any of those people have been removed from the community. Removing them is like removing spammers, an ongoing battle. Something Cyan does not have the manpower to do. When one can spoof or change their IP Address, fake their MAC address, and change any aspect of the electronic face they present the game, it becomes extremely difficult to block an individual. All one can do is make it tedious and time-consuming for them to change their face and open a new account.

Until Cyan has time or gives us open source, the server side security is unlikely to change. That means we are stuck with crackers and hackers. I think even worse is that some of those that will be working with open source to add security are those we most need protection from.

Those of us playing in Second Life have seen how this works. We had the Emerald Viewer Scandal and now RedZone as the most recent. People make things in SL that are sold for REAL money. Theft is an ongoing problem. A recent ‘security device’, RedZone, claiming to prevent theft was revealed to be more of an identity theft device for the creators than anything that provided its customers protection. It was literally running an algorithm that guessed the customers’ password style from the passwords they used and failed login attempts and predicted probable passwords. It was doing more than that but that was its most duplicitous act. The results could then be used to guess probable passwords and attempt to open other of the customers’ accounts. Devious. And they got paid to do it.

They were caught because of the ‘drama’ and personality conflicts between the various hacker communities in SL. With a couple of million somewhat active individuals there is enough talent for a number of such communities to develop with highly capable members. In the Wild West it was big enough there was always some gunslinger faster. But, that was not the case in any small town, where there was a fastest gun. That is sort of our problem in our small Uru community where our marshal seems overwhelmed.

Karkadann has it right about peer pressure. The problem is we first have to move Cyan. When a number of people were being abusive in Cavern and forum it took months to get things changed. Now many of those people are back and their personalities have not changed. I don’t expect the cracking and hacking to be controlled any time soon.


_________________
Nalates - GoC - 418 - MOULagain: Nal KI#00 083 543, Nalates 111451 - Second Life: Nalates Urriah
Guild of Cartographers

Tai'lahr

Joined: 15 Mar 2007

Posts: 3198

Location: Revelations' Hood, est. 26 Feb 2007

Posted: Mon Mar 21, 2011 6:43 pm

Nalates wrote:

I don’t expect the cracking and hacking to be controlled any time soon.


Agreed, and it's time we start to just accept the fact that Uru is now the wild west and we play at our own risk. And, other than alerting people to that fact, threads like this serve no real purpose except to feed the egos of those doing the cracking. Once we learn to accept these things and no longer discuss them, the griefers will grow bored and move on.


_________________
OpenUru.org Minkata Test Shard is
OU-Minkata Shard Testers Guide (in laymen's terms)

Main_Avvie

Joined: 05 Jul 2010

Posts: 1750

Location: um... how did i get here..?

Posted: Mon Mar 21, 2011 7:06 pm

well, i wonder if this rogue hacker really has hostile intent. i mean, all that's happened is a few avatars have been picked up and dropped in the public instance. a violation of the rules, no doubt, but it's hardly worth mobilizing the troops over. but if somebody wanted to really cause harm i'd imagine there would be worse things going on than that. i mean, the so called birthday hack had much more stuff going on. either somebody doesn't wish to acquaint themselves with the regulations, somehow the public instance is being affected either unknowingly or unwittingly, or they simply wish to cause a stir. that being said, a truly malicious hack is a certain possibility and one that should be guarded against, lest the worse come to pass. and however a minor intrusion these public instance hacks may be, there needs to be a statement made that they do not take place there.

i wonder how many lines of code comprise the vault section of the code? hundreds? thousands? millions even? i imagine it grows daily. would there be automated software to automatically save the state of the vault at certain intervals? or even a manual means to save the vault state? if done often enough, if the vault should ever be corrupted, restoring the vault to the last saved state would minimize the amount of data lost. if cyan does this already, then it's all the better for them and us that they do.

Loshem

Joined: 04 Nov 2007

Posts: 670

Posted: Mon Mar 21, 2011 7:25 pm

A new node is created in the vault every time you make a KI mail or take a KI shot. The nodes are changed every time you press a switch or move a rock. The vault is constantly changing and growing.


_________________
MOUL KI# 10281985
MOULa KI# 1492059

Fear is the mind-killer

dragossh

Joined: 18 Jan 2010

Posts: 516

Posted: Mon Mar 21, 2011 7:27 pm

Main_Avvie wrote:

i wonder how many lines of code comprise the vault section of the code? hundreds? thousands? millions even?


There's the server side code, which probably contains thousands of lines of code, and there's the database which probably contains millions of nodes. Backing up a database is not hard, and I'd think you could restore the game to a certain state from a backup.

As much as we shout, there's only one fix for this: Cyan needs to work on security in their server. Remember, they still own Plasma and can use it for future MMOs, and security is a very important aspect. It doesn't only benefit Uru, it benefits Cyan.

tanshin

Joined: 05 Mar 2010

Posts: 2209

Location: CT, US

Posted: Mon Mar 21, 2011 7:32 pm

Loshem wrote:

A new node is created in the vault every time you make a KI mail or take a KI shot. The nodes are changed every time you press a switch or move a rock. The vault is constantly changing and growing.



Oh this system has so much potential for abuse. I cringe to think at what somebody with malicious intent could do with it.


_________________

The Public Age Project | Owner of Eastern Time Zone's Bevin

PaladinOfKaos

Joined: 03 Aug 2006

Posts: 625

Posted: Mon Mar 21, 2011 7:42 pm

tanshin wrote:

Oh this system has so much potential for abuse. I cringe to think at what somebody with malicious intent could do with it.



You don't know the half of it.

Fortunately the MOUL vault is more-or-less immune to the sort of viral corruption that the Prologue and UU vaults were susceptible to - the occasional loss of the memorial imager is a result of the protections in place being a bit over-zealous and unreffing the imager to prevent (hopefully imagined) corruption.


_________________
MOULagain KI #: 66990

When I was your age, we rocket-jumped up hill both ways in boiling lava.

Main_Avvie

Joined: 05 Jul 2010

Posts: 1750

Location: um... how did i get here..?

Posted: Mon Mar 21, 2011 8:10 pm

from what i can gather uru seemed vulnerable to hacks even long before the idea of sanctioned hacking was ever conceived.

makes me wonder how or if Cyan maintained security back when uru live was still a commercial product. running a game server that is vulnerable to corruption is suicide.

plus, plasma is still a commercial engine. running and marketing a commercial engine in a product that is vulnerable to sabotage does not bode well for business. security measures are standard practice. if cyan has such measures, they should be applied to uru if they aren't already even if it's no longer a commercial product.

JWPlatt

Creative Kingdoms

Joined: 09 May 2006

Posts: 5760

Location: Everywhere, all at once

Posted: Mon Mar 21, 2011 8:15 pm

Nalates wrote:

Until Cyan has time or gives us open source, the server side security is unlikely to change.


When MOUL is open source, more will be known to exploit and security will be substantially dependent on good behavior until solutions are found. Solutions will not be quick, but they can be developed.

Tai'lahr wrote:

...threads like this serve no real purpose except to feed the egos of those doing the cracking.


True. I wish these threads would instead become discussions about how to develop server security from the client without throwing up our hands with the fact that the server trusts the client. That's true, and it's part of the problem; a good server mantra is "never trust the client." But just saying so is a poor substitute for pursuing solutions.

dragossh wrote:

Cyan needs to work on security in their server.


No, we'll need to.


_________________
OpenUru.org: An Uru Project Resource Site : Twitter : Perfect Speed Is Being There.

PaladinOfKaos

Joined: 03 Aug 2006

Posts: 625

Posted: Mon Mar 21, 2011 8:24 pm

JWPlatt wrote:

Nalates wrote:

Until Cyan has time or gives us open source, the server side security is unlikely to change.


When MOUL is open source, more will be known to exploit and security will be substantially dependent on good behavior until solutions are found. Solutions will not be quick, but they can be developed.



Security is already substantially dependent on good behavior. I don't think that will change following the source release - there's plenty of reference source code out now in various tools and libraries.


_________________
MOULagain KI #: 66990

When I was your age, we rocket-jumped up hill both ways in boiling lava.

pokemon71096

Joined: 09 Mar 2010

Posts: 1185

Posted: Mon Mar 21, 2011 10:00 pm

JWPlatt wrote:


dragossh wrote:

Cyan needs to work on security in their server.


No, we'll need to.


Until open, fans can only do so much. Uru is still in Cyan's hands as of yet.


_________________
Love Jesus the Lord our God. Also I am not affiliated with HeadSpin or Cyan.

Eleri

Joined: 09 May 2006

Posts: 1605

Location: Seattle, WA

Posted: Wed Mar 23, 2011 4:40 pm

Cyan was pretty darn clear that if the keep it to the special 'hoods rule can't be followed, that stuff gets turned off. Bottom line. It can be argued till the cows come home that we could build better security, etc., but this is what we've got, and you play nice in the provided sandbox, or you don't.

It boils down to respect. If people can't handle following a simple request- "Please only play with stuff in these designated hoods." Then they don't respect Cyan, Uru, or, most importantly, their fellow players.


_________________
Officially bonked R.E.B.E.L.
Falling Man Group Secretary
Storyteller & Creatrix
MOULAgain Houligan KI#00001498

Gondar

Joined: 12 Aug 2006

Posts: 1587

Location: Here, there, you know. Around.

Posted: Wed Mar 23, 2011 10:36 pm

Little things I've heard imply a few people aren't playing by the rules.. like tales of someone in the city teleporting people about. Never experienced myself. The big problem though (and I suspect related to the current server outage) is there's no one about to police this stuff. Just today, in fact not even 15 minutes ago, someone was creating avatars and hoods using swear words, and the nexus doesn't apparently profanity filter those (oddly though the "recent visitors" board DOES, so you see "From: ****" ***** (timestamp)").

Still, either that sort of thing isn't stopped at avatar creation and thus it should have been at all levels and it's a bit of a coding failure (ok, I know it's a list and that never works, but it'd be mixed with reseng oversight like it was before) OR it means someone was in the vault and renaming hoods they created to profanity.
And that's far worse.


The biggest problem is that the vault isn't secured, and this sort of stuff can and will happen now. There's only three real ways.. one is that Cyan shuts down moula completely, one is that they pull time/effort to rewrite the vault design to something secured ground-up (possible, I mean, if the same design is shared for mqo it could be justified as protection, and then backfed as possible into moula), or unpaid semi-official "cs reps" are hired from among the grey hats to move in and be moderators for this sort of thing, allowed to use their abilities in the sanctioned hoods and only using it outside of them for stuff the ResEngs did.
The problem with the third is that I don't know if we have enough grey hats who can spare time to do this and are willing, and that quite bluntly the "black hat" renegades have the same abilities.


Either way, things are interesting, just not in the way we might want.


_________________
You know, I wish we would learn Atrus loved the 1812 overture, and in turn we had a copy for our relto.
That's right, a canon canen cannon!

MOULa KI: #00027582
Welcome back all!

Nalates

Joined: 11 May 2006

Posts: 1673

Location: California

Posted: Thu Mar 24, 2011 1:38 am

I think it is clear and well known that MOUL was never designed for this type of freedom. It does lack the security an open source game needs. In SL we see all sorts of problems and it is designed for an open source client side. Their solution is banning those that are problem people and hardening the server as each weakness is found.

Respect... some people simply do not understand respect. Those that do not respect themselves have no idea what it means to respect others. Saying they should respect... is not a solution. But maybe things will change and Cyan will do something. We can hope it is soon. Since it is either do something or shut the servers down, I'll bet on something happening.


_________________
Nalates - GoC - 418 - MOULagain: Nal KI#00 083 543, Nalates 111451 - Second Life: Nalates Urriah
Guild of Cartographers

crystal

Joined: 24 Apr 2009

Posts: 271

Location: B.C., Canada

Posted: Thu Mar 24, 2011 1:51 am

Shutting down the server seems a tad on the extreme side, in my opinion. From all I've heard, the "black" hat(s) have just been moving people around and the like, which is small party tricks. Since we don't know if this has been done with malicious intent, shutting down the server doesn't seem all that reasonable to me.


_________________
.:: KI #: 00386531 ..::. Name in Cavern: Crystal-Leigh ::..
Google+ Profile: https://plus.google.com/100649275943901496026/posts
Twitter Profile: www.twitter.com/Shavonne_5

All times are GMT
