All times are UTC




Author Message
 Post subject:
PostPosted: Thu Sep 15, 2011 4:49 am 
Offline
Creative Kingdoms

Joined: Tue May 09, 2006 8:06 pm
Posts: 6227
Location: Everywhere, all at once
A pull request via the OpenUru.org Bitbucket mirror repo would be the easiest and speediest method. Goodness knows I can't say anything to absolute speed of consideration, but relatively speaking, that would be best. Test documentation (e.g., PMs from shard owners or users who have tried it) and an independent review (i.e., someone other than the authors) would also be helpful so that we don't have to wait for time to find someone to do it ourselves.

_________________
OpenUru.org: An Uru Project Resource Site : Twitter : Make a commitment.
 Post subject:
PostPosted: Thu Sep 15, 2011 10:16 am 
Offline
Obduction Backer

Joined: Sun Jan 20, 2008 2:14 pm
Posts: 902
JWPlatt wrote:
A pull request via the OpenUru.org Bitbucket mirror repo would be the easiest and speediest method. Goodness knows I can't say anything to absolute speed of consideration, but relatively speaking, that would be best. Test documentation (e.g., PMs from shard owners or users who have tried it) and an independent review (i.e., someone other than the authors) would also be helpful so that we don't have to wait for time to find someone to do it ourselves.


Just out of curiosity, Platt, can you offer a single instance of Cyan pulling code directly from OpenUru.org?

Because they've taken code given them by the H'uru guys, taken code given to them by dragossh... and taken code given to them directly by Paradox... but I can't think of a single example of code being taken directly from OpenUru.org's repository.


 Post subject:
PostPosted: Thu Sep 15, 2011 11:17 am 
Offline
Obduction Backer

Joined: Mon May 15, 2006 2:02 pm
Posts: 814
Location: Switzerland
Well, that’s probably because there hasn’t been much worth taking in the OpenUru.org repositories so far.

Regardless, I’d be interested in this too, JW: Has there been any actual word from Cyan on their preferred way of accepting contributions? Is there any confirmation that going through the OpenUru.org repositories is the speediest or most likely to be successful way (regardless of absolute speed), or is that just wishful thinking? I have e-mailed Mark with that question some time ago, but have received no response.

Having an official affirmative answer to that question would hopefully raise people’s enthusiasm to work with OpenUru.org. With no (or a negative) answer, I feel that OpenUru.org will stay somewhat irrelevant as a CWE developer community center.

My working hypothesis at this time is that they are not going to take contributions to MOULa at all for the foreseeable future, and that MOULa build 902 was just a fluke.


 Post subject:
PostPosted: Thu Sep 15, 2011 4:26 pm 
Offline
Site Admin

Joined: Wed Aug 02, 2006 7:13 pm
Posts: 1061
Christian Walther wrote:
... MOULa build 902 was just a fluke.

Yes, the 902 update was a fluke, so to speak. A group had used an exploit in MOUL to send a covert message to people playing the game that told their computer to download a program from an outside server and execute it and run in the background, hidden. In other words, a virus. This exploit/virus was traced back to top level individuals of GoW.
I firmly believe that people should be given the chance to correct their mistakes and make the situation better - which this group did by providing a patch to close the exploit. Which I am very thankful for.
However, this incident only confirmed Cyan Worlds management's mistrust of GoW.

So, back to the question at hand… Yes. I have received lots of emails from lots of people asking about how to submit patches to Cyan for inclusion into MOUL. I'm sorry, I was waiting until I had an actual answer but things went crazy (unrelated things).

Because OpenUru.org and crew already have a business relationship with Cyan Worlds, the best place and most likely place to get patches into MOUL is through OpenUru.org (which does include code reviews!)


Thanks,
Mark


 Post subject:
PostPosted: Thu Sep 15, 2011 4:49 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 4:41 pm
Posts: 1694
Location: South Georgia
http://en.wikipedia.org/wiki/Proof_of_concept

 Post subject:
PostPosted: Thu Sep 15, 2011 4:50 pm 
Offline
Obduction Backer

Joined: Wed Feb 17, 2010 6:52 pm
Posts: 1159
Location: US
Chogon wrote:
Because OpenUru.org and crew already have a business relationship with Cyan Worlds, the best place and most likely place to get patches into MOUL is through OpenUru.org (which does include code reviews!)


Thanks,
Mark


This single-handedly answered about ten thousand questions I had about OpenURU and the GoW. Thanks Mark! Glad to see OpenURU is still going to be a valuable Open Source "Source."

_________________
TOC#60089 DI#132103 MOULa is Image
 Post subject:
PostPosted: Thu Sep 15, 2011 5:09 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 4:41 pm
Posts: 1694
Location: South Georgia
To further my earlier post:

I understand that most of you will not get anything from a wiki article, so I'll explain why the GoW "top members" would be writing a "virus." This incident happened around the opening of the fun house. Branan had earlier stated that no one could slip a virus onto another explorer's computer using MOULa. I was pretty certain that he was wrong, so I spent a couple of minutes looking through the Python and found a glaring remote code exploit vulnerability. So, I wrote a simple script to pop up a message box saying "YOU GOT HAXXED" and sent that to Branan. From there, we wrote a program that would run silently in the background and some code to launch it. We needed something that was slightly more real world than "YOU GOT HAXXED" after all (opening a dialog box is fairly trivial).

So we had our proof of concept program, a script to launch it, but no way to automate sending it. I took care of that part. It was designed to send the "attack" when anyone on the buddies list of a certain avatar came online. I put mine and a few other "top level" KI numbers in the buddy list--we did not want to send even an innocent PoC toy to an unsuspecting Uru user (that would make us look even worse, after all). Once we proved the vulnerability was quite easily exploitable, I removed our KI numbers from the buddy list.

At the same time as all this, we were also compiling a list of Cyan avatars' KI numbers. I mistakenly added those KI numbers to the proof of concept avatar's buddy list, which was empty--I thought it was another avatar. After that, I closed everything down and chillaxed. We had our Cyan KI numbers and we weren't being sent exploits when we log in to MOULa. It wasn't until Chogon contacted us about our proof of concept getting to Cyan that I looked at the buddy list again and saw my colossal blunder.

TL;DR: We were testing the client's security, found a hole, and by a huge mistake of my own doing sent our proof of concept exploit to Cyan. To make up for it, we patched the hole for Cyan. We absolutely were not attempting to be malicious. Whether Cyan chooses to believe or disbelieve that is up to them.

 Post subject:
PostPosted: Thu Sep 15, 2011 5:20 pm 
Offline
Obduction Backer

Joined: Wed Feb 17, 2010 6:52 pm
Posts: 1159
Location: US
It's actually quite hilarious to read how things like that go down. At least the hole is patched so it can't happen again; in a way it set URU on the path it's headed now where, thanks to Open Source, these issues will be dealt with in future builds more quickly and efficiently.

 Post subject:
PostPosted: Thu Sep 15, 2011 5:33 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 4:41 pm
Posts: 1694
Location: South Georgia
Trekluver wrote:
It's actually quite hilarious to read how things like that go down. At least the hole is patched so it can't happen again; in a way it set URU on the path it's headed now where, thanks to Open Source, these issues will be dealt with in future builds more quickly and efficiently.


Agreed. In some ways, I wish we could go back in time and not write that stupid program (it was a logical decision TO write it), but it did allow us a chance to patch the hole. I hope you can all forgive me for my mistake, because really the buck stops here on this one.

 Post subject:
PostPosted: Thu Sep 15, 2011 5:44 pm 
Offline

Joined: Thu Aug 03, 2006 10:55 pm
Posts: 625
Trekluver wrote:
It's actually quite hilarious to read how things like that go down


Yeah, but mistakes like that burn bridges. We lost what little trust we had with Cyan, and that's a huge setback. The two options are either to finally give up and stop working on Plasma/Uru or to keep pushing forward and working on awesome stuff like the Unicode support to prove we're dedicated to the continued growth and survival of the game.

_________________
MOULagain KI #: 66990

When I was your age, we rocket-jumped up hill both ways in boiling lava.


 Post subject:
PostPosted: Thu Sep 15, 2011 5:52 pm 
Offline
Obduction Backer

Joined: Wed Feb 17, 2010 6:52 pm
Posts: 1159
Location: US
PaladinOfKaos wrote:
Trekluver wrote:
It's actually quite hilarious to read how things like that go down


Yeah, but mistakes like that burn bridges. We lost what little trust we had with Cyan, and that's a huge setback. The two options are either to finally give up and stop working on Plasma/Uru or to keep pushing forward and working on awesome stuff like the Unicode support to prove we're dedicated to the continued growth and survival of the game.


That's true. Trust is something that is always earned. At least in the realm of gaming, if you do good in a community then rewards will eventually be reaped. In this case, I'll take option two please.

 Post subject:
PostPosted: Thu Sep 15, 2011 6:59 pm 
Offline
Obduction Backer

Joined: Mon May 15, 2006 2:02 pm
Posts: 814
Location: Switzerland
Thanks Mark! I’m excited to see a “yes” (fully aware of its limited scope) – I’d even have settled for a “we don’t have an answer at this time” in response to my e-mail, just getting no response at all was a bit uninspiring.

I’m glad that you and Adam told us the story of the proof-of-concept exploit. These things belong discussed in public, everything else just breeds mistrust.

I’m also glad that Adam expanded on his unhelpful first post. By itself, that single-link post would have destroyed some trust. The expansion restored it.


 Post subject:
PostPosted: Fri Sep 16, 2011 12:45 am 
Offline

Joined: Thu May 11, 2006 5:22 pm
Posts: 1812
Location: California
It was not one thing that destroyed the trust. Chogon confirms that on Cyan’s behalf when writing ‘confirms Cyan Worlds management's mistrust of GoW.’

Anyone that has read much of the Slackers’ sites and forums comes away with a new understanding of the problems in the community. See http://slackersforum.servebeer.com/ and some of the choice posts in the Slackers’ old forum reveal deliberate malicious behavior dating back years.

Adam has certainly written a plausible explanation of the 902 Haxxor fluke. The problem I continue to have is people’s long-term behavior. When I consider Adam’s threatened vigilante action, which comes well after the Haxxor problems, the current explanation is not inspiring confidence.

The trust issues with people in GoW are not with everyone participating there, but neither are they with only one person. Nor was trust lost over a couple of events. That numerous people, including moderators on various fan sites and Cyan people, have discussed, or tried to discuss, these issues with involved people and not been able to get through simply shows their perception of issues is different and unlikely to change.

I linked to the article User Sponsored Enforcement Groups in another post to show any group can become a problem and power does corrupt. It is not only the code submitted by those associated with GoW that may be a problem. All code in any open source project needs to be reviewed for security, back doors, and Trojan code.

I can see no reason Cyan would trust a group controlled mostly by those creating community problems and consistently exercising poor behavior and bad judgment to handle code review. Nor can I see why the community would suddenly start trusting people with a long history of poor behavior.

Very simply put, some bridges were burned a long time ago. Many additional bridges were and are still being burned when found. It should be no surprise that people are unwilling to trust. Consider recent posts. So, yes. People on the wrong side of the bridge’s embers do have to consider whether and how they will proceed. Just as the community has to decide who to trust and how they will proceed.

_________________
Nalates - GoC - 418 - MOULa I: Nal KI#00 083 543, MOULa II: KI#00 583 875Nalates 111451 - Second Life: Nalates Urriah
Guild of Cartographers Image


 Post subject:
PostPosted: Fri Sep 16, 2011 1:12 am 
Offline
Creative Kingdoms

Joined: Tue May 09, 2006 8:06 pm
Posts: 6227
Location: Everywhere, all at once
Just speaking for myself and common sense - not presuming to moderate or anything - we can proceed in this manner to a locked thread, or talk about unicode and getting it into MOULa. I prefer the latter as being more progressive and constructive. It might help keep the forums open longer.
