MOUL security discussion


Re: MOUL security discussion

Postby Chacal » Sun Dec 16, 2007 8:48 pm

I'm sure it will be interesting.
I have never met Hoikas. Maybe he IS a primitive gorilla!

Back to security...

It is surprising how little development teams know about it. They are often geniuses and can argue endlessly about performance and optimization and algorithms, but ask them about security and they are useless. The most likely answer you'll get is "Isn't that something for the network guys to worry about?".

My team has audited systems from several sources (it is a fast growing market) and we are flabbergasted to find obvious flaws, the kind you find out about by typing "Java security" or ".net security" on Google.

Last week, on one huge system that will process civil servants' pensions and will have an internet portal, we found 58 severe flaws. I'm not talking obscure code tweaking here, I'm talking common sense best practices like "Don't keep system passwords in clear text in flat files on the web server". That's just one of the 58, and we found lots of such passwords. The dev team had no idea what we were talking about.

We vetoed deployment. This was not popular with the big consultant firm that had just spent 3 years developing it at a cost of millions. The look on the face of the project manager was something to behold. The customer is still trying to determine if the system can be corrected or if it would be cheaper to scrap it altogether and begin again. I say scrap.

What is even more amazing is these things we found:
- There was no requirement about security;
- no risk assessment was done;
- no security advisor was assigned to the dev team;
- no security training was offered to the dev team;
- no framework was available;
- no security test was included in the test plan;
- critical functions were developed by juniors with little supervision and no peer review.
:D
Chacal


"The weak can never forgive. Forgiveness is an attribute of the strong."
-- Mahatma Gandhi
Chacal
Posts: 2515
Joined: Tue Nov 06, 2007 2:45 pm
Location: Quebec, Canada
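The "system passwords in clear text in flat files on the web server" finding above is exactly the kind of thing a security test in the test plan could catch automatically. What follows is an added example, not code from the audit or from anyone in this thread: a small Python scanner over constructed sample files that flags literal credential values in properties/env-style files and in connection strings, rates a hit under an assumed web root (`htdocs/`) as critical and one elsewhere as high, ignores `${VAR}` placeholders that are resolved at runtime, and shows the corrected pattern of pulling the secret from the process environment and failing closed if it is absent. The paths, contents, web root and key names are invented for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample files for the demo (invented, not from any real audit):
# path -> file content. "htdocs/" plays the role of the web server's document root.
SAMPLE_FILES = {
    "htdocs/WEB-INF/classes/db.properties": (
        "# database settings\n"
        "db.user=pensions_app\n"
        "db.password=Summer2007!\n"
    ),
    "htdocs/web.config": (
        "<connectionStrings>\n"
        '  <add name="main" connectionString="Server=db1;User Id=sa;Password=hunter2;" />\n'
        "</connectionStrings>\n"
    ),
    "htdocs/app.properties": (
        "db.user=pensions_app\n"
        "db.password=${DB_PASSWORD}\n"   # placeholder filled in at runtime: acceptable
    ),
    "etc/pensions/secrets.env": "DB_PASSWORD=Summer2007!\n",
}

# Assumption for the demo: anything under these prefixes is deployed on the web tier.
WEB_ROOTS = ("htdocs/",)

# "key = value" / "key: value" lines whose key looks like a credential
KV_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]*(?:password|passwd|pwd|secret)[A-Za-z0-9_.\-]*)\s*[=:]\s*(.+?)\s*$",
    re.IGNORECASE,
)
# Password=... inside an ADO/JDBC style connection string
CONNSTR_RE = re.compile(r"(Password|Pwd)\s*=\s*([^;\"']+)", re.IGNORECASE)
# ${VAR} or %VAR%: the value is injected at runtime, not stored in the file
PLACEHOLDER_RE = re.compile(r"^(\$\{[A-Za-z0-9_]+\}|%[A-Za-z0-9_]+%)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str
    severity: str   # "critical" if the file sits under a web root, else "high"


def _severity(path: str) -> str:
    return "critical" if path.startswith(WEB_ROOTS) else "high"


def find_cleartext_credentials(files: dict) -> list:
    """Scan path->content pairs and return one Finding per literal credential value."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            if line.lstrip().startswith(("#", ";", "//")):
                continue   # commented-out lines are noise for this demo
            m = KV_RE.match(line)
            if m:
                key, value = m.group(1), m.group(2).strip("\"' ")
                if value and not PLACEHOLDER_RE.match(value):
                    findings.append(Finding(path, line_no, key, _severity(path)))
                continue
            m = CONNSTR_RE.search(line)
            if m and not PLACEHOLDER_RE.match(m.group(2).strip()):
                findings.append(Finding(path, line_no, m.group(1), _severity(path)))
    return findings


def load_db_password(env: dict) -> str:
    """Corrected pattern: take the secret from the process environment (fed by a
    secret store or the deployment system), never from a file under the web root,
    and refuse to start rather than fall back to a default."""
    try:
        return env["DB_PASSWORD"]
    except KeyError:
        raise RuntimeError("DB_PASSWORD not provided; refusing to start") from None


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_FILES):
        print(f"{f.severity:8} {f.path}:{f.line_no}  key={f.key}")
```

Run against the constructed files it reports the two entries under `htdocs/` as critical and the one in `etc/pensions/secrets.env` as high, and stays silent on the placeholder. Wired into a build or test plan with a real walk of the deployment tree, a non-empty result fails the build, which is the cheap version of the gate the audit above had to impose by hand.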

Re: MOUL security discussion

Postby Paradox » Sun Dec 16, 2007 11:34 pm

Chacal wrote:I'm sure it will be interesting.
I have never met Hoikas. Maybe he IS a primitive gorilla!

No arguments there :P *runs and hides*

In all seriousness, Cyan will do whatever is necessary to protect what they think is important. I've seen lots of cease and desist letters, and lots of resources and projects fade away to nothingness because they trod too closely to what Cyan wanted to protect.
Paradox
Posts: 1295
Joined: Fri Sep 28, 2007 6:48 pm
Location: Canada

Re: MOUL security discussion

Postby andylegate » Mon Dec 17, 2007 4:48 am

I believe that Cyan more than likely has thought of the issues that Chacal has brought up as far as security goes. More than likely, they are also thinking of how and what to approach people with.

More than likely they'll talk about this when they are ready, and not before. I'm not saying that they don't wish to talk to your everyday explorer, or a potential Writer, however, when it comes to their server security, that is pretty close to their heart.

If you succeed in getting Cyan to talk on this forum (even in private) I'd be surprised right now (down the road not so much).
"I'm still trying to find the plKey for Crud!"
Blender Age Creation Tutorials
3DS Max Age Creation Tutorials
andylegate
Posts: 2348
Joined: Mon Oct 01, 2007 7:47 am

Re: MOUL security discussion

Postby Aloys » Mon Dec 17, 2007 7:54 am

I still maintain that all this talk is wasted energy. When (and IF) they want to actually talk with us about any of this they will come. IMO anything we do before that goes down the drain.
In the past 2 years or so many attempts under various forms were made to see how we could work with them, offer our help, warn them about possible issues down the road, or simply to contact them. Nothing came out of this. I don't judge them for that, that's just how they work. (at least as a company, individuals may vary) I don't approve but that's not gonna change anything.
All we can do is wait and see, work on our side and hope that this work won't go to waste in six months or so when they wake up.

(again I'd love to be proven wrong, but I'd be greatly surprised)
Aloys
Posts: 1968
Joined: Sun Oct 21, 2007 7:57 pm
Location: France (GMT +1)

Re: MOUL security discussion

Postby Chacal » Mon Dec 17, 2007 10:32 am

Well, at least we've held out our hand.
As you all said, ultimately it isn't our responsibility.

If anyone is still interested in talking security (not necessarily in relation to MOUL), feel free to do so.

BTW, I'm co-writing an ISO standard on application security, and we think it will have a huge impact on the software industry. As opposed to a lot of ISO standards, it will be actually useful and down-to-earth. Big players such as M$ are already interested. If all goes well (and if we can find the time to actually work on the damn thing), it will go a long way towards ending the kind of situation I mentioned earlier.

Yeah, I know, I'm an optimist. :)
Chacal


"The weak can never forgive. Forgiveness is an attribute of the strong."
-- Mahatma Gandhi
Chacal
Posts: 2515
Joined: Tue Nov 06, 2007 2:45 pm
Location: Quebec, Canada

Re: MOUL security discussion

Postby BAD » Mon Dec 17, 2007 5:37 pm

There have been instances of Cyan and fans working together to make some great things. It was always done on Cyan's terms, and of course in strict secrecy.

The UU servers are an example.
BAD is as good as he gets
BAD
Posts: 832
Joined: Sat Sep 29, 2007 9:44 am

Re: MOUL security discussion

Postby Aloys » Mon Dec 17, 2007 6:00 pm

I'm talking about Age development here. But I'm not sure what you are talking about with the UU servers? AFAIK they were developed by Cyan and simply used by the community. But I wasn't too much into UU, I might have missed things.
Aloys
Posts: 1968
Joined: Sun Oct 21, 2007 7:57 pm
Location: France (GMT +1)

Re: MOUL security discussion

Postby BAD » Mon Dec 17, 2007 7:05 pm

AFAEK, they were, but some fans did help write that code.
BAD is as good as he gets
BAD
Posts: 832
Joined: Sat Sep 29, 2007 9:44 am

Re: MOUL security discussion

Postby Tsar Hoikas » Mon Dec 17, 2007 7:40 pm

Aloys wrote:I'm talking about Age development here. But I'm not sure what you are talking about with the UU servers? AFAIK they were developed by Cyan and simply used by the community. But I wasn't too much into UU, I might have missed things.

Let's take a trip into long forgotten lore...

Back in February 2004, Uru Live was irrevocably destroyed, neutered, slain, etc. (MOUL != Uru Live; Uru Live was actually good). Anyway, a group of fans were majorly p/o'ed about this, so they began writing the Alcugs Servers (using packet dumps that they had made during the final days of live) to keep the game alive. In summer of 2004, the servers were becoming somewhat stable, so they sent a petition to Cyan to allow them to use said servers publicly. Cyan responded with an opportunity for them and Chip (a former Cyan intern) to prepare the old Uru Live servers to be used again in a new way... Untìl Uru was born.

Alcugs was released a few months after UU became available in August 2004.

Edit: My dates got a little jumbled up. Thanks Tomala :D
Last edited by Tsar Hoikas on Mon Dec 17, 2007 9:09 pm, edited 1 time in total.
Tsar Hoikas
Councilor of Technical Direction
Posts: 2180
Joined: Fri Nov 16, 2007 9:45 pm
Location: South Georgia

Re: MOUL security discussion

Postby Tomala » Mon Dec 17, 2007 9:08 pm

Actually UU came into being 6 months after the demise of the first Uru Live. Which was back in 04. 8-)
Tomala
Posts: 135
Joined: Wed Oct 10, 2007 10:32 pm
Location: Nearby
