Major hack of the MOULa server this evening?

Anything that isn't directly related to Age Creation but that might be interesting to Age developers.

Re: Major hack of the MOULa server this evening?

Postby OHB » Sat Jan 22, 2011 8:37 pm

One solution might be to add a layer between the client and the server which acts as an API. It has specific exposed functions for specific things. Instead of going in and attaching a vault node, you'd have to use something like a sendKIMail() or sendKIPhoto() function which would do it for you. Build all the security into the API. Of course, then re-write the client...so yeah.
OHB
 
Posts: 143
Joined: Sat Jul 03, 2010 11:50 am

Re: Major hack of the MOULa server this evening?

Postby Karkadann » Thu Feb 03, 2011 11:49 am

I've been wondering about this on and off for a while now, and I'm not sure it was a major hack.

RAWA wrote: The MO:ULagain service is back online. :)

Note: If any remaining security holes continue to be exploited on the main server, the service may be taken down indefinitely until all the holes can be plugged. That would be a Bad Thing (tm), and would require much longer downtime.

Thanks for your patience and cooperation.


Cyan has been very Silent about the whole thing, and the only shut down was the monthly reboot. I had a feeling that the mischief may have come from within Cyan as some type of Birthday celebration for Randi that just went the wrong way.
The Optimist sees the glass half full, The Pessimist sees the glass half empty.
It's the Realist who sees the glass is half full with air, half full with water
Karkadann
 
Posts: 1223
Joined: Sun Aug 02, 2009 10:04 am
Location: Earth

Re: Major hack of the MOULa server this evening?

Postby Branan » Thu Feb 03, 2011 12:05 pm

It was not internal to Cyan, and RAWA was very not happy about it.

Rand was in the City at the time, and enjoyed the "festivities". I think had he not been there, and had this been just RAWA responding to another hack, the response would have been quite a bit worse.
Your friendly neighborhood shard admin
Branan
Gehn Shard Admin
 
Posts: 694
Joined: Fri Nov 16, 2007 9:45 pm
Location: Portland, OR

Re: Major hack of the MOULa server this evening?

Postby Karkadann » Thu Feb 03, 2011 2:02 pm

OK, like I posted earlier, I was told it was not Cyan and it was not a security breach, and if it was not an individual from Cyan then someone with known access to Cyan servers could have been responsible. What I can't understand is they spent so much time with this mischief that has all been for naught; why didn't they do something useful like open the gates, add terrain and UVmap texture to the stairs and rooftops near Tokotah Alley?
Karkadann
 
Posts: 1223
Joined: Sun Aug 02, 2009 10:04 am
Location: Earth

Re: Major hack of the MOULa server this evening?

Postby D'Lanor » Thu Feb 03, 2011 2:57 pm

Again, no servers were hacked. All of this was done by ordinary game messages each client is allowed to send, and SHOULD be allowed to send for ages to function properly. Like it or not, that is how Plasma works.
"It is in self-limitation that a master first shows himself." - Goethe
D'Lanor
 
Posts: 1980
Joined: Sat Sep 29, 2007 4:24 am

Re: Major hack of the MOULa server this evening?

Postby Karkadann » Thu Feb 03, 2011 4:11 pm

Ya mean like (/jump 100) in the off line version??

:lol: wow, that's interesting,
Karkadann
 
Posts: 1223
Joined: Sun Aug 02, 2009 10:04 am
Location: Earth

Re: Major hack of the MOULa server this evening?

Postby diafero » Fri Feb 04, 2011 7:51 am

Exactly. Remind me to show you some of the Offline KI admin functions at some point (or try them out offline) - seen from the server, this is all legitimate client activity. Including linking a player to another age, using flymode on objects or players in the age I am in, making your hair green, running the female dance animation on your male avatar. The server doesn't care, it just forwards the message my client sends to your client - and if the message says "make that guy's eyes purple", your client will do so happily.
I prefer e-mails to "diafero arcor de" (after adding the at and the dot) over PMs.

"Many people's horizon is a circle with a radius of zero. They call it their point of view."

Deep Island Shard | Offline KI
diafero
Deep Island Admin
 
Posts: 2966
Joined: Mon May 05, 2008 5:50 am
Location: Germany

Re: Major hack of the MOULa server this evening?

Postby Chacal » Fri Feb 04, 2011 8:25 am

And if this situation doesn't change in the server Zrax's team is building, we'll still be in trouble.
Chacal


"The weak can never forgive. Forgiveness is an attribute of the strong."
-- Mahatma Gandhi
Chacal
 
Posts: 2508
Joined: Tue Nov 06, 2007 2:45 pm
Location: Quebec, Canada

Re: Major hack of the MOULa server this evening?

Postby diafero » Fri Feb 04, 2011 8:36 am

Unfortunately, I don't see a really good way out. That's how Uru is designed. Maybe the server could notice attempts at modifying other players' avatars, but as D'Lanor mentioned, much of this is happening in normal gameplay. The server does not even know the age things are happening in; all it has is the .age files (for the sequence prefix to age name mapping, basically), and the SDL files for storing the permanent age state. Since it has no notion of (in)valid states, nor does it know if and where there are any kinds of buttons or whatever, it can't even tell whether a user setting an SDL does this legitimately or not, for example. Player avatars are just SDL objects, like kickables or animations (okay, they are attached to a clone instead of a simple object, but those are used for NPCs like Yeesha, Zandi or the Quabs as well). Changing this would basically require a re-write of the state management and syncing part of the protocol.
diafero
Deep Island Admin
 
Posts: 2966
Joined: Mon May 05, 2008 5:50 am
Location: Germany
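
A toy model of the relay behaviour described in the posts above, next to a server-side ownership gate of the kind OHB's API-layer suggestion points toward. This is an added example, not code from Plasma, the MOULa server or any poster, and every class, field and object name in it is hypothetical.

```python
# Added illustration: a toy message relay, not Plasma or MOULa server code.
# Every class, field and object name below is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class StateMsg:
    sender: str    # player id bound to the authenticated connection
    target: str    # object whose synced state the message changes
    var: str
    value: object

class Relay:
    def __init__(self, avatar_owner):
        self.avatar_owner = avatar_owner   # avatar object -> owning player
        self.rejected = []                 # kept for audit/alerting

    def blind_forward(self, msg, players):
        """Relay as the thread describes it: no inspection of the payload."""
        return [(p, msg) for p in players if p != msg.sender]

    def checked_forward(self, msg, players):
        """Drop state changes aimed at an avatar the sender does not own."""
        owner = self.avatar_owner.get(msg.target)
        if owner is not None and owner != msg.sender:
            self.rejected.append(msg)
            return []
        # Not an avatar: the relay has no model of valid age state, so it
        # cannot tell a real button press from a forged one and must forward.
        return self.blind_forward(msg, players)

def run_constructed_session():
    players = ["alice", "bob"]
    relay = Relay({"avatar:alice": "alice", "avatar:bob": "bob"})
    msgs = [  # constructed sample traffic
        StateMsg("alice", "avatar:alice", "hairColor", "green"),  # own avatar
        StateMsg("alice", "avatar:bob", "eyeColor", "purple"),    # someone else's
        StateMsg("alice", "age:door01", "open", True),            # age object
    ]
    blind = [len(relay.blind_forward(m, players)) for m in msgs]
    checked = [len(relay.checked_forward(m, players)) for m in msgs]
    return blind, checked, [m.target for m in relay.rejected]

if __name__ == "__main__":
    print(run_constructed_session())
```

The ownership check stops the cross-avatar change, but the age-object message still passes, which is the limitation described in the post above: without a server-side model of valid age state, there is nothing to check it against.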

Re: Major hack of the MOULa server this evening?

Postby N. Sigismund » Fri Feb 04, 2011 9:00 am

Cyan appear to have accepted the inevitability, anyway.

http://mystonline.com/forums/viewtopic.php?t=24068
http://forums.drcsite.org/viewtopic.php?t=2923

Smart move, I suppose.
For reference:
IC: Nye Morgan
OOC: Sigismund, Nye, Huw Dawson
N. Sigismund
 
Posts: 212
Joined: Tue Jun 08, 2010 10:39 am
