Major hack of the MOULa server this evening?

Anything that isn't directly related to Age Creation but that might be interesting to Age developers.

Re: Major hack of the MOULa server this evening?

Postby Karkadann » Thu Jan 20, 2011 6:33 pm

No word from Cyan yet. However, when I was there experiencing the strange goings-on I asked someone "is this from Cyan or is it a security breach?" I was told it was "neither, it is what you see".

So not knowing one way or another I tried to stay impartial about it cuz it was fun at first but got a bit irritating after a while. Why I just didn't leave I'm not sure.
I Don't Have A Cell Phone, I have Freedom!
Karkadann
 
Posts: 1224
Joined: Sun Aug 02, 2009 10:04 am
Location: Earth

Re: Major hack of the MOULa server this evening?

Postby Lontahv » Thu Jan 20, 2011 7:44 pm

Christian Walther wrote:
N. Sigismund wrote: it seems likely that the server's been hacked

As far as my limited Plasma knowledge allows me to speculate, I would say that “the server has been hacked” is a very inaccurate description of what was going on. I imagine that from the point of view of the server, nothing unexpected or unusual or forbidden was happening at all. Simply one client was sending messages that usually only a Cyantist client would send.


That's pretty accurate. However, the last sentence is incorrect. Cyantists do and can send messages to alter ages in the way seen in the city earlier. However, all of the code needed to make these changes exists inside the client in unaltered form; this is not to say the CCR kit is included in the normal client. The reason these commands exist is that they are used in the actual Python game code. One example: object transportation (aka warping) is vital to the workings of Gahreesen; however, it can just as effectively be used to move Kerath's Arch around.
Currently getting some ink on my hands over at the Guild Of Ink-Makers (PyPRP2).
Lontahv
Councilor of Artistic Direction
 
Posts: 1331
Joined: Wed Oct 03, 2007 2:09 pm

Re: Major hack of the MOULa server this evening?

Postby Paradox » Thu Jan 20, 2011 9:42 pm

Christian Walther wrote: I guess it can’t hurt to be reminded every now and then of the lack of security in Plasma. (I don’t know what Cyan updated back in May, but it can’t have been a complete solution, as that would have taken much more work.)


They changed the value of their crypto constants, and added code to prevent a normal client from linking in as a non-Male or non-Female avatar (preventing someone from linking in as a Bahro via the normal client).

This doesn't prevent a non-UruExplorer.exe client from linking in as a Bahro (one could do it easily with PlasmaClient), nor does it address the Vault security issues, nor the ability for the client to send commands that will be broadcast to all Age Players.
Paradox
 
Posts: 1295
Joined: Fri Sep 28, 2007 6:48 pm
Location: Canada

Re: Major hack of the MOULa server this evening?

Postby Christian Walther » Fri Jan 21, 2011 3:51 pm

Thanks for the clarifications, Lontahv and Paradox. That’s interesting to know.
Christian Walther
 
Posts: 443
Joined: Sun Jun 08, 2008 3:10 am
Location: Switzerland

Re: Major hack of the MOULa server this evening?

Postby N. Sigismund » Sat Jan 22, 2011 8:41 am

Just as a question, Paradox - how high on your list of priorities would it be to patch security holes if you had access to the entire source code? I'm just interested in how easy the holes would be to fix, and especially how you would avoid dodgy clients accessing bits of the server they're not supposed to.
For reference:
IC: Nye Morgan
OOC: Sigismund, Nye, Huw Dawson
N. Sigismund
 
Posts: 212
Joined: Tue Jun 08, 2010 10:39 am

Re: Major hack of the MOULa server this evening?

Postby D'Lanor » Sat Jan 22, 2011 9:08 am

Since practically all events in Plasma are client driven there is no easy patch. Any age writer who has been doing some wiring should know that already. I guess it would take a redesign of the engine from the ground up, which makes all existing ages useless in the process.
"It is in self-limitation that a master first shows himself." - Goethe
D'Lanor
 
Posts: 1980
Joined: Sat Sep 29, 2007 4:24 am

Re: Major hack of the MOULa server this evening?

Postby Paradox » Sat Jan 22, 2011 3:53 pm

N. Sigismund wrote: Just as a question, Paradox - how high on your list of priorities would it be to patch security holes if you had access to the entire source code? I'm just interested in how easy the holes would be to fix, and especially how you would avoid dodgy clients accessing bits of the server they're not supposed to.


In some cases adding some sanity checking before broadcasting a message would be a good start, but it's like a band-aid over a dismembered arm: it doesn't actually address the cause of the problem.

Even with sanity checking, "hack" messages could still get through because in some cases the client does legitimately send those types of messages (changing fog colour, warping objects around, disabling Relto books, etc.)
Paradox
 
Posts: 1295
Joined: Fri Sep 28, 2007 6:48 pm
Location: Canada

Re: Major hack of the MOULa server this evening?

Postby N. Sigismund » Sat Jan 22, 2011 5:31 pm

Hmm. Maybe, then, in an ideal world you could have a new server-only file for each age which would have values that inform the server if an object should be movable, for example?
I'm no coder, but simply having the server refer to the relevant list when someone attempts to do something...

Command I'm getting from the client - Move Kerath's Arch.
Check Kerath's Arch's values in city.modvalues
Kerath's Arch is "Not movable" according to values set in city.modvalues
Reject command.

Because I'd assume that to move an arch, you need to tell the server that you want to move an arch. I'm not a coder, though. And you could still let certain commands through if you want them to be able to change the fog colour or drag a box around a room.
For reference:
IC: Nye Morgan
OOC: Sigismund, Nye, Huw Dawson
N. Sigismund
 
Posts: 212
Joined: Tue Jun 08, 2010 10:39 am
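The scheme sketched in the post above (a server-only per-age list consulted before a client command is relayed, which is also what Paradox's "sanity checking before broadcasting" amounts to), written out as an added Python example; it is not code from Plasma, MOULa or anyone in this thread, and the file format, message type names and object names are assumptions invented for the illustration.

```python
from __future__ import annotations
import logging
from dataclasses import dataclass

log = logging.getLogger("age-policy")

# Constructed sample of a hypothetical server-only policy file for the city.
# Format invented for this example: "ObjectName: msgtype msgtype ...", where an
# empty list means ordinary clients may not alter that object at all.
CITY_MODVALUES = """
# which client messages the server will relay for each city object
KerathsArch:
DraggableCrate: warp
FogColor: setfog
"""

@dataclass(frozen=True)
class ClientMessage:
    sender: str     # account the server authenticated for this connection
    msg_type: str   # hypothetical type names, e.g. "warp", "setfog"
    target: str     # scene object the message acts on

def parse_modvalues(text: str) -> dict[str, set[str]]:
    """Turn the policy file into {object_name: allowed message types}."""
    policy: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        name, _, types = line.partition(":")
        policy[name.strip()] = set(types.replace(",", " ").split())
    return policy

def should_broadcast(msg: ClientMessage, policy: dict[str, set[str]],
                     privileged: bool = False) -> bool:
    """Decide whether the server relays a client message to the other players.

    Default deny: a message type is relayed only if the age's policy lists it
    for that object. `privileged` must come from the server's own account
    record (a CCR/staff role), never from a field the client sends.
    """
    if privileged:
        return True
    allowed = msg.msg_type in policy.get(msg.target, set())
    if not allowed:
        # Rejected messages are worth logging: a normal client asking to move
        # a fixed object is exactly what an operator wants to notice.
        log.warning("rejected %s on %s from %s", msg.msg_type, msg.target, msg.sender)
    return allowed
```

Because the check is default deny, an unlisted object or an unknown message type is dropped rather than relayed, which is the opposite of the client-driven behaviour the thread describes.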

Re: Major hack of the MOULa server this evening?

Postby Pavitra » Sat Jan 22, 2011 6:38 pm

(1) That sounds simple, but it's really of moderate/intermediate difficulty.
(2) You would have to do that separately for several dozen different types of activities.
(3) Not all of those would be as easy to check for validity as moving the arch.
Have Ages, and link to them without bindings. [Words 1:13]
Seltani
Pavitra
 
Posts: 226
Joined: Mon Apr 05, 2010 7:11 pm

Re: Major hack of the MOULa server this evening?

Postby Lontahv » Sat Jan 22, 2011 7:55 pm

When it comes to security, the only source I could really fix would be the server code. Although it would be hard to guard against things like changing the fog, measures could be taken to keep people from:

spying on other people by looking at vault entries,
deleting Phil's journal and messing with the memorial imager,
and other evil things.

When people talk about how bad changing the fog color is, I tend to get a little annoyed because there are real, malicious hacks out there that complainers about security are not paying attention to. Many seem more concerned about an hour or two of unusual fog than people stealing private information and permanently vandalizing the journals in the game. Temporary fog changes are chickenfeed.
Currently getting some ink on my hands over at the Guild Of Ink-Makers (PyPRP2).
Lontahv
Councilor of Artistic Direction
 
Posts: 1331
Joined: Wed Oct 03, 2007 2:09 pm
