In other discussions, we talked about things that can crash the MOUL server or even corrupt the vault.
With the amount of expertise now concentrated in this GoW forum, I wonder if we could start thinking about ways of advising and helping Cyan secure the servers. This is an area I have experience in.
Wearing my IT Security ResEng hat, with the increased interest in hacking Uru (such as what we do here), security by obscurity is no longer a valid strategy (if it ever was). Competent IT security experts don't rely on obscurity, no matter what the layman's perception is.
Also, from a QA perspective, it doesn't make sense to say "this function is dangerous, so let's never use it otherwise it might crash the vault". If the function is needed, then we should say "this function is dangerous, so let's make sure it is used properly and let's test it thoroughly before releasing the Age".
Also, Cyan should say "we have found several functions that are dangerous to the server, such as linking, commands sent from modified client-side python code such as adminKI and flymode. Let's fix the server code so it's not vulnerable to client-side events anymore".
The following are not safeguards and we should stop relying on them:
- Hope that pirates will not discover that you can do pretty much what you want using client-side python code;
- try to keep UU userKi and adminKi code secret;
- tell people not to use dangerous hacks such as flymode;
- put restrictions on Huru tools so they won't open Cyan Ages.
What we should do:
- Invite Cyan devs to participate in discussions here (I'm on it);
- ask Cyan devs to share the MOUL architecture and security model;
- track down and invite the original hackers who started reverse-engineering Uru in 2004 (leading to the current tools), and those who worked on analysing captured packets when the imminent closing of the original Live was announced in 2004 (leading to the Alcugs server).
- do a risk analysis, based on probability and impact on MOUL and its players;
- suggest best solutions for reducing the main risks. Solutions should offer the best ROI, in keeping with what resources Cyan can spare for security.
Topics for discussion should include:
- Securing the client code (integrity checking, code review, input filtering, elegant recovery from exceptions and network problems...)
- Providing a secure API for coders (thanks Trylon)
- Securing the server code (input filtering, code review, managing exceptions, recovery...)
- Securing the vault (sanity checking, integrity assurance, health monitoring)
- Securing communications;
- Securing architecture (redundancy, managing performance problems, intrusion detection and prevention...)
- Precise QA procedures for user-submitted content (unit testing in the prp file (could be automated), functional testing by Maintainers)
- ...
From our perspective, the most important thing is unit testing in the prp file. All the information about whether or not the Age is dangerous to the MOUL server is in there.
It is possible that some might still think such things shouldn't be discussed in public. That perception is wrong but difficult to get rid of, and maybe more realistic until the biggest risks are taken care of, so I'm prepared to live with secrecy if needed. I guess it would be acceptable to move it to a private forum, as long as access is not limited to a closed elite.
What do you think?
Guild of Writers
