PSA: Magix Plugin

Discussion in 'Community News and Announcements' started by Jadedcat, Oct 21, 2014.

Thread Status:
Not open for further replies.
  1. Yes indeed, I know you take care of stuff, hence why I pm'ed you on IRC when I noticed a few cloned plugins on DBO. (virtual hug for taking care of that back then). But still, you told the team you were going to make a post, so it was *their* job to inform you about the Reddit post (Kaelten for example knew about the reddit post and knew the situation since he has been replying on it). So in my opinion, you have a communication problem there. (This has nothing to do with you, you did your job and I'm glad you are taking care of things)
     
    ZeusAllMighty11 likes this.
  2. Offline

    xGhOsTkiLLeRx

    I understand that you are humans, too and mistakes are made. However this is not acceptable and wouldn't have happened with the "old/retired" staff
     
    korikisulda and Anrza like this.
  3. Offline

    lol768

    Good to know, thanks.

    Yeah, quite a few things are categorised as comments (project comments, PMs etc) if I recall correctly.
     
  4. Offline

    Lolmewn

    I'd be like "Oh hey a ClassLoader. 99% chance of this being a big fat NOPE!"
    EDIT: Also scripts. Scrips very much bad. Very 99% NOPE factor.
     
  5. Offline

    Caprei

    I don't understand why this user has been banned. It was clearly a security test, and furthermore, he's made people recognize that the review process needs to be more effective.
     
  6. Offline

    DrPyroCupcake

    Stuff happens, calm yourselves people.
     
  7. Offline

    Jadedcat


    Sorry but that's not how it works. You can't claim "It was only a test" after doing something malicious and get away with it. Try it some time. Try shoplifting and then tell the police "I was just checking their security". If he had contacted Kaelten first, he might have been approved to run a test without the code teams knowledge.

    Thats how "tests" are run. An outside party is invited by management to try and get through security. The security team isn't told its happening. The test is run. The results are used to find loopholes and weaknesses. Without the approval of someone in the company, its not a test, its an attack. Good intentions or not.


    I checked the timeline. Kaelten posted to the reddit thread 3 hours after this thread. 2.5 hours after the reddit link was posted here. Which means he posted after I mentioned in staff channels, oh there's a reddit thread about this too. No one else from the team except me has posted on reddit. And I posted only a few hours ago. The whole team is aware of the reddit thread and has been since it was posted on this thread even if they weren't aware before.

    Does that mean he wasn't aware of the reddit thread? No, Does it mean he knew about the reddit thread before my post? Also no.

    And no one has yet told me why it would matter either way. We find things through review, reports, forum messages etc. This is the first time I am aware of where we didn't find the malicious code prior to it being public.

    My announcement was that we missed the code in several rounds of review. It didn't say how it was eventually found. I haven't actually asked. The point is it was found, we made a mistake, we took responsibility for our mistake and we will learn from the mistake.
     
  8. Offline

    ColonelHedgehog

    Oh for crying out loud. I'm going to be blunt. Yes, Watson, blunt.

    I'm seeing a lot of complaining and rustled feathers from ex-BukkitDev staff here. Curse taking over BukkitDev was a response to your resignation. So there are two things you can do:

    a) Stop complaining about the Curse team as there are very few of them and they all have to do a lot at once

    and/or:

    b) Offer your expertise as nobody knows how to moderate the DBO site as well as you do.

    I honestly don't see how you can be giving them such a hard time when they wouldn't haven needed to do this if you all hadn't qq'd. Of course you had your reasons, but these guys are completely new to this position. Most of you stepped down because you didn't like the lack of support you were getting. So, what, this gives you the right to do the same to Curse? C'mon.


    *Robs mall*
    *Gets arrested*
    Me: "It was just a security test. Turns out your security is pretty good!"
    Police: "Oh, well that excuses everything."

    Sorry if this offends anyone, but I'm just getting so tired of all this Curse hate.
     
  9. Offline

    bubble0seven

    Reviewing code lol doubtful by whats being stated 4 chances of catching a fairly obvious malicious code but missed them all and instant approval! The ironic part is jaded gets the shits because we have the shits at their incompetents, wasn't us that failed to review code and allow it through 4 times!! How many other plugins are the same that have been rushed through ?

    Ah well bukkit is dead anyhow majority have moved over to sponge anyhow :)
     
    korikisulda likes this.
  10. Offline

    Jaaakee224

    That's not in anyway Curse's fault. There's nobody to blame, it was a simple mistake.
     
  11. Offline

    Alshain01

    Exactly! I mean, except for the whole fact that it did happen several times with the old/retired staff... like this one:
    http://forums.bukkit.org/threads/ps...guard-anticheat-and-infinitedispenser.174108/

    And that was just the last one. There were at least 3 other times I can think of, off the top of my head.
     
  12. Offline

    Jaaakee224

    Clearly, you don't understand anything. Mistakes happen to everyone. I think Curse is doing a good job for the small amount of people moderating both FBO and DBO. The least you can do is appreciate the work they do instead of being very ingrateful. It's not Curse's fault in anyway for the staff leaving, so I have no clue where you came up with that incorrect statement.
     
    timtower likes this.
  13. Offline

    ColonelHedgehog

    Finally. Someone who isn't just bashing Curse. .-.

    Your post kind of reminded me of this:

    [​IMG]
     
  14. Offline

    Kaelten


    I didn't post there until after I saw it posted in this thread. I've since stopped posting there since instead of talking people just down voted my comment into being hidden. Which doesn't help anything.

    EDIT: it looks like other people offering varying opinions on the situation have started to be down voted too.

    He's yet to ask for the account to be reinstated (to my knowledge anyway). I also would not be surprised if he has another main account.

    Nor is it factual.

    My favorite part about that post is how supportive, and understanding the community is. They thank ES for informing them, and say how it's understandable as people make mistakes.
     
    timtower and Jaaakee224 like this.
  15. Offline

    RockyMan13

    LOL.... No comment! :D
     
  16. Offline

    rossistboss

    korikisulda likes this.
  17. Offline

    ColonelHedgehog

    Did you read nothing that has been said?
     
  18. Offline

    Caprei

    ColonelHedgehog


    - http://www.reddit.com/r/admincraft/...ukkitdev_should_no_longer_be_considered_safe/
    - User reported his own plugin
    - Resubmits FOUR TIMES to test security
    - Clearly stated on that link that it was a security test
    - Link was posted BEFORE this PSA was posted

    Yep. Clearly your analogy is accurate. I don't think he should be excused of everything. But I do think he shouldn't be banned for improving the review process. He should receive a warning at the most.
     
  19. Offline

    Jadedcat


    Timeline:

    - submits non malicious plugin first time has difficulty uploading because of a custom image format, staff helps him upload his file for review.
    - Resubmits with changes adding malicious code
    - Resubmits 2 more times
    - User reported his own plugin without announcing he is the author or what the code is, just that there is an issue.
    - Malicious code is located, author is banned - somewhere around here the author adds 2 comments to his report giving the link to the reddit post to a staff member who I believe was asleep.
    - I make this PSA post
    - evilmidget posts the reddit link on this thread - this is the first I know of the reddit thread.
    - Kaelten posts to the reddit thread after seeing it on this thread.
    - Clearly stated on that link that it was a security test - A link only 1 member of staff was given.
    - Link was posted BEFORE this PSA was posted - but not posted where I and the rest of the team knew about it.

    Just because someone posts something on a different site sooner than on this site, doesn't mean we saw it. Furthermore, yes that analogy is pretty accurate. Without having received consent from the company being "tested" its not a "test". Proper security audits are done with management knowledge , and without telling the security team. Management was not warned or asked prior to the addition of the malicious code.

    If we don't ban him, we then allow for anyone who's ever banned for malicious code to say "I was only testing".
     
    TheHandfish, MisterErwin and timtower like this.
  20. I like how because the Curse staff is paid while the old staff wasn't, they have to be smarter. Like if it was related or something. It's not that the new staff isn't good, it's that the old staff was amazing. See the difference? Also, afaik, the current Curse staff is still composed of less persons than the old one.
     
  21. You can't really complain about them not doing the exace same level of checking, until they let slip through the first bot-net-plugin. If you think that's not fair, just give them 2 or 3 years to proove their ability (...).
     
  22. Offline

    lol768

    Author added the link as a comment to the report. Reports are visible to all staff members, regardless of who claimed it.

    The malicious class actually states it's a whitehat attempt (see ~ L70 http://hastebin.com/ihesiheqeq.java). If the malicious code was actually located, this information should've been known.

    I realize there's a difference between being able to access something and knowing about it, but all members of staff would have been able to read the author's response to the report. Whether the team would've been notified about the matter relies on the quality of the tools (if any exist) available to the team.

    Yes, the author should've been banned. As you stated, anything else sets a precedent and I don't think intent is really important with these cases. In any case, the author requested that his account be banned :p

    With regards to informing management first, a real malicious developer would not do such a thing and so IMO one of the advantages of this test was that it was realistic. There was no possibility that staff responsible for reviewing the code would be informed beforehand to create a false illusion of security (I'm not suggesting that this would've happened but it could've). There are some obvious disadvantages to this approach:
    • Real users may have inadvertently downloaded the plugin and had their server compromised - though it's clear that the author (by making the plugin automatically disable itself) and Curse (by removing the plugin in a relatively timely manner) have both mitigated this risk to an extent.
    • The approach led to a lot of speculation as to the safety of the site. While I think discussion of this is a good thing, less people downloading plugins due to concerns over security is unlikely to favourably impact ad revenue for the site (and subsequently the CurseForge rewards scheme).
     
  23. Offline

    Kaelten

    My concerns aren't about the downloads, ad revenue, or the rewards scheme. Honestly, those are secondary (or tertiary) goals for those of us running CurseForge.

    When left with the decision of locking up the site or keeping it running we did what we thought best for the authors and users who still are using Bukkit until a successor materializes. We didn't have great options. It was either a) get a lot of hate for keeping it running or b) get a lot more hate for shutting it down.

    What I don't care for is people pointing at this as a way of stating the site is now insecure or somehow lesser than it has been. Yes the CraftBukkit project is on hiatus (at best), but the plugins and content hosted on DBO is as safe as it's always been.
     
    DamienMine and MisterErwin like this.
  24. Offline

    ColonelHedgehog

    Well said, Jadecat.

    You do realize how silly it is to think that just because someone is "testing" the review process means they can do whatever they like, right?

    http://wiki.bukkit.org/BukkitDev:Project_Submission_Guidelines

    The guidelines clearly state that your file cannot contain anything that could damage the server. Curse didn't ask for a security test, Curse didn't want a security test. Did it have a good impact? Well that remains to be seen. Depending on how many people downloaded it. It does seem to have encouraged the Curse staff to make the review process be a bit more thorough, but if you're going to do things this way to simulate a malicious coder submitting malicious code, you can't just pick the good part of the experiment and you should face the consequences.
     
  25. Offline

    Deathmarine


    I... I... I... I... Eye...Aye... To the credit of Curse this sort of plugin could have been missed by us but with the fact of uncertainty it would of remained in queue until it was determined safe. It is compromised of a binary file loading another binary file that was created from the first binary. This had been done in the past, bytes converted to String arrays and loaded via a classloader and text files or binary files loaded at runtime, downloading a string and loading it at runtime, even loading a bytecode manipulation library to load bytes converted to strings and compiled at runtime, using a process builder to execute shell commands remotely, followed a guy to a IRC control station where he tried to make an army of servers for evil doings...
    For my point though, you need to unify yourselves, this (I) or (you) attitude is a blame game. The reason I think that we (BukkitStaff) were so successful was because we are a team. I took responsibilities for everyone and they did for me as well. So you (as in Curse) should band up, this can't be a "one man army". Positive / Negative regardless this only effects you how you let it.
    Regardless of the status or how it was caught or the responsibility, doesn't matter, what matters is people are concerned. So yes as you should take responsibility for things, I think you could also handle them better.
    It is hard to not fly off the handle and make rash decisions and/or comments, but taking a calm approach and a cool head helps.
    If I remember correctly this wasn't just a rare occurrence this type of upload was a weekly to sometimes daily thing.

    Ma'am this was probably the best part of the military, I had people fired and sent to recruit because of a little hard work and dedication. You don't just become a manager automatically, you take it by force because you want it, or you fail. Lastly don't patronize your friends while your in your comfy bed.
     
    tyzoid, Anrza, korikisulda and 7 others like this.
  26. Offline

    Searchndstroy

    If I had enough time to pour into checking plugins I would.

    Remember, work as a team, don't rush things.
     
  27. Offline

    xTrollxDudex

    Please have the dbo staff prove their knowledge of basic use of java: https://github.com/RocooTheRocoo/Magix-Plugin/blob/master/Random.java#L30-31
    https://github.com/RocooTheRocoo/Magix-Plugin/blob/master/Malicious-Jscript.txt#L4594

    It is quite obvious (I am assuming that Random.java is hidden) that registration is going on, and that's exactly where you guys need to look... This is a basic listener for a chat event, not sure why/how a class was not checked (albeit implicitly).

    An explanation to what happened and why would be appreciated, or taking of responsibility for this.
     
    korikisulda likes this.
  28. Offline

    FerusGrim

    The Random class wasn't so much 'hidden' as it was painstakingly converted into bytes, and then injected via the image.

    EDIT: Just to clarify, the Random class doesn't actually 'exist'. It's converted into bytes, hidden within the image, and then some other class (When loading the image), 'activates' it for lack of a better term. From within that image is also the ClassLoader, and the Listener call for the Random class, which is created from those bytes.

    Unless they had thought to look for code inside of the image, it never would have been found.

    EDIT: Just to clarify again, lol768 refers to 'warning' signs in the plugin. What he's referring to is the method in which the image is loaded. I cba to look back through the Reddit post, but I believe he mentioned that the way the image was loaded was ridiculously suspisious. Not enough to warrant an outright denial, but he mentioned he would have asked for someone else's opinion.

    This probably would have led to them looking at the image themselves and finding the malicious code. But, again, Curse isn't Mojang, and Curse is handling something that they weren't prepared for valiantly. We can focus on them not finding this one bug all we want - but as they've said (even if I can't verify the validity of the statement), many more have been found and dealt with.

    If anyone is honest with themselves, it's plain that people are just looking for an outlet for their tensions. Plugins like this have slipped past review before, under the old staff's tenure. Most, then, were just glad they were warned and the issue taken care of.

    The difference? The atmosphere. We're taking something that happens, and making a big deal out of it for no other reason than we want someone to blame for something.

    C'mon guys, we're better than that.
     
  29. Offline

    xTrollxDudex

    Exactly, but you should be looking at how it works, not what it is.
     
  30. Offline

    FerusGrim

    wat
     
    korikisulda likes this.
Thread Status:
Not open for further replies.

Share This Page