Ever feel like you’re watching a rerun of a bad show? (Yes I’ve been reading the MOUL forums again)

Ever feel like you’re watching a rerun of a bad show? (Yes I’ve been reading the MOUL forums again)

Chogon:

Yes, the 902 update was a fluke sorta speak. A group had used an exploit in MOUL to send a covert message to people playing the game that told their computer to download a program from an outside server and execute it and run in the background, hidden. In other words, a virus. This exploit/virus was traced back to top level individuals of GoW.
I firmly believe that people should be given the chance to correct their mistakes and make the situation better – which this group did by providing a patch to close the exploit. Which I am very thankful for.
However, this incident only confirmed Cyan Worlds management’s mistrust of GoW.
So, back to the question at hand… Yes. I have received lots of emails from lots of people asking about how to submit patches to Cyan for inclusion into MOUL. I’m sorry, I was waiting until I had an actual answer but things went crazy (unrelated things).

Because OpenUru.org and crew already have a business relationship with Cyan Worlds, the best place and most likely place to get patches into MOUL is through OpenUru.org (which does include code reviews!)

Thanks,
Mark

Shorter Chogon: If you’re not part of OpenUru or can’t work with OpenUru then don’t even bother.

The hacks were later on explained:

Hoikas:

I understand that most of you will not get anything from a wiki article, so I’ll explain why the GoW “top members” would be writing a “virus.” This incident happened around the opening of the fun house. Branan had earlier stated that no one could slip a virus onto another explorer’s computer using MOULa. I was pretty certain that it he was wrong, so I spent a couple of minutes looking through the python and found a glaring remote code exploit vulnerability. So, I wrote a simple script to pop up a message box saying “YOU GOT HAXXED” and sent that to branan. From there, we wrote a program that would run silently in the background and some code to launch it. We needed something that was slightly more real world than “YOU GOT HAXXED” after all (opening a dialog box is fairly trivial).

So we had our proof of concept program, a script to launch it, but no way to automate sending it. I took care of that part. It was designed to send the “attack” when anyone on the buddies list of a certain avatar came online. I put mine and a few other “top level” KI numbers in the buddy list–we did not want to send even an innocent PoC toy to an unsuspecting Uru user (that would make us look even worse, after all). Once we proved the vulnerability was quite easily exploitable, I removed our KI numbers from the buddy list.

At the same time as all this, we were also compiling a list of Cyan avatars’ KI numbers. I mistakenly added those KI numbers to the proof of concept avatar’s buddy list, which was empty–I thought it was another avatar. After that, I closed all everything down and chillaxed. We had our Cyan KI numbers and we weren’t being sent exploits when we login to MOULa. It wasn’t until Chogon contacted us about our proof of concept getting to Cyan that I looked at the buddy list again and saw my colossal blunder.

TL;DR: We were testing the client’s security, found a hole, and by a huge mistake of my own doing sent our proof of concept exploit to Cyan. To make up for it, we patched the hole for Cyan. We absolutely were not attempting to be malicious. Whether Cyan chooses to believe or disbelieve that is up to them.

It was only a matter of time before yet another person from the GOW decided that it was time to stick a fork in the thought of working with Cyan and calling it done: Link

You have no idea how nostalgic this makes me feel. I remember that there was one place in ye olden UU shard daze where you were supposed to post code. If you were from the wrong group or very unpopular you most likely would have been ignored while they copy your code and use it themselves or even try to change one thing about it and say that they did it and have people praise them (this actually happened). If you were from the more popular groups not only would they tell you that you did an excellent job, they would actually help you fix a problem within the code if they saw something wrong! This was basically why we stopped talking to the H’uru Project Shard regarding code and kept any refined or new ideas to ourselves. I only bring this up as some of the old guard are part of the OpenUru project (big surprise).

But of course it is easier to go with one group submitting everything to you since Uru is no longer the bread and butter project. An idea like accepting code fixes from anyone in the community is best left to companies that know what they’re doing.