Regarding Force-OP content

Capaldi

Banned
A member asked this question in chat;
Thanks, what are the rules on undisclosed [as in, not telling buyers] Force-OPs in premium plugins? Where you, the author, can just login and get opped. Note: I don't have one of these

To which Harry responded with
A force op/similar would be 35 warning points, and what the author does with that backdoor is its own punishment on a case-by-case basis.

[Source]
A ban is issued whenever the backdoor blatantly harms a user, say malware/ransomware or deleting server files as a few examples.

[Source]

However, nothing good comes out of someone putting a force-op in a plugin. Whether the buyer knows or not, having force-op in a plugin is nothing but with malicious intent. If the seller puts a force-op in a plugin, their only intent is to destroy a server, thus making the Owner, or Owners, spend time having to fix the damage. That may deter players from playing, thus making the Owner, or Owners, need to do damage control and spend more money on the server.

A ban should be given on the first offense to those who are selling a plugin that contains a force-OP, regardless if they inform the buyer or not because their intention is to destroy servers - directly or complicitly.

Another argument I want to make is: Force-OP is nothing but malicious intent.
Ethereal739 was banned just for IP logging, which IPs can be used with malicious intent, so can Force-OPs. In fact, IP logging has more uses than just malicious, whereas Force-OP has nothing but a malicious intent.


Beer was banned for 'Malicious use of backdoors' but isn't that also what Force-OP is? It's with malicious intent; either for the buyer or for the buyer(s) of the buyer.
 
Type: Suggestion
Status: Implemented
Banned forever. Reason: Rules violations

Sullybash12

Get Your Python Programs and Discord Bots!
Premium
tbf IPs don't have many uses for malicious intent - they're pretty useless unless you just want to know someone's location
 

Harry

Rustacean
Management
Though including a force-op generally shows malicious intent, it doesn't always, so that's partly why a warning is issued instead of a ban, along with it not being inherently harmful as mentioned within shoutbox. Often developers leave such statements in for debugging purposes and forget to remove them before publishing, may include them when a license check fails in order to be able to disable their plugin/shut down the server, or they may have developed a plugin multiple years ago for private use and had forgotten about the existence of the force-op.

Obviously, none of those excuses are ones we accept, but they are genuine situations where malicious intent didn't exist; to issue a permanent ban for such seems quite harsh. This is why the actions of an author making use of an undisclosed backdoor they've implemented are handled on a case-by-case basis where we can verify that malicious intent did exist compared to assuming it did.

Ethereal739 was banned just for IP logging
This wasn't the actual reason for the ban; I'm unsure why the ban reason was what it was, so I've since updated to "resource contains malware".


You'd need file and/or database access to the server to retrieve such information, no? Unless the plugin itself implements a command to retrieve this information, but that doesn't seem likely in the case of API keys/login credentials/player private messages.
 

User

i left click on lego people
Supreme
My god, yes, please. IP logging is so much less harmful than Force-OP, it genuinely hurts to see it being treated like the opposite. Force-OP should be an instant ban from the site IMO, I can't think of a single non-malicious use. Even if you don't intend to destroy the server, the only other uses of force-OP that I've seen are copying player data like IPs (sound familiar?) and stealing lists of server settings, plugins, etc to create other servers to leech the playerbase with a stolen setup.
 

Capaldi

Banned
Though including a force-op generally shows malicious intent, it doesn't always so that's partly why a warning is issued instead of a ban, along with it not being inherently harmful as mentioned within shoutbox. Often developers leave such statements in for debugging purposes and forget to remove them before publishing, may include them when a license check fails in order to be able to disable their plugin/shut down the server, or they may have developed a plugin multiple years ago for private use and had forgotten about the existence of the force-op.
What is the purpose of someone having force-op in the first place? More-so for private use?

This wasn't the actual reason for the ban; I'm unsure why the ban reason was what it was, so I've since updated to "resource contains malware".
Okay, you cleared up the part regarding Ethereal's ban but what about Beer's? His ban was for 'malicious use of a backdoor'.
 
Banned forever. Reason: Rules violations

inferno

Supreme
I've spoken on this before and exactly as you say no good comes from force op. Literally, a dev sent a plugin to someone to sell, they posted it on their mcm, the dev used it maliciously to harm a server, was proven on it yet the person who had no idea and uploaded was the one in trouble. The dev literally got away while my ticket is getting called for "nitpicking proof from srs" even though the proof conclusively proves their actions and I had talked to the owner before. 0 punishment on the dev who performed the action lol, very very good justice system we have here. Beer griefed a server of somebody who stole his plugin aka his work which took forever to make and costs 300$ per license. I can understand his anger, of course, he took it out poorly but he ended up giving the user a stellar license as far as I am aware, making them satisfied as an "apology". In scam reports or so once you give the person what is supposedly owed the "scammer" is free to go, why was that not done when it comes to Beer? If the user affected is happy and affects, and the backdoor is removed I see no harm in it, of course, he shouldn't have done it to start but he has made up for it but hasn't been resolved :shrug:
 

Harry

Rustacean
Management
If I make a plugin for a server that I own fully or the other owner agrees for this to happen and we put a backdoor in the plugin if our server gets hacked and plugins leaked what happens?
Nothing would happen as the offence occurs when an individual distributes content with an undisclosed backdoor, not when one is discovered within a piece of software they've written.

Abusing or otherwise accessing that backdoor in a malicious way is its own offence and handled on a case-by-case basis as mentioned above.

What is the purpose of someone having force-op in the first place? More-so for private use?
Correct. A crude example would be a server owner wanting to ensure that they could never be banned or de-opped by someone who's gained unauthorised access; the server owner would make a plugin which unbans and ops them every time they join and this wouldn't be considered a force-op until that plugin is distributed elsewhere.

It is still inherently malicious, yes, and that's why we don't accept any excuses for a force-op being present. However, there are non-malicious uses such as the above which we need to consider. It's very hard to prove an individual's intent when we're just staring at a piece of code.

For me, the phrase 'possibly eventually get what you need' sums it up - the immediate action of escalating your permissions via a force-op does not give you access to this information, so their subsequent actions would be the result of maliciously accessing the backdoor (which offences are again handled on a case-by-case basis).

Accessing a backdoor for the purpose of theft/distribution of personal information would be a bannable offence.

I've spoken on this before and exactly as you say no good comes from force op. Literally, a dev sent a plugin to someone to sell, they posted it on their mcm, the dev used it maliciously to harm a server, was proven on it yet the person who had no idea and uploaded was the one in trouble. The dev literally got away while my ticket is getting called for "nitpicking proof from srs" even though the proof conclusively proves their actions and I had talked to the owner before.
I don't want to get bogged down in discussing specific situations here, but in this situation you're referencing, the existence of the backdoor was fully disclosed to the purchaser of the plugin's ownership rights, and that plugin was originally for private use.

If conclusive evidence has been provided within the scam report regarding the author maliciously accessing that backdoor then the appropriate action should be taken by the time the scam report has concluded - if it hasn't been then that needs to be followed up on.

Taking evidence from an on-going scam report and relaying that within a ticket does no good for us as the situation is already being handled by another staff member; we never want more than one staff member handling the same situation/report, as such is inefficient and causes confusion/communication breakdowns.
 

Justis

Community Member
Management
I’ve issued many of these warnings, and essentially every single person that I granted this warning to, responded begging for a verbal warning because of one of the following reasons:
1. It was an accident, they completely forgot that was even in there. It was left over code from local testing where they needed an easy way to test permissions with and without op.
2. The person they were collaborating with to develop this must have put it in there and forgot to remove it. They never wrote it, they never even saw it.
3. They aren’t the developer at all. They bought rights to the plugin/source off of someone else, and the code was left in by them. They had no idea it was there.
4. They left it in there in order to test the plugin's permissions on servers that are experiencing bugs without relying on the server owner to constantly op and deop them. They had no idea that it was considered malware on MCM, but they understand why it’s not allowed. They’ll never do it again.

Now, I am absolutely 100% against giving any of these people a verbal warning. They still uploaded the content to our site for our users to download, and they should be punished harshly for that. However, a permanent ban from our platform for an accident, for a misunderstanding, and for having done something with 100% no ill will whatsoever towards anyone, seems like a good way to lose some very valuable members of our community who otherwise would have never harmed a fly.

These people deserve a second chance, and that’s why the warning is high enough to where if it ever happens a second time, they will automatically be permanently banned for excessive violations of our rules.

If there was any indication that the user intended it maliciously, or if the user ever does maliciously make use of a back door or a forceop that was left in one of their uploads, they will be permanently banned, just as other currently banned users have been.
 

Capaldi

Banned
If you want to be lenient with those who have not shown malicious intent with it, that's something I can't really argue over.
However, Nathan received at least one warning for selling his force OP despite knowing it wasn't even allowed.
(He made a thread long before trying to get it allowed on MC-Market and about a year later, started to advertise it again on his profile)

His ban was ultimately for scamming, but he should have been banned long ago for selling the force OP.
 
Banned forever. Reason: Rules violations