Zero tolerance for distribution of malicious software

Status

saint

IPVP.ORG
Premium
Feedback score
2
Posts
86
Reactions
87
Resources
0
With the recent controversy surrounding Scar, I feel like there should be a change in the rules for developers and plugin sellers. For those unaware, there was a recent uncovering where malicious code (ie. a force op backdoor) was discovered in copies of iHCF that were sold to clients via the Plugins sub-forum. Once uncovered, the standard proceeding and warning template was applied to him by a moderator (35 points) and was further escalated to a permanent ban by Doge as can be seen in the picture below and this thread here.

A picture of the ban:
2538d6d863aca1aee1e221892fe4d94b.png


As of this moment the permanent ban has been lifted and the 35 point warning suspension remains in place.

When questioning the reversal of the ban with Justis in the shoutbox, a snippet of our conversation is as follows:
Justis R: There are many people who "accidentally" leave force ops in their plugins, for example, under the guise of it being used for development purposes. This would be considered a lesser offense.
Justis R: A ban worthy offense is something in which intent to harm the downloader is obvious, such as something which will delete your files upon running, install rats, or send personal data to the author.

Posting a backdoor plugin is an extremely malicious offense and should not be treated this lightly. A suspension is a mere slap on the wrists considering that in a previous thread posted (now deleted) there were claims of servers being griefed due to the exploits made available in the distributed software. This type of offense should not have an appeal process and should be a straight forward ban, especially considering there is a disconnect in the opinions of various moderators (scar suspended, banned, then the ban being reversed). Alongside all of this, there is more room for debate with user Andromeda remaining banned for the exact same reason.

I propose a strict no tolerance rule for malicious code with no appeals process, it should be in the interest of staff members and users to discourage the spreading of backdoored plugins. Developers should be aware of the rules (this one is common sense) when selling plugins and there should not even have to be a debate on whether the distribution was accidental versus malicious. The argument that a force-op backdoor was intended for development use only is incredibly weak - why would a developer need force-op when their test environment presumably gives them access to the file system and console? Are they doing their development testing on the servers of clients?
 
Type
Suggestion
Status
Denied
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

Kuzni

If you signed up after 2016 don't diss me thx
Supreme
Feedback score
12
Posts
1,688
Reactions
950
Resources
0
Think about this

The purchased version of iHCF could really fuck up a server when they did nothing wrong
They paid for a plugin which could ruin it all
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Just clarifying a few things; members are already banned for content which is obvious malicious, the examples of which, you've already given; and members are issued 35 warning points, which is more than half the warning points necessary for a ban, if they've submitted content which could potentially be malicious.

I want what's best for the community, obviously; and as a resource moderator who catches these guys during the approval process, and has to issue warnings, I am certain that the difference between malicious and potentially malicious is important and should be considered when giving punishments.
Every single user who has ever uploaded something with "potentially" abused backdoor or other content has always claimed:
- It's for protection, should their buyers attempt to scam them or leak their content
- It was left in accidentally from development
- It was left over from a previous developer, or the person who the author purchased it from.

I do not mind issuing bans to ignorant authors who upload malicious content; however, content which could have been no harm at all; when the author claims no malicious intent, it would break my heart having to ban them.

When suggesting this, I want you to keep in mind the severity of a ban. A ban means never being able to return. Just think about that. Imagine how screwed over you'd feel if you purchased a plugin from a developer, uploaded it to resources to sell after using it for a while, and then got perm banned from MC-Market because there was a force-op command still in there.

Also keep in mind that a 35 point suspension is a month-long suspension, and if you had five points before, that's two months.
That's a lot of time to get the message that you need to be more careful about what you upload; because it is a serious offense.
However, of the countless who came back after the long suspension, I've known only one who ever made the mistake of uploading potentially malicious content again; and due to the > 50% for ban required points, will never be able to again.

Malicious content is unforgivable, results in a ban.
Potentially malicious... But not having actually used it for anything malicious. Have a heart. Put yourself in their shoes. You'd kill for room for 1 more chance.

With all the people getting banned and feeling cheated; I'd like to keep away from implementing even more instant-ban offenses.
The warning system is here to ban people who don't learn from their mistakes, while providing those who could still be great for the community, the opportunity to do so.
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Why is there a "potentially" there?
Because a backdoor or forceop for example, isn't malicious unless it's intended to be used.
It's just a section of code that could potentially never be used; and if it's used, what it's used for is not defined by it's existence.

Something that rats your computer, steals your personal data, or delete your valuable files, that is malicious. The purpose of it's being there is implied and it could not be used for anything else.
 

Samuel

The most serious person ever.
Supreme
Feedback score
33
Posts
2,210
Reactions
1,572
Resources
0
Because a backdoor or forceop for example, isn't malicious unless it's intended to be used.
It's just a section of code that could potentially never be used; and if it's used, what it's used for is not defined by it's existence.

Something that rats your computer, steals your personal data, or delete your valuable files, that is malicious. The purpose of it's being there is implied and it could not be used for anything else.
A backdoor is malicious even if it's not used
 

Kuzni

If you signed up after 2016 don't diss me thx
Supreme
Feedback score
12
Posts
1,688
Reactions
950
Resources
0
Because a backdoor or forceop for example, isn't malicious unless it's intended to be used.
It's just a section of code that could potentially never be used; and if it's used, what it's used for is not defined by it's existence.

Something that rats your computer, steals your personal data, or delete your valuable files, that is malicious. The purpose of it's being there is implied and it could not be used for anything else.

Maybe it wouldn't be used by the developer but there is nothing to stop other users abusing it
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Maybe it wouldn't be used by the developer but there is nothing to stop other users abusing it
And there was nothing stopping the players of the MCM server from getting infinite money when my first algorithm for price change was released.
Stuff happens. Mistakes are made by people publishing their development work. There's no question with that.
The thing that's in question here is whether or not the person we are banning had malicious intent. Did they intend to do harm. That's what needs to be considered when banning them.
 

Kuzni

If you signed up after 2016 don't diss me thx
Supreme
Feedback score
12
Posts
1,688
Reactions
950
Resources
0
And there was nothing stopping the players of the MCM server from getting infinite money when my first algorithm for price change was released.
Stuff happens. Mistakes are made by people publishing their development work. There's no question with that.
The thing that's in question here is whether or not the person we are banning had malicious intent. Did they intend to do harm. That's what needs to be considered when banning them.

Say you spent $40 on the core, trusting the developer
$500 setting up the rest of the server and advertising
300 players on SOTW and your server gets grifed abusing a forceop

Wouldn't you be very pissed off?
 

ee

Supreme
Feedback score
3
Posts
278
Reactions
104
Resources
0
Just clarifying a few things; members are already banned for content which is obvious malicious, the examples of which, you've already given; and members are issued 35 warning points, which is more than half the warning points necessary for a ban, if they've submitted content which could potentially be malicious.

I want what's best for the community, obviously; and as a resource moderator who catches these guys during the approval process, and has to issue warnings, I am certain that the difference between malicious and potentially malicious is important and should be considered when giving punishments.
Every single user who has ever uploaded something with "potentially" abused backdoor or other content has always claimed:
- It's for protection, should their buyers attempt to scam them or leak their content
- It was left in accidentally from development
- It was left over from a previous developer, or the person who the author purchased it from.

I do not mind issuing bans to ignorant authors who upload malicious content; however, content which could have been no harm at all; when the author claims no malicious intent, it would break my heart having to ban them.

When suggesting this, I want you to keep in mind the severity of a ban. A ban means never being able to return. Just think about that. Imagine how screwed over you'd feel if you purchased a plugin from a developer, uploaded it to resources to sell after using it for a while, and then got perm banned from MC-Market because there was a force-op command still in there.

Also keep in mind that a 35 point suspension is a month-long suspension, and if you had five points before, that's two months.
That's a lot of time to get the message that you need to be more careful about what you upload; because it is a serious offense.
However, of the countless who came back after the long suspension, I've known only one who ever made the mistake of uploading potentially malicious content again; and due to the > 50% for ban required points, will never be able to again.

Malicious content is unforgivable, results in a ban.
Potentially malicious... But not having actually used it for anything malicious. Have a heart. Put yourself in their shoes. You'd kill for room for 1 more chance.

With all the people getting banned and feeling cheated; I'd like to keep away from implementing even more instant-ban offenses.
The warning system is here to ban people who don't learn from their mistakes, while providing those who could still be great for the community, the opportunity to do so.
Thats like saying I could rat it and say I forgot to remove it I was just testing and still get away with it. Sorry for being rude but its the truth.
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Say you spent $40 on the core, trusting the developer
$500 setting up the rest of the server and advertising
300 players on SOTW and your server gets grifed abusing a forceop

Wouldn't you be very pissed off?
Absolutely, as I would be if any development mistake was made which screwed up my server.
Then I'd blame myself if I didn't have backups beforehand.
Whether or not the user who was distributing the plugin should be banned or be given 1/2 the warning points needed for a ban, however, should depend on whether or not they did it intentionally, or if there's reason to believe they had no malicious intent.[DOUBLEPOST=1493312105][/DOUBLEPOST]
Thats like saying I could rat it and say I forgot to remove it I was just testing and still get away with it. Sorry for being rude but its the truth.
Why would you need a rat for testing purposes? ^.-
Rats = ban. I said that.
 

ee

Supreme
Feedback score
3
Posts
278
Reactions
104
Resources
0
Absolutely, as I would be if any development mistake was made which screwed up my server.
Then I'd blame myself if I didn't have backups beforehand.
Whether or not the user who was distributing the plugin should be banned or be given 1/2 the warning points needed for a ban, however, should depend on whether or not they did it intentionally, or if there's reason to believe they had no malicious intent.[DOUBLEPOST=1493312105][/DOUBLEPOST]
Why would you need a rat for testing purposes? ^.-
Rats = ban. I said that.
It was an example. Rats are backdoors force ops are backdoors.
 

matthewp

Software Developer
Supreme
Feedback score
14
Posts
542
Reactions
503
Resources
0
Having backdoors in plugins is something that is over-used. Yes if someone leaks your plugin and random servers are using it you could destroy them, but why would you? You should have a antileak system that works well that prevents the plugin from loading on other servers and you obfuscate it so it is harder to crack. Because if you have a backdoor in it, you should make sure that only YOU can use it and no one else except maybe other devs. But that means if the person hates you, they can just go on your server and destroy it.

To Sumarize (imo): Get a antileak and obfuscate. Don't but backdoors.
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Having backdoors in plugins is something that is over-used. Yes if someone leaks your plugin and random servers are using it you could destroy them, but why would you? You should have a antileak system that works well that prevents the plugin from loading on other servers and you obfuscate it so it is harder to crack. Because if you have a backdoor in it, you should make sure that only YOU can use it and no one else except maybe other devs. But that means if the person hates you, they can just go on your server and destroy it.

To Sumarize (imo): Get a antileak and obfuscate. Don't but backdoors.
Exactly what I'll tell people when issuing the 35 point warning, and at least a month long suspension.
So they can get 1 more chance to do it right.
Something they would not have if we issued a perm ban right away for some simpe lapse in judgement.
 
Last edited:

Kuzni

If you signed up after 2016 don't diss me thx
Supreme
Feedback score
12
Posts
1,688
Reactions
950
Resources
0
Absolutely, as I would be if any development mistake was made which screwed up my server.
Then I'd blame myself if I didn't have backups beforehand.
Whether or not the user who was distributing the plugin should be banned or be given 1/2 the warning points needed for a ban, however, should depend on whether or not they did it intentionally, or if there's reason to believe they had no malicious intent.

A backup wouldn't do much, having your server grifed at SOTW will fuck it all up
 

ee

Supreme
Feedback score
3
Posts
278
Reactions
104
Resources
0
A backup wouldn't do much, having your server grifed at SOTW will fuck it all up
Agreed, people won't want to come back if SOTW fails.
 

matthewp

Software Developer
Supreme
Feedback score
14
Posts
542
Reactions
503
Resources
0
A backup wouldn't do much, having your server grifed at SOTW will fuck it all up

Agreed, I feel like there should be either strict rules for backdoors or you should not be allowed to have them at all.
 

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Feedback score
12
Posts
2,419
Reactions
3,404
Resources
0
A backdoor is malicious even if it's not used

Tell that to Bebosny. Kappa

Ajdin a backdoor is malicious even if it isn't used

The backdoor was installed on my very own server and hard drive. It's not my fault if anyone tries to copy the files without consulting me first lol.

Justis My backdoor was installed on something that wasn't intended to be spread to other servers or users. The user mentioned in the example above had a clear intention of spreading the files which contained a backdoor without notifying anyone. Even if he didn't know that the files contained a backdoor, it's his own responsibility and he should be punished for it as if he spread the files. Anyone would be able to use this as an excuse which is just shitty.
 
Status
Top