Zero tolerance for distribution of malicious software

Status

saint

IPVP.ORG
Premium
Feedback score
2
Posts
86
Reactions
87
Resources
0
With the recent controversy surrounding Scar, I feel like there should be a change in the rules for developers and plugin sellers. For those unaware, there was a recent uncovering where malicious code (ie. a force op backdoor) was discovered in copies of iHCF that were sold to clients via the Plugins sub-forum. Once uncovered, the standard proceeding and warning template was applied to him by a moderator (35 points) and was further escalated to a permanent ban by Doge as can be seen in the picture below and this thread here.

A picture of the ban:
2538d6d863aca1aee1e221892fe4d94b.png


As of this moment the permanent ban has been lifted and the 35 point warning suspension remains in place.

When questioning the reversal of the ban with Justis in the shoutbox, a snippet of our conversation is as follows:
Justis R: There are many people who "accidentally" leave force ops in their plugins, for example, under the guise of it being used for development purposes. This would be considered a lesser offense.
Justis R: A ban worthy offense is something in which intent to harm the downloader is obvious, such as something which will delete your files upon running, install rats, or send personal data to the author.

Posting a backdoor plugin is an extremely malicious offense and should not be treated this lightly. A suspension is a mere slap on the wrists considering that in a previous thread posted (now deleted) there were claims of servers being griefed due to the exploits made available in the distributed software. This type of offense should not have an appeal process and should be a straight forward ban, especially considering there is a disconnect in the opinions of various moderators (scar suspended, banned, then the ban being reversed). Alongside all of this, there is more room for debate with user Andromeda remaining banned for the exact same reason.

I propose a strict no tolerance rule for malicious code with no appeals process, it should be in the interest of staff members and users to discourage the spreading of backdoored plugins. Developers should be aware of the rules (this one is common sense) when selling plugins and there should not even have to be a debate on whether the distribution was accidental versus malicious. The argument that a force-op backdoor was intended for development use only is incredibly weak - why would a developer need force-op when their test environment presumably gives them access to the file system and console? Are they doing their development testing on the servers of clients?
 
Type
Suggestion
Status
Denied
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

Samuel

The most serious person ever.
Supreme
Feedback score
33
Posts
2,210
Reactions
1,572
Resources
0
The backdoor was installed on my very own server and hard drive. It's not my fault if anyone tries to copy the files without consulting me first lol.
That's a new story. If you have it on your own system and you're not distributing it, then it's not malicious.

Justis what Ajdin said is not malicious.
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
That's a new story. If you have it on your own system and you're not distributing it, then it's not malicious.

Justis what Ajdin said is not malicious.
Thanks for your opinion.

The backdoor was installed on my very own server and hard drive. It's not my fault if anyone tries to copy the files without consulting me first lol.

Justis My backdoor was installed on something that wasn't intended to be spread to other servers or users. The user mentioned in the example above had a clear intention of spreading the files which contained a backdoor without notifying anyone. Even if he didn't know that the files contained a backdoor, it's his own responsibility and he should be punished for it as if he spread the files. Anyone would be able to use this as an excuse which is just shitty.
Once the files were no longer yours, I would have expected you to help get those backdoors removed, and not flaunt about how they're still there. That's why I'm salty.

Would you agree with the statement that:
Potentially malicious content should be punished the same as malicious content. With a ban.
Or would you agree that such a ban should require that the content actually be confirmed to be distributed maliciously; and that 35 points for content without inherent malicious intent is acceptable?
 

Samuel

The most serious person ever.
Supreme
Feedback score
33
Posts
2,210
Reactions
1,572
Resources
0
Thanks for your opinion.


Once the files were no longer yours, I would have expected you to help get those backdoors removed, and not flaunt about how they're still there. That's why I'm salty.

Would you agree with the statement that:
Potentially malicious content should be punished the same as malicious content. With a ban.
Or would you agree that such a ban should require that the content actually be confirmed to be distributed maliciously; and that 35 points for content without inherent malicious intent is acceptable?
Mick didn't want his help though, if you're referring to something in MCM.
 

Taiga

¯\_(ツ)_/¯
Supreme
Feedback score
6
Posts
614
Reactions
984
Resources
0
Exactly what I'll tell people when issuing the 35 point warning, and at least a month long suspension.
So they can get 1 more chance to do it right.
Something they would not have if we issued a perm ban right away for some simpe lapse in judgement.
Replace this whole situation from "backdoor" to "scamming" and you would sound like a mcm competitor.

If I had a big server that is a important source of money and I found my server griefed because of a backdoor put in knowingly by a developer, I would be real mad. This could lead to a loss of money, just like scamming, so why should it only be punished with a temp ban?
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Replace this whole situation from "backdoor" to "scamming" and you would sound like a mcm competitor.

If I had a big server that is a important source of money and I found my server griefed because of a backdoor put in knowingly by a developer, I would be real mad. This could lead to a loss of money, just like scamming, so why should it only be punished with a temp ban?
Replace any situation with "scamming" and you can argue it should result in a ban. I don't see how this argument particularly clarifies anything regarding the differences between malicious and potentially malicious programming.
 

Taiga

¯\_(ツ)_/¯
Supreme
Feedback score
6
Posts
614
Reactions
984
Resources
0
Replace any situation with "scamming" and you can argue it should result in a ban. I don't see how this argument particularly clarifies anything regarding the differences between malicious and potentially malicious programming.
Potentially is a gray zone. Lets make a quick example:
You got a bomb. The bomb can either blow up in 10 seconds, have a controlled detonation by a button or not be there at all. The bomb is placed on each car to ensure the user pays their lease. If you have with the button, the car maker can obviously say that they have excellent moral reasons and would never press the button if the lease was paid. You wouldnt trust that, right? What if the person with the button wasnt right in his/her head? It's just better to remove the bomb then to either have it at 10 seconds or controlled, and then we can start talking about how awful it would be if you were never told about this at all.
This is MEANT to be malicious if the dev himself feels like he is right, especially if he has it hidden. I have seen people banned for copying or misinforming, so why isnt placing malicious code perm ban worthy?
 
Last edited:

saint

IPVP.ORG
Premium
Feedback score
2
Posts
86
Reactions
87
Resources
0
Every single user who has ever uploaded something with "potentially" abused backdoor or other content has always claimed:
- It's for protection, should their buyers attempt to scam them or leak their content
- It was left in accidentally from development
- It was left over from a previous developer, or the person who the author purchased it from.
These reasons are incredibly weak. There are different ways to protect software (ie. obfuscation and a licensing system) and a force-op is virtually useless when attempting to prevent distribution and leaking of software.

I do not mind issuing bans to ignorant authors who upload malicious content
The last two points you provided in the quote above are clear examples of extreme ignorance. The developer owes it to the client to vet the code and take full responsibility for any software that is sold.

when the author claims no malicious intent, it would break my heart having to ban them.
Your duty should be to protect the community and its members from harm as well as protecting the integrity of the sales section. Stating that you have a weak/soft heart makes you a target or point of contact for anybody with a crappy excuse to try exploiting you to unban them. In the same spirit, it's absolutely heart breaking for a server team who has spent (potentially) hundreds of dollars and hours constructing their server and advertising an SOTW for it to be wasted as a result of an exploit such as the one presented in the thread topic.

Justis I understand that there may be people who genuinely are innocent, however removing the requirement to take responsibility for them opens up a can of worms that can potentially cost hundreds of dollars to individuals. Regardless of whether somebody intended to spread something or not, this creates a hostile environment for clients because they may be receiving something in their purchases that was not advertised or wanted.

In creating this thread I'm not concerned with whether or not the decision to suspend Scar rather than permanent ban him is flipped around. My interest is mainly just to ensure that there are no more issues, debates or dramas arising when a member of the community (be it accidentally) spreads malicious software.
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Justis I understand that there may be people who genuinely are innocent, however removing the requirement to take responsibility for them opens up a can of worms that can potentially cost hundreds of dollars to individuals. Regardless of whether somebody intended to spread something or not, this creates a hostile environment for clients because they may be receiving something in their purchases that was not advertised or wanted.
You believe giving someone more than 1/2 of the required warning points necessary to perm ban someone is taking away their responsibility?
Giving someone that many warning points only allows them 1 more chance, and as I said, for the people who end up getting the warning instead of a ban, it's almost always received well.
The people who would abuse it would only possibly get that 1 chance, so there's no room for continued abuse.
I don't believe the weight of the half way point suspension is really being fully acknowledged here.
 

Mick

BuiltByBit Owner
Management
Feedback score
28
Posts
6,413
Reactions
7,704
Resources
0
Just clarifying a few things; members are already banned for content which is obvious malicious, the examples of which, you've already given; and members are issued 35 warning points, which is more than half the warning points necessary for a ban, if they've submitted content which could potentially be malicious.

I want what's best for the community, obviously; and as a resource moderator who catches these guys during the approval process, and has to issue warnings, I am certain that the difference between malicious and potentially malicious is important and should be considered when giving punishments.
Every single user who has ever uploaded something with "potentially" abused backdoor or other content has always claimed:
- It's for protection, should their buyers attempt to scam them or leak their content
- It was left in accidentally from development
- It was left over from a previous developer, or the person who the author purchased it from.

I do not mind issuing bans to ignorant authors who upload malicious content; however, content which could have been no harm at all; when the author claims no malicious intent, it would break my heart having to ban them.

When suggesting this, I want you to keep in mind the severity of a ban. A ban means never being able to return. Just think about that. Imagine how screwed over you'd feel if you purchased a plugin from a developer, uploaded it to resources to sell after using it for a while, and then got perm banned from MC-Market because there was a force-op command still in there.

Also keep in mind that a 35 point suspension is a month-long suspension, and if you had five points before, that's two months.
That's a lot of time to get the message that you need to be more careful about what you upload; because it is a serious offense.
However, of the countless who came back after the long suspension, I've known only one who ever made the mistake of uploading potentially malicious content again; and due to the > 50% for ban required points, will never be able to again.

Malicious content is unforgivable, results in a ban.
Potentially malicious... But not having actually used it for anything malicious. Have a heart. Put yourself in their shoes. You'd kill for room for 1 more chance.

With all the people getting banned and feeling cheated; I'd like to keep away from implementing even more instant-ban offenses.
The warning system is here to ban people who don't learn from their mistakes, while providing those who could still be great for the community, the opportunity to do so.
Denied, thanks for the suggestion.
 
Status
Top