25 Oct, 2012, Hades_Kane wrote in the 21st comment:
Votes: 0
Quote
Just being the devil's advocate, I could just say those are randomized test data and who could prove the contrary. (I have not seen them, but from what I read from Hades, there is absolutely no personal data, so I do not think there is any reason to care). I would not say the same if there was mail or real name (often contained in the mail) though.

Yes, but many games do. Even within a single game, I've seen IP tracking (last since logged) along with email address and even spots in accounts to put legitimate, real, personal data. I pity the poor sob who uses the same password on the MUD that they use on the email they listed, and if recent hacked password lists are any indication (I mean really, hundreds upon hundreds of people who use things like "password" or "12345" as their email address password?), there are enough stupid people out there to do that. I glanced at the pfiles in the codebase upload in question just enough to see if the password entry was still intact, I actually didn't bother looking to see what else it might contain, that was really enough for me to pose the question I did.



Quote
No, Quix's point is perfectly valid because the exact premise of your initial post is that there's some kind of inherent threat in codebases containing pfiles as though there's some "hacker(s)" out there who are going to actually waste their time cracking some mud player's encrypted password from a released codebase for some moronic reason or another.

It doesn't take a bona fide "hacker" to pull something like that off. A spiteful player with some coding knowledge could probably pull that off. And again, not every MUD encrypts their passwords, and even in ROM, you can set the value to not have them save encrypted.

Quote
Really? Everyone else in the MUD community? Hyperbolic much, HK?

Guess I was just following the trend of the thread ;)

Quote
First of all, hundreds of people? Let's be realistic here: We're talking about muds, and about muds whose source code is ever actually released; those muds generally aren't those in the top-ten with large player counts. At best, it's tens of people.

Even moderately active MUDs will have literally hundreds of individuals connect. Whether they retain these people is a completely different issue, and whether many of them log on simultaneously is another matter entirely too. Even with as "new" as End of Time is, I would wager we have had at least 100 different people log on during the course of the last two months, so a MUD that's been up and open and actively seeking players for a few years? It's not a stretch at all to say that literally hundreds of different people's information could be contained in an archive like that.

Quote
Secondly, good job attacking and making sweeping assumptions about a person you know nothing about other than the little snippet I mentioned in my post for example-sake. I thought he was just unfortunate at best for having his hard drives die on him through no fault of his own, or merely lazy at the worst, but apparently according to you he's doing a great disservice to the mud community.

And yeah, it is unfortunate, but anyone that knows even a little bit about computers knows that they fail, that stuff gets lost, and that if you want to retain something important, you make backups. And you stated yourself, this has happened multiple times. I could maybe see the first time forgivable, but after that, "no fault of his own" as far as the hard-drive or not, it has become his fault by not learning from the mistake of the first time and keeping independent backups of his code. And yes, a great disservice to the MUD community. I myself have on more than one occasion had a year into a character on a game that had his mentality, only to have it all lost because they apparently didn't make backups and the entire game was lost. Not everyone is as resilient as me, because after having that happen on more than one game? That could be enough to drive someone a little less enthralled with the hobby away from it entirely. Probably my biggest "break" from MUDing came after one such experience. It's lazy, irresponsible, and downright disrespectful to the people who put any time into the game, whether it's as a player or especially as a builder.

Quote
Aren't you doing a disservice to mud players out there who don't have the sensibility to change passwords between muds by acting as their crutch? Someone unable to put that little bit of work, I mean seriously, it's so ridiculously trivial, to pick secure passwords and change passwords between muds probably has no real business playing a MUD, right? How is it that the matter of players potentially having poor password (n)etiquette isn't also "not your problem"?

And what's going to be the easier and more effective task? Educating HUNDREDS if not THOUSANDS of MUD players to use unique passwords per MUD and to never use passwords on MUDs they use elsewhere, or remove the occasional pfile directory on a MUD listing site, and having some sort of disclaimer in the upload section cautioning against adding such content? Besides, the burden on things like that should be more on the Administrators of games like that, as they are in a more responsible and trusted position than just some player logging into a MUD.

Quote
…is the matter of admins/moderators acting out of sync with the stated site policies and failing to provide users with the information they need to know in order to be compliant in the first place. You know what I see when I check the site rules section regarding content submissions? This:

etc

Yes, and this is EXACTLY why I asked if you even read the thread.

I asked a question, I didn't state anything, and yes, I still technically have moderator access, but I never said anything was being done or should be done.

To restate my original post:

Quote
When we run across downloads in the repository that have pfile directories that include intact pfiles with passwords in them, is there anything we can do in order to request either modification of the download, or removal of the download as a result? I don't know what the policy of modifying other's uploads or anything like that is, but after a recent command about a backdoor on a codebase download, I downloaded the codebase to look for it and noticed the pfiles/passwords were still intact. I mean, they're "encrypted" to the best that a Dikurative is capable of, but I'm sure it wouldn't take much to reverse engineer the code that does that to extract actual passwords.


Emphasis added.

How in any way could this be construed as moderators and admins being out of step with one another or me in any way talking about an existing rule or anything like that, when it was a question on my part? Besides, moderators make NO policy decisions, their job is to enforce/modify or otherwise deal with things related specifically to forum discussion.

A question, mind you, that almost no one waited for an Administrator to answer, and that everyone jumped on and blew way out of proportion. It seems that finding out the answer to a question before breaking out the pitchforks would have been a much more reasoned response.

Quote
Maybe, just maybe, if users of this site even knew beforehand that they're not supposed to have player files and such present in submitted files, it wouldn't happen and thus wouldn't elicit any of the over-reactive hand-wringing that started this thread in the first place.


You even quoted Davion's response, the Administrator response clarifying policy. It isn't MB policy to edit uploads or change them, he clarified this. MB doesn't edit uploads, they may reject with suggestions for improvement, but that's it.

And for the record, if anyone had bothered actually asking or even taking a moment to look into what this was about rather than jumping to conclusions and blowing everything out of proportion, they would see that the only Administrative action taken was this line was added to the description of the file (that was not user submitted, but imported from mudmagic)

"This Upload contains a relevel command that allows users to hit implementer level."

An action, mind you, that was COMPLETELY unrelated to my question, save purely for context about the "backdoor" that was left in the code, which is what the additional line was addressing.

As far as I am concerned, however, through all of the BS that followed my initial question, the question itself was answered by the Administration of the site, which was clarification of MB policy and whether there was anything that could be done.

Based on the way I was attacked, mocked, and everything else in between, I may just find myself less likely to ask these questions or lobby for a particular position in public like this and take it to private messaging, and I believe in transparency and things like this discussed in the open so a consensus can be reached and other view points heard, but when people are just so quick to jump on someone for merely asking a question that sure doesn't lend itself toward the openness and transparency that was so strongly fought for here in the site's infancy.

And for what it's worth, I feel I am owed an apology for being jumped on like I was.
25 Oct, 2012, Lobotomy wrote in the 22nd comment:
Votes: 0
Hades_Kane said:
And for what it's worth, I feel I am owed an apology for being jumped on like I was.
Alright, fine. I'm truly and deeply sorry, Hades_Kane, that you're an inept twit. :rolleyes:

Next time, try using PM's to ask questions that are meant for only administrators to answer.
25 Oct, 2012, Ssolvarain wrote in the 23rd comment:
Votes: 0
Way to be gracious, jackass.
25 Oct, 2012, Lobotomy wrote in the 24th comment:
Votes: 0
Ssolvarain said:
Way to be gracious, jackass.

Assuming you're talking to me, you're welcome, asshole. I figure that (accurately) calling HK an inept twit is more succinct than another lengthy post debating him point for point; particularly since HK seemed to be more interested in nailing himself to a cross as the thread continued.

Now we can all do more productive things with our time; like watch and see how many years it takes for the additional information regarding the enforced-but-not-written content submission guidelines to actually be posted where it would be useful and informative to have them.
25 Oct, 2012, Davion wrote in the 25th comment:
Votes: 0
Just to clarify on content submission so there is no confusion by some of this information. There is no mystical set of guidelines that we come up with when approving or denying submissions. What we measure is the level of intent by the submitter. IF they intended to release the codebase with all the pfiles, so be it. If they intend to release the file with back doors, so be it. However, if we notice things like gdb cores and such, we point them out, and ask if they are intended to be in the release, if so, they make the cut.

We do not arbitrarily reject content based on other guidelines. We work with you to make sure the content you are submitting is exactly what you intended to submit. We do not force any guidelines beyond those stated in the site rules. You can find a link to those rules on every single page, in the navigation bar.
25 Oct, 2012, Hades_Kane wrote in the 26th comment:
Votes: 0
I posted a rude reply, and would like to apologize for anyone who saw it.

Bad morning + all of this = a lapse in judgment on my part.
25 Oct, 2012, arholly wrote in the 27th comment:
Votes: 0
I feel like throwing out the obligatory "Can't we all just get along."
25 Oct, 2012, Davion wrote in the 28th comment:
Votes: 0
arholly said:
I feel like throwing out the obligatory "Can't we all just get along."


You're not kidding. What bothers me the most is the reaction to HK trying to look out for other people's information. There was absolutely no malice in his question.
25 Oct, 2012, quixadhal wrote in the 29th comment:
Votes: 0
To me, the offensive part wasn't HK saying that (not asking if) including player files was a problem, but his implied attempt to force submissions to be sanitized of such data. I'm sorry, but you don't ASK about something in that manner unless you're actually campaigning for it to happen.

I don't approve of placing an additional burden of work on both the submitters AND the Mudbytes staff, just to try to solve a problem which (to my knowledge) has never been reported as an actual problem, only a hypothetical one.

I'd be kind of curious if anyone has actually had something hacked as a result of some character name/password combination from over ten years ago…. I'd also wonder why the heck they've been using the SAME PASSWORD for ten years?
26 Oct, 2012, KaVir wrote in the 30th comment:
Votes: 0
I'm not sure why you seem to think people always wait ten years before releasing their source code. More often than not, the source code is released while the mud is still active, or shortly after it shuts down.

I remember once seeing a mud distribution that included player files (including one of mine) with unencrypted passwords. The name I used wasn't one many people associate with me, nor do I use the same password for all my characters, but I do recall some people cross-referencing the names with those of high level players on other muds to see if any of the passwords matched.

There was also an incident on the original God Wars mud where one of my staff used the same password on another mud. The owners of that mud logged his character into God Wars and caused some grief. People like that would leap at the chance to get a list of passwords.
26 Oct, 2012, Scandum wrote in the 31st comment:
Votes: 0
KaVir said:
And while we're on the subject of submissions, I'd still like some way to remove or at least mark obsolete code. It's irritating having to explain to people that despite its name, "KaVir's MUD Protocol Handler (Fixed Up Source Code)" is actually obsolete, and that they should instead download "KaVir's MUD Protocol Handler".

There doesn't appear to be an option to delete files, but if an admin wants to delete KMPH (FUSC) that's fine with me.
26 Oct, 2012, quixadhal wrote in the 32nd comment:
Votes: 0
KaVir said:
I'm not sure why you seem to think people always wait ten years before releasing their source code. More often than not, the source code is released while the mud is still active, or shortly after it shuts down.


The majority of the last-updated dates in the code repository seem to indicate otherwise. Perhaps not a full 10 years, but I see a great many things from 2006, and very few from 2010 or later. I could be wrong, in that I may have not looked across enough different sections of the repository.

That does remind me of a feature request though… Is there (or could there be) a page that would show you recently updated or new submissions to the code repository, much like the page for showing recently updated topics on the forums?

Thanks for the example, KaVir. I'd never heard of anyone actually trying to do that across muds before (plenty of examples of people getting someone else's password on the same mud, unfortunately).

And Hades, while I won't apologize for my argument (I still think this is a non-issue, and I still feel it hurts potential submitters more than it helps players), I will for my tone coming across as insulting. To me, the entire idea comes across as putting warning labels on hot coffee about it being hot, or trying to change the nature of sheets of paper to avoid paper cuts.
26 Oct, 2012, Hades_Kane wrote in the 33rd comment:
Votes: 0
quixadhal said:
And Hades, while I won't apologize for my argument (I still think this is a non-issue, and I still feel it hurts potential submitters more than it helps players), I will for my tone coming across as insulting. To me, the entire idea comes across as putting warning labels on hot coffee about it being hot, or trying to change the nature of sheets of paper to avoid paper cuts.


I'll take what I can get with that, thank you.

As far as the other stuff, yeah, I didn't have a specific example to point to (thank you KaVir for providing one), but I've been MUDing long enough to feel like it would be a safe assumption that it's either happened or was still fairly likely. I've been on enough games that feel entitled to your personal information (email, real name, etc.) that I felt compelled to bring it up.

As far as burdening the staff or submitters with additional work? I figured if the Administration of the site didn't see a problem, didn't feel they had the right, or didn't want the extra work, that would be clarified and they could answer for themselves. Which they did, and I feel that the differences in opinions on both sides were heard, a decision was made, and that's where we are, and I'm cool with that. With regards to the submitters, clearing out notes directory and the player directory (with maybe leaving an implementor level character intact) didn't seem like much of an extra step for me, I suppose.

Either way, as someone earlier stated, this is a good reminder of why it's good to make sure you use different passwords across different MUDs, not to use a password you use elsewhere in MUDs, and not to use the private boards on a MUD for anything you wouldn't want others to potentially see.

I think that, at least for the players of End of Time, I will take some extra steps to remind them of that as well.
26 Oct, 2012, Tijer wrote in the 34th comment:
Votes: 0
I remember the issue that KaVir mentioned.. and the MUD that logged on the immortal didn't encrypt their passwords, so anyone with shell access could view the characters' passwords.

Personally I think it is wrong for mud codebases to be released complete with pfiles. I had one of my muds stolen by someone who gave it out complete with pfiles, they were using my character pretending that they were me, and using several other characters pretending to be them!!!
26 Oct, 2012, Davion wrote in the 35th comment:
Votes: 0
quixadhal said:
That does remind me of a feature request though… Is there (or could there be) a page that would show you recently updated or new submissions to the code repository, much like the page for showing recently updated topics on the forums?


It's there. http://www.mudbytes.net/index.php?a=file...

It only tracks very recent though. …wow is it yellow! :D
26 Oct, 2012, quixadhal wrote in the 36th comment:
Votes: 0
Hmmmm, how hard would it be to allow it to select from a specific category (or a category and all the sub-categories of it)?

What I'm thinking is, "show me the 10 most recently updated merc muds", and it'd show you anything from the merc level downwards. The query probably wouldn't be hard (provided you can get a list of sub-categories from a given category), but I'm not sure how to display it nicely. Maybe just a button in the corner of the repository pages, or a drop-list on the recent upload page?
28 Oct, 2012, Nathan wrote in the 37th comment:
Votes: 0
The way I see it, if you give out personal information on a mud that doesn't have any policies regarding that then you have in some ways given them free license to do what they wish with it. It's like if I told someone my name and birthday on a street corner. I don't have any right to prevent whoever I told from posting that info online, storing it in a file, telling a friend, etc. Whereas with a business usually they have policies that say what they can do with that information, etc.

Passwords and pfiles aren't really that big a deal at the end of the day unless they come from a live mud or one that shut down fairly recently. I feel like maybe in those two cases the admin might be obligated to remove player files. After like 5 or 10 years most of that information is probably unimportant and irrelevant. Ultimately what you do with your information is your problem.

It doesn't seem unreasonable that this site might remove downloads with pfiles if the admin of a live mud (who can be proven to be the admin) requests it. I.e. if they or someone posted the code for the game and didn't remove the pfiles, etc. If a player of that mud is concerned that their pfile is available on some website they really should contact the admin of their mud first to have them deal with it. That person probably ought to change their password as well.

As to the size issues that could be fairly annoying, although sometimes it's interesting when you have a download of code that isn't used anywhere anymore that has old users in it.
28 Oct, 2012, Runter wrote in the 38th comment:
Votes: 0
Quote
The way I see it, if you give out personal information on a mud that doesn't have any policies regarding that then you have in some ways given them free license to do what they wish with it. It's like if I told someone my name and birthday on a street corner. I don't have any right to prevent whoever I told from posting that info online, storing it in a file, telling a friend, etc. Whereas with a business usually they have policies that say what they can do with that information, etc.


You're making your own personal distinction here since policies a business chooses to use are fleeting and not some type of binding contract when you use the service. A more reasonable approach is just taking the stand that people should be careful with other people's personal information. Not dismissive or indignant about legalisms regarding what you have the right to do with their information based on what will get you in legal trouble.

When organizations (Even legally) don't follow that basic concept, there should be someone posting and sounding the alarm so that users of their services can make the decision if they want to continue supporting them or not. Legalisms have nothing to do with it.
29 Oct, 2012, Nathan wrote in the 39th comment:
Votes: 0
I'm simply pointing out that with business there is usually at least semblance of some attempt to ensure the users that their info is secure. If you agreed to an agreement on a site that said they would keep your personal information secret and then they deliberately passed it on, sold it, etc you could probably might be able to sue them in a civil court over it. On the other hand if you freely give away information there is very little that you can do about it.

I sincerely doubt there is much anyone can do about someone spreading information about them that was freely given. Facebook, anyone? Just because you trust people enough to friend doesn't make them trustworthy. It's not like they'll be at fault legally if they tell someone else what they know and that third person or a fourth person uses that info to commit identity theft or to successfully get through security questions to gain control of the first person's online accounts.

I'm just saying regardless of what happens, people need to be responsible for being careful. They shouldn't complain too loudly if they were incautious and something happened. If you had a player and your player file with personal info you put in it get out into public access, then you have almost no one else to blame but yourself even if someone else's behavior was unethical.

A single person or even a few running a text game server is hardly an organization.
29 Oct, 2012, Hades_Kane wrote in the 40th comment:
Votes: 0
I don't dispute that anyone who uses passwords on MUDs they use elsewhere, who give a MUD their personal information, uses the personal boards for secure communication, or otherwise compromises their own personal security on a MUD shouldn't. I don't dispute they need to be more responsible.

One important thing to keep in mind, though, is that at one point, all of us were at a point where we might not have "known better."

Even with regards to MUDs, I remember being separately naive both about at one point believing that every input sent to the game, regardless of what it was, was being recorded in these mysterious, all encompassing, all knowing things called logs, and that any dispute or issue could be resolved by the imms "checking the logs"… and once finding out this wasn't the case and how it actually worked, being shocked the first time I took a peek at the note directory in the shell for a MUD and realizing just how open and out there for anyone with shell access the personal notes were.

Being a newbie can be confusing, and in the same way one person might suspect everything they do on a game is being watched, another might just assume their information is safe, just as that assumption can normally be made from email providers or graphical MMOs. I'm not suggesting a crusade to "protect the poor helpless newbie" or whatever. But I think it is important to remember that most of us here probably exist in the relative upper echelon of computer users when it comes to knowledge and awareness, and the bulk of computer users out there don't "get it" quite to the same level we do. I can't remember the last time I actually had a computer virus, spyware on my computer, and there's only been one time I've ever had a fraudulent charge on my credit card, and that's been years. I suspect the same could be said for the rest of you as well. We know better… most people don't.

That said, we might understand a single person running a text game server is hardly an organization, but someone new to the genre, someone less computer knowledgeable as most of us, they might not quite grasp that to the same level. Also, let me note that I know people who have used the same password across all services for like 15 years. It might not be as bad as "12345678" or "password1" or something like that, but despite my best efforts to get some of these people to vary it up at least a little, they stick with what they know because they've never had a problem they are aware of, they know the password, and change is scary :p

Now, I'm not lobbying MUDBytes to change their policy, all I'm saying is, it might not hurt to just remember that even though they should "know better", lots of people don't, and it doesn't hurt to have a little more compassion with regards to that, or do a little more to remind people how to protect themselves.

If nothing else, this conversation continuing in a productive manner may help toward that end.