Babylon/mud
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
mud/lib/www/articles/old/forum_chat.html
Babylon 433e764989 first commit
2020-09-06 05:43:07 -07:00

279 lines
16 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
<title>security bug forum chat</title>
</head>
<body>
<span style="font-family: monospace;">tacitus - 2006/06/17 05:48&nbsp; </span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">I'm all for healthy competition
and needling each other. I think</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">anyone who knows me knows I'm
anything but thin-skinned.</span><br style="font-family: monospace;">
<span style="font-family: monospace;">I enjoy a good romp either on gjs
or on justrage, or whatever.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">This thing, though, crossed the
line between rough play</span><br style="font-family: monospace;">
<span style="font-family: monospace;">and actual harm.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">I figured Tacitus would be
insufferably smug if he found</span><br style="font-family: monospace;">
<span style="font-family: monospace;">the bug he was looking for, but I
figured that was a small</span><br style="font-family: monospace;">
<span style="font-family: monospace;">price to pay for getting help
securing DS. What I did</span><br style="font-family: monospace;">
<span style="font-family: monospace;">not count on was him taking it
upon himself to delete</span><br style="font-family: monospace;">
<span style="font-family: monospace;">log files.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">This is a serious problem,
because he was messing with</span><br style="font-family: monospace;">
<span style="font-family: monospace;">security, and if I can't tell
what he did, I have to</span><br style="font-family: monospace;">
<span style="font-family: monospace;">stop everything and reconstruct
the events by hand.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Whether it was malicious is
actually beside the point.</span><br style="font-family: monospace;">
<span style="font-family: monospace;">Either he's untrustworthy because
he was concealing bad</span><br style="font-family: monospace;">
<span style="font-family: monospace;">behavior, or he's untrustworthy
because he doesn't know</span><br style="font-family: monospace;">
<span style="font-family: monospace;">better than to tromp around
someone's logs as he pleases,</span><br style="font-family: monospace;">
<span style="font-family: monospace;">without so much as a hint of his
intentions to the</span><br style="font-family: monospace;">
<span style="font-family: monospace;">owner.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Either way, it was a breach of
trust I did not expect</span><br style="font-family: monospace;">
<span style="font-family: monospace;">from someone I've been supporting
as a leader in the</span><br style="font-family: monospace;">
<span style="font-family: monospace;">community.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">I've been granted guest creator
and sometimes even guest</span><br style="font-family: monospace;">
<span style="font-family: monospace;">admin privileges on other
people's muds, and I have</span><br style="font-family: monospace;">
<span style="font-family: monospace;">never done anything but exactly
what I've announced</span><br style="font-family: monospace;">
<span style="font-family: monospace;">and only with permission, because
it's not my mud</span><br style="font-family: monospace;">
<span style="font-family: monospace;">and I understand that. This is
basic. It's obvious.</span><br style="font-family: monospace;">
<span style="font-family: monospace;">In someone else's house, you ask
before you perform</span><br style="font-family: monospace;">
<span style="font-family: monospace;">potentially irreversible changes,
or you can just</span><br style="font-family: monospace;">
<span style="font-family: monospace;">consider yourself a boor.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">So there's that.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">According to Tacitus he attempted
to delete logs without</span><br style="font-family: monospace;">
<span style="font-family: monospace;">asking permission out of a
concern that other people</span><br style="font-family: monospace;">
<span style="font-family: monospace;">might happen upon them and learn
the exploit. Aside</span><br style="font-family: monospace;">
<span style="font-family: monospace;">from the obvious objection that
he could have just</span><br style="font-family: monospace;">
<span style="font-family: monospace;">told me so I could decide for
myself, is the bizarre</span><br style="font-family: monospace;">
<span style="font-family: monospace;">fact that he went on gjs
intergossip to announce there</span><br style="font-family: monospace;">
<span style="font-family: monospace;">his achievement, and allowed
thespread of information about how</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">he did it. Any casual reader of
the gjs i3 log is</span><br style="font-family: monospace;">
<span style="font-family: monospace;">now in full possession of all the
details needed to</span><br style="font-family: monospace;">
<span style="font-family: monospace;">compromise a Dead Souls mud, if
given Creator status.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">How this squares with his stated
intention of protecting</span><br style="font-family: monospace;">
<span style="font-family: monospace;">the community by deleting my logs
I can't say.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">There are some folks out there
who find exploits in</span><br style="font-family: monospace;">
<span style="font-family: monospace;">commercial software, and share
the information</span><br style="font-family: monospace;">
<span style="font-family: monospace;">with the public in an attempt to
help people get</span><br style="font-family: monospace;">
<span style="font-family: monospace;">ahead of the curve. Even assuming
this is not</span><br style="font-family: monospace;">
<span style="font-family: monospace;">dangerous, it is common for
professional, responsible</span><br style="font-family: monospace;">
<span style="font-family: monospace;">programmers who find serious
flaws to give the</span><br style="font-family: monospace;">
<span style="font-family: monospace;">manufacturer a few days or weeks
to develop a</span><br style="font-family: monospace;">
<span style="font-family: monospace;">patch before outing the info. As
a colleague, this</span><br style="font-family: monospace;">
<span style="font-family: monospace;">is the least I would have
expected.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Instead I'm now spending what
little of the weekend</span><br style="font-family: monospace;">
<span style="font-family: monospace;">I had for myself reconstructing
free space to</span><br style="font-family: monospace;">
<span style="font-family: monospace;">find potentially deleted files,
and exhaustively</span><br style="font-family: monospace;">
<span style="font-family: monospace;">nailing down each exploit and
subexploit related to</span><br style="font-family: monospace;">
<span style="font-family: monospace;">this incident. Just because
Tacitus couldn't contain</span><br style="font-family: monospace;">
<span style="font-family: monospace;">his glee and pride at rooting me,
and couldn't</span><br style="font-family: monospace;">
<span style="font-family: monospace;">give me a couple of days to deal
with it</span><br style="font-family: monospace;">
<span style="font-family: monospace;">in a more deliberate and measured
way.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Well, Tacitus, you win. The big
bad Dead Souls</span><br style="font-family: monospace;">
<span style="font-family: monospace;">juggernaut had feet of clay,
after all.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">However, you've lost any trust I
had in you, any</span><br style="font-family: monospace;">
<span style="font-family: monospace;">good will. Maybe it will change,
but at the moment</span><br style="font-family: monospace;">
<span style="font-family: monospace;">I just don't see myself feeling
up to dealing</span><br style="font-family: monospace;">
<span style="font-family: monospace;">with you. You didn't have to do
it this way.</span><br style="font-family: monospace;">
<span style="font-family: monospace;">I hope the schadenfreude was
worth it.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">When you came back from watching
your</span><br style="font-family: monospace;">
<span style="font-family: monospace;">movie, this was your message:</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Tacitus@TimMUD
&lt;intergossip&gt; How is that audit coming?</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">It's coming along fine. Thanks.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">-Crat</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;</span><br
style="font-family: monospace;">
<hr style="width: 100%; height: 2px; font-family: monospace;"><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Re:tacitus - 2006/06/17 06:00</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">I think Cratylus made some very
valid points however I think we all know that I wasn't trying to be
malicious - I was simply excited by my discovery. Furthermore, you told
me you were snooping and then I paged the log file and then proceeded
to delete (However, either the access file hadn't reparsed or you had
already removed me from the arch group so it failed) the log file that
contained the commands (eval and call logs) I used to find the exploit.
From today's events, I can only conclude we didn't truly realize the
lack of trust we had in each other in the first place or you are trying
to use this as some sort of publicity stunt.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">As for the information being
released on intermud, I did not release the information directly.
Rather Duuk was cleaver enough to pry enough out of him to figure it
out on his own and then proceed to make fun of you - I can see how your
feelings can be a bit hurt.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">I know if this happened to my
lib, I'd be very much embarassed too and I can understand why you are
making this post. I humbly appologize.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">P.S. The audit comment was to
Hellmonger because he joking said that he'd audit my mudlib for me. If
you know this and that means that you are now auditing my mudlib, I
look forward to the results.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Post edited by: somerville32, at:
2006/06/17 06:02 Tacitus</span><br style="font-family: monospace;">
<span style="font-family: monospace;">Executive Director</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">Research, Education, and
Development</span><br style="font-family: monospace;">
<span style="font-family: monospace;">LPUniversity Foundation</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<hr style="width: 100%; height: 2px; font-family: monospace;"><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">Re:tacitus - 2006/06/17
06:18&nbsp; </span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">For the record, I don't remember
saying anything about</span><br style="font-family: monospace;">
<span style="font-family: monospace;">watching you. While you were
messing with my lib, I was</span><br style="font-family: monospace;">
<span style="font-family: monospace;">in the middle of helping Samael.
That was the level of</span><br style="font-family: monospace;">
<span style="font-family: monospace;">trust I had in you. When you
started crowing about your</span><br style="font-family: monospace;">
<span style="font-family: monospace;">success, I started snooping you,
and saw you trying</span><br style="font-family: monospace;">
<span style="font-family: monospace;">to delete logs. You can imagine
my dismay. Given</span><br style="font-family: monospace;">
<span style="font-family: monospace;">that you were admin, were
deleting logs without telling me,</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">and I didn't know what you'd do
next, I ridded you on the spot</span><br style="font-family: monospace;">
<span style="font-family: monospace;">and locked the mud, but alas,
you'd already made yourself</span><br style="font-family: monospace;">
<span style="font-family: monospace;">an elder, so you recreated your
character and logged back</span><br style="font-family: monospace;">
<span style="font-family: monospace;">in. Not knowing what you *had*
done or what you *planned*</span><br style="font-family: monospace;">
<span style="font-family: monospace;">to do, I killed the mud process,
unmounted the filesystem,</span><br style="font-family: monospace;">
<span style="font-family: monospace;">and began the tedious process of
intrusion forensics.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">You really don't need to suggest
I feel hurt because of Duuk.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">I feel betrayed because of *you*.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">You seem intent on provoking me
by claiming that my</span><br style="font-family: monospace;">
<span style="font-family: monospace;">statements are for some purpose
other than telling the truth.</span><br style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">I would suggest you read my
statements as declarations</span><br style="font-family: monospace;">
<span style="font-family: monospace;">of what I believe to be true,
regardless of how uncomfortable</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">that might make you.</span><br
style="font-family: monospace;">
<br style="font-family: monospace;">
<span style="font-family: monospace;">-Crat</span><br
style="font-family: monospace;">
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink