PSA: SuperString

Discussion in 'Community News and Announcements' started by eyamaz, Nov 8, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    eyamaz

    Today, it was brought to my attention that the plugin "SuperString" had slipped past us and contained malicious code. This plugin, and the author, have both been removed from DBO. If, at this time, you are one of those that have downloaded this plugin, please be warned that version 1.1 contains the malicious code.

    Over the last few months, we have caught more than a dozen new plugins uploaded with malicious code. However, no system is perfect and we miss some. Anyone that says you can catch such code all of the time, would be straight lying. This is where the community helps play in to the protection equation.

    As much as the community relies on us to help ensure a safer place to download their addons, modifications, and various plugins, we also rely on the community's feedback and help to report the things we miss. Instead of a blind hosting system like many other sites, we use this 2 step peer review (both us and the community) to try and weed out those who would do harm. In this, we can take and grow our services to try to provide a better experience for all of the community.

    We had announced that if we missed anything that was then reported to us in this fashion, we would always do a PSA to inform the community. We have no reason not to tell you if we missed a malicious file as that would be dangerous to the community itself if these plugins stayed in use.
     
    tjbruce likes this.
  2. eyamaz Hahaha... This time no excuses. Man up and take your responsibility as a team (or whatever you call it). This should have been caught.
     
  3. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı

    Should we expect a PSA every time a malicious plugin is caught post-approval?
     
  4. Offline

    slipcor

    Glad to have a PSA that you continue reviewing files again! Or do you stop now, again, to fix stuff?

    Edit: wait what, how does that peer review work? You rely on server owners noticing that they are taken over by some plugin they just installed/updated? You DO realize that some plugins use auto updating? I hope this is not what you meant Oo
     
  5. Offline

    lol768

    Could you explain why the plugin was reviewed in such a short period of time, suspicious variable names such as "scoreOpCode" and calls to methods such as getConsoleSender and dispatchCommand were completely missed?

    This is a complete joke, not least because the entire team is paid and works presumably full-time to moderate Curse(Forge) sites. We were informed staff had learnt from the past times this had happened. The only reason these plugins have been reported is because they were designed to see whether Curse staff picked them up during the review process and the authors had the decency to publicly explain the mistake and contact Curse regarding the matter. Someone with malicious intent would not do this.
     
  6. Offline

    Zenexer

    While it's inevitable that some malicious plugins will be overlooked, it does seem rather suspicious that this particular case was missed. Perhaps there is room for improvement?
     
  7. Offline

    drtshock

    Where is the PSA saying the community is also responsible for catching malicious files? Why do you need to shift the blame onto us? Sad that you can't even take responsibility despite this being a paid job.

    Glorifying the person that got this through by making a visible PSA every time someone makes a reddit post about getting malicious code through will just make more people want the infamy of getting something through.
     
  8. Offline

    thomasb454





    What you guys are saying is all pretty valid, but might I remind you bashing on them like this doesn't help. Let's not forget you're the ones that left and returning to slander Curse staff just doesn't look too good.

    Yes standards have dropped, but they have been dropped into the deep end, not knowing what is what.
    Please try and be supporative.

    *waiting for all retired staff to cut me up*
     
  9. Offline

    Kaelten


    We've been doing this to be transparent with the community. Would you suggest something alternative?

    The idea of peer review is that if people notice things we don't we're going to respond quickly to those reports. It's not about shifting blame or anything else.

    There is always room for improvement. With hundreds of files reviewed, and dozens of files banned before they ever make it through our detection rate is pretty good. We will continue to strive to do better.
    I'm beginning to think the same thing. I'm curious about your guys thought process on the matter. It did seem that you guys had some sort of threshold on project popularity before you did a PSA when a project made it through. What was the logic you guys used?
     
  10. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı

    thomasb454 I... just asked a question. Why are you accusing me of bashing and slander? I don't see how this derailing helps.
     
  11. Offline

    Kaelten


    I don't believe that standards have shifted that much. Mistakes where made by both teams and files made it through. The community's response to these events, combined with the ramp up of glory seeking, I think is the biggest change.
     
  12. Offline

    thomasb454

    Perhaps your post wasn't intended to be in my post, sorry.
     
  13. Offline

    Zenexer

    I think the point here is that it was a very obvious, deliberately conspicuous security flaw that should have been caught in the first round. While responding to community discoveries is certainly nice, the plugin shouldn't have made it that far in the process.

    From the point of view of an experienced developer, it's demoralizing that this code made it through; I'm less likely to trust BukkitDev.
     
  14. Offline

    thomasb454


    All I'm trying to say is - I don't like how all of the ex-staff are trying to say "we were the best, hah! look at you struggle" yet they left.
     
  15. Offline

    Kaelten

    You are correct. It's our mistake, we will continue to improve processes in response.
     
  16. Kaelten Perhaps actually manually checking the files would be an improvement?
     
    coxie53, hawkfalcon, bramhaag and 9 others like this.
  17. Offline

    Zenexer

    There have been some conflicts in the past and feelings were hurt on all sides. Let's not make any assumptions or point any fingers; there's been enough of that already. I do know that not everyone left on their own accord.
     
    drtshock likes this.
  18. Offline

    Kaelten


    A human being does check each and every file. Regardless of methodology, or the individuals involved, a 100% detection rate is impossible. Even 'obvious' examples make it through.
     
    number1_Master likes this.
  19. Offline

    ColonelHedgehog

    thomasb454 does make a fair point, however, I don't see how the ex DBO staff can really be giving Curse such a hard time about this if they were the ones who put them in this situation. Yes, you are correct, the file should not have been approved. Yes, you are correct, it was pretty obvious that the code was malicious. But your comments do not help. None of you wanted to fill the "EvilSeph-sized hole", and now that three people step up and try and do it themselves you tell them they're doing everything wrong and don't even offer any advice for improvement?
     
  20. Offline

    Kaelten


    Only one staff member, to my knowledge, was removed before resigning and that was an exceptional case.
     
  21. Offline

    lol768

    I don't recall mentioning my own performance or the skills of any of the former staff in my post. I simply asked some questions for which no answer has been provided so far.

    If I'd have said "We would've caught this" or "The curse staff are so useless compared to us" your criticism would be valid. I have no interest in attacking people. That said, I think the process is critically flawed if plugins like this can be approved. Standards haven't dropped, they don't exist anymore.
     
  22. Offline

    Zenexer

    I've purposely stayed out of it and haven't asked for details. I wouldn't know numbers. :)
     
  23. Offline

    slipcor

    I am just asking questions. Oo The PSAs have been happening pretty frequently lately, not for new results about the community, like CraftBukkit updates, but about malicious plugins and in fact one was that they stopped approving files completely. And this is three at once

    * a new malicious thingie
    * the fact that they continued approving (yes, I waited for some announcement, I did not update any of my plugins)
    * the fact that apparently the community now does count as second phase of approval, which I personally find is wrong. If it was not for shifting the blame, I don't see a reason of explicitly adding that second phase.

    Well yeah of course it is important to act quickly, but as it happened here it seems more glorifying than informational. I have no data on the actual impact this malicious plugin had, and I am honestly not sure if this matters, as it was not my duty to post an announcement when stuff like that happened. I only remember one big thing that we missed, and we did a PSA there. To be fair, I did not have the time, back then, to check out the interwebs to actually notice stuff like the forums in here, let alone reddit. I was busy approving files ;)

    And to come to a conclusion, my main point is that it would have been nice to have some sort of update on the former status of "we have stopped approving files" - this was presented as a big thing and I might have missed it, but I saw no update on that, at least not as prominent as the malicious plugin PSAs.
     
    tjbruce likes this.
  24. Offline

    lol768

    To be fair to Curse, they did update the initial PSA (see the edits).
     
  25. Offline

    slipcor

    Oh, so we are to blame? I can only speak for myself, but I told noone to go ahead and take over what I left. Especially under the legal circumstances we have, I can not understand anyone blaming us for letting bukkit die. Before making assumptions and blaming us for killing Bukkit, think about two things:

    * What did EvilSeph say in his post? Did you do anything to improve the situation by contributing to bukkit/craftbukkit? [I mean actual github / update grunt work, pull requests, etc]
    * Why did noone file a DMCA counter notice? For the cases that had one, it was filed after 2-3 days. Draw your own conclusion why Mojangs last statement is that the DMCA takedown is unfounded, but yet it still stands.

    Edit:

    Ugh really? :D Next time please add some coloring! Alrighty then. Thanks for the heads up
     
    tjbruce and Adzkii like this.
  26. We never said we were the best but anyone with a basic set of Java- and reading skills would have caught this plugin.

    To be quite frank, I do not care if they leave 1 or 100 malicious plugins through. What I do care about is that they claim that "the standard hasn't shifted" - while it obviously has.
     
  27. Offline

    thomasb454



    You're all implying it, well, that's the way I see it.
    I don't have time to reply to all of you, but I just wanted to make my point.
     
  28. Offline

    ColonelHedgehog

    slipcor, I'm not saying you're to blame, but this criticizing of the Curse process in addition to the lack of the will to try to improve it does not make you look good. The fact that you didn't tell them to take over for you should be all the more reason for you to stop acting this way.
     
  29. Offline

    pokuit

    As most people I do believe the standards have dropped since the old bukkit team retired.

    THOUGH: we have got to consider, to not give overriding bias, that these kind of PSA's (by people on reddit showing exploits they got onto bukkit dev) only really started happening when they checking team changed. This could have happened because:
    A - The checking team has got worse (Which most people assume)
    B - It is a form of detection bias, due to the drama with the old checking team quitting people are now trying their luck with the new one. We have no way of knowing if these bugs would of gone through the old team, so it is unfair to draw the comparison. As such reddit posts (exposing bugs in checking process) either wouldn't have been published if it hadn't made its way through the checking process and they also wouldn't have been published possibly without the drama of the old checking team quitting.

    To coin a phrase [or failing too :D], "A person thinking they will fail; will fail". This applies with bukkit, if we believe the new checking team will fail, due to the drama of the old team quitting: we are likely to be more bias when failures do occur.

    Just a thought; noway of checking if it's A or B

    I just wanted to bring the potentially bias to your attention; I'll now let you decide.

    ~pokuit
     
    obnoxint likes this.
  30. Offline

    Developerjohn

    Lol I just love this whole thread of arguments. I would like it if the Curse staff did a better job, but we need to help them in order to succeed it. First the flaming about the EULA and now this. Yea, I am too pissed off that this happened again, but Bukkit is in need of support. Without support, Bukkit will be left in the deep waters for eternity.
     
Thread Status:
Not open for further replies.

Share This Page