Posts: 170
Threads: 24
Joined: Aug 2010
Hey guys,
Late Monday night/Tuesday morning Harrek contacted me asking if I could help with php as Lucas had left the ACWC project. I said yes and I was told they were trying to access the "unapproved" teams who had been submitted. I was finished by about 3am and went to bed, thinking all was well and good.
The next night (Tuesday) at 8pm I got an angry email from Lucas which can be seen here:
Lucas Wrote:
echo "<!--Herro " . MYSQL_USER . " " . MYSQL_PASSWORD . " -->";
Remind you something ?
Yes, when you were stealing my db username / password, right.
First, you were not supposed to have enough access. Since you were going to play the tournament and you had nothing more to do, and to prevent this kind of shit from happening, i had removed your svn access;
Unfortunately, (fortunately for you), daylixx gave you his login and password. It was his fault ok. But how could he guess you would do such things ?
You have absolutely NO reason to steal this information, you could have done without it and you know that.
Also you've made this critical data public while you were trying to get it.
And anyway you could have asked me if needed instead of doing that.
Of course daylix password has been removed.
And i'm seriously thinking about taking other actions against you.
PS : db password has been changed and i will not share my VPS any longer. Thanks to you.
I was confused by this, but as I was at work I thought I would attend to it then.
When I arrived home from work I found out my team captain (undead) had received the following message from daylixx (new acwc admin).
DaylixX Wrote:[23:09] <DaylixX> Hello Undead, we disqualified Castiel of the World Cup for hacking database site, so you will have found a new partner.
This all threw me off a bit, as all I thought I had done was help out my friend, Harrek.
I promptly emailed lucas back apologising, and sent him another email a few hours later but I have had no response. I also tried to contact him (Lucas) on teamspeak when he was online but I got no response (harrek told me he was talking to him moments before).
Now I'm confused and not really sure what to do, I have been excluded from a tournament I was rather looking forward to due to me trying to help out and have been accused of hacking.
Also when I now try to visit the ACWC website, I get a 403 error, which usually means my ip has been blocked (I have asked others and they can still access it fine).
The events on the night of the accused "hacking" go as follows:
Events Wrote:
Harrek/DaylixX contacted me asking if I knew php, I replied yes. They needed help finding the teams which had applied to ACWC, as the current admin interface that DaylixX had did not show the unapproved teams.
I was previously working on the site, but my svn access had been disabled as I am a player (of course), so daylixx gave me his access so that I could try and work out how to view the unapproved teams.
My first thoughts were that lucas possibly had a higher admin role on the acwc site so that I just needed to change daylixx's role to the same and it would all work.
I ran queries against the database to increase my role to same level as lucas, to test if that meant you could see the unapproved teams, unfortunately it seemed that lucas and daylixx had the same admin level on the acwc site and lucas was approving teams a different way.
I looked through the php of the site and I saw that when a user submitted a team the team details were inserted into the mysql database.
My next thought was that if I simply had the database username and password, I could login to phpmyadmin (an online database viewer) and look at the unapproved teams in the database.
To do this I used the following command:
echo "<!--Herro " . MYSQL_USER . " " . MYSQL_PASSWORD . " -->";
This would output the username and password to the site, but would put it in a comment, only viewable if the user clicks "view source" and then knows what the username/password combo is for. It was a slightly risky thing to do but I removed that line as soon as I had the username and password to ensure nobody else would see it.
I then used the username and password to login to phpmyadmin and to view the acwc database, I was able to inform harrek and daylixx of the extra teams that had been submitted, so they were now able to approve the newly entered teams.
This is all that I did, in defense of myself:
- I was ONLY trying to help, nothing else. All my actions were in an attempt to help Harrek and DaylixX
- I did not know it was lucas's personal server, I thought it was a w00p clan server
- I did not email lucas about this as I was informed/thought that he was unreachable (that's why I thought they contacted me not him)
- I attained the MySQL username and password so I could easily view the content of the database, not for ANY other reason
- As lucas said there are other ways to get the data(without the username/password) but it was late and I just wanted a simple solution + at the time I did not think it would be an issue
As I have said to lucas, i'm sorry that I did not email him and that I instead did not write some php code to retrieve the unapproved teams. But on the night it seemed like an easy way to get the information harrek/daylixx wanted. I'm sorry if it seemed like I was doing anything else other than try to help them.
I don't think I should be labeled a hacker for this, or excluded from the tournament, I have not heard from lucas in over 2 days so decided I would post and let people know what is going on, I have apologised and tried to talk to him but have had no response.
Thanks for hearing me out, Castiel
Posts: 3,780
Threads: 33
Joined: Jun 2010
28 Jul 11, 04:20PM
(This post was last modified: 28 Jul 11, 04:21PM by V-Man.)
I do think it is an odd conflict of interest for you to have access to the database while at the same time participating in the tournament. You ought to be part of one, or the other.
As far as "hacking" goes, this was all too simple and should not have been blown out of proportion like it was. It can hardly even be called "hacking," since you were given explicit access to the database.
For a third point, this should be discussed between you, Lucas, and other pertinent members of the ACWC. Bringing it here may attract unwanted participants. Since it's here now, I'll just take this opportunity to warn that any posts from people not directly involved in the ACWC will be subject to deletion and strict application of the forum rules.
Posts: 1,436
Threads: 7
Joined: Jun 2010
Jesus christ.
1) A password is personal. Never give it to someone else.
2) Never assume that "no one will see it". (If you absolutely have to do that kind of crazy stuff, write the password to a file on the server, goddamit)
3) Never tinker around on a live server accessible from the internet.
4) I wonder how convoluted that code must be, so you couldn't even figure out how to dump a list of unapproved teams.
So, to sum up, so many things were done wrong here (not just by you), that all "best intentions" in the world don't really count. Of course that wasn't intentional - in that case, you would probably have figured out a smarter way to do it.
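Added example, not part of the thread or of the ACWC code: a Python check that a deploy or monitoring job could run over rendered pages to catch configured secrets reaching clients, including inside HTML comments as with the echo line quoted in the first post. The credential values, page bodies and function names are constructed for illustration.

```python
import base64
import html
import re
from urllib.parse import quote

# HTML comments are delivered to every client; "view source" is enough to read them.
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def secret_variants(value):
    """Map each form a secret could take in page output to a label (first label wins)."""
    variants = {}
    candidates = [
        ("plain", value),
        ("html-escaped", html.escape(value, quote=True)),
        ("url-encoded", quote(value, safe="")),
        ("base64", base64.b64encode(value.encode("utf-8")).decode("ascii")),
    ]
    for label, needle in candidates:
        variants.setdefault(needle, label)
    return variants


def find_leaks(body, secrets, min_length=6):
    """Return sorted (secret_name, encoding, location) tuples for every leak in body.

    secrets maps a config name to its value; very short values are skipped
    because they would match unrelated text.
    """
    comment_spans = [m.span() for m in COMMENT_RE.finditer(body)]
    findings = set()
    for name, value in secrets.items():
        if len(value) < min_length:
            continue
        for needle, label in secret_variants(value).items():
            pos = body.find(needle)
            while pos != -1:
                hidden = any(start <= pos < end for start, end in comment_spans)
                findings.add((name, label, "comment" if hidden else "markup"))
                pos = body.find(needle, pos + 1)
    return sorted(findings)


# Constructed sample data: these are not real credentials or real pages.
SAMPLE_SECRETS = {"MYSQL_USER": "acwc_app", "MYSQL_PASSWORD": "s3cr3t&Pa55"}
LEAKY_PAGE = (
    "<html><body><h1>Teams</h1>\n"
    "<!--Herro acwc_app s3cr3t&Pa55 -->\n"
    "<p>Welcome</p></body></html>"
)
ESCAPED_PAGE = "<html><body><p>debug: s3cr3t&amp;Pa55</p></body></html>"
CLEAN_PAGE = "<html><body><!-- build 42 --><p>Welcome</p></body></html>"

if __name__ == "__main__":
    for title, page in [("leaky", LEAKY_PAGE), ("escaped", ESCAPED_PAGE), ("clean", CLEAN_PAGE)]:
        print(title, find_leaks(page, SAMPLE_SECRETS))
```

A finding in a comment is reported the same way as one in visible markup, because both are sent to every visitor and to any crawler or cache that fetches the page.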
Posts: 1,981
Threads: 63
Joined: Jun 2010
28 Jul 11, 06:10PM
(This post was last modified: 28 Jul 11, 06:14PM by Luc@s.)
Someone told me about this post, i thought i had to react.
First your access was supposed to be removed because you had no reason to contribute anymore. Also, giving access to the code implies to give access to confidential data so i had decided to remove your password.
The problem is you stole and published (even if they were commented they were still public) information about the database which was stored in a hidden file for good reasons. It was a real security issue and also i don't like the fact you have knowledge of my databases passwords and users. You have modified the source when you wouldn't have been able to and you have caused a serious problem.
I don't care about how you'd like to name that - hacking or not - actually it's serious and i had to change all passwords of my database.
I reinforced the security of my server and removed the user name and password you used to modify the code.
I -do- know why you did that, from the beginning, but it is absolutely NOT an excuse.
I decided to disqualify you from ACWC because i just had to do something, and it was the most appropriate sanction imo. I also have blacklisted you from http://acwc.us.to/ because i think you should stay away from the web site for security reasons. You have knowledge of the source code and, despite your help, i don't trust you anymore.
I've been really disappointed by this problem, a few days after i handed over the reins and shared my VPS. I have even thought about stopping to share it actually. But it would have been a bad idea. I preferred to penalize only you.
PS : the modifications daylixx asked were not needed, there was just no link to the resource he wanted to access.
PS 2 : i can tell there is no problem with the code, everything has been made to make it easy to use. This is just about laziness.
Posts: 170
Threads: 24
Joined: Aug 2010
28 Jul 11, 06:35PM
(This post was last modified: 28 Jul 11, 06:37PM by castiel.)
(28 Jul 11, 06:10PM)Luc@s Wrote: Someone told me about this post, i thought i had to react.
First your access was supposed to be removed because you had no reason to contribute anymore. Also, giving access to the code implies to give access to confidential data so i had decided to remove your password.
I agree with this, I never said it shouldn't have been removed.
(28 Jul 11, 06:10PM)Luc@s Wrote: The problem is you stole and published (even if they were commented they were still public) information about the database which was stored in a hidden file for good reasons. It was a real security issue and also i don't like the fact you have knowledge of my databases passwords and users. You have modified the source when you wouldn't have been able to and you have caused a serious problem.
I don't care about how you'd like to name that - hacking or not - actually it's serious and i had to change all passwords of my database.
I reinforced the security of my server and removed the user name and password you used to modify the code.
"Published"? you can't be serious. First let's say the chance of somebody looking at the source, literally 0.
Then let's say they happen to realise what the random bit of commented out 'gibberish' is, literally 0.
I was modifying the source because you left and they came and asked me? Why didn't they just email you?
What serious problem? If you've had any intrusions because of it please list them, because other than a minor inconvenient task of you having to change your password. So no actual problems were caused.
I don't care that you removed the access, because I never wanted to access it other than to help your friends who asked me..
(28 Jul 11, 06:10PM)Luc@s Wrote: I decided to disqualify you from ACWC because i just had to do something, and it was the most appropriate sanction imo. I also have blacklisted you from http://acwc.us.to/ because i think you should stay away from the web site for security reasons. You have knowledge of the source code and, despite your help, i don't trust you anymore.
Stay away for security reasons? All I wanted to do was participate...
(28 Jul 11, 06:10PM)Luc@s Wrote: I've been really disappointed by this problem, a few days after i handed over the reins and shared my VPS. I have even thought about stopping to share it actually. But it would have been a bad idea. I preferred to penalize only you.
How was I to know it was your VPS? Again, I have no reason to want to touch it other than to help. If I want VPS access I have 2 of my own... One of which I bought specifically to help you host acwc
(28 Jul 11, 06:10PM)Luc@s Wrote: PS : the modifications daylixx asked were not needed, there was just no link to the resource he wanted to access.
I never even spoke to daylixx, I talked to harrek and gave him all he asked...
(28 Jul 11, 06:10PM)Luc@s Wrote: PS 2 : i can tell there is no problem with the code, everything has been made to make it easy to use. This is just about laziness.
? They couldn't see the unapproved users from the admin panel of the site, which is why I looked at the database to check it. I told them how I "thought" you had been approving teams and how they should add them.
So all in all they should have emailed you instead of contacting me. I have been totally screwed over for trying to help out.
Posts: 1,981
Threads: 63
Joined: Jun 2010
(28 Jul 11, 06:35PM)castiel Wrote: "Published"? you can't be serious. First let's say the chance of somebody looking at the source, literally 0.
Then let's say they happen to realise what the random bit of commented out 'gibberish' is, literally 0.
1st you did catch my password and it's enough.
Also even if the risk is low, i don't think sending this information to all clients is a good idea. A robot could have cached a few pages of my site during this period for example. It is obviously a security issue. You can't negate that.
(28 Jul 11, 06:35PM)castiel Wrote: I was modifying the source because you left and they came and asked me? Why didn't they just email you?
"They" are a bit responsible because "they" shared daylixx's password. But you could have used other methods to help them. Don't try to evade the problem please.
(28 Jul 11, 06:35PM)castiel Wrote: What serious problem? If you've had any intrusions because of it please list them, because other than a minor inconvenient task of you having to change your password. So no actual problems were caused.
You got my password. It is actually a problem. And some information has been published for a few minutes on my server. It is a problem.
(28 Jul 11, 06:35PM)castiel Wrote: I don't care that you removed the access, because I never wanted to access it other than to help your friends who asked me..
Don't worry we will not ask you to help anymore. You have proved you were not able to.
(28 Jul 11, 06:35PM)castiel Wrote: Stay away for security reasons? All I wanted to do was participate...
then just participate and don't bring security issues
(28 Jul 11, 06:35PM)castiel Wrote: How was I to know it was your VPS? Again, I have no reason to want to touch it other than to help. If I want VPS access I have 2 of my own... One of which I bought specifically to help you host acwc
what does it change if it's my own VPS or not ? you have made a big mistake still..
(28 Jul 11, 06:35PM)castiel Wrote: I never even spoke to daylixx, I talked to harrek and gave him all he asked...
so what
(28 Jul 11, 06:35PM)castiel Wrote: ? They couldn't see the unapproved users from the admin panel of the site, which is why I looked at the database to check it. I told them how I "thought" you had been approving teams and how they should add them.
Just by looking at 1 file you would have known what they had to do. And you have modified this file so you should have known.
(28 Jul 11, 06:35PM)castiel Wrote: So all in all they should have emailed you instead of contacting me. I have been totally screwed over for trying to help out.
Yes they should have emailed me, but they didn't guess you would make such a mistake.
Posts: 170
Threads: 24
Joined: Aug 2010
28 Jul 11, 07:13PM
(This post was last modified: 28 Jul 11, 07:14PM by castiel.)
(28 Jul 11, 06:54PM)Luc@s Wrote: (28 Jul 11, 06:35PM)castiel Wrote: "Published"? you can't be serious. First let's say the chance of somebody looking at the source, literally 0.
Then let's say they happen to realise what the random bit of commented out 'gibberish' is, literally 0. 1st you did catch my password and it's enough.
Also even if the risk is low, i don't think sending this information to all clients is a good idea. A robot could have cached a few pages of my site during this period for example. It is obviously a security issue. You can't negate that.
Yes I did catch the password, but I was the only person in the WHOLE WORLD who knew what it was and why it was there. There WAS a "risk" BUT you changed the password thus nullifying the chance of ANYTHING happening.
(28 Jul 11, 06:54PM)Luc@s Wrote: (28 Jul 11, 06:35PM)castiel Wrote: I was modifying the source because you left and they came and asked me? Why didn't they just email you? "They" are a bit responsible because "they" shared daylixx's password. But you could have used other methods to help them. Don't try to evade the problem please.
Evade the problem? I am the one who ignored emails, ims? If they are also responsible where is the punishment? You seem to be going out of your way to simply give me a miserable time.
(28 Jul 11, 06:54PM)Luc@s Wrote: (28 Jul 11, 06:35PM)castiel Wrote: What serious problem? If you've had any intrusions because of it please list them, because other than a minor inconvenient task of you having to change your password. So no actual problems were caused. You got my password. It is actually a problem. And some information has been published for a few minutes on my server. It is a problem.
Something that was easily fixed. As of right now you have no problems and no issues.
(28 Jul 11, 06:54PM)Luc@s Wrote: (28 Jul 11, 06:35PM)castiel Wrote: Stay away for security reasons? All I wanted to do was participate... then just participate and don't bring security issues
There would be no issues if I had not been asked, I did not bring this on myself.
(28 Jul 11, 06:54PM)Luc@s Wrote: (28 Jul 11, 06:35PM)castiel Wrote: I never even spoke to daylixx, I talked to harrek and gave him all he asked... so what
(28 Jul 11, 06:35PM)castiel Wrote: ? They couldn't see the unapproved users from the admin panel of the site, which is why I looked at the database to check it. I told them how I "thought" you had been approving teams and how they should add them. Just by looking at 1 file you would have known what they had to do. And you have modified this file so you should have known.
1 file? It was messy as hell, thus why in the first place I suggested you use a framework or at least follow some sort of design pattern (this is besides the point).
I did not see from "1 file" what they had to do, so I looked at the database and told them what they wanted.
(28 Jul 11, 06:54PM)Luc@s Wrote: (28 Jul 11, 06:35PM)castiel Wrote: So all in all they should have emailed you instead of contacting me. I have been totally screwed over for trying to help out. Yes they should have emailed me, but they didn't guess you would make such a mistake.
So you admit it is essentially their fault?
Whatever way you try to spin it. I was simply trying help and do what they asked me to do.
You can go on about "security issues" all day. But at the end of it all, I tried to help out (when I shouldn't have been asked) and accidentally did something you seem to deem unforgivable (for what reason I cannot fathom). I have apologised and you and I both know that there is no longer a security risk, yet you are still hell bent on giving me a hard time over it.
Posts: 1,436
Threads: 7
Joined: Jun 2010
28 Jul 11, 07:32PM
(This post was last modified: 28 Jul 11, 07:32PM by tempest.)
Castiel, it seems that you don't really understand the problem. The probability of such an event being maliciously exploited might be below zero, but still. Such events stack up, and eventually you'll get a server riddled with security holes like swiss cheese. It should be common sense that you wouldn't do something like that.
Guess how all those Anonymous, LulzSec and similar jerks can run around and hack servers? It's not because they're so uber-savvy. It's because of lazy, unaware and dumb people fumbling around on servers.
Lucas is not overreacting, it's just an average reaction of a responsible administrator. I'm sure he recognizes your motivation, but if you think about it, you should understand why he's mad.
PS: Whether it was necessary to disqualify you from the cup is a different story.
Posts: 1,981
Threads: 63
Joined: Jun 2010
28 Jul 11, 07:37PM
(This post was last modified: 28 Jul 11, 07:39PM by Luc@s.)
(28 Jul 11, 07:13PM)castiel Wrote: Yes I did catch the password, but I was the only person in the WHOLE WORLD who knew what it was and why it was there. There WAS a "risk" BUT you changed the password thus nullifying the chance of ANYTHING happening.
hopefully i fixed the issue you did bring
(28 Jul 11, 07:13PM)castiel Wrote: Evade the problem? I am the one who ignored emails, ims? If they are also responsible where is the punishment? You seem to be going out of your way to simply give me a miserable time.
The only email i've ignored is yours if you mean i should have helped them myself.
Btw, please don't publish my emails. You're violating the privacy of this conversation, and it is illegal in my country.
(28 Jul 11, 07:13PM)castiel Wrote: Something that was easily fixed. As of right now you have no problems and no issues.
Again the fact i fixed the problem doesn't mean there was never any problem. You can't be serious ?!
(28 Jul 11, 07:13PM)castiel Wrote: There would be no issues if I had not been asked, I did not bring this on myself.
They asked you to help to find where to get teams registrations. Not to bring security issues as far as i know.
(28 Jul 11, 07:13PM)castiel Wrote: 1 file? It was messy as hell, thus why in the first place I suggested you use a framework or at least follow some sort of design pattern (this is besides the point).
I did not see from "1 file" what they had to do, so I looked at the database and told them what they wanted.
should i take it as a personal attack ?
btw using a framework for such a small project is a mistake.
And yes you should have understood how it worked since you have modified the front-controller-like file where you could have found the URL to access the list of pending teams (the only thing they asked).
(28 Jul 11, 07:13PM)castiel Wrote: So you admit it is essentially their fault?
Whatever way you try to spin it. I was simply trying help and do what they asked me to do.
You can go on about "security issues" all day. But at the end of it all, I tried to help out (when I shouldn't have been asked) and accidentally did something you seem to deem unforgivable (for what reason I cannot fathom). I have apologised and you and I both know that there is no longer a security risk, yet you are still hell bent on giving me a hard time over it.
Are you trying to say you're the victim ?
You have penalized the security of the server, you failed to help daylixx and harrek.
And of course you have apologized. Of course there is no longer a security risk. But i don't trust you anymore.
Posts: 86
Threads: 4
Joined: Jul 2010
28 Jul 11, 08:05PM
(This post was last modified: 29 Jul 11, 05:14AM by V-Man.)
Too much for me to read..
Mod edit: srsly, I told you either contribute or keep quiet. Warned.
Posts: 170
Threads: 24
Joined: Aug 2010
I'm not asking you to trust me. I was trying to help, and in doing so accidentally caused an issue for you. I am sorry for this but I don't think I deserve not to play because of it.
Posts: 42
Threads: 1
Joined: Dec 2010
Castiel try to help Daylixx while Lucas is away and then Castiel is ban
Did I forget something ?
Posts: 1,981
Threads: 63
Joined: Jun 2010
(28 Jul 11, 09:17PM)Reedie-oH Wrote: Castiel try to help Daylixx while Lucas is away and then Castiel is ban
Did I forget something ?
yes you just forgot to read
Posts: 2,387
Threads: 56
Joined: Aug 2010
History:
Castiel (the hero) tried all he could to help DaylixX (the bad guy) but Castiel made an error (a very bad error) but of course, it's Lucas' fault.
@Reedie-oH you forgot something but it's not the most important.
You'll say that i'm trolling but i just say all facts.
Posts: 999
Threads: 20
Joined: Jul 2010
28 Jul 11, 11:04PM
(This post was last modified: 28 Jul 11, 11:06PM by titiPT.)
(28 Jul 11, 08:05PM)cOGhost Wrote: Too much for me to read..
Then _don't post_. It's just that simple.
On the contrary, i did read everything.
(28 Jul 11, 09:17PM)Reedie-oH Wrote: Castiel try to help Daylixx while Lucas is away and then Castiel is ban
And this is all i got.
Edit: and what does unintentionally causing an issue for someone have to do with banning that person from playing in the acwc?
Posts: 534
Threads: 21
Joined: Jun 2010
Just out of curiosity, what advantage did having this information give castiel? Or, how did he hurt the other teams by having this information?
Posts: 840
Threads: 10
Joined: Jun 2010
It may have no real advantage, that's not the issue Luc@s is mad about, the fact is that he used his knowledge of php to get a private password and user name, causing Luc@s to not trust him anymore regardless of what he could have found.
Him being disqualified from the tournament is the way Luc@s used to "punish" him, because as a player you can't have access to certain things.
Posts: 231
Threads: 14
Joined: Jun 2010
Lucas, I don't know you well, but I know you enough to say you're a nice guy.
same for you castiel.
I understand Lucas, I'd be angry too.
But I also understand castiel, he just wanted to help, he didn't want something bad.
Why don't you 'take place' together in IRC and talk about this problem. Not just to discuss, who is right, also to find a solution, to solve the problem. Quoting and answering like here won't help at all!
Hope you'll find a Solution,
Me.
Posts: 1,207
Threads: 74
Joined: Aug 2010
29 Jul 11, 01:11AM
(This post was last modified: 29 Jul 11, 01:16AM by Xenon.)
Castiel has done nothing wrong. Read it all, my 2 cents
EDIT: Luc@s, how come Harrek + Daylixx get away with everything but Castiel doesn't. I think Castiel should not be banned, nor should anyone else. Harrek simply asked Castiel to help, I'm surprised some french people have stuck up for themselves this time and agreed.
Posts: 617
Threads: 20
Joined: Sep 2010
Trying to help and getting banned from the cup....dont you think that is taking it a little too far? Sure he did get the pass and username but i dont believe he should be banned from the competition if he in no way meant to harm it. ($0.02)
Posts: 115
Threads: 5
Joined: Sep 2010
ive read the whole thing, and i honestly dont understand why castiel is being grilled.
lucas: something has caused you discomfort. this doesnt mean you have to be rude to all posters, including castiel.
Posts: 145
Threads: 11
Joined: Jun 2010
i think disqualifying castiel from the ACWC was a gross overreaction
get over yourselves it's not the fucking olympics
Posts: 2,331
Threads: 45
Joined: Feb 2011
29 Jul 11, 03:58AM
(This post was last modified: 29 Jul 11, 03:59AM by Nightmare.)
(29 Jul 11, 03:49AM)MusicMan10 Wrote: i think disqualifying castiel from the ACWC was a gross overreaction
get over yourselves it's not the ice cream olympics
^this.
Especially since he admitted his mistake and apologized twice.
More <3 people!
Posts: 3,780
Threads: 33
Joined: Jun 2010
To be honest, I did look at the site's source when I first registered. Maybe it's a script nerd thing.
Web security is a serious issue. I think Castiel deserves a severe reprimand and lecture about it. To answer Zarj's question, having access to the site while also being an ACWC player gives not an immediate advantage, but a subtle potential for abuse that could mushroom out later. It's not that Castiel shouldn't be trusted, it's that nobody should be put into both positions at the same time. It's the potential for abuse that worries Lucas, not any suspicion of abuse or intent to abuse.
At the same time, I do not believe Castiel should be banned from the ACWC or the website. This is a bit far. I believe that the punishment that (as Lucas said) is made necessary by the situation could be satisfied in the stern rebuke and lecture, and nothing more.
And that does not need to be public. This could have been best resolved through PMs, in my opinion, provided both parties can get on the same page. M__Stayla has the right idea.
Posts: 170
Threads: 24
Joined: Aug 2010
(29 Jul 11, 05:26AM)V-Man Wrote: To be honest, I did look at the site's source when I first registered. Maybe it's a script nerd thing.
Web security is a serious issue. I think Castiel deserves a severe reprimand and lecture about it. To answer Zarj's question, having access to the site while also being an ACWC player gives not an immediate advantage, but a subtle potential for abuse that could mushroom out later. It's not that Castiel shouldn't be trusted, it's that nobody should be put into both positions at the same time. It's the potential for abuse that worries Lucas, not any suspicion of abuse or intent to abuse.
At the same time, I do not believe Castiel should be banned from the ACWC or the website. This is a bit far. I believe that the punishment that (as Lucas said) is made necessary by the situation could be satisfied in the stern rebuke and lecture, and nothing more.
And that does not need to be public. This could have been best resolved through PMs, in my opinion, provided both parties can get on the same page. M__Stayla has the right idea.
Yeah I do that as well, as I said it was stupid when I look back on it.
I pretty much agree with everything you've said. I'm not saying I didn't stuff up, I just don't think I should be made to sit the tournament out because of it. If he (lucas) wishes for me not to access the acwc site that is fine, I can have a teammate let me know what is going on.
I understand I have lost his trust which is fair enough, but expelling me from a large tournament as you said, should not be the answer/outcome.
Just an example:
Example Wrote:
Let's say your manager gives you the code to your work's safe as he is going on holidays for 2 days. You write it on a piece of paper so you remember it.
You then accidentally lose the piece of paper, but find it the next day on the floor at work.
Your manager gets back, and finds out what happens, he of course will check the contents of the safe and then change the code to ensure nothing is taken or stolen.
Now there is every chance he will sit you down and tell you the seriousness of what you have done and the risks involved, and probably not trust you with valuable data in the future.
But he isn't going to fire you for accidentally making a mistake.
This is essentially what I am trying to say.
Posts: 700
Threads: 65
Joined: Jun 2010
Sorry castiel but I disagree.
My example:
Say I were to hack admin on your server. What would you do to me? You would most likely ban me. But bans are not permanent so ya. Maybe even just the first match I don't know.
I hope we're still friends but this is how I process the situation.
Posts: 170
Threads: 24
Joined: Aug 2010
(29 Jul 11, 07:03AM)bballn45 Wrote: Sorry castiel but I disagree.
My example:
Say I were to hack admin on your server. What would you do to me? You would most likely ban me. But bans are not permanent so ya. Maybe even just the first match I don't know.
I hope we're still friends but this is how I process the situation.
Reread the posts, I didn't forcibly hack his server.
Posts: 1,981
Threads: 63
Joined: Jun 2010
(28 Jul 11, 11:04PM)titiPT Wrote: [...] what does unintentionally causing an issue for someone have to do with banning that person from playing in the acwc? He deserves a sanction. Instead of legal actions (and that would actually be an overreaction), i prefer a linked sanction (it's still about ACWC).
(28 Jul 11, 11:16PM)Zarj Wrote: Just out of curiosity, what advantage did having this information give castiel? Or, how did he hurt the other teams by having this information? If you speak about the username and password of my database, it gave him the advantage to do w/e he wants, like writing / modifying / reading any confidential informations (like passwords hash, email addresses, matches reports, etc.). Also he published these informations for more than 15 minutes and then he shared them with daylixx (yes he shared =>my<= password after stealing it).
Actually, he penalized the whole server security and user's informations privacy. It's not only about me, but about the hundred of registered users on acwc's web site.
(28 Jul 11, 11:45PM)jAcKRoCk* Wrote: It may have no real advantage, that's not the issue Luc@s is mad about, the fact is that he used his knowledge of php to get a private password and user name, causing Luc@s to not trust him anymore regardless of what he could have found.
exactly.
(29 Jul 11, 12:35AM)M__Stayla Wrote: Lucas, I don't know you well, but I know you enough to say you're a nice guy.
same for you castiel.
I understand Lucas, I'd be angry too.
But I also understand castiel, he just wanted to help, he didn't want something bad.
Why don't you 'take place' together in IRC and talk about this problem. Not just to discuss, who is right, also to find a solution, to solve the problem. Quoting and answering like here won't help at all!
There is nothing to "solve", apart from the server security issue and it has been done. I'm just trying to explain to the others, like ACWC participants, that a sanction is needed and the issue is serious. I'm sharing an (expensive) VPS, my work and my time for the organization of this tournament. Assert the security of all users is part of my task.
(29 Jul 11, 01:11AM)Xenon Wrote: Castiel has done nothing wrong. Read it all, my 2 cents
You must be kidding. He recognized himself he has done nothing wrong. He just said he had done it to help (which is right, but doesn't change my opinion).
(29 Jul 11, 01:11AM)Xenon Wrote: EDIT: Luc@s, how come Harrek + Daylixx get away with everything but Castiel doesn't. I think Castiel should not be banned, nor should anyone else. Harrek simply asked Castiel to help, I'm surprised some french people have stuck up for themselves this time and agreed.
There is a huge difference between castiel's mistake and harrek's or daylixx's ones. Maybe you don't have the keys to understand why. Yet, you should have all information about that in this thread. I suggest you read it again.
Also i trust harrek and daylixx.
(29 Jul 11, 01:15AM)lucky Wrote: Trying to help and getting banned from the cup....dont you think that is taking it a little too far? Sure he did get the pass and username but i dont believe he should be banned from the competition if he in no way meant to harm it. ($0.02)
You have definitively not understood the issue. Read tempest's posts if you think my point of view is not neutral enough. He just says in clearer words what i'm trying to explain.
(29 Jul 11, 02:40AM)JamJamTheCalcMan Wrote: ive read the whole thing, and i honestly dont understand why castiel is being grilled.
lucas: something has caused you discomfort. this doesnt mean you have to be rude to all posters, including castiel.
Castiel has violated my privacy, the privacy of all users of acwc, he has shared my password, published it. I'm not even being rude.
(29 Jul 11, 03:49AM)MusicMan10 Wrote: i think disqualifying castiel from the ACWC was a gross overreaction
get over yourselves it's not the fucking olympics get a life
(29 Jul 11, 05:26AM)V-Man Wrote: To be honest, I did look at the site's source when I first registered. Maybe it's a script nerd thing. I usually do that.
But it's not the debate anyway. Maybe someone has caught this information, maybe a search engine did so. We'll never know!
(29 Jul 11, 05:26AM)V-Man Wrote: Web security is a serious issue. I think Castiel deserves a severe reprimand and lecture about it. To answer Zarj's question, having access to the site while also being an ACWC player gives not an immediate advantage, but a subtle potential for abuse that could mushroom out later. It's not that Castiel shouldn't be trusted, it's that nobody should be put into both positions at the same time. It's the potential for abuse that worries Lucas, not any suspicion of abuse or intent to abuse.
Exactly.
(29 Jul 11, 05:26AM)V-Man Wrote: At the same time, I do not believe Castiel should be banned from the ACWC or the website. This is a bit far. I believe that the punishment that (as Lucas said) is made necessary by the situation could be satisfied in the stern rebuke and lecture, and nothing more.
I banned castiel from the web site for security reasons. He's aware of the source, and again, i don't trust him anymore. It's not part of the "sanction".
Now about the sanction. What should i do then ? Some guys just don't understand what's the problem (maybe because of its technical aspect) so of course my decision sounds a bit rude for them. But i just can't let this unpunished. And the first and only sanction that came in my mind was to kick him from the tournament; instead of legal actions as said above. Seriously it's a light sanction compared to the offense.
(29 Jul 11, 05:26AM)V-Man Wrote: And that does not need to be public. This could have been best resolved through PMs, in my opinion, provided both parties can get on the same page. M__Stayla has the right idea.
Castiel obliged me to react here with his thread. Also he obviously wanted to oblige me to change my decision, he knew he would get some approbation involving people who are clearly not able to make their statement about this technical issue.
(29 Jul 11, 06:15AM)castiel Wrote: If he(lucas) wishes for me not to access the acwc site that is fine, I can have a teammate let me know what is going on.
Yes, it's not really a sanction.
(29 Jul 11, 06:15AM)castiel Wrote: I understand I have lost his trust which is fair enough, but expelling me from a large tournament as you said, should not be the answer/outcome.
I know how disappointing it can be to be kicked from a "large tournament". But you deserve a sanction, related to acwc imo. And you'll have time to play other tournaments... I wish it to you. But not this one.
(29 Jul 11, 07:08AM)castiel Wrote: (29 Jul 11, 07:03AM)bballn45 Wrote: My example:
Say I were to hack admin on your server. What would you do to me? You would most likely ban me.
Reread the posts, I didn't forcibly hack his server.
Well you stole my password published and shared it.. it's still a serious issue.
Posts: 2,067
Threads: 11
Joined: Jun 2010
29 Jul 11, 01:32PM
(This post was last modified: 29 Jul 11, 01:33PM by Orynge.)
Personally, I think pretty much everything said so far is correct in some way.
Maybe just ban Cas from the site, but not the cup (my $0.02).
We're going to hit a dollar soon.
Posts: 170
Threads: 24
Joined: Aug 2010
29 Jul 11, 01:49PM
(This post was last modified: 29 Jul 11, 01:54PM by castiel.)
Nobody is saying I didn't do anything wrong and I'm fairly sure most people understand generally what has happened (even if they do not understand the specifics).
BUT it was an accident, you are acting like i've done this on purpose and treating me like a criminal.
Let's say 2 kids are playing soccer in the park. One kid does a mis-kick and the ball ends up on the road causing an accident. Would you charge the kid for causing the accident? Of course not as it was not done on purpose.