My disqualification from the ACWC

[castiel]

Hey guys,

Late Monday night/Tuesday morning Harrek contacted me asking if I could help with php as Lucas had left the ACWC project. I said yes and I was told they were trying to access the "unapproved" teams who had been submitted. I was finished by about 3am and went to bed, thinking all was well and good.

The next night(tuesday) at 8pm I got an angry email from Lucas which can be seen here:

echo "<!--Herro " . MYSQL_USER . " " . MYSQL_PASSWORD . " -->";

Remind you something ?
Yes, when you were stealing my db username / password, right.
First, you were not supposed to have enough access. Since you were going to play the tournament and you had nothing more to do, and to prevent this kind of shit from happening, i had removed your svn access;
Unfortunately, (fortunately for you), daylixx gave you his login and password. It was his fault ok. But how could he guess you would do such things ?

You have absolutely NO reason to steal this informations, you could have done without it and you know that.
Also you've made this critical data public while you were trying to get it.
And anyway you could have asked me if needed instead of doing that.

Of course daylix password has been removed.
And i'm seriously thinking about taking other actions against you.

PS : db password has been changed and i will not share my VPS any longer. Thanks to you.

I was confused by this, but as I was at work I thought I would attend to it then.

When I arrived home from work finding out my team captain(undead) had recieved the following message from daylixx(new acwc admin).

[23:09] <DaylixX> Hello Undead, we disqualified Castiel of the World Cup for hacking database site, so you will have found a new partner.

This all threw me off a bit, as all I thought I had done was help out my friend, Harrek.

I promptly emailed lucas back apologising, a sent him another email a few hours later but I have had no response. I also tried to contact him(Lucas) on teamspeak when he was online but I got no response(harrek told me he was talking to him moments before).

Now I'm confused and not really sure what to do, I have been excluded from a tournament I was rather looking forward to due to me trying to help out and have been accused of hacking.

Also when I now try to visit the ACWC website, I get a 403 error, which usually means my ip has been blocked(I have asked others and they can still access it fine).

The events on the night of the accused "hacking" go as follows:

Harrek/DaylixX contacted me asking if I knew php, I replied yes. They needed help finding the teams which had applied to ACWC, as the current admin interface that DaylixX had did not show the unapproved teams.

I was previously working on the site, but my svn access had been disabled as I am a player(of course), so daylixx gave me his access so that I could try and work out how to view the unapproved teams.

My first thoughts were that lucas possibly had a higher admin role on the acwc site so that I just needed to change daylixx's role to the same and it would all work.

I ran queries against the database to increase my role to same level as lucas, to test if that meant you could see the unapproved teams, unfortunately it seemed that lucas and daylixx had the same admin level on the acwc site and lucas was approving teams a different way.

I looked through the php of the site and I saw that when a user submitted a team the team details was inserted into the mysql database.

My next thought was that if I simply had the database username and password, I could login to phpmyadmin(an online database viewer) and look at the unapproved teams in the database.

To do this I used the following command:
echo "<!--Herro " . MYSQL_USER . " " . MYSQL_PASSWORD . " -->";
This would output the username and password to the site, but would put it in a comment, only viewable if the user clickes "view source" and then knows what the username/password combo is for. It was a slightly risky thing to do but I removed that line as soon as I had the username and password to ensure nobody else would see it.

I then used the username and password to login to phpmyadmin and to view the acwc database, I was able to inform harrek and daylixx of the extra teams that had been submitted, so they were now able to approve the newly entered teams.

This is all that I did, in defense of myself:

• I was ONLY trying to help, nothing else. All my actions were in an attempt to help Harrek and DaylixX
  
• I did not know it was lucas's personal server, I thought it was a w00p clan server
  
• I did not email lucas about this as I was informed/thought that he was unreachable(that's why I thought they contacted me not him)
  
• I attained the MySQL username and password so I could easily view the content of the database, not for ANY other reason
  
• As lucas said there are other ways to get the data(without the username/password) but it was late and I just wanted a simple solution + at the time I did not think it would be an issue
  

As I have said to lucas, i'm sorry that I did not email him and that I instead did not write some php code to retrieve the unapproved teams. But on the night it seemed like an easy way to get the information harrek/daylixx wanted. I'm sorry if it seemed like I was doing anything else other than try to help them.

I don't think I should be labeled a hacker for this, or excluded from the tournament, I have not heard from lucas in over 2 days so decided I would post and let people know what is going on, I have apologised and tried to talk to him but have had no response.

Thanks for hearing me out, Castiel

[V-Man]

I do think it is an odd conflict of interest for you to have access to the database while at the same time participating in the tournament. You ought to be part of one, or the other.

As far as "hacking" goes, this was all too simple and should not have been blown out of proportion like it was. It can hardly even be called "hacking," since you were given explicit access to the database.

For a third point, this should be discussed between you, Lucas, and other pertinent members of the ACWC. Bringing it here may attract unwanted participants. Since it's here now, I'll just take this opportunity to warn that any posts from people not directly involved in the ACWC will be subject to deletion and strict application of the forum rules.

[tempest]

Jesus christ.
1) A password is personal. Never give it to someone else.
2) Never assume that "no one will see it". (If you absolutely have to do that kind of crazy stuff, write the password to a file on the server, goddamit)
3) Never tinker around on a live server accessible from the internet.
4) I wonder how convoluted that code must be, so you couldn't even figure out how to dump a list of unapproved teams.
So, to sum up, so many things were done wrong here (not just by you), that all "best intentions" in the world don't really count. Of course that wasn't intentional - in that case, you would probably have figured out a smarter way to do it.

[Luc@s]

Someone told me about this post, i thought i had to react.

First your access was supposed to be removed because you had no reason to contribute anymore. Also, giving access to the code implies to give access to confidential data so i had decided to remove your password.

The problem is you stole and published (even if they were commented they were still public) informations about the database which were stored in a hidden file for good reasons. It was a real security issue and also i don't like the fact you have knowledge of my databases passwords and users. You have modified the source when you wouldn't have been able to and you have caused a serious problem.
I don't care about how you'd like to name that - hacking or not - actually it's serious and i had to changed all passwords of my database.
I reinforced the security of my server and removed the user name and password you used to modify the code.

I -do- know why you did that, from the beginning, but it is absolutely NOT an excuse.

I decided to disqualify you from ACWC because i just had to do something, and it was the most appropriate sanction imo. I also have blacklisted you from http://acwc.us.to/ because i think you should stay away from the web site for security reasons. You have knowledge of the source code and, despite your help, i don't trust you anymore.

I've been really disappointed by this problem, a few days after i handed over the reins and shared my VPS. I have even thought about stopping to share it actually. But it would have been a bad idea. I preferred to penalize only you.

PS : the modifications daylixx asked were not needed, there was just no link to the resource he wanted to access.
PS 2 : i can tell there is no problem with the code, everything has been made to make it easy to use. This is just about laziness.

[castiel]

Someone told me about this post, i thought i had to react.

First your access was supposed to be removed because you had no reason to contribute anymore. Also, giving access to the code implies to give access to confidential data so i had decided to remove your password.

I agree with this, I never said it shouldn't have been removed.

The problem is you stole and published (even if they were commented they were still public) informations about the database which were stored in a hidden file for good reasons. It was a real security issue and also i don't like the fact you have knowledge of my databases passwords and users. You have modified the source when you wouldn't have been able to and you have caused a serious problem.
I don't care about how you'd like to name that - hacking or not - actually it's serious and i had to changed all passwords of my database.
I reinforced the security of my server and removed the user name and password you used to modify the code.

"Published"? you can't be serious. First lets say the chance of somebody looking at the source, literally 0.

Then lets say they happen to realise what the random bit of commented out 'jibberish' is, literally 0.

I was modifying the source because you left and they came and asked me? Why didn't they just email you?

What serious problem? If you've had any intrusions because of it please list them, because other than a minor incontinent task of you having to change your password. So no actual problems were caused.

I don't care that you removed the access, because I never wanted to access it other than to help your friends who asked me..

I decided to disqualify you from ACWC because i just had to do something, and it was the most appropriate sanction imo. I also have blacklisted you from http://acwc.us.to/ because i think you should stay away from the web site for security reasons. You have knowledge of the source code and, despite your help, i don't trust you anymore.

Stay away for security reasons? All I wanted to do was participate...

I've been really disappointed by this problem, a few days after i handed over the reins and shared my VPS. I have even thought about stopping to share it actually. But it would have been a bad idea. I preferred to penalize only you.

How was I to know it was your VPS? Again, I have no reason to want to touch it other than to help. If I want VPS access I have 2 of my own... One of which I bought specifically to help you host acwc

PS : the modifications daylixx asked were not needed, there was just no link to the resource he wanted to access.

I never even spoke to daylixx, I talked to harrek and gave him all he asked...

PS 2 : i can tell there is no problem with the code, everything has been made to make it easy to use. This is just about laziness.

? They couldn't see the unapproved users from the admin panel of the site, which is why I looked at the database to check it. I told them how I "thought" you had been approving teams and how they should add them.

So all in all they should have emailed you instead of contacting me. I have been totally screwed over for trying to help out.

[Luc@s]

"Published"? you can't be serious. First lets say the chance of somebody looking at the source, literally 0.

Then lets say they happen to realise what the random bit of commented out 'jibberish' is, literally 0.

1st you did catch my password and it's enough.
Also even is the risk is low, i don't think sending these informations to all clients is a good idea. A robot could have cached a few pages of my site during this period for example. It is obviously a security issue. You can't negate that.

I was modifying the source because you left and they came and asked me? Why didn't they just email you?

"They" are a bit responsible because "they" shared daylixx's password. But you could have used other methods to help them. Don't try to evade the problem please.

What serious problem? If you've had any intrusions because of it please list them, because other than a minor incontinent task of you having to change your password. So no actual problems were caused.

You got my password. It is actually a problem. And some informations have been published for a few minutes on my server. It is a problem.

I don't care that you removed the access, because I never wanted to access it other than to help your friends who asked me..

Don't worry we will not ask you to help anymore. You have proved you were not able to.

Stay away for security reasons? All I wanted to do was participate...

then just participate and don't bring security issues

How was I to know it was your VPS? Again, I have no reason to want to touch it other than to help. If I want VPS access I have 2 of my own... One of which I bought specifically to help you host acwc

what does it change if it's my own VPS or not ? you have made a big mistake still..

I never even spoke to daylixx, I talked to harrek and gave him all he asked...

so what

? They couldn't see the unapproved users from the admin panel of the site, which is why I looked at the database to check it. I told them how I "thought" you had been approving teams and how they should add them.

Just by looking at 1 file you would have known what they had to do. And you have modified this file so you should have known.

So all in all they should have emailed you instead of contacting me. I have been totally screwed over for trying to help out.

Yes they should have emailed me, but they didn't guess you would do such a mistake.

[castiel]

"Published"? you can't be serious. First lets say the chance of somebody looking at the source, literally 0.

Then lets say they happen to realise what the random bit of commented out 'jibberish' is, literally 0.

1st you did catch my password and it's enough.
Also even is the risk is low, i don't think sending these informations to all clients is a good idea. A robot could have cached a few pages of my site during this period for example. It is obviously a security issue. You can't negate that.

Yes I did catch the password, but I was the only person in the WHOLE WORLD who knew what it was and why it was there. There WAS a "risk" BUT you changed the password thus nullifying the chance of ANYTHING happening.

I was modifying the source because you left and they came and asked me? Why didn't they just email you?

"They" are a bit responsible because "they" shared daylixx's password. But you could have used other methods to help them. Don't try to evade the problem please.

Evade the problem? I am the one who ignored emails, ims? If they are also responsible where is the punishment? You seem to be going out of your way to simply give me a miserable time.

What serious problem? If you've had any intrusions because of it please list them, because other than a minor incontinent task of you having to change your password. So no actual problems were caused.

You got my password. It is actually a problem. And some informations have been published for a few minutes on my server. It is a problem.

Something that was easily fixed. As of right now you have no problems and no issues.

Stay away for security reasons? All I wanted to do was participate...

then just participate and don't bring security issues

There would be no issues if I had not been asked, I did not bring this on myself.

I never even spoke to daylixx, I talked to harrek and gave him all he asked...

so what

? They couldn't see the unapproved users from the admin panel of the site, which is why I looked at the database to check it. I told them how I "thought" you had been approving teams and how they should add them.

Just by looking at 1 file you would have known what they had to do. And you have modified this file so you should have known.

1 file? It was messy as hell, thus why in the first place I suggested you use a framework or at least follow some sort of design pattern(this is besides the point).

I did not see from "1 file" what they had to do, so I looked at the database and told them what they wanted.

So all in all they should have emailed you instead of contacting me. I have been totally screwed over for trying to help out.

Yes they should have emailed me, but they didn't guess you would do such a mistake.

So you admit it is essentially their fault?

Whatever way you try to spin it. I was simply trying help and do what they asked me to do.

You can go on about "security issues" all day. But at the end of it all, I tried to help out(when I shouldn't have been asked) and accidentally did something you seem to deem [b]unforgivable[b](for what reason I cannot fathom). I have apologised and you and I both know that there is no longer a security risk, yet you still hell bent on giving me a hard time over it.

[tempest]

Castiel, it seems that you don't really understand the problem. The probability of such an event being maliciously exploited might be below zero, but still. Such events stack up, and eventually you'll get a server riddled with security holes like swiss cheese. It should be common sense that you wouldn't do something like that.
Guess how all those Anyonymous, LulzSec and similar jerks can run around and hack servers? It's not because they're so uber-savvy. It's because of lazy, unaware and dumb people fumbling around on servers.
Lucas is not overreacting, it's just an average reaction of a responsible administrator. I'm sure he recognizes your motivation, but if you think about it, you should understand why he's mad.

PS: Whether it was necessary to disqualify you from the cup is a different story.

[Luc@s]

Yes I did catch the password, but I was the only person in the WHOLE WORLD who knew what it was and why it was there. There WAS a "risk" BUT you changed the password thus nullifying the chance of ANYTHING happening.

hopefully i fixed the issue you did bring

Evade the problem? I am the one who ignored emails, ims? If they are also responsible where is the punishment? You seem to be going out of your way to simply give me a miserable time.

The only email i've ignored is yours if you mean i should have helped them myself.
Btw, please don't publish my emails. You're violating the privacy of this conversation, and it is illegal in my country.

Something that was easily fixed. As of right now you have no problems and no issues.

Again the fact i fixed the problem doesn't mean there was never any problem. You can't be serious ?!

There would be no issues if I had not been asked, I did not bring this on myself.

They asked you to help to find where to get teams registrations. Not to bring security issues as far as i know.

1 file? It was messy as hell, thus why in the first place I suggested you use a framework or at least follow some sort of design pattern(this is besides the point).

I did not see from "1 file" what they had to do, so I looked at the database and told them what they wanted.

should i take it as a personal attack ?
btw using a framework for such a small project is a mistake.
And yes you should have understood how it worked since you have modified the front-controller-like file where you could have found the URL to access the list of pending teams (the only thing they asked).

So you admit it is essentially their fault?

Whatever way you try to spin it. I was simply trying help and do what they asked me to do.

You can go on about "security issues" all day. But at the end of it all, I tried to help out(when I shouldn't have been asked) and accidentally did something you seem to deem [b]unforgivable[b](for what reason I cannot fathom). I have apologised and you and I both know that there is no longer a security risk, yet you still hell bent on giving me a hard time over it.

Are you trying to say you're the victim ?
You have penalized the security of the server, you failed to help daylixx and harrek.

And of course you have apologized. Of course there is no longer a security risk. But i don't trust you anymore.

[cOGhost]

Too much for me to read..

Mod edit: srsly, I told you either contribute or keep quiet. Warned.

[castiel]

I'm not asking you to trust me. I was trying to help, and in doing so accidentally caused an issue for you. I am sorry for this but I don't think I deserve not to play because of it.

[Reedie-oH]

Castiel try to help Daylixx while Lucas is away and then Castiel is ban
Did I forget something ?

[Luc@s]

Castiel try to help Daylixx while Lucas is away and then Castiel is ban
Did I forget something ?

yes you just forgot to read

[ExodusS]

History:
Castiel (the hero) tried all he could to help DaylixX (the bad guy) but Castiel made an error (a very bad error) but of course, it's Lucas' fault.

@Reedie-oH you forggot something but it's not the most important.

You'll say that i'm trolling but i just say all facts.

[titiPT]

Too much for me to read..

Then _don't post_. It's just that simple.

On the contrary, i did read everything.

Castiel try to help Daylixx while Lucas is away and then Castiel is ban

And this is all i got.

Edit: and what does unintentionally causing an issue for someone have to do with banning that person from playing in the acwc?

[Zarjio]

Just out of curiosity, what advantage did having this information give castiel? Or, how did he hurt the other teams by having this information?

[jAcKRoCk*]

It may have no real advantage, that's not the issue Luc@s is mad about, the fact is that he used his knowledge of php to get a private password and user name, causing Luc@s to not trust him anymore regardless of what he could have found.

Him beeing disqualified from the tournament it's the way Luc@s used to "punish" him, because as a player you can't have acces to certain things.

[M__Stayla]

Lucas, I don't know you well, but I know you enough to say you're a nice guy.

same for you castiel.

I understand Lucas, I'd be angry too.

But I also understand castiel, he just wanted to help, he didn't want something bad.

Why don't you 'take place' together in IRC and talk about this problem. Not just to discuss, who is right, also to find a solution, to solve the problem. Quoting and answering like here won't help at all!

Hope you'll find a Solution,

Me.

[Xenon]

Castiel has done nothing wrong. Read it all, my 2 cents

EDIT: Luc@s, how come Harrek + Daylixx get away with everything but Castiel doesn't. I think Castiel should not be banned, nor should anyone else. Harrek simply asked Castiel to help, I'm surprised some french people have stuck up for themselves this time and agreed.

[lucky]

Trying to help and getting banned from the cup....dont you think that is taking it a little too far? Sure he did get the pass and username but i dont believe he should be banned from the competition if he in no way meant to harm it. ($0.02)

[JamJamTheCalcMan]

ive read the whole thing, and i honestly dont understand why castiel is being grilled.

lucas: something has caused you discomfort. this doesnt mean you have to be rude to all posters, including castiel.

[MusicMan10]

i think disqualifying castiel from the ACWC was a gross overreaction

get over yourselves it's not the fucking olympics

[Nightmare]

i think disqualifying castiel from the ACWC was a gross overreaction

get over yourselves it's not the ice cream olympics

^this.

Especially since he admitted his mistake and apologized twice.
More <3 people!

[V-Man]

To be honest, I did look at the site's source when I first registered. Maybe it's a script nerd thing.

Web security is a serious issue. I think Castiel deserves a severe reprimand and lecture about it. To answer Zarj's question, having access to the site while also being an ACWC player gives not an immediate advantage, but a subtle potential for abuse that could mushroom out later. It's not that Castiel shouldn't be trusted, it's that nobody should be put into both positions at the same time. It's the potential for abuse that worries Lucas, not any suspicion of abuse or intent to abuse.

At the same time, I do not believe Castiel should be banned from the ACWC or the website. This is a bit far. I believe that the punishment that (as Lucas said) is made necessary by the situation could be satisfied in the stern rebuke and lecture, and nothing more.

And that does not need to be public. This could have been best resolved through PMs, in my opinion, provided both parties can get on the same page. M__Stayla has the right idea.

[castiel]

To be honest, I did look at the site's source when I first registered. Maybe it's a script nerd thing.

Web security is a serious issue. I think Castiel deserves a severe reprimand and lecture about it. To answer Zarj's question, having access to the site while also being an ACWC player gives not an immediate advantage, but a subtle potential for abuse that could mushroom out later. It's not that Castiel shouldn't be trusted, it's that nobody should be put into both positions at the same time. It's the potential for abuse that worries Lucas, not any suspicion of abuse or intent to abuse.

At the same time, I do not believe Castiel should be banned from the ACWC or the website. This is a bit far. I believe that the punishment that (as Lucas said) is made necessary by the situation could be satisfied in the stern rebuke and lecture, and nothing more.

And that does not need to be public. This could have been best resolved through PMs, in my opinion, provided both parties can get on the same page. M__Stayla has the right idea.

Yeah I do that aswell, as I said it was stupid when I look back on it.

I pretty much agree with everything you've said. I'm not saying I didn't stuff up, I just don't think I should be made to sit the tournament out because of it. If he(lucas) wishes for me not to access the acwc site that is fine, I can have a teammate let me know what is going on.

I understand I have lost his trust which is fair enough, but expelling me from a large tournament as you said, should not be the answer/outcome.


Just an example:

Lets say your manager gives you the code to your works safe as he is going on holidays for 2 days. You write it on a piece of paper so you remember it.

You then accidentally lose the piece of paper, but find it the next day on the floor at work.

Your manager gets back, and finds out what happens, he of course will check the contents of the safe and then change the code to ensure nothing is taken or stolen.

Now there is every chance he will sit you down and tell you the seriousness of what you have done and the risks involved, and probably not trust you with valuable data in the future.

But he isn't going to fire you for accidentally making a mistake.

This is essentially what I am trying to say.

[bballn45]

Sorry castiel but I disagree.

My example:

Say I were to hack admin on your server. What would you do to me? You would most likely ban me. But bans are not permanent so ya. Maybe even just the first match I don't know.

I hope were still friends but this is how I process the cituation.

[castiel]

Sorry castiel but I disagree.

My example:

Say I were to hack admin on your server. What would you do to me? You would most likely ban me. But bans are not permanent so ya. Maybe even just the first match I don't know.

I hope were still friends but this is how I process the cituation.

Reread the posts, I didn't forcibly hack his server.

[Luc@s]

[...] what does unintentionally causing an issue for someone have to do with banning that person from playing in the acwc?

He deserves a sanction. Instead of legal actions (and that would actually be an overreaction), i prefer a linked sanction (it's still about ACWC).

Just out of curiosity, what advantage did having this information give castiel? Or, how did he hurt the other teams by having this information?

If you speak about the username and password of my database, it gave him the advantage to do w/e he wants, like writing / modifying / reading any confidential informations (like passwords hash, email addresses, matches reports, etc.). Also he published these informations for more than 15 minutes and then he shared them with daylixx (yes he shared =>my<= password after stealing it).
Actually, he penalized the whole server security and user's informations privacy. It's not only about me, but about the hundred of registered users on acwc's web site.

It may have no real advantage, that's not the issue Luc@s is mad about, the fact is that he used his knowledge of php to get a private password and user name, causing Luc@s to not trust him anymore regardless of what he could have found.

exactly.

Lucas, I don't know you well, but I know you enough to say you're a nice guy.

same for you castiel.

I understand Lucas, I'd be angry too.

But I also understand castiel, he just wanted to help, he didn't want something bad.

Why don't you 'take place' together in IRC and talk about this problem. Not just to discuss, who is right, also to find a solution, to solve the problem. Quoting and answering like here won't help at all!

There is nothing to "solve", apart from the server security issue and it has been done. I'm just trying to explain the the others, like ACWC participants, that a sanction is needed and the issue is serious. I'm sharing a (expensive) VPS, my work and my time for the organization of this tournament. Assert the security of all users is part of my task.

Castiel has done nothing wrong. Read it all, my 2 cents

You must be kidding. He recognized himself he has done nothing wrong. He just said he had done it to help (which is right, but doesn't change my opinion).

EDIT: Luc@s, how come Harrek + Daylixx get away with everything but Castiel doesn't. I think Castiel should not be banned, nor should anyone else. Harrek simply asked Castiel to help, I'm surprised some french people have stuck up for themselves this time and agreed.

There is a huge difference between castiel's mistake and harrek's or daylixx's ones. Maybe you don't have to keys to understand why. Yet, you should have all informations about that in this thread. I suggest you read it again.
Also i trust harrek and daylixx.

Trying to help and getting banned from the cup....dont you think that is taking it a little too far? Sure he did get the pass and username but i dont believe he should be banned from the competition if he in no way meant to harm it. ($0.02)

You have definitively not understood the issue. Read tempest's posts if you think my point of view is not neutral enough. He just says in clearer words what i'm trying to explain.

ive read the whole thing, and i honestly dont understand why castiel is being grilled.

lucas: something has caused you discomfort. this doesnt mean you have to be rude to all posters, including castiel.

Castiel has violated my privacy, the privacy of all users of acwc, he has shared my password, published it. I'm not even being rude.

i think disqualifying castiel from the ACWC was a gross overreaction
get over yourselves it's not the fucking olympics

get a life

To be honest, I did look at the site's source when I first registered. Maybe it's a script nerd thing.

I usually do that. But it's not the debate anyway. Maybe someone has caught this informations, maybe a search engine did so. We'll never know!

Web security is a serious issue. I think Castiel deserves a severe reprimand and lecture about it. To answer Zarj's question, having access to the site while also being an ACWC player gives not an immediate advantage, but a subtle potential for abuse that could mushroom out later. It's not that Castiel shouldn't be trusted, it's that nobody should be put into both positions at the same time. It's the potential for abuse that worries Lucas, not any suspicion of abuse or intent to abuse.

Exactly.

At the same time, I do not believe Castiel should be banned from the ACWC or the website. This is a bit far. I believe that the punishment that (as Lucas said) is made necessary by the situation could be satisfied in the stern rebuke and lecture, and nothing more.

I banned castiel from the web site for security reasons. He's aware of the source, and again, i don't trust him anymore. It's not part of the "sanction".

Now about the sanction. What should i do then ? Some guys just don't understand what's the problem (maybe because of its technical aspect) so of course my decision sounds a bit rude for them. But i just can't let this unpunished. And the first and only sanction that came in my mind was to kick him from the tournament; instead of legal actions as said above. Seriously it's a light sanction compared to the offense.

And that does not need to be public. This could have been best resolved through PMs, in my opinion, provided both parties can get on the same page. M__Stayla has the right idea.

Castiel obliged me to react here with his thread. Also he obviously wanted to oblige me to change my decision, he knew he would get some approbation involving people who are clearly not able to make their statement about this technical issue.

If he(lucas) wishes for me not to access the acwc site that is fine, I can have a teammate let me know what is going on.

Yes, it's not really a sanction.

I understand I have lost his trust which is fair enough, but expelling me from a large tournament as you said, should not be the answer/outcome.

I know how disappointing it can be to be kicked from a "large tournament". But you deserve a sanction, related to acwc imo. And you'll have time to play other tournaments... I wish it to you. But not this one.

My example:

Say I were to hack admin on your server. What would you do to me? You would most likely ban me.

Reread the posts, I didn't forcibly hack his server.

Well you stole my password published and shared it.. it's still a serious issue.

[Orynge]

Personally, I think pretty much everything said so far is correct in some way.

Maybe just ban Cas from the site, but not the cup (my $0.02).

We're going to hit a dollar soon.

[castiel]

Nobody is saying I didn't do anything wrong and i'm fairy sure most people understand generally what has happened(even if they do not understand the specifics).

BUT it was an accident, you are acting like i've done this on purpose and treating me like a criminal.

Lets say 2 kids are playing soccer in the park. One kid does a mis-kick and the ball ends up on the road causing an accident. Would you charge the kid for causing the accident? Of course not as it was not done on purpose.