Responsible Disclosure (Security, Administrative, and Legal Issues)

Status
Not open for further replies.

cherbert

Revenge is a dish best served cold.
Founder
Retired Staff
#21
I am really confused by this. Talk about making a mountain out of a molehill. I am the legal owner of hollowworld.co.uk because I AM the legal owner of hollowworld.co.uk!

I will continue to renew the domain every single year like I have done since 2011. Why would the 2018 renewal be any different?

The noted domain sitter godaddy is currently acquiring other common 'hollowworld' domains on various TLDs in anticipation of the expiry of this domain - it's a known thing that it, and other web registrar organizations, do when they see a long-running/visited domain about to expire.
You do realise it's been 'about to expire' every single year since 2011? I renew it every 12 months. As for the godaddy thing I have no idea what you are babbling about. A large organisation like godaddy aren't going to waste loads of money 'acquiring' hollowworld domain names in anticipation of the expiry of hollowworld.co.uk, especially when there is zero evidence to suggest it won't get renewed on the basis it has been for the last 7 years!! Jesus Christ, who are you trying to compare us with, NASA? Hollowworld is a nobody, a tiny blip (if that) on the internet. I've never heard such a load of nonsense in all my life.

I am in regular contact with most people running this site and I have been involved in making sure this community forum is backed up on an hourly basis and at my own cost and time.

I might not be running this server or its forum but I'm not about to shit on it and allow it to die, which is why I have been in the background silently keeping it healthy and keeping it running. Out of respect for those running the server I have kept away from admin groups, discord and other areas as it's not my bag anymore.

I have already communicated to Tiberione that I am happy to transfer the domain name (at no cost). However, having it owned by Solus is no more or less a security risk. In fact, suggesting me to be some kind of security risk considering how long I have been around and the things I have done in the background is a bit disrespectful and a huge slap in the face.

I have spent the best part of my weekend helping Tiberione transfer these forums, which is no small task considering the size of the files and its database. One of the reasons for doing this was to give Tiberione and the owner their own web server so that they have easy access to the files and they can choose to update whatever security issues exist. Not that my server or Xenforo has EVER been hacked in the 7 years it's been hosted by me.

This entire post is just borderline absurd and over the top IMHO not to mention the way it assumes those running this site are idiots and don't know what they are doing.
 

Cymic_

Lord of Altera
#22
isn't it kind of ur own job to make urself contactable on perhaps more than 1 platform as a server owner
ppl can't really control or know that u blocked them considering how Skype handles blocking so it seems reasonable to assume someone is ignoring you. I've done that before.
How is it her job to make her own personal Skype available? It's a complete non sequitur that she'd be obligated to hand her Skype out freely just because she runs a Minecraft server. The forums are readily available enough for him to make this post; they were readily available to PM her over the forums.

Naelwyn had a clear way to message her and it almost seems purposeful that the only way he attempted to contact Solus was on a platform that she knowingly blocked him from, just so he could have a false reason to post this thread publicly.
 

Tohm

Lord of Altera
#23
How is it her job to make her own personal Skype available? It's a complete non sequitur that she'd be obligated to hand her Skype out freely just because she runs a Minecraft server. The forums are readily available enough for him to make this post; they were readily available to PM her over the forums.

Naelwyn had a clear way to message her and it almost seems purposeful that the only way he attempted to contact Solus was on a platform that she knowingly blocked him from, just so he could have a false reason to post this thread publicly.
If I'm ever a staff member I'll post my phone number and address to make myself easily accessible.
 

Naelwyn

Non sum qualis eram
#24
How is it her job to make her own personal Skype available? It's a complete non sequitur that she'd be obligated to hand her Skype out freely.

Naelwyn had a clear way to message her (via forums) and it almost seems purposeful that the only way he attempted to contact Solus was on a platform that she knowingly blocked him from, just so he could have a false reason to post this thread publicly.
Came back just to disambiguate this. It seems people don't understand that when you're trying to tell people about something and offer to do a security detail on things because you've noticed issues, you do so on a platform where someone can't unilaterally delete the fact that you were given permission. It's kind of an important CYA. Skype provides me with my own paper trail that a forum message does not.

Skype, however, also gives utterly zero indication that sent messages are not received due to hard blocks. As far as I was aware, I had just been taken off as a contact, was unable to send chains of conversation until the request was accepted, and the messages were just being ignored.

I made a legitimate attempt to contact Solus privately /immediately/ upon finding something out on the 26th, right after saying I was going to try and contact her privately on the forums, and I tried again on the 7th. You can see things in the logs provided, that's not the chain of actions I'd be taking if I was just trying to raise a fuss.

This was not about causing them issues but informing them of pending things they might want to take care of- because, and this is fairly relevant -

I was operating under the assumption that Cherbert was no longer involved in the operations of this server, as I had been informed of as a staff member when working with Som, as I had come to understand was the situation under Readij.

When I reported the one voting site was out of date and pointing at the wrong website as of 2014, they didn't get a password from Cherbert - they created a whole new account and migrated to it - as though they weren't in contact with him in any way.

Thus, when I saw the domain under his ownership and set to expire, I attempted to contact them about it, seeing it was a relevant thing they'd need to have transferred over lest they run into issues.

The necessity of the entire chain of actions is made MUCH less relevant knowing Cherbert is still involved in the operations of the server. I know he's quite the competent individual, and in the future if I see anything requiring operations attention I'll keep that in mind.

It's just that that's not exactly what the community was told or what I was operating under the assumption of.
 

Tiberione

The Chocolate Bar
Staff member
#25
Came back just to disambiguate this. It seems people don't understand that when you're trying to tell people about something and offer to do a security detail on things because you've noticed issues, you do so on a platform where someone can't unilaterally delete the fact that you were given permission. It's kind of an important CYA. Skype provides me with my own paper trail that a forum message does not.

Skype, however, also gives utterly zero indication that sent messages are not received due to hard blocks. As far as I was aware, I had just been taken off as a contact, was unable to send chains of conversation until the request was accepted, and the messages were just being ignored.

I made a legitimate attempt to contact Solus privately /immediately/ upon finding something out on the 26th, right after saying I was going to try and contact her privately on the forums, and I tried again on the 7th. You can see things in the logs provided, that's not the chain of actions I'd be taking if I was just trying to raise a fuss.

This was not about causing them issues but informing them of pending things they might want to take care of- because, and this is fairly relevant -

I was operating under the assumption that Cherbert was no longer involved in the operations of this server, as I had been informed of as a staff member when working with Som, as I had come to understand was the situation under Readij.

When I reported the one voting site was out of date and pointing at the wrong website as of 2014, they didn't get a password from Cherbert - they created a whole new account and migrated to it - as though they weren't in contact with him in any way.

Thus, when I saw the domain under his ownership and set to expire, I attempted to contact them about it, seeing it was a relevant thing they'd need to have transferred over lest they run into issues.

The necessity of the entire chain of actions is made MUCH less relevant knowing Cherbert is still involved in the operations of the server. I know he's quite the competent individual, and in the future if I see anything requiring operations attention I'll keep that in mind.

It's just that that's not exactly what the community was told or what I was operating under the assumption of.
Forum PM is a super simple solution. You may say you didn't want to send it because a "hacker" may see it, but if they were able to see the message what exactly could they learn.

You made this public on purpose, as you have numerous times in the past instead of going through traditional chains.
 

I am Wake

Loyal Servant of Altera
Legend
#26
If I'm ever a staff member I'll post my phone number and address to make myself easily accessible.
Admirable, but I have never heard of such a thing in my entire life on the internet! =) Only once had I heard of a staff member sharing his personal phone number, and it was only to other staff in his native country to make himself easily available for software attacks.
Garry's Mod was a rather violent place to run a server... Regardless, I do not think many would follow you in this expectation. To want the phone number of a staff member on a Minecraft server is making your basic requirement to play on a server higher than any normal human being's.

Most people do have lives outside of Minecraft that they reserve their phones for, aye? :)

On a funny side though, you made me think of this when you proposed to have your phone number publicly available:
 

Cymic_

Lord of Altera
#27
Admirable, but I have never heard of such a thing in my entire life on the internet! =) Only once had I heard of a staff member sharing his personal phone number, and it was only to other staff in his native country to make himself easily available for software attacks.
Garry's Mod was a rather violent place to run a server... Regardless, I do not think many would follow you in this expectation. To want the phone number of a staff member on a Minecraft server is making your basic requirement to play on a server higher than any normal human being's.

Most people do have lives outside of Minecraft that they reserve their phones for, aye? :)

On a funny side though, you made me think of this when you proposed to have your phone number publicly available:
He was being sarcastic
 

Naelwyn

Non sum qualis eram
#29
You guys can basically discard all of that about contact details - it has literally nothing to do with the staff of the server and everything to do with me being uncertain if the internet registrar data was pointing to the accurate owner of the server or not.

If (unlikely) I ever had to disclose anything of this sensitive nature again I'd just properly report via the whois and ARIN information, given it's all accurate.
 

LeftwardElk

Lord of Altera
#30
"I did the right thing by contacting someone immediately on a device I knew they would never see. I totally did not send those messages as a form of blackmail. For the small subscription of $9.99 a month I can secure this website so that no dirty hackers can see my Minecraft roleplay private messages."
 

Tiberione

The Chocolate Bar
Staff member
#31
If (unlikely) I ever had to disclose anything of this sensitive nature again I'd just properly report via the whois and ARIN information, given it's all accurate.
Or you could use forum PM, like a reasonable community member reporting an issue would.

Generally WHOIS contact information isn't checked as it's generally just spam. Oh well.

I'm convinced anyway that if you were seriously concerned about security and not about making this a public spectacle, as it has become, you would have messaged (on the forums) the proper contacts: the owner and the coordinator for the software/hardware department.
 

Baron

Sovereign
Retired Staff
#33
"I did the right thing by contacting someone immediately on a device I knew they would never see. I totally did not send those messages as a form of blackmail. For the small subscription of $9.99 a month I can secure this website so that no dirty hackers can see my Minecraft roleplay private messages."
"I've noticed the following issues may be problems in the future, you guys should probably get them fixed."

Yes, what a malicious blackmailer who also wants to get paid to remove the source of blackmail.
 

Baron

Sovereign
Retired Staff
#34
Wow, such a load of drama by one person over pretty much nothing... :confused:
Domain name: a problem he was unaware of Cherbert taking care of.

Xenforo: anyone with malicious intent can create a headache at best or a monetary loss at worst there, by invoking the terms of the Xenforo license, which are currently not being followed. I found this one easily enough.

Security issues: HW's version of Xenforo is 5 years out of date and multiple vulnerabilities have been disclosed. I don't need to get into it, but a quick Google search reveals that the forums are very possibly vulnerable to remote code execution exploits and SQL injection attacks, and there have been XSS attacks on users already.
 

RagingLunacy

It took a lot to get here
#35
Let's not invent any fairy tales about this.
How many times now has a 'benevolent and helpful' thread been made here for the public that could've been perfectly well directed specifically to staff? PM exists, private group convos exist.
Yet every single time we get a public forum post written in a way that the writer tries to make himself appear as the benevolent, all-helpful person that we need, and on several occasions also making implications that the people he's actually addressing don't know anything about what they're doing.

So please, let's be honest.
If there was any real honest concern here, this stuff would've all been handled with staff directly, not turning it into a giant billboard: "Hey guys look at me, aren't you glad I got your back, damn you all sure would've been in a mess if I didn't come here to warn you and share my wisdom!"
 

I am Wake

Loyal Servant of Altera
Legend
#36
"I've noticed the following issues may be problems in the future, you guys should probably get them fixed."

Yes, what a malicious blackmailer who also wants to get paid to remove the source of blackmail.
Allow me to explain (at least from my view):

As I could not arrange to speak to a managing individual privately, I am unable to disclose precisely what this issue is, as it would allow for any individual to immediately report as such to the Xenforo team.

Impact if unaccounted for: You may end up contacted by the Xenforo legal team, be issued a Cease & Desist, or have your license to use the forum software revoked.
It was this line, in particular, that struck me as a hostile threat. The rest of it seemed illogical after Solus's explanations as to why we were even viewing it, even more so after Nael's later comment that "The Users now know" when we simply did not. Nobody quite understands what is being said aside from those related to the maintenance of the forums.

It was very threatening that Nael was, in a rather basic translation from formality into informality, saying:

"This is a security risk and it is against Xenforo's terms and conditions. Someone could report it, but I was unable to get into contact with the management (through Skype). You MAY be contacted by the Xenforo legal team."

The term "may" in this statement suggests Nael has leverage to report Hollowworld for being in the wrong. As I have stated, I know not what the forums are in the wrong of, but Tiber has commented rather politely that he shall sort it out. The drama would have been avoided, the community and Cherbert stated, if this was sent in a private message rather than a blatant message on Skype.
I trust you are both smart enough to know when you have upset someone/people and, aye, I have been blocked on Skype before and, yes, it doesn't state when messages are received.... but it does state that you are blocked. Blocked meaning: no messages get to them. Blocked.


This whole situation comes down to either a lack of foresight in the term "blocked" or rudeness from an easily avoided forum post.
 

Immerael

The Shadow Admín
Staff member
#38
Still baffled by this whole Xenforo license issue. I wish someone would enlighten me.
I’ll go ahead as I too was baffled and laughed when I found out. Our current forums background makes the Xenforo legal stuff that’s supposed to be seen (I think it’s just a trademark but I could be wrong, I just woke up) hard or impossible to see.

We could literally fix it in 45 seconds but we are taking our time because it’s been this way for years without issue. So currently last I heard there was debate on changing the theme vs using one as close as possible to our current one.
 

NIAH

Secretly Elz
Retired Staff
#39
I think this thread has run its natural course. I'm locking it because the issues have been stated, and the resolution of several items achieved by Solus, Tiberione, and cherbert. The below King's Law reminders go to multiple people.

King's Law
If you are aware of any player breaking these rules, send a private conversation to any active staff member with necessary information.

1. Discrimination, OOC racism, bullying, harassment are against the rules. Report any sign of such behavior to Staff immediately. Bullying in any form is a bannable offense, and it is not tolerated as HollowWorld is intended to be a safe and fun community for everyone.


8. Use the appropriate threads for requesting staff help and attention. All issues should be addressed in the Support Section of the forums, or the Help and Tutorials section. Unless it is urgent, in-game requests may be ignored.

18. Players must not incite drama storms. If you are reporting a problem or player, please provide proof and don't make it public - make a conversation with any staff member. Posts and OOC IG discussions designed to stir up trouble will be handled as Staff see necessary. If the discussion is causing trouble, whether intended or not, and the participants continue to escalate it despite Staff warnings, the thread may be locked and players given warnings.

19. Citizens are required to protect the harmony of the HollowWorld community and ensure that they contribute positively to it. This means players must behave in a manner befitting an upstanding HollowWorld Citizen and refrain from activities which could be construed by Staff as damaging the community.
 

cherbert

Revenge is a dish best served cold.
Founder
Retired Staff
#40
I’ll go ahead as I too was baffled and laughed when I found out. Our current forums background makes the Xenforo legal stuff that’s supposed to be seen (I think it’s just a trademark but I could be wrong, I just woke up) hard or impossible to see.

We could literally fix it in 45 seconds but we are taking our time because it’s been this way for years without issue. So currently last I heard there was debate on changing the theme vs using one as close as possible to our current one.
Fixed
 