Shadow Afforess wrote:Really? I stand corrected. I remember at one point time bbcodes mattered.
Yes, prior to May 2009. This came up recently here.
by Lord Whorfin » Sun Jan 26, 2014 3:04 pm
Shadow Afforess wrote:NS++ does not use cookies. NS++ uses your browser localStorage, which persists even if you close it. It sounds like you have set up special settings to clear this. Turn those off... I can't fix this, unless you think sending my server a list of your passwords is a good idea.
by Shadow Afforess » Sun Jan 26, 2014 3:43 pm
Lord Whorfin wrote:Shadow Afforess wrote:NS++ does not use cookies. NS++ uses your browser localStorage, which persists even if you close it. It sounds like you have set up special settings to clear this. Turn those off... I can't fix this, unless you think sending my server a list of your passwords is a good idea.
OK, I've messed around with the Firefox settings...nothing...which is it that allows/prohibits the localStorage? Please, and thank you.
by Lord Whorfin » Sun Jan 26, 2014 4:21 pm
by Grenartia » Sun Jan 26, 2014 6:48 pm
by Shadow Afforess » Sun Jan 26, 2014 7:03 pm
Grenartia wrote:I think I've noticed a bug.
Whenever one searches a thread, the first result gets highlighted as if it were the OP of a thread, with any following results posted by that person also being highlighted.
Ex: a search of the latest TET for the word "the".
by The Soviet Republic of America » Sun Jan 26, 2014 8:25 pm
by Shadow Afforess » Sun Jan 26, 2014 8:57 pm
The Soviet Republic of America wrote:Could you add a feature that can lock a thread? Like the person who created the thread can put an option that only lets people from a specific region post... And also the ability to remove posts from a thread (but I think that power would be abused)
by [violet] » Mon Jan 27, 2014 3:48 pm
NationStates Moderators wrote:An irregular voting pattern has been detected on your dispatch "Chaos in Afforess, Bulletins terrorize citizens." This dispatch received a large number of votes in a very short period of time from unrelated nations and IP addresses, with an HTTP_REFERER header suggesting these were not cast from the "View Dispatch" page. Can you explain this?
Shadow Afforess wrote:Yes - Sorry, it was a mistake I made when trying to update code for the new dispatches. NS++ adds a "<a>" html link for factbook entries in national happenings. I was messing around and didn't realize I had made one of my toy test changes live by mistake. I reverted it about 5 seconds later, but it seems about 30 people grabbed the mistaken code while it was available in that window. It would be awesome if you could clear those out somehow. I don't have any way to revert or tell who I affected.
PS. I really wish there was a reply to moderator telegrams.
Thanks, Afforess
NationStates Moderators wrote:Will you be notifying NS++ users of this incident? In the interests of full disclosure, users should know that this happened.
Shadow Afforess wrote:Good idea. I've been meaning to create a development blog about NS++. I'll create one, write an incident report, and also notify users. Thanks for the advice.
Shadow Afforess wrote:How Do I Know This Is Safe?
You don't. While NationStates++ is an open-source browser extension, and so any developer with Javascript experience can inspect the code, that is not a guarantee of safety. Browser extensions do have an additional layer of safety, as the browser prevents addons or extensions from installing malware or harmful viruses. This layer of security does not protect you from extensions that steal personal information or login information. Every program you install carries risk and relies on a certain level of trust. If you have specific concerns about safety or user security, you can telegram me or email me at Afforess [at] gmail.com for additional information.
by Leningrad Union » Mon Jan 27, 2014 3:52 pm
[violet] wrote:Incident report: Botnet behavior detected in NS++ nations
Shortly after the new Dispatches feature went live on January 23, 2014, NS++ author Shadow Afforess wrote a dispatch entitled "Chaos in Afforess, Bulletins terrorize citizens" (dispatch ID # 210526, since deleted). It received 36 positive votes, putting it at the top of the "New" list.
These votes came from unrelated nations in many regions, many of whom were WA members, with unrelated IP addresses. However, they displayed irregularities:
1. Thirty positive votes were received in a 40-second burst, at 10X the rate of all other votes; and
2. They were not sent by a user clicking a button on the dispatch page. Instead, the votes were issued by nations who were browsing their telegrams or viewing some other unrelated part of the site.
This exchange then took place between moderators and Shadow Afforess via telegram:
NationStates Moderators wrote:An irregular voting pattern has been detected on your dispatch "Chaos in Afforess, Bulletins terrorize citizens." This dispatch received a large number of votes in a very short period of time from unrelated nations and IP addresses, with an HTTP_REFERER header suggesting these were not cast from the "View Dispatch" page. Can you explain this?
Shadow Afforess wrote:Yes - Sorry, it was a mistake I made when trying to update code for the new dispatches. NS++ adds a "<a>" html link for factbook entries in national happenings. I was messing around and didn't realize I had made one of my toy test changes live by mistake. I reverted it about 5 seconds later, but it seems about 30 people grabbed the mistaken code while it was available in that window. It would be awesome if you could clear those out somehow. I don't have any way to revert or tell who I affected.
PS. I really wish there was a reply to moderator telegrams.
Thanks, Afforess
This confirmed:
- NS++ was the source of the votes; and
- NS++ had issued the votes silently in the background, with users unaware their nations had been used to vote.
NationStates Moderators wrote:Will you be notifying NS++ users of this incident? In the interests of full disclosure, users should know that this happened.
Shadow Afforess wrote:Good idea. I've been meaning to create a development blog about NS++. I'll create one, write an incident report, and also notify users. Thanks for the advice.
Since then, several days have passed with no notification to users. For the reasons described below, we believe this is a serious matter that users deserve to be made aware of sooner rather than later.
About NS++
NS++ is an unofficial browser add-on for Firefox and Chrome written by the player Shadow Afforess. It provides many cosmetic and functional improvements to the site, such as regional newspapers and puppet management. NS++ must be manually installed into the browser by a user and granted permission to operate on the "nationstates.net" domain. If this is done, NS++ can see and modify all data that moves between the user and the site, including telegrams, passwords, and email address. NS++ can issue commands on behalf of your nation(s) with or without your knowledge. It auto-updates, so new functionality can be added at any time without the user's specific approval, and information is exchanged with central servers operated by Shadow Afforess.
Users install NS++ at their own risk and it is not officially endorsed by NationStates. As Afforess says in the FAQ of this thread:
Shadow Afforess wrote:How Do I Know This Is Safe?
You don't. While NationStates++ is an open-source browser extension, and so any developer with Javascript experience can inspect the code, that is not a guarantee of safety. Browser extensions do have an additional layer of safety, as the browser prevents addons or extensions from installing malware or harmful viruses. This layer of security does not protect you from extensions that steal personal information or login information. Every program you install carries risk and relies on a certain level of trust. If you have specific concerns about safety or user security, you can telegram me or email me at Afforess [at] gmail.com for additional information.
It is imperative, therefore, that NS++ users be able to trust Shadow Afforess. Until now, we have seen nothing to suggest that Shadow Afforess and NS++ are not trustworthy, and indeed we have supported NS++ development by adding API features for it. But this trust must be earned, and users should expect to be informed about incidents in which their nation was actually or potentially compromised.
Questions
1. Why didn't Shadow Afforess immediately announce this incident? Since it occurred, he has been a regular poster in these forums and he has released several upgrades to NS++. Yet even after prompting from moderators, there was no timely disclosure to users.
2. Why didn't Shadow Afforess report the incident when he became aware of it, rather than only responding when it was detected by moderators?
3. Have there been any other occasions in which NS++ has silently commanded nations to perform actions without users' knowledge?
4. The source code for NS++ is publicly viewable here, which should allow us to see what it does. However, the code change ("commit") described as a bug by Shadow Afforess is not immediately apparent. Where is it? If it doesn't exist, why is there a discrepancy between the code that is publicly viewable and the real code inside NS++? If it does exist, how does it explain why NS++ users only upvoted Shadow Afforess's dispatch, instead of exhibiting a more common bug-like effect, such as upvoting any dispatch the user happened to be viewing?
5. Does NS++ contain code that can cause nations to follow any command issued by a centralized server/controller (i.e. "botnet" behavior)? If so, why does this exist?
Conclusion
NS++ is a popular add-on and we have supported its development. However, this incident raises significant questions about its safety, which users deserve to have satisfactorily answered.
Mitigation
This mitigation information is offered simply to make users aware of their options; it is not a recommendation. NS++ is neither officially endorsed nor discouraged; users should decide for themselves whether they want it. To disable in Chrome: Tools -> Extensions -> NationStates++ -> uncheck Enabled. In Firefox: Tools -> Add-Ons -> NationStates++ -> Remove. Once removed or disabled, NS++ cannot see what you do on the site, nor issue commands on behalf of your nation; however, users should be aware that all information shared with it previously, such as your email address and password, could in theory have been collected. As such, users may wish to change passwords as well, which they should do after removing or disabling the add-on.
Scope
This incident only affects players running the NationStates++ browser add-on, and is not a case of "hacking" or server compromise.
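The two signals the moderators describe above (a burst of votes far above the normal rate, and a Referer that is not the "View Dispatch" page) can be checked mechanically over a vote log. The following is an added example, not NationStates code or anything posted in this thread; the log line format and the "View Dispatch" URL shape are assumptions, and the sample log lines are constructed.

```python
"""Burst-plus-Referer check over a vote log. Log format, URL shape and
sample data are assumed/constructed for this example."""
from datetime import datetime, timedelta

def referer_is_view_dispatch(referer: str, dispatch_id: int) -> bool:
    """Assumed 'View Dispatch' URL shape; adjust to the site's real routing."""
    return f"page=dispatch/id={dispatch_id}" in referer

def parse_vote_line(line: str) -> dict:
    """Constructed format: 'ISO-TS nation=.. ip=.. dispatch=.. referer=..'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dispatch"] = int(rec["dispatch"])
    return rec

def max_burst(times: list, window: timedelta) -> int:
    """Most votes falling inside any single window of the given length."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # slide the left edge of the window forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def analyse(lines, window_seconds=40, min_burst=10, off_page_share=0.5):
    """Return {dispatch_id: finding} for dispatches tripping both heuristics:
    a burst of >= min_burst votes within window_seconds, and more than
    off_page_share of all votes arriving with a non-dispatch-page Referer."""
    by_dispatch = {}
    for rec in map(parse_vote_line, lines):
        by_dispatch.setdefault(rec["dispatch"], []).append(rec)
    findings = {}
    for did, recs in by_dispatch.items():
        burst = max_burst([r["ts"] for r in recs], timedelta(seconds=window_seconds))
        off_page = sum(not referer_is_view_dispatch(r["referer"], did) for r in recs)
        if burst >= min_burst and off_page / len(recs) > off_page_share:
            findings[did] = {"votes": len(recs), "burst": burst, "off_page": off_page,
                             "nations": len({r["nation"] for r in recs}),
                             "ips": len({r["ip"] for r in recs})}
    return findings

def constructed_log() -> list:
    """Constructed sample: two ordinary votes, then a 12-vote burst in 30 s from
    nations reading their telegrams, plus a quiet control dispatch (made-up id)."""
    site, base, lines = "https://www.nationstates.net/", datetime(2014, 1, 23, 20, 0), []
    for i, nation in enumerate(["aurora", "borealis"]):
        t = base - timedelta(hours=3 - i)
        lines.append(f"{t.isoformat()} nation={nation} ip=10.0.0.{i + 1} "
                     f"dispatch=210526 referer={site}page=dispatch/id=210526")
    for i in range(12):
        t = base + timedelta(seconds=2.5 * i)
        lines.append(f"{t.isoformat()} nation=puppet{i} ip=192.0.2.{i + 10} "
                     f"dispatch=210526 referer={site}page=telegrams")
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} nation=reader{i} ip=198.51.100.{i + 1} "
                     f"dispatch=900001 referer={site}page=dispatch/id=900001")
    return lines

if __name__ == "__main__":
    for did, f in analyse(constructed_log()).items():
        print(f"dispatch {did}: {f}")
```

The distinct nation and IP counts are reported alongside the burst because, as the report notes, unrelated nations and addresses are what rule out a single user simply clicking many times.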
by Leningrad Union » Mon Jan 27, 2014 3:53 pm
Leningrad Union wrote:[violet] wrote:Incident report: Botnet behavior detected in NS++ nations
Hello [violet], I have not yet had the pleasure of talking to you. My name is Leningrad Union and I'm the WA delegate of The Confederacy of Allied States. While I fully trust Afforess and I've worked with him before and I'm an editor on both RP and gameplay newspapers, is it possible for him to make me do any gameside or forum actions without me doing anything?
by SkyDip » Mon Jan 27, 2014 3:53 pm
Gordano and Lysandus wrote:SkyDip's actions have, ultimately, destroyed the World Assembly.
Eist wrote:Yea... If you are just going to casually dismiss SkyDip's advice, you are probably not going to get very far at all.
Sedgistan wrote:SkyDip is trying to help, and is giving sound advice. I'd suggest listening to him, as he has experience of writing (and advising others with) legal proposals.
Frisbeeteria wrote:What Skydip said. This bitchfest is an embarrassment to the Security Council.
by The Black Hat Guy » Mon Jan 27, 2014 4:01 pm
by [violet] » Mon Jan 27, 2014 4:02 pm
Leningrad Union wrote:While I fully trust Afforess and I've worked with him before and I'm an editor on both RP and gameplay newspapers, is it possible for him to make me do any gameside or forum actions without me doing anything?
by Leningrad Union » Mon Jan 27, 2014 4:05 pm
[violet] wrote:Leningrad Union wrote:While I fully trust Afforess and I've worked with him before and I'm an editor on both RP and gameplay newspapers, is it possible for him to make me do any gameside or forum actions without me doing anything?
It's theoretically possible, since a browser add-on could have collected your password, and be subsequently used to take control of your nation even if you're not online. There's no indication at all that Afforess has done this, and it would be seriously malicious behavior, but it is possible. The incident we saw was NS++ nations who were all online at the time issuing a particular command in the background; it didn't involve any offline nations.
While you remain logged in, NS++ periodically issues requests on your nation's behalf to do things like refresh the sidebar panel, so while you're logged in, it will send commands without you doing anything.
by Leningrad Union » Mon Jan 27, 2014 4:10 pm
by Shadow Afforess » Mon Jan 27, 2014 5:35 pm
Leningrad Union wrote:But if Afforess uses my accounts for malicious purposes while I'm offline and it's all traced to his IP, who gets punished? (Not that he would ever do that, but anything is possible)
[violet] wrote:Questions
1. Why didn't Shadow Afforess immediately announce this incident? Since it occurred, he has been a regular poster in these forums and he has released several upgrades to NS++. Yet even after prompting from moderators, there was no timely disclosure to users.
2. Why didn't Shadow Afforess report the incident when he became aware of it, rather than only responding when it was detected by moderators?
3. Have there been any other occasions in which NS++ has silently commanded nations to perform actions without users' knowledge?
4. The source code for NS++ is publicly viewable here, which should allow us to see what it does. However, the code change ("commit") described as a bug by Shadow Afforess is not immediately apparent. Where is it? If it doesn't exist, why is there a discrepancy between the code that is publicly viewable and the real code inside NS++? If it does exist, how does it explain why NS++ users only upvoted Shadow Afforess's dispatch, instead of exhibiting a more common bug-like effect, such as upvoting any dispatch the user happened to be viewing?
5. Does NS++ contain code that can cause nations to follow any command issued by a centralized server/controller (i.e. "botnet" behavior)? If so, why does this exist?
by Leningrad Union » Mon Jan 27, 2014 5:42 pm
Shadow Afforess wrote:
What does refreshing the page do?
Leningrad Union wrote:But if Afforess uses my accounts for malicious purposes while I'm offline and it's all traced to his IP, who gets punished? (Not that he would ever do that, but anything is possible)
I do.
Nice writeup. I was working on a writeup over the weekend but I admit I get easily distracted. I was hoping to finish up the formatting for the "blog" for development, then advertise it. Clearly that didn't happen, so thanks for the timely notice.
http://blog.nationstatesplusplus.net/
by Shadow Afforess » Mon Jan 27, 2014 5:51 pm
Leningrad Union wrote:It goes to normal but I would not like it to happen in the first place
The Republic of Lanos wrote:Upon review, I've disabled the addon.
by Grenartia » Mon Jan 27, 2014 9:35 pm
Shadow Afforess wrote:Leningrad Union wrote:It goes to normal but I would not like it to happen in the first place
It's almost certainly a problem with your internet connection or browser & not the addon. It looks like the page didn't load the content fully.
The Republic of Lanos wrote:Upon review, I've disabled the addon.
Hopefully you'll read my response at least. I've edited my post above.
by Shadow Afforess » Mon Jan 27, 2014 9:37 pm
Grenartia wrote:Just an FYI, I'm noticing that the blog is cut off at the bottom (yes, I tried refreshing).
by United Soviet Jason Republic » Tue Jan 28, 2014 8:46 am
by Shadow Afforess » Tue Jan 28, 2014 8:51 am
Capisaria wrote:Put this in combination with your flag, Shadow Afforess and things get creepy. What if you're the NSA of NS?