Glitch being abused

Bug reports, general help, ideas for improvements, and questions about how things are meant to work.

Improving Wordiness
Diplomat
 
Posts: 641
Founded: Dec 05, 2009
Ex-Nation

Postby Improving Wordiness » Tue Sep 06, 2011 3:38 pm

As much as I truly, truly hate agreeing with EW (*shudder*), in this case I must. It is a security risk and a bug.
Klaus Devestatorie wrote:I'm a massive tool. ;)

Mahaj
Senator
 
Posts: 4110
Founded: Dec 08, 2009
Ex-Nation

Postby Mahaj » Tue Sep 06, 2011 3:39 pm

Johz wrote:
Ostroeuropa wrote:
My sentiments exactly.
Not only that, but setting the precedent that people are encouraged to go rooting around in code finding bugs that provide new "Features" is a risk.

Well the chk code issue is a biggie, and, although the news post would solve the issue temporarily, newer nations may not read all of the news articles, and, in time, an issue like this could well rise back up again. Thus the argument is now that a safer alternative to a known placeholder effect be found for the continuation of a system with much precedent.

However, rooting around in code has been an aspect of our perusal of the game since time immemorial. Indeed, Ballotonia is pretty much the chief rooter. The problem then is, at what point does a bug become a feature and vice versa? In this situation, I'd argue that the bug was a bug, because it presented security issues. But without those security issues, it is a natural consequence of game design.

Well, a feature could be created that does what this does, then.
Aal Izz Well: UDL
<Koth> I'm still going by the assumption that Mahaj is Unibot's kid brother or something
Kandarin(Naivetry): You're going to have a great NS career ahead of you if you want it, Mahaj. :)
<@Eluvatar> Why is SkyDip such a purist raiderist
<+frattastan> Because his region was never raided.
<+maxbarry> EarthAway: I guess I might dabble in raiding just to experience it better, but I would not like to raid regions of natives, so I'd probably be more interested in defense and liberations

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Tue Sep 06, 2011 3:42 pm

I prefer that a new thread be used to make the argument, "The ENDORSE button should work even when nations are in different regions." That would be a new feature. If the discussion happens here, the concept gets tangled up in ideas about URL manipulation and what's legal and what people are used to. And that's not relevant, except insofar as we have some historical data on how such a feature would likely be used.

Mahaj
Senator
 
Posts: 4110
Founded: Dec 08, 2009
Ex-Nation

Postby Mahaj » Tue Sep 06, 2011 3:46 pm

[violet] wrote:I prefer that a new thread be used to make the argument, "The ENDORSE button should work even when nations are in different regions." That would be a new feature. If the discussion happens here, the concept gets tangled up in ideas about URL manipulation and what's legal and what people are used to. And that's not relevant, except insofar as we have some historical data on how such a feature would likely be used.

Okay, violet, apologies.

I won't pursue a thread about that right now. I still believe that there is little risk posed by this, especially because the code changes once you have logged out.

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Tue Sep 06, 2011 3:49 pm

The Republic of Lanos wrote:Is URL manipulation, regardless of who's doing it, legal?

Yes. Or, rather, it's irrelevant; it doesn't matter how you interact with the site, but what you do. In the same way, it's legal to access the site with a web browser, but illegal to use the browser to post spam.

If it's possible to do something important via URL manipulation that isn't possible otherwise, then it's a bug and admin is likely to eventually either (a) close that possibility, or (b) make it accessible to everyone, removing the need for URL manipulation. Because otherwise we have a game that you can only play properly if you manipulate URLs, and that is deeply weird.

Mahaj
Senator
 
Posts: 4110
Founded: Dec 08, 2009
Ex-Nation

Postby Mahaj » Tue Sep 06, 2011 3:50 pm

[violet] wrote:
The Republic of Lanos wrote:Is URL manipulation, regardless of who's doing it, legal?

Yes. Or, rather, it's irrelevant; it doesn't matter how you interact with the site, but what you do. In the same way, it's legal to access the site with a web browser, but illegal to use the browser to post spam.

If it's possible to do something important via URL manipulation that isn't possible otherwise, then it's a bug and admin is likely to eventually either (a) close that possibility, or (b) make it accessible to everyone, removing the need for URL manipulation. Because otherwise we have a game that you can only play properly if you manipulate URLs, and that is deeply weird.

You can do a tiny bit of manipulation with the dossier, but that's just about it.

[violet]
Executive Director
 
Posts: 16205
Founded: Antiquity

Postby [violet] » Tue Sep 06, 2011 4:07 pm

Mahaj wrote:So make a simple news post that you should never hand out your chk code. Problem solved! It's like a password built into the game.


Old-timers may remember that we used to have PIN codes built into URLs, and if you told anyone your PIN while you were still logged in -- for example, by posting an URL -- they could seize control of your nation. We tried valiantly to warn people not to post PINs, but of course they did anyway, so we ended up rewriting the code.

CHK codes are a little different: they exist to save you from a malicious third party who tricks you into clicking a link. Without CHK codes, it would be possible for someone to post, say, "Check out my awesome new NS calculator!" and you click, and their server instructs your browser to send a few key commands to the NS server (change password, change email, endorse), which the NS server obeys because the requests are indeed coming from you, with a valid current session. This is called a cross-site scripting attack or XSS.

Normally, nobody notices CHK codes, because they're invisible unless you go digging around in page code. They are not usually anything you need to worry about.

However, if you dig out your current CHK code and reveal it to someone, then click on a link or type in an URL they control, they can immediately seize your nation. It's basically equivalent to revealing your login password.
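The attack [violet] describes above, a third-party page making the victim's own browser send state-changing requests that ride on the victim's live session cookie, is what is usually called cross-site request forgery (CSRF); the CHK token defends against it by demanding a value that only appears in pages the server itself served to that session. What follows is an added toy model written for this page, not NationStates code, to illustrate the four situations the thread argues over: no token check at all, token enforced and unknown to the attacker, token revealed by the victim, and token rotated by a logout. The function names (login, handle_action, attacker_forged_request), the in-memory session store and the sample nation "Example Nation" are all invented for the example.

```python
"""Toy model of a per-session anti-forgery token ("CHK") guarding
state-changing requests. Constructed illustration, not NationStates code."""
import hmac
import secrets
from typing import Dict, Optional

# In-memory session store: session cookie value -> {"nation", "chk"}.
# Assumption for the example: one CHK per login session, minted at login.
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(nation: str) -> str:
    """Log a nation in: mint a session cookie and a fresh, unguessable CHK."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"nation": nation, "chk": secrets.token_hex(16)}
    return sid


def logout(sid: str) -> None:
    """Destroy the session; its CHK token dies with it."""
    SESSIONS.pop(sid, None)


def chk_from_own_page(sid: str) -> str:
    """What a logged-in user finds by 'digging around in page code': the
    server embeds the session's CHK in the hidden fields of its own forms."""
    return SESSIONS[sid]["chk"]


def handle_action(cookie_sid: str, params: Dict[str, str],
                  require_chk: bool = True) -> str:
    """Server side of a state-changing endpoint (change password, endorse...).

    The browser attaches the session cookie to *any* request to this host,
    including ones a third-party page provoked, so the cookie alone proves
    only that the victim's browser sent it. The CHK proves the request was
    built from a page the server served to this very session.
    """
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return "ERROR: no valid session"
    if require_chk:
        supplied = params.get("chk", "").encode()
        # Constant-time comparison so the check leaks nothing about the token.
        if not hmac.compare_digest(supplied, sess["chk"].encode()):
            return "ERROR: missing or wrong chk"
    return f"OK: {params['action']} applied to {sess['nation']}"


def attacker_forged_request(victim_sid: str, leaked_chk: Optional[str],
                            require_chk: bool) -> str:
    """A request crafted by a malicious third-party page. The victim's browser
    supplies the cookie; the attacker controls only the URL/form parameters."""
    params = {"action": "change_password", "new": "attacker-chosen"}
    if leaked_chk is not None:
        params["chk"] = leaked_chk
    return handle_action(victim_sid, params, require_chk=require_chk)


def scenarios() -> Dict[str, str]:
    """Run the four situations discussed in the thread and return the outcomes."""
    results: Dict[str, str] = {}
    sid = login("Example Nation")   # victim logs in; browser now holds the cookie

    # 1. No CHK scheme at all: the forged request rides on the session cookie.
    results["no_chk_check"] = attacker_forged_request(sid, None, require_chk=False)

    # 2. CHK enforced, attacker cannot read the victim's pages: forgery fails.
    results["chk_enforced"] = attacker_forged_request(sid, None, require_chk=True)

    # 3. Victim reveals the current CHK: it is now as good as the password.
    leaked = chk_from_own_page(sid)
    results["chk_leaked"] = attacker_forged_request(sid, leaked, require_chk=True)

    # 4. Victim logs out and back in: new session, new CHK; the old leak is dead.
    logout(sid)
    sid2 = login("Example Nation")
    results["after_relogin"] = attacker_forged_request(sid2, leaked, require_chk=True)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:14} -> {outcome}")
```

Two things worth taking from the model: the token is bound to the session and compared in constant time, so a revealed value is only as durable as the session it came from (which is the point made about the code changing on logout); and in a real application the check belongs on every state-changing endpoint, today supplemented by SameSite cookie attributes and Origin checks that browsers did not offer in 2011.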

Mahaj
Senator
 
Posts: 4110
Founded: Dec 08, 2009
Ex-Nation

Postby Mahaj » Tue Sep 06, 2011 4:13 pm

[violet] wrote:
Mahaj wrote:So make a simple news post that you should never hand out your chk code. Problem solved! It's like a password built into the game.


Old-timers may remember that we used to have PIN codes built into URLs, and if you told anyone your PIN while you were still logged in -- for example, by posting an URL -- they could seize control of your nation. We tried valiantly to warn people not to post PINs, but of course they did anyway, so we ended up rewriting the code.

CHK codes are a little different: they exist to save you from a malicious third party who tricks you into clicking a link. Without CHK codes, it would be possible for someone to post, say, "Check out my awesome new NS calculator!" and you click, and their server instructs your browser to send a few key commands to the NS server (change password, change email, endorse), which the NS server obeys because the requests are indeed coming from you, with a valid current session. This is called a cross-site scripting attack or XSS.

Normally, nobody notices CHK codes, because they're invisible unless you go digging around in page code. They are not usually anything you need to worry about.

However, if you dig out your current CHK code and reveal it to someone, then click on a link or type in an URL they control, they can immediately seize your nation. It's basically equivalent to revealing your login password.

Presumably those news posts came out after revealing incidents? A news post now would nip it in the bud.

Rozonia
Lobbyist
 
Posts: 20
Founded: Mar 09, 2006
Ex-Nation

Postby Rozonia » Tue Sep 06, 2011 7:28 pm

How many people read News posts? I agree with EW. This sounds like a security risk to me.

Mahaj
Senator
 
Posts: 4110
Founded: Dec 08, 2009
Ex-Nation

Postby Mahaj » Tue Sep 06, 2011 7:43 pm

Rozonia wrote:How many people read News posts? I agree with EW. This sounds like a security risk to me.

With the identifier thingy, quite a few.

Mallorea and Riva
Game Moderator
 
Posts: 9987
Founded: Sep 29, 2010
Benevolent Dictatorship

Postby Mallorea and Riva » Tue Sep 06, 2011 8:41 pm

Edited.
At violet's request, I have created a new thread to discuss the merits of a change to the game code. It can be found here.
Last edited by Mallorea and Riva on Tue Sep 06, 2011 8:45 pm, edited 3 times in total.
Ideological Bulwark #253
Retired Major of The Black Hawks
Retired Charter Nation: Political Affairs in Antarctic Oasis
Retired Colonel of DEN Central Command, now defunct
Former Delegate of The South Pacific, winner of TSP's "Best Dali" Award
Retired Secretary of Defense of Stargate
Terror of The Joint Systems Alliance
Mall Isaraider, son of Tram and Spartz, Brother of Tal and apparently Sev the treacherous bastard.
Frattastan quote of the month: Mall is following those weird beef-only diets now.
