[Q] Legality of password-cracking to raid a region

[Sail Nation]

Woke up this morning to see my region's embassy with The Embassy was closing, due to a raid. For the record, we're putting aside the fiery debate on 'is raiding moral or not'.

Upon checking the regional activity, I saw that not once has the regional password been changed or removed (at least not recently). Therefore, the password must have been guessed, cracked or found out some other way.

So what are the rules on breaking regional password + it's relation with R/D gameplay? I suppose the rules are the same as with nations - no password cracking allowed. But is trying to search for clues and using social manipulation allowed, and if so, is that allowed for nation passwords (can someone steal a nation using those techniques)? Or is it a matter of intent - are people allowed to break into a region against the password-setters will and does that apply to nation passwords.

On the raid, I invite both the residents from The Embassy and the raiders who took a role in the process of obtaining the password to explain how the password was obtained. This is not about raiders v natives or the morals of raiding a password-protected region, but I believe that clearing up the rules on what is legal for both nations and regions is important, as it will hopefully prevent both raiders and defenders from accidentally crossing the line to raid or liberate a region (in the case of defenders this would be liberating a region password-protected by raiders), as well as ensuring that people can't abuse this to steal nations if the rules are the same.

I also repeat, this is moderation and this is about rules only. Other forums such as gameplay are there to debate the morals of raiding these regions (even though I do have strong feelings, I refrain from ranting here).

If the mods believe it would be a good idea, I'm happy to turn this into a discussion thread.

[Sedgistan]

The relevant rule, underlining is mine:

Impersonation: Any attempt to maliciously impersonate another nation or region, including employing a similar name or attempting to hack nation or region passwords, is illegal according to the FAQ. Passing nations from one player to another is legal, but inadvisable as the receiver also inherits any warning history attached to the nation.

The rule is applied the same whether it's R/D related or not.

Trying to get a regional password via infiltration of the region is okay (i.e. deceiving someone into willingly giving you the password), and nor is it a new practice. That is the case regardless of whether the region's password-setter wishes it or not.

That is different for nations. No attempt to access another player's nation is allowed, unless it has the owner of that nation's express permission. Trying to trick another player out of their nation is prohibited.

Looking at the way the rules are organised and worded, I think this could potentially do with being clearer; password cracking is a separate matter to "impersonation".

Finally, I think it highly unlikely that the player(s) who obtained your region will explain how they got the password, and nor are they obliged to. Intel, subterfuge and infiltration are an aspect of the game, and it is unlikely that players wish to give away their methods or sources, as that could compromise their ability to do the same again in the future.

[Lord Dominator]

Trust me, we raiders are quite aware of where the lines on passwords are, as are defenders. However, in this instance, the point has already publicly indicated how they got the password, prior to passing it on to all support:

Hello, I obtained the password to the Embassy through a months long process where I...

Founded Traveling Wilburys as Nelson Wilbury, then sent out over 24000 embassy requests with a friend.

Exchanged methods with Ambassadors Reception.

Started doing a song of the day to keep the persona alive.

Then got the password after offering to help maintain the Embassy.

Oh boy am I now doing maintenance work!

[Sail Nation]

Trust me, we raiders are quite aware of where the lines on passwords are, as are defenders. However, in this instance, the point has already publicly indicated how they got the password, prior to passing it on to all support:

Hello, I obtained the password to the Embassy through a months long process where I...

Founded Traveling Wilburys as Nelson Wilbury, then sent out over 24000 embassy requests with a friend.

Exchanged methods with Ambassadors Reception.

Started doing a song of the day to keep the persona alive.

Then got the password after offering to help maintain the Embassy.

Oh boy am I now doing maintenance work!

Thanks for that, and thanks to Frenchy for the clarification.

To be honest, I was really confused, as I'd read that The Ambassador's Reception was reluctant to give out the password to anyone, even trusted embassy collectors, but I see exactly what happened here, and while I don't like it, here is not the place for me to rant about it, because it's good to know that this was legal and not dangerous.

And Sedge, I do agree that rules might need a bit of re-writing, as attempting to hack a password is more than just impersonation - I personally think that there should be a section on passwords and what is and isn't legal for both nations and regions.

[Sedgistan]

I opened a discussion in our staff forum earlier this morning about re-writing the relevant parts. Such discussions do tend to move slowly, but we get there in the end.

[Lord Dominator]

I would agree however that there probably needs to be more specificity in the rules on password cracking - though the current rule with regions seems to be banning similar nation names in the hopes of confusing a password gover. That should probably stick around, if modern modly feelings on impersonation are the same.

[Anagonia]

I apologize for the intrusion, however I have a question related to this event. Is any password protected region safe from raiders? What I mean is, if a region is dedicated to role playing and a raider gains the password through these rules you've permitted, and the region wants nothing to do with raiding or defending, is that region simply out of luck?

I appreciate any clarification on this event and rule so I may properly plan my future in relevant regions. I once again apologize for the intrusion but sincerely hope the question is relevant to the discussion and warrants an answer.

Thank you.

[Lord Dominator]

Provided that we (raiders) gain your password through the legal means of convincing someone to give it to is (or getting someone inside prior to the password implementation), then yes you're out of luck in that regard.

[Anagonia]

Provided that we (raiders) gain your password through the legal means of convincing someone to give it to is (or getting someone inside prior to the password implementation), then yes you're out of luck in that regard.

Does this include granting passwords to new members of password protected regions to permit them entry or is that excluded? For example, raider 1 plays as a prospective member and uses that to join a password region that has had a password for a while. So he's finally granted entry and given password, then raider 1 gives password to raider 2 and so forth. Is that legal?

[Lord Dominator]

Provided that we (raiders) gain your password through the legal means of convincing someone to give it to is (or getting someone inside prior to the password implementation), then yes you're out of luck in that regard.

Does this include granting passwords to new members of password protected regions to permit them entry or is that excluded? For example, raider 1 plays as a prospective member and uses that to join a password region that has had a password for a while. So he's finally granted entry and given password, then raider 1 gives password to raider 2 and so forth. Is that legal?

Yes - once someone has legally obtained the password, they can tell whomever they wish

[Anagonia]

Does this include granting passwords to new members of password protected regions to permit them entry or is that excluded? For example, raider 1 plays as a prospective member and uses that to join a password region that has had a password for a while. So he's finally granted entry and given password, then raider 1 gives password to raider 2 and so forth. Is that legal?

Yes - once someone has legally obtained the password, they can tell whomever they wish

Just to be clear.

Even if a region isn't willingly participating in the gameplay side of things, a raider can obtain a password through espionage, and because it's completely legal to obtain it after they were given the password in good faith for a different purpose, raiders are completely legal to raid the region and do what they want?

Thanks for your answers so far.

[Frisbeeteria]

Even if a region isn't willingly participating in the gameplay side of things, a raider can obtain a password through espionage,

There's nothing preventing a Founder from admitting someone new, then changing the hidden password. The founder can do this without influence cost, unlike other officers with the ability to set passwords.

[Flanderlion]

Yes - once someone has legally obtained the password, they can tell whomever they wish

Just to be clear.

Even if a region isn't willingly participating in the gameplay side of things, a raider can obtain a password through espionage, and because it's completely legal to obtain it after they were given the password in good faith for a different purpose, raiders are completely legal to raid the region and do what they want?

Thanks for your answers so far.

Yep. Essentially, keep an active founder and you should be fine.

[The Universal Hegemony]

https://forum.nationstates.net/viewtopic.php?f=15&t=304114
The title rang a bell. From Ballotonia:

No, this is *NOT* legal.

In fact, it's stunning that you (or anyone) would think that bruteforce cracking a password would ever be considered legal."

[Lord Dominator]

https://forum.nationstates.net/viewtopic.php?f=15&t=304114
The title rang a bell. From Ballotonia:

No, this is *NOT* legal.

In fact, it's stunning that you (or anyone) would think that bruteforce cracking a password would ever be considered legal."

That describes random guessing of a password until you find it, which is indeed illegal (and not what happened here).

[Sedgistan]

Okay, a rule re-wording has been made as a result of this discussion:

Current bits of relevant rules:

Impersonation: Any attempt to maliciously impersonate another nation or region, including employing a similar name or attempting to hack nation or region passwords, is illegal according to the FAQ. Passing nations from one player to another is legal, but inadvisable as the receiver also inherits any warning history attached to the nation.

Nation Hijacking: Stealing someone else's nation by gaining their password is a very serious offense and likely to result in a permanent ban from the site. Note the section on shared accounts for when an account is shared.

New bits of relevant rules:

Impersonation: Any attempt to maliciously impersonate another nation or region, including employing a similar name is illegal according to the FAQ. Note that the impersonation must be "malicious" to be a prohibited action, and we generally require the report to come from the impersonated party.

Nation Hijacking: Stealing someone else's nation by gaining their password is a very serious offense and likely to result in a permanent ban from the site. Note the section on shared accounts for when an account is shared.

Regional passwords: Attempting to hack, crack or guess a region's password is prohibited. Note that using deception to gain a region's password through someone giving it to you willingly is not prohibited, so long as other rules (e.g. on Malicious Impersonation) are not violated in the process.

"Impersonation" has been made more focused - the bits on nation/region passwords removed, as well as the nation sharing part - all are covered elsewhere, and not really relevant to Impersonation.

"Nation Hijacking" is unchanged, I just posted it for reference.

"Regional passwords" is a new section.

[Anagonia]

I believe this question follows this discussion.

May I inquire the legality of an individual guessing the password correctly or being given the password by a disgruntled participant of a region with a founder having an non-executive delegacy being able to be banned from their own region, using the games own mechanics to "opt-out" of raiding against them? My further investigation into this extremely diverse issue keeps bringing up circumstances which entirely benefit the raiding/defending community and bring completely unfair consequences for those not involved. In this situation that I bring up, a raider, for example, can easily manipulate the situation to gain entry legally according to your site rules and - if they had enough top-level cooperation - ban the founder from the region.

Are there any staff interpretations of this issue or perspectives that limit the threat of this tactic? I appreciate any input and hope I've added to the discussion.

[Sedgistan]

You've given two situations in there, both of which are answered in the wording of the rule - guessing a password is illegal; being given it willingly is not.

A founder with a non-executive delegate position in their region cannot be banned unless they appoint a regional officer with border control powers.

[Comfed]

As far as I know guessing the password, even if you guess correctly, is against the rules. Someone giving you the password and you entering the region is fine, which is why you have to be very careful with who you tell the password.

[Anagonia]

Thank you sincerely for your replies. Please understand I am not attempting to address this issue unprofessionally and apologize if I approach it as such. Thank you for understanding. I will reply in best order.

As far as I know guessing the password, even if you guess correctly, is against the rules. Someone giving you the password and you entering the region is fine, which is why you have to be very careful with who you tell the password.

I appreciate the reply. For more clarification, in my scenario, a raider will be given the password and find mutual cooperation with top-level authority in the region. In Sedgistans reply he implicitly states the position that enables this to happen. My question was directly referencing the fairness of this and the defenses granted in such a situation or if in fact in this situation presented, the region is out of luck.

You've given two situations in there, both of which are answered in the wording of the rule - guessing a password is illegal; being given it willingly is not.

A founder with a non-executive delegate position in their region cannot be banned unless they appoint a regional officer with border control powers.

I sincerely apologize for the confusion Sedgistan!

As remarked in my reply to Comfed above, my issue is addressing the loopholes in the system that benefit a raider who plays the "long-game", as an example. We've already seen one such example of this - though admittedly not in this capacity - play out in recent history. The issue I am addressing here is a security issue wherein the founder can be ejected when they are attempting to prevent raiding/defending participating for their region. Since there is no explicit rule defending players who do not want to partake in this part of the game, the raiders themselves can easily begin their work and infiltrate legally the region. They can then work themselves up into the position you so accurately mentioned. At that point nothing stops them, even if they are found out, according to my understanding of your rules.

If I am incorrect in this situation please, I ask your correction. At this juncture I have not seen where it states a defense for regions suffering from a situation such as this. I greatly appreciate your reply and again apologize for the confusion.

[Sedgistan]

If a founder does the following:

1) doesn't cease to exist
2) remains in their region
3) ensures the Delegate position is non-executive
4) does not appoint any Regional Officers with Border Control powers

There is nothing at all that can be done to remove them from that region.

This is straying from the rules issue clarification that's been discussed in this thread.

[Anagonia]

If a founder does the following:

1) doesn't cease to exist
2) remains in their region
3) ensures the Delegate position is non-executive
4) does not appoint any Regional Officers with Border Control powers

There is nothing at all that can be done to remove them from that region.

This is straying from the rules issue clarification that's been discussed in this thread.

I appreciate your clarification. I'll address what I believe to be a flaw in the rules in a later discussion. Thank you sincerely for your explanation.

[Lord Dominator]

Additionally, even if the founder does gives others BC, they retain an unlimited ability to change the password and ban any raiders at no influence cost regardless of where they are - the only thing an executive founder can't do if they're not in the region is remove executive authority from the delegate position.