Just so you guys know, Mage's hub had no password (this was before you needed a hub password to display medals/scores). In no way did I use a DMB string extractor or whatever. The hub just didnt have a password set.

Aries wrote:

Just so you guys know, Mage's hub had no password (this was before you needed a hub password to display medals/scores). In no way did I use a DMB string extractor or whatever. The hub just didnt have a password set.

I realize blame goes both ways here because the author should have had the sense to use a hub password, but you have to understand that issues like this become an administrative hassle for us. Failing to put a hub password on an entry with medals is ill-advised, which is why every single reference entry on the subject said so, but people who ignore sound advice aren't actively causing trouble. And while they may have less right to complain about it than someone who took steps to secure their entry, complain they do and it isn't fair to just ignore them. They have a valid complaint.

The people behind this thought this was just a fun little prank, but it isn't. It's an annoyance and a hassle. Please, everyone, put some more thought into your actions in the future. It's also understood, I hope, that we expect this kind of thing to stop. That goes beyond just abusing the medal/score system, understand; having a whole forum thread dedicated to pointing out which hub entries are unprotected is simply not acceptable.

Lummox JR

GhostAnime wrote:

When someone is going to make some medals, make the website check if they have a hub password. If they don't, let there be a notice saying that they must have a hub password in order to have medals and redirect to the appropriate page. If one already exists, just continue on as normal.

That has since been implemented, yeah. You can't mess with hub scores or medals w/o a hub_password being defined.

Tell you what though, I know of a certain hub entry that might be abused because of this. It has a hub_password, but the value is common knowledge to everyone.

I should of realized that it would of caused you hassle. I apologize for my behaviour.

Mista-mage123 wrote:

(Are you the one that put the ''PWNED'' category in my leaderboards, in 'hide' status?)

Not I.

Falacy wrote:

Tiberath wrote:

Unless I'm mistaken, the DMB doesn't contain the hub password, merely a hash of it. Making the use of string extraction here quite meaningless.

You're mistaken, as discussed in this topic [link]

As has already been pointed out, yes, you're mistaken.

So yeah, stronger hub password is the way to go.

Personally, I don't feel what the big deal about using a stronger hub password is. It doesn't exactly need to be something you have to remember. Iam93m4nv9r04m isn't likely to be bested by anyone. Make it, copy and paste it into your code and forget about it.

The point behind all this is these people didn't just randomly guess these passwords because they were 'weak'. Even weak passwords are very unlikely to be guessed unless you're freakin stupid (i.e: Mystic Journey hub password Mystic Journey) and even then the person would have to guess that. The constant 'omg better password' suggesting isn't helpful because it isn't the root of the problem.

AJX wrote:

As has already been pointed out, yes, you're mistaken.

Until the undoubted fix comes for it, then we're all the way back to square one, using stronger hub passwords.

The point behind all this is these people didn't just randomly guess these passwords because they were 'weak'. Even weak passwords are very unlikely to be guessed unless you're freakin stupid (i.e: Mystic Journey hub password Mystic Journey) and even then the person would have to guess that.

That's where your wrong. Countless hub_passwords (as well as email passwords, FTP passwords, user passwords for other sites and whatnot) are guessed every day. People seem to think passwords like Password123 are okay because no one will ever guess the 123 or the capital P! You're wrong.

Passwords are definitely not as secure as you think.

The constant 'omg better password' suggesting isn't helpful because it isn't the root of the problem.

Actually in this thread, it was. (The hub page linked by OP doesn't contain a download for a DMB, so the DMB is not available to extract thus there is no way a user can get the hub_password.)

And it goes further than that. What is your expectation to fix this problem? I'm willing to bet most of the occurrences where this has happened has been a users lack of security to begin with, not someone doing fancy DMB string extractions. This has been made fact ages ago when someone was complaining 'hackers' were hosting their games under his protected hub. After days of discussion and convincing him his hub password was easily guessed, the problem went away.

If people getting a hold of other peoples hub_passwords via string extraction was that big of a deal for everyone, problems would have occurred a while back, not now.

Airjoe wrote:

Tiberath wrote:

AJX wrote:

As has already been pointed out, yes, you're mistaken.

Until the undoubted fix comes for it, then we're all the way back to square one, using stronger hub passwords.

No, until the fix comes, we're screwed. Stronger passwords don't make a lick of difference if they can be directly extracted from the dmb. What are you missing here?

Well actually, we're not screwed. People who release their DMBs are screwed. But that's semantics. I doubt anyone truly malicious will go out of their way to use a string extractor to cause trouble. Especially after Tom himself has threatened a ban.

Tiberath wrote:

If people getting a hold of other peoples hub_passwords via string extraction was that big of a deal for everyone, problems would have occurred a while back, not now.

If the rampant use of string extractors was that big of a deal, it would have been made known a long time ago. Because someone would have undoubtedly started hosting their stuff under other (more popular) hubs in order to steal traffic and annoy other developers.

I still stand by my original opinion. Once the hub_password extraction is a thing of the past, the hub owners who don't make use of appropriate security have only themselves to blame.

Falacy wrote:

Seriously? That's your stance on the matter?

My stance on the matter doesn't hold any weight. It's merely my opinion. It's not my place to have a stance.

I'd say we should ban you along with them.

And what grounds do you have for that? I know of the existence of two guilds that cause trouble, and my every attempt to get them removed was shot down. All of a sudden, it's up in arms because they started a list of unprotected hubs. Please. They've been collecting dirt on BYOND users for a lot more time. If you're going to ban someone, at least use a solid reason.

At one stage, I remember them grabbing the WHOIS information off Masterdan's(?) domain name and spreading that around. You'd think that is more deserving of a ban than simply messing with a medal or score system.

Just for the fact that you've not only known of guilds whose soul purpose is to f*ck up the community and piss people off, and decided not to do anything about it.

What exactly do you want me to do about them? I've brought them to the attention to the powers that be, as have others. I did all I can do. I have a feeling you think I can do far more than I actually can. (I'm a volunteer not a staff member. Okay?)

Yes, they should be banned as soon as they started it, and they should definitely be banned now that everyone seems to be in agreement on blatant proof of their misdoings.

I agree, they should have been banned a long time ago. But seeing as they've gotten away with things much worse than this, I don't see it as being worth the trouble now. Especially since all they've done is force people to improve their own security.

Imagine what happens if BYOND implements something else into the hub system, manipulable by code which can do far more damage than simply messing up some scores. How many hubs who fell victim to their 'pranks' would be effected by this had it not happened?

You can argue semantics all you want. The fact of the matter is, people are responsible for their own security. For Airjoe's terrible place to hide a door key to Mista's initial lack of hub password. I'm not saying what people have done isn't wrong, but I am saying the blame doesn't lay only with them. And punishing them so harshly for something like this (considering they've done far worse in the past) is nothing more than hypocritical.

Its retarded administrative attitudes like this that have turned BYOND into the cesspool that it currently is.

Actually, I'm more inclined to think it's users who do nothing but complain that cause the community to go sour. I see lots of people with potential to do a lot, but end up doing very little. But it's okay, I'll take the blame for BYOND's current state, after all, it is clearly all my fault.

"Yea we need more rips to bring in more players!"

I don't think I've ever said that, nor can I think off the top of my head who has actually said so. It's fact however, BYOND Anime, which is comprised of a lot of "rips" is the number one bringer of users.

If you have a problem with this, then make games for other guilds and advertise them elsewhere. I'm perplexed that you think this is somehow my or even BYONDs fault.

"Resource extractors are OK to distribute, as long as you don't do it by spamming them on the forums!"

What can BYOND do besides say "you're not allowed to distribute these on the BYOND site". BYOND doesn't own the internet, if people want to distribute it, there's nothing that can be done. Well, I suppose BYOND could find some cause to go through some lengthy and costly court proceedings, but I believe that's time and money down the drain. You own the copyright on resources you produce yourself, go ahead and sue somebody who uses them without permission.

As stated in other threads, BYOND could add some kind of encryption for the RSC. But then, how long until a clever little fella out there cracks it and a new generation of RSC extractors are born? This results in a never ending arms race. A pointless one, seeing as people can just use PrintScreen to get the graphics they desire anyway.

"No we won't improve any type of security on OUR systems, handle it yourselves!"

I'm sorry, where was this said? Are you referring to the fact I think people not using hub passwords are to blame? What other method do you suggest then besides a hub password? Enlighten me. Perhaps the programmers key can be embedded into the DMB and if it doesn't match the hub it's trying to contact, refuse the connection. Or perhaps some kind of string I can place on the hub and inside the DMB that when compared, will allow the connection...

"Cheating yourself onto the top of somebody's score board? Well that's just halarious, have fun!"

This gets the same paragraph as above.

I'm curious as to why you seem to think I can solve all these issues with a twitch of my magic fingers.

Falacy wrote:

Clearly I've greatly over estimated the power of moderators; assuming they could actually moderate something.

Well, in my position, I can moderate this forum, the BYOND Help guild, the BYOND RPG guild, several user guild (probably some I don't even know about) forums and the members front page. Anything outside of that and you're looking for someone higher up. So perhaps I'm just not as great as my reputation makes me out to be. At least, not yet. =)

None of those quote-ish statements were directed at you except the last one. As for you saying I should be doing something about these problems, if a person in your position can't do anything about it, then what could a lowly user ever be expected to do?

Something along the lines of generate non-"ripped" content bringing in users who are more interested in the original works of BYOND and thus not likely to fall prey to "rips" or even become "rippers" themselves.

It's funny how doing something can be constituted to making original games. Enough people 'do something' and advertise outside of BYOND, more users will come and the glorious wave of fresh minds will be washed into BYOND. So it is written in the Prophecy of the Internet: More Content = More Users = More Content = More Users (it just goes on like). As for me, I am doing my part, rest assured of that.

And as for the extractors! There are 100,000 ways they could go about doing something, anything, to stop and/or even just slow down the rippers, instead they choose to do absolutely nothing, and pretty much gave them full support up until just a few days ago; not even attempting to ever punish or even scold anyone involved.

XxDarkWizardxX was banned, banned again, banned a third time, then he disappeared for a while, and when he returned was probably banned again. He was the one who released one of the now many RSC extractors circulating around BYOND.

(Unless I'm mistaken, you were banned from BYOND at one stage? The system we used allowed you to come back, so why should they be treated any harsher?)

That print screen argument is tired and idiotic. Its like comparing making a withdrawal from a bank vs robbing the bank.

Actually, that comparison doesn't work. It'd be more like using an ATM or talking to a employee. Talking to the employee is the longer, more frustrating course of action because it requires waiting in line, and often proof of identification. Where as an ATM line moves quicker and the ATM is all business. Clearly screenshotting is talking to an employee and RSC extraction is an ATM.

But then, RSC encryption comes in, so someone makes a program that records the screen for a little while, cuts up all the icons in 32x32 blocks and if necessary, adds in necessary movement animations. It's not perfect, but it'll get the job done. Effectively the same as screenshotting, but it can have the prettier name of "Screen Harvesting".

Regardless, this argument is inane.