Page 1 of 3
**Terror banned from Longturn**
Posted: Thu May 03, 2012 1:15 pm
by Marduk
There is conclusive evidence that Terror has hacked accounts in LT30 and on this forum. This is the worst thing that has ever happened to Longturn.
Terror is now banned from all LT games and from this forum.
I'm very sorry for the players who were affected by these hacks. Since the beginning of LT it's taken a lot of work to fix exploits and bugs in Freeciv. We've made great progress with help of everyone in the LT community, but we're not there yet. Let's work together to fix any issues we find.
Posted: Thu May 03, 2012 3:13 pm
by kevin551
Marduk wrote:This is the worst thing that has ever happened to Longturn.
No, it's not. The exact same things (DOS attacks, password hacking) have happened before. The culprit about three years ago was KDE. The solution was the same, he was banned from longturn and has not returned.
Terror has also been banned in the past (as user mi3ex). He is longturn's best player but takes losing a game too seriously. Getting banned for today's actions is the correct decision. But I will not complain if in the future he returns with a different username.
Posted: Thu May 03, 2012 4:16 pm
by jhh
kevin551 wrote:Terror has also been banned in the past (as user mi3ex). He is longturn's best player but takes losing a game too seriously. Getting banned for today's actions is the correct decision. But I will not complain if in the future he returns with a different username.
Yeah. For guys like Terror it is probably enough punishment that he looses his ranking and gets banned even if he returns later...
Posted: Thu May 03, 2012 5:41 pm
by monamipierrot
It's really hard for me to even believe this.
I'd not call anyone a "Loser" just on the account he is a bad player and has no chance in winning. I would call him a "Loser" if he is - e.g. - the best player of all times AND he can't stand losing...
Before blaming at him, are you sure it was Terror himself to do the h(ij)ack thing? I'm going to listen his own version of the facts if he wants to post, so please think twice before banning him from the forum.
Anyway I must confess I really like when some andrenaline shocks my peaceful playstyle. This was not andrenaline of course, it was a nasty and dangerous drug, and I didn't like it. But I'm willing to forget it and continue playing.
I liked the fact that for the 1st time in traditional LT, a giant "peace" alliance of "simciters" was strong enough to face some of the Top10 and most aggressive players of all times, despite of the winner limit. It was the proof that some alternative play style is possible. "Winning" this way, if you like this kind of winning, is also possible.
I didn't see much rock'n roll in this game cause it was always my interest in avoiding all military action (I had a huge piece of land to colonize myself). Exactly when war was not far from my troops, this happened. Sad.
I hope that someone takes over Terror account and the game resumes as fair as it can be.
Posted: Thu May 03, 2012 9:34 pm
by det0r
terror has done more than most for LT in terms of code development etc, but I guess the admins have made their decision?
Posted: Fri May 04, 2012 6:02 am
by Marduk
det0r wrote:terror has done more than most for LT in terms of code development etc, but I guess the admins have made their decision?
He did a lot for LT, so it's very sad that Terror decided to try to destroy what he helped to create. With KDE it was much easier, that guy never contributed anything and started hacking almost as soon as he joined LT. But hacking and ruining a game always means a ban from LT no matter who it is.
Posted: Sun May 06, 2012 8:26 am
by mrsynical
Marduk - I agree with you to a large degree, but I don't believe that you (alone) have the authority to ban somebody from forum or game. Akfaew possibly is the only one who has the authority but once again I think it would be unwise for him to unilaterally ban somebody.
Marduk wrote:det0r wrote:terror has done more than most for LT in terms of code development etc, but I guess the admins have made their decision?
He did a lot for LT, so it's very sad that Terror decided to try to destroy what he helped to create. With KDE it was much easier, that guy never contributed anything and started hacking almost as soon as he joined LT. But hacking and ruining a game always means a ban from LT no matter who it is.
Posted: Sun May 06, 2012 11:11 am
by Marduk
mrsynical wrote:Marduk - I agree with you to a large degree, but I don't believe that you (alone) have the authority to ban somebody from forum or game. Akfaew possibly is the only one who has the authority but once again I think it would be unwise for him to unilaterally ban somebody.
I think we both agree that if we let hackers run wild on our servers this community will crash and burn. People invest a lot of time in a LT game so if someone decides to ruin it in a few minutes then that's a serious issue. Banning someone by democratic vote is impossible (conflict of interest, and it might even turn into a popularity contest), so Akfaew and me have together made the decision to ban him.
Since Maho, Lohoris, some of Maho's Polish friends and me started the first public Longturn game we never had a clear authority structure. When it makes sense to do something democratically, that's what we do. When an important decision has to be made then the admins make it together. Btw we welcome other players to join the admin team if they have the right skills, it's not a closed group. We've called for more admins earlier and this call is still open.
In sum: we couldn't keep Longturn in limbo so a decision had to be made fast, and I don't see a better way then having the admins take it together.
Posted: Sun May 06, 2012 3:59 pm
by jhh
Marduk wrote:I think we both agree that if we let hackers run wild on our servers this community will crash and burn. People invest a lot of time in a LT game so if someone decides to ruin it in a few minutes then that's a serious issue. Banning someone by democratic vote is impossible (conflict of interest, and it might even turn into a popularity contest), so Akfaew and me have together made the decision to ban him.
This was the right solution -- we would have done it in our local community the same way -- it's admins job to use that authority (when there is no judges) and banning is the punishment written in Longturn.org rules, too.
Marduk wrote:In sum: we couldn't keep Longturn in limbo so a decision had to be made fast, and I don't see a better way then having the admins take it together.
Yeah, these kind of actions need to be executed faster than usual voting takes place.
Posted: Mon May 07, 2012 1:31 am
by mrsynical
okay - as long as you had discussed with somebody like Akfaew. I was not expecting a global vote.
Marduk wrote:mrsynical wrote:Marduk - I agree with you to a large degree, but I don't believe that you (alone) have the authority to ban somebody from forum or game. Akfaew possibly is the only one who has the authority but once again I think it would be unwise for him to unilaterally ban somebody.
I think we both agree that if we let hackers run wild on our servers this community will crash and burn. People invest a lot of time in a LT game so if someone decides to ruin it in a few minutes then that's a serious issue. Banning someone by democratic vote is impossible (conflict of interest, and it might even turn into a popularity contest), so Akfaew and me have together made the decision to ban him.
Since Maho, Lohoris, some of Maho's Polish friends and me started the first public Longturn game we never had a clear authority structure. When it makes sense to do something democratically, that's what we do. When an important decision has to be made then the admins make it together. Btw we welcome other players to join the admin team if they have the right skills, it's not a closed group. We've called for more admins earlier and this call is still open.
In sum: we couldn't keep Longturn in limbo so a decision had to be made fast, and I don't see a better way then having the admins take it together.
Posted: Fri May 11, 2012 2:28 pm
by bli
Marduk wrote:
In sum: we couldn't keep Longturn in limbo so a decision had to be made fast, and I don't see a better way then having the admins take it together.
And the ban prevents him from using other accounts with hacked passwords?
Posted: Fri May 11, 2012 3:41 pm
by jhh
bli wrote:And the ban prevents him from using other accounts with hacked passwords?
Unfortunately no. He has been using other accounts with leaked passwords even after the ban. Probably also voted and used forum with those accounts since AFAIK there is no support for banning IP addresses ATM (although that wouldn't help much).
As I've suggested the admins should check which passwords are still unchanged and change them -- or actually force changing and email verification for all accounts, since Terror might have changed those passwords after he hacked the account.
Posted: Sat May 12, 2012 8:16 am
by jhh
akfaew wrote:Well jhh, I've suggested to you to give me a list of hacked accounts but you wouldn't.
I don't have that leaked password file and you see it better from the server logs.
I don't use logger either and I don't have (standard) logs in client from more than few days if even that (it crashed yesterday).
Terror has been using the same IP address, so it should be easy to check which accounts has been used by that IP address.
Anyway why do you think I know that and I should be the person listing those accounts?
Posted: Sat May 12, 2012 11:28 pm
by det0r
jhh wrote:akfaew wrote:Well jhh, I've suggested to you to give me a list of hacked accounts but you wouldn't.
Anyway why do you think I know that and I should be the person listing those accounts?
Because:
- you keep going on about it, so you're obviously paying attention to terror logging in with these 'hacked' accounts
- akfaew is busy with other things, like class, work, maintaining this website, trying to get LT31 going, making modifications for LTeX etc.
So, akfaew is probably thinking 'if jhh cares that much, he can send through the information and I will deal with it, but I'm too busy to go around looking at the server logs myself'
Posted: Sat May 12, 2012 11:39 pm
by jhh
det0r wrote:
- you keep going on about it, so you're obviously paying attention to terror logging in with these 'hacked' accounts
- akfaew is busy with other things, like class, work, maintaining this website, trying to get LT31 going, making modifications for LTeX etc.
So, akfaew is probably thinking 'if jhh cares that much, he can send through the information and I will deal with it, but I'm too busy to go around looking at the server logs myself'
I think it's admins job to fix this thing ASAP before LT31 starts, otherwise it's going to be fucked up too. At this point I don't see any other way but email verification to clean the user database.
Most people don't want to play games against 50+ terror clones and voting is practically fucked up when terror can vote with 50+ votes. So yes, I do pay attention to this -- you should, too.
Mostly my information is second hand info, for example, I heard in IRC that just two days ago "somebody" from Terror's IP logged in as one of the players (probably was in LT30, not sure). There is no public logs about how much he uses those accounts on the website or if he has changed passwords. For inactive accounts the owner might not even notice that and Terror could use stolen "identity".
Posted: Sat May 12, 2012 11:57 pm
by det0r
I think terror has better things to do with his life than hack 50 LT accounts so that he can play them all simultaneously. You probably don't remember, but when he first identified the security flaw he warned everybody and people were told to change their passwords. He's not some evil supervillain with a singular purpose of trolling the finnish LT players.
Perhaps you could make akfaew's life a bit easier and put together the list of accounts you know are hacked, and he will fix those. It would be a bit more constructive than just complaining about it.
Posted: Sun May 13, 2012 12:06 am
by jhh
det0r wrote:I think terror has better things to do with his life than hack 50 LT accounts so that he can play them all simultaneously. You probably don't remember, but when he first identified the security flaw he warned everybody and people were told to change their passwords. He's not some evil supervillain with a singular purpose of trolling the finnish LT players.
His actions indicate otherwise. Also don't forget that the password file was leaked and other people might have it, too. It has clearly been shown that there is still lots of accounts without changed password.
Actually I cannot be sure if I am now speaking to Terror.
det0r wrote:Perhaps you could make akfaew's life a bit easier and put together the list of accounts you know are hacked, and he will fix those. It would be a bit more constructive than just complaining about it.
As I've explained, I don't have that information and at this moment the easiest way is to check the server logs as admin. If I would be the admin I would have done just that in the first place and the whole thing would be over now.
I don't really care anymore. I am probably not going to participate in next game and maybe never again. It feels that you guys really cannot separate your attitude from one game and outside games, since this really feels like you are trying to make this issue harder than it really is. However not my problem.
Posted: Sun May 13, 2012 1:28 am
by det0r
We're not trying to make it harder, we're simply asking you to engage in the solution.
You obviously know of five or six potentially hacked accounts. All you need to do is put them together in a single post and I'm sure akfaew will do his best to resolve the issue (reset the passwords probably). The simple fact is that akfaew doesn't have time to look through the (massive) server logs, so if you put together a reasonable request for him (by compiling a specific list of accounts to fix), then he will attempt to resolve the situation. If you think server logs are the best way to go about it, ask akfaew to send you the server logs. He doesn't get paid and this isn't a #1 priority for him.
Posted: Sun May 13, 2012 3:25 am
by Joe9009
Wow this some heavy stuff. Hacked accounts, possible spys, are we being watched at this very moment? Sorry I just watched Person of Interest. Good show I recommend it.
Admins thanks for doing what you can, most of us understand that you do this work for free and are grateful that there is a place like this and skilled individuals like yourself willing to spend the time to set up games for us all. I hope that this unfortunate situation dose not make you lose the fulfillment you get out of refereeing this digital circus of settlers, because it is a wonderful thing.
Posted: Sun May 13, 2012 7:04 am
by IllvilJa
adsynth (ruling Babylonia) is the only one who, by himself, has explicitly said to me he was hacked. However, others have been reported to have been logged in to from the same address as being used when adsynth was hacked, among those I know LatroSurdus (North Korea) was one. LatroSurdus all units were disbanded, then adsynth's units were used to take all LatroSurdus cities on the mainland. (I was not online ingame when these incidents happened, so I had no opportunity to write down neither targets of the attacks or the address used to attack from)
I've been very busy IRL so I have not had time to write this until now.
akfaew, det0r, Marduk: the situation is sensitive, so please be careful how you handle it and communicate about it. I want to believe that you consider it as serious as the rest of us, that we have a person who has the potential and will to continue to take control over ingame players (in current and future games) and forum accounts in LT. However, some communication some of you have provided gives an impression, hopefully unintentionally, that you are not that interested having this problem properly addressed.
Of course others can provide valuable information to assist you, but as jhh points out, there is reason to believe that you have plenty of information already to start identifying accounts that have been attacked. For instance, in logs for access to the forum and LT30 (and perhaps the Ex game as well), investigate if there is any address on the internet used to connect to a large number of accounts. If one such address stands out, all the accounts being logged on to recently from that address are potentially hacked, at least in my eyes.
There are a few sets of two-three accounts being accessed from similar/identical addresses (me, Sweden, and my son, Estonia accessing from our home is one example, Bluemoth, MrSynical and someone else working/studying in the same organizaion is another and... was it Szigy also having a son...?). I want to point out that I'm not referring to any of THOSE accounts or addresses in my above paragraph (Even if Bluemoth got hacked if I recall correctly, but obviously then from an address that will stand out as being one of the hostile ones (or the only hostile one, I don't know if attacks have used multiple or a single attack)).
Best regards
/IllvilJa
Edit: Pickyness against myself as I spotted a place I was unclear.
Posted: Sun May 13, 2012 9:08 am
by Marduk
Thanks to everyone who's helping by providing information. I'd like to reiterate that we
welcome players to apply for being an admin, that would give us more capacity to respond to these problems.
Posted: Tue May 15, 2012 4:39 pm
by bli
jhh wrote:bli wrote:And the ban prevents him from using other accounts with hacked passwords?
Unfortunately no.
Do you want to say that the argument for banning terror without poll in order to "not to keep Longturn in limbo" was quite pointless?