Rainy

Regarding New Jersey And VSP

47 posts in this topic

The post you linked to links to an error. I think you accidentally linked to an admin-only area.

Mind replacing it with a screenshot of the post?

Thank you, Simple. An admin shouldn't be handing out things like this to people because they're his friends.

I wished that this would never happen... But all I can do is stand by and watch the changes that will happen... Dinky is a good caring person who cares very deeply about his friends that are very dear to him... He has worked very hard on the Versus Ponyville server... I would stand and defend him if anyone decides to bash and insult his work and well being.

New Jersey had a bad community led by a bad admin. Friendlies are against the rules, but Dashy allowed them anyway. He also handed out admin to people like it was candy, regardless of how questionable they were as players. Admin abuse was frequent. As Raini pointed out, the plugin was not only poorly coded but based on stolen work. Say what you want, but there's no justifying his actions.

The only admin I know Dinky has given out was to his closest friends, and that was very early during the Versus Ponyville development. The mod being "Poorly coded" was him learning through experiences as if you were learning how to make music or build your first computer. Dinky is not an admin, he is the Owner of the server. He is usually on when he is testing the mod he has worked on for so long. Also, Freak Fortress 2 is a Public Mod if I am not mistaken. He may have used it to practice his skills as a scripter. So far in my eyes, he has done a great job and has made amazing progress in both his mod and his skills coding the server, and I am sure he is still learning as he continues to work on the mod.

It's licensed under the GPL and that requires you to give full credit to the original authors of whatever it is. Removing credits and replacing it with your own while failing to mention the original authors is a violation of the GPL and has actually led to lawsuits before.

I hate this quoting system...

This could be relevant: http://www.sourcemod.net/license.php

For all of those who are wondering, the Versus Pony mod we have on right now has nothing in common with Dashy's mod. The mod we have now has been built over the past 3 days from the FF2 base with publicly available plugins, with absolutely no assistance, influence, or contribution from Dashy/Pinkamena/Genshi.

The only things that our two mods share are most of the sounds and the pony models, made by jug.

NONE OF DASHY'S CODE WAS USED TO CREATE THIS VERSION OF THE MOD. ALL OF THE NEW CODE INVOLVED WAS CUSTOM CREATED FOR THESE SERVERS BY US.

If I can get everything working again, Jug did ask me to do things for the models along with him.

Edited by Solar

The only admin I know Dinky has given out was to his closest friends, and that was very early during the Versus Ponyville development. The mod being "Poorly coded" was him learning through experiences as if you were learning how to make music or build your first computer. Dinky is not an admin, he is the Owner of the server. He is usually on when he is testing the mod he has worked on for so long. Also, Freak Fortress 2 is a Public Mod if I am not mistaken. He may have used it to practice his skills as a scripter. So far in my eyes, he has done a great job and has made amazing progress in both his mod and his skills coding the server, and I am sure he is still learning as he continues to work on the mod.

The databases.cfg contained on every server stores passwords in plain text for databases relating to our forums, sourcebans, and even donor system (which connects directly to my PayPal account). Dinky shared this access with one of his friends, Genshi, and never informed me. Genshi consistently accessed the FTP for over a year until I was made aware of his access via his own gloating. Dinky's only justification for sharing this access with Genshi, who had recently been removed as an Admin, was that he was "his friend." Dinky was the only other person besides myself with full FTP access to all Ponyville.net servers and promised that he would never share that access without my knowledge or consent.

Dinky has always insisted that his personal friends be given full Admin powers in this community, irregardless of their qualifications, contributions, or level of maturity. Whenever issues arose as a result of undeniable Admin Abuse on the part of his friends, Dinky would insist that the abuse was irrelevant. If powers were ever removed from his friends, Dinky would hold this community hostage by threatening to lock all of the staff out unless concessions were met. Even after we created a new server (Dallas VSP) with the mutual understanding of giving players a place to go away from Jersey staff, Dinky would still place the whims of his friends over his word to staff and the community.

If the Jersey staff won't have access to Texas to enforce the rules there then nobody will have that with the exception of you, me and Simple. That or I will restrict every single command on that server to my personal admin flag, making it impossible for every other admin to use a single command there.

Yes, Dinky "cares" about his close circle of friends. It is just too bad for this community that he didn't care about anyone other than them.

I'm not taking sides on this. I just have to ask. As someone such as yourself familiar with programming, why are passwords stored at all in plaintext? That is a big security no no. Even if you trust everyone who has access. Just ask Sony, who had a major issue with this just last year. I would ask that if my information is really stored in plain text, that it be stripped from the servers until such a time where it is at least hash + salted, if not encrypted.

Edit:  If you don't know how to go about performing these actions, feel free to message me.  I know how to implement these solutions as I've been programming for 17 years.

Edited by Zazabar

I'm not taking sides on this.  I just have to ask.  As someone such as yourself familiar with programming, why are passwords stored at all in plaintext?

Because that is the way the people behind TF2 and Sourcemod designed it.

But to verify, information about forum users passwords and such are not in that file, right?

Here's my next question: what will happen to all the existing donors?  Have their perks been stripped, or is it just not going to be available for a certain time?

I'm not taking sides on this. I just have to ask. As someone such as yourself familiar with programming, why are passwords stored at all in plaintext?

Because that is the way the people behind TF2 and Sourcemod designed it.
But to verify, information about forum users passwords and such are not in that file, right?

No, passwords for forum users are not kept within that file, but in a separate database off the game server. It would have been possible however to do a lot of malicious things to this forum using the database passwords contained within the game server's databases.cfg.

Upon discovering that Dinky had shared FTP access, I checked the connection logs for all of these databases, and I did not discover any evidence of IPs that I did not recognize connecting to them. The point remains however that the access should have never been shared with an outside party in the first place; especially not an ex-Admin who was removed due to abuse.

 

Here's my next question: what will happen to all the existing donors? Have their perks been stripped, or is it just not going to be available for a certain time?

Donors will continue to have all of their perks on all of our servers: Ponyville California (8.6.2.175:27015), Ponyville VSP #1 (68.232.161.2:27015), and Ponyville VSP #2 (209.246.143.162:27015). If you are not seeing your Donor perks on one of these servers right now, it is because I am still in the process of reinstalling the server and/or transferring files. All existing Donors will be credited for every day that they are not receiving their perks on the servers.

A security suggestion if you are willing to listen. Each instance of database access should have its own username and permissions. So for instance, if the database.cfg contains a database user/password to access the database for say, a tf2 table, it should not have permissions to access data from other tables. If you give each access point its own user/permissions, you reduce risk dramatically. No script should have a user account that can globally access the databases. That way, even if someone were to say, steal the info from database.cfg, they wouldn't be able to do anything to the forums.

Edit: Also, you should limit the IPs that can connect to the database to only include localhost, the IPs for the servers themselves that need to access it, and that is it. Any database updating can be done through cpanel or whatever site suite you use. No one should need remote access to the database.

Edited by Zazabar

It's pretty commonplace for php scripts and stuff like sourcemod to store database passwords in plaintext unfortunately. It's also pretty common for gameservers to host MySQL remotely, as these machines do not have the resources to run it (since they have tons of dedicated server processes on them). With properly configured hosts, you can set the SQL server to only accept outside connections from specific hosts, but many hosting companies do not allow much configuration to SQL aside from configuration of your own databases/tables (which it creates all under your single login/account). That being said, limiting to localhost is not an option, and using a different password for each DB is not an option, nor is using different passwords for each DB (since each db just gets a different prefix but uses your same account/pw). The passwords of users and such for forums would be stored in md5 hashes inside of the database though, so there's that. Could always segregate the donor/forum db but it most likely already is. Probably not a big deal. Same kinda thing goes for webservers, that stuff will all be plaintext too.

Why is using separate passwords for different databases not an option? I do it on every single server I run. Even the most basic hosting services allow for adding database users and adjusting permissions to different databases.

And I'm quite aware of how many config files store things in plaintext. I'm sure the passwords for the forum itself here are stored in plaintext for its config.php file.

Hi, you must be new:

"Databases"
{
    "driver_default"    "mysql"

    "default"
    {
        "driver"      "mysql"
        "host"        "webserverURL"
        "database"    "databasename"
        "user"        "databaseuser"
        "pass"        "dbpassword"
        //"timeout"   "0"
        "port"        "3306"
    }

    "storage-local"
    {
        "driver"      "sqlite"
        "database"    "sourcemod-local"
    }

    "clientprefs"
    {
        "driver"      "mysql"
        "host"        "webserverURL"
        "database"    "databasename"
        "user"        "databaseuser"
        "pass"        "dbpassword"
        //"timeout"   "0"
        "port"        "3306"
    }

    "psstats"
    {
        "driver"      "mysql"
        "host"        "webserverURL"
        "database"    "ps_database"
        "user"        "ps_dbuser"
        "pass"        "ps_dbpw"
        //"timeout"   "0"
        "port"        "3306"
    }

    "sourcebans"
    {
        "driver"      "default"
        "host"        "webserverURL"
        "database"    "databasename"
        "user"        "databaseuser"
        "pass"        "dbpassword"
        //"timeout"   "0"
        "port"        "3306"
    }

    "admintools"
    {
        "driver"      "default"
        "host"        "webserverURL"
        "database"    "databasename"
        "user"        "databaseuser"
        "pass"        "dbpassword"
        //"timeout"   "0"
        "port"        "3306"
    }
}

now, it's all dandy and all. But if you want to do things like say, integrate your donators with your forums, you need some db that sourcemod can connect to to manage your db. Your forums must then be able to access this db too. You can have as many dbs with unique passwords as ya like, but they still must be interconnected at some point. Sure the forums db is not THE SAME as the donor db, but the donor db still has all the donors in it (in some form), which was the point, which isn't even a big deal really. This argument doesn't really matter, and your point doesn't because you have none.

No, I am not new. You can easily do the following:

Database 1: Forums
Database 2: Donator Info
Database 3: Server Shit

User 1: Has read/write to forums, read to donator
User 2: Has read/write to server, read to donator

User 1: used in config.php
User 2: used in database.cfg

Bam, if someone steals the database.cfg stuff, they can not modify the forum.

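As an added illustration (not part of any post in this thread), the two-account layout proposed above and the connection-source restriction suggested earlier in the thread can be written as MySQL grants. The database names, account names, the 203.0.113.10 address and the password placeholders are assumptions, "read/write" is taken to mean SELECT, INSERT, UPDATE and DELETE, and the host is assumed to allow creating database users.

```sql
-- Added example; every name below is hypothetical.
-- 203.0.113.10 stands in for the game server's address, and 'localhost'
-- assumes the forum's PHP runs on the same machine as MySQL.

CREATE DATABASE IF NOT EXISTS forums;      -- Database 1: forums
CREATE DATABASE IF NOT EXISTS donors;      -- Database 2: donator info
CREATE DATABASE IF NOT EXISTS gameserver;  -- Database 3: game-server data

-- User 1: the account written into the forum's config.php.
-- It can only connect from the web host itself.
CREATE USER 'forum_web'@'localhost'
    IDENTIFIED BY '<placeholder-secret-1>';
GRANT SELECT, INSERT, UPDATE, DELETE ON forums.* TO 'forum_web'@'localhost';
GRANT SELECT ON donors.* TO 'forum_web'@'localhost';

-- User 2: the account written into databases.cfg on the game server.
-- The host part limits logins to the game server's address, so the
-- password alone is not enough from anywhere else.
CREATE USER 'sm_game'@'203.0.113.10'
    IDENTIFIED BY '<placeholder-secret-2>';
GRANT SELECT, INSERT, UPDATE, DELETE ON gameserver.* TO 'sm_game'@'203.0.113.10';
GRANT SELECT ON donors.* TO 'sm_game'@'203.0.113.10';
-- If a plugin creates its own tables on first start, add CREATE on
-- gameserver.* only, never a global grant.

-- In the scheme as posted neither account writes to donors; whatever
-- records donations would need its own, separate account.

-- Checks a defender can run afterwards:

-- 1. The game-server account should list gameserver.* and donors.* only.
SHOW GRANTS FOR 'sm_game'@'203.0.113.10';

-- 2. No application account should accept logins from any host.
SELECT user, host FROM mysql.user WHERE host = '%';

-- 3. No application account should hold privileges on every database.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type <> 'USAGE'
  AND grantee IN ('''forum_web''@''localhost''', '''sm_game''@''203.0.113.10''');
```

With these grants, the credentials stored in databases.cfg can read donor rows and modify game-server tables, while any statement against forums.* is rejected with an access-denied error.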

You do know that not everyone has your host / your configuration options, correct?

Actually, most gameservers/gameserver hosts that provide SQL, give you almost no configuration options.

With some hosts you are not even allowed to name the databases. Some will allow you only a single database...

I've worked with over a dozen different major hosting companies, and strangely enough, even companies that offer top of the line machines, with free access to sql packages fall short. And these are not cheap machines, I'm talking dedicated e2690 machines, with 64g memory. Most users still opt to have SSDs installed and run their own MYSQL servers just so that they can limit/control access because the free/hosted packages are so limited.

Sometimes, things just are the way things are, and you just have to deal with it.

Now, you can go rent one of those machines, or buy one and colocate, but that will be a few hundred a month, or a few thousand, so have fun with that.

I would figure that since Raini is running forums, that she has more than one server in which she is hosting, since she is probably hosting the databases on here and not on the gameserver.

If you are gonna run a full game server/forum/donate setup, you really should have a basic webserver that can run these very basic things.

Edit: I would also like to add that I get the above setup for $7/mo. So if I can get it, anyone can.

Edited by Zazabar

And on a final note.  Run a domain whois on ponyville.net.  You will find that they are being hosted by dreamhost.  All of dreamhost's hosting options include the ability to add multiple databases and database users.  So there is no reason why this can not be done here.

Friagram runs his own community with a back-end far more advanced than forums or anything else here on Ponyville.net. I'm fairly certain that he knows how to properly configure an SQL database without you lecturing him about it (and I'd like to believe that I do, too). I don't know why you're assuming that nobody here other than you has a basic understanding of how to set up a database or take security precautions. No, our databases are not all connected to the exact same username/password (although as Friagram mentioned, this is unavoidable for some communities, depending on their host).

The weak link here is not how I set up my databases, but how the game server, or SourceMod, communicates to them. The copypasta that Friagram posted earlier is literally what the game server uses to establish a connection. Read up on how SourceMod works here.

The issue here was the breach of trust by Dinky in granting his personal friends access to things that they were not supposed to have access to in the first place (special Admin flags that he had personally hardcoded to abusive server commands, FTP access that was supposed to be limited to only the two of us, etc. etc.). The final straw was when Dinky shared every bit of content/code that he had access to from this community with one of his friends who was an ex-Admin solely for the purpose of duplicating this entire community (right down to such superficial things as the code, font, and text of our SourceBans page and MOTD). There was no way that we could continue to maintain a relationship with Dinky when we could not trust him with future access, future code developed by us, and so forth. This was the primary reason for his removal, and this thread.

Anything else, such as how the databases are configured, is ultimately irrelevant.

This topic is now closed to further replies.