Popular Minecraft mod had a back-door.


Users of the popular Minecraft server management mod MCAdmin were in shock when someone discovered a back-door left by the developer named Doridian. People were angry because Doridian had misused the trust of his users. Of course, I'd be angry too. If I downloaded a program and found it had a back-door, I'd delete it in a second. Doridian was able to go on any server that ran MCAdmin and gain developer status. This let him ban people on a server he had joined only about 5 seconds earlier. I'd be worried if I was an admin of a server and this guy appeared. Also, he was able to remotely shut down any server running MCAdmin from his desktop. And he did! He shut down Bradster's server because Bradster did not like him, allegedly. This, as you can see, caused an uproar.


So, the story first started when Bradster was running a server using MCAdmin. In this topic, he explains how someone he didn't know at the time (Doridian) already had the [DEV] status. Then Bradster proceeded to ban him. Then Bradster himself was banned by Doridian. Bradster thought this was shady, so he unbanned him and turned off the global-ban option. Doridian came back on and explained things to him in a serious tone. Bradster didn't like this, and Doridian banned Bradster from his own server.

Here is how it went down:


IP ### logged in as Doridian!

<Bradster> hello?

<Doridian> hai

<Bradster> dev?


As it said in the Terms I just quoted, developers get a [DEV] tag, hence this question. It'd be weird to see someone connect to your server and get a [DEV] tag.

<Doridian> if i suppose you being the owner of this correctly

<Doridian> then you should know who i am

<Bradster> i own this server..

Doridian (IP: ###) disconnected (Message: Kick-Banned by Bradster)!

Bradster kick-banned Doridian


I'd do the same thing here. Some random guy comes in, gets a custom tag out of nowhere and then starts acting really weird about how I should "know who he is". He's getting a ban for sure.

IP ### connected!

IP ### logged in as Doridian!

Doridian (IP: ###) disconnected (Message: You're banned)!

IP ### connected!

IP ### logged in as Doridian!

Doridian (IP: ###) disconnected (Message: You're banned)!

Heartbeat fail: Unban Doridian!!

Bradster (IP: 127.0.0.1) disconnected (Message: Globally banned. Visit http://bans.mcadmin.eu/?user=Bradster)!


At this point the server host (Bradster) got banned from his own server (since it was using MCAdmin to manage bans) simply because he banned Doridian. It continues:

<Doridian> banning the main developer

<Doridian> no good idea

<Bradster> I don't even know who you are?

<Doridian> also

<Doridian> someone insulted me

<Doridian> i say shut up

<Doridian> and get banned

<Doridian> wtf?

<Bradster> Yeah not me

<Bradster> And anyway

<Bradster> It's my server, not yours, you have no right to ban my friends

<Doridian> i have the global banlist feature

<Bradster> What's your point?

<Doridian> my point is you didnt disable the global banlist

<Doridian> which tells me you accept whomever i ban

<Bradster> Disabled...

<Doridian> another point is

<Doridian> do not expect help from me

<Doridian> if theres people running around

<Doridian> who dont like me

<Bradster> I don't know who you are, nor care

<Bradster> So go away please

<Doridian> i made MCAdmin

<Bradster> Oh right, good for you

<Doridian> the admin tool you use

<Bradster> Have a drink on me

<Doridian> why are you that much of a pain to me


Seriously? Bradster hasn't said anything out of the norm. His servers were essentially invaded and he was banned from his own server. He hasn't really been a pain at all.

<Doridian> i mean

<Doridian> why do you hate me that much

<Doridian> what the fuck have i done to you?

<Bradster> Your e-penis must be so huge for you to banhammer anyone you want

<Doridian> HEY

<Bradster> The point is...

<Bradster> It's my server, not yours, you may have made it, and i appreciate the free software

<Bradster> But that doesn't make you a God on every server that runs it

<Doridian> i would never go as far as banning someone locally

<Doridian> i just globalban people who insult me


Which is just another reason why nobody should use this wrapper, what a power-tripping asshole.

And finally, showing that after being banned a second time, Doridian remotely killed the server:

Doridian (IP: ###) disconnected (Message: Kick-Banned by Bradster)!

Bradster kick-banned Doridian

Heartbeat fail: Unban Doridian!!

Heartbeat fail: Unban Doridian!!

Heartbeat fail: Unban Doridian!!

Server killed!



During this debacle, Doridian came onto the topic and explained how he would not have done this for a reason. Then he went on to say that he never even wanted to implement the feature in the first place, and that the back-door is completely safe for your computer. Then one of MCAdmin's developers, Toxicated, claimed that MCAdmin had no back-doors and backed up Doridian's post. The topic went back and forth on the ethics of computer programming for third-party applications. Then Obsidian_, a computer programmer, weighed in with an "I-know-what-I'm-talking-about" post and blasted the creators of the software. Later, ashmaker, a lawyer (so he says), came onto the topic. He laid out what the two guys were breaching from a legal standpoint.

A day later, FullDisclosure decided to see what was up in this topic. He wanted to show everyone where that back-door was in the program. Lo and behold, he found it. A part of the program gave Doridian and toxication special access to any server they went on. Soon after, many people took to Notch to complain. Then the topic erupted into a full-on debate about the ethics of a programmer.

Then reddit's Minecraft community got into a heated discussion. It had over 200 comments. You can tell this thing went south for Doridian. One of the things that stood out the most was the chat logs between FullDisclosure and Doridian. Here's the scariest log:

03:18 Doridian i could abuse the autoupdate feature

03:18 Doridian to make them run ANY code i want

03:18 Doridian sooo

03:18 FullDisclosure Indeed you could

03:18 Doridian i technically have all power

03:19 FullDisclosure Indeed you do

03:19 Doridian so they should not bitch about one little thing

03:19 Doridian allowing me to run commands on their server


So, as you can see, now things are finally going "right". Just kidding; the story ended with an apology letter from Doridian. In the letter he described his actions and such:

Read this
In the last few days I messed up badly. I played with the trust of my users, I abused it to be precise.

So what did I do?
I integrated a feature into MCAdmin which made me unkickable and unbannable.
Also I made a feature which could set my level to admin level.
And the last thing was I could remotely disable any server from running MCAdmin.

Now why would I do that?
Well, the first feature was made because some admins kicked me thinking I was a hacker (because of my [Dev] tag).
The second feature I integrated to help admins of servers, so I can show them around the commands, and how they work with MCAdmin and resolve issues right on-the-server.
And for the last thing, I don't know why I did it, I had the idea of some servers harming the community or something.

So, what now?
Well, the features are all removed already. I cannot remotely shut down your server nor am I any kind of special.
Now all I can do is say sorry. I never thought people would call this abusive, I would have never abused it.
But I understand people might think like that.

So what's with that guy (Bradster) whose server you disabled because of disliking him?
I disabled his server after he insulted me, not because I dislike him. You have to see, at that time, one guy on the server insulted me (a guest) so I said "shut up". This got me banned. Then I reconnected because I got unbanned just to be yelled at how I should not decide how I am running my admin mod or not. Thus I disabled his server.
This was not right and all I can do is say I am sorry for that, too. I overreacted.

But what's the "Developer mode" about now?
Well, now it prompts you to accept my request for "developer mode", this will grant me all rights. If you do not wish that, you can just click "no" on the box and nothing will happen.


And here we are now. It all started on October 26 and it has, hopefully, ended today. This giant mess won't leave our minds anytime soon. But it does leave the inevitable statement... "Watch what you download." Sure, installing Minecraft mods can strengthen the Minecraft experience, but sometimes a bad one can come along. As for Doridian, I hope he's learned better.
