Now knowing that MCAdmin has backdoors in it to allow the creator/s to bypass a banlist to access any server they like I will no longer be using MCAdmin as my Minecraft server software.
I'm a major in IT and generally having that "feature" is very unsafe, and in learning about the IT field and server software this is only the tip of the iceberg: if he can get around a banlist and even shut down my server without my consent, who's to say he can't get into my server box and **** with it?
I would rather run the stock server which has less features than run a piece of software that can be remotely controlled by its creator by a backdoor.
I hope everyone sees this flaw for what it really is instead of saying "Oh it's just one little feature blah blah blah" and moving on with their life.
I actually did have the pleasure of chatting with Doridian for a good half an hour or so while he was on my server, I'm sorry but it's incredibly noticeable how unstable he is.
It's not even the fact that there's a "backdoor"; I would trust Notch with something like this, but someone mentally and socially unstable? Absolutely not.
I did lose 3 hours of work last night due to the little mishap of the, "You're not allowed to use MCAdmin" or a text of that sort, and I'm absolutely sure everyone was hit by this which rolled them back.
Maybe he was arguing with someone and triggered a global drop?
Who knows, I'm not going to start theories here, but the fact of the matter is that I can't let my server's stability rely on someone's emotional stability.
As someone who is majoring in the IT field I find this "feature" very dangerous. The reason is that it does not use a token of any sort; it only checks names, which allows anyone to be a dev by using a hacked version of the client that allows you to use any name that you please. Furthermore someone was saying that a remote shutdown feature is in the code as well... This is a very slippery slope that the devs are going down. First allowing one to work around all bans and whitelists, but being able to take my MCAdmin server down? What's next? A feature to browse my computer to see what I am doing? This is highly unethical and highly illegal in the US and most everywhere else.
Not only will I be deleting MCAdmin but I will be encouraging my two friends who prefer MCAdmin (and are also in the IT field) to discontinue using it. It may have a nice set of features but it appears as if running stock would be better than leaving my users' hard work and maybe even my server's configuration (remote shutdown? no thanks) at risk of the devs. People get drunk and make mistakes and my server is not going to be one of those mistakes.
3. MCAdmin contains what is called "Developers Mode", this Developers mode is only enabled after you have given your consent or it has been stated otherwise you require assistance. This "Developer's Mode" can only be enabled by the Official Developers of MCAdmin. This Developer's Mode enables the Developer to enter Developer's Mode, after enabling Developer's Mode it will show up on your server chat and logs [MCAdmin] User entered developer mode! This will enable you to see when a Developer has used Developer's Mode.
So if I read this correctly based on what was posted elsewhere from the decompiled code:
-More code needs to be added to make the dev commands actually toggle on and off.
-A text parser of some form will search for a command sent by Toxicated or Doridian each time someone says something in game.
-The mode is only enabled when the ADMIN OR HOST requests it. This is not to say the [Dev] tag may or may not be there, but the commands to help allow them to help you are not supposed to be activated unless you give them permission, and will show up in your logs that they have done so.
As it stands, this means that as someone using the server software, you would need to NEVER run your server in offline mode, and if the name verification goes down like it did for the week (or so) previously, then you should either take the server offline till it's working again, or copy your world folder somewhere safe, put up a temporary motd, telling your players nothing is being saved, screw around at whim due to the unknown inbuilt commands someone could use if they used Tox's or Doridian's names and could figure out the toggle (griefers bent on complete chaos having no reason not to could decompile the code, find the commands and activation phrase) and wreak utter havoc. I am hoping these commands and activation means are hidden and obscured in the code for this reason.
I am sure it is a helpful tool to provide assistance assuming someone can get the server running, but unable to get the configuration right. I am both glad to see it, and concerned. Concerned because I do run the software, and glad due to the number of people who seem to have issues setting this up.
Personal Experience time:
Toxicated came onto my server before the [Dev] tag implementation (Sunday night, MST if I remember correctly). I knew Doridian (having his name glare at me for hours on end would do that) by name, but Tox I did not. He pointed out to check the main minecraft.eu site, and there his name was. Reason I even called him out was him overstepping what I felt was appropriate. He called someone out on griefing in !tell, and threatened them with a ban. The person in question fled, however I was not amused by his actions. I explained that was not how I run my server, and to respect my decision about how such things are handled on it. He kept trying to tell me how he was only trying to help, and eventually left.
The next night (or the night after) he returned with his [Dev] tag, and after a short exchange, left again. He accused me of being rude, but no disabling came about. He entered no commands that I could see, and kept trying to say he was only trying to help.
I considered it rude of him to try and step in and deal with administrative things on a server without talking to any ops/admin (I was at the console, and had an OP online) previous to it, but I can appreciate the intent to a degree. Griefers are a community problem, and without input from that community, they stay at large.
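The concern raised in the posts above (a check on the player name alone, with no token, which anyone can satisfy in offline mode or during a name-verification outage) next to a stricter gate, as an added Python example that is not MCAdmin's code. The `SupportSessions` class, the token format and the `name_verified` flag are assumptions made for illustration; only the two developer names come from the thread.

```python
import hashlib
import hmac
import json
import secrets
import time

DEV_NAMES = {"Toxicated", "Doridian"}  # names as they appear in the thread


def name_only_check(player_name):
    """The criticised behaviour: privilege follows the claimed name."""
    return player_name in DEV_NAMES


class SupportSessions:
    """Hypothetical hardened gate: the server operator issues an expiring,
    single-use token for one named helper. Issuing it is the act of consent;
    the name alone never grants anything."""

    def __init__(self, server_secret=None):
        # Secret stays on the operator's machine and is never shipped in the software.
        self._secret = server_secret or secrets.token_bytes(32)
        self._used = set()
        self.audit = []  # (player_name, granted, reason) for the server log

    def _mac(self, player_name, nonce, expires):
        # JSON list encoding keeps the three fields unambiguous.
        msg = json.dumps([player_name, nonce, expires]).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, player_name, ttl=900, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        expires = int(now) + ttl
        return f"{nonce}.{expires}.{self._mac(player_name, nonce, expires)}"

    def grant(self, player_name, token, name_verified, now=None):
        now = time.time() if now is None else now
        ok, reason = self._check(player_name, token, name_verified, now)
        self.audit.append((player_name, ok, reason))
        return ok

    def _check(self, player_name, token, name_verified, now):
        # Offline mode or an auth outage means the name proves nothing.
        if not name_verified:
            return False, "name not verified"
        try:
            nonce, expires, mac = token.split(".")
            expires = int(expires)
        except (AttributeError, ValueError):
            return False, "malformed token"
        expected = self._mac(player_name, nonce, expires)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "bad token"
        if now > expires:
            return False, "expired"
        if nonce in self._used:
            return False, "replayed"
        self._used.add(nonce)
        return True, "granted"
```
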
Well, for whoever is or was bitching at me: Now have fun at decompiling it.
I removed all exceptions for any devs, only the tag is left.
And if you kick or ban a dev, it will only alert you of what you just did, but not block it (you could have accidentally banned me because you thought I hacked the Dev tag in for example).
Developer mode now asks in local console for consent (a simple yes/no messagebox).
And I removed my ability to remotely shutdown servers.
//EDIT: But that does not mean I will help or support you in any way if you ban me off your server, of course (well, how can I help without being in there, mh?)
This resolves some concerns of mine also. 3 days ago, Toxicated was on my server and threatened me with being globally banned if I told him what to do again (I didn't understand the dev tag and when he mentioned spawning blocks I warned him about my no hacking/duping policy). He was rude to my players and told one to smarten up or he'd be in trouble next time. The next morning I woke to find my server killed and a message saying I was no longer able to use MCAdmin. A quick restart and everything looked fine. Was this done to prove a point?
I enjoy the software and was pretty disappointed by the behavior of a developer. I'm a little concerned to find a whole thread full of complaints.
Anyway, let's hope this is the end of it. I'd hate to change servers.
And if you kick or ban a dev, it will only alert you of what you just did, but not block it (you could have accidentally banned me because you thought I hacked the Dev tag in for example).
So as I understand this won't actually kick/ban the devs? What, do the devs deserve a high throne on the servers that they're not welcome on?! I think most people here don't even care about you or any of the devs. It's their server, they get to choose who goes in and who stays out, not you!
Well, for whoever is or was bitching at me: Now have fun at decompiling it. I removed all exceptions for any devs, only the tag is left.
And by 'bitching' you mean raising valid concerns about severe breaches of ethical and possibly legal statutes.
You have done the right thing by removing the code, but it appears for the wrong reasons. I only hope you learn some professional candor for your next project or even for the continuation of this one.
So yeah, I just want to know why limiting lava buckets doesn't work per rank anymore. It limits everyone regardless of the rank.
I could care less about the mentality of the developer as long as I can run the server and get the frequent updates which have been released, as well as support when I need it. As far as I'm concerned, I love this server and I have no intention of switching because frankly (in my opinion) this is the best server wrapper right now. Its ease of use to feature ratio is perfect.
Great job Doridian. I just want to know why lava bucket block limiting rank specification is broken.
I still will not be using MCAdmin until the ability to kill my server remotely is removed completely. Yeah I could ban a dev but what good would that do if they can just retaliate by shutting my server down.
Well, you could IP ban them not only through the server software, but through the server OS and/or the router. Then again, nothing can be effective until the real problem is solved, which involves the devs themselves.
@Wjykk: This is not true and would not solve the remote shutdown issue. It is built into MCAdmin itself and most likely can be triggered by some client software they have on their end.
But if they are completely banned from even reaching your router, they cannot do anything about it. If proper measures are taken, they can try and try again to get past the router to no avail. The only exception is if they hack to go through your router, in which case you should call their ISP and report the incident.
@wjykk: I don't think you understand. As long as you are running the server it is reporting to their system about your stats. Who's to say they don't have a client sitting there using that same connection to remotely shutdown any server they wish. Furthermore if that ip/connection is blocked the server probably will not run. It's not just their IP. In fact any experienced person knows how to retrieve a new IP from their ISP in 3 easy clicks, so blocking an IP really does no good at all.
I hope the Devs look greater into the legality of their actions before they access anyone else's server without authorization.
Here is an example of a Tennessee State Statute on point. Most states have a similar law.
Tenn. Code Ann. 39-14-602(b)
Whoever intentionally and without authorization, directly or indirectly:
(1) Accesses any computer, computer system, or computer network commits a Class C misdemeanor. Operating a computer network in such a way as to allow anonymous access to that network shall constitute implicit consent to access under this part;
[And you border on this much more serious charge:]
(4) Accesses, causes to be accessed, or attempts to access any computer software, computer network, or any part thereof, for the purpose of maliciously gaining access to computer material or to tamper maliciously with computer security devices including, but not limited to, system hackers, commits a Class A misdemeanor;
PS: as a reminder, the kid from TN who changed Sarah Palin's Yahoo email password using PUBLIC information is facing up to 20 years in prison for accessing the email and then trying to destroy his hard drive.
Goodbye MCAdmin you will not be missed.
Thank you and agreed.
I also donated 20 euros for your efforts.
Thanks.
This as well.