About the Security Issues

[Krayzie 0]

Yeah getting malware on my computer kind of fucking sucked but oh well at least I got it off (hopefully).

[DeathFX 0]

Second off rocket is trying his damnedest to make this mod work correctly and this isn't his job so it might take some time for things to happen.

"might!!!" find it is his job if you do some research before ass-kissing ;)

although i agree he is working hard and probably flat out when he can on the mod.

Was also told he and Vipeax are the only coders don't know if that's true,

Vip on server connection side or something, so it pretty much is a one man... wait one man machine producing what you play :)

just my 2 cents

--DeathFX

P.s before i forget :

http://www.pcgamer.com/2012/06/06/rumour-dayz-creator-instructed-to-work-on-mod-full-time-by-bohemia/?ns_campaign=article-feed&ns_mchannel=ref&ns_source=steam&ns_linkname=0&ns_fee=0

[Zul99 1]

\

"might!!!" find it is his job if you do some research before ass-kissing ;)

although i agree he is working hard and probably flat out when he can on the mod.

--DeathFX

P.s before i forget :

http://www.pcgamer.com/2012/06/06/rumour-dayz-creator-instructed-to-work-on-mod-full-time-by-bohemia/?ns_campaign=article-feed&ns_mchannel=ref&ns_source=steam&ns_linkname=0&ns_fee=0

I'm not ass-kissing at all, it sucks to make a mod while people are whining and bitching because it isn't optimized or some features don't work correctly because its an alpha. Also it says that's a rumor so it holds no ground unless someone else confirms it.

[DeathFX 0]

hence why i said "might!!!"

sorry if i offended you was meant light heartedly :)

--DeathFX

[landshark 1]

With great power comes great responsibility.

Rocket created a monster of a mod and as a result now has a lot of power over tens of thousands of eager gamers and some of their personal info.

When something gets hacked that has potentially 100k+ members, it's important to treat it pretty freaking serious like.

I don't see how Tonic believed he could just "email everyone and warn them about the hack" when he already rolled back and removed tens of thousands of forum accounts. Who's he going to email?

Also, unless you dig around for the info, the fact that the Db/forum was hacked and people's username/passwords may have been compromised is not readily apparent. Shouldn't there be something about it on the front page of www.dayzmod.com to at least give people a heads up about why their accounts are gone and to maybe warn them to change any passwords on other sites that might coincide with what they used here?

[rocket 16567]

You're forum passwords were not at risk as they were, in the parlance of our time, "salted".

[dale0404 16]

Yeah getting malware on my computer kind of fucking sucked but oh well at least I got it off (hopefully).

And that has to do with what exactly? Oh I get it, your trying to say that because these forums got hacked you got malware on your computer, is that it?

If so, you fail. Miserably.

[Krayzie 0]

Yeah getting malware on my computer kind of fucking sucked but oh well at least I got it off (hopefully).

And that has to do with what exactly? Oh I get it' date=' your trying to say that because these forums got hacked you got malware on your computer, is that it?

If so, you fail. Miserably.

[/quote']

No I say that because of the dayz updater that was in the US mirror that got taken down, which is what started this whole thing.

http://www.dayzmod.com/forum/showthread.php?tid=9123 If you didn't see

[Felix (DayZ) 21]

The DayZ team has been stepping away from administering the servers ourselves for the last three weeks' date=' as we simply cannot cope with the volume of server requests and setting them up. Hence, we only have direct access to less than 15% of total servers. So any claims that anything being compromised would allow the rise of us wielding a network that could be a "giant botnet" are incorrect and misinformed.

[/quote']

Wait, does that mean you're NOT taking over the world by next spring?

[Laxxon 0]

Just want to put this out there.

Rocket, thanks for all the work you're doing. I love this mod and I think there should be more games out there like this, a lot more games. I love the work you and your team are doing and although there are problems, this is an alpha and this is to be expected.

Keep up the good work. Don't listen to the haters.

[DrRageQuit 17]

I should be shocked at the fucking cheek these kids have to derail every thread with their own petty demands. Ban the lot of them.

Tonic did a pretty good job under the circumstances. Sure, mistakes were made but the issue had potential to spread like wildfire and could have ruined peoples trust in the team very quickly. When the shit hits the fan you dont always have time to put up your umbrella.

Well done for taking the time to set things straight to us all anyway.

[fackstah 31]

You're forum passwords were not at risk as they were' date=' in the parlance of our time, "salted".

[/quote']

They were salted with the tears of carebears

we have nothing to worries about everyone !

( on a side note you you should open up a store and sell these tears :P )

[Huey (DayZ) 87]

Instead of saying "FIX IT"#&*%@&!%&(" i am just going to say :

People make mistakes, i make them all day lol !

You`re doing a great job Rocket, Tonic + others.

[vanrosemont 26]

Thanks rocket, your info is always clear and devoid of bullshit. much appreciated. kudos to the team in what must be a rollercoaster in a tornado.

To the haters: for shame.

[Guest]

lol

[demine0 43]

Fact: One of our Artist's PC's was hacked by a person known to him.

And then in Tonic's sticky post:

A person has gained access to our main email account which have details listed for our FTP's' date=' etc.[/quote']

So can I assume that this artist had access to that main e-mail account which has details listed for your FTP's, ect?

Server hosts who provided us with RDP details are comprised and need to thoroughly scan their server for the same type of processes and to change their servers RDP details

So' date=' I'm assuming all of our RDP Information was also stored in this account as well? When I sent my RDP information, I remember sending it to a gmail account, of which the address was publicly well known, and everyone who knew that address, knew that RDP information was being sent to it. That alone makes it an obvious hack target.

He then uploaded a malicious application to the US file host which has since been taken offline.

The file was called dayz_auto_updater.exe

This malicious software is lead to be a backdoor / bot.

So it's NOT just servers that were compromised then? It was essentially anyone who trusted dayz enough to download what they thought was an automatic updater for dayz.

Why wasn't your US mirror running antivirus software on it? MS security essentials is free for servers, and finds that variant of malware. That should have been a REQUIREMENT on all dayz servers, as I had mentioned in the past. If the mirror was linux, clamav is free, and has realtime ftp upload plugins.

He managed to get a database backup from the 22nd

So, not only did that account have FTP passwords, donor's RDP server details in it, but it also had login details for accounts you guys use for backup's and mirror's too?

Why did an artist even have access to that account? What purpose does an Artist have with your backup location FTP, and your forums FTP? Why would you give them access to that account knowing RDP details,are being sent to that account?

Why are you keeping PLAIN TEXT passwords in a GMAIL account? Even if you switched everything over to in house email hosting, why are you keeping passwords in an e-mail account at all? Especially Donor server RDP details? Those passwords should have been deleted from the e-mail as soon as they we're received, and placed into a secure database. Honestly e-mail shouldn't even be used. What would have been even quicker and more secure, is a VERY simple https page with a form for players to submit their details to an sql database. Something i'm capable of doing in less than an hours time. So time constraints really not an excuse in this case for a lack of basic security.

I really hope your not downplaying it as much internally as you guys are publicly, because these are all really serious security issues that need to be dealt with. Do you have anyone who is in charge of your IT security? If not, you guys should probably find one. If you allready do have someone, then you need to fire them because they either have no clue how to do their job, or much like everyone else on your team, they're over worked. I've been managing an IT security and engineering firm for 6 years, and have seen my fair share of network admins and security consultants come and go. I would expect the greenest security consultant I hire to be able to take care of all of the above issues that I touched on. For everything above to slip through, was a MAJOR over sight.

How is the DayZ staff going to handle server support now? I have atleast one new PM in my inbox every day from some poor server admin, begging me to help them because they've either been waiting weeks to get there server setup, or has had their server broken and abandoned by the dev team for some reason or another. I can't imagine these new restrictions your staff is going to have to deal with will help take the load off on these issues either.

The one thing that really irks me about this entire situation as a server host myself, is that multiple hosts have made the DayZ team aware of many of the security issues and server hosting issues that are present. Myself and other respected server hosts had even come up with procedures and systems that could be put in place to make support more streamlined, and secure, I've talked to Lightfoot over skype about some of them, and he seemed excited about the idea's we all put together, but I never heard back from him.

[Vipeax 318]

I really hope your not downplaying it as much internally as you guys are publicly' date=' because these are all really serious security issues that need to be dealt with.[/quote']

Was already taken care of, before this thread was made.

Do you have anyone who is in charge of your IT security? If not' date=' you guys should probably find one. If you allready do have someone, then you need to fire them because they either have no clue how to do their job, or much like everyone else on your team, they're over worked.[/quote']

There is quite a difference between a bunch of guys working together across the globe (for free/side-project) and a firm where you are all on the same LAN, having it a lot easier to protect PCs and prevent them from being accessed by others.

How is the DayZ staff going to handle server support now? I have atleast one new PM in my inbox every day from some poor server admin' date=' begging me to help them because they've either been waiting weeks to get there server setup, or has had their server broken and abandoned by the dev team for some reason or another. I can't imagine these new restrictions your staff is going to have to deal with will help take the load off on these issues either.[/quote']

Server setups won't be done anymore as the whole system was setup for <10 servers, not >500 servers. Changes were already planned, but were planned for right after the E3, as the little time before the E3 was already filled with as much fixes as possible for the time that was remaining (as E3 would almost freeze the project).

The one thing that really irks me about this entire situation as a server host myself' date=' is that multiple hosts have made the DayZ team aware of many of the security issues and server hosting issues that are present. Myself and other respected server hosts had even come up with procedures and systems that could be put in place to make support more streamlined, and secure, I've talked to Lightfoot over skype about some of them, and he seemed excited about the idea's we all put together, but I never heard back from him.

[/quote']

Said this a zillion times on these forums, when you expect <10 servers with <200 active players and get >500 servers with >10.000 active players (over 50.000 play every single day of the week) you also run into a wall when it comes to your original plans.

We care a lot, we learned a lot, we changed a lot.

^ My view on what was, what happened and what's coming next.

[hatesauce 99]

To be quite honest I think the DayZ staff handled this even more swiftly than some larger paid game companies to which I won't name names as it's irrelevant who. I just want to point out to people that this kind of stuff happens to a lot of studios/games/sites at least once or twice in their existence.

This can be pretty much considered part of the growth process. Not only does the DayZ staff now know what type of policies they may need to enforce going forth but, have potentially learned how this can be avoided in the future.

I think that the community should be patting you guys on the back for the attention and haste in which you handled this and with a public and detailed manner.

Thank you.

[robosheriff 13]

good to see that the team cares enough to give an official word on whats happening.

i would give you interwebs rep if it had any sort of system lol

[castun66 20]

I'm glad to see that the issue was dealt with swiftly and the script kiddie banned. Anyone that is whining about non-related issues in this thread should be banned as well, but that's IMHO. :)

[ominouspenguin 10]

You're forum passwords were not at risk as they were' date=' in the parlance of our time, "salted".

[/quote']

The attacker had FTP access? So he had access to the PHP files containing the algorithm that generates the salt? If that is the case then the passwords are at risk. Is this not the case?

I use random passwords so I'm not bothered, but others might have reason for concern.

[stevejeon 0]

Pffffttt..

Doesn't matter. Nothing of interest was lost and the code base remains secure.

Nice of you to say but kudos to Tonic.

He done the job with the info he had and it worked. Might not have been completely accurate which is understandable (never is with a compromise) but it still worked, he let people know which is the important thing.

Its all good, despite some apparent whinging to the contrary no one died.

[coronel_niel 0]

Shoe on head Tonic?

[fackstah 31]

Shoe on head Tonic?

i think it is the only solution !

haha but really people calm down the more pressure you put on them the harder it will be for them to release content and try to put together the logistics that has become the monster known as DayZ

[djshauny1 222]

Thanks for the heads up rocket