[IDEA] Sponge "Hack-a-thon"

Squawkers13 · March 31, 2015, 12:57am

Continuing the discussion from Suspicious Plugin Response Team Training [CLOSED see post for details]:

I think it would be a good idea to do some of this, so we can find vulnerabilities in the Sponge API.
Also so we can create plugin upload screening software

modwizcode · March 31, 2015, 1:04am

I think my post explains why this is not a great idea pretty well. @Zidane maybe you could do some tweaking to my post to make this fact clear?

Squawkers13 · March 31, 2015, 1:13am

Maybe I should just turn it into a forum game then?

RobodudeMC · March 31, 2015, 1:21am

On another topic

I didn’t do this alone, I’m sorry if that wasn’t clear from my post. I had a discussion with several fellow members of the staff on IRC and we came to the conclusion, which I now fully recognize, that the competition overlooked the negative aspect of encouraging people to provide what is basically, malware. Specifically putting this up for people to freely download gives them ready made exploits to use or start from. Additionally, instead of having many novice or intermediate type exploitative plugins, the competition may lower the bar to the time-consuming advanced and expert level exploits.

If you wish to create another topic or have a conversation on IRC with the staff and/or the community, then go right ahead. However I don’t wish anyone to think that I was “forced out”, I simply missed the big picture result of what I had invented. I also knew that when I wrote it, the rest of the team would either be thrilled, or annoyed and I was waiting to see which would win. It was initially pretty good but more experienced people have more experiences that I’m going to recognize and yield to the wisdom of.

This was the explanation that I was given after talking with @modwizcode I wish we could do it too…

Squawkers13 · March 31, 2015, 1:38am

That’s a great explanation.

However, I still think plugin upload screening software would be useful.
(Or you could just remove any mention of setting op status from Sponge.)

modwizcode · March 31, 2015, 1:57am

Plugin screening will be done by people, they may be aided by tools but plugins are manually reviewed. Uploads MUST go through people before they are posted. It’s far easier to trick a screening tool than someone possessing a copy of the bytecode and running through it line by line at worst.

doot · March 31, 2015, 2:13am

But won’t that get to a point where plugins will take forever to get approved?

RobodudeMC · March 31, 2015, 2:49am

I really don’t see another way tbh. I have spent a good amount of time trying to think of alternatives.

doot · March 31, 2015, 3:13am

How about: Plugins can be uploaded without approval, but until approved, there is a big warning to downloaders that the plugin hasn’t been approved, or similar.

RobodudeMC · March 31, 2015, 3:15am

That does work to solve the issue of a backlog, still requires fairly large manpower to not get incredibly behind though. Also, amateur server owners probably are not even aware a plugin could exploit their setup and leave them vulnerable, what happens when someone uploads a malicious plugin? You see how well ASOs listen on sponge when we have at multiple locations that it is not ready for download. They are going to look right past a warning label.

modwizcode · March 31, 2015, 3:59am

BukkitDev may have been fairly slow, but it was a lot faster than getting new updates to an iPhone app. So as long as we are faster than that, I think the Ore plugin response team will be fine. I know I don’t want any links even with cigarette ad style warnings in front of them if the file is unapproved, since many misguided server owners don’t read the messages.

RobodudeMC · March 31, 2015, 4:04am

WARNING: INSTALLING UNAPPROVED MODS IS HAZARDOUS TO YOUR SERVERS HEALTH.

http://www.eyeofthegeek.com/gallery/var/albums/ComputerDemolition/ServerDestroyed/Picture%20014.jpg?m=1343768558
This message brought to you by the sysadmin general.

doot · March 31, 2015, 4:06am

ASOs probably won’t even recognize what that is though.

bdubz4552 · March 31, 2015, 4:31am

That mobo got rekt… scratches head How does that even happen?

Should probably make this more relevant to the original topic…

My university has a hack-a-thon, but its not about hacking and breaking things, rather, its a 24 hour competition to build some piece of software. Some great things come out of timed competitions (I believe the Trouble in Terrorist Town Garry’s Mod gamemode was made in some sort of timed competition, don’t quote me on that, though) and I do think that could be beneficial for the community.

mbaxter · March 31, 2015, 2:50pm

We regularly had approval measured in minutes rather than hours. The difficulty isn’t the system itself it’s getting volunteers willing to suffer through review, and then deal with an utterly ungrateful community in the extremely rare event they make a mistake.

simon816 · March 31, 2015, 5:58pm

There’s been many discussions on that particular topic already

etc