A new server is being developed: Kaya.gs
-
linuxdaemon
- Beginner
- Posts: 9
- Joined: Tue Apr 12, 2011 6:08 am
- GD Posts: 0
- Been thanked: 2 times
Re: A new server is being developed: Kaya.gs
They have a "feedback" button on the site that goes to: http://kaya.uservoice.com/forums/130479 ... s-for-kaya
I'd recommend adding your suggestion there.
-
Kaya.gs
- Lives with ko
- Posts: 294
- Joined: Fri Aug 12, 2011 10:52 am
- Rank: 6d
- GD Posts: 0
- KGS: Dexmorgan
- Wbaduk: c0nanbatt
- Has thanked: 25 times
- Been thanked: 78 times
- Contact:
Re: A new server is being developed: Kaya.gs
Joaz Banbeck wrote:I have a suggestion for a feature.
I'd like the players to have the option of making comments to the audience that the opponent can't see.
There is an entire feature described in the feedback section talking about this, which comes from this very forum because of the malkovich games.
Up vote it
Founder of Kaya.gs
-
illluck
- Lives in sente
- Posts: 1223
- Joined: Sun Apr 25, 2010 5:07 am
- Rank: OGS 2d
- GD Posts: 0
- KGS: illluck
- Tygem: Trickprey
- OGS: illluck
- Has thanked: 736 times
- Been thanked: 239 times
Re: A new server is being developed: Kaya.gs
Something here does not fill me with confidence about security/privacy handling for Kaya.
"To log-in to alpha, your password will be the same as your nickname. I cannot provide a more secure option because i dont have your emails in an organized and reliable fashion."
Let's for the moment ignore why the e-mails are not organized and reliable, but look at the potential issues with having passwords be the same as usernames.
My immediate reaction after I read that was "the alpha server must be private?" Perhaps the address would be sent via e-mail or something. (Alternatively, can e-mail the fact that the passwords will be the same as usernames). It still wouldn't be secure, but a lot better than making everything public (I definitely wouldn't find out, at least).
http://kaya.gs/kayags/project.php
Turns out that the alpha server is available from the front page
It's a good thing that we don't know the usernames of the founder accounts, the-
Wait...
http://kaya.gs/kayags/board_of_fame.php
Oh well, at least it's just the alpha test, nothing important in there at all, right?
Actually, it turns out that the e-mail as well as the option for changing it is visible.
This makes me very hesitant about whether I would provide ANY private (especially financial) information to Kaya in the future.

-
Kaya.gs
- Lives with ko
- Posts: 294
- Joined: Fri Aug 12, 2011 10:52 am
- Rank: 6d
- GD Posts: 0
- KGS: Dexmorgan
- Wbaduk: c0nanbatt
- Has thanked: 25 times
- Been thanked: 78 times
- Contact:
Re: A new server is being developed: Kaya.gs
illluck wrote:Something here does not fill me with confidence about security/privacy handling for Kaya.
"To log-in to alpha, your password will be the same as your nickname. I cannot provide a more secure option because i dont have your emails in an organized and reliable fashion."
Let's for the moment ignore why the e-mails are not organized and reliable, but look at the potential issues with having passwords be the same as usernames.
My immediate reaction after I read that was "the alpha server must be private?" Perhaps the address would be sent via e-mail or something. (Alternatively, can e-mail the fact that the passwords will be the same as usernames). It still wouldn't be secure, but a lot better than making everything public (I definitely wouldn't find out, at least).
http://kaya.gs/kayags/project.php
Turns out that the alpha server is available from the front page
It's a good thing that we don't know the usernames of the founder accounts, the-
Wait...
http://kaya.gs/kayags/board_of_fame.php
Oh well, at least it's just the alpha test, nothing important in there at all, right?
Actually, it turns out that the e-mail as well as the option for changing it is visible.
This makes me very hesitant about whether I would provide ANY private (especially financial) information to Kaya in the future.
If security is truly your concern, I can gladly inform you that this is the safest procedure I can do that allows founders to access the server without having to authenticate every single email by hand, which would take me hours and hence days of work.
If you want to know why I don't have the emails, it's simply because most users don't use the paypal email as their regular account sign-up email. So I'm gathering from each time founders ask for a nickname, or they put it themselves on the server.
You do well to distrust giving financial information, because no site should ever ask or save those kind of things on their own. You may have made a grave mistake if you ever handed such information to a non-banking institution for their keeping.
I noted that people could get other people's emails by the procedure you note here and I have taken action on preventing it until we can safely make people register their accounts without curious users such as yourself able to pass as them. You can check it yourself if you wish.
I hope this addresses your concerns and those of the people reading this post.
Regards.
EDIT: Before this post has any time to raise serious concerns, I have implemented passwords and sent them to founders' emails. Those founders who didn't get the email (check your spam folder, unfortunately) should email me.
The latest at the blog.
Founder of Kaya.gs
-
illluck
- Lives in sente
- Posts: 1223
- Joined: Sun Apr 25, 2010 5:07 am
- Rank: OGS 2d
- GD Posts: 0
- KGS: illluck
- Tygem: Trickprey
- OGS: illluck
- Has thanked: 736 times
- Been thanked: 239 times
Re: A new server is being developed: Kaya.gs
I checked last night and indeed e-mails were not visible anymore, and today the alpha passwords seem to no longer be the account names. Congratulations on the quick response.
However, several other things are rather worrisome, and I would like explanations.
You posted this in the K.gs chat last night:
"22:24 conanbatt(8d): u wouldnt believe what im doing now -.-
22:25 Nezumi(7d): what are you doing?
22:27 conanbatt(8d): getting every single email
22:27 conanbatt(8d): to put in the passwords
22:27 conanbatt(8d): this mfer in life19 made very public that u can get in without being a founder
22:27 conanbatt(8d): thing we founders knew already, but now being so public is an issue
22:27 conanbatt(8d): many people can try to log in
22:27 conanbatt(8d): so im gathering all the emails, one by one
22:28 conanbatt(8d): so i can send u passwords"
Let's for the moment ignore why you need to gather all the e-mails "one by one", but instead examine the mindset your comments reveal.
So, it appears that you knew that non-supporters can log in and yet took no precautions, which speaks well of your ability but rather poorly of your basic grasp of security. I have no experience in such things, but even I immediately saw the glaring issue when I read that blog entry.
Originally, I had planned to make a short post to ask you to explain your word choice, but I received a private message earlier today:
"I dont really take your post seriously, but i know other people might. Just in case that you really intended to put ur 2 cents and not just negatively blabbering about something, i must say that the greatest "security concern" to ever happen at Kaya.gs was you, by publicizing things that might want other users try to break things up, or panic.
So in interest of doing things better, any concern like this should be brought privately to us, and publicly only if we fail to react, as is the standard practice.
_________________
Founder of Kaya.gs "
I did consider submitting a feedback regarding it, but I suspected that I would simply be asked to remain silent.
It's rather weird to say that I made this issue public when everything required was already widely-accessible. Do you seriously not see that what you have decided to do was not a great idea?
You have willingly left private information of your users open to the public on purpose.
The biggest security concern really isn't me.
It's you.
- RBerenguel
- Gosei
- Posts: 1585
- Joined: Fri Nov 18, 2011 11:44 am
- Rank: KGS 5k
- GD Posts: 0
- KGS: RBerenguel
- Tygem: rberenguel
- Wbaduk: JohnKeats
- Kaya handle: RBerenguel
- Online playing schedule: KGS on Saturday I use to be online, but I can be if needed from 20-23 GMT+1
- Location: Barcelona, Spain (GMT+1)
- Has thanked: 576 times
- Been thanked: 298 times
- Contact:
Re: A new server is being developed: Kaya.gs
Thanks for posting illluck. I was thinking about becoming a founder of kaya.gs, it looks an interesting project. I'd rather not, even more after reading yesterday the PR onslaught on the avenger controller PR-guy.
Security by obscurity in very-late-2011? Seriously? And what do we do when all our emails (possibly also Facebook, Twitter, paypal and more information) are compromised because the server was broken because "you knew about the SSH patch but thought it was not that important/known"?
Geek of all trades, master of none: the motto for my blog mostlymaths.net
- daal
- Oza
- Posts: 2508
- Joined: Wed Apr 21, 2010 1:30 am
- GD Posts: 0
- Has thanked: 1304 times
- Been thanked: 1128 times
Re: A new server is being developed: Kaya.gs
Illuck made nothing public that wasn't already obvious, and the tone of Gabriel's responses is extremely disappointing to this "founder" and probably more damaging to kaya.gs than anything anyone else could say.
Patience, grasshopper.
-
cata
- Dies with sente
- Posts: 72
- Joined: Sun Sep 25, 2011 9:39 pm
- Rank: KGS 2k
- GD Posts: 0
- KGS: cata
- Has thanked: 1 time
- Been thanked: 24 times
Re: A new server is being developed: Kaya.gs
I don't give a crap about the security of the alpha test (although it's sort of bizarre that Kaya wouldn't just email out registration links where you can set your password and be done with it) nor do I really care what anyone says in a chatroom, but when I read this PM excerpt
"I dont really take your post seriously, but i know other people might. Just in case that you really intended to put ur 2 cents and not just negatively blabbering about something, i must say that the greatest "security concern" to ever happen at Kaya.gs was you, by publicizing things that might want other users try to break things up, or panic."
it made me wish I could withdraw the donation I made earlier this year. Just some feedback on customer relations.
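An added example, not part of the thread and not Kaya.gs code: a Python sketch of the registration-link approach the post above mentions, as the alternative to passwords that equal public nicknames. `InviteStore`, the nickname, the link lifetime, the minimum password length and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of an e-mailed link
PBKDF2_ITERATIONS = 600_000     # assumed work factor for password hashing
MIN_PASSWORD_LENGTH = 10        # assumed policy


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class InviteStore:
    """In-memory stand-in for a server's account table (hypothetical)."""

    def __init__(self):
        self._pending = {}      # nickname -> (sha256(token), expiry time)
        self._credentials = {}  # nickname -> (salt, derived key), never the plaintext

    def issue_invite(self, nickname, now=None):
        """Return a single-use token for the e-mailed link; store only its digest."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[nickname] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def redeem_invite(self, nickname, token, new_password, now=None):
        """Set the password only if the token matches, is unexpired and unused."""
        now = time.time() if now is None else now
        invite = self._pending.get(nickname)
        if invite is None:
            return False
        digest, expires = invite
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, digest):
            return False
        if now > expires:
            del self._pending[nickname]
            return False
        # Refuse the exact weakness discussed in the thread: password == nickname.
        if new_password.lower() == nickname.lower() or len(new_password) < MIN_PASSWORD_LENGTH:
            return False  # the token stays valid so the user can choose again
        salt = secrets.token_bytes(16)
        self._credentials[nickname] = (salt, _derive(new_password, salt))
        del self._pending[nickname]  # single use
        return True

    def check_login(self, nickname, password):
        record = self._credentials.get(nickname)
        if record is None:
            return False  # no account is usable before the link is redeemed
        salt, key = record
        return hmac.compare_digest(_derive(password, salt), key)


if __name__ == "__main__":
    store = InviteStore()
    link_token = store.issue_invite("founder_a")  # constructed sample nickname
    print("nickname as password accepted:",
          store.redeem_invite("founder_a", link_token, "founder_a"))
    print("chosen password accepted:",
          store.redeem_invite("founder_a", link_token, "correct horse battery"))
    print("login with nickname as password:",
          store.check_login("founder_a", "founder_a"))
```

Knowing a nickname from a public list gives no access here, because an account has no usable credential until its owner redeems the token sent to their own mailbox.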
- CnP
- Lives in gote
- Posts: 438
- Joined: Tue May 25, 2010 3:25 pm
- Rank: 5k DGS
- GD Posts: 100
- Has thanked: 85 times
- Been thanked: 85 times
Re: A new server is being developed: Kaya.gs
Another founder here, but still happy to be one. Perhaps I'm naive but I thought the risk from someone knowing my email address was largely limited to getting rude emails. And the login issue could let someone login to kaya.gs as me. Period. So he let off steam and wrote an email whilst angry, which wasn't intended for public forums and shouldn't really be posted here IMO. I'm happy to wait and see how kaya.gs shapes up rather than jump to assumptions. Happy to have my donation as a donation. If kaya.gs were 100% finished it wouldn't be alpha. No offence intended to anyone.
I am John. John-I-Am.
-
Kaya.gs
- Lives with ko
- Posts: 294
- Joined: Fri Aug 12, 2011 10:52 am
- Rank: 6d
- GD Posts: 0
- KGS: Dexmorgan
- Wbaduk: c0nanbatt
- Has thanked: 25 times
- Been thanked: 78 times
- Contact:
Re: A new server is being developed: Kaya.gs
I will answer the other people that are concerned about this issue.
RBerenguel wrote:Thanks for posting illluck. I was thinking about becoming a founder of kaya.gs, it looks an interesting project. I'd rather not, even more after reading yesterday the PR onslaught on the avenger controller PR-guy.
Security by obscurity in very-late-2011? Seriously? And what do we do when all our emails (possibly also Facebook, Twitter, paypal and more information) are compromised because the server was broken because "you knew about the SSH patch but thought it was not that important/known"?
First of all RBerenguel, let's take a step back and look at the situation as a whole. Kaya.gs Alpha had no security breach because it had no sensitive information. How things were handled was known to all users right from the start, because it was of public domain. Illuck's post does not reveal any information founders didn't know right from the start, which is why people that considered their email sensitive sent a personal email to me, instead of putting it in the server.
There is no security issue in kaya because we do NOT store passwords and certainly not any other kind of sensitive information. That is not how a basic security system works.
If we were to handle such, we would take the proper cautionary precautions as I did as soon as I saw fit that a user had intentions of posing as other users for his own content, which is what happened.
cata wrote:I don't give a crap about the security of the alpha test (although it's sort of bizarre that Kaya wouldn't just email out registration links where you can set your password and be done with it) nor do I really care what anyone says in a chatroom, but when I read this PM excerpt
"I dont really take your post seriously, but i know other people might. Just in case that you really intended to put ur 2 cents and not just negatively blabbering about something, i must say that the greatest "security concern" to ever happen at Kaya.gs was you, by publicizing things that might want other users try to break things up, or panic."
it made me wish I could withdraw the donation I made earlier this year. Just some feedback on customer relations.
I am sorry that you perceive something so negative about that private message I sent to Illuck. It might be lost in translation, but even re-reading it after a good night's sleep, the point still stands. He made an aggressive post that showed me he had intentions of impersonating other users, which is why I promptly (in the next 2 hours) put up the passwords, which were already implemented well from before, but I needed to be able to send them to as many founders as I could.
Regarding the chat in the server, it is taken quite out of context, as several founders know I even jokingly call dp such when something has to be done on the design/board functionality.
I am sorry I have made you or anyone else that supports this project upset at this event. I will be more careful with my wording in the future.
Just take into account the facts, as how someone made a very aggressive post in a very bad tone:
-I responded both publicly (explaining and determining a course of action) in a polite manner,
-I responded privately (telling him what is the proper procedure if security concerns are really legitimate).
-I reacted to the situation by promptly fixing it.
-Right from the appearance of the post, I told all founders that were in the server and was completely open about the issue, the process of the solution and the outcome as they were being developed. Let me add that this "Illuck's issue" was discussed and talked over many times inside the server with the founders and had founders shown or expressed any concern from it, I would have finished it before.
The only reason why I delayed it was the bureaucracy of matching emails with the paypal donations.
I have no intentions of responding to Illuck's posts as they are obviously meant to be inflammatory, which is why my private message was sterile. He has done things with ill intentions, including publicizing private messages and impersonating a founder. I also understand that the standard for me is higher than him, as I have more responsibilities, which is why I repeat, I'm sorry for this disappointment for you (or any other founder that might feel the same) and I will be more careful in the future in the way I communicate with hostile and ill-intended users.
I stand by the now public message, that Illuck's concerns are not shared by me. But as it is usual in human behaviour, if someone says it's serious, others can believe it even though it's not. I was not demeaning the concern of adding passwords, I was stating that the message he originally posted made the "problem" much much worse, by showing that at least one user (himself) had intentions to log in as another founder, and inciting others to do so by providing the means comfortably through links to all the information.
Maybe I perceive a tone of aggressiveness from these posts that other users don't, but they are certainly meant for that.
I did learn a lesson from this, and that holding this project raises my profile and some people can be tempted into damaging my image or worse, the project's image. I promise I will make an effort to keep such opportunities to the minimum.
I hope you feel better about this whole matter after reading this post, cata.
daal wrote:Illuck made nothing public that wasn't already obvious, and the tone of Gabriel's responses is extremely disappointing to this "founder" and probably more damaging to kaya.gs than anything anyone else could say.
Except he has a name I don't know, or he really didn't want me to know he was a founder, he isn't one. Illuck has no relation whatsoever to the Kaya.gs project, other than his curiosity. He is not a customer or a user, he is just someone that read the blog and blew public information out of proportion.
You can talk to any founder in the server and ask them how I have been treating them, and I assure you they will tell you that I've done everything in my power to be of assistance.
Just in case I'm totally wrong about him, I invite him to continue a private conversation, where all the details can be discussed and ironed out, and later on we can post a public message in mutual agreement with our conclusions of the whole ordeal.
Last edited by Kaya.gs on Wed Dec 28, 2011 12:54 pm, edited 1 time in total.
Founder of Kaya.gs
-
cata
- Dies with sente
- Posts: 72
- Joined: Sun Sep 25, 2011 9:39 pm
- Rank: KGS 2k
- GD Posts: 0
- KGS: cata
- Has thanked: 1 time
- Been thanked: 24 times
Re: A new server is being developed: Kaya.gs
Thanks for the clarification. I like that you addressed the issue so quickly -- actions speak loudest. I guess we just have a difference of opinion about illluck's intent. I disagree that his (original) post was meant to be inflammatory, aggressive, or threatening; maybe it's just an Internet culture thing.
Here's hoping things are calmer in the future.
-
Kirby
- Honinbo
- Posts: 9552
- Joined: Wed Feb 24, 2010 6:04 pm
- GD Posts: 0
- KGS: Kirby
- Tygem: 커비라고해
- Has thanked: 1583 times
- Been thanked: 1707 times
Re: A new server is being developed: Kaya.gs
In general, it is polite to inform a company privately of security issues before making it public. It's, of course, optional, but a courtesy that one can make if they are truly interested in the security of a particular system.
be immersed
-
Mr. Mormon
- Dies with sente
- Posts: 99
- Joined: Tue Aug 24, 2010 3:44 am
- GD Posts: 0
- KGS: MrMormon
- Has thanked: 11 times
- Been thanked: 2 times
Re: A new server is being developed: Kaya.gs
On the other hand, perhaps making it public has succeeded in increasing the care the kaya developers will take in the future.
-
speedchase
- Lives in sente
- Posts: 800
- Joined: Sun Dec 04, 2011 4:36 pm
- Rank: AGA 2kyu
- GD Posts: 0
- Universal go server handle: speedchase
- Has thanked: 139 times
- Been thanked: 122 times
Re: A new server is being developed: Kaya.gs
Mr. Mormon wrote:On the other hand, perhaps making it public has succeeded in increasing the care the kaya developers will take in the future.
Why is this necessary if they respond to private messages?
-
Mr. Mormon
- Dies with sente
- Posts: 99
- Joined: Tue Aug 24, 2010 3:44 am
- GD Posts: 0
- KGS: MrMormon
- Has thanked: 11 times
- Been thanked: 2 times
Re: A new server is being developed: Kaya.gs
Punishment? You can't always expect the first person to find a weakness to be the reporting kind. But it still looks like kaya will have your average website security, so there's nothing to worry about too much here.