Ethics of Exploitation

[Nosajimiki]

So... I was recently informed that one of the criteria of "Ethical Hacking" is to obtain permission from the owner of the data or system and to request a scope of how far is too far. So as a question for Schine (and in specific cases, server owners), how far do you want/not want players to attempt to hack/exploit systems for the purposes of alpha testing? Do you want us to just be testing for balance? Should we be looking for in-game exploits? Should we be testing the game against external vulnerabilities. Should we avoid looking for vulnerabilities that might reveal PPI or information about the servers that are running the game, etc?

 

[Ithirahad]

So... I was recently informed that one of the criteria of "Ethical Hacking" is to obtain permission from the owner of the data or system and to request a scope of how far is too far. So as a question for Schine (and in specific cases, server owners), how far do you want/not want players to attempt to hack/exploit systems for the purposes of alpha testing? Do you want us to just be testing for balance? Should we be looking for in-game exploits? Should we be testing the game against external vulnerabilities. Should we avoid looking for vulnerabilities that might reveal PPI or information about the servers that are running the game, etc?

I think the requested policy is, more or less, do pretty much whatever is necessary for testing's sake, but report and do not reveal (or, preferably, use) the exploits.

 

[Az14el]

"im testing lolol" ~choir of the shipyard dupers

this is probably better answered by an inevitable jury of your peers if you really NEED that kind of ethical hand-holding, but i doubt the vast majority of us do

 

[JinM]

Should we be testing the game against external vulnerabilities. Should we avoid looking for vulnerabilities that might reveal PPI or information about the servers that are running the game, etc?

I now assume you talk about vulnerability of important information, like password hashes and extended profile data like mails and clear names. The examples that you give are not really important information. Extended server info and PPI are not really a big deal... (I guess you mean PPI in context of the programmable periphal interface. Or do you mean personal profile information? Because if you mean the second, then you should edit your OP and clarify this. This isnt an IT-professional forum, most people here are foreign language gamers and don't know what you mean with this fancy acronym.)

Yes, ofcourse you should look for such stuff. Shine is grateful if you send them information about such leaks via a private channel.

And if you put the word ethical into the context: It's also very ethical to reveal dangerous exploits to the public, if they don't get fixed in a reasonable time. I mean if you can find them, others can too. But be aware, dangerous is a broad term. I wouldn't call an IP reveal, or the reveal of client's Java version as dangerous. Dangerous exploits are for example vulnerability of extended login data, like password hashes, or extended Starmade profile information, like mail and clear names.

If you reveal how to hack the game to reveal client's IP adresses you are not helping, as this is not a major security flaw. It's a minor one, and fixing it can happen over time. (IP adresses can be read by every server owner and website owner, and is visitting any website in the www dangerous in itself?)

Please explain to me, why you think extended server information can be harmful though. It's just like knowing the IP or the client's browser version imo. If Starmade reveals critical server data it's another road ofcourse. But I doubt that the vague information about the server as you give them in your example, are really harmfull.

 

[Nosajimiki]

I now assume you talk about vulnerability of important information, like password hashes and extended profile data like mails and clear names. The examples that you give are not really important information. Extended server info and PPI are not really a big deal... (I guess you mean PPI in context of the programmable periphal interface. Or do you mean personal profile information? Because if you mean the second, then you should edit your OP and clarify this. This isnt an IT-professional forum, most people here are foreign language gamers and don't know what you mean with this fancy acronym.)

Yes, ofcourse you should look for such stuff. Shine is grateful if you send them information about such leaks via a private channel.

And if you put the word ethical into the context: It's also very ethical to reveal dangerous exploits to the public, if they don't get fixed in a reasonable time. I mean if you can find them, others can too. But be aware, dangerous is a broad term. I wouldn't call an IP reveal, or the reveal of client's Java version as dangerous. Dangerous exploits are for example vulnerability of extended login data, like password hashes, or extended Starmade profile information, like mail and clear names.

If you reveal how to hack the game to reveal client's IP adresses you are not helping, as this is not a major security flaw. It's a minor one, and fixing it can happen over time. (IP adresses can be read by every server owner and website owner, and is visitting any website in the www dangerous in itself?)

Please explain to me, why you think extended server information can be harmful though. It's just like knowing the IP or the client's browser version imo. If Starmade reveals critical server data it's another road ofcourse. But I doubt that the vague information about the server as you give them in your example, are really harmfull.

My point is this: This is not our game and (with the exception of a few people) these are not our servers . Although we are not employees, as early access gamers testing is expected, but to what scope?

In the past people some people have revealed, not just in-game, but out of game exploits such as the one for blueprint stealing which could be used to steal what could be considered copyrighted materials. Some people have used the game to revel PPI, or at least collect enough information to derive PPI from. Ethical hackers are always supposed to have a scope about how far they are allowed to dig. For example: should we try to inject scripts to see if we can inject malware? Is decompiling the game and looking around at the nuts and bolts of it to find things out okay. Is breaking into Schine's servers to prove that the game's installer or source code can be compromised okay? Are there hosting server owners who do not want certain "tests" done on their servers for integrity sake? I know most people do what THEY think is okay, but that is not always legal or ethical whether they realize it or not.

 

[JinM]

Allright I have three answers, two short and one longer:

1: Just pm Schema directly and ask what he does if you privately send him flaws that only can be obtained via decompiling the code. And also state that you only want his answer for yourself individually, and that you don't ask for others. Others have to ask seperately. Don't ask for permission, you ask for a semi-permission: ask if he will take legal actions in any case.


2: If you still have the urge to find exploits via decompiling the code, you can allways send in found flaws anonymously. (If Schema doesn't give you an individual semi-approval.)


3: I assume that you mean with ethical hacking, how Shine reacts to exploitatioin and how their stance is. This is more a legal question. And smaller companies tend to say a general "no" on any decompiling or hacking of their code.

That doesn't mean they will prosecute anyone who sends them found flaws via those illegal methods privately and doesn't make them public. But formulating policies for ethical hacking is easily abusabable, as you basically say "you are allowed to decompile the code, if...". And it's very risky to use such a policy, but just saying "you are not allowed to decompile hack and exploit, no matter what" puts the developer allways on the save side.

So I guess no, it's not legally allowed to practise something what you consider "ethical hacking" with Starmade. And I guess there will never be any public approval of any ethical hacking pactises from any smaller developer. Just because approving it can easily be abused. Big companies have the lawyers to handle such abuse and complicated problems. Small companies are very likely to go the safe way.


I hope this answers helped you.

 

[Ithirahad]

Should we try to inject scripts to see if we can inject malware?

If it's into a local server or one designated for this kind of thing (as opposed to a public server, testserver, etc.), sure. I see no reason why not.

Is breaking into Schine's servers to prove that the game's installer or source code can be compromised okay?

Probably not. This is kind of outside of the scope most people are thinking of when your topic title is "ethics of exploitation."

Are there hosting server owners who do not want certain "tests" done on their servers for integrity sake?

Probably, and this is a reasonable thing to consider. Attempting to hack a service-hosted server doesn't strike me as the best idea in general (unless given express permission).