Inactive [DEV] BukkitContrib Alpha 0.1.7 [1000]

Discussion in 'Inactive/Unsupported Plugins' started by Afforess, May 21, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    Afforess

    BukkitContrib is superseded by Spout, the new Bukkit/Client framework.
     
  2. Offline

    mooglestar

    Sorry for the late reply. I am on Mac OS 10.6.8, and on Java 1.6_026.
    All the chunks were loaded as well, and my computer is high end. It just didn't seem to want to work!
     
  3. Offline

    FrostyWolf

    Read back some, I've had this discussion with him already. The short answer is no, but he might add an option minimap.
     
  4. Offline

    Evenprime

    I've added a feature request to Bukkit's bug tracker http://leaky.bukkit.org/issues/1074 for a new Event I'd call "PlayerVelocityChange". I'll just copy the short version of the description over here; the long version with more technical details is available at the tracker:

    There is no reliable way to find out what "velocity" packets the server sends to the client.
    These packets however have great impact on how a player will move afterwards, therefore it
    would be interesting to be able to capture/read/modify/cancel sending of these.
    It'd also help me greatly with my NoCheat plugin which suffers from the lack of such a
    "PlayerVelocityChange" event.

    Now I wanted to ask, in the case that the Bukkit team doesn't want to implement a thing like that (or doesn't have the time), would it be technically possible for BukkitContrib to provide something similar? It'd really help me out a lot to have that kind of access to the velocity data that gets sent to players.
     
  5. Offline

    Snookieboy

    I just witnessed, with this plugin, Server Admins pulling Clipboard data from clients without a single prompt or warning. Nor did this Mod provide clients warning that installing it made their personal information public.

    How can a Mod like this even be welcomed by the community???
    Surely if it's going to steal personal info and provide it to server owners, it should at least have some safety measures in, like 'Server would like to read your clipboard, Allow/Deny' or 'Server would like to set your clipboard, Allow/Deny'.

    Luckily I only had an email address copied, but imagine if someone copied a password or something important, without knowing this mod made that information public?
     
    Jan Tojnar likes this.
  6. Offline

    dumptruckman

    This is a pretty valid point... But I'm quite sure the intention, as added in BukkitContrib, was not to steal information from users. I agree, it should mention that in the install or w/e. BukkitContrib itself does not do this but allows for plugins to be made that could do it. I agree, there should be some sort of safety measure... Perhaps one could be added when GUI support is available.
     
  7. Offline

    Redyugi

    Sounds like I wouldn't be going to that server any more, if the Admins are doing that. I don't know any decent people who would use this plugin like that, so obviously, you have dishonest admins, and that is where the problem lies.

    I wanna do something special for my server with this... Not sure what yet, but at least I have this to help. Thanks @Afforess :)
     
  8. Offline

    Snookieboy

    Redyugi, you say don't go back, but how would people joining servers know about this? In fact the entire operation could be done on the quiet, logging people's usernames and clipboards; it wouldn't be hard for them to eventually get a hit. The only good thing is these Admins made public the vulnerability and provided proof of concept.

    It's the Mod API creator's fault for even thinking such a command of reading users' clipboard was a clever idea without prompt, and awareness needs to spread about how this mod API leaks personal details BY DESIGN until at least common sense security practice is applied to this API's development.
     
  9. Offline

    dumptruckman

    I have opened a support ticket for a possible option to disable this feature upon installation.
     
  10. Offline

    FrostyWolf

    This is not an API problem. If you're connecting to a server that went out of their way to steal your personal information, that's their issue. These are tools; how they are used is up to the plugin developers. Every time someone shoots someone we don't arrest the gun makers; every time someone speeds we don't arrest the company that made their cars.
    If this feature didn't exist in this API, the people that made the mod to steal your information can just as easily add it in themselves; the mod is open source. When you download a client side mod you're taking a risk.
    There is no way to prevent this. If he adds an option to turn it off, the server that's stealing your info is just going to modify the source so that it's always on. If he removes it, they're just going to add it in. This is NOT his problem.
     
  11. Offline

    Snookieboy

    I think you're missing the point: there was a specific API made to pull copied data from a client's clipboard. This was not written by a mod maker using the API, but an actual function that existed in it which serves no legit purpose. Quite frankly it should be pre-programmed, if it needs to pull that data, to prompt a user.

    You gave examples of guns and cars, but got the example wrong. Could throw this back at you: If a car maker made a car with non-working brakes, and a user crashed the car and killed someone without meaning to, would you sue the maker? Damn right.

    If he removes it, they can't add it back in without making their own unofficial build, which hopefully will not get community approval and hence wouldn't spread much at all and be no threat.
    The point is, this build is being loved by Mod Makers and the community, but such security holes exist in this version. So it is his problem, and your problem, but then again the opinion you have, you either want to get praise from the author for sticking up for such a point or you really don't have much care for personal information security.

    Either way, I hope I've raised awareness of this issue.
     
  12. Offline

    RGadelha

    Ok, thanks.
    Using CJB's for now.
     
  13. Offline

    jessenic

    Getting data from clipboard is too easy, it could be hidden in a closed source plugin somehow too.

    @Afforess, could you look into making a prompt if it was allowed or an option in settings or something? It is not good now. Also, have you looked into MC1.4's April Fools' joke chest GUI? It might have some use with custom GUIs (like a clipboard prompt). I have the jar if you need it.

    P.S. Might BukkitContrib have something to do with those "Access to clipboard Denied" errors on other apps like Trillian, Skype, Notepad, Chrome... All apps actually?
     
  14. Offline

    matze134

    You are a God for Minecraft...
     
  15. Offline

    FrostyWolf

    No, you are missing the point. Nothing is broken here, and if you read the comments, he clearly added this feature knowing this could happen. There is nothing he can do to fix this issue. Did you read what I posted? This is open source. If he removes that feature, he is only going to be hurting people that plan on legitimately using it for mods. If anyone wanted to steal your clipboard data, THEY CAN DO IT ANYWAY. As soon as you install a client mod, the server that's hosting it can modify it any way they want. They will just add it back in. Or make their own.
    The only issues here are that:
    1) People are installing client side mods without understanding the risk, a risk Notch has vocalized on his blog many times.
    2) How would your password be on your clipboard? You either save it in the client or type it. You would have to have some text document on your computer full of passwords you copy and paste out of, which is a MUCH higher security risk than this will ever be.
    You are simply blowing nothing out of proportion because you either do not understand it or you have come to instigate a troll fight. Either way, both of my posts have plenty of reasons why this is not something that is in the mod API's hands to fix, nor is it possible for him to fix unless he goes to lengths to remove the code completely or disable it, which will completely not matter because most servers that use this mod have instructions and download links on their webpage, and can easily direct those links to their own version of the mod that has said security measures removed, without their users having any idea it is happening. Most users don't even know what Bukkit is; they will have no idea whether or not their client mod is the "official" build or not.
    You came here accusing him of leaving open security holes in a mod API that does nothing. The second you touch mods for ANY game, this issue exists. It is the MODS themselves, not the APIs, you have to worry about. This API does NOTHING to take your data, unless someone makes a MOD that does so. Limiting features on an API is not going to fix this issue for you. Finding a server you can trust and not storing your passwords in a horribly unsafe manner will.
    Don't get me wrong, I'm not saying that an option to turn it off is a bad thing. I'm not saying a warning is a bad thing. But you're missing the concept of the internet... if someone wants to do it, they are going to do it anyway. There is no security measure that he can put into the mod that will stop this from happening if the server exists to be malicious in the first place.
     
  16. Offline

    paully104

    @Afforess looking into the issue a little bit, only I, the server host, can connect when forcing the client. Everybody else disconnects in 3 seconds and can't stay in the game even with the client installed :\
     
  17. Offline

    Afforess

    Not with this plugin, you didn't.

    Yes, I expose the clipboard, it's not hidden, it's in public view.

    I'm sorry, but I don't see the issue. A plugin would have to be specifically coded to give admins the clipboard, and you have to join their server. What part of that involves me?

    Um, it's public information, I linked to it in the Javadocs.

    There are plenty of legit purposes. Copying and pasting into the chat bar? Setting the clipboard to a url so players can vote up the server? I could go on...

    How is the car defective? You got the car for free, you can't really sue for damages in the first place. Your analogy is terrible.

    I'm not removing the feature, I've not seen any compelling arguments against it, only anger and fear-mongering, which I can not tolerate. Give me serious, rational arguments, and I'll consider your suggestions. Post absurd scare tactics, and don't be surprised by my scorn.
     
    BigRenegade and iPhysX like this.
  18. Offline

    Snookieboy

    We will never see eye to eye on this, but here goes.

    Tell me the legit use of reading a user's clipboard? Setting it may have a little use for whatever reason, reading it not so much. No doubt you'll reply with some random use for it to justify it; however, I don't see how or why a prompt can't exist, so fire in command Window: Server wants to read contents of your clipboard, allow? Simple enough; heck, with all the GUI stuff going into it I'm sure a visual prompt can exist for it.

    And yes, you're correct, it's highly unlikely that you'll have a list of all your passwords in your clipboard while playing Minecraft, but you tell me, over the course of the entire week, if you even thought about what you copy and paste on your own local machine? I'm pretty sure at some point you have copied an email address or something you wouldn't want public. It's unlikely, but I think I'm raising a valid point on this matter which, let's be honest, could lead to security risk. When I had it done to me, all I had was someone's Gmail address that I copied from Facebook to dump into Google+, but I'm pretty sure that person didn't want their email being made public.

    I feel I'm not blowing it out of proportion, but no doubt that's how you feel I am handling the matter, but I think this is an issue which shouldn't be overlooked. There is no awareness that this mod, which is recommended by Bukkit Plugin authors as well as the majority of the community, has pre-programmed APIs which pretty much breach your personal data security. I'm still lost to think what use this has compared to the possible security issues.

    What's next, an API used to pass ANY file including the Windows Registry to the Server Owner, just in case one or two user made mods would like to use an API to return a file?

    And it is the APIs I need to be worried about; they're enabling this information grab by a sanctioned, easy to use call. And yes, you can go on about how it's open source, but like I made in a previous post, that would be a separate build which doesn't have the trust and awareness this build does - this is heading towards mainstream, so it would be nice if client security was taken into account.

    Is it really that much of a bother to you the point that is being made?
     
  19. Offline

    jessenic

    Yes, legit purposes on setting the clipboard data. But getting is not so useful; BukkitContrib allows Ctrl+V in chat so that should be enough. Also, I have passwords on my clipboard all the time. I know the risk but I have to. There are many web services that send passwords via email and some don't allow you to change the password to an easier, more remember-able password, so I prefer copying and pasting them instead of typing them. I know, I should remember them, but you don't just look at them and memorize them the first time you see them, so you have to use copy and paste all the time. Also, if you are not going to make a GUI prompt, make a clientside chat command. Zan's clientside Shape Builder cuboid plugin for SMP (I don't remember the name) did that well.
     
    Jan Tojnar likes this.
  20. Offline

    alta189

    I am going to use getting the clipboard in a plugin I am working on.
     
  21. Offline

    Afforess

    I understand your concern, but it ignores one fact - you've ignored the security of all your other applications too. After all Chrome, Office, Microsoft, Apple, Etc all have this same access to the clipboard, and I see no hell being raised over them.

    In fact, if security is so huge, why not write a plugin that wipes your clipboard after you log in? Then no plugins will be able to access the data at all.
     
  22. Offline

    jessenic

    It has its good uses, but also bad uses. What are you going to use it for? I don't see getClipboard() being useful without a prompt that asks the player to give the server and its plugins access to the player's personal data.

    P.S. @Afforess, could you answer this:
     
  23. Offline

    Afforess

    FYI: I am on #bukkitdev right now if you want to discuss things with me.

    I'm investigating the cause of the clipboard issue.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jul 15, 2016
  24. Offline

    alta189

    I am coding a plugin where you can tie keys to commands with variables such as the clipboard and many others.
     
  25. Offline

    Snookieboy

    I appreciate your views on the matter, Afforess, and the manner in which it was brought up wasn't ideal, but I'd like to really end the possible flame war that's going to come by providing my final thoughts on the matter, then leave it up to you to best judge with your Mod API the way you would like to go forward.

    I would go to say, around 98% of Minecraft users who install your mod do not fully understand what it's capable of. They're taking it based on recommendations from fellow players, its placement in this forum and other factors. As a programmer, you need to appreciate that users are placing a level of trust in you; most people do not understand programming or have the ability to fully grasp how your Mod works. Those users will most likely assume that you have put responsible safeguards into your API so as to, where possible, stop it being used for exploiting their personal information.

    While yes, I can see there may be cases where setting a user's clipboard may be useful, I don't see much of a case for reading a user's clipboard, especially as Jessenic pointed out users can now copy and paste into the chat window using your mod. It comes down to the debate: is the feature of reading a clipboard going to be more useful to Mod writers, or do more damage than good with a risk for personal data theft? Do you believe the feature has more good, vs the possible dangers (especially taking into account a user CAN paste in the chat window now)?

    I meant no evil with my posts, though I honestly and personally believe that the issue raised is of concern; there is a chance that personal information can be leaked. You stated what Mod authors do with your API isn't your problem or your thought, but you are providing them with a platform that enables them. A simple solution if you wanted to keep the API is to give the users a choice. That way, users can be informed and make their own judgement on whether or not the server really needs to read their clipboard.

    As a programmer, you're capable of many amazing accomplishments, but when weighing in features it's worth considering the security issues resulting from them. When users install your Mod API they do in most cases expect the code to work in a safe and controlled manner. Your reference to documentation showing that the call exists, let's be honest, most users wouldn't understand or take the time to read. Is that their fault? To a degree yes. But this community should know better and do what it can to protect the less experienced users. When they install a plugin, they should expect it will collect only the data it needs to operate. When you install McBans, you expect it to log joiners and check them against a known database; when you install Logbook you expect it to read and log every block break, chat, command etc. It's a level of expectations. I'm not too sure if users were made aware in clear English during the install or first run that 'Server owners can read any data you have in your clipboard' that they would be overly happy, but it is essentially what is happening.

    I appreciate the time to review the issue.
     
  26. Offline

    Afforess

    @Snookieboy

    What would you have me do? Rip the feature out? BukkitContrib is about expanding horizons, not curtailing them. I could provide a server config option to block access to any players' clipboards, but you seem to be worried about malicious server owners, which that will do nothing to protect against. Should I add client side configuration with the ability to block clipboard access? If so, I doubt many will know it exists, or disable it. If I disable it by default, I essentially removed the feature for, as you put it, 98% of users.

    There's no winning scenario. Either way, I'm the bad guy. Either I "ignored" security concerns, or I removed valuable development features.
     
    Hirutenshi and Redyugi like this.
  27. Offline

    matze134

    I get this error if I started Minecraft with the "Having Crashing issues with the client?"

    java.lang.ClassNotFoundException: net.minecraft.client.MinecraftApplet
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at net.minecraft.GameUpdater.createApplet(GameUpdater.java:423)
    at net.minecraft.Launcher$1.run(Launcher.java:87)

    When I start the "Download BukkitContrib SP for the MC client
    (Double click the jar and follow the installers instructions)" installer the cmd window opens and close, but nothing happens

    I added the Files manually and it works fine (after I delete the meta-inf Folder... :D)
    Can you write behind the link? :D so you do not forget it
     
  28. Offline

    alta189

    @Snookieboy
    It's the job of the server admin to not put anything that is not a good plugin on their server, they are the ones responsible for their users
     
  29. Offline

    Skeven

    Last I checked, these companies/programs can't remotely access your clipboard and read/use your information. They only use clipboard data when the end-user pastes it or calls it from another function. And in most cases that's typically data only between the end-user and the program, and not a 3rd party.

    How is allowing a user's clipboard to be discreetly read by others, without their consent, considered a feature?

    You're essentially saying that BukkitContrib is "not a good plugin", and shouldn't be installed on servers.
     
  30. Offline

    Afforess

    Did you read that 100 page EULA when you installed the program? I expect the rights to your soul were somewhere in there too...

    Anyway, I will be providing an option to opt out before the official 0.2 release cycle.
     
  31. Offline

    Skeven

    Much appreciated.
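
One way the Allow/Deny prompt and client-side opt-out discussed in this thread could be enforced on the client, as an added example that is not part of the thread and is not BukkitContrib code. The class and method names, server addresses and clipboard text are all hypothetical; the prompt and clipboard are injected so the example runs without a GUI.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;
import java.util.function.Supplier;

// Hypothetical client-side consent gate. None of these names come from BukkitContrib.
public class ClipboardGate {
    public enum Op { READ, WRITE }

    private final boolean enabled;                 // client-side opt-out: false refuses everything
    private final BiPredicate<String, Op> prompt;  // asks the player; true means "Allow"
    private final Supplier<String> clipboard;      // injected clipboard source
    private final Map<String, Boolean> remembered = new HashMap<>();

    public ClipboardGate(boolean enabled, BiPredicate<String, Op> prompt,
                         Supplier<String> clipboard) {
        this.enabled = enabled;
        this.prompt = prompt;
        this.clipboard = clipboard;
    }

    // One remembered decision per (server, operation): allowing WRITE never implies READ.
    private boolean allowed(String server, Op op) {
        if (!enabled) return false;
        String key = server + "|" + op;
        Boolean decision = remembered.get(key);
        if (decision == null) {
            decision = prompt.test(server, op);
            remembered.put(key, decision);
        }
        return decision;
    }

    // Server asked to read the clipboard: text is returned only after an explicit Allow.
    public String onReadRequest(String server) {
        return allowed(server, Op.READ) ? clipboard.get() : null;
    }

    // Server asked to set the clipboard: returns the text to store, or null if refused.
    public String onWriteRequest(String server, String text) {
        return allowed(server, Op.WRITE) ? text : null;
    }

    public static void main(String[] args) {
        // Constructed sample data: addresses and clipboard contents are made up.
        Supplier<String> fakeClipboard = () -> "friend@example.com";
        // Stand-in for a GUI dialog: this player allows writes, and reads on one server only.
        BiPredicate<String, Op> player = (server, op) ->
                op == Op.WRITE || server.equals("trusted.example:25565");

        ClipboardGate gate = new ClipboardGate(true, player, fakeClipboard);
        System.out.println("read, unknown server:  " + gate.onReadRequest("unknown.example:25565"));
        System.out.println("write, unknown server: "
                + gate.onWriteRequest("unknown.example:25565", "http://vote.example/"));
        System.out.println("read, trusted server:  " + gate.onReadRequest("trusted.example:25565"));

        ClipboardGate optedOut = new ClipboardGate(false, player, fakeClipboard);
        System.out.println("read, opted out:       " + optedOut.onReadRequest("trusted.example:25565"));
    }
}
```

A gate like this only binds the client build the player actually installed; as post 15 argues, a server that hands out its own modified client is outside its reach.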
     