Weekly update #10

Still need to work on updating Cloudflare API… Getting an MRI today :O (Thursday 5 am)

Weekly update #9

Well, I didn’t get any extra work on Gamocosm done after the weekend >< Pretty stressed with problem set tomorrow and midterm on Friday :/ Might be able to do something after handing in the pset…

Weekly update #8

Reading break for school, hope to (finally) do more work this week. Preparing server upgrade (fixing version dependencies). Went through GitHub issues. Fixed GitHub settings so I should finally receive proper email notifications ><

Weekly update #7

I’ve updated the Security and Privacy page with information on what user data is stored. I plan to add HTTPS on the Gamocosm server side (currently there is only an HTTPS connection from the user to Cloudflare) this week with Let’s Encrypt (during original development and deployment, Let’s Encrypt was still in development). The reason this hasn’t been done sooner is that there will be a short downtime, as I may need to redirect Gamocosm’s DNS temporarily for Let’s Encrypt verification. I want to make sure I do it properly and have been procrastinating it :sweat_smile:

Reason for delays: I have an important (and hard) midterm this coming week on Wednesday. I’ve also been having particularly bad headaches this past week.

Weekly update #6

This is late again :sweat_smile: but still it’s here now! I started writing up the Security and Privacy page on the wiki, procrastinating on digging up all the references I need :sweat_smile: (I’m intending to do it properly, so it’s not easy!)

Also, I recently got back into IRC, so you can possibly find me as user raekye on freenode.net or esper.net. The #gamocosm channel is on EsperNet, but I “should” always be connected via a “The Lounge” self-hosted IRC client (running 24/7 on a server), so you can direct message me. I’m not sure how often the IRC history “hmmmbot” dies to netsplits or something, and I haven’t seen how well The Lounge handles netsplits/other disconnections, so there’s a chance I lose messages but it should be extremely small. Anyways, the most reliable way to reach me is still by reddit PM. But IRC is back on the table!

Hmmm, not to turn this into a personal depression-blog, but I also have been having chronic headaches since the summer. I’ve seen an optometrist (because at first I thought it was related to my eyes), and have been seeing a GP for several months now (and a social worker and a therapist :sweat_smile: ). The headaches can be pretty bad - up to 6-7 days a week almost continuously (e.g. go to sleep with a headache, wake up with the same headache), and intense to the point I struggle to do any work. Today (Friday, real date of this blog post :sweat_smile: ) was one of those particularly bad days where I could barely even focus to do anything (and yet I still had to force myself to lecture and office hours and finish an abstract algebra problem set). Still haven’t found the cause… It should still be statistically unlikely to be something serious, but I will be getting an MRI sometime maybe in the next month or two. On the off chance I do go completely silent… maybe ‘so it goes’ :P

Weekly update #5

Well, this isn’t looking so good except for the fact I’m still coming back weekly :sweat_smile: Working on a problem set and doing stuff for a research project… the Sunday night classic… Ok, promise now, no more trolling. Update coming before next Sunday.

Weekly update #4

Still too swamped to get anything done >< But at least this time around (lack of updates) I haven’t forgotten about Gamocosm! Hope this week will be better *embarrassed face*

Weekly update #3

A little late, been super busy these days. On the bright side, a week after the security incident it seems things are running smoothly and there were no other problems. My schedule starts to loosen up a bit after Wednesday. Hope to write more about Gamocosm’s security on the weekend.

GitHub account compromise resolved and Security disclosure

The following is a preliminary review of my GitHub account compromise (not GitHub’s fault) and related Gamocosm security. Gamocosm is a project of transparency; I may not be professional, but I intend to be genuine. I will continue documenting the security status and practices of Gamocosm over the next while. As bad as this incident was, I would like to reiterate that Gamocosm servers and data were not compromised.

Around 12:00 noon eastern time on 2018 January 7, a hacker gained access to my GitHub account and deleted the Gamocosm organization along with all the repositories. He/she then attempted to logon to my personal Digital Ocean account, presumably to try to delete the Gamocosm servers. Digital Ocean detected suspicious activity, automatically blocked the logon, and emailed me.

Fortunately, I just happened to be checking my email and quickly changed all my passwords. Unfortunately, before I could secure it, he/she also deleted my personal Gamocosm account. There was a small window in which he/she could have done more damage on GitHub, but it seems deleting Gamocosm was all.

This security breach was at no fault of GitHub’s; it was purely enabled by my own negligence in not protecting my logins and not enabling 2-factor authentication. I have updated all my passwords and enabled 2FA, and from this experience I recommend all of you do the same (I will look into adding 2FA to Gamocosm).

Fortunately, GitHub support was very helpful and able to restore the organization with all the old data such as the wiki and submitted issues. If they were not able to, I would have been able to restore Gamocosm itself (have copy of the source code), but we would lose some updated wiki pages and other data such as issues and discussions on them.

After thorough investigation (within my power), Gamocosm servers and data were not compromised. The servers and services used by Gamocosm were under better security than my personal accounts, though I’ve taken the time to tighten them up too. If Gamocosm’s database was breached, the following user data could be leaked:

  • emails
  • passwords salted and hashed with bcrypt (practically uncrackable; Gamocosm is following best practices)
  • Digital Ocean API keys (ability to destroy your servers and snapshots, or spawn many servers/use many resources)
  • any live server IPs, and the Minecraft Server Wrapper key (ability to start/stop/run commands on Minecraft server)

If Gamocosm’s server was completely breached, the following data would additionally be breached:

  • Gamocosm’s SSH key, able to log in as root on users’ servers to execute commands (run setup and update)

So the hacker(s) would have root access to your servers. This may be a huge oversight/something I should have made clear before, but there is no good way around it, and I considered Gamocosm to be very secure (possibly justified).

As for my GitHub account hack, it had no relation to the security of Gamocosm’s servers.

If the hacker chose to upload malicious code to the gamocosm-minecraft-flavours repository, he/she would be able to run said code as an unprivileged user on a new server. This step is performed before user SSH keys are uploaded (and root SSH keys are protected by OS filesystem permissions), so the only sensitive data that could be leaked is the MCSW key. This could later be used to start/stop/run commands on the Minecraft server. The hacker could install his/her own SSH keys and other user-level programs to continue snooping on a newly created server.

If the hacker tried to write malicious code in the primary Gamocosm repository (for the Gamocosm server), the Gamocosm server would only pull the code if someone with access to the server did so. This is a possibility if I am careless and do not review all git commits.

Further security documentation will be posted soon. Thank you again for your patience and support.

Urgent: my GitHub account compromised and Gamocosm organization deleted

Important notes:

  • Gamocosm servers have not been compromised (confident)
    • passwords in the database are salted and hashed with bcrypt (no nonsense, following good practices)
  • However, Gamocosm will fail to create new servers for now
  • Source code will eventually be restored on GitHub

I have no idea how and who did this… I am doing my best to restore this…

Update 7 (~20:05 ET) (final): Gamocosm GitHub has been restored. More information to be released tonight.

Update 1: (placeholder because I started counting updates at “2”)

Update 2 (~12:10 ET): I have reviewed and believe the Gamocosm server is still secure (my GitHub account was compromised). Furthermore, user passwords are salted and hashed with bcrypt, and should not be crackable.

Update 3 (~12:15 ET): It seems the hacker just targeted deleting Gamocosm… I have no idea why someone would want to do this… It seems he only had access to my personal accounts; fortunately, only the Gamocosm GitHub is directly under my account.

Update 4 (~12:20 ET): I have reserved the Gamocosm organization name and contacted GitHub support. Their page https://help.github.com/articles/deleting-an-organization-account/ says deletions are permanent.. but at least they used to keep deleted user accounts for ~24 hours for emergencies. Hopefully this can be restored… I do have the source code for Gamocosm locally, but would lose the project history, issues, pull requests, wiki, and others.

Update 5 (~13:45 ET): No response from GitHub yet. Again, I can restore to GitHub the code relevant to Gamocosm’s function; currently still evaluating the situation. It seems the hacker deleted my personal Gamocosm account and servers too… As I suspected earlier, it looks more like a personal attack on Gamocosm, although I cannot imagine why anyone would do this given Gamocosm’s completely free and open nature. Again, no breach of actual Gamocosm servers detected (especially considering he/she probably would have done much worse…). I’ve changed all my personal passwords, but this is still so devastating… Yeah, you won, hacker; I hope someone is happy out of this…

Update 6 (~13:50 ET): As mentioned, in the case of a server breach, your passwords should still be cryptographically safe. However, a hacker would be able to access and destroy your droplets. Reiterating, there has not been a server breach. I intend to be fully transparent with this issue and will post more detailed information after the urgent issues are resolved.