HFB, what the hell is your problem?
[QUOTE=Gott;43469812]Well, right now, I would need access to all the stuff to install your mod and DropParty. Every minute my server is running unmodded is bad, and just shutting it down would be worse. And I really don't want to wipe again. But when my server was running modded, I needed access to the output log, so I could continue to futilely seek help with a problem concerning a player being unable to connect to my server for the past three days. [url]http://facepunch.com/showthread.php?t=1344903[/url] But again, right now, my server is running un-modded, and I'm not happy about that.[/QUOTE] I understand that and I feel for you, but give it some time for them to secure things & set up some rules. Tonight I'll do a proof of concept mod to see how much damage I could potentially do, and run it on multiple GSPs and if it works, I'll let them know and they'll need to do the same process. [editline]9th January 2014[/editline] [QUOTE=AADiC;43469833]We tried for 3 hours last night to install your MOD VIA HFB's installer, it did not work. Multiple tickets with them, they say it worked, it never did. We did a manual install, which is not possible any longer, and it works fine. So sorry, if we are a little hesitant about these changes, but it's from experience. BTW does Rust ++ have Whitelisting capability?[/QUOTE] Not at the moment, it will get it though. For now you could use GroupGate and make a steam group. Maybe HFB's mod installer wasn't working correctly, I'm happy to work with GSPs to ensure everything works.
Did you guys ever consider not offering mods that create the exploit in the first place?
Just submitted a ticket asking for a refund for the coming month that I already paid, will post again with updates
[QUOTE=xEnt22;43469849]I understand that and I feel for you, but give it some time for them to secure things & set up some rules. Tonight I'll do a proof of concept mod to see how much damage I could potentially do, and run it on multiple GSPs and if it works, I'll let them know and they'll need to do the same process.[/QUOTE] Why is it your responsibility to do the troubleshooting for these GSPs? Shouldn't they be held responsible? and as such, take on these tasks themselves? I just don't see the logic behind this. I get that you're trying to help, which in turn will help the entire Rust community as a whole, but why you and not them?
[QUOTE=Skynet;43469649]Revoking full FTP access after you've sold it to me as part of my package, is the very definition of a bait and switch[/QUOTE] Don't start. I'm no fan of HFB but this is definitely not a "bait & switch". He has the right to make temporary changes to your server in order to protect his infrastructure and other customers. You also agreed to let him make these changes when you signed up for service and accepted their [URL="https://www.hfbservers.com/index.php/terms"]terms of service[/URL]: [I] HFBServers reserves the right to modify its network and facilities used to provide the Services. At all times, you bear full risk of loss of any content and software you place on the HFBServers servers. NEITHER HFBSERVERS, ITS EMPLOYEES, AFFILIATES, AGENTS, SUPPLIERS, THIRD-PARTY INFORMATION PROVIDERS, MERCHANTS, LICENSORS NOR THE LIKE MAKE ANY WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT FOR THE SERVICES OR ANY EQUIPMENT HFBSERVERS PROVIDES. NEITHER HFBSERVERS, ITS EMPLOYEES, AFFILIATES, AGENTS, THIRD-PARTY INFORMATION PROVIDERS, MERCHANTS, LICENSORS OR THE LIKE, WARRANT THAT THE SERVICES WILL NOT BE INTERRUPTED OR ERROR FREE; NOR DO ANY OF THEM MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICES OR AS TO THE ACCURACY, RELIABILITY OR CONTENT OF ANY INFORMATION SERVICES OR MERCHANDISE CONTAINED IN OR PROVIDED THROUGH THE SERVICES. HFBSERVERS IS NOT LIABLE FOR THE CONTENT OR LOSS OF ANY DATA TRANSFERRED EITHER TO OR FROM YOU OR STORED BY YOU OR ANY OF YOUR CLIENTELE VIA THE SERVICES PROVIDED BY HFBSERVERS. 
IN NO EVENT SHALL HFBSERVERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR LOSS OF PROFITS, REVENUE, DATA OR USE, SUFFERED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT, TORT OR STRICT LIABILITY OR OTHER LEGAL THEORY, EVEN IF HFBSERVERS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.[/I] (sorry for the caps; that's straight from their site) However, this part makes me laugh: [i]In the event you dispute charges contrary to this agreement, we reserve the right to add a $150 collection chargeback fee and to refer your account or sell your debt to a third party collection agency. We also reserve the right to take further legal action against you. [/i] Hahahaha, no. Not every contract is binding and not every contract term is enforceable. The first time a small claims judge hears this in court he's going to open the floodgates for every penny of statutory damages against the host: "Your honor, we're suing the plaintiff today for $150 because he didn't email us before he filed a chargeback." "Are you saying you're attempting to penalize the defendant for exercising his legal rights in good faith?" "Er, well, you see, we have this contract, and the defendant agreed to..." "Did the defendant win the chargeback?" "Well, yes, but..." "Why did he file the chargeback?" "Well, your honor, you see, we were unable to provide service for 10% of the month (3 days), and ..." "Dismissed with prejudice. I find in favor of the defendant's counterclaim for legal expenses and lost wages in the amount of $750."
[QUOTE=canzer;43469874]Did you guys ever consider not offering mods that create the exploit in the first place?[/QUOTE] It is not the MOD that is the issue, it's the loader. Correct me if I am wrong.
[QUOTE=Maximum Over;43469883]Don't start.[/quote] I'll say whatever I damned well please, if you don't like it, don't read it. This thread doesn't even apply to you, so why are you here again? [QUOTE=Maximum Over;43469883]I'm no fan of HFB but this is definitely not a "bait & switch". [/QUOTE] It is absolutely a bait and switch, regardless of what you may think.
Maximum... You left out this part of the TOS: HFBServers shall use reasonable efforts to notify you in advance of any planned changes to HFBServers network or facilities that may adversely affect the Services provided under this Agreement. EDIT: I still haven't gotten an email.
[QUOTE=Skynet;43469896]I'll say whatever I damned well please, if you don't like it, don't read it. This thread doesn't even apply to you, so why are you here again?[/quote] Wrong. It's a forum. If you don't want other people replying to your posts, don't make them. [quote]It is absolutely a bait and switch, regardless of what you may think.[/QUOTE] Oh? Really? So when you placed that order, they had no intention of delivering FTP service? Funny, mine only went down today. And you somehow have proof that this is NOT an emergency action taken to stop an exploit, but rather part of some pre-conceived scam to obtain more customers? And you say HFB tried to upsell you to a more expensive service with similar features? Please, enlighten the rest of us with your proof. That's right. They didn't, and you don't have any, because you don't know what "bait and switch" actually means. You just thought it sounded "neat" so you're going to throw it around. Next. [editline]9th January 2014[/editline] [QUOTE=Sievers808;43469935]Maximum... You left out this part of the TOS: HFBServers shall use reasonable efforts to notify you in advance of any planned changes to HFBServers network or facilities that may adversely affect the Services provided under this Agreement.[/QUOTE] "Reasonable effort" and "planned changes". The difference here is that if they were switching datacenters on March 15, they'd be obligated by their terms to make a "reasonable effort" to give you advance notice. This doesn't cover action taken to defend against unforeseen threats, unfortunately. This is further clarified by their disclaimer of warranty, which basically translates to "look, we're not saying your service will never go down unexpectedly". 
[editline]9th January 2014[/editline] Also, found this little nugget in their terms: [i]You also agree that you will Not attempt to slander or post negative reviews for HFBServers LLC on any online medium including but not limited to review websites, game forums, clan forums, youtube videos and more as a result of a move or load balance.[/i] Seriously? HFBServers will come after you if you post a negative review? Good luck with THAT one. I've seen some ridiculous terms in my day but these take the cake.
[QUOTE=Maximum Over;43470038] "Reasonable effort" and "planned changes". The difference here is that if they were switching datacenters on March 15, they'd be obligated by their terms to make a "reasonable effort" to give you advance notice. This doesn't cover action taken to defend against unforeseen threats, unfortunately.[/QUOTE] Unforeseen threats? If the servers were sandboxed like they should be it would never be a threat in the first place. Besides, it seems like it would be too easy to just say "oh, I didn't even think about it, I just made the change. So obviously it wasn't 'planned.'" However, from a strictly legal standpoint you are likely correct, as far as I understand it. The website is still advertising Full FTP Access... so that would definitely work against them. They should make the change on the site as soon as possible to prevent further grief about this.
[QUOTE=xEnt22;43469849] Not at the moment, it will get it though. For now you could use GroupGate and make a steam group. [/QUOTE] How do you propose we use it if we can't use Leather with HFB?
Ah-hah! An email about it! Finally! lol And yes, Maximum... I noticed that little part of the terms, it's rather ridiculous. The TOS have all sorts of grammar errors throughout...
[QUOTE=Sievers808;43470121]Unforeseen threats? If the servers were sandboxed like they should be it would never be a threat in the first place.[/quote] No argument here. To be perfectly blunt, I suspect this is a compromise between the desire to make money and the fact that Rust is still in alpha. I'm guessing the server side isn't fully baked, hence the reason it's only available to "select GSPs". Just my hunch, though. [quote]Besides, it seems like it would be too easy to just say "oh, I didn't even think about it, I just made the change. So obviously it wasn't 'planned.'"[/quote] Sadly this is true, and it does happen this way all the time. Not just with GSPs but service providers in general. Even the big names. [quote]However, from a strictly legal standpoint you are likely correct, as far as I understand it. The website is still advertising Full FTP Access... so that would definitely work against them. They should make the change on the site as soon as possible to prevent further grief about this.[/QUOTE] If someone signed up right now expecting FTP access and didn't get it, and they requested a refund before the FTP service came back, it would be in HFB's best interests to issue it. The simplest and best solution is, as you said, to simply update their website to note the lack of FTP. It's a quick fix that takes seconds, and it can be switched back just as quickly when FTP comes back online. [editline]9th January 2014[/editline] [QUOTE=Sievers808;43470129]And yes, Maximum... I noticed that little part of the terms, it's rather ridiculous. The TOS have all sorts of grammar errors throughout...[/QUOTE] You can always tell "home brew" legal documents versus professionally prepared ones. A good lawyer will usually only charge a few hundred to review and update a document that size, give or take depending on their local market. Considering a typical server might run $5k - $10k, that's peanuts. Hopefully everybody with HFB stuff comes back soon. 
We're probably finding another provider.
I'm fine with them removing FTP access while they work out a solution. They have a fair price, are always prompt to deal with my issues and questions, couldn't expect more than that.
Hey. I understand the desire to remove FTP access. Please at least offer Rust Essentials as a mod. [url]http://facepunch.com/showthread.php?t=1344425[/url] It has a whitelist feature that allows admins to deny access to the server to anyone who isn't on the whitelist. We have been using this feature to keep unknowns/hackers off the server and rely on it.
[QUOTE=brandeni;43470861]Hey. I understand the desire to remove FTP access. Please at least offer Rust Essentials as a mod. [url]http://facepunch.com/showthread.php?t=1344425[/url] It has a whitelist feature that allows admins to deny access to the server to anyone who isn't on the whitelist. We have been using this feature to keep unknowns/hackers off the server and rely on it.[/QUOTE] This and other such mods will be available shortly once we add them to the control panel.
[QUOTE=HFBServers;43470914]This and other such mods will be available shortly once we add them to the control panel.[/QUOTE] Awesome! Thanks.
So from what I can gather, the problem was that Leather created a vulnerability which allowed someone to gain access to the entire server (potentially other Rust instances running on the same server)? It seems to me this must be the result of poorly structured security. For instance, I know of one general-purpose server provider, LeaseWeb, which not only gives you a server, they even let you remote-desktop into the server and do whatever the hell you want in there. They don't suffer security issues. There are two ways LeaseWeb provides a server. 1.) You can rent a dedicated machine. It's yours, and only yours. 2.) You can rent a VPS. Your server runs in a virtual machine instance on a server. As far as the customer is concerned, it's a dedicated server, but the service provider can pack more than one on a single server and has a fairly high degree of control over security. Both are very common cases for general server providers. Just seems odd to me that HFB servers could be exploited so simply.
It's an exploit on any server that's running Leather, not just HFB. [QUOTE=KillaMaaki;43471018]So from what I can gather, the problem was that Leather created a vulnerability which allowed someone to gain access to the entire server (potentially other Rust instances running on the same server)? It seems to me this must be the result of poorly structured security. For instance, I know of one general-purpose server provider, LeaseWeb, which not only gives you a server, they even let you remote-desktop into the server and do whatever the hell you want in there. They don't suffer security issues. There are two ways LeaseWeb provides a server. 1.) You can rent a dedicated machine. It's yours, and only yours. 2.) You can rent a VPS. Your server runs in a virtual machine instance on a server. As far as the customer is concerned, it's a dedicated server, but the service provider can pack more than one on a single server and has a fairly high degree of control over security. Both are very common cases for general server providers. Just seems odd to me that HFB servers could be exploited so simply.[/QUOTE]
[QUOTE=Protimus;43471136]It's an exploit on any server that's running Leather, not just HFB.[/QUOTE] Yes that is true, but if you are the only user on whatever instance/VM on the physical server then the exploit doesn't really matter because they can still only affect their little piece of the server, and then they lock down the user that is running the modded program even further so they can't do much of anything anyways. I feel that this would be much easier to implement in Linux, I always forget that the Rust servers are running Windows.
I get why they (and other GSPs) are doing this but doesn't this restrict modding? How am I meant to test my plugins/mods that I make if GSPs have to whitelist them? Any plugin/mod I now make has to be inspected, approved and made public, or what? We installed Rust Essentials last night and I need to update it and its config files - now I can't. I created a plugin to administer my server with ease ([url]http://facepunch.com/showthread.php?t=1339129&p=43447336&viewfull=1#post43447336[/url]) and I wanted to update it - now I can't. We do not run a vanilla server - we have customized drop tables that I need to be able to edit also. Are we going to get access back to the public folder once Leather improve their security (question goes out to any GSP), or is this how it's going to be? EDIT: Nevermind, HFB said it'll be restricted until Leather or whatever other mod loader fixes up their stuff.
There's not been a single day in the last 5 that I have owned a server where there hasn't been some major issue with HFB destroying my server population. Example: With Oxide installed, I could limit Explosive drops so my pop can grow a bit before chaos ensues. This allows me to have air drops at low populations. With no notice whatsoever, HFB removes Oxide, restarts my server without it, while I am offline, so then Airdrops start and now my server is full of Explosives leaving me no choice but to essentially roll back or live with the new chaos, and a server which is not running as I wanted. What you could have done is simply shut down the server and email me, so I could edit the files to avoid this. But no... you have no concern whatsoever for what your actions do to your clients. So thanks again HFB... you almost made it a full day without doing some crap that took down my server and pissed off my player base. 5 days owned... 5 days of hassles... can't wait for tomorrow's new and exciting round of crap.
[QUOTE=HFBServers;43469342]FTP is coming back, probably in the next few moments. Rust++ will be coming back as xEnt22 stated, we will most likely be adding other mods as well. Rust++ was moved yesterday as well. Oxide has also been disabled and deleted from every single server. However, full FTP access will not be given any longer as it is a security issue with Leather allowing almost any code to execute. So the plan is to give clients the ability to install Mods in their Game Panel but not install any mods themselves manually until such a time that these exploits are fixed. (Probably would take an actual Rust patch? Not 100% sure though) This issue exists really with any host that allows modifying of the mainData file as far as we can tell. Obviously we would have loved to have emailed out to all clients prior to doing anything like this and given them notification but due to this exploit allowing almost any code to execute there was not enough time. Clients will be getting an email very soon that details this and possibly more information.[/QUOTE] So you just randomly delete Oxide from all servers, even when some people only purchased servers at HFB because of the mods? I assume those people will get a refund? HFB looks like a 'company' that is being run by a few students on your attic. Am I right? You lack support, fail to communicate with your clients, and aren't even capable of managing the servers properly. Not to mention all the downtimes.
[QUOTE=Mousejockey;43471965]- snip -[/QUOTE] It's a prime example why forcing us to use GSPs is a bad idea. I totally understand Facepunch's stance on server hosting while it's in alpha - but I sincerely hope this changes once the server/game is at a certain point. If we were trusted to host the game servers ourselves, we wouldn't have to worry about sandboxing because I know exactly what plugins I enable and I always divulge through the code before hand (the beauty of .NET). We've already had to reset the server once in the past week because of the duping and we've managed to keep it clean since then due to running server mods, but if these are being removed then we're back to square one. What's really annoying is that I developed a Mod so that we can kick/ban people using their IDs rather than names, and if I'm no longer able to use my Mod then I may as well stop hosting a server for the time being because I cannot remove such people from the server. Quite frankly, the whole situation is irritating and it comes down to forcing us to use GSPs. I don't blame anyone specifically - but that's the problem here.
[video=youtube;gBMSqlkOO5Q]https://www.youtube.com/watch?v=gBMSqlkOO5Q[/video]
[QUOTE=iDyn;43472405]It's a prime example why forcing us to use GSPs is a bad idea. I totally understand Facepunch's stance on server hosting while it's in alpha - but I sincerely hope this changes once the server/game is at a certain point. If we were trusted to host the game servers ourselves, we wouldn't have to worry about sandboxing because I know exactly what plugins I enable and I always divulge through the code before hand (the beauty of .NET). We've already had to reset the server once in the past week because of the duping and we've managed to keep it clean since then due to running server mods, but if these are being removed then we're back to square one. What's really annoying is that I developed a Mod so that we can kick/ban people using their IDs rather than names, and if I'm no longer able to use my Mod then I may as well stop hosting a server for the time being because I cannot remove such people from the server. Quite frankly, the whole situation is irritating and it comes down to forcing us to use GSPs. I don't blame anyone specifically - but that's the problem here.[/QUOTE] If they had released server files from day one do you have any idea what kind of exploits would be out there? Imagine the scale of the uLink problem but a new exploit being found every couple of days. It would be hard to build a community like rust has if all the servers were down due to exploits 24/7.
[QUOTE=mastercookie;43473957]If they had released server files from day one do you have any idea what kind of exploits would be out there? Imagine the scale of the uLink problem but a new exploit being found every couple of days. It would be hard to build a community like rust has if all the servers were down due to exploits 24/7.[/QUOTE] I'm a game developer for a large MMO, so yes, I'm well aware of what kind of exploits there could be because I've fixed many exploits / bugs in our game myself. The whole point of Alpha/Beta is to find and fix any crucial bugs/exploits. The faster we identify them, the faster they get fixed. How many of you would complain when the game comes out of Alpha/Beta or Beta/Live and there's still exploits that haven't been fixed? Locking us into GSPs is one thing (albeit temporarily - I assume), but then we have GSPs specifically stating what modifications we can and can't do. This was the point I made because it would not be an issue if we were entrusted to run the servers ourselves.
[QUOTE=iDyn;43471877]I get why they (and other GSPs) are doing this but doesn't this restrict modding? How am I meant to test my plugins/mods that I make if GSPs have to whitelist them? Any plugin/mod I now make has to be inspected, approved and made public, or what? We installed Rust Essentials last night and I need to update it and its config files - now I can't. I created a plugin to administer my server with ease ([url]http://facepunch.com/showthread.php?t=1339129&p=43447336&viewfull=1#post43447336[/url]) and I wanted to update it - now I can't. We do not run a vanilla server - we have customized drop tables that I need to be able to edit also. Are we going to get access back to the public folder once Leather improve their security (question goes out to any GSP), or is this how it's going to be? EDIT: Nevermind, HFB said it'll be restricted until Leather or whatever other mod loader fixes up their stuff.[/QUOTE] I am a server owner.. Dear god you would be a saint if you shared that admin tool with me. We ban upwards of 20 noclippers a night and this would be soooooo useful.
At least I got my refund :D
[QUOTE=mastercookie;43473957]If they had released server files from day one do you have any idea what kind of exploits would be out there? Imagine the scale of the uLink problem but a new exploit being found every couple of days. It would be hard to build a community like rust has if all the servers were down due to exploits 24/7.[/QUOTE] All the server files are already out there and have been for a long time. The way it works right now is just really messy, the server providers trying to support bugged mods for a bugged alpha. The mod creators creating bugged mods and refusing to make the mods public. And just because of mods which I don't really care about yet, I suddenly get restricted access to the server files, this is not how indie games with modding are supposed to work. :p