Posts by wild1145

      DragonSlayer2189 That has a dependency on the Discord bot by the looks of it, and sending credentials in that way is not secure in any way, shape or form. It also doesn't solve the issues around syncing things, nor does it reduce the risk associated with the additional load of accounts.


    The way we use AMP now is different to how we did previously due to it not just running a single instance and a single MC Server...


      FromTimeToTime I always wondered why 2b2t considered sato's timeline as the standard when prettier and more useful ones exist, including interactive webpages with animations, searchable text, and hover text which explains each event in greater depth. As a newer player, I have no idea what "admin crews readded" or "First TF switch say" (sic) are supposed to mean, or what the significance was of UYScutix's DMs.

    I think as part of the website re-design I'm quite keen to build the timeline into the website, and where possible then have information that can be elaborated on. I think it's a damn shame that we don't showcase our history as well as we could.

    In terms of some notable events from where that timeline ends currently:

    • I was appointed to owner
    • The conduct policy has been totally over-hauled.
    • Steven was appointed owner of the Freedom game-mode as part of re-structuring
    • Mark transferred domain ownership to me

      Telesphoreo There is a way to enforce 2FA, but that doesn't solve the issues I'm talking about though... I've explained it 4 times in 4 different places already, but the TLDR is that accounts being compromised (and the increased risk from self-managing and self-hosting) is one of a number of issues that result in it not being practical to allow standard admins access to the panel when it goes live.

      Ivan Not of the panel; there will be a single control panel managing all TF servers. The permissions system of AMP (and most panels I've found) doesn't allow me to delegate management access of groups to other individuals: you either admin everything as a godmin, or nothing.

      videogamesm12 Because then you could manage panel access for servers which you have no rights to access. The security issue is that we then have an additional place where accounts and accesses need to be managed for our most critical infrastructure, and having more accounts, potentially with less secure credentials, and with a significantly higher risk of human error on my part by forgetting to give the correct perms, forgetting to disable them when they're removed, or otherwise, makes it an unacceptable risk profile for me to take.


    This is the cost of having a panel. I've been saying for a year now that it's a bad idea for us to rush getting a panel, but my hand has been forced, and these are the compromises we now have to make to minimise the increased attack surface we will be exposing and to ensure this is manageable long term. It took me over 40 mins yesterday to create and send details for the panel access for the 4 developers; it doesn't scale. I've said this for a year, you all couldn't be bothered to listen, so we're compromising.


    Sorry, I know it's shit, but there are no better options now. After yesterday with more false information being spread about my company and my decisions, my hand has been forced to mitigate it in the way that the community has been demanding, and that's by rolling out a panel to replace the discord bot that you yourself claimed to be insecure.

    I'll also clarify, as I did in Discord yesterday.


    We will be moving to AMP on all servers in the coming weeks, subject to the pilot not raising any catastrophic technical issues.


    We won't consider moving to another panel unless we outgrow the max licenses on AMP or AMP closes down, because of the huge effort required.


    The Discord bot will lose its server management access because there will be no need for it when the panel is live, and the increased attack surface is unacceptable.

      videogamesm12 That's not possible due to the significant increase in security issues and attack surface we expose. It would also result in me having to remove the ability for admins to be managed by anyone other than me due to having to ensure panel permissions are accurate.


    Senior admins will be the only ones with panel access for the Freedom server, and the policies for managing senior admins will also be changed to require my confirmation that panel access is updated prior to approvals / rejections / suspensions type situations.


    This is one of the compromises I've had to make to meet community demands.

      Tizz No... Admins will lose their ability to execute commands without telnet or being in game, or to control the server in any meaningful way. We won't introduce a new rank, just make use of the senior admins one.


      erin My hands are tied; we can't continue to use the Discord bot as well as the panel, as it significantly increases the attack footprint. Everyone tells me the bot is a security threat, so we're removing its ability to manage the server.


    We have no ability then to have an allow and deny list of console commands; there's a strong chance we won't let seniors use the console either for this reason. I've not fully decided yet.


    IP verification is something you'd need to speak to @StevenNL2000 about; it's down to him and @Paldiu to agree the priorities, but there is no guarantee it'll be done prior to panel go-live and bot decommissioning.


    I know admins are more active, but this is the real price of moving to another solution that's standalone from the existing user community.

      erin The ability for the bot to control the server will be fully retired and the panel will be the only way to administer the server going forward.


      root It's simply not sustainable to have so many accounts. It introduces too great a risk, and generally admins are more likely to be removed or suspended than a senior admin. Given we aren't able to link into an external IdP or use another platform like we do on Discord, where it's automatic, I'm not happy giving admins panel access until we can automate it, if it's even possible.

      Telesphoreo But it does meet more of the requirements we have... AMP is the only panel that has been identified as having the majority of what we need. Ptero may be less buggy, but the bottom line is it doesn't meet our requirements, so it won't be something we can use.

      Telesphoreo As I've said 100 times before... Ptero isn't fit for purpose, and meets even less of the requirements I have.


    And no, it's not an issue with OpenVZ / KVM / Hyper-V / Xen / anything else; the fact it requires me to run everything in Docker makes it utterly unfit for purpose.

      RedEastWood I strongly disagree with using a panel, especially when it doesn't meet 100% of the requirements, but after the other threads and the ongoing nagging people have pushed at me, I don't really have a choice, so I've dropped my personal plans for today to help get this working, and it's what we're going to have to make the best of.


      Telesphoreo AMP.


      Alco_Rs11 This is better overall for server stability

    Given how buggy the panel software has been, I'll believe that when I see it...


      Alco_Rs11 mitigates damage risks when bot breaches

    No, it just moves it from being a single bot associated with Discord creds to a load of WebUIs that are prime pickings for brute force attacks. The risk of compromise has significantly increased. It also means we have an extra place where we have to manage access, so we're far more likely to accidentally forget to remove people's access from it.