Posts by k3das

Please Note: The TotalFreedom Forum has now been put into a read-only mode. Total Freedom has now closed down and will not be returning in any way, shape or form. It has been a pleasure to lead this community and I wish you all the best for your futures.
    Quote

    @wild1145#17548 It really wouldn't. It wouldn't have been hard to have denied any breach at all. UK law (which we are primarily governed by) has no requirement for disclosure in these circumstances. That's what the majority of companies do.

    The issue would've been that there would be even less confirmed information going around. For a lot of companies they're pressured to include responsible disclosure in their breach mitigation plan, because otherwise people hear "there was a breach," and don't understand what really happened.

    Quote

    @wild1145#17548 The dev server will always have "live" data as players are regularly invited to join the server for testing. While lessons have been learnt and when more information is known and confirmed, we will publish more information and cover off those lessons and the changes to be made going forward.

    Then you have a different explanation as to why 7,932 player profiles have appeared in /plugins/Essentials/userdata at exactly 19:50:12 EST on 02/13/2021. All of THIS data shouldn't have been copied, but it was. Yes, there are 12 new profiles that were likely caused by the dev team. About the Votifier keys, this shouldn't be a problem because they were thankfully changed:

    Quote

    @redeastwood#17552 I changed these almost immediately.

    @wild1145#17548 The original announcement has all of the information known to date. Any information stated otherwise should be assumed to be false.

    Yet people don't assume things to be false, it should be partially your responsibility to spread real information so people don't need to guess. You did this well with the original announcement, I'm not really blaming you for this part.

    Quote

    @wild1145#17548 At this time there is no evidence to confirm this. We are still investigating the exact content of the breach and other content which may have been impacted. Right now you are simply adding to the misinformation...

    I guess a screenshot won't be enough to convince you that there are people who collect data breaches for their own OSINT:
    [Screenshot]

    Quote

    @wild1145#17548 At the current time we have consulted with the Information Commissioner's Office and they have confirmed, based off the data we have confirmed to be leaked, there is no requirement for disclosure to end users or to them. We've disclosed to end users because I personally believe that is the right thing to do.

    I'm not well-versed in GDPR, but to my understanding, you'd need T&Cs regarding what data you collect on the forum, and who you share it with, although I might be wrong.

    Quote

    @wild1145#17548 I have and continue to do so...

    Well, I guess so; it was my poor judgement in the middle of the night.

    These are my seven cents:

    1. Ryan, if you hadn't disclosed this breach it would've been a lot worse for you, so stop making it seem like you're being nice to us.
    2. None of this would've been an issue if the dev server didn't have live data. I completely understand the importance of a good dev server, but real player IPs do not belong there.
    3. There is way too much general misinformation going around on this thread, and on the Discord, so here is my attempt to try to clear things up:
      a. Access tokens will not be leaked if you click on a link, due to cookies being restricted per domain.
      b. Your IP cannot be leaked if you clicked on the .onion link, because if by some miracle it opened in a Tor browser, and loaded, your IP would still be masked by the Tor network.
      c. The newest player data in the leak was from 03/25/2021, but it looks like almost all player data was added on 02/13/2021. In total, almost 8k player profiles were in the leak.
      d. For most players, their IP very likely already changed due to ISPs mainly using dynamic IPs.
      e. The leak also contained ban data.
      f. Yes, there were Votifier keys, but I hope that those were changed since then.
      Quote

      @redeastwood#17552 I changed these almost immediately.

      g. A panel wouldn't really make a difference.

    4. Ryan, please stop saying things along the lines of "people are stupid." It doesn't inspire professionalism, and a better solution for you would be to try to clear up some misinformation.
    5. There has hardly been any transparency before this, and you should have the systems in place to detect somebody using a dev's credentials to download 1.1GB of data off a dev server.
    6. Also, isn't posting banned players' IPs in public chat breaching PPI? I don't think I can find any TOS, T&Cs, etc. on your website or forum, and no cookie notice. All of which are a breach of GDPR.
    7. Please acknowledge you and your team's mistakes.