As some of you may have noticed, a user named Alkali9 (and consequently Alkali10) attempted to exploit the Halite servers. Though he was only able to win a number of games and temporarily climb up the ranks, we take these attempts very seriously, and his user was swiftly struck out of the rankings. Note that the word "Exploit" is placed within quotes, because I'm not sure I'd classify something this simple (and ultimately harmless) as an exploit. Following is a Post Mortem as to what happened, what we did to prevent future exploits, and how we dealt with the situation, respectively:
It turns out we had put all security in place, except we forgot to update file permissions (mea culpa). As such, a user could read/write each other's files locally. I emphasize locally in an effort to point out that the files were not extracted from the server in any way, and Alkali could only manipulate them. No one's bot was read, and no real data was changed in the long run. Simply said, Alkali would delete the other bot's files to break them. If he was unable to delete, he would replace his own bot with the top bot's MyBot file. He also attempted to exploit a loopback vulnerability that we protect against, and in the process we now even more strongly protect against. That was not exploited, nor was it going to be/will it be; nonetheless we believe in the belt-and-suspenders methodology, wherein we prefer to overprotect.
Preventing Future Exploits
This is a simple one: we actually got file permissions up. Now you can only read/modify/add your own files. I'm honestly a bit surprised he was the first person to figure this out.
We also strengthened IPTables/firewall definitions to prevent further people trying to game the network.
How We Dealt with the Situation
- We downloaded and read the code.
1.1 We have access to all code submitted, and the user submitted clean, unobfuscated code.
- We met and discussed how best to mitigate in the future.
2.1 We started patcheing things at this point.
- Now, this part is tricky: having dealt with a fair number of trolls/script kiddies/hackers in my day, I know that possibly the worst way to deal with the situation is to institute a ban: if you ban a user and (s)he is malicious, the user will just start spamming new accounts; you may try to block IP ranges, but they will just use VPNs at that point and you're stuck in a pointless chase. I find the best way to tackle the situation then is to be comical and institute "punishment" in a jocular manner. Thus why his name is now "scriptkiddy" and his score -1337.
- I traced the user and found his personal information
4.1 This part is complicated to explain in a short post, but there are a great number of books on white-hat methodologies to do so, legally. From there we got his personal email address (as well as name and more personal information), and reminded him of the Terms of Service.
- I wrote this Post Mortem.
What To Do If You Find an Exploit
As we kindly explained to Alkali9: though you might wish for your own personal flair score of -1337, there are usually better rewards for finding exploits through the proper channels. If you do find an exploit, please e-mail us at firstname.lastname@example.org and we may have some awesome swag for you.