Saturday, August 4, 2018

/v/scape BTFO (Post-Mortem)

tl;dr /v/scape server was compromised. Consider everything tied to /v/scape compromised. Your passwords were in plain text so if you have any accounts using that password, you should change them immediately. Your /v/scape account may be locked and you will need to contact a staff member to unlock the account. This is to protect your account.

On August 3 2018 at ~19:30 UTC our server was broken into. This was after a two week+ sustained attack. We were using a password login for the server with no alerts on failed login attempts (I am serious, unfortunately). This made it relatively easy for the attacker to gain access. On August 3 2018 at ~20:15 UTC we noticed what was happening and took action. The VPS provider was emailed and the server reinstall was complete on August 4 2018 at ~2:00 UTC. Our backups were recent so players should experience no data loss from this episode.
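The missing alerting described above can be sketched as a small log scanner. This is an added example, not code from the /v/scape team; it assumes OpenSSH-style syslog lines, and the sample log, threshold, window and year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 10 19:20:01 vps sshd[4101]: Failed password for root from 203.0.113.7 port 40100 ssh2
Jan 10 19:20:03 vps sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Jan 10 19:20:06 vps sshd[4103]: Failed password for root from 203.0.113.7 port 40104 ssh2
Jan 10 19:24:40 vps sshd[4110]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jan 10 19:30:12 vps sshd[4120]: Accepted password for root from 203.0.113.7 port 40110 ssh2
Jan 10 19:41:00 vps sshd[4130]: Accepted password for staff from 192.0.2.15 port 60022 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def scan(log_text, threshold=3, window=timedelta(minutes=10), year=2024):
    """Return (time, kind, ip, user) alerts for bursts and for logins after failures."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    seen_failing = set()          # ips that have failed at least once
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, outcome, user, ip = m.groups()
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if outcome == "Failed":
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            seen_failing.add(ip)
            if len(q) >= threshold:
                alerts.append((when, "failed-login-burst", ip, user))
                q.clear()         # one alert per burst, not one per line
        elif ip in seen_failing:
            # a password login from a source that had been guessing
            alerts.append((when, "login-after-failures", ip, user))
    return alerts

if __name__ == "__main__":
    for when, kind, ip, user in scan(SAMPLE_LOG):
        print(when.isoformat(), kind, ip, user)
```

The second alert kind is the one that matters most for response time: an accepted password from an address with a failure history should page someone immediately.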

The attacker had access to everything related to /v/scape. Everything should be considered compromised at this point including, but not limited to, usernames, passwords, PINs, IPs, MACs, and email addresses from the Mantis. Any accounts that use your password from /v/scape should be changed immediately.

Ironically, we had been working on password hashing/salting and authentication recently. It was planned that we would roll that out in the next couple of days, but obviously that was too late. There were a number of things we should have done differently and they should have been done years ago, but we naively thought we wouldn't be targeted by anyone and maintained an extremely lax security posture. We have already taken steps to better protect ourselves in the future. Among them is hashing the passwords instead of letting them sit in the player files in plain text. This is now implemented and your password will be stored as a hash once you have logged in and out of the server as of today (August 4 2018). Two-factor authentication for your accounts will be (optionally) available soon. We also will no longer be using password logins for the VPS. Much more has been done and will be done over the coming weeks.
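The upgrade-on-login migration described above, as an added example that is not the /v/scape server's own code. It assumes a player record held as a dict with hypothetical field names `password` and `password_hash`, uses scrypt with a per-account salt, and goes one step beyond the post by including a bulk pass for accounts that never log in again.

```python
import hashlib
import hmac
import os

N, R, P = 2**14, 8, 1   # scrypt cost parameters (assumed; tune for the host)

def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=32)

def hash_password(password: str) -> str:
    salt = os.urandom(16)   # fresh random salt per account
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"

def verify_hash(password: str, stored: str) -> bool:
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def login(record: dict, password: str) -> bool:
    """Check a login and upgrade a legacy plaintext record in place."""
    if "password_hash" in record:
        return verify_hash(password, record["password_hash"])
    legacy = record.get("password")   # hypothetical legacy plaintext field
    if legacy is None or not hmac.compare_digest(legacy.encode(), password.encode()):
        return False
    record["password_hash"] = hash_password(password)
    del record["password"]            # plaintext must not survive the next save
    return True

def migrate_all(records) -> int:
    """Hash every remaining plaintext record in one pass; returns how many changed."""
    changed = 0
    for rec in records:
        if "password" in rec:
            rec["password_hash"] = hash_password(rec.pop("password"))
            changed += 1
    return changed

if __name__ == "__main__":
    # Constructed player record in the legacy layout.
    player = {"username": "example_player", "password": "correct horse"}
    print(login(player, "correct horse"), sorted(player))
```

Because the legacy value is already plaintext, `migrate_all` can hash dormant accounts immediately, so no record depends on its owner logging in again.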

If your account is locked, you will need to contact a staff member to have it unlocked for you. We are going to restore all accounts no matter how long that takes us. You can message us on Steam from the /v/scape Steam group or make a new account and message us in game.

Lastly, I want to apologize to all of you. This failure was entirely our own. We knew the weaknesses and took years to fix them. We ignored common sense and we knew better. There's nothing I can say here that can or should restore your trust in us (if you ever had any). All I can offer you is an apology and a promise that we are taking all steps we can to prevent this from ever happening again. I am personally taking a more active role in ensuring server security and I know the rest of the team is taking this much more seriously as well.

Latent

Monday, April 2, 2018

Vidyascape Q1 Update

Dear Shareholders,

I am writing this today to perhaps settle some of your minds regarding the future of the next couple of quarters of the Vidyascape fiscal year. We have had a slow first quarter which has closed with us down 4.2 points in our index. Our two major prospects for Q1 have been delayed into Q2 including the "Anniversary" deal and the Easter merger. We are still working on finishing both of these and while late, it is better nonetheless to close while we still can.

To preface our delays I must divulge vital information to you to keep interest in our company alive. Starting late last quarter I, Pickles t. Frogman, took on responsibilities in a separate company which occupies 40 hours of my time each week. While detrimental to the steady progress of Vidyascape Inc., it was a decision that had to be made with regards to my own personal interests. We are currently still adapting to this loss of productivity.

Now, to explain the tardiness of our first quarter prospects I can offer some exciting news. While the Construction wing of our offices still needs a few polishing touches in some corners it seems to be working as an excellent addition to our company! We have remained silent about another similar expansion in order to expediently complete the work and close the deal properly. Our original intent was to create these offices with funds raised by Anniversary Holdings Et. Al but we have suffered financial setbacks to the completion date. Nonetheless, we are pleased to announce that our Hunter wing of offices will be completed by end of April!

The Hunter expansion to our company is largely the explanation to our recent decline in visible progression with our company. We have been working since Q4 of 2017 on this project and are excited to present the finished results to you all by end of month. However, our immediate concern is also finishing the merger with Easter Question Mark LLC. Dubbed the "Easter" merger internally and promised externally to be closed by April 1st we have obviously failed to meet this deadline. There are many reasons why this occurred but I will not waste your time with details; know it will be done at the latest by business close Friday, April 6th.

We at Vidyascape Inc. look forward to a productive second quarter and will keep you the shareholders up to date with the new projects and additions discussed above. With your continued support we can make 2018 great again.

Sincerely,

Pickles t. Frogman
CTO
Vidyascape, Inc.

Tuesday, January 2, 2018

New year, address and client

Woah, we are slacking pretty hard on writing blog posts.  I've been wanting to do a 2017 recap post and explain the new client details so here we are.  First off, we bought vidyascape.org, so our address is a bit nicer and it ended up being really cheap to do once we found the right place to make it happen.  The new client 5.9.5 is now updated to use this address and the same goes for the Vidyascape launcher v0.4. Version 0.3 will keep working for a short time as we still have vidyascape.no-ip.org registered, but eventually it will stop working so make sure you get the new one at some point!  There were a few small client fixes we've had ready for a while, moving the update/server message/private messages so they don't float in the middle of the screen in resize mode as well as better supporting Linux and *nix systems.  It just takes a while to have a reason to update the client as it's never a smooth transition.

I'm gonna work through the year backwards and make small comments on some of the larger things we achieved this year.

Pickles tossed together a Christmas event on Christmas Day, Saxi ran through it and checked it out quickly and I drove an hour home to go update the server... (grandma's house has really garbage internet now?).  We cut it pretty close but we rallied and got it out before the day was over (at least for North America).

A lot of people had a hand in getting Kingdom Management rolled out and working correctly.  We had a problem (payments and approval were going over 50k/100% and giving really large rewards), so we had to disable collection for a few days and work on it.  I personally spent a lot of time on it and made sure to fix it in a way that still gives people credit for the time it was disabled.  Herbs and seeds still need rewritten to work correctly, hopefully we get to that soon.

Benny added ducks to the fishing guild.

Halloween came and went with a nice event (by lead event developer Pickles) that allowed you to choose a reward from Halloweens past, something that will probably see a return with events in general.

Highscores was changed to show if you're looking at an ironman with a little icon next to their name on the list and now counts ironmen among other players in the rankings.  We chose to change herbs to have a "unid" appearance now,

Sheep herder was added and, as with anything involving NPC movement, needed a couple patches.  Agility Pyramid which some thought we weren't going to be able to add to our server was implemented. The middle of the year mostly saw the standard quests and bugfixes, other than Easter and Fourth of July events.  Devious Minds, Wanted, Sea Slug, Between a Rock and Rag and Bone Man rounded out the year.

Oh and the most complex thing we've ever added, construction happened 364 days ago.

All in all it seemed like a quiet year, but looking at about 500 commits, hundreds of fixes and 7 quests I still feel proud of what everyone achieved.  We're well funded, we have players and we're making progress.

Happy (late) New Year everyone!