Warning: spybots might be trying to gain access to your GC

[Alternity]

Hello people


This morning as I logged on I noticed something peculiar from my GC bot:

[Spartans] ******: Player Tyrence27 was denied access to command join.
[Spartans] ******: Player Tyrence27 was denied access to command online.

Let's take a look at Tyrence27:

Detailed Info for Tyrence27

Name: "Tyrence27" Lookup
Guild: Friends With Benefits (5138)
Guild Rank: Applicant (4)
Breed: Nano
Gender: Female
Profession: Nano-Technician (Novice)
Level: 2
AI Level: 0 (None)
Faction: Neutral
Status: Offline
Character ID: 481935 Lookup

Source: people.anarchy-online.com (current-cache)

Name History

Tyrence27 13-Dec-2014 05:33 UTC

To me this seams like nothing other than a bot toon, whatever Tyrence27 is he logged off right after being denied.

I suggest you contact your GC bot admin and make sure you have proper security in place.


Darkempire

[Vhab]

Please note all Budabots have phone-home functionality, which provides Tyrence among others with a full list of currently running Budabots.
It might be possible to turn this functionality off.

[Vinkera]

I recall seeing something like that. I think it was toward the end of the "!config" section.

Edit: Here is the exact command to turn it off:
!config event 24hrs usagecontroller.submitAnonymousUsage disable all

I also had to explicitly deny access to my chat channels from strangers when setting it up, if I recall correctly.

[Alternity]

I ended up with banning the Org: Friends With Benefits


Found it fitting

[Teeko]

Tyrence27 is the lead coder on the budabot project. I would say your best bet is to head over to the budabot forums and check with him what was going on. And yes, Vhab is correct in that all budabots "phone home" in the form of the usage module. You can easily disable that module same as any other, it is only used to track usage of commands/modules for removing unused commands.

[Raggy]

Thanks for the heads up gents.

[Emma]

I recall seeing something like that. I think it was toward the end of the "!config" section.

Edit: Here is the exact command to turn it off:
!config event 24hrs usagecontroller.submitAnonymousUsage disable all

I also had to explicitly deny access to my chat channels from strangers when setting it up, if I recall correctly.

Is that command in the Events_Module? I didn't see it, but apparently I had the whole module disabled anyways.

I have seen that same denied access notice in a guest channel I am in, but have not seen in our org channels.

Emma

[Vinkera]

Is that command in the Events_Module? I didn't see it, but apparently I had the whole module disabled anyways.

I have seen that same denied access notice in a guest channel I am in, but have not seen in our org channels.

Emma

I think you're mixing two things together. That command is to turn off the anonymous usage statistics. Channel permissions are set under other modules.

[Bekrowe]

Removed posts which were fighting over something which was not even on topic with this thread. Please keep it on topic.

[hamms]

I found some 217 org-less player spamming my bot recently with !whatbuffs over and over. That was quite annoying.

[Cratertina]

Nice Tyrance is back? Long time no see...

Oh also Vhab HAi there mr Mongo-Code.

[Alternity]

Even if the bots have a call home function used to gather statistics. It compromises privacy. Gathering online numbers and even eavesdropping on chat, the latter is highly possible and highly wrong.

[Teeko]

The bot is 100% open source, feel free to check the code. The bot doesn't do anything but send the usage statistics, doesn't even send the bot name. Its all anonymized. How Tyrence got the bot name and what he was doing is not known to me at this time, but I can tell you it is not a security issue in the bot.

[Teeko]

In the interest of transparency, the command to completely disable submitting usage statistics is !config mod USAGE disable all

For more information on the anonymization of the module from the budabot forums at the release of Budabot v2.3:

Also, Budabot now tracks command usage (!usage) which tells you the most used commands and also the people who use the bot the most. By default, Budabot will submit these usage stats (command names only; no character or org names or anything that could be use to identify you) to the Budabot.com website once a day. You can disable this if you wish from the !config USAGE menu, however, we encourage you to leave it enabled as it helps the Budabot team determine which commands to focus on and which commands are not used. It is our intention to make this info public, so that you can see which commands are most used from all Budabot stats, however, this has not been done yet, but we will let you know when it happens.

(http://budabot.com/forum/viewtopic.php?f=8&t=906)

If you do !config USAGE and look at the line that says "Botid", that is all that is sent to budabot's usage statistics server. Your bot's name or any other information is never shared, only how often and which commands are used.

[Teeko]

Also, its very easy to find anyone's bot names by checking online lists of an org. For example:

[Dreadloch Corp.] *****: !orglist alternity
[Dreadloch Corp.] *****: Downloading org roster for org id 4650...
[Dreadloch Corp.] *****: Checking online status for 1466 members of 'Spartans'...
[Dreadloch Corp.] *****: Orglist for 'Spartans' (1 / 1466) (Page 1 / 3)

It is very easy to find out which of those is your bot. Obviously in this case it is the only character on, but in normal cases, bots generally have names tied to the org names, or are the only level 1 character logged on. From there it is quite easy to try standard commands(!join and !online) to see if someone can gain access to your bot. In this particular case, I have spoken to Tyrence and he said he was looking for a specific person in your org and he was trying to check if that person was on an alt.

Any other questions about the bot, usage statistics, etc. feel free to ask and I'll field them the best I can, although some more technical questions may require some research and/or talking to Tyrence himself, so may be delayed. I'm glad that you watch your bot logs so carefully, and I encourage everyone else to do the same. Also, I repeat what Alternity said in the first post, check with the person who runs/manages your bot and ask them to review your bot's permission to make sure they are set exactly the way you want them.

[Alternity]

Teeko Org list is ok, and I know the bot is open source because I've read through some of the module code. I also run the bots/server, and I am very su****ious by nature. If this was a "false positive" then all is fine, agree?

[Teeko]

I agree, I just want to keep everyone at ease because I'm sure this freaked atleast a couple people out! I don't want people to get the wrong idea when these things in the bot are features designed to help and are easily turned off and noone is spying on your org chats and bots.

[Le-Quack]

gah this thread is ruind.. drama removed..
i was looking forward to watch this thread when i woke up