Fired for being hacked
Mathew
04-07-2011, 06:22 PM
Several people (Ouft and Alkaz come to mind, at present) have been fired lately for reasons beyond their control; they've been hacked. In order to keep Lee's thank you thread relatively tidy, I thought I'd start a discussion. I'd just like to start a discussion about whether this is actually for the best or not, as we all know that people are only "fired" if they are a threat to other Habbox users. But really, are they?
I will use Ouft as the perfect example, following a series of posts made in his thank you thread -> http://www.habboxforum.com/showthread.php?t=709163
I quote:
Yet again, I can't help but find it odd that someone is fired for this. It's not like Lee was out there advertising that he wanted to be hacked and had intention to cause disruption to Habbox. In addition, from the sounds of Kfnx' post, it appears that the work he put into Habbox far outweighs the amount of damage done. David seemed to be able to remove the piece of code in a flash, yet we have a hard-working, "team player with very good bonds" being fired for something which wasn't his fault.
It baffles me why Habbox are firing people when they have actually done nothing wrong. Ouft wasn't out there shouting "hey come embed some dodgy code on Habbox!!" - he was doing his job to the best of his ability, as always. Sadly, it just so happens that he was unlucky enough to be the chosen one to be compromised. Not only is Lee upset that his account has been compromised in the first place (I exaggerate, of course), but he now has to face the disappointment, finding out he's been fired from his role at Habbox.
Some people at Habbox put an immense amount of time and effort into this site and if you're hacked, it's all forgotten about. Gone. Kaput. From reading his thank you thread, it appears that Ouft put in a lot of work and it will be a dint in the department now he isn't there. Surely his contribution to Habbox outweighs the short amount of time it took you to remove the problem? :)
But, there are precautions one can take as to avoid being hacked. We can only do as much as to preach security to staff members. We can't oversee that they're using strong unguessable passwords, secure email accounts, not using desktop sharing, logging into Habbox accounts at public spaces or scanning their computers for trojans.
None of the above would have stopped Ouft being hacked last night. Obviously I don't know the details, but in the event that he clicked a link to someone's tumblr and it just so happened it was dodgy, then you can't "preach" whether staff members click links or not.
Especially when a staff member is hacked and damage is caused we cannot just undo that damage and hand their account and authority back to them, where is the assurance that the same thing won't happen again a week from now? It's just too big a security risk for Habbox to take.
Where is the assurance that the same thing won't happen a month from now, when he's allowed to apply for RV again? Surely if you've been hacked once then you're an easy target for next time, no?
We cannot afford to turn blind eyes or respond slowly to threats.
Gotta give you some credit here for sorting it all out so quickly last night, Dave.
The most thorough way of doing this is often, regrettably, removing the hacked individual's staff role. This is foremost a security precaution but also serves as a sort of lesson to the individual to take security more seriously in the future.
That's rather patronising and I find it quite unreasonable to suggest Habbox's new moral is to teach the wonders of security. Yet again, what's to say it won't happen again in a month?
Thanks,
Matt
GoldenMerc
04-07-2011, 06:25 PM
He's got a point as in you need to learn to be able to secure yourself if you've got powers (well to be fair either way you should be secure) obviously Ouft didn't get hacked by a clickjacker as they took his Habbox account, nevertheless I do feel it's rather harsh, I'd personally demote them to the next level down.
Ross
Inseriousity.
04-07-2011, 06:32 PM
Hmm yeah the logic behind it has a flaw in it when you know they're allowed back in a month's time. You're essentially just "letting them stay at habbox in the hope they don't get hacked again." So you either fire them and they remain fired forever (which seems rather harsh) or you don't fire them at all!
Richie
04-07-2011, 06:32 PM
Of course it is right to fire a staff member if they've been hacked. They can reapply and learn from their mistakes. Don't click links, accept files and be sure to make your password difficult to crack. It's all a learning process, next time they'll be less likely to make silly mistakes and get their accounts compromised. It's different if a regular user is hacked, they don't have any permissions to leak information or to give a hacker access to a part of the site.
xxMATTGxx
04-07-2011, 06:33 PM
Several people (Ouft and Alkaz come to mind, at present) have been fired lately for reasons beyond their control; they've been hacked. In order to keep Lee's thank you thread relatively tidy, I thought I'd start a discussion. I'd just like to start a discussion about whether this is actually for the best or not, as we all know that people are only "fired" if they are a threat to other Habbox users. But really, are they?
I will use Ouft as the perfect example, following a series of posts made in his thank you thread -> http://www.habboxforum.com/showthread.php?t=709163
I quote:
It baffles me why Habbox are firing people when they have actually done nothing wrong. Ouft wasn't out there shouting "hey come embed some dodgy code on Habbox!!" - he was doing his job to the best of his ability, as always. Sadly, it just so happens that he was unlucky enough to be the chosen one to be compromised. Not only is Lee upset that his account has been compromised in the first place (I exaggerate, of course), but he now has to face the disappointment, finding out he's been fired from his role at Habbox.
Any user on this forum is responsible for their own account safety. Staff members need to make sure their accounts aren't easy to get into by easy passwords to the accounts/emails/recovery questions and more. I don't like blaming people that they got hacked but sometimes it does involve the actual user making small mistakes when choosing their security options on any accounts they may use on the internet.
Some people at Habbox put an immense amount of time and effort into this site and if you're hacked, it's all forgotten about. Gone. Kaput. From reading his thank you thread, it appears that Ouft put in a lot of work and it will be a dint in the department now he isn't there. Surely his contribution to Habbox outweighs the short amount of time it took you to remove the problem? :)
Yes we are aware of that but when damage has been done on Habbox, when it has put users of our site at risk, we cannot let them just get away with it and hope for the best, when they could be hacked the following week and more damage could be done. Any hacked staff member has lessons to be learnt and to realise what has happened, how it has happened and how they can prevent it in the future. They can always have a job back at Habbox after 30 days and during that time, they should be teaching themselves how not to get hacked again.
None of the above would have stopped Ouft being hacked last night. Obviously I don't know the details, but in the event that he clicked a link to someone's tumblr and it just so happened it was dodgy, then you can't "preach" whether staff members click links or not.
No but we have warned users and staff members not to click any links they are unsure of and it was reported by other users that they were using other links like tumblr and so on. Again, this is the responsibility of the user.
Where is the assurance that the same thing won't happen a month from now, when he's allowed to apply for RV again? Surely if you've been hacked once then you're an easy target for next time, no?
We are hoping it doesn't happen again; if it does and it's the same person, something isn't quite right!
Gotta give you some credit here for sorting it all out so quickly last night, Dave.
That's rather patronising and I find it quite unreasonable to suggest Habbox's new moral is to teach the wonders of security. Yet again, what's to say it won't happen again in a month?
Thanks,
Matt
In bold.
But we are not changing how we deal with staff members when they get hacked and damage has been done to Habbox. Not only that but last night's hacking put a big risk to any user who visited the Habbox website and if it wasn't for David being online at the time and other members spotting it, a lot more damage could have been done and a lot more users would have been targeted.
Of course it is right to fire a staff member if they've been hacked. They can reapply and learn from their mistakes. Don't click links, accept files and be sure to make your password difficult to crack. It's all a learning process, next time they'll be less likely to make silly mistakes and get their accounts compromised. It's different if a regular user is hacked, they don't have any permissions to leak information or to give a hacker access to a part of the site.
Exactly.
Hayleigh
04-07-2011, 06:38 PM
Of course it is right to fire a staff member if they've been hacked. They can reapply and learn from their mistakes. Don't click links, accept files and be sure to make your password difficult to crack. It's all a learning process, next time they'll be less likely to make silly mistakes and get their accounts compromised. It's different if a regular user is hacked, they don't have any permissions to leak information or to give a hacker access to a part of the site.
Thing is Richie even one of the highest up members of staff could click a link :S It's not really something you learn from, it's targeted at you. You can't always say that someone who has not been hacked, keeps their account more secure than someone that has, as it's down to bad luck if you get hacked or not in some cases.
Richie
04-07-2011, 06:41 PM
Thing is Richie even one of the highest up members of staff could click a link :S It's not really something you learn from, it's targeted at you. You can't always say that someone who has not been hacked, keeps their account more secure than someone that has, as it's down to bad luck if you get hacked or not in some cases.
That's my point Hayleigh, be more secure. Preview a link before you click it, google the website if needs be. There are plenty of security measures people can take, it's just the lazy option of clicking a link and hoping for the best outcome. Bad luck? If that is the case Habbox management must be extremely lucky :rolleyes:.
I think they shouldnt be fired I recon its like abit harsh tbh if there really dedicated nd stuff why would they want to click a link
why would they want to get fired
how is it there fault
what if this happend to like someone in a high role of habbox...
They obviously wouldnt have been like
OMG OMG HACK ME PLS I WANNA GET FIRED
would they
I don't think its fair tbh, its there like senior dj lets say just demote them to normal tbh? :S Lee as an example was EXTREMELY dedicated to his department
so was jord when he got hacked as assist hxhd manager..
hardly there fault
Just saw alkaz
Matthew
04-07-2011, 07:18 PM
So it's not the user's fault if they click a malicious link?
It's not the user's fault if they go on a dodgy site?
It's not the user's fault if they have a poor password?
Whose fault is it then.. :rolleyes:
I think they shouldnt be fired I recon its like abit harsh tbh if there really dedicated nd stuff why would they want to click a link
why would they want to get fired
how is it there fault
what if this happend to like someone in a high role of habbox...
They obviously wouldnt have been like
OMG OMG HACK ME PLS I WANNA GET FIRED
would they
I don't think its fair tbh, its there like senior dj lets say just demote them to normal tbh? :S Lee as an example was EXTREMELY dedicated to his department
so was jord when he got hacked as assist hxhd manager..
hardly there fault
Richie
04-07-2011, 07:19 PM
I think they shouldnt be fired I recon its like abit harsh tbh if there really dedicated nd stuff why would they want to click a link - I don't know but they did.
why would they want to get fired - They probably don't but security should always come first.
how is it there fault - They clicked the link.
what if this happend to like someone in a high role of habbox... - I'd imagine they'd get fired too, if not that's a little contradicting, isn't it?
They obviously wouldnt have been like
OMG OMG HACK ME PLS I WANNA GET FIRED
would they - What the hell are you talking about? no-one is accusing anyone of getting hacked purposely.
I don't think its fair tbh, its there like senior dj lets say just demote them to normal tbh? :S Lee as an example was EXTREMELY dedicated to his department
so was jord when he got hacked as assist hxhd manager..
hardly there fault - It's their fault though, lol. If I got hacked and I was staff I'd be pissed that I got fired but I'd know it's in Habbox's best interest. Demoting shouldn't be an option either, they are still a risk. Regular DJs also have access to the radio panel and could leak information like the radio password or upcoming events that management want to keep on the down low.
Everyone on this forum knows 90% of the time I'd disagree with management but jesus you don't have a very strong argument. I wouldn't be fussed about management not firing people after being hacked but it's in my interest as well. If mattg got hacked and my account was compromised or my computer was at risk of being infected I'd be extremely annoyed if he wasn't dismissed. You are putting other users in danger, it's common sense. Security risk = fired.
Sharon
04-07-2011, 07:19 PM
So it's not the user's fault if they click a malicious link?
It's not the user's fault if they go on a dodgy site?
It's not the user's fault if they have a poor password?
Whose fault is it then.. :rolleyes:
ok to stop arguments i'll say it's MY FAULT ok love you long time matt!
sophiethenerd
04-07-2011, 07:33 PM
Let's say someone works so hard for Habbox. They put in time, effort and are amazing. They always upkeep security, they have hard to guess passwords, never click links, only ever think about security.
Then one day a close friend tells them a link to a tumblr let's say. The person has a brief lack of thought, and clicks it.
The close friend turns out to have been hacked, the link is a habbo stealing one, and the person gets hacked.
Then because of that, the user is fired.
Seriously? You would fire someone who behaved, was good at their job and worked very hard, due to one simple mistake?
HotelUser
04-07-2011, 07:52 PM
I'll respond to this more in-depth when I get home tonight, but since most people's anti-dismissal arguments stem from scenarios where staff members got hacked from clicking links, that was not the case in the recent firing of Ouft.
Matthew.
04-07-2011, 08:03 PM
I'll have to agree with Matt.. Let's put in a scenario..
So, Matt Garner is off on Tumblr like he is a lot (if he isn't let's imagine), and he happens to click on something that allows the person to access not his hxf account but the habbox.com account. Do you really think he'd be dismissed by Jin for such a thing like that? After all the time and hard work he's put in to get general manager, would he be fired for something he had no control over? He can't exactly re-apply to be general manager, same as Lee, after long ages of hard work cannot simply go back into the role he was previously in.
Sure, this issue with Lee has created a security hype over Habbox as a whole but surely it isn't his fault this happened.
-:Undertaker:-
04-07-2011, 08:07 PM
When Habbox itself is hacked or a security breach ever arises, why aren't General Management fired?
Richie
04-07-2011, 08:12 PM
I'll have to agree with Matt.. Let's put in a scenario..
So, Matt Garner is off on Tumblr like he is a lot (if he isn't let's imagine), and he happens to click on something that allows the person to access not his hxf account but the habbox.com account. Do you really think he'd be dismissed by Jin for such a thing like that? After all the time and hard work he's put in to get general manager, would he be fired for something he had no control over? He can't exactly re-apply to be general manager, same as Lee, after long ages of hard work cannot simply go back into the role he was previously in.
Sure, this issue with Lee has created a security hype over Habbox as a whole but surely it isn't his fault this happened.
When Habbox itself is hacked or a security breach ever arises, why aren't General Management fired?
I'd like to assume management get fired if they get hacked as it works both ways. Anyone who has permissions that can affect Habbox if their account is compromised, should be fired. I don't care about anyone's job, I care about the safety of myself and the people I speak to online.
MissAlice
04-07-2011, 08:23 PM
What does the staff handbook state will happen if your account is compromised and damages Habbox in any way?
Mathew
04-07-2011, 08:27 PM
What does the staff handbook state will happen if your account is compromised and damages Habbox in any way?
Well this is interesting. The whole firing business appears to have come out of nowhere.. :P I do think it was just a rule someone made up on the spot after someone was hacked and it just stuck without any official recognition or announcement.
If you ever believe that your account has been compromised you should PM an online Super Moderator or Administrator IMMEDIATELY so your account can be safety banned until you are sure it safe.
Zeptis
04-07-2011, 08:27 PM
On the Habbox staff rules it says the following,
If you ever believe that your account has been compromised you should PM an online Super Moderator or Administrator IMMEDIATELY so your account can be safety banned until you are sure it safe.
and for staff who want to see for themselves the thread can be found here (http://www.habboxforum.com/showthread.php?t=641766&p=6442371#post6442371) if you are not staff this thread will be invalid. The rule says nothing about being fired, this should be edited.
---------- Post added 04-07-2011 at 01:28 PM ----------
Dangit Mathew
xxMATTGxx
04-07-2011, 08:30 PM
Well this is interesting. The whole firing business appears to have come out of nowhere.. :P I do think it was just a rule someone made up on the spot after someone was hacked and it just stuck without any official recognition or announcement.
The rule has been in place since the early days of me first working at Habbox and most likely even before that, so it's not like it's been made up on the spot in recent months or anything like that. But threads have been posted a number of times within department forums that if you are ever hacked and damage is caused, then there is a risk of you being removed from your Habbox roles. I feel the handbook should be updated to include that, as it has been a rule for quite some time now.
I think they shouldnt be fired I recon its like abit harsh tbh if there really dedicated nd stuff why would they want to click a link
why would they want to get fired
how is it there fault
what if this happend to like someone in a high role of habbox...
They obviously wouldnt have been like
OMG OMG HACK ME PLS I WANNA GET FIRED
would they
I don't think its fair tbh, its there like senior dj lets say just demote them to normal tbh? :S Lee as an example was EXTREMELY dedicated to his department
so was jord when he got hacked as assist hxhd manager..
hardly there fault
Just saw alkaz
I still disagree with Jordan's dismissal as there was hardly any damage apart from trashing of hxhd which I think is ridiculous as his rights could have just been removed for a month! We can't really compare that with Lee's dismissal, he was dismissed because his forum account was compromised and a lot of damage could have been done which would have caused harm to users, especially if David wasn't online at the time.
I get your point Mathew but when the forum account is concerned I don't think it's safe by allowing the staff member to keep their position and it's more than fair.
Jordan
04-07-2011, 08:32 PM
When I got hacked I questioned this about it wasn't my fault. But somewhere (I'm not sure where) it says if you're hacked and you cause damage to Habbox you get dismissed. If not it's totally alright. In my case my account (Jordesh) was used to trash the helpdesk. They remade it and the hacker came on Jordos50 and trashed again.. I believe it is fair to get fired because you've caused trouble..
Alex3213
04-07-2011, 08:32 PM
I'll post properly later because I'm too tired however I'm undecided on this but I'm certainly leaning towards it being fair for various reasons.
What does the staff handbook state will happen if your account is compromised and damages Habbox in any way?
The last time I remember it was something on the lines of (cos obviously I can't check now):
"You will be dismissed as Habbox Staff if your account is compromised if one or more of these circumstances occurs:
- Your HabboxForum account has been hacked.
- You have lost any of Habbox's furniture resources
- You have damaged one of Habbox's sites or official rooms."
The first one is self-explanatory, if your HxF account has been compromised you will be revealing private information, even more so if you're a manager, administrator, super mod, mod etc as this can cause problems for the forum.
The second mainly is directed at managers I think as there's only a few members other than GM who have Habbox's donations.
The third is if you've damaged one of Habbox's sites (such as whatever happened yesterday or the hacker has gone on a forum rampage and moved thousands of threads into different places for example) or trashing rooms I believe.
Not sure if that's entirely correct, can't remember.
@Mathew: I am more than certain that Hecktix created a thread in the Habbox Staff only certifying that the rules have been in place for a long time and then listed them to ensure all staff understood.
MissAlice
04-07-2011, 08:33 PM
Well this is interesting. The whole firing business appears to have come out of nowhere.. :P I do think it was just a rule someone made up on the spot after someone was hacked and it just stuck without any official recognition or announcement.
So basically there is no rule? Just what actions staff should take if they believe their account is in danger.
Whilst I sympathize with anyone losing control of their account, I do think Management need to clearly state their intentions of firing if the situation should arise. Perhaps then staff would take greater care of their accounts.
Sorry Alex you must have posted same time as me.
Mathew
04-07-2011, 08:34 PM
In my case my account (Jordesh) was used to trash the helpdesk. They remade it and the hacker came on Jordos50 and trashed again.. I believe it is fair to get fired because you've caused trouble..
There's the problem. You didn't cause trouble, the hacker did.
@MG - Perhaps I've just never been aware of it previously then, but I was always under the impression that it was either ignored or went by unnoticed before around the time of Jordesh! :P
Mr-Trainor
04-07-2011, 08:37 PM
So it's not the user's fault if they click a malicious link?
It's not the user's fault if they go on a dodgy site?
It's not the user's fault if they have a poor password?
Whose fault is it then.. :rolleyes:
You could say that Habbo is at fault in regards to recent events of hacking/compromising.
triston220
04-07-2011, 08:38 PM
Choosing secure passwords, running regular virus scans and being careful with what you download can reduce the chance of an account being compromised; however, with FUD (fully undetectable) viruses and Java drive-bys, preventing compromises can be hard.
Mathew
04-07-2011, 08:38 PM
Well that just got me thinking. I do wonder if Ouft was aware of the consequences considering I can't find a thread on it.. :P
Jordan
04-07-2011, 08:39 PM
There's the problem. You didn't cause trouble, the hacker did.
@MG - Perhaps I've just never been aware of it previously then, but I was always under the impression that it was either ignored or went by unnoticed before around the time of Jordesh! :P
Okay you do have a point, maybe some sort of suspension of maybe a week or a month depending on what was actually done would be better than a dismissal?
xxMATTGxx
04-07-2011, 08:40 PM
There's the problem. You didn't cause trouble, the hacker did.
@MG - Perhaps I've just never been aware of it previously then, but I was always under the impression that it was either ignored or went by unnoticed before around the time of Jordesh! :P
Oh hell no, Jordesh wasn't the first one to be fired for that reason. I can remember a number of times before that where staff have been fired because their accounts had been hacked and then caused damage. I will update the main staff handbook thread, as it doesn't seem to be listed and will prevent confusion in the future but this has been a rule for some time now.
Hayleigh
04-07-2011, 08:41 PM
I like the idea of suspension probs 2 weeks not 1 week tho but like their perms wud go n everything.
xxMATTGxx
04-07-2011, 08:41 PM
Mathew and any other Habbox Staff, here is one of the reminder threads about the policy:
http://www.habboxforum.com/showthread.php?t=679380
Jordan
04-07-2011, 08:43 PM
Mathew and any other Habbox Staff, here is one of the reminder threads about the policy:
http://www.habboxforum.com/showthread.php?t=679380
Bit late now as few have been fired for damaging Habbox. They didn't know that if they did or someone else did on their account they would have got fired as it wasn't clearly listed!
Hayleigh
04-07-2011, 08:45 PM
Wasn't stickied Mattg. I think with these kind of situations there should be no specific outcome because Jordesh's hacking n Lee's were so different that one rule cant really decide upon an outcome which is fair to both. I never have seen why jord was fiyad.
xxMATTGxx
04-07-2011, 08:47 PM
Bit late now as few have been fired for damaging Habbox. They didn't know that if they did or someone else did on their account they would have got fired as it wasn't clearly listed!
I didn't mean to post it for that, Mathew mentioned he couldn't find a thread stating such things so I thought I would post the link to one of them. I'll make it clearer very shortly.
Jordan
04-07-2011, 08:49 PM
Wasn't stickied Mattg. I think with these kind of situations there should be no specific outcome because Jordesh's hacking n Lee's were so different that one rule cant really decide upon an outcome which is fair to both. I never have seen why jord was fiyad.
I was fired for getting my account compromised then the person using it to trash the help desk :P
Mathew
04-07-2011, 08:49 PM
I like the idea of suspension probs 2 weeks not 1 week tho but like their perms wud go n everything.
I do agree that a 2 week suspension would be good. Not only are you getting the patronising aspect of teaching these poor souls how to take care of their account, but you're not really publicly embarrassing them and tarnishing their record with a firing. Just think, if Ouft was to receive the suspension... he'd be straight back into it before you know it and people like him wouldn't be lost.
Mathew and any other Habbox Staff, here is one of the reminder threads about the policy:
http://www.habboxforum.com/showthread.php?t=679380
A thread on the 17th December 2010 that wasn't stickied? Surely you can't expect the new staff to see that? :)
Also @Undertaker... in the cheekiest way possible, I do somewhat agree with holding GM responsible if Habbox gets hacked.. :P
MissAlice
04-07-2011, 08:49 PM
Bit late now as few have been fired for damaging Habbox. They didn't know that if they did or someone else did on their account they would have got fired as it wasn't clearly listed!
Well I happen to think it's every Manager's responsibility to ensure the staff they hire understand and have read the handbook. Don't you? It's part of Managing.
GoldenMerc
04-07-2011, 08:51 PM
Got a point about it not being in the staff handbook so how's it a rule? Obviously you shouldn't really go back on your decision on firing him as you'd be going back to 2004 looking for who's been fired for being hacked, It'd be one loooong process.
Chippiewill
04-07-2011, 08:57 PM
Exactly.
Hahahahahahahahahahaha, someone thinks that being hacked is the be all and end all of everything and therefore requires the most stern punishment of being fired rather than a slap on the wrists. Oh Matt, you so funny. I could understand a safety ban/firing but a full on firing for something so trivial.
It's laughable that you would fire someone for a targeted attack (Especially since HotelUser would be so vulnerable to one). What on earth makes you think that the fact of being informed that they were hacked wouldn't be enough of an encouragement to avoid doing it in the future.
I do hope that Habbox is therefore enforcing a no IE rule amongst others, and I guess you're enforcing all staff to not use winamp at all since that's had vulnerabilities in the past and something and something and something. I suppose you might as well disallow macs, too easy to hack if you're going after them.
I'm guessing that HotelUser and Matt didn't visit JewishBear's browser crashing page? Since every technically minded person should know that they are a common source of remote code execution. Nah, I guess not, life's for living eh?
When Habbox itself is hacked or a security breach ever arises, why aren't General Management fired?
Because they live in Brussels, Matt is secretly Van Rompuy. *gets on side*
Mathew
04-07-2011, 09:00 PM
Because they live in Brussels, Matt is secretly Van Rompuy. *gets on side*
Oh, Dan will be proud! (A)
Good post.
Catzsy
04-07-2011, 09:11 PM
The rule has been in place since the early days of me first working at Habbox and most likely even before that, so it's not like it's been made up on the spot in recent months or anything like that. But threads have been posted a number of times within department forums that if you are ever hacked and damage is caused, then there is a risk of you being removed from your Habbox roles. I feel the handbook should be updated to include that, as it has been a rule for quite some time now.
Agree I remember when Jess was hacked, way back, and she lost her Smod post. It was just awful. I felt really sorry for her but I guess the more you keep yourself to yourself the better sometimes as far as security is concerned.
JerseySafety
05-07-2011, 02:15 AM
Funny how after so many years of this so called 'rule' it hasn't become an actual rule, been stickied in staff forums or been added to the staff handbook.
Habbox is almost a dictatorship, and it's heading that way.
The Don
05-07-2011, 02:29 AM
Ouft was unlucky to get targeted, but firing him doesn't solve the problem, they could easily do it to another member of staff. Fair enough if the member of staff is prone to hacking (it happening on a regular basis) Especially considering the amount of effort staff members here at Habbox put in. I also wonder, if you were hacked David, would you get fired/ resign?
HotelUser
05-07-2011, 02:54 AM
First, I feel extremely bad that Lee's account was compromised and even worse that the hacker victimized Lee and other innocent individuals whilst doing it. I've told Lee all the information we have gathered about the hacker and wish him the best of luck with account security in the future.
I don't want to sound like a broken record, but at the end of the day we have to put security first. As I said before, this is an important procedure to follow. After a forum super moderator who can ban any user, delete any thread in every regular forum gets hacked because they were careless with their password(s) - should we honestly turn around and give them back all that authority and controls? If a HxHD staff member gets hacked, they could trash HxHD. If a News Reporter, Rare Values or Content staff member gets hacked they could post vulgar content on Habbox.com and redirects to dangerous websites. If a Forum Moderator gets hacked, they could delete virtually the entire forum. If they get hacked, and those things happen, we can't just hand them that same level of power back without some sort of reassurance that they're clean, safe, and that it won't happen again.
The idea of putting staff on probation after being hacked is interesting. However in the event that a staff member is hacked when it's because they've been careless about their details or passwords knowing they've been trusted with our administrative and staff interfaces, as bad as I feel for the individual I firmly stand by the current policy to dismiss staff members when they've been hacked in such a case. If the staff member was hacked because of variables marginally out of their control I would have said it was a different story and deliberated pursuing alternative options.
If a Manager is hacked in such a way, the same policy applies to them just like it does anyone else. Equally, if a member of general management was hacked I assume Jin (especially knowing Jin's nature for making sure we function in a secure environment) would dismiss us. That is, of course, assuming there is a fansite to dismiss us from. I absolutely shudder to think of how problematic it would be for Habbox if one of us got hacked :P
So basically there is no rule? Just what actions staff should take if they believe their account is in danger.
Whilst I sympathize with anyone losing control of their account, I do think Management need to clearly state their intentions of firing if the situation should arise. Perhaps then staff would take greater care of their accounts.
Sorry Alex you must have posted same time as me.
I think in the past it's always just been assumed everyone was aware of this, or, since it so seldom happened that a policy need not be sealed in ink. I agree with you that this active policy needed to be clearly stated, and so I'm happy Matt's decided to incorporate it into the staff handbook, as well as a stickied thread in the staff forums.
JerseySafety
05-07-2011, 04:24 AM
Tbh. I think there should be a suspension. Getting fired is crap, especially when sometimes it isn't your fault.
Zeptis
05-07-2011, 05:06 AM
Tbh. I think there should be a suspension. Getting fired is crap, especially when sometimes it isn't your fault.
I believe getting fired was a tad bit harsh, but sadly it was in the middle of a link hacking crisis that was posted in the staff forums, and you openly had access to the knowledge of the threat. And if you were hacked because of you clicking a link, this is your own fault. We will miss you though LEE
JerseySafety
05-07-2011, 06:16 AM
I believe getting fired was a tad bit harsh, but sadly it was in the middle of a link hacking crisis that was posted in the staff forums, and you openly had access to the knowledge of the threat. And if you were hacked because of you clicking a link, this is your own fault. We will miss you though LEE
Fair enough, although it wasn't because I clicked a link so tbh it's crap.
Someone hacked my account Ouft awhile back and still has access; was on the verge of getting it back, then this happened. Screwed now. So yeah.
kuzkasate
05-07-2011, 07:13 AM
Did Jess get fired after her account was compromised?
Recursion
05-07-2011, 09:29 AM
I cba to read the whole thread but...
- They could easily use different passwords for Habbo(x)
- It's not difficult to create/remember a strong password
- They could easily not click dodgy files
- They could easily keep their AV up to date and a firewall installed
- And not use security questions where the answers can be found on their Facebook.
It's their own fault at the end of the day and once an account's been compromised Habbox have to take every matter seriously to keep the site secure.
Aaron
05-07-2011, 12:13 PM
I think they shouldn't be fired, I reckon it's like a bit harsh tbh, if they're really dedicated and stuff why would they want to click a link
why would they want to get fired
how is it their fault
what if this happened to like someone in a high role of habbox...
They obviously wouldn't have been like
OMG OMG HACK ME PLS I WANNA GET FIRED
would they
I don't think it's fair tbh, its there like senior dj lets say just demote them to normal tbh? :S Lee as an example was EXTREMELY dedicated to his department
so was jord when he got hacked as assist hxhd manager..
hardly their fault
Just saw alkaz
So it's not the user's fault if they click a malicious link?
It's not the user's fault if they go on a dodgy site?
It's not the user's fault if they have a poor password?
Whose fault is it then..
Yeah I've to agree with Matts, it is their fault if they click a dodgy site or have chosen a poor password.
Areva
05-07-2011, 12:49 PM
Many people were taken out with the new scripting tool, you can all deny it but most of you have clicked links at some point, of course no one clicks getfreecredits these days, but things like Tumblr seem like innocent sites, if you read blogs. The information was not secured properly and isn't really the fault of the user, it's not like they were keylogged; it was a back door passage.
Many people were hacked with this technique, and very rich people too! Some people have lost hundreds of thrones.
Overall they should not be fired, suspension is fine. If you want to blame someone, blame Sulake. But if someone gives out their details or gets keylogged it's a different scenario. Each case should be handled differently and the severity.
It's very easy to judge when it hasn't happened to you, if you give out your personal information you're entirely to blame..
Yeah I've to agree with Matts, it is their fault if they click a dodgy site or have chosen a poor password.
well hardy. All people had to do was click a link like tumblr which was always safe in the past. It wasn't their fault they clicked if they didn't know about the exploit. I think firing is a bit harsh. Maybe a suspension. Just hope that if any of senior staff/management ever get hacked, the same rule applies.
xxMATTGxx
05-07-2011, 01:10 PM
I believe Lee didn't get hacked by clicking one of the recent links at all. So I don't know why people keep mentioning it.
If people actually remembered to change their passwords, have different passwords for different accounts and so on then this wouldn't have happened.
scott
05-07-2011, 01:15 PM
As far as I've been informed it was nothing to do with the clicking links that lead to a redirect thing being placed on probably quite a popular rare, and if it hadn't have been spotted then a lot of people could have then been hacked because of it.
I do think that if someone manages to get their accounts compromised then they should be removed as Habbox staff, it's always been the case as long as I have been staff. I got fired in 2007 for having my MSN hacked :P If someone manages to get their account hacked which leads to stuff on Habbox being tampered with then I do think they should pay the consequences for what happened. Especially if a moderator got hacked and like happened when Alkaz got hacked the full graphics section of the forum was messed up then I would expect some sort of punishment and I think dismissal is ok rather than a 'suspension period'.
I believe Lee didn't get hacked by clicking one of the recent links at all. So I don't know why people keep mentioning it.
If people actually remembered to change their passwords, have different passwords for different accounts and so on then this wouldn't have happened.
Well what if people had got hacked through that exploit?
xxMATTGxx
05-07-2011, 01:58 PM
Well what if people had got hacked through that exploit?
I only remember the exploit combining two accounts together so the hacker could get access to the account and take the furni if needed. I can't see the exploit hacking accounts on the actual forum, as you don't get the passwords. Then again, they should have different passwords for Habbox and Habbo. But if any of their accounts on Habbox (forum, habboxlive, habbox) then did cause damage, put users at risk then they would most likely be dismissed. As stated in the thread a number of times, account safety is their responsibility.
Well I scanned this thread and wasn't one of the dismissals for trashing hxhd?
Lee has been a target by Habbo's underworld for a while :P it's not surprising he was hacked imo. Shame though, I never had a problem with him..
GommeInc
05-07-2011, 02:51 PM
sierk got hacked once, is he to be fired too? :P
Was he actually fired for being "hacked"? Because if so then all he did was get his account compromised - big deal, he's probably learnt from that lesson like anyone else. There's a saying about stuff like this which I can't think of right now, but it's about people being less likely to be a problem after something has happened to them. 5 House Points for anyone who can find the phrase :P
Jordy
05-07-2011, 04:02 PM
The whole issue of being fired for being hacked has always been a shady one since I joined Habbox. All the issue needs is consistency, personally I think a lengthy suspension or sacking is required as it is their fault at the end of the day.
Not so long back it was always the case that when management members got hacked it was fine. Alkaz and ,Jess, have been hacked numerous times over the years and I remember when Immenseman was GM and got hacked. All of them were welcomed back with open arms it seems but if a staff lower down was hacked they were fired. The funny thing is, the management deserve to be punished more as they should know better and put more at risk.
I'd do something along the lines of the bottom hierarchy of staff having a 2 week suspension, the next level up 4 week suspension and management members get fired when they are hacked, maybe even banning GMs from the site for being hacked.
Mr-Trainor
05-07-2011, 04:07 PM
The whole issue of being fired for being hacked has always been a shady one since I joined Habbox. All the issue needs is consistency, personally I think a lengthy suspension or sacking is required as it is their fault at the end of the day.
Not so long back it was always the case that when management members got hacked it was fine. Alkaz and ,Jess, have been hacked numerous times over the years and I remember when Immenseman was GM and got hacked. All of them were welcomed back with open arms it seems but if a staff lower down was hacked they were fired. The funny thing is, the management deserve to be punished more as they should know better and put more at risk.
I'd do something along the lines of the bottom hierarchy of staff having a 2 week suspension, the next level up 4 week suspension and management members get fired when they are hacked, maybe even banning GMs from the site for being hacked.
They would usually be safety banned anyway, no matter what their rank/role is.
The idea of suspension is interesting but wouldn't really work for eg general management because I don't think we should have to go without a general manager for a month.
HotelUser
05-07-2011, 04:07 PM
The whole issue of being fired for being hacked has always been a shady one since I joined Habbox. All the issue needs is consistency, personally I think a lengthy suspension or sacking is required as it is their fault at the end of the day.
Not so long back it was always the case that when management members got hacked it was fine. Alkaz and ,Jess, have been hacked numerous times over the years and I remember when Immenseman was GM and got hacked. All of them were welcomed back with open arms it seems but if a staff lower down was hacked they were fired. The funny thing is, the management deserve to be punished more as they should know better and put more at risk.
I'd do something along the lines of the bottom hierarchy of staff having a 2 week suspension, the next level up 4 week suspension and management members get fired when they are hacked, maybe even banning GMs from the site for being hacked.
Actually when Joe was hacked he was dismissed, as was Jess when she was hacked from her Moderator role. As I said previously in my post if someone on current General Management was hacked Jin would likely dismiss them.
As far as I've been informed it was nothing to do with the clicking links that lead to a redirect thing being placed on probably quite a popular rare, and if it hadn't have been spotted then a lot of people could have then been hacked because of it.
I do think that if someone manages to get their accounts compromised then they should be removed as Habbox staff, it's always been the case as long as I have been staff. I got fired in 2007 for having my MSN hacked :P If someone manages to get their account hacked which leads to stuff on Habbox being tampered with then I do think they should pay the consequences for what happened. Especially if a moderator got hacked and like happened when Alkaz got hacked the full graphics section of the forum was messed up then I would expect some sort of punishment and I think dismissal is ok rather than a 'suspension period'.
Haha bad times that by James we were kicked up the bumzy! To the initial post, you do realize that if a staff member gets hacked they do firstly jeopardize the official status of Habbox. Eventually you learn your lesson but it is about not clicking stupid links and being cautious, it maybe takes 5 mins to change your passwords to something more unique, and such. The procedure has always been there and should be followed. I wouldn't want news reporters or content designers being able to post porno on the site or something. Being hacked is always man-made, it doesn't happen by magic.
I don't care whether you fire someone or not for being hacked, what I will say is that you need to be consistent. I remember when Jess was hacked and she didn't get fired for it, so it's a bit unfair that others get fired for the same thing. You should either fire everyone who gets hacked or fire no one. Sorry to use you as an example jessicarrr xx
HotelUser
05-07-2011, 06:42 PM
I don't care whether you fire someone or not for being hacked, what I will say is that you need to be consistent. I remember when Jess was hacked and she didn't get fired for it, so it's a bit unfair that others get fired for the same thing. You should either fire everyone who gets hacked or fire no one. Sorry to use you as an example jessicarrr xx
I'm not sure what happened in individual cases like that because I wasn't here nor was Matt. However 9 times out of 10 the staff member is dismissed. Since the current management team has been here and even in the past before us, management have been quite consistent in upholding this dismissal policy.
Chippiewill
05-07-2011, 07:01 PM
HotelUser, are you denying or confirming that you did in fact click the browser crashing link which JewishBear had which as I have already stated is a common source of remote code execution, because if so you are just as much in the wrong as the person who has been fired. And I'm not entirely sure exactly what happened but it sounds like someone managed to put some malicious code onto the page which does beg the VERY IMPORTANT question as to why HotelUser did not take simple steps to avoid anything such as that from being used.
GoldenMerc
05-07-2011, 07:19 PM
HotelUser, are you denying or confirming that you did in fact click the browser crashing link which JewishBear had which as I have already stated is a common source of remote code execution, because if so you are just as much in the wrong as the person who has been fired. And I'm not entirely sure exactly what happened but it sounds like someone managed to put some malicious code onto the page which does beg the VERY IMPORTANT question as to why HotelUser did not take simple steps to avoid anything such as that from being used.
what so jewish bear hacked Dave? why's jewish bear not banned then lol
Chippiewill
05-07-2011, 07:21 PM
what so jewish bear hacked Dave? why's jewish bear not banned then lol
Not saying that JB did hack David, but David had been given the signs that it was a potential vulnerability and I'm fairly certain he would have clicked it. People are vulnerable despite all precautions... complacency.
Recursion
05-07-2011, 07:24 PM
Well done it's not malicious:
<script type="text/javascript">
function str_shuffle (str) {
// http://kevin.vanzonneveld.net
// + original by: Brett Zamir (http://brett-zamir.me)
// * example 1: shuffled = str_shuffle("abcdef");
// * results 1: shuffled.length == 6
if (str == undefined) {
throw 'Wrong parameter count for str_shuffle()';
}
var getRandomInt = function (max) {
return Math.floor(Math.random() * (max + 1));
};
var newStr = '', rand = 0;
while (str.length) {
rand = getRandomInt(str.length-1);
newStr += str.charAt(rand);
str = str.substring(0, rand)+str.substr(rand+1);
}
return newStr;
}
function detonate()
{
setTimeout('boom();', 1000);
}
function boom()
{
while(1)
{
explode();
}
}
function explode()
{
str = str_shuffle( 'OISNOn9803j0onaoNG983h2j05203n___8092H4308N__8209 NT098N4208TNnasonBONBONCX' );
str = str.substring(0, 10);
document.write('<script type="text/javascript'+'"'+'>function ' + str + '() { boom(); } ' + str + '();</'+'scr'+'ipt>');
}
detonate();
</script>
Chippiewill
05-07-2011, 07:25 PM
Well done it's not malicious:
And I assume that he and everyone else would have checked that beforehand?
GoldenMerc
05-07-2011, 07:28 PM
What does that function do?
Well done it's not malicious:
HotelUser
05-07-2011, 07:29 PM
I am going to reply to this to correct what you are saying, Chippiewill. I don't mean to sound patronizing here - it's just I'm not sure you're fully aware of what Agnostic Bear posted yourself. This is the link Bear posted:
http://imgbear.com/news.html
This is the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Premium News</title>
<style type="text/css">
body {
background-color: white;
margin: 40px;
padding: 0px;
font-family: Segoe UI, Arial, Helvetica, sans-serif;
font-size: 16px;
}
h1, h2, h3 {
font-weight: normal;
margin: 0px;
padding: 0px;
font-family: Georgia, times, serif;
}
h3 {
margin-left: 20px;
}
p {
margin-left: 15px;
margin-top: 3px;
}
</style>
<script type="text/javascript">
function str_shuffle (str) {
// http://kevin.vanzonneveld.net
// + original by: Brett Zamir (http://brett-zamir.me)
// * example 1: shuffled = str_shuffle("abcdef");
// * results 1: shuffled.length == 6
if (str == undefined) {
throw 'Wrong parameter count for str_shuffle()';
}
var getRandomInt = function (max) {
return Math.floor(Math.random() * (max + 1));
};
var newStr = '', rand = 0;
while (str.length) {
rand = getRandomInt(str.length-1);
newStr += str.charAt(rand);
str = str.substring(0, rand)+str.substr(rand+1);
}
return newStr;
}
function detonate()
{
setTimeout('boom();', 1000);
}
function boom()
{
while(1)
{
explode();
}
}
function explode()
{
str = str_shuffle( 'OISNOn9803j0onaoNG983h2j05203n___8092H4308N__8209 NT098N4208TNnasonBONBONCX' );
str = str.substring(0, 10);
document.write('<script type="text/javascript'+'"'+'>function ' + str + '() { boom(); } ' + str + '();</'+'scr'+'ipt>');
}
detonate();
</script>
</head>
<body>
<h1>Hello! This page has caused you to crash.</h1>
<br /><br />
<h2><strong>Firefox:</strong><br /><h3>Your entire browser has crashed. Well done.</h3></h2><br />
<h2><strong>Google Chrome:</strong><br /><h3> Your tab has crashed. If pre-loading has opened this page, you wont see this or have any idea what caused your crash. Sorry about that.</h3></h2><br />
<h2><strong>Opera:</strong><br /><h3> Your tab has crashed. I have no idea if Opera has pre-loading, if so, it may have killed the tab this was loaded in.</h3></h2><br />
<h2><strong>Internet Explorer (7/8/9):</strong><br /><h3> You will shortly receive a message asking you to stop execution of javascript on this page. I suggest clicking yes.</h3></h2><br />
<h2><strong>Internet Explorer 6:</strong><br /><h3> Your computer <em>may</em> have melted. Be on the lookout for molten metal burning <strong>everything</strong>.</h3></h2>
</body>
</html>
Why am I posting this here? Because it is harmless. You seem to be under the impression that this is some sort of dangerous remote code execution, when it's not. It's completely harmless and puts the user at no risk. I've just created another page that has a similar effect:
http://develop.davzy.com/test1.php
source:
This will die.
<script>
function kill()
{
while(1)
{
setInterval(function(){ kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); },1);
}
}
kill();
</script>
So not only did I click his link, but beforehand I looked at the page source, and identified it as harmless. Essentially what these scripts are doing is creating infinite loops which eventually consume so many system resources that they're closed. There is zero percent risk of gaining any sort of infection from visiting either of the sites above.
Chippiewill
05-07-2011, 07:34 PM
So not only did I click his link, but beforehand I looked at the page source.
You expect me to believe that?
The point wasn't whether it was harmless or not, I never said it actually was, the point was the clicking on potentially malicious links. THEY CAN BE ANYWHERE. If targeted anybody can fall for one, it's just unfortunate that somebody did. Particularly with something like a forum, it only takes one person.
GoldenMerc
05-07-2011, 07:34 PM
Could have told me it would reset my cookies :(
I like cookies :(
HotelUser
05-07-2011, 07:43 PM
You expect me to believe that?
The point wasn't whether it was harmless or not, I never said it actually was, the point was the clicking on potentially malicious links. THEY CAN BE ANYWHERE. If targeted anybody can fall for one, it's just unfortunate that somebody did. Particularly with something like a forum, it only takes one person.
-shrugs- if you don't believe me there's not much I can do, but I checked the source out because the link originated from this (http://www.habboxforum.com/showthread.php?t=707982) thread, where the first sentence is "This will crash Firefox, I believe it will force ram usage into 2gb+ given enough time.". A compelling reason to check source before site, no :P?
Chrome requests permission before running Java applets, and naturally you can't force a user to download an executable file and run it with Javascript. Unless I got a virus from elsewhere, or unless there was a nasty vBulletin exploit floating around my forum account is safe.
Chippiewill
05-07-2011, 07:52 PM
A compelling reason to check source before site, no :P?
Well, maybe you are an ex-spy who watches out for these things. But the average member of staff? No. I hardly think that the 90% of Habbox Staff using IE would be that concerned if it decided to close unexpectedly. And there's the crux of your problem, and until you resolve that with proper educating of all the different signs of vulnerabilities you can't really go round sanctioning people for being prey to these things.
And could someone tell me what it actually is that was posted on the rare values because if it was anything besides plain text then really that's the fault of the person who should be looking to prevent that.
MissAlice
05-07-2011, 08:07 PM
sierk got hacked once, is he to be fired too? :P
Was he actually fired for being "hacked"? Because if so then all he did was get his account compromised - big deal, he's probably learnt from that lesson like anyone else. There's a saying about stuff like this which I can't think of right now, but it's about people being less likely to be a problem after something has happened to them. 5 House Points for anyone who can find the phrase :P
Lol
To be fair to sierk, his account was stolen because of poor housekeeping by Sulake. It wasn’t his fault that someone managed to get into Sulake housekeeping and view passwords. Had sierk been at fault they would never have replaced all his furni, and they did so.
I demand 10 points, so pay up ;) Once bitten, twice shy. In other words have your account compromised once but if it happens twice bye bye.
I think in the past it's always just been assumed everyone was aware of this, or, since it so seldom happened that a policy need not be sealed in ink. I agree with you that this active policy needed to be clearly stated, and so I'm happy Matt's decided to incorporate it into the staff handbook, as well as a stickied thread in the staff forums.
I like others here appreciate you are still fairly new to your role, and I am glad to see some emphasis being placed on this.
In the interest of site security, if staff have been very careless i.e. using the same passwords/email address for Habbo and Habbox they should be fired and not re-hired for a set period of time, regardless of their position. Staff need to be fully aware of the consequences to help prevent them losing their positions they have been entrusted with.
Suspend by all means, until a clear picture of the situation is investigated, that doesn’t mean automatic reinstatement, and only then do what is necessary. Fire if need be.
Let’s not forget each time an account is compromised it’s not for the same reasons, but 9 out of 10 times it is down to the victim not taking better care.
HotelUser
05-07-2011, 08:09 PM
Well, maybe you are an ex-spy who watches out for these things. But the average member of staff? No. I hardly think that the 90% of Habbox Staff using IE would be that concerned if it decided to close unexpectedly. And there's the crux of your problem, and until you resolve that with proper educating of all the different signs of vulnerabilities you can't really go round sanctioning people for being prey to these things.
And could someone tell me what it actually is that was posted on the rare values because if it was anything besides plain text then really that's the fault of the person who should be looking to prevent that.
For a staff member to have their forum account hacked they'd pretty much have to do something wrong. They'd have to have a virus, an easily guessable password, or so on. We won't lose forum accounts because we're clicking links and doing nothing else (especially harmless links such as Agnostic Bear's). I won't discuss the situation with Ouft other than repeating once again that it had nothing to do with clicking dangerous links. Your example does not apply to this scenario.
If a Help Desk staff member was hacked because of Sulake's own exploit where the staff member did nothing else but visit a post on HabboxForum where the dangerous link was portrayed as a dead image, they would not have been dismissed. If a staff member we have entrusted with backend administrative panels is hacked because they're careless with passwords, they will be dismissed.
With regards to what you said about security on Habbox.com, strings are already cleaned for SQL insertion and stripped of HTML so only plain text is allowed. However, News Reporters, Content Staff and Senior Rare Reporters all have access to interfaces in which HTML is necessary in order to do their jobs. We trust them with this level of access and we trust them not to get hacked as well.
Chippiewill
05-07-2011, 08:13 PM
However, News Reporters, Content Staff and Senior Rare Reporters all have access to interfaces in which HTML is necessary in order to do their jobs. We trust them with this level of access and we trust them not to get hacked as well.
A WYSIWYG interface with an outbound URL domain restrictor couldn't have worked?
lRhyss
05-07-2011, 08:20 PM
In bold.
But we are not changing on how we deal with staff members when they get hacked and damage has been done to Habbox. Not only that but last night's hacking put a big risk to any user who visited the Habbox website and if it wasn't for David being online at the time and other members spotting it, a lot more damage could have been done and a lot more users would have been targeted.
Exactly.
I'm sorry Matt but, if by any circumstances, you manage to click a link and your account gets compromised, I doubt that you will be fired.
Inseriousity.
05-07-2011, 08:21 PM
Dave posted an analogy (that I agreed with btw) in a thread in the staff forums that basically said, you can plan for everything etc but people are still human and will make mistakes. This context was that people were blaming Sulake and the coders who let the hackers abuse it. However, surely this analogy can also be applied to people who make security mistakes. You can have the best password in the world but if you go on a site with a keylogger, it's not much use, for example. Therefore I think a suspension should be in place during which time the manager can try to improve their security (with help from more experienced technicians like the agm of development ;);)) and then we can forget this nonsense of "You're fired cos your security is rubbish and this could cause serious damage to our sites ... see you in 30 days ...!"
Mathew
05-07-2011, 08:28 PM
I'm sorry Matt but, if by any circumstances, you manage to click a link and your account gets compromised, I doubt that you will be fired.
lol, very true. Partly because there's nobody around to do the honours anyway! :P
Dave posted an analogy (that I agreed with btw) in a thread in the staff forums that basically said, you can plan for everything etc but people are still human and will make mistakes.
Indeed. Perhaps the analogy only works for some things.. :rolleyes:
This context was that people were blaming Sulake and the coders who let the hackers abuse it. However, surely this analogy can also be applied to people who make security mistakes. You can have the best password in the world but if you go on a site with a keylogger, it's not much use, for example.
This is quite right and that's why I'm rather confused as to why we're being told "it's the user's fault" when it isn't. Having a decent password is useless in some situations, just like it was when we had the linking incidents a couple of days ago. As always, the rule of "hacked = fired" is too broad as there are so many different forms to hacking.
Dave has just said...
If a Help Desk staff member was hacked because of Sulake's own exploit where the staff member did nothing else but visit a post on HabboxForum where the dangerous link was portrayed as a dead image, they would not have been dismissed. If a staff member we have entrusted with backend administrative panels is hacked because they're careless with passwords, they will be dismissed.
...which is pretty much confirming the view that this whole situation is far too ambiguous to put a straight rule on it. If it was a suspension period, it wouldn't really matter. It's a suspension period to learn about security, rather than punishing the individual for something which was out of their hands.
HotelUser
05-07-2011, 08:32 PM
A WYSIWYG interface with an outbound URL domain restrictor couldn't have worked?
To talk code here a WYSIWYG interface wouldn't have an outbound URL blocker, that's something that would be implemented strictly on the backend into a pre-existing cleaning function. Not a bad idea, though if we outright blocked all non Habbox urls this would mean problems for when staff members tried to link to remotely hosted images, simple hyperlinks. There are also cases where we work with external APIs and (god forbid) the occasional remotely hosted iframe (mostly in developing pages) and it would prevent us from doing that as well. I have added several other security precautions to the website since Ouft was hacked, and I'll look into how functional things would be if we selectively blocked URLs.
Dave posted an analogy (that I agreed with btw) in a thread in the staff forums that basically said, you can plan for everything etc but people are still human and will make mistakes. This context was that people were blaming Sulake and the coders who let the hackers abuse it. However, surely this analogy can also be applied to people who make security mistakes. You can have the best password in the world but if you go on a site with a keylogger, it's not much use, for example. Therefore I think a suspension should be in place during which time the manager can try to improve their security (with help from more experienced technicians like the agm of development ;);)) and then we can forget this nonsense of "You're fired cos your security is rubbish and this could cause serious damage to our sites ... see you in 30 days ...!"
Clever comparison here Mike, but it's a lot easier for one person to secure their own personal data than it is to make sure most websites are, especially a larger and sophisticated website such as Habbo.
lol, very true. Partly because there's nobody around to do the honours anyway! :P
Indeed. Perhaps the analogy only works for some things.. :rolleyes:
This is quite right and that's why I'm rather confused as to why we're being told "it's the user's fault" when it isn't. Having a decent password is useless in some situations, just like it was when we had the linking incidents a couple of days ago. As always, the rule of "hacked = fired" is too broad as there are so many different forms to hacking.
Dave has just said...
...which is pretty much confirming the view that this whole situation is far too ambiguous to put a straight rule on it. If it was a suspension period, it wouldn't really matter. It's a suspension period to learn about security, rather than punishing the individual for something which was out of their hands.
Bear in mind the dismissal is still put into place as a form of punishment for the staff member who's been hacked, when their own error has put other members of the community at risk of being hacked, and caused damage to the fansite.
Inseriousity.
05-07-2011, 08:36 PM
I never said it wasn't easier. However, the essential message of the analogy remains the same whether it's one person or a big corporation like Sulake or Jagex: people make mistakes. Should we lose good staff members because they've made a mistake? I don't think we should.
Mathew
05-07-2011, 08:48 PM
Bear in mind the dismissal is still put into place as a form of punishment for the staff member who's been hacked, when their own error has put other members of the community at risk of being hacked, and caused damage to the fansite.
Yet again, it's not always their own error. You can't expect the average 11 year old Habbox Staff to do a PhD-style analysis of a hyperlink, just because there's a one in a million chance it could be dodgy.
Looking back to Ouft, it appears that he's decided to leave the site due to this, which is a shame and is doing Habbox no favours at all. A two week suspension period would be much nicer, friendlier and probably more useful. I can't believe you expect these individuals to take that 30-day firing, sit down and then start reading up about how best to protect themselves against future attacks. Being fired does NOTHING in this instance.
Very much like the caution system we incorporated in events. Getting a caution is no big deal, if you miss an event then you're given one. If someone genuinely missed their event due to lack of power or something, we still give them a caution as we just can't be 100% sure. Events Organisers realise that they're nothing to worry about and it's just a quick reminder that they should cancel in advance. The same applies for a suspension period: they will learn from their mistakes, they will be welcomed back with open arms and you've got the same experience back in play. What is there to dislike?
Obviously though, don't get me wrong... if it happens a second time then by all means fire them! :P
Chippiewill
05-07-2011, 08:51 PM
To talk code here a WYSIWYG interface wouldn't have an outbound URL blocker, that's something that would be implemented strictly on the backend into a pre-existing cleaning function.
That's basically what I meant.
Not a bad idea, though if we outright blocked all non Habbox urls this would mean problems for when staff members tried to link to remotely hosted images, simple hyperlinks.
Could you not add a private image upload for Habbox staff? Habbox staff would rarely need to link outside of Habbox, Habbo and a few other major news sites like BBC News. If you also added a white-listing form where you or some other GMs or other managers can just quickly check out the site and add it, then you won't run into problems of being unable to link to super-awesome-important stuff. If you ran a script to collect a list of all domains linked to for a week, you should be able to get all the common ones from the start.
There are also cases where we work with external APIs and (god forbid) the occasional remotely hosted iframe (mostly in developing pages) and it would prevent us from doing that as well. I have added several other security precautions to the website since Ouft was hacked, and I'll look into how functional things would be if we selectively blocked URLs.
Yeah this makes sense, but I'm not really sure at which specific points a RvR or a News Reporter would need access to "external APIs" and "remotely hosted iframes".
Bear in mind the dismissal is still put into place as a form of punishment for the staff member who's been hacked, when their own error has put other members of the community at risk of being hacked, and caused damage to the fansite.
I still feel that a "slap on the wrists" for first offence would be more than sufficient as a deterrent.
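The backend check discussed in the two posts above (an outbound URL restriction inside the server-side cleaning function, plus a script that collects linked domains to seed the whitelist), sketched as an added Python example that is not Habbox's code and not from either poster. The allowlist contents, the attribute list and all names are assumptions; it audits link destinations only and complements, rather than replaces, HTML sanitisation.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist (sites named in the thread) and a constructed staff submission.
ALLOWED_DOMAINS = {"habbox.com", "habboxforum.com", "habbo.com", "bbc.co.uk"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}
CONSTRUCTED_SAMPLE = """<a href="https://www.habbox.com/news">News</a><img src="/images/rare.png">
<img src="https://habbox.com.evil.example/x.png"><a href="java\tscript:alert(1)">x</a>
<script src="//cdn.evil.example/a.js"></script><a href="https://www.bbc.co.uk/news">BBC</a>"""


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Match an allowlisted domain or a subdomain of one, on a dot boundary."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rejected = []        # (tag, attribute, raw value) to refuse on save
        self.domains = Counter()  # every absolute host seen, to seed the allowlist

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Browsers drop tabs and newlines inside a URL, so compare without them.
            url = "".join(ch for ch in value if ch > " ")
            try:
                parts = urlsplit(url)
                host = parts.hostname or ""
            except ValueError:  # malformed authority: refuse rather than guess
                self.rejected.append((tag, name, value))
                continue
            if not parts.scheme and not host:
                continue  # relative URL, stays on the publishing site
            if host:
                self.domains[host] += 1
            if parts.scheme not in ("", "http", "https") or not host_allowed(host):
                self.rejected.append((tag, name, value))


def audit_html(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor
```

Running `audit_html` in report-only mode over a week of submissions and reviewing `domains` gives the starting whitelist; switching to refusing any save with a non-empty `rejected` list enforces it.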
HotelUser
05-07-2011, 09:03 PM
I never said it wasn't easier. However, the essential message of the analogy remains the same whether it's one person or a big corporation like Sulake or Jagex: people make mistakes. Should we lose good staff members because they've made a mistake? I don't think we should.
Yet again, it's not always their own error. You can't expect the average 11 year old Habbox Staff to do a PhD-style analysis of a hyperlink, just because there's a one in a million chance it could be dodgy.
Looking back to Ouft, it appears that he's decided to leave the site due to this, which is a shame and is doing Habbox no favours at all. A two week suspension period would be much nicer, friendlier and probably more useful. I can't believe you expect these individuals to take that 30-day firing, sit down and then start reading up about how best to protect themselves against future attacks. Being fired does NOTHING in this instance.
Very much like the caution system we incorporated in events. Getting a caution is no big deal, if you miss an event then you're given one. Events Organisers realise that they're nothing to worry about and it's just a quick reminder that they should cancel in advance. The same applies for a suspension period: they will learn from their mistakes, they will be welcomed back with open arms and you've got the same experience back in play. What is there to dislike?
If the severity of being hacked was less than it is cautions would be issued in lieu of a dismissal, just like in any Habbox department if you violate a rule you are either cautioned or dismissed in an extreme circumstance. This recent situation has absolutely nothing at all to do with clicking suspicious links. Ouft was a good staff member, yes, but I cannot change the fact that due to his own lapse in judgement when it came down to personal security, that damage was caused to Habbox. As I said previously if the situation was different and Ouft's account was compromised due to circumstances out of his control (ie clicking a link and nothing more) and damage wasn't caused to Habbox then he wouldn't have been dismissed.
As things stand, we will not be altering the policy on dismissals due to hacking, we simply cannot turn a blind eye when it comes down to security, especially when 9 out of 10 times it's easy to stay secured.
Thread closed.