
I'm sorry Matt but, if by any circumstances, you manage to click a link and your account gets compromised, I doubt that you will be fired. In bold.
But we are not changing how we deal with staff members when they get hacked and damage has been done to Habbox. Not only that, but last night's hacking put a big risk on any user who visited the Habbox website, and if it wasn't for David being online at the time and other members spotting it, a lot more damage could have been done and a lot more users would have been targeted.
Exactly.
Dave posted an analogy (that I agreed with btw) in a thread in the staff forums that basically said, you can plan for everything etc but people are still human and will make mistakes. This context was that people were blaming Sulake and the coders who let the hackers abuse it. However, surely this analogy can also be applied to people who make security mistakes. You can have the best password in the world but if you go on a site with a keylogger, it's not much use, for example. Therefore I think a suspension should be in place during which time the manager can try to improve their security (with help from more experienced technicians like the agm of development) and then we can forget this nonsense of "You're fired cos your security is rubbish and this could cause serious damage to our sites ... see you in 30 days ...!"
lol, very true. Partly because there's nobody around to do the honours anyway!
Indeed. Perhaps the analogy only works for some things.. :rolleyes:
This is quite right and that's why I'm rather confused as to why we're being told "it's the user's fault" when it isn't. Having a decent password is useless in some situations, just like it was when we had the linking incidents a couple of days ago. As always, the rule of "hacked = fired" is too broad as there are so many different forms of hacking.

Originally Posted by Inseriousity:
This context was that people were blaming Sulake and the coders who let the hackers abuse it. However, surely this analogy can also be applied to people who make security mistakes. You can have the best password in the world but if you go on a site with a keylogger, it's not much use, for example.
Dave has just said...
...which is pretty much confirming the view that this whole situation is far too ambiguous to put a straight rule on it. If it was a suspension period, it wouldn't really matter. It's a suspension period to learn about security, rather than punishing the individual for something which was out of their hands.

Originally Posted by HotelUser:
If a Help Desk staff member was hacked because of Sulake's own exploit where the staff member did nothing else but visit a post on HabboxForum where the dangerous link was portrayed as a dead image, they would not have been dismissed. If a staff member we have entrusted with backend administrative panels is hacked because they're careless with passwords, they will be dismissed.
To talk code here, a WYSIWYG interface wouldn't have an outbound URL blocker; that's something that would be implemented strictly on the backend, in a pre-existing cleaning function. Not a bad idea, though if we outright blocked all non-Habbox URLs this would mean problems for when staff members tried to link to remotely hosted images or simple hyperlinks. There are also cases where we work with external APIs and (god forbid) the occasional remotely hosted iframe (mostly in developing pages), and it would prevent us from doing that as well. I have added several other security precautions to the website since Ouft was hacked, and I'll look into how functional things would be if we selectively blocked URLs.
Clever comparison here Mike, but it's a lot easier for one person to secure their own personal data than it is to make sure most websites are, especially a larger and sophisticated website such as Habbo.
Bear in mind the dismissal is still put into place as a form of punishment for the staff member who's been hacked, when their own error has put other members of the community at risk of being hacked, and caused damage to the fansite.
Last edited by HotelUser; 05-07-2011 at 08:34 PM.
I'm not crazy, ask my toaster.
Yet again, it's not always their own error. You can't expect the average 11 year old Habbox Staff to do a PhD-style analysis of a hyperlink, just because there's a one in a million chance it could be dodgy.
Looking back to Ouft, it appears that he's decided to leave the site due to this, which is a shame and is doing Habbox no favours at all. A two week suspension period would be much nicer, friendlier and probably more useful. I can't believe you expect these individuals to take that 30-day firing, sit down and then start reading up about how best to protect themselves against future attacks. Being fired does NOTHING in this instance.
Very much like the caution system we incorporated in events. Getting a caution is no big deal, if you miss an event then you're given one. If someone genuinely missed their event due to lack of power or something, we still give them a caution as we just can't be 100% sure. Events Organisers realise that they're nothing to worry about and it's just a quick reminder that they should cancel in advance. The same applies for a suspension period: they will learn from their mistakes, they will be welcomed back with open arms and you've got the same experience back in play. What is there to dislike?
Obviously though, don't get me wrong... if it happens a second time then by all means fire them!!
Last edited by Mathew; 05-07-2011 at 08:54 PM.
That's basically what I meant.
Could you not add a private image upload for habbox staff? Habbox staff would rarely need to link outside of habbox, habbo and a few other major news sites like bbc news. If you also added a white-listing form where you, or some other GMs or other managers, can quickly check out the site and add it, then you won't run into problems of being unable to link to super-awesome-important stuff. If you ran a script to collect a list of all domains linked to for a week, you should be able to get all the common ones from the start.
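A sketch of the backend cleaning step the post above proposes, as an added Python example that is not Habbox's own code: a domain allow-list applied to URLs in post text, plus the domain-collection script used to seed that list. The starting domains, the placeholder text, the URL regex and the function names are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed starting allow-list; a real one would be managed by the
# whitelisting form and seeded from collect_domains() below.
ALLOWED_DOMAINS = {"habbox.com", "habbo.com", "bbc.co.uk"}
PLACEHOLDER = "[link removed: domain not whitelisted]"

# Bare http(s) URLs in post text; stops at whitespace, quotes and the
# delimiters of BBCode/HTML tags so [img]...[/img] and src="..." work.
URL_RE = re.compile(r'https?://[^\s"\'<>\[\]\)]+', re.IGNORECASE)


def host_of(url: str) -> str:
    """Parsed hostname, lower-cased, without a trailing dot."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True if the host is an allowed domain or a subdomain of one.
    Checking the parsed hostname rather than a substring of the URL means
    lookalikes (habbox.com.evil.example, habbox.com@evil.example) fail."""
    host = host_of(url)
    return bool(host) and any(host == d or host.endswith("." + d) for d in allowed)


def clean_post(text: str, allowed=ALLOWED_DOMAINS) -> str:
    """Replace every URL whose domain is not whitelisted with a visible
    placeholder; allowed links and image URLs pass through unchanged."""
    return URL_RE.sub(
        lambda m: m.group(0) if is_allowed(m.group(0), allowed) else PLACEHOLDER,
        text)


def collect_domains(posts) -> Counter:
    """Count domains linked across a batch of posts (e.g. a week's worth)
    so the common ones can be reviewed and added to the allow-list."""
    counts = Counter()
    for post in posts:
        for url in URL_RE.findall(post):
            host = host_of(url)
            if host:
                counts[host] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample post, not taken from the forum.
    sample = ("[img]http://images.habbox.com/a.png[/img] see "
              "http://news.bbc.co.uk/x and http://habbox.com.evil.example/login")
    print(clean_post(sample))
    print(collect_domains([sample]).most_common())
```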
Yeah this makes sense, but I'm not really sure at which specific points a RvR or a News Reporter would need access to "external APIs" and "remotely hosted iframes".
I still feel that a "slap on the wrists" for first offence would be more than sufficient as a deterrent.
Last edited by Chris; 05-07-2011 at 09:21 PM.
Chippiewill.
I never said it wasn't easier. However, the essential message of the analogy remains the same whether it's one person or a big corporation like Sulake or Jagex: people make mistakes. Should we lose good staff members because they've made a mistake? I don't think we should.

If the severity of being hacked was less than it is, cautions would be issued in lieu of a dismissal, just like in any Habbox department: if you violate a rule you are either cautioned or dismissed in an extreme circumstance. This recent situation has absolutely nothing at all to do with clicking suspicious links. Ouft was a good staff member, yes, but I cannot change the fact that due to his own lapse in judgement when it came down to personal security, damage was caused to Habbox. As I said previously, if the situation was different and Ouft's account was compromised due to circumstances out of his control (ie clicking a link and nothing more) and damage wasn't caused to Habbox, then he wouldn't have been dismissed.
As things stand, we will not be altering the policy on dismissals due to hacking; we simply cannot turn a blind eye when it comes down to security, especially when 9 out of 10 times it's easy to stay secured.
Thread closed.