Deactivate administrative permissions on accounts that are logging in under suspicious circumstances, pending a response to a security question. We can automate this, but doing it manually would suffice for now.
Mandatory criteria for suspicious circumstances:
1. Hasn't logged in for a time period, ideally a week, but a month at most.
2. Has logged in on a new IP address. No exceptions, even if the CID matches, because modern ban evasion tools can spoof a specific CID and due to other SS13 servers suffering worse security breaches to their database in the past, we can't verify that nobody doesn't know an admin's CID.
3. Has logged in on a new CID.
4. Is manually marked as "suspicious" by another admin.
This does not protect against RAT attacks, but will protect against social engineering attacks and "big company fucked up and now your password is leaked" attacks.
Require admins to verify their identity in #adminbus on discord via a security question of their choosing stored with headmins or MSO to regain their permissions. We can also script this into the discord bots and TGS3/4, so that admins could verify from in-game as well.
We have approximately 120 people on the admins.txt as per Statbus's listings at https://atlantaned.space/infobus/adminwho/ and every time a password breach occurs, we roll the dice for every one of these accounts that someone who isn't the account owner logs in and fucks with things during lowpop hours with no admins logged in, even in stealthmin mode, which happens frequently during dead hours.
This is no longer hypothetical. It has happened, as evidenced by the ban log.
All it takes is one person with a functional banning panel to fuck up an insane amount of bans, delete a bunch of notes, and cause a lot of havoc in the span of five minutes.
We are very, very lucky that these two dumbasses unbanned themselves instead of choosing to use javascript to automatically unban a very large chunk of the ban table before being caught.
A real attacker with sufficient time and preparation could have used the absolute trust we give administrator accounts to unban a significant amount of people via automation before being caught if they timed it right.
How soon can we expect /tg/ administration to take action? If you guys refuse, you're announcing to every bad actor we have in this community that it's open season on breaching administrator accounts every time some admin's Ashley Madison account gets compromised and sold in a password dump because the statistics prove a vast majority of users do not change their passwords, and that a majority of users share passwords.
Here's the results from a survey the CSID did!
https://www.csid.com/wp-content/uploads ... _FINAL.pdf
Here's some handy graphs from that survey!
That's 73 of 120 admins who use their BYOND password on Ashley Madison or Adobe or some other fuckin website that did a dumb and had plaintext passwords leaked as listed on haveibeenpwned.
"What if admins just have good passwords?"
Good passwords get cracked when they're shared with other sites.
Can you verify that all 120+ people on the admins.txt has a unique password for BYOND only?
No, you can't, not without asking for their password and that's unacceptable. Hence why we should use security questions as a method of 2FA.
