PROVING A POINT
Written by HotStuff (#59035), with slight editing by Chubbles.
Let me offer you some info on a semi-infamous multi of mine, Gamebreaker (#189668), and his clans "Proving a Point" and subsequent ones...
I was out of the country during the Black Sunday debacle, and the game I came back to was very different than the one I left. While I had been a bit of a bugfinder before I left town, when I came back and saw the chaos bugs could cause, I decided to put some serious effort into rooting out anything I could find.
I began systematically poking at every PHP file I could find. Some bugs I found caused irreversible damage to the characters, so I primarily used multis like Gamebreaker for testing. Around the end of August I found a few interesting holes -- I managed to (in one day, and at no adventure cost) get Gamebreaker's familiar, Exploit the Blood-Faced Volleyball, to 40,000 kills, which was then #1 on the leaderboard. Gamebreaker also had the 300 lb. Familiar trophy having only played 10 turns.
I shifted my attention to the clan PHP files and noticed a few potential exploits. It has always been a bit difficult to persuade Jick that bugs need fixing, so I had Gamebreaker found the clan Proving a Point, which I then proceeded to place in first place on the clan warfare leaderboard with 300 (late in August), and then 1000 wins (again in one day, on August 31, 2004).
(Editor’s
note: On September 8, 2004, it was noted in the forums that Gamebreaker had also
figured out a way to attack the same clan more than once per three hours. This
exploit was different from the 1000-win exploit, which did not take any actual
attacks, per se, but rather jumps through holes in coding.)
There was a bit of controversy about it at the time, nothing too severe, as most folks (even those in head clan, who were vying for the top spots) agreed that the exploits should be closed. It took Jick a few weeks to do it, and once he did, I disbanded the clan.
About a month later, SolarFlare found an interesting security hole that allowed clans to use images as their title. Gamebreaker got involved, and there is still a memorial message on Warehouse 23's clan board where clan (image here) attacked.
This was a huge security hole, however, for it was not just images that could be posted – javascript could as well. As a proof of concept, Boozerbear and I wrote a neat little javascript that caused anyone who looked at a particular player's profile (listing their clan, or clan title) to kmail me their password hash and 1 million meat. Jick very quickly closed those security holes.
When Jick cleaned up the clan database, he deleted all the clan names that included images. For most he created fake names, but for some reason for Gamebreaker's clan, he just left it blank. So that is the clan that Gamebreaker currently uses -- the null set (the clan is #15810). You can't search for the clan, nor click on it in Gamebreaker's profile.