IMPORTANT Official Statement

Status
Not open for further replies.

Coban

Well-Known Member
Developer
This is a follow-up to the older clarification topic, if you wish to read it, click here.

You may have seen the recent spamming and talk on the forums and the server claiming we have malicious intents, such as stealing Minecraft accounts, passwords and so on.

By this statement, I deny all those claims against us, they are all false and were only spread around to cause corruption in our community, and to get our players to move to a different server, which I will be talking about in a second.

We as owners of McCities do not have the ability, nor the intention, to see or use your passwords. All of your passwords, whether on the forums or the server, are always hidden from us, AND they are encrypted. This is of course to ensure maximum security and your safety; it has always been like that and will never change.

The screenshot you may have seen with the "save pass" module, said to steal your passwords, is not a module, nor does it send your password to a magical database. It's nothing but coding of the forum's software itself to allow you to log in, that is all. It's literally on all forums. You may research it all you wish, our forums software is called XenForo.

Now for the final and last point, us stealing your credit card information. We yet again do not have access to such information, nor do we seek it, at all. All payments done on our store are processed by a well-known company called Buycraft, and furthermore, they are all handled by PayPal. Again, do your research if you wish.

All your information is safe, and again I repeat, those words being spread around are false information, with the sole intention of damaging our reputation and getting our players to leave.

Those who have done that are nothing different than scammers. With no morals, or self-respect. Whether they are the puppets following orders for personal gains, or those who are in-charge themselves.

Willing to damage others' reputation just for their own good, even if they know they are innocent, and even if it opposes their religion, or so called missing morals and manners.
If you don't know who those people are, they were previous owners of McCities, exactly the same ones kicked because they scammed us, and now they are the ones who created a new server using our own server files, calling it their own.

I hereby state that we are not linked with whatever happened with their server recently, I'd much rather have respect for myself, my age and my nature than running around on Minecraft servers hoping for their failure just for personal gains.

I hope this statement made it clear for you all -- Every word said here is the truth, it's up to you whether to believe me or not. I certainly hope you do trust in me, because I have nothing to hide, nor am I afraid of them, because I am not in the wrong.
I also have bolded out names of services, or phrases we use to double-check everything I have said on your own.

Nothing will stop us from progressing, we've lately been working on new updates so expect a new announcement soon with much more exciting news!

-Coban. Owner of McCities.
 
Deleted member 832

Guest
Thanks Coban - private convo me please, I need to talk
 

Powerfull

Well-Known Member
Former Staff
I'm glad this has been resolved - I don't understand it all, as I joined a month or so after this, but I have loved the server!!! Shoutout to @Coban and @nibble for such a great server! (Idk Many's forums name)
 

TheDiamondTiger

Cyber Bullied
Maggot
Well, you are correct in saying that all the passwords are encrypted, but that doesn't mean they are safe. If I send an encrypted message to the host computer, it incorrectly decrypts it (not https), hence passwords can be intercepted (if you want a detailed explanation of why and how this works, google it). If your mc password is the same as your forums account password, then your account isn't safe. Now in NO WAY am I saying that any staff would, but am merely stating that it is possible.
 

TheDiamondTiger

wow i heard about them making a similar server, but wow. I never thought any of this crap lol
im scarrreeed xD
The situation is that Craftizz's (an admin on the other server) MC account was hacked into by presumably Kiri, and went onto that server, and spawned tnt everywhere and reset everyone's bals. Now, what they are claiming is that it was Kiri who hacked Craftizz's account, and copied people's passwords and emails for this forum to get their mc passwords. I am NOT claiming that this is true, but this is the current situation.
 

nibble

Administrator
Staff member
I won't go into much detail, but they had other security flaws. Xenforo wouldn't be one of the most widely used forum software if it was not secure. It's easy to say that anything can be decrypted, but it's really not an easy task.
 

Coban

Well, feel free not to hold back on your information.
Passwords are salt hashed on our database, and are only decrypted when authenticating using the forum's board.

"If I send an encrypted message to the host computer, it incorrectly decrypts it (not https)" -- It wouldn't be called encryption if literally the decrypted data left the operating server now would it?

Also SSL, aka "https" literally has nothing to do with SQL table encryption, both are completely separate and operate differently.

I have previous experience with XenForo's code, and I am aware of the encryption methods, and I can assure you that when authenticated, it compares the input password, hashed, with the already existing hash (sha256 in that sense; we might even be running double protection, haven't checked if we do).

Example code (Simplified for ease of understanding, not proper syntax but same idea)
$NewlyPassword = (Crypt(InputPassword)) [Temporarily assigning an encryption to the input]
$NewlyPassword == $DatabasePassword [Comparing both values, input and existing hash]


For you to access one's authentication cookie, you either a) need direct access to their internet session or b) simulate the cookie cache.
For those two cases, a is only possible when a user's computer is compromised, and for b only possible if the system board itself, xenforo is exploited which right now, there is none considering we have always been updating following the hot patches. (PS - The SQL injection which is known for month now was already hotfixed, aka the data table is safe)
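
The storage-side check described in the post above, as an added Python example that is not part of the original post and is not XenForo's code. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt; the function names, record layout and iteration count are illustrative.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the row a server stores: salt and derived hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-derive the hash from the submitted password and the stored salt.

    `candidate` reaches this function as plaintext from the login form. How it
    travels to the server is a transport (TLS) concern, separate from this check.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    password = "correct horse battery"  # constructed sample value
    alice = hash_password(password)
    bob = hash_password(password)  # same password, different random salt
    return {
        "login_ok": verify_password(password, alice),
        "wrong_rejected": not verify_password("Correct horse battery", alice),
        "same_password_different_rows": alice["hash"] != bob["hash"],
        "plaintext_in_row": password in str(alice),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing is decrypted at login: the stored hash is never reversed, only recomputed from the submitted password and compared.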
 

TheDiamondTiger

I'm not saying this, I am saying that the connection between a user and the system can be interrupted and passwords stolen that way, but the "interceptor" would only be able to get intercepted information. The website isn't secure, so it is possible for a MITM attack to be executed.
 
Deleted member 832

Guest
Also, I'm pretty sure it's VERY illegal for data to be sent to the XenForo servers and decrypted by you, I don't believe that anyone here would do such a thing
 

Coban

By that sense, literally any website that does not support an SSL layer would've been hacked the moment it went up.
For any organization, or service; and I mean any, there is always a possibility of breaching, but however that does not mean it's child's play.
Example:
If Client A sends a packet to Server A -- this sent packet cannot be intercepted unless either the server, or the client have been breached, and vice versa for the destination.
For the server to be breached, we surely should have noticed by now, don't you think?

Any possible breach would be an SQL injection, which again easier said than done. Hopefully such a thing does not happen to us.
 

ReverseFlassh

Member
People who do not know how a website works or what goes into a website should not be talking. Logins and user activity are managed by XenForo, which allows for the website to be online. McCities staff manage what is on the website and can manage who is on the website, what goes on it, and what happens when certain actions are done. Cities, like other XenForo or Enjin websites, cannot see user credentials, just user logins. The most Cities staff can see is your IP, which virtually every website you go to on the internet can track and see. Therefore, calling Cities a threat, or trying to bring rumors into reality, is pointless and a waste of time.
 