FSPBotGate: A developer's statement

Here’s a bot developer’s view on the bot situation that occurred in the FSP discord. I recommend reading the long version as it includes all the facts and points which may prove what I’m saying, but if you’re busy or too lazy feel free to read the short version. I call for a termination of the “bot developer” as his actions should NOT be tolerated in the department.

Long version

In the “full story” the bot developer and the Sergeant writing the release state this: “The initial testing phase showed no issues in the bots’ source code, nor in functionality.” All bot developers use the “client secret”, in other words the code linked to the bot user, which we need in order to have the bot running. But what does this have to do with the case? The “client secret” has a regenerate button which provides a new code, which is used to make sure no one has your code. Here’s an example of a “client secret”; this is what one looks like: “pSEUbjwgr5QpfVBge8j1o4jCTNlU6VM” (keep in mind this code is regenerated and no longer usable). What are the chances of a single person finding all the letters and numbers perfectly correct? The chances are way too small. So it’s obvious that he either shared the “client secret” or did all this himself. He said his friend hosted the bot, so that’s one guy knowing the “client secret”; the Superintendent was shown the code, thus two. I have reasons to believe more people were shown it, but at the moment we have three people we know for certain knew the “client secret”. What a huge security hole! It’s common sense to not share your “client secret” and this is a very good example. So let’s assume he shared it and someone either leaked it or used it against him. But who? Very few people here in FSP even have an idea what discord.js is. This leads the suspicion back to the bot developer.
Now onto another statement: “At this time, the bot’s creator had only switched hosts roughly 3 minutes prior. Dev_havoc had changed hosts from a server in his friend’s house to HEROKU.” But when you change hosts there’s a common rule: you should ALWAYS regenerate your “client secret”. Heroku is a professional hosting service and is not guilty; I even use it myself at some points.
Let’s look closer into this: “Dev_havoc then left his computer (after changing hosts) and returned roughly five minutes later to see that his computer was turned off, and his internet had been cut out.” If your computer was turned off, how could you know your Internet had been cut out? “This wasn’t common and he rarely turns his machine off. This started to sound alarm bells for havoc. When he booted his PC back up, he was greeted by this:” And, magic, the Internet is back to normal? “We suspect that dev_havoc was DDOS’d, which took down his internet and PC, which also allowed the unauthorized user time to abuse the Bots permissions.” Let’s check what DDOS is: “In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.” As you can see, a DDOS can indeed get his internet down, but not take control of his bot. What does this mean? The bot developer or the “friend” (the host) is guilty. The Superintendent wouldn’t be able to do all this; he’s not a developer. The “friend” has zero connection with FSP and wouldn’t have any need of doing all this, which leaves it to the bot developer, dev_havoc.

Short version

There were several holes in the security: there were far too many people trusted with the “client secret” (the bot’s secret code to the bot user), and what they claimed to be a DDOS wasn’t a DDOS. Taking all the facts together, it looks like the bot developer, dev_havoc, did this on purpose.

3 Likes

This entire thing is just because one guy gave the Client code to a certain person and fucked up. I don’t want to advertise another alternative but, for Christ’s sake, my bot was competing against his; it lost because A. We didn’t have the same sleek UI
B. I didn’t try to copy the FirestoneBotv2 layout and methods

The best way to not have a code leaked is to not have it all in one Bot.js file, but this bot ran like that; it all worked inside one file. This is why, if someone got the ability to parse it, they could just parse for “Token”, find the token and retrieve it to log in.

3 Likes

All my bots are on heroku.

lol there’s no ddos or breach; he either leaked his token or did the act himself. Prove me otherwise.

6 Likes

Also, can we please banish the suffix -gate? But I do think it’s important that bots are trusted before using them in a Firestone server.

4 Likes

Honestly, it was FSP’s fault. Like, why do you need a custom bot in the first place? FSP does not require a custom bot; the whole idea is just stupid. Making the custom bot was a disaster waiting to happen.

2 Likes

The Justice Department had a custom bot, but it was mainly for moderation purposes. We didn’t have a problem.

2 Likes

The trooper might have leaked his token.

2 Likes

Thanks for summing up my thread of over 750 words in a sentence xd

2 Likes

Custom bots aren’t a disaster; again, take the DOJ Bot. The way in which the guy hosted his own bot caused him to have given out his client ID to a mate and to a few others. He put his code on GITHUB, and the issue is that that code had his entire Client ID and Token ID in it, so he fucked himself over.
And as Enve said, he probably did it. I mean, I wrote that document, but since I make my own bots and have seen the few ways to get into the bot, I can say that either he did it, or one of his mates with access did it.

2 Likes

Couldn’t you just make a system where every 24 hours the client ID gets regenerated, then whatever the fuck needs to use the client ID just automatically gets it transferred?
At most, just make an app on your phone so you can remotely change the client ID;
if you can script an entire bot, why can’t you make an app?

2 Likes

Well my fine rudy, there is no way, as far as I know, to regenerate the bot token automatically. It is on a little dev webpage that only the owner can access (unless he gives his discord acc login to someone else). So yeah.

2 Likes

I’m not smart with bots, don’t bully me,
but still, there should be more security to get the code.

2 Likes

No security needed. Just don’t post it anywhere lol

4 Likes
