Or: How a Bunch of Drama Happened and an Alt Gmail Got Hacked in Record Time.
This is the story of how MT and Moongourd went from 0 to 100 in a day. This is a cautionary tale about securing your email accounts. And most of all, this is a story about taking things way too seriously.
This is going to be a very lengthy post giving a chronological account of my experiences, with an update at the end detailing my plans moving forward. Grab some popcorn and strap yourself in for some entertaining drama, because this is gonna take a while.
The story is under the cut, but if all you wanna know is what's going on with me and my stuff, just skip to the very last section.
Part 1: Moongourd Memes
A couple of months ago, a European archer came to me asking about making Rapid Fire work faster, and for once, I was actually bored enough to give it a try. It worked, and I extended it to Burning Heart and Burst Fire, and then I made a post about it. Cool.
Since then, it's been passed around to a few people here and there, and we've been able to identify and remove some bugs and exploits. There's still some massive desync problems that I hoped to address sometime, but I just haven't had the time to get around to it.
tera-proxy has always been an unstable abomination, and despite being around for a number of years, I'm still finding and fixing bugs and crashes. That extends to this new fast-fire mod as well, and that's why I've mostly been telling people to keep this stuff on the down-low. If I publicly release something with a major exploit, that's bad. If there's lots of crashes and bugs, people swarm me for support, and that's also bad.
My biggest priority for a very long time now has been "Baldera", intended to be a GUI to make it easier for people to use and configure tera-proxy while also receiving automatic updates so I don't have to track down everyone using it to tell them which files to change. This is what I was, and still am, waiting for.
Cue my surprise when this "0 ping RF" suddenly blows up. Big.
Now there was all this talk of "packet injecting" and threats of getting banned from Moongourd. A prepackaged version of tera-proxy + fast-fire was being given out in Global chats.
I had joined the Moongourd Discord a day or two prior, just to see what all the buzz was about, but I stayed completely silent. People were talking about me as if I weren't there at all.
From what I gather, teri was upset about some Amaterasu people using fast-fire, and tensions between both parties escalated this to a full Moongourd ban on all Amaterasu people.
All this drama was pretty amusing to me, so I broke my silence to say only two things, with some irrelevant messages omitted:
"Discussions" grew worse and worse until the Moongourd Discord was engulfed in memes. It was memed so hard that the admins locked it down and prevented anyone from talking.
A few minutes later, without hearing anything from anyone, I was promoted to the "Devs" rank on the Moongourd Discord. Several more minutes later, I discovered that the reason for this was to have a talk about how best to address everything going forward.
I don't have a good answer to share with anyone on that. All there is to do for now is wait and see, so that concludes this chapter.
Part 2: Gmail Hacked
4:43 am: I had had a very fun and eventful day, so sleep was a little difficult. I was still awake when I received a message on my main Gmail account saying there was a new sign-in on my alt Gmail account: Firefox on Windows, IP address 37.35.105.82.
That's weird. I don't use Firefox.
4:46 am: Just to make sure things were okay, I tried to log in on my phone, which was a terrible idea because my phone is crap and the login didn't seem like it would happen anytime soon.
4:48 am: I pulled out my laptop and logged into the alt account. Google didn't give any extra information on the IP address, but searching it revealed that it was from Switzerland, along with a couple of pages about it being the source of some forum spam.
4:50 am: The attacker searched "discord" and went to the homepage, only to be alerted of me changing the password on the Gmail account.
4:53 am: The attacker retaliates by changing the password again, changing the recovery email address, and deleting the security question.
4:55 am: The attacker sent my main Gmail a message titled "F" and containing "ICARUS HAS FOUND YOU" repeated 95 times. Unfortunately, I am not very familiar with Deus Ex, otherwise the message would've been cooler.
Immediately afterwards, the attacker went and issued a password reset on the linked Discord account. Luckily, it was just a bot for my guild's Discord, but they were able to log in and change the email address linked with that account.
After doing so, they sent me a friendly greeting:
I immediately kicked the bot from the Discord, but didn't do anything else with it. I wanted to see if they'd send me more messages. (They didn't. Oh well.)
4:58 am: The attacker started signing up for a Dropbox account with the compromised Gmail account. Dropbox sent a verification email.
5:01 am: The attacker issued a password reset on the attached Twitter account and logged into it (again, Firefox on Windows). Too bad this was a Twitter RP account that I last used in 2012. Nothing juicy here, just some mildly embarrassing roleplay.
5:05 am: The attacker Googled "enmasse signup" and went to the account creation page, and then Googled "enmasse support" and went to the support page. I'm guessing they planned to reset my info here too, but I only have three alt accounts made for now-defunct guild banks linked with this email, so they wouldn't have found anything interesting anyway.
5:08 am: Google sends the compromised account a verification code during my first attempt to get back into the account. Since I couldn't get this code, Google prompted me to prove account ownership by providing the old password before sending a code to the old recovery email. The code didn't work for me. Pretty discouraging for it to say it couldn't verify my identity.
5:13 am: The attacker completes the Dropbox signup, and I try to get back into the Gmail account a second time. The new code succeeds, and I'm greeted with a form to explain my situation to Google in order for them to transfer control of the account back to me.
5:16 am: The attacker issues a password reset on my Newgrounds account. I didn't even remember I had a Newgrounds account. Last used 2010 at the latest, probably. All I did was post a couple of music tracks. Nothing exciting. You can keep this one, buddy, but the email was still marked unread so I don't think you finished resetting it. Not like I remember the real password anyway.
5:25 am: The attacker decides to send my main email account another message titled "HELP", containing "SEEK HELP [my real name]" repeated 175 times. Spooky. I don't like to give out my real name, but I have it in some GitHub files and a few YouTube videos on my main email account, none of which are very difficult to find, so I wasn't scared to see it pop up.
5:32 am: Google finishes manually checking the account takeover and gives me a link to recover it. It's still not a particularly important account to me, but just to secure it anyway, I immediately add a recovery phone number and enable 2-step verification.
After making sure all the security settings are in order, I take a peek at Gmail:
This was an alt Gmail account I used for places I knew I wouldn't use but which still required registration, or for places that looked sketchy. There were thousands of unread emails (newsletters, regular updates and the like), but all of it was gone once I logged back in.
I'm guessing the attacker saw that password change email, panicked, and decided to send those three "BALDERA" emails since they knew the jig was up.
I did some digging around and Google has a form to recover deleted emails, so I filled that out to figure out which accounts were issued password resets. Since then, I've changed passwords and verified there was no other malicious activity on the Gmail and Twitter accounts. I deleted the Dropbox account, which was completely unused, and nothing seems to have happened to the three alt TERA accounts. I'm not even going to bother touching the Newgrounds account, and Discord won't do anything with the compromised account, which is fine because I just made a new one and invited it to my Discord again.
That about wraps up this chapter as well, but it was interesting to experience first-hand what that kind of cyberattack is like. Everything I've detailed above was pieced back together using a log of Google searches and the recovered emails on the compromised account.
As I said before, the Gmail account was intended to be a sort of fodder account, so it had an extremely weak, reused password with minimal extra security. The loss of the Discord account was just about the worst that happened with it, but I don't think there was anything else important on there.
My main accounts use strong passwords and two-factor authentication, and my main Gmail, Dropbox, Discord, etc. remain untouched. I might even move the Discord bot to my main Gmail, just because there's plenty of potential for very bad things if that gets compromised again.
The only thing that eludes me is how the attacker knew of that email address since I couldn't recall posting it anywhere. I could only think of one related place where it was used, and that was to register a test Moongourd account to see what the site was like before I registered with my main account.
While pondering it, I noticed emails about an old GitHub repository I contributed to under the alt email account, and I remembered that meishuu was an alt GitHub account which subsequently became my main account and was linked with my main email instead. So I'm guessing they noticed I had used this alt email on meishuu at some point.
The Gmail password is extremely easy to brute force, although Have I Been Pwned? says the account was in the Nexus Mods breach. I probably used the same password there too. Who knows?
But at the end of the day, the main takeaway is just to practice good computer security. Don't let something like this happen to you on an account that has all your sensitive information on it. Even though there wasn't much lost for me, it was still an eye-opening hour in an otherwise sleepless night. I'm glad I was awake to ward it off before it got too bad.
Aftermath
All of that covers about a 12-hour period where an average day for me turned into a rollercoaster of events. After all this, there's been a brief spike in people messaging me for tera-proxy help. Sorry, but I know absolutely nothing about any of the other regions, so I can't help with EU, TW, etc., and if you don't know how to set up tera-proxy and install rapid-fire by yourself, I'm currently not offering support unless I know you.
The GUI is still next on my plate, and after (or maybe even during) that, I'd like to have a go at my own meter and site. I've had plenty of ideas, both new features to add as well as criticisms with how old and current meters and parse archives do things, so it's just down to a matter of setting aside time to do it.
In the meantime? I just want to play the game with friends and enjoy the rest of my holiday season. Aiming for an Ambush bow and maybe doing HH on my mystic, but CH is a sad place for HH. (Though on that note, if anyone wants to RP, hit me up!)
There's been some talk of what EME/BHS might do in the future, and honestly? I'll deal with that when we get there.
That's all for now. Thanks for everyone's support; I'm sorry it's taking me so long to work on these things, but now we've seen what happens when it goes full public. Just remember to have fun, enjoy the rest of the year, and try not to get too mad about video games.
Peace.