AAL545 wrote in Tue May 07, 2019 5:08 pm: It seems that someone has enough knowledge of the MP infrastructure or has spent enough time to learn it for malicious purposes, sad!!!!
It doesn't take a lot of knowledge. All you need to know is how to set your callsign, and that there is no authentication; virtually everyone who has ever been on FG MP at all knows enough to do this kind of thing. I know that more than a handful of people have a problem with Jomo, for better or worse, and while most of them just silently move on, I wouldn't be surprised to see one or two react more destructively.
AAL545 wrote in Tue May 07, 2019 5:08 pm: Then that is a system bug, it should be possible to set up that there is only one user name allowed, and only one call sign, if not then we can have a mess!!
It probably should, but the problem is that this requires a lot more infrastructure, effort, and ongoing maintenance than the current situation. Right now, FG itself just sends the callsign as a property like every other, and the MP server just accepts packets from anyone who connects. Easy. But if you want authentication, you need:
- An authentication database that stores and manages users, their credentials, their passwords, and their callsigns.
- A frontend to that database that people can use to sign up and manage their accounts.
- An API on top of that database that applications (including FG and the MP servers) can connect to, including some sort of login / session / token mechanism.
- An SMTP server, because none of this will work if you can't send mail.
- A mechanism for FG to log into the API and forward the token that proves the validity of the login to the MP server it connects to.
- A mechanism in the MP server software to receive that token, talk to the API to verify it, and reject traffic from unauthenticated users / callsigns.
- Some sort of moderation mechanism; the whole login system only makes sense if we can use it to kick out / block / shadowban / ... people who misbehave.
And to make all that happen, you will need:
- Someone to provide the infrastructure (servers, domain names, storage, bandwidth)
- Someone to actually build that software
- Someone to keep it running (perform server maintenance, keep an eye on monitoring and server logs)
- Someone to actually police the whole thing
None of this is impossible, but it's not a trivial effort, and not having it isn't so much a bug as it is a decision to not implement something for which the resources aren't available.
FG and its ecosystem are, by and large, open source, so that means things happen if and when someone steps forward and makes them happen, because they want them to happen badly enough to either do the work themselves, or pay someone to do it for them.
But there's another side to all this, which is that despite all the friction we've seen lately, a substantial number of people in the community are actually very happy with the "free for all" situation, and they will (rightfully) argue that more restrictive alternatives already exist: you can always run your own MP server, and putting some sort of authentication mechanism in front of that is perfectly possible (IIRC the OPRF folks do exactly this); and starting with the 2019.2 release, you can fly FG on VATSIM (I've tried it; there are a few rough edges still, but it works fine), where all of the above things, and then some, already exist in production-ready, battle-hardened quality. FG MP is chaotic, but that's not ONLY a bad thing.
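
The login, token and server-side check listed in the post above, as an added sketch that is not part of the original post and not FlightGear or MP server code. The names `AuthAPI` and `mp_server_accept`, the HMAC-signed token format and the in-process `verify` call (standing in for the network call from the MP server to the API) are all assumptions; the sign-up frontend and mail are left out.

```python
import base64, hashlib, hmac, json, os, time

class AuthAPI:
    """Hypothetical login service: each account owns exactly one callsign."""
    def __init__(self):
        self._key = os.urandom(32)   # token-signing key, never leaves the API
        self._users = {}             # user name -> (salt, password hash, callsign)
        self._banned = set()         # moderation: callsigns refused at verify time

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password, callsign):
        taken = any(cs == callsign for _, _, cs in self._users.values())
        if user in self._users or taken:
            return False             # user name and callsign must both be unique
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt), callsign)
        return True

    def login(self, user, password, ttl=3600):
        # Unknown users still cost one hash, so timing does not reveal who exists.
        salt, pw_hash, callsign = self._users.get(user, (b"\0" * 16, b"", None))
        if not hmac.compare_digest(pw_hash, self._hash(password, salt)):
            return None
        claims = {"cs": callsign, "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return (body + b"." + tag).decode()

    def ban(self, callsign):
        self._banned.add(callsign)

    def verify(self, token, now=None):
        """Return the callsign the token was issued for, or None."""
        try:
            body, tag = token.encode().split(b".")
            good = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
            if not hmac.compare_digest(tag, good):
                return None          # forged or altered token
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, AttributeError):
            return None              # malformed or missing token
        if claims["exp"] < (now or time.time()) or claims["cs"] in self._banned:
            return None              # expired, or blocked by a moderator
        return claims["cs"]

def mp_server_accept(api, packet_callsign, token):
    """MP server side: drop traffic whose callsign the API does not vouch for."""
    return token is not None and api.verify(token) == packet_callsign
```

Because the callsign is inside the signed token, a client holding a valid login for its own callsign still cannot send packets under someone else's.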