Atlas Defense Industries Exploited RSI Database and are liars

Montoya

Administrator
Staff member
Oct 31, 2013
10,053
55,493
3,180
RSI Handle
Montoya
There is a huge shit storm around this topic.

ADI Atlas Defense Industries lies to their own members and thinks everybody is stupid.

They spam out invites using a bot and insist they are not doing it, even though the actual guy who wrote them the script told us himself! lol

Please do not link this post anywhere externally, there is no reason to broadcast this outside of these forums.

(I should just preface the whole thing by saying I am coming into this as a 100% neutral party. I have never spoken to anybody from Atlas, I have no hard feelings, anger or any kind of fetish where I like to see people get upset. I just want to set the record straight because now they are saying we are liars.)

Let's begin, Atlas put out a big letter denying everything:

We’ve largely ignored baseless and false accusations against Atlas Defense Industries (ADI - www.adicklan.com) in hopes that the attempts at causing drama and meta-gaming would blow over so that we could get back to the hard work of running the largest and most active exclusive organization within the Star Citizen community.

We’d like to thank all 1300+ members of Atlas Defense Industries for standing by the organization for the last week while the organization has been assaulted with false, unfounded accusations without a shred of proof of wrong doing given to justify their allegations.

We want to be clear in our statement that these allegations made against us are not true in any way, shape, or form.
  • We’ve never accessed a database at CIG.
  • We’ve never used an API to query a database at CIG looking for newly registered users.
  • We’ve never visited an URL (web page) that has a list of recently registered users at CIG.
  • We don’t have a program that automatically sends invites to new RSI members.
At no time has any member of ADI been contacted by CIG and been asked about our recruitment process. It’s our understanding that the offending exploit has been resolved; this fix has had no impact on our recruiting process. We’re still doing the exact same thing today as we were doing last week and last month.

Like the rest of the Star Citizen community the first we heard about this issue was via a Reddit post. We were shocked like all of you that such an exploit existed, and happy to hear that this issue has been resolved by the great team at CIG.

We understand that our growth and success in recruiting some of the best and brightest members in the Star Citizen community has caused concerns with some other organizations. So while not going into a lot of detail on our exact methods, we’d like to clear the air on why we’re able to recruit so many new members.
  • Being the 6th largest organization (in actual members) in the game, we take pride in being very active within the community. It’s not unusual for us to remain in the top 6 most active orgs 24/7 for days at a time, often in one of the top 3 positions.
  • We have a very simple rule set, and quickly remove folks that aren’t a good fit. We’re told this is a very attractive aspect of our organization.
    • Don’t be a jerk
    • Don’t cause drama
    • Real life always comes first!
  • Our mumble server is always busy, often with 90-110 members chatting, playing different games, and having a good time.
  • Growth at this stage in the game is a key part of our operations plan. Therefore we prioritize recruiting of new members at all levels of our organization. All leadership positions spend time each week recruiting new members. All new staff must spend time as a recruiter before moving into a leadership position within the organization. We feel quality is just as important as quantity to be successful in the PU.
  • We realize our culture isn’t for everybody, so we want to make sure it’s a good fit for all of our members. We don’t take just anybody into the organization, we currently reject well over 30% of applicants. We also have a one on one meeting with each prospective member in our mumble server to make sure they’re a good fit for ADI, and we’re a good fit for them.
  • We also use a number of methods to help meet new members of the Star Citizen community, and invite them to meet us to see if they’d be a good fit for ADI. Since all of our leadership and staff positions involve some recruiting each week, we have a lot of contact with new members. Here are some interesting facts about our recruiting program.
    • We don’t send a lot of invites, averaging only 16 per day over the lifetime of the organization.
    • The live support chat on our website helps us interact with potential new members quickly and easy. As soon as a new visitor comes to the website, one of our recruiters opens up a chat session with them; this has helped our growth since we can quickly interact with interested prospective new members.
    • We’re constantly looking at the RSI forums for prospective new members. We prefer to contact people privately instead of posting massive walls of information over and over again on every post.
    • We have a small recruiter tool that helps us keep track of who has been contacted, and by whom. We use this tool to keep from contacting a prospective member more than once, saving us both time, and from annoying the prospective member in the process.
    • All invites and private messages sent by ADI recruiters and staff are generated by hand. This is only after they’ve reviewed the prospective members’ dossier, and forum posts to make sure there are no red flags. This would prevent them from being a good fit within our organization.
    • We don’t waste time sending invites to people who are already members of another organization. If they want to quit their current org and join us, they’ll find us.
We realize our success in recruiting new members has raised questions throughout the community. Many cannot understand how we’re able to recruit so many new members each week. It’s easy to assume that we must have access to information that is inaccessible to other organizations.

Nothing could be further from the truth; everything we use is publicly available information that every organization has access to. We don’t access anything other than the standard forum interface or citizen dossier.

The real reason we are successful is nothing more than a lot of hard work. ADI staff spend more than 200 hours each week looking for and recruiting prospective new members.

We look forward to seeing everybody in the ‘verse!

We will have no further comment on the matter, and considered it closed.
Basically that letter means that Citizen404 is a big fat liar.

Citizen404 is the most pure, innocent and milky, smooth skinned person I know. He has no reason to lie about something like this.

I spoke with him early today and asked if he is 100% positive that this was the method and that there is absolutely no other way Atlas could get 90 main members per week, a feat not even XPLOR could pull.

He says with 100% certainty that there is no way to access this kind of information other than what I will demonstrate below.

Ladies and Gentlemen of the jury I will now proceed to prove, without the shadow of a doubt that Atlas has been using this exploit for months.
 

Montoya

Administrator
Staff member
Oct 31, 2013
10,053
55,493
3,180
RSI Handle
Montoya
We’ve never accessed a database at CIG.
TRUE!

We’ve never used an API to query a database at CIG looking for newly registered users.
FALSE!

(See below)

We’ve never visited an URL (web page) that has a list of recently registered users at CIG.
FALSE!

But to be accurate, it's not a page with a list of recently registered users, it's the output text of a JSON call with a single new user. Example will be shown below.

We don’t have a program that automatically sends invites to new RSI members.
POSSIBLY TRUE, you do not need a script to do this, it can be done manually. A script that cut n pastes a name from a list into the invite window is not magical or tough to make, this is not really an issue.

Let me stop here for a second and say that if there is another way to do what I am showing you, then the final outcome is still the same, regardless of how the goal was achieved.

And now for the evidence:

If you go and look at Atlas' most recent members, the majority of them have something in common. They have zero posts, and are brand new to the RSI forums.

I went and took a look at the five most recent arrivals, three of the five fit the profile:



The image above shows you that these members have never posted on RSI before. Zero comments, zero discussions.

The way the invite system works on RSI is that you need to have a username to enter into the invite list.

The only way to get a username is if the person has posted on the RSI forums or if they are in live chat and you approached them and said "Hey there! Come join my org!"

Let us rule out the latter because it would be impossible to recruit these kinds of numbers through RSI live chat, it's statistically impossible. We know, we tried in our early days.

The only remaining way to get an invite out is if the invite sender had some way of getting your username!

This is where Citizen404 comes in and what triggered his investigation which led to this most exciting of dramas!

Back in Sept of last year, Citizen404, in all his cunning, created an alt named Citizen406. That alt sat idle, never posted on the forums, never used. He logged into his Citizen406 account some time in Feb to buy a ship for that account. Very shortly after he did that, he got an invitation.



How is it possible to get an invite if you have never posted, never been on RSI live chat, never done anything that could result in your username ending up on an invite list?

Just to prove this is not a photoshop, here is a webarchive showing zero activity, zero posts:

https://web.archive.org/web/20150513185013/https://forums.robertsspaceindustries.com/profile/Citizen406

Being up for a challenge, Citizen404 decided to try to figure out how the hell somebody managed to find his very secret username.

The normal forward facing APIs do not do it.

A webscrape of the forums could not do it.

There is no cache, no record, no google search that could do it.

After many hours of eating kimchi and drinking warm beer, he found the answer!
 
Last edited by a moderator:

Montoya

Administrator
Staff member
Oct 31, 2013
10,053
55,493
3,180
RSI Handle
Montoya
CIG has since blocked the hole, you can no longer use this method so I feel I can post this, but just to play it safe, I will block the URL.

To be very clear, this is not a hack and no sensitive information is being exposed. All you get to see is some very basic information, but most important to us the username.

(May 17th update: Turns out there is another way to do this without using the JSON call, it is similar enough, results are the same)

Here I have a screenshot of what the output looks like, taken from some random site I found that uses the Vanilla Forum platform.

THIS IS NOT RSI!

RSI HAS BLOCKED THIS METHOD!



So what does this show me?

It's fairly simple, and rather ingenious!

UserID is consecutive, meaning if you join RSI right now, you get a number somewhere around 450000.

All you need to do to find the most recent person joining RSI is to put in the most recent number, and out pops the person's username along with information such as the date when they were last active.

This is how the magic happens.

If somebody wanted to send invites out to high numbered accounts that have been active recently, it would be a simple matter of writing a script to pull those fields and spit out a list of names.

Since Citizen406 logged in to add a ship to his account, the "DateLastActive" field would have been within the desired date range of the script. The name gets identified and off it goes to be added to the list of invites.

If there is another explanation of how hundreds of newly registered, zero post, zero comment members who have never been active on the forums all end up with the same org, then I am interested in hearing about it.

In conclusion, as far as we know, this is the one and only way to collect a username that has no activity.

If I am wrong about anything written in these posts, then I ask for your forgiveness and will gladly publicly apologize for the mess that Citizen404 has caused. I am simply showing evidence to back the arguments made by Citizen404.

TEST, let this be the last topic on this subject.

As an org leader, I know all too well the stress and frustration that events like these can bring, so let's put this nonsense behind us and help Atlas move along and become the great org they want to be!

All spelling mistakes are intentional.
 
Last edited:
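
The lookup pattern described in the post above (consecutive UserID values fed one after another to a JSON call) leaves a recognisable trace in web server logs. The following is an added example, not part of the original post and not RSI or Vanilla code: a log check that flags clients requesting runs of consecutive IDs. The log format, the `/user.json?UserID=` path and all sample lines are constructed assumptions, since the post withholds the real URL.

```python
import re
from collections import defaultdict

# Assumed log format and endpoint: the post withholds the real URL, so
# /user.json?UserID=N is a placeholder and every log line is constructed.
LINE_RE = re.compile(
    r'^(\S+) \[[^\]]*\] "GET /user\.json\?UserID=(\d+) HTTP/1\.1" 200$')


def _line(ip, second, user_id):
    return (f'{ip} [17/May/2015:10:00:{second:02d}] '
            f'"GET /user.json?UserID={user_id} HTTP/1.1" 200')


SAMPLE_LOG = "\n".join(
    # One client stepping through eight consecutive, recently issued IDs.
    [_line("203.0.113.7", s, 449990 + s) for s in range(8)]
    # One client viewing two unrelated profiles, one of them twice.
    + [_line("198.51.100.20", s, u) for s, u in enumerate([12345, 300112, 12345])]
    # One client with several lookups, none of them adjacent.
    + [_line("192.0.2.55", s, u)
       for s, u in enumerate([100, 2500, 40000, 41000, 449000])]
)


def find_id_walkers(log_text, min_ids=5, min_run=4):
    """Map each client that requested at least min_ids distinct UserIDs,
    with min_run or more of them consecutive, to its longest such run."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ids_by_client[match.group(1)].add(int(match.group(2)))

    flagged = {}
    for client, ids in ids_by_client.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = longest
    return flagged


if __name__ == "__main__":
    for client, run in find_id_walkers(SAMPLE_LOG).items():
        print(f"{client}: {run} consecutive UserIDs requested")
```

The thresholds are illustrative and would need tuning against normal traffic; a client that spreads its requests across many addresses would need the same run check keyed on something other than the source IP.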

NKato

Grand Admiral
Apr 25, 2014
1,202
1,207
960
RSI Handle
NKato
Waiting for the next two posts to be filled in before I comment.

And that's the end of it, gentlemen. If ADI tries to rebut our case - which is rather well laid out - don't bother responding, guys.
 
Last edited:
  • Like
Reactions: Pendali

AntiSqueaker

Space Marshal
Apr 23, 2014
2,157
5,559
2,920
RSI Handle
Anti-Squeaker
ANGRY AT ADI?

WANT TO JOIN THE ANGRY MOB?

I'VE GOT YOU COVERED!

COME ON DOWN TO ANTISQUEAKER'S PITCHFORK EMPORIUM!

I GOT 'EM ALL!

Traditional

---E

Left Handed

3---

Fancy

---{

I EVEN HAVE DISCOUNTED CLEARANCE FORKS!

---F

---L

---e

NEW IN STOCK. DIRECTLY FROM LICHTENSTEIN. EUROPEAN MODELS!

---€

---£

TORCHES NOW BOGO!

COME ONE COME ALL, DON'T GET LEFT BEHIND!
 

JaqHass

Captain
Donor
Apr 17, 2015
48
47
260
RSI Handle
JaqHass
Drama is just a waste of energy.
Don't you dare turn your back again Montoya! Or I will sit on your picture!
 

Black Sunder

Rock Raiders
Officer
Jun 19, 2014
8,270
26,834
3,045
RSI Handle
Black_Sunder
ANGRY AT ADI?

WANT TO JOIN THE ANGRY MOB?

I'VE GOT YOU COVERED!

COME ON DOWN TO ANTISQUEAKER'S PITCHFORK EMPORIUM!

I GOT 'EM ALL!

Traditional

---E

Left Handed

3---

Fancy

---{

I EVEN HAVE DISCOUNTED CLEARANCE FORKS!

---F

---L

---e

NEW IN STOCK. DIRECTLY FROM LICHTENSTEIN. EUROPEAN MODELS!

---€

---£

TORCHES NOW BOGO!

COME ONE COME ALL, DON'T GET LEFT BEHIND!
I require a pitchfork with built-in storm bolter. Please have it ready when I come to pick it up.
 
  • Like
Reactions: Jhonon1

SeungRyul

Spreader of Truth / Master of Hamsters
Staff member
Donor
Oct 30, 2013
2,341
5,156
2,930
RSI Handle
Citizen404


Just accepted the invite and said hello :) Too bad entire chat was dead.
 
  • Like
Reactions: JBWill

NKato

Grand Admiral
Apr 25, 2014
1,202
1,207
960
RSI Handle
NKato
Ok so we're now using to logic and reason, I knew this day would come.

We don't like being called liars. :) They were the ones who decided to go this far to "categorically" deny everything and imply that we're lying for our own benefit.
 

SeungRyul

Spreader of Truth / Master of Hamsters
Staff member
Donor
Oct 30, 2013
2,341
5,156
2,930
RSI Handle
Citizen404
I stand with Citizen404!

I want to say though that we're winning this little skirmish fairly easily. I only wish Goons and Imperium were here with us to play with these guys.
The goons were very helpful in the early days of research by suggesting it was nothing more than the fan-made api sites which although they can't pull the specific info in this case got me thinking about unsecured api calls. Imperium members have been cheering us on from the sidelines :P
 