OfficeHours:ProbablePrime:2021-11-23

From Neos Wiki

Prime Time, ProbablePrime's Weekly office hours for Questions, Tutorials and Documentation and anything else that doesn't really fit.

Here are the notes from November 23rd 2021

These are rough notes typed by ProbablePrime. If there are errors please edit away!

Summary

Please do remember to check our Roadmaps as a lot of questions here are partially covered there. Do continue to ask them but the roadmaps are there for you to read:

Discussion about the Roadmap

Before and at the start of the office hours we had a small discussion about the roadmap. In the discussion users brought up some excellent feedback:

  1. The roadmap isn't updated a lot
  2. Users in-game can't or don't want to look at the roadmap
  3. GitHub is confusing for new users

This feedback is valid and understood. To provide some notes here's a response on each item above.

For 1, we understand how it might look this way, but do note that we update it as soon as we can. If you see an item in a column then it means that's what's happening. For example, at the time of this session Neosine was listed as "implementing" and that's exactly the state of Neosine. We're working on it. If we have updates, we'll talk about them and make changes to the roadmap.

We understand that this might be frustrating as there doesn't seem to be any progress but just know that the whole team is working on improving Neos and working on the items on the roadmap every single day.

For 2 & 3, we also understand. We have some items on our roadmap to surface these items in a better way. Until these are made we'll need you to use the GitHub and we understand that's a problem for some users. Unfortunately, stopping and making an in-game representation of our roadmap actually harms our roadmap by taking time away from other items. Once we can get onto these items we'll have a better display of these things in the game for you.

It's a bit like a Chicken and Egg problem. We need eggs (time to develop tooling) to get Chickens (Roadmaps in game), but to get that we need to work on it, so we've bought a Chicken from the store (GitHub) so that we have something to communicate with you, the Community.

Stand by and remember to check the GitHub Roadmap. We really are working as hard as we can!

Security Reporting Stuff

Following on from this we had a discussion about the security policy that also prompted some questions:

rampa_3: I bet people are scared that we are as big corpos - no one listening and then getting punished, or outright getting punished... Is it that hard to understand that Neos is community focused?

sls Q: can we get in trouble for violating the standard terms of service for the express intent of reporting security issues. ex: attaching decompiled code and explaining what the issue is in a security report.

sls Q: what is the neos team's stance on us attaching reasonable disclosure policies to our security reports?

To answer basically all of these at the same time:

Our security policy exists to provide you the community with a way to report security issues properly. Provided it is followed we won't be applying account restrictions to you. The only time we apply account restrictions for security issues is when the policy is not followed.

Provided the security policy is followed you won't have account restrictions. All account restrictions are reviewed and audited by multiple team members.

Specifically on reasonable disclosure, we don't really have a policy regarding this at the moment. Our policy talks about your ability to disclose the issue once it is published and please respect that.

Reasonable disclosure, however, is usually a discussion between the service and the reporter. Please include your request inside the security report and we can discuss it. If you fail to discuss it with us and talk about an issue too early without an agreement in place, you might have account restrictions placed upon yourself, as this goes against the policy.

Once an issue is resolved and a build has been released, you're free to talk about it wherever you'd like.

Just to reiterate, WE WILL NOT ban you for finding or reporting exploits. It's how you act once you have found one that determines what happens.

I do admit we've had some issues in the past with this area but they are now resolved. Any further rumour about this area is worrying and we'd like to hear about it. Consider filling in our anonymous feedback form with some details. Feel free to Direct Message me with any questions too. I'm happy to chat 1:1.

Earthmark: With the rise of impersonations and scams, are there concerns of in game exploits being crafted? It seems like they're doing classical exploits so far, but are there any plans for if attacks get more neos specific?

We have alerting and monitoring set up for our cloud-based services and are constantly evaluating any issues that arise. I don't consider any software to be 100% secure so I do imagine issues will crop up at some point and we'll do our best to handle them.

Some users have asked us to have an official audit performed by a security company and this is something we're considering but that has not so far been carried out.

On all of our services we use secure connections and protocols with access controls and safeties in place.

If you find any issues please report them following the security policy.

General Security Stuff

Following on from this we then had a general discussion about other security stuff and in particular Neos account security etc. A disclaimer here must be made that my notes are up to date as of the time of release but that you should always do your own research.

I made it clear that 2FA was super important and to set it up on your Neos account. Seriously set it up!

I also spoke about other security keys such as YubiKeys and FIDO keys etc. (there's a lot of abbreviations here)... don't quote me... which led to:

Max: Q: Possible as a merch we can ask for a Security key for neosvr

  • I don't think we should sell anything security related as merch or whatever. Go to the source, the company that makes them. These keys are really secure and I don't want to have any doubts.

Oh and: Zari Tenjin: on the 2FA I've had it happen before that a physical key died a watery death, what would be the way to recover an account once physical 2FA is lost?

  • we don't have any official guidance here.
  • I do have an opinion though, which is: if you don't have your backup codes you should lose your account.
  • backup codes are codes given to you during 2FA setup and you need to save them. YOU NEED TO SAVE THEM. IF YOU DON'T SAVE THEM I WILL SEND YOU AN ANGRY CAT GIF
  • On a serious note though, it's common to provide account recovery using what are called "ties" which are basically items of proof about your account.
  • The more ties you have the more you can recover your account. In the real world this usually is something like:
    • A phone number
    • An address or letter
    • Secret details such as questions
    • Physical validation... you go to the company and speak to them
    • Etc. Things like that
  • It's likely we'll come up with some regular stuff to do as a policy soon but for now SAVE YOUR BACKUP CODESSSSS!!!!!!!!!!!!!!!!!!!
  • SAVE THEM!

Questions

Then regular questions:

Rucio: Q: Evening, not sure if this was resolved in another chat but in September there was a Patreon message, I believe it was sent on the 14th informing the NCR reward being halved, however it's nearing the end of the month and I don't think a Patreon message has gone out. Will NCR changes for Patreon reward be communicated through Patreon and will this be the standard moving forward?

  • Message should hit tomorrow. I apologize for the delay.

sls: as of late I've had a number of anonymous users violating harassment guidelines in my sessions, is there anything more I can do than kicking/banning them from my session?

  • you're empowered to ban and kick people for whichever reason you'd like.
  • You can also set your world to "Registered Users" which prevents unregistered users from joining your session.

AlphaWOLF: I just came across this awesome project recently and the European Union as a backer really interested me. Is there anything else you can say about this or are you under NDAs? Thank you ser, absolutely love everything you're doing with this especially the medical aspect

  • I can't really speak about this that much, it was a long time ago and I'm not sure if we're still in active communication with the EU.
  • Do remember this is the European Regional development fund and not the literal EU.
  • You can probably learn more about the fund via Google.

RaviidDidsdale: Is banning via discrimination taken into account?

  • I raised this up to the moderation team for an official answer.
  • For now, please follow all other guidelines but feel free to police your own session how you'd like provided you are following those.

rampa_3: Oh... I just have an idea! I saw more and more people asking for mac support. Was at least screen port debated?

  • I'm not sure but please make a GitHub issue.

Stefleff: Is there a way to interact with components generally with LogiX? As far as I know the only nodes there are are "set/get components enabled". For example are there ways to add/remove any component (with a data type) or get the slot a component is in?

  • This requires a feature called component access. It's on our roadmap but not yet implemented.

sls: are we allowed to use the unity sdk to build neos for other platforms eg xbox, mac, etc

  • This isn't recommended as it's probably gonna break.
  • Follow all guidelines and have fun. But seriously, it's gonna break.