This is going to be a long one… I apologize in advance. Some of you who follow me on Twitter saw some of my recent retweets, specifically this one…
Please see our latest news post at http://t.co/bFQGzVdSHl regarding recent issues regarding access tokens and alleged stealing of them
— ATLauncher (@ATLauncher) April 29, 2014
So what the heck does this mean and why does it tick some people off?
Earlier today we saw some tweets from the Mojang AB staff…
Reminder! ONLY enter username/passwords in the OFFICIAL Minecraft launcher! A number of other launchers are stealing login tokens 🙁
— Jens Bergensten (@jeb_) April 29, 2014
Remember tweetlings, custom launchers can (and some do, without you knowing) secretly steal info to log in as you whenever they want.
— Nathan Adams (@Dinnerbone) April 29, 2014
They were specifically referring to ATLauncher and how it handles Minecraft’s user authentication system. To be honest and upfront as possible, I have been aware of what the Astocky Team was doing in order to secure their launcher and based on my own dealings with them as well as looking at how the launcher itself works I’ve never personally had an issue with this. If you don’t feel like reading RyanTheAlmighty’s post is boils down to this: In order to prevent cracked/illegal logins (i.e. – pirates/hackers), Mojang uses a token system. When you log into the launcher, it sends your username and password and Mojang sends a token back to be used by Minecraft for various things, such as to log into multiplayer servers (which also authenticate it with Mojang if they’re in online mode). ATLauncher went a step further and double checked the token prior to allowing a user to login via their launcher, so the token would get forwarded to their server which would then double check it as well. That’s where the drama steps in.
Astocky Team has been a very great team in putting together a launcher that allows custom packs. They have been committed from the beginning in making sure every pack which uses their launcher has proper permissions for their mods and maintains a visible list of those permissions. They have also been committed to keeping non-customers (i.e. hackers and pirates, again) out of their ecosystem to both prevent potential abuse as well as to keep their own operating cost down. Right now, ATLauncher has a very impressive CDN behind it; this is not a cheap thing to maintain (rather, to keep the response time and flexibility that we enjoy is not cheap).
I felt, and and still do feel, that Astocky Team was right in what they did. They claim they never held on to the authentication tokens beyond their checking of them and I’m very much inclined to believe them. They made a decision, a decision that I honestly would of made too, to try and keep their costs down as well as promote a decent community. I also feel that once again Mojang has handled this in the absolute worst way possible… e-mail, IRC, Skype, etc. all exist so these things can be handled behind the scenes without causing drama. Maybe Mojang could have worked with Astocky Team as well as FTB, Technic, and many others to establish another layer of authentication and prevent such an accusation from being made. Instead, once again, Mojang’s developers decided to throw some lighter fluid into the already volatile mod community (it seems only a short time ago we had Jeb saying Let’s Plays were technically property of Mojang so they could dictate what happened in them; only some quick intervention from Notch keeping from turning into a nuclear war…).
Does this mean anything specifically for us? I can’t say. For me, personally, I find it increasingly hard to support a game whose developers seem to be hostile regarding the community I happen to enjoy being a part of. I like the people, I like most of the developers, and I’ve had a blast. There’s a lot happening in my life these days and maybe I would benefit from taking a step back. To be completely honest, I’m probably overdue for it but the decision itself should probably wait a few days (my grandmother died on Friday, so needless to say my decision making process for something like this is a little… skewed).
If I do decide to take a step back, I will talk it over with the other admin. What happens after that… I don’t know. We’ll either chose someone to keep maintaining the pack, just keep the server humming along where it is, or maybe call it a good game.