u/emmowo_dev

▲ 121 r/PhoenixSC

Something concerning I've found about the new P2P feature

The implementation of Friends/P2P is a bit of a mess under the hood, and it looks like it wasn't made willingly (or at the very least was forced to release early) by Mojang.

I'll talk about the non-technical points first, but this is the weakest evidence to use:

  • High Contrast does not have the correct graphics.
  • Edit: The art is unusually 'bad' for these buttons. This might be another point suggesting the potential rushed update.
  • Chat is broken, and somehow nobody tested it.
  • There were zero signs this was coming before it was shadowdropped, completely unlike Vulkan which was known to be coming before the snapshots.
  • It integrates Xbox into Java Edition's multiplayer, clearly setting a new precedent as for what is the 'microsoft' side of Minecraft.

And to clear something up, Microsoft itself does not listen to your connection, but it negotiates it for you with your friend(s). This doesn't really mean much since they have chat reporting and telemetry anyways.

However, I'm not sure if this is a problem with most VPNs nowadays, but WebRTC gives your IP address to everyone who is connected to you (and vice versa).

It used to be able to leak your actual (not tunneled) IP address if you were behind a VPN because of how the connections worked. Again, I don't know if this applies here or not anymore, but it could be more risky than connecting to a random Minecraft server.

Now for the code stuff! You don't have to read this part, but please don't make crazy assumptions if you don't understand what I'm saying, and I'm mainly just picking out some odd things they did:

First of all, the code itself reads like AI generated code for a Fabric mod instead of being consistent with Mojang's own naming of loggers. The new code for WebRTC manually adds the [P2P] prefix to the logger statements, which reads like the Fabric Loader/Api's usage of loggers.

The loggers also use unicode symbols. Why would you hunt down the unicode arrows instead of writing '->' unless you were making a CLI application? Not many people will bother to read the logs, and the other logger messages don't do this. I'm pretty sure not even the server CLI has any.

Internally these are just supposed to be the name of the thread, and I don't see a reason to make these messages even more unique.

What's even more strange is how [P2P] is not added to any of the actual 'p2p' code under the literal multiplayer.p2p package. Not even in the WebRTC code in the p2p package. It is only in the network.webrtc package, and oddly, the FriendJoinHandler class of p2p. I'm only really suspicious because of what Microsoft's AI policy is like.

Minecraft now has two 'Json RPC' listeners in the codebase which work completely differently. One (server) listens for requests to join using NIO and SSL, the client one is seemingly a raw http stream to one of two middle-man servers hosted at the (seemingly new?) domain minecraft-services.net. This is just odd in general.

Your session ID is sent there, so hopefully it's as secure as the main auth servers.

Finally, and the biggest part of all this, is that Xbox accounts were entirely unnecessary for this. XUIDs aren't used at all for joining people, so there really wasn't a point to using Xbox at all.

The system actually just operates off of player UUIDs, so this could've been done without Microsoft's involvement at all. This could've worked with even unmigrated Mojang accounts, or even offline accounts if Mojang didn't check for session ids.

Some Edits:

  • The style of code is apparently similar to how Bedrock Edition developers do things, which explains why it looked so 'off'. Whether or not that's because they use AI is something I'm not sure of.
  • Going off the RDAP records, this feature likely had work begun on it from about halfway between now and Chaos Cubed's announcement (Snapshot 3). It may have involved bedrock devs, but this makes the lack of XUID usage more confusing. The 'signalling server' is hosted on Azure.
  • minecraft-services.net is not a particularly new domain (2020), but seems to have only been put into real use now. Maybe it was used back then/today by Bedrock Edition?
  • Nothing else seems odd, so there may have been two teams working on this? It would make sense as I feel this update is a lot lower than the Java team's standard of quality. The only time I remember something being this poorly done on introduction was ironically chat reporting.
  • And again, the seemingly parallel development process that the RDAP (and honestly, sheer mass of changes) suggests further supports this. >!it would be really funny if the lack of content was being addressed by summoning Bedrock developers to deal with it!<

What they could've done (and honestly should have) is just create a 'world code' that someone can join freely, which would've been a lot better for hosting events.

But, we have to deal with this instead, which might have concerning implications given how some countries are hell-bent on restricting multiplayer access in games.

u/emmowo_dev — 22 hours ago
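
Added example, not part of the original post and not Mojang's code: the WebRTC point in the post above comes down to ICE candidates, the `a=candidate` lines peers exchange during connection setup, which carry addresses in plain text. This Python sketch parses constructed candidate lines (the addresses and the mDNS name are made up) and lists what the other side can read from them.

```python
import ipaddress

# Constructed sample: candidate lines as they appear in an SDP offer. Addresses
# are private or documentation ranges; the .local name is an mDNS-masked host.
SAMPLE_SDP = """\
v=0
a=candidate:1 1 udp 2122260223 192.168.1.23 54012 typ host
a=candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4c1a.local 54013 typ host
a=candidate:3 1 udp 1686052607 203.0.113.45 54012 typ srflx raddr 192.168.1.23 rport 54012
a=candidate:4 1 udp 41885439 198.51.100.7 61000 typ relay raddr 0.0.0.0 rport 0
"""

# What the connection address of each candidate type tells the remote peer.
EXPOSURE = {
    "host": "address of a local interface",
    "srflx": "public address as seen by the STUN server",
    "prflx": "public address as seen by the peer",
    "relay": "address of the TURN relay, not of the client",
}


def parse_candidate(line):
    """Parse one 'a=candidate:' line using the RFC 8839 field order."""
    fields = line.split()
    if len(fields) < 8 or not fields[0].startswith("a=candidate:") or fields[6] != "typ":
        return None
    extras = dict(zip(fields[8::2], fields[9::2]))
    return {"address": fields[4], "port": int(fields[5]),
            "type": fields[7], "raddr": extras.get("raddr")}


def literal_ip(value):
    """True for a literal IP other than 0.0.0.0 / :: (mDNS names return False)."""
    try:
        return not ipaddress.ip_address(value).is_unspecified
    except ValueError:
        return False


def exposed_addresses(sdp):
    """List (address, reason) pairs a remote peer can read from the SDP."""
    found = []
    for line in sdp.splitlines():
        cand = parse_candidate(line)
        if cand is None:
            continue
        if cand["type"] != "relay" and literal_ip(cand["address"]):
            found.append((cand["address"], EXPOSURE.get(cand["type"], "unknown type")))
        # raddr repeats the base address unless the stack blanks it out.
        if cand["raddr"] and literal_ip(cand["raddr"]):
            found.append((cand["raddr"], "related address of a %s candidate" % cand["type"]))
    return found
```

Only the relay candidate keeps the client's own addresses out of the exchange, and only when its `raddr` is blanked as in the sample.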

Google has disclosed several unique types of Vibecoded malware exploited in the wild.

Source: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access/

Google has confirmed AI is now being used to produce various types of malware targeting various (including open-source) applications. And that the process eliminates barriers "[...] that would previously have required significant manual effort."

In their own words, AI is making the production of malware significantly easier.

u/emmowo_dev — 2 days ago

lowk would anyone try this

I've genuinely had a fully functioning port of the modern Java Edition server to my Xbox 360 that I've done nothing with for over 3 months. It's a full lesbian 13 desktop system with the most horrific things i've ever made.

The disk activity would fry the OS usb in a literal day but it would be funny to host a temporary public tunnel for it until it nukes itself. I have 3 useless usbs and my exploit+rootfs iso so I could do this for a while.

lmk if this sounds interesting, expect it to be unplayable if you aren't roughly located near asia bc of some memory 'optimizations' i'll have to make which will increase lag

u/emmowo_dev — 2 days ago

0.0005% there!

will probably delete but >!we are officially 1/2000th the size of ftb!!<

this means literally nothing, idk why i drew this as a gif

u/emmowo_dev — 3 days ago

what is this and how do i get rid of it?!?!?!

does a potion of regeneration help me forget?

u/emmowo_dev — 4 days ago

Ask questions about this!

Since we have a couple hundred members already, you guys might want more clarification on some stuff (like what's allowed), so lmk if you have any questions. There might not be much to ask considering the point of this sub tho.

u/emmowo_dev — 4 days ago

Item quality mod concept

I saw that there was no item qualities mod for 1.21.1 (i think?) so I threw together this idea.

Ignore the dumb damage speed value (although it's kinda not too unbalanced since it's got the invuln delay)

basically all the code is in place to make it a real mod but idk if I actually want to finish it off (creating all the tiers, balancing, etc) or not.

u/emmowo_dev — 4 days ago
▲ 610 r/beastthefeed+1 crossposts

r/feedthebeast is now actively removing comments pointing out AI

I'm not yet sure what posts are allowed or not on this sub, if this post isn't, feel free to remove it, posting it just in case somebody wanted another reason to hate it

The comment that was removed here was not toxic, nor inflammatory, the comment was being disappointed that the icon was ai generated. If it was toxic, then it would be a BIG stretch to call it that. Sadly I don't have a screenshot of that comment, but here's the reply to it. Notice no automod reply stating the reason.

By doing so, they not only removed the comment that wasn't breaking the rules, they have also practically suppressed a reply pointing out that its ambiguity meant that it could also be fully AI generated.

In other news, grass is green and sky is blue.

u/TOOOPT_ — 4 days ago

Hi guys!

I don't actually want (or even know how) to be a reddit mod, so I kinda need ur help here 💀

But if this does actually become a thing, I want to focus more on actual human content, so that means AI use is discouraged (but not entirely banned). My ideas are:

- let people make project posts once a day (since everyone ignores that rule tbh)

- draw lines in the sand immediately instead of having to get everyone arguing

- let memes be kinda allowed (not really trying to mess with r/feedthememes). Maybe only memes of a specific kind?

u/emmowo_dev — 5 days ago
▲ 411 r/beastthefeed+1 crossposts

how the AI mod malware situation makes me feel

posting here bc idk if I'll get banned under the main sub's new rules

To explain the situation rq, there is a growing AI spam (and now malware) problem that I'm pretty sure most of the community is massively against, but nothing is being done for.

This is because the moderator of the sub is pretending that everyone wants a blanket ban on AI, even though they've acknowledged my post, which just asks that AI is properly disclosed among a few other important things.

not only is r/feedthebeast becoming more filled with AI slop, but the scope of these mods is getting to the point where some were literally injecting arbitrary DLLs into a management process to edit your game's memory.

And while I got Modrinth to ban this mod in the end, 600+ people still downloaded that mod, and the ones who talked about it had their worlds irreversibly corrupted by it.

So...

My warning is basically this:

There was never a guarantee that a mod was actually safe to run before, but now the amount of mods which break things, or even act like malware is increasing drastically. Please be careful downloading mods from people who seem off, or at least wait for a depressed girly to go decompile it for you.

u/emmowo_dev — 5 days ago
▲ 579 r/ModdedMinecraft+1 crossposts

The other AI content ban post seemed to die out, and I wanted to add to the conversation after decompiling a seemingly generic AI generated mod that quickly turned out to be one of TWO mods which injected DLLs into the JVM in order to seize control and run the game as... they(?) intended it.

The arbitrary program ran as a remote process, and quite literally force unloaded any class that touched their mod's stuff (unless it had a package that matched a 'whitelist' prefix), which inevitably corrupted people's worlds whenever a disallowed mod tried to get involved.

Their wording also made it sound like this was an optional 'feature', when it was copied out, and then actually loaded internally from the jar itself, not dissimilar to an actual trojan. And this made its way onto Modrinth.

Whether this was harmful in and of itself is subjective. What it actually did was something no developer would ever want to do. ACE is a massive security vulnerability, and writing native Windows x86 code for a mod defies the purpose of Java to begin with. There are like 5 mods which can justify doing any of this, but the AI was just told to stop all attempts to modify the mod's behavior, and so it did.

And even earlier, there was a vibecoded 'minecraft wrapped' mod which was poorly designed and leaked user information all the while only using HTTP even for things like session IDs. This mod seems to have been taken down/rejected by Modrinth, though.

What I'm trying to say is that vibecoding makes people very confident in their abilities to make a mod, without understanding what they're actually doing. If people want to share it with their friends, they can, but AI generated mods introduce a huge security and mod compatibility risk.

AI will very likely take the path that all the online examples follow, which is exactly what can make it so dangerous. HTTP is fine when it's just generic information. It is not fine if you go to somewhere (hotels, schools, etc) with shared wifi and handle personal information insecurely.

I am saying this to express what I think should be done here:

- Posts that make use of AI, or that are AI-translated should be flaired for clarity. Some developers use AI and I'm fine with that as long as they can understand their own code.

- mod posts should be put under increased scrutiny in some way, because of the much larger risk of damaging someone's worlds, or worse, computer. Fully AI mod posts (description is ai for no reason), or mods that show obvious signs of complete vibecoding should be taken down.

- mod posts might be better off also linking to source code, although this can be used misleadingly.

The lengths these AI mods are increasingly going towards are getting incredibly concerning, and it's only a matter of time before someone with actual malicious intent realizes they can just ask AI to write some niche malware, post here, and infect actual people.

I worry that we never learned from the Fractureiser malware incident 3 years ago.

EDIT: I'm noticing many people saying that this is a cybersecurity issue instead of an AI one. It is absolutely both. Yes, content moderation systems have flaws right now, but AI not only increases the workload of reviews required by staff, it also lowers the knowledge requirements to write malware down to basically zero. There are automated systems to check hashes of known malware, but with AI you can make unique malware constantly without having to rely on any developer.

The reduced capacity for moderation, alongside the proliferation of tools to effortlessly make malware is the actual danger.

u/emmowo_dev — 8 days ago
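
Added example, not from the original post and not Modrinth's tooling: a first-pass triage of a mod jar for the two behaviours the post above describes, native binaries bundled inside the jar and cleartext `http://` endpoints in class files. It matches on content rather than on hashes of known samples; the sample jar, its entry names and the URL are constructed.

```python
import io
import re
import zipfile

# Leading bytes of native executables: extensions can be renamed, magic cannot.
NATIVE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF", b"\xcf\xfa\xed\xfe": "Mach-O"}
NATIVE_EXT = (".dll", ".exe", ".so", ".dylib")
# ASCII strings sit unencoded in a .class constant pool, so a byte regex finds them.
CLEARTEXT_URL = re.compile(rb"http://[\x21-\x7e]{4,200}")
# JDK names seen in classes that start a process or call loadLibrary (not exhaustive).
LOADER_HINTS = (b"java/lang/ProcessBuilder", b"loadLibrary")


def triage_jar(data):
    """Return (kind, entry, detail) findings for a jar given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            name, body = info.filename, jar.read(info)
            for magic, kind in NATIVE_MAGIC.items():
                if body.startswith(magic):
                    findings.append(("native-binary", name, kind))
                    break
            else:
                if name.lower().endswith(NATIVE_EXT):
                    findings.append(("native-extension", name, "no known magic"))
            if name.endswith(".class"):
                for match in CLEARTEXT_URL.finditer(body):
                    findings.append(("cleartext-url", name, match.group().decode("ascii")))
                for hint in LOADER_HINTS:
                    if hint in body:
                        findings.append(("loader-hint", name, hint.decode("ascii")))
    return findings


def build_sample_jar():
    """Constructed sample: class-like bytes and a PE stub, not a real mod."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("fabric.mod.json", '{"id": "examplemod"}')
        jar.writestr("assets/examplemod/guard.bin", b"MZ\x90\x00" + b"\x00" * 60)
        jar.writestr("com/example/Stats.class",
                     b"\xca\xfe\xba\xbe\x00\x00\x00\x41"
                     b"\x01\x00\x23http://stats.example.invalid/upload"
                     b"\x01\x00\x18java/lang/ProcessBuilder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_jar(build_sample_jar()):
        print(*finding, sep="\t")
```

A finding is a reason to decompile and read the class, not a verdict: some legitimate mods ship natives or start processes.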

This is a quick update on the survival mod I was working on earlier! Please ignore my hideous prototype models, 90% of this is going to be expanded later!

My mod is an earlygame expansion that tries to make a fun version of realistic tech progression that also goes more in-depth than No Tree Punching (which almost instantly lets you make a furnace).


It's not meant to be as hard as say... TFC, but it forces you to play slower and build wider instead, as these processes are initially slow. Getting to a furnace (mid-game) will probably take you multiple in-game days, you'll be constantly having to plan your progression alongside securing reliable sources of food.

Alongside the basic tech tree (Kiln (-> and now Crucibles!) -> furnaces), I have now implemented a food rot system, since Food Funk isn't really well ported to other versions.

Currently, almost all food rots over time. Some can have their lifespan extended a bit by cooking them in a campfire/furnace. Unlike some of the other implementations, I made sure to make honey bottles never spoil, just like in real life. Food preservation is also probably coming next.

Arguably these crucibles would probably only be smelting up to copper, but this isn't for 1.21.9 yet and I would die if I had to remake copper tools 🤷‍♀️.


Outside of that, I don't know if I should branch out into less 'vanilla-friendly' features, but there is still tonnes for me to do. Please give your opinions!

u/emmowo_dev — 11 days ago

I used to enjoy playing with a mod trio like True Darkness + No Tree Punching + TAN, since it slows down the early game and forces you to plan around base design the day/night cycle, which saves my stupid ADHD from making me never actually settle down.

But nowadays, both True Darkness and No Tree Punching aren't maintained, and I also feel like No Tree Punching could've been more complex to force you to diversify with vanilla mechanics (but not as complex as TFC lol). I could suck it up and play older MC, or I could do the even dumber option of trying to do my own thing. Obviously I'm not dumb, so...


I've implemented a few of these ideas already, but what I find fun (borderline masochism!) is probably not what most people enjoy. Also, this is on 1.21.1 for... certain... reasons...

My current planned changes are (some of which are inspired by my other mods):

  • Flint tools are quicker to obtain and just simplified to a hand axe since this isn't very 'fun' past the first few times.

  • Smelting requires making a kiln setup, which involves drying bricks (more uses for clay) and is slow to smelt cobblestone into regular stone now required for a furnace (forcing other ways of obtaining food). I don't know if it should be a multiblock setup or not.

  • All raw food can give hunger, and has a higher chance than before. Campfires are the only source of earlygame heat/fire for cooking.

  • Fishing is now possible to automate via fishing baskets, as long as 'bait' (like crumbled bread or meat) is supplied

Things that might be a bit much but are still cool:

  • Possibly adding cheaper alternative recipes for String, Shears and Buckets?

  • Raising the time it takes for Sweet Berries to grow and making wheat produce 2x as much while taking 3x as long to grow?

  • Herds all flee when attacked/flee when they 'smell' a player's scent carried downwind (to encourage alternative methods to get food)

  • Food rot, occurring faster based on climate or without proper containment structures.

Some more intrusive things (like forcing people to make bread through Create millstones or cooking) might be better off just being a modpack?

Anyways, I'd really like to hear your advice. I'm decently confident that I can implement things nicely enough as long as it doesn't call for a detailed model/lots of art.

u/emmowo_dev — 13 days ago

I've always hosted modded servers for friends for ages with the generic java -Xmx4G -jar server.jar, but my recent obsession with managing stuff (among other things) has made me want to do this "properly" for once. ESPECIALLY because I've been extremely unlucky with disks dying before I remember to transfer backups off of them.

I'm wondering, do people actually automate their servers (i.e. restarts, backups to other media, and modpack downloading and updating), and is this done through random scripts, manual labor, or some docker container with a management tool?

I was considering just writing a dumb web wrapper for all of this, but it's not really worth the effort if someone has made a better solution.

Or... maybe I'm just crazy and everyone just logs in to run /stop after leaving ssh and uses an sftp mount to replace mod files for this kind of server.

u/emmowo_dev — 16 days ago