New EVE Online forums temporarily disabled
 
This thread is older than 90 days and has been locked due to inactivity.


 

LtCol Laurentius
Caldari
Digital Fury Corporation
Northern Coalition.
Posted - 2011.04.10 14:52:00 - [331]
 

Originally by: Miilla

Whistleblower? Whistleblowers talk about the problem, they don't EXPLOIT the problem.



I would probably have given you a reasonable response if it was apparent that you had at least SOME clue of what you are talking about. But since you don't, I won't care.

dexington
Caldari
Baconoration
Posted - 2011.04.10 14:53:00 - [332]
 

Originally by: CCP Sreegs
I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.


If I remember correctly, the "EVE Technology Lab" forums had posts with people posting links to 3rd-party tools, and with people being able to edit all posts it would be possible to change the links without the users downloading the tools noticing the change.

Have you been able to verify that no data tampering was going on while the forums were online? Otherwise everyone who downloaded any program using links from the forums could potentially be at risk of running modified versions.

Darth Vapour
Posted - 2011.04.10 14:53:00 - [333]
 

Quote:
We've also said there will be a blog which will detail what occurred and what was wrong.


How about a blog that explains what steps are taken to make sure it does not happen again?

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.10 14:54:00 - [334]
 

Edited by: Helicity Boson on 10/04/2011 14:54:40
You're also being lied to.

While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.

Saying we were completely safe is, demonstrably, FALSE.

I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592

After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.10 14:55:00 - [335]
 

Originally by: Miilla
Originally by: Grimpak
Originally by: Miilla
Whistleblower? Whistleblowers talk about the problem, they don't EXPLOIT the problem.


in all fairness, while he could do something much more malicious than he did and while I can understand why he did it (concern that an email simply wouldn't suffice), the means were also not the most correct.

should we thank him? yes. but punishment still must be served. A tempban in my view would probably be the most correct approach.


He could publish his findings anonymously instead of exploiting it for his (ego) gain.

Tough, he went about it in the wrong way.





in the end there was no harm done to nobody. still, rules must be followed, and not punishing him would give a very bad precedent, even if his goal was just to rush the process a bit and/or ego boosting.
not condoning what he has done. it was still wrong even if it was done with good and understandable intentions.

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.04.10 14:56:00 - [336]
 

Edited by: Miilla on 10/04/2011 14:56:57
Originally by: Helicity Boson
Edited by: Helicity Boson on 10/04/2011 14:54:40
You're also being lied to.

While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.

Saying we were completely safe is, demonstrably, FALSE.

I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592

After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.




Can I have my Hulkageddon 4 Medal before you go please?



Calathea Sata
State War Academy
Posted - 2011.04.10 14:59:00 - [337]
 

Originally by: Helicity Boson
Edited by: Helicity Boson on 10/04/2011 14:54:40
You're also being lied to.

While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.

Saying we were completely safe is, demonstrably, FALSE.

I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592

After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.



You are not alone in the escape pod.

Get onboard before the failboat sinks!

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.10 15:06:00 - [338]
 

Originally by: Helicity Boson
Edited by: Helicity Boson on 10/04/2011 14:54:40
You're also being lied to.

While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.

Saying we were completely safe is, demonstrably, FALSE.

I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592

After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.

I can't believe you just soooo went there.

good luck \o

Tippia
Caldari
Sunshine and Lollipops

Posted - 2011.04.10 15:07:00 - [339]
 

Originally by: Helicity Boson
I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592
Thumbed.
(Who needs likes? We already have that functionality.)

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.04.10 15:08:00 - [340]
 



I think everybody is overreacting and making a mountain out of a molehill.

DON'T PANIC!!!




Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.10 15:17:00 - [341]
 

Originally by: Miilla


I think everybody is overreacting and making a mountain out of a molehill.

DON'T PANIC!!!




tbh no need to panic now, since the security break has been closed.



being worried on how this has come to pass and if it has a chance of happening again however, is something that is valid.

Bhattran
Posted - 2011.04.10 15:17:00 - [342]
 

Originally by: Helicity Boson
Edited by: Helicity Boson on 10/04/2011 14:54:40
You're also being lied to.

While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.

Saying we were completely safe is, demonstrably, FALSE.

I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592

After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.



Thank you pilot.

Neo Gabriel
Gallente
Percussive Diplomacy
The Phoenix. Consortium
Posted - 2011.04.10 15:22:00 - [343]
 

I don't play this game for a couple of days, stay awake into the morning playing assassins creed brotherhood (yeah eve is really starting to feel like sh!t compared to fun, new games) then go check scrapheap/eve24 for eve news...

Scrapheap is down, eve24 has an article on ccp failed to make forums and some dude pulled a prank and got banned and ccp pulled a massive fail.

So go to failheap and kuqgu to check for info. Kuqgu i guess only posts important stuff on the ultrarich faqgs section so deleting the bm. While looking at the failheap posts i see the eve24 gif links and comments. Ok, read up time.

...

So GMs giving away BPOS is ok, Monkeysphere injecting python is ok, but some dude reporting MASSIVE security flaws in your failure of a forum, then being ignored and pulling a small prank gets him insta-banned.

How is this for you as a deal? I am cancelling all my 3 accounts as of now until you un-ban the guy that exposed your failure (hopefully before someone was able to steal account ids off everyone that posted and started cross referencing passwords from other forums).

I have put up with your failure to maintain the game that I play for years. No interactions in lowsec and facwar and then all your cumulative failures of judgement have pushed me into a corner. Only thing you care about is money, and mine you will have no longer.

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.04.10 15:24:00 - [344]
 

Edited by: Miilla on 10/04/2011 15:24:35
Originally by: Grimpak
tbh no need to panic now, since the security break has been closed.
being worried on how this has come to pass and if it has a chance of happening again however, is something that is valid.



Hanging Lady: Nervous?
Ted Striker: Yes.
Hanging Lady: First time?
Ted Striker: No, I've been nervous lots of times.




Kerfira
Kerfira Corp
Posted - 2011.04.10 15:32:00 - [345]
 

Edited by: Kerfira on 10/04/2011 15:38:59
What's all this talk of 72000 or 75000 man hours to build the new forums?
That's about ~45 MAN YEARS (which is several hundred miles beyond ridiculous for a forum)!!!

EDIT: Thumbs up to Helicity Boson for that blog post! Things needed to be said!

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.10 15:33:00 - [346]
 

Originally by: Miilla
Edited by: Miilla on 10/04/2011 15:24:35
Originally by: Grimpak
tbh no need to panic now, since the security break has been closed.
being worried on how this has come to pass and if it has a chance of happening again however, is something that is valid.



Hanging Lady: Nervous?
Ted Striker: Yes.
Hanging Lady: First time?
Ted Striker: No, I've been nervous lots of times.




Razz

Tippia
Caldari
Sunshine and Lollipops
Posted - 2011.04.10 15:40:00 - [347]
 

Originally by: Kerfira
What's all this talk of 72000 or 75000 man hours to build the new forums?
That's about ~45 MAN YEARS (which is several hundred miles beyond ridiculous for a forum)!!!
I seem to recall that it was a figure mentioned at one of the fanfest presentations.

It also kind of makes sense: they started mumbling about new forums just over a year ago, and apparently, the web team consists of 40 ppl. So if that last number is correct, the man hour count seems reasonable as well.

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.04.10 15:44:00 - [348]
 

Originally by: Tippia
Originally by: Kerfira
What's all this talk of 72000 or 75000 man hours to build the new forums?
That's about ~45 MAN YEARS (which is several hundred miles beyond ridiculous for a forum)!!!
I seem to recall that it was a figure mentioned at one of the fanfest presentations.

It also kind of makes sense: they started mumbling about new forums just over a year ago, and apparently, the web team consists of 40 ppl. So if that last number is correct, the man hour count seems reasonable as well.


All companies and employees huff hot air to make them awesome, when in fact they are just cogs doing production.



Gnulpie
Minmatar
Miner Tech
Posted - 2011.04.10 15:44:00 - [349]
 

Originally by: CCP Sreegs
I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.


What do you say about that the "new forums" allowed the injection of any code (depending on the user's computer configuration, even keyloggers and other nasty stuff) which would be then executed by the forum users?

Wouldn't you agree that this is not a huge risk of your customers?

You didn't risk your customers' data on your internal servers, no. Far WORSE, you risked your customers' security as a whole.

Do you think it is the right step to downplay this incredible risk?

And what do you say to the rumours that these gaping security holes were all reported in the testing BEFORE the forums went public? Is that true or not?

Kerfira
Kerfira Corp
Posted - 2011.04.10 15:48:00 - [350]
 

Originally by: Tippia
Originally by: Kerfira
What's all this talk of 72000 or 75000 man hours to build the new forums?
That's about ~45 MAN YEARS (which is several hundred miles beyond ridiculous for a forum)!!!
I seem to recall that it was a figure mentioned at one of the fanfest presentations.

It also kind of makes sense: they started mumbling about new forums just over a year ago, and apparently, the web team consists of 40 ppl. So if that last number is correct, the man hour count seems reasonable as well.

Ok, so it's probably for the entire evebook farce... Maybe a bit more reasonable, but not by much...
My guess is that being married to Micro$oft's architecture carries a steep price in development hours...

Vaerah Vahrokha
Minmatar
Vahrokh Consulting
Posted - 2011.04.10 15:52:00 - [351]
 

Support!

Cletus Graeme
North Eastern Swat
Pandemic Legion
Posted - 2011.04.10 16:01:00 - [352]
 

Originally by: Grimpak

in the end there was no harm done to nobody. still, rules must be followed, and not punishing ccp would give a very bad precedent, even if their goal was just to rush the process a bit and/or ego boosting.
not condoning what ccp has done. it was still wrong even if it was done with good and understandable intentions.


fyp

also, what the hell is wrong with the current forums anyway?
if it ain't broken....

Baihuigau
Gallente
Skull Brigade
Posted - 2011.04.10 16:04:00 - [353]
 

To be honest I'm actually liking Sreegs more and more. Like others have said, it's not his job to pore over every single line of code to make sure the forums were secure; he's not a coder, hell, a lot of IT guys hate coding, but he's doing his job now reacting to a security matter. Kudos to you, man. On the other hand, I didn't like the whole IP banning of the guy that pointed out the exploit; that left me with extreme sour grapes about CCP just like the T20 incident. Not to mention, since it was not an account ban but an IP ban, there is this thing called a dynamic IP... It's almost like someone freaked out and pushed the ban button without knowing how to do a proper ban.

CCP Sreegs

Posted - 2011.04.10 16:15:00 - [354]
 

Edited by: CCP Sreegs on 10/04/2011 16:20:34
Originally by: Helicity Boson
Edited by: Helicity Boson on 10/04/2011 14:54:40
You're also being lied to.

While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.

Saying we were completely safe is, demonstrably, FALSE.

I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592

After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.



There are 3 problems with your post.

A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
B) We are in the process of conducting an investigation, but thus far it appears that nobody was doing anything that could put even people's cookies at risk, much less key logging.
C) We don't ban people for having opinions. Even when they're wrong. (or rude)

Calathea Sata
State War Academy
Posted - 2011.04.10 16:16:00 - [355]
 

Originally by: Calathea Sata
Originally by: Dogo Duma
Originally by: Akita T
Originally by: CCP Sreegs
My job is security therefore that's what I blog about. The reason we shut down the forums was security related.

That aside, which version are you more comfortable using personally, this one or the "new" one ? Twisted Evil
And why ?


Originally by: CCP Sreegs
Originally by: Titus Phook
Well if he passed the new forum as fit for use, and lets face it he's the security guy and it was a security issue, he's probably busy trying to get the egg off his face.


My job is response, not reviewing every single line of code that gets written.


Hm.

CCP Sreegs has some explanations to do.

CCP Sreegs

Posted - 2011.04.10 16:18:00 - [356]
 

Edited by: CCP Sreegs on 10/04/2011 16:23:05
Originally by: Baihuigau
To be honest I'm actually liking Sreegs more and more. Like others have said, it's not his job to pore over every single line of code to make sure the forums were secure; he's not a coder, hell, a lot of IT guys hate coding, but he's doing his job now reacting to a security matter. Kudos to you, man. On the other hand, I didn't like the whole IP banning of the guy that pointed out the exploit; that left me with extreme sour grapes about CCP just like the T20 incident. Not to mention, since it was not an account ban but an IP ban, there is this thing called a dynamic IP... It's almost like someone freaked out and pushed the ban button without knowing how to do a proper ban.


Nobody who has ever come forward with a legitimate security concern, with full details of what the exploit was, that they were not actively exploiting themselves, has ever been actioned against by us. There is a right way and a wrong way to report things, as I've said.

It's against policy to discuss any detail whatsoever about a ban so I'm not allowed to do so. I can say that you don't have access to determine how any ban in our system was instituted.

Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.04.10 16:19:00 - [357]
 

Edited by: Akita T on 10/04/2011 16:25:04


Originally by: Baihuigau
To be honest I'm actually liking Sreegs more and more [...snip...]

CCP Sreegs being a pretty decent guy and trying his best to sort out problems still doesn't make "CCP, the enterprise" any less exasperating considering what's happening nowadays.

Originally by: Calathea Sata
[bigsnip]
Quote:
CCP Sreegs has some explanations to do.


The answer is simple : his job is to respond to security issues, no ?
Wink

EDIT : in after Sreegs Laughing

Back on topic : Sreegs, security issues and your job title and all those things aside...
...which version are you more comfortable using personally, this one right here or the "new" (now closed) one ? And why ?

Elyssa MacLeod
Posted - 2011.04.10 16:20:00 - [358]
 

Edited by: Elyssa MacLeod on 10/04/2011 16:26:34
Originally by: TigerXtrm
I liked the new forums, I don't know what everyone is complaining about when it comes to the layout or bleeding eyes. Do any of you people go to other websites than this one? This forum is stuck in the bloody 1980s... there is absolutely NO usability at all.



Epic troll

Originally by: Grimpak
Originally by: Better Than You
So basically what you are saying is if we used the new forums, our account details were exposed? Including credit card information?

Yeah ok. Between the anomaly nerf and CCP exposing everyone's account details including credit cards, I quit. This is just unacceptable. Great job CCP. I trusted you and this is how you treat your customers.

Time to spend my money on another game that doesn't expose my information.

not quite.

the security holes themselves didn't go past the forum cookies, that don't store any password information. eveGate and account management themselves were secure since the cookies didn't "transport" from one place to another. At most all you could do was impersonating people in the forums.

now, IF someone less scrupulous posted html code in the 6000-character limited post and/or the 500-character limited signature to inject malicious code or any kind of malware, now there's a good chance that you could get your own computer's security compromised.

so yes, the main security hole wasn't the cookies, but the fact that the forums didn't sanitize html code.



better safe than sorry tho, so I changed passwords.


Wasn't there an ISD guy that got said info and went and posted it on SHC and kugu's boards shortly after the T20 debacle? So it's not like it's never happened here before.

Nikita Alterana
Kumiho's Smile
Posted - 2011.04.10 16:26:00 - [359]
 

Originally by: Helicity Boson
Edited by: Helicity Boson on 10/04/2011 14:54:40
You're also being lied to.

While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.

Saying we were completely safe is, demonstrably, FALSE.

I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592

After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.



I salute you brave forum warrior o7

Baihuigau
Gallente
Skull Brigade
Posted - 2011.04.10 16:26:00 - [360]
 

Originally by: Akita T
Edited by: Akita T on 10/04/2011 16:21:53
Originally by: Baihuigau
To be honest I'm actually liking Sreegs more and more. Like others have said, it's not his job to pore over every single line of code to make sure the forums were secure; he's not a coder, hell, a lot of IT guys hate coding, but he's doing his job now reacting to a security matter. Kudos to you, man. On the other hand, I didn't like the whole IP banning of the guy that pointed out the exploit; that left me with extreme sour grapes about CCP just like the T20 incident. Not to mention, since it was not an account ban but an IP ban, there is this thing called a dynamic IP... It's almost like someone freaked out and pushed the ban button without knowing how to do a proper ban.

CCP Sreegs being a pretty decent guy and trying his best to sort out problems still doesn't make "CCP, the enterprise" any less exasperating considering what's happening nowadays.

I agree with you on that, Akita. To be honest I just don't know anything we could do to change that. In the past month I have read a lot of stuff about internal procedures of CCP, mostly from disgruntled employees around the net, and it does paint a picture of management being rather incompetent and full of themselves, but that's not anything new when companies get big.

