This thread is older than 90 days and has been locked due to inactivity.


 

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.10 16:57:00 - [391]
 

Originally by: CCP Sreegs

I'm saying exactly what I said.


you're damned if you do, damned if you don't mate.

I don't believe for one second your "review" will ever yield any result other than "no we were safe".

Especially since via-via-via-IM I was showing you how the night before and you didn't get it.

You'd never own up to the site being vulnerable anyways, and it's that fact that makes me shudder with revulsion.

Terrible coding practices combined with a willingness to lie make for a grim picture indeed.

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.10 16:58:00 - [392]
 

Originally by: CCP Sreegs
Originally by: Grimpak
dude, go to sleep, lol


I slept last night like a good 7 hours. I came back in today to continue, so I'm pretty well rested actually.
oh, ok.

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.10 16:59:00 - [393]
 

Originally by: CCP Sreegs
Originally by: Bomberlocks
......


We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.

I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.

Your policy of not discussing administrative actions is one thing (and IMO is currently being used to shield CCP from public humiliation), but if you read the post on Helicity's blog, you'll see that what you are saying with respect to the vulnerability is demonstrably false. If you do not honestly address the issues in at least the same detail Helicity did, then I think it's time to take this to the media, because, as it currently stands, there is no good reason to believe anything you are saying, but there are a lot of good reasons to not believe anything you say.

In short: Customer data was in danger through code injected into the signature. CCP did ignore the warnings of numerous people. You are trying to avoid admitting to your errors. Prove me wrong and I'll happily apologise, but simply claiming I'm wrong without proof is simply not good enough.

Myra2007
Millstone Industries
Posted - 2011.04.10 16:59:00 - [394]
 

Originally by: Gnulpie
At least that CCP Sreegs guy seems to do good work right now.

Props for that. I can imagine way better things to do than talking with angry EVE people on the forums :D


QFT
The people who are probably directly responsible (be it coders or management or whatever) still have to show their faces. I doubt it's going to happen though. The next time we hear anything from say CCP Alice, CCP Paradox or CCP Elais will probably be when they launch this "feature rich" forum a 2nd (3rd? 4th?) time with security holes fixed (again...) and no other fixes at all. And these are only the "public" faces to the new forum. I simply refuse to believe that they are completely inept and like to believe they got extreme pressure from management or something. Time for a Hilmar devblog or something imho...

Sullen Skoung
Posted - 2011.04.10 17:00:00 - [395]
 

Originally by: CCP Sreegs
Originally by: Sullen Skoung
Originally by: CCP Sreegs


I'm sure a lot of people work for a lot of good companies. What I was stating was that if anyone has actual evidence of the malfeasance that was suggested they're welcome to email it to me.


love the defense by way of "prove we got the emails" when there's no way you actually can do that short of working at CCP.


I said if you have evidence send it to me. I never said prove we got them. If you're going to try to reword a post you should probably not do so with the complete text of the statement quoted.


Still a crap defense man, we CAN'T get the emails from your site so there's no way TO prove that we sent them. It's a stupid defense when all you have to do is get whoever browses ccp@security email FOR those emails, assuming that isn't you. Unless of course you can't send them an email or talk to them or something. Which would be a ****ty way to run a company tbh

Dark Striped
Posted - 2011.04.10 17:01:00 - [396]
 

I've changed my passwords just in case.

aside from that DONT MAKE ME USE THEM NEW ****TY ASS FORUMS AGAIN

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.10 17:03:00 - [397]
 

Edited by: Bomberlocks on 10/04/2011 17:04:51
Originally by: CCP Sreegs
....

Nobody who has ever come forward with a legitimate security concern, with full details of what the exploit was, that they were not actively exploiting themselves, has ever been actioned against by us. There is a right way and a wrong way to report things, as I've said.


If that is the case, why did CCP ignore Virtuozzo's and Helicity's attempts to warn you?
Quote:

It's against policy to discuss any detail whatsoever about a ban so I'm not allowed to do so. I can say that you don't have access to determine how any ban in our system was instituted.
In fact we do. We can just ask Cat. I'm more inclined to believe him than you tbqFh.

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.10 17:04:00 - [398]
 

Originally by: Bomberlocks
If that is the case, why did CCP ignore Virtuozzo's and Helicity's attempts to warn you?


To be fair they didn't do that.


Elyssa MacLeod
Posted - 2011.04.10 17:05:00 - [399]
 

Edited by: Elyssa MacLeod on 10/04/2011 17:09:06
Originally by: CCP Sreegs


I don't blog about forums so lets see where the investigation takes us and we'll figure out if you have a reason to be mad at me after I've actually finished the work :)


you realize yer talking in circles right? You earlier stated it was a security issue that brought down the forums and now you're saying you don't blog about forums.
That blog is gonna be pretty thin then if it's not about this fiasco.

Hey helicity, how you know his name? Sreegs: An what's all this about you not having ppl on yer IM anymore?

lol these ppl are all closer than we think they are...

CCP Sreegs

Posted - 2011.04.10 17:06:00 - [400]
 

Originally by: Helicity Boson
Originally by: CCP Sreegs

I'm saying exactly what I said.


you're damned if you do, damned if you don't mate.

I don't believe for one second your "review" will ever yield any result other than "no we were safe".

Especially since via-via-via-IM I was showing you how the night before and you didn't get it.

You'd never own up to the site being vulnerable anyways, and it's that fact that makes me shudder with revulsion.

Terrible coding practices combined with a willingness to lie make for a grim picture indeed.



I can assure you that I never came close to an IM from you. I did see some information that led directly to patching the problem, but I never personally got any IM from anyone from you. If I was somehow "not owning up to the site being vulnerable" I wouldn't have said it was vulnerable and I wouldn't have had it taken down.

I don't know what you're seeing from your perspective but it sounds to me like you're being taken for a ride by someone else or there's a really really hilarious miscommunication chain here.

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.10 17:07:00 - [401]
 

Originally by: CCP Sreegs
Edited by: CCP Sreegs on 10/04/2011 16:34:23
Originally by: Helicity Boson
Originally by: CCP Sreegs


There are 3 problems with your post.

A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.


Horsedung. And you know it. Javascript and CSS were confirmed to work.

I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.


If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.

Everything's not some shadowy conspiracy. I appreciate that you feel wronged somehow and I can't change that. I have no need whatsoever to save anyone's face, my job is to determine and respond to the problem. Honestly.

:Edit: to respond to the rest, I can say that we have internal procedures which include peer review and pen testing. Part of the investigation will be to determine if that was done and if not why, etc... That's probably mostly going to be internal, but it's not something I'm not thinking about.
You'd trust the people who made the mistake in the first place more than the people who tried to warn you about it?

CCP Sreegs

Posted - 2011.04.10 17:08:00 - [402]
 

Originally by: Bomberlocks
Originally by: CCP Sreegs
Originally by: Bomberlocks
......


We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.

I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.

Your policy of not discussing administrative actions is one thing (and IMO is currently being used to shield CCP from public humiliation), but if you read the post on Helicity's blog, you'll see that what you are saying with respect to the vulnerability is demonstrably false. If you do not honestly address the issues in at least the same detail Helicity did, then I think it's time to take this to the media, because, as it currently stands, there is no good reason to believe anything you are saying, but there are a lot of good reasons to not believe anything you say.

In short: Customer data was in danger through code injected into the signature. CCP did ignore the warnings of numerous people. You are trying to avoid admitting to your errors. Prove me wrong and I'll happily apologise, but simply claiming I'm wrong without proof is simply not good enough.


I'm not trying to avoid anything. It seems a bit silly to say YOUR WRONG PROVE ME YOUR RIGHT, then make the opposite assertion with less burden. At this point in time the only thing we can do is point fingers at each other and that's not very productive. Nevermind the fact that you're just rehashing a conversation I responded to not 30 minutes ago.

CCP Sreegs

Posted - 2011.04.10 17:09:00 - [403]
 

Originally by: Sullen Skoung
Originally by: CCP Sreegs
Originally by: Sullen Skoung
Originally by: CCP Sreegs


I'm sure a lot of people work for a lot of good companies. What I was stating was that if anyone has actual evidence of the malfeasance that was suggested they're welcome to email it to me.


love the defense by way of "prove we got the emails" when there's no way you actually can do that short of working at CCP.


I said if you have evidence send it to me. I never said prove we got them. If you're going to try to reword a post you should probably not do so with the complete text of the statement quoted.


Still a crap defense man, we CAN'T get the emails from your site so there's no way TO prove that we sent them. It's a stupid defense when all you have to do is get whoever browses ccp@security email FOR those emails, assuming that isn't you. Unless of course you can't send them an email or talk to them or something. Which would be a ****ty way to run a company tbh


What? I have no idea what you're trying to say.

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.10 17:09:00 - [404]
 

Originally by: CCP Sreegs
Originally by: Helicity Boson
Originally by: CCP Sreegs

I'm saying exactly what I said.


you're damned if you do, damned if you don't mate.

I don't believe for one second your "review" will ever yield any result other than "no we were safe".

Especially since via-via-via-IM I was showing you how the night before and you didn't get it.

You'd never own up to the site being vulnerable anyways, and it's that fact that makes me shudder with revulsion.

Terrible coding practices combined with a willingness to lie make for a grim picture indeed.



I can assure you that I never came close to an IM from you. I did see some information that led directly to patching the problem, but I never personally got any IM from anyone from you. If I was somehow "not owning up to the site being vulnerable" I wouldn't have said it was vulnerable and I wouldn't have had it taken down.

I don't know what you're seeing from your perspective but it sounds to me like you're being taken for a ride by someone else or there's a really really hilarious miscommunication chain here.
And if he posts his chat logs?

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.10 17:12:00 - [405]
 

Originally by: CCP Sreegs
or there's a really really hilarious miscommunication chain here.


It's that. But in the scheme of things this is moot.


Copine Callmeknau
Kangaroos With Frickin Lazerbeams
The KWFL Republic
Posted - 2011.04.10 17:12:00 - [406]
 

Originally by: Copine Callmeknau
Originally by: Miilla
Originally by: Copine Callmeknau

Miilla your sig is ****ing awful, also it's oversized and gonna get nerfed when a mod sees it


Yours is too violent and should be also nerfed due to the blood and gore.



I've had mine 5yrs, you've had yours 10min. We'll see whose gets nerfed first k?


LULZ I WIN

CCP Sreegs

Posted - 2011.04.10 17:12:00 - [407]
 

Originally by: Elyssa MacLeod


you realize yer talking in circles right? You earlier stated it was a security issue that brought down the forums and now you're saying you don't blog about forums.
That blog is gonna be pretty thin then if it's not about this fiasco.

Hey helicity, how you know his name? Sreegs: An what's all this about you not having ppl on yer IM anymore?

lol these ppl are all closer than we think they are...



I was a player for a long time. When I joined the company I removed a bunch of people from IM and had to leave the game as per policy. No huge mystery there.


Sullen Skoung
Posted - 2011.04.10 17:12:00 - [408]
 

Originally by: CCP Sreegs

Quote:

Still a crap defense man, we CAN'T get the emails from your site so there's no way TO prove that we sent them. It's a stupid defense when all you have to do is get whoever browses ccp@security email FOR those emails, assuming that isn't you. Unless of course you can't send them an email or talk to them or something. Which would be a ****ty way to run a company tbh


What? I have no idea what you're trying to say.


you are saying WE need to provide proof of sending emails to ccp@security

I'M saying we can't provide this proof being that we can't get into ccp@security to get copies of those emails sent.

YOU who work at CCP, supposedly AS security, should either be able to access that email account or email the guy that can and can see if those emails do in fact exist.

CCP Sreegs

Posted - 2011.04.10 17:14:00 - [409]
 

Originally by: Bomberlocks
You'd trust the people who made the mistake in the first place more than the people who tried to warn you about it?


Who said it was them that I asked?

Elyssa MacLeod
Posted - 2011.04.10 17:15:00 - [410]
 

Originally by: Bomberlocks
And if he posts his chat logs?


gets banned for posting GM communications?

I'm guessing he can't say anything like he gets IMs from players cause that player/GM interaction wall breach was part of the issue in T20


Dark Striped
Posted - 2011.04.10 17:15:00 - [411]
 

Originally by: CCP Sreegs
Originally by: Bomberlocks
You'd trust the people who made the mistake in the first place more than the people who tried to warn you about it?


Who said it was them that I asked?


not fussed about all this smack.

can you close these new pile of crap forums down forever? I hope you have that power cos they suck

CCP Sreegs

Posted - 2011.04.10 17:15:00 - [412]
 

Originally by: Sullen Skoung
Originally by: CCP Sreegs

Quote:

Still a crap defense man, we CAN'T get the emails from your site so there's no way TO prove that we sent them. It's a stupid defense when all you have to do is get whoever browses ccp@security email FOR those emails, assuming that isn't you. Unless of course you can't send them an email or talk to them or something. Which would be a ****ty way to run a company tbh


What? I have no idea what you're trying to say.


you are saying WE need to provide proof of sending emails to ccp@security

I'M saying we can't provide this proof being that we can't get into ccp@security to get copies of those emails sent.

YOU who work at CCP, supposedly AS security, should either be able to access that email account or email the guy that can and can see if those emails do in fact exist.


I never said I didn't have those mails....

I said that if you have any evidence that someone within the company is doing something wrong as was intimated by the original post, then that was the address to send it to... that was the entirety of what I was trying to state. I don't know how that got twisted into this.

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.10 17:16:00 - [413]
 

Originally by: CCP Sreegs
Originally by: Bomberlocks
Originally by: CCP Sreegs
Originally by: Bomberlocks
......


We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.

I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.

Your policy of not discussing administrative actions is one thing (and IMO is currently being used to shield CCP from public humiliation), but if you read the post on Helicity's blog, you'll see that what you are saying with respect to the vulnerability is demonstrably false. If you do not honestly address the issues in at least the same detail Helicity did, then I think it's time to take this to the media, because, as it currently stands, there is no good reason to believe anything you are saying, but there are a lot of good reasons to not believe anything you say.

In short: Customer data was in danger through code injected into the signature. CCP did ignore the warnings of numerous people. You are trying to avoid admitting to your errors. Prove me wrong and I'll happily apologise, but simply claiming I'm wrong without proof is simply not good enough.


I'm not trying to avoid anything. It seems a bit silly to say YOUR WRONG PROVE ME YOUR RIGHT, then make the opposite assertion with less burden. At this point in time the only thing we can do is point fingers at each other and that's not very productive. Nevermind the fact that you're just rehashing a conversation I responded to not 30 minutes ago.
Bolded the part you seem to have missed.

But whatever, Screegs. I don't want to jump on your case. I've cancelled my credit card and I doubt that I'll be renewing that data with CCP unless CCP post a very honest and open discussion on how they will not in future endanger my computer, or the data I entrust them with. A broken game is one thing, but bad security has repercussions in the real world.

Jon Taggart
State War Academy
Posted - 2011.04.10 17:17:00 - [414]
 

People want to get as much rage out there as possible before these forums go kaput and everything here gets locked and archived.

Sullen Skoung
Posted - 2011.04.10 17:17:00 - [415]
 

Originally by: CCP Sreegs


I never said I didn't have those mails....

I said that if you have any evidence that someone within the company is doing something wrong as was intimated by the original post, then that was the address to send it to... that was the entirety of what I was trying to state. I don't know how that got twisted into this.


cause we work for CCP Internal affairs and can provide this proof? Again, using the defence of "prove it to me" when we don't have access to internal CCP documents isn't a defense


CCP Sreegs

Posted - 2011.04.10 17:17:00 - [416]
 

Originally by: Elyssa MacLeod
Originally by: Bomberlocks
And if he posts his chat logs?


gets banned for posting GM communications?

I'm guessing he can't say anything like he gets IMs from players cause that player/GM interaction wall breach was part of the issue in T20




If someone had found a way to get me an IM from him I'd have no problem saying so. I don't think that was the case here. I did have some information forwarded to me, that was used. But I had no IM convo tmk.

Hel O'Ween
Men On A Mission
EVE Trade Consortium
Posted - 2011.04.10 17:18:00 - [417]
 

Originally by: Neo Gabriel

[...] but some dude reporting MASSIVE security flaws in your failure of a forum, then being ignored and pulling a small prank gets him insta-banned.



This is the real problem. I mean, we're not talking about some ingame bug that makes you a billionaire instantly - which would be bad enough but hurts no one outside the game.

We're talking about a glaring security hole that puts every forum user at risk of having his computer hacked/infected.

Cat (and potentially others) shouldn't have been punished and banned for this. They should have been rewarded with a free lifetime subscription instead. And I remind you that Cat reported the issue first and then - when his warning got ignored - demonstrated it for all to see. This was the time CCP finally got the message and pulled the plug.

Gnulpie
Minmatar
Miner Tech
Posted - 2011.04.10 17:18:00 - [418]
 

Man, jeez, give them folks at CCP some time to investigate what exactly happened, where the vulnerabilities are, what communication channels failed (if they failed) etc.

This takes time and such things can't be properly done in a few hours!

You guys want thorough investigation and at the same time you want results, blogs and whatnot already yesterday. That's not working!

If there is still no public reply in a few days, THEN is the time to make a huge uproar, but for now let them do their work.

Ranting, venting anger and frustration is good and fine, but after that, let it go and calm down.

Sullen Skoung
Posted - 2011.04.10 17:19:00 - [419]
 

Edited by: Sullen Skoung on 10/04/2011 17:21:43
Originally by: Hel O'Ween
And I remind you that Cat reported the issue first and then - when his warning got ignored - demonstrated it for all to see. This was the time CCP finally got the message and pulled the plug.


I think this is the part that Sreegs is trying to get us to prove

Originally by: Gnulpie
Man, jeez, give them folks at CCP some time to investigate what exactly happened, where the vulnerabilities are, what communication channels failed (if they failed) etc.

This takes time and such things can't be properly done in a few hours!

You guys want thorough investigation and at the same time you want results, blogs and whatnot already yesterday. That's not working!

If there is still no public reply in a few days, THEN is the time to make a huge uproar, but for now let them do their work.

Ranting, venting anger and frustration is good and fine, but after that, let it go and calm down.


no offense, but look at the player base you're talking to...
the phrase "falling on deaf ears" comes to mind

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.10 17:20:00 - [420]
 

Originally by: CCP Sreegs

I did have some information forwarded to me, that was used. But I had no IM convo tmk.


yeah, that's the info I was giving via an extremely convoluted route, but this is irrelevant to the discussion, I just wanted to make sure you knew where it was coming from and why I'm skeptical of how sincere (and accurate) your blog post will be.

We'll be scrutinizing said blog post very closely, I hope you can find it in yourself to be honest and forthright in it.

