blankseplocked New Dev Blog: New Forum Security Blog - Cookie Derp
 
This thread is older than 90 days and has been locked due to inactivity.


 


CCP Zymurgist


Gallente
C C P
Posted - 2011.04.11 22:58:00 - [1]
 

As many of you know we had to temporarily take down the new forums due to some security issues. CCP Sreegs has been on the case since Friday and brings us a new dev blog talking about the current situation. You can read his blog here.

Marconus Orion
D00M.
Northern Coalition.
Posted - 2011.04.11 23:03:00 - [2]
 

First in a soon to be rage thread.

Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.04.11 23:07:00 - [3]
 

Edited by: Akita T on 12/04/2011 13:50:55

Am I somewhat of a jerk for putting this below here ?
To some degree, yes. But I feel it is necessary.
Disclaimer : I still love the GAME, and I still love most of the individual devs at CCP.
My problem is with the company policy, dictated by a few people that might not even have ANYTHING to do with game design at all.
___

This was just a more visible symptom of a much deeper seated problem at CCP, namely that stuff HAS to be rushed to meet an unrealistic deadline, and damn the consequences, because the people responsible for the money are getting too antsy.
When you have public CCP figures flat-out telling the community that market research indicates that just about any new content helps sales better than getting it really right... when the same company touts words like "Excellence" and similar as their latest buzzword... you just KNOW you're heading for a world of hurt.

CCP LEADERSHIP MENTALITY NEEDS TO CHANGE FAST !
"New junky features sell, old polished content doesn't" ?
KILL IT WITH FIRE.
_

Funny (to me) translated and slightly adapted tidbit from my brother (who's a .Net/C#/whatever codemonkey)... if this is not accurate, I have no clue... this was from way before the blog came up...

"I don't get it, how did they manage to make the signature f-up, in .Net you have the .HTMLEncode() method, and then everything is magically secure from cross-site scripting. That's all they had to do. 1 line.
Also, .Net has built-in safeguards for cross site scripting, which you specifically need to disable by hand... guess what? they probably effin' did, because otherwise you couldn't enter HTML code in text boxes.
HTMLEncode(), that's all they needed to do, as in, REALLY.
Item.Signature.Text = HTMLEncode(Item.Signature.Text) ... or something like that, and that's it.
... from http://msdn.microsoft.com/en-us/library/w3te6wfz.aspx ...
HTML encoding makes sure that text is displayed correctly in the browser and not interpreted by the browser as HTML. For example, if a text string contains a less than sign (<) or greater than sign (>), the browser would interpret these characters as the opening or closing bracket of an HTML tag. When the characters are HTML encoded, they are converted to the strings &lt; and &gt;, which causes the browser to display the less than sign and greater than sign correctly.
HttpServerUtility.HtmlEncode()
..."

...

Well, APPARENTLY, this does not really apply quite so verbatim anymore, since you mention in your post that you DID (sort of) sanitize the output to SOME degree.
It still raises the question though : IF you were aware of how to sanitize THAT particular output in such a way, then why bother running so many scripts as you type that slow everything down, why not sanitize it just when the "post" button is pressed ?
And why couldn't you also sanitize HTML in signatures the same way ?
_

Anyway... security issues aside (which were mistakes APPARENTLY so basic that one has to wonder if CCP even _had_ a QA team worth mentioning working on them), there were so many other issues with the new forums that it would take more than one full post to list, most of those issues having been presented in public on the previous two test runs (only to be almost completely ignored).

The new forums were in such a sorry state FROM SO MANY different viewpoints that THE MIND BOGGLES how in the world anybody at CCP could even consider NOT ONLY putting them live, BUT ALSO closing down the old forums.

And most importantly : WHY IN THE WORLD WOULD YOU NOT MIGRATE ALL POST DATA TO THE NEW FORUMS ?!?
Or why not let BOTH of them run for a while ?

BTW, all caps were perfectly justified. I was screaming inside my head while typing them.
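As an added illustration of the HtmlEncode point raised above (example code written for this edit, not from the post, the MSDN page or CCP's forum code; the sample signatures are constructed, and Python's html.escape stands in for .NET's HttpServerUtility.HtmlEncode), this shows a signature dropped raw into a page beside the same signature encoded at render time, with a check that the user-controlled part of the output no longer contains anything an HTML parser would act on:

```python
import html
import re

# Constructed sample signatures (not real forum data). The second one carries
# the kind of tag-like text the thread says ended up interpreted as markup.
SAMPLE_SIGNATURES = {
    "pilot_a": "Fly safe o7",
    "pilot_b": '<b>not bold</b> & "quoted" <script>',
}

# Anything an HTML parser would act on: tag delimiters, quotes, or an '&'
# that does not start a well-formed character reference.
_UNENCODED = re.compile(r'[<>"\']|&(?!(?:[A-Za-z]+|#\d+|#x[0-9A-Fa-f]+);)')

SIG_OPEN, SIG_CLOSE = '<div class="sig">', "</div>"


def render_signature_raw(signature: str) -> str:
    """The flawed pattern: stored text dropped straight into the page, so the
    browser treats the signature's '<' and '>' as tag delimiters."""
    return f"{SIG_OPEN}{signature}{SIG_CLOSE}"


def render_signature(signature: str) -> str:
    """Encode at the point of output. html.escape plays the role of .NET's
    HtmlEncode: '<' -> '&lt;', '>' -> '&gt;', '&' -> '&amp;', and with
    quote=True also '"' -> '&quot;' and "'" -> '&#x27;'."""
    return f"{SIG_OPEN}{html.escape(signature, quote=True)}{SIG_CLOSE}"


def user_part(rendered: str) -> str:
    """Strip the template's own markup so only the user-controlled text is checked."""
    if not (rendered.startswith(SIG_OPEN) and rendered.endswith(SIG_CLOSE)):
        raise ValueError("unexpected wrapper markup")
    return rendered[len(SIG_OPEN):-len(SIG_CLOSE)]


def is_inert(fragment: str) -> bool:
    """True when nothing remains that an HTML parser would interpret as markup."""
    return _UNENCODED.search(fragment) is None


def audit(signatures: dict) -> dict:
    """For each signature: (raw render is inert?, encoded render is inert?)."""
    return {
        name: (is_inert(user_part(render_signature_raw(sig))),
               is_inert(user_part(render_signature(sig))))
        for name, sig in signatures.items()
    }


def survives_roundtrip(signature: str) -> bool:
    """Output encoding is lossless: the stored text can stay exactly as typed,
    which is why encoding belongs at every render point, not only on the
    post button."""
    return html.unescape(html.escape(signature, quote=True)) == signature


if __name__ == "__main__":
    for name, (raw_ok, enc_ok) in audit(SAMPLE_SIGNATURES).items():
        print(f"{name}: raw inert={raw_ok}, encoded inert={enc_ok}")
```

Encoding the text context is only half of it; the same data placed inside an attribute value or a script block needs the encoder for that context, which is where quote=True starts to matter.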

Marconus Orion
D00M.
Northern Coalition.
Posted - 2011.04.11 23:12:00 - [4]
 

I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.

Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuality you should be praising them for bringing the issue to your attention and not doing bad things.

The question on everyone's mind is: when will you be unbanning them?

Baihuigau
Gallente
Skull Brigade
Posted - 2011.04.11 23:13:00 - [5]
 

Edited by: Baihuigau on 11/04/2011 23:14:10
Rofl Akita, yes we already know CCP web devs need some professional development :P, not their fault CCP probably does not have an incentive program to develop their skills further. To Sreegs, that was a good blog; I agree with you in not divulging internal processes. I don't think we need absolute reproduction steps either, more of a follow-up on whether you whipped the web dev team and slapped them in the face, and if you found the fix for the new forums........ooh and tell us if multiboxing programs are allowed :P. Your communication skills have improved a lot though; the one thing I didn't like is the fact no one else from CCP apologised. I mean you did, but I think someone higher up should say something or we might think this all fell on deaf ears.

Yuki Kulotsuki
Posted - 2011.04.11 23:14:00 - [6]
 

Quote:
Hey I just wanted to let you know how much you smell terrible and also how bad your posts are.
Seems like perfectly reasonable criticism leveled at CCP Sreegs.

Other than that, good blog.

CCP Sreegs

Posted - 2011.04.11 23:15:00 - [7]
 

Originally by: Marconus Orion
I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.

Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuality you should be praising them for bringing the issue to your attention and not doing bad things.

The question on everyone's mind is: when will you be unbanning them?


We do not discuss administrative actions with anyone whatsoever. I can tell you that I have detailed quite clearly in the blog how to "warn" us without risking your account. I also gave a bit of insight into why it is that way. That's the only response I'm going to be able to give you on this subject.

Marconus Orion
D00M.
Northern Coalition.
Posted - 2011.04.11 23:17:00 - [8]
 

Originally by: CCP Sreegs
Originally by: Marconus Orion
I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.

Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuality you should be praising them for bringing the issue to your attention and not doing bad things.

The question on everyone's mind is: when will you be unbanning them?


We do not discuss administrative actions with anyone whatsoever. I can tell you that I have detailed quite clearly in the blog how to "warn" us without risking your account. I also gave a bit of insight into why it is that way. That's the only response I'm going to be able to give you on this subject.


Well, I guess it's a good thing we all were briefed on the proper way to file a petition regarding security issues with your forums before you released them. Rolling Eyes

Mental note: Be sure to add hugs and kisses to the bottom of all petitions to ensure said petition does not get you banned.

Liang Nuren
Posted - 2011.04.11 23:19:00 - [9]
 

Interesting. Can I ask how you're rewarding the people that helped you out (Helicity Boson, for example) without exploiting the system? :)

-Liang

Xercodo
Amarr
Xovoni Directorate
Posted - 2011.04.11 23:21:00 - [10]
 

first page on a soon to be whine thread? =D

CCP Sreegs

Posted - 2011.04.11 23:22:00 - [11]
 

Originally by: Liang Nuren
Interesting. Can I ask how you're rewarding the people that helped you out (Helicity Boson, for example) without exploiting the system? :)

-Liang


I don't want to really say at this point because I don't want to appear to be establishing a system or making any promises. We'll have a program up pretty quickly and then we'll answer this particular question.

Lubomir Penev
Dark Nexxus
S I L E N T.
Posted - 2011.04.11 23:24:00 - [12]
 

The best part about that dev blog : it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.

Liang Nuren
Posted - 2011.04.11 23:24:00 - [13]
 

Alright, well... I hope it's actually awesome. :)

-Liang

Kerfira
Kerfira Corp
Posted - 2011.04.11 23:27:00 - [14]
 

As expected... CCP is pretending that the only problems with the new forums were small security matters, not that the forums themselves were a serious step down in functionality, readability AND a giant step up in bandwidth use compared to the old ones...

CCP Sreegs

Posted - 2011.04.11 23:27:00 - [15]
 

Originally by: Lubomir Penev
The best part about that dev blog : it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.


The blog never said there wasn't an audit. The blog also said you couldn't insert script. That being said, it's clear that people were able to perform actions on the forums that were not meant to be done. I'm not the kind of person to pretend I know everything. Therefore, it is only prudent not to take the worldview that everyone who isn't me is a liar, but rather that other people may have knowledge that I do not. If you have said knowledge, share it.

Shar Tegral
Posted - 2011.04.11 23:28:00 - [16]
 

Originally by: CCP Sreegs
That's the only response I'm going to be able to give you on this subject.
It was suitable to the occasion. Good read and thank you for it.

<cracks whip>

Go to bed, get some sleep, get back at it in the morning.

William Loire
State War Academy
Posted - 2011.04.11 23:28:00 - [17]
 

I'm sure Catari's petition went something like this:

"CCP you're all a bunch of f**kheads. I'm in yer base killing your doods." Right?

Did he forget to add the prerequisite "speaking of which, Luv yoo, xx!"?

CCP Sreegs

Posted - 2011.04.11 23:28:00 - [18]
 

Originally by: Kerfira
As expected... CCP is pretending that the only problems with the new forums were small security matters, not that the forums themselves were a serious step down in functionality, readability AND a giant step up in bandwidth use compared to the old ones...



I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.

Eclorc
Posted - 2011.04.11 23:29:00 - [19]
 


" No matter what you post it comes out as garbage "
hehe, this happens with my posts all the time I think Very Happy

Seriously tho, having read that threadnought over the weekend, Sreegs needs to be thanked too for his time and patience. I woulda been effing and blinding by even halfway through that lot tbh.

Returning to this forum again did feel like a homecoming... Sure the search sucks and the 2 minute timer, but it works well enough for all that, and the navigation bar at the side was noticeably missing from the new one. I'd dearly love to know how much of the root causes of problems the new one had could be attributed to .NET/ASP, and MS's insistence on job security through obscurity, rambling disjointed libraries etc. and having to write special spaghetti code to even get anything to work without a 10 year MS certification training course. Not a fan of .NET (can u tell?).



Jovan Geldon
Gallente
Lead Farmers
Kill It With Fire
Posted - 2011.04.11 23:29:00 - [20]
 

Getting in on the ground floor in an epic nerd rage thread.

Kerfira
Kerfira Corp
Posted - 2011.04.11 23:32:00 - [21]
 

Sreegs....

Say that one was to discover how to do the same thing again, i.e. inject HTML code (or scripting for that matter) into someone else's post. Or some other way of exploiting the forum (or in-game features)...

Would it be OK to do this as an EXAMPLE (non-damaging) between two of one's own characters and then pass a reference to the post(s) in any petition/mail?

Of course after the example, one shouldn't do it again...

What I'm getting at is that it is sometimes difficult to explain something like this, but utterly simple if one can exemplify it...

CCP Sreegs

Posted - 2011.04.11 23:33:00 - [22]
 

Edited by: CCP Sreegs on 11/04/2011 23:34:01
Originally by: Kerfira
Sreegs....

Say that one was to discover how to do the same thing again, i.e. inject HTML code (or scripting for that matter) into someone else's post. Or some other way of exploiting the forum (or in-game features)...

Would it be OK to do this as an EXAMPLE (non-damaging) between two of one's own characters and then pass a reference to the post(s) in any petition/mail?

Of course after the example, one shouldn't do it again...

What I'm getting at is that it is sometimes difficult to explain something like this, but utterly simple if one can exemplify it...



That would be precisely the right way to do it and precisely how others have.

:edit: Though one should send the reproduction steps in the email as well. :)

Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.04.11 23:34:00 - [23]
 

Edited by: Akita T on 11/04/2011 23:35:57
Originally by: CCP Sreegs
I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.

So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not that bad as everybody with complaints about it was claiming ?
...yeah, not your department, you can't say, and if you wager a personal opinion one of your most dearest appendages will get pickled or something to that extent.
Right ? Twisted Evil

P.S. If your unofficial guess is "never", then please don't post a picture of a pink elephant in your reply.

CCP Sreegs

Posted - 2011.04.11 23:35:00 - [24]
 

Originally by: Akita T
Originally by: CCP Sreegs
I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.

So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not that bad as everybody with complaints about it was claiming ?
...yeah, not your department, you can't say, and if you wager a personal opinion one of your most dearest appendages will get pickled or something to that extent.
Right ? Twisted Evil


I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?

StevieTopSiders
M. PIRE
Posted - 2011.04.11 23:36:00 - [25]
 

Well, glad to know that you guys can react, if not prevent.

I'm more interested in something else, however. Where is the apology for lying to us?

Wait, lying, what do you speak of, Stevie?

I mean lying about the development of the forum. Supposedly, you all were building a brand new forum, completely in-house. What we see here is you all using Yet Another Forum with some sloppy patching to allow Character log-ins. Seriously? Modifying open source software with an Eve theme and slightly different log-in system is not in-house development. This is a case of blatant untruths being spoken to the community. We all deserve a formal apology. And soon.

Yuki Kulotsuki
Posted - 2011.04.11 23:37:00 - [26]
 

Originally by: CCP Sreegs
Originally by: Akita T
Originally by: CCP Sreegs
I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.

So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not that bad as everybody with complaints about it was claiming ?
...yeah, not your department, you can't say, and if you wager a personal opinion one of your most dearest appendages will get pickled or something to that extent.
Right ? Twisted Evil


I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?
Totally.

Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.04.11 23:38:00 - [27]
 

Edited by: Akita T on 11/04/2011 23:38:54
Originally by: CCP Sreegs
I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?

Hasn't that been the official public CCP policy for at least 2 years now ? Laughing
Nah, what would make me happy is if the entire new forum code and all backups of it got lost in an accidental office fire :wink:,:wink:.

CCP Sreegs

Posted - 2011.04.11 23:39:00 - [28]
 

Originally by: Yuki Kulotsuki
Originally by: CCP Sreegs
Originally by: Akita T
Originally by: CCP Sreegs
I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.

So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not that bad as everybody with complaints about it was claiming ?
...yeah, not your department, you can't say, and if you wager a personal opinion one of your most dearest appendages will get pickled or something to that extent.
Right ? Twisted Evil


I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?
Totally.


January 17th, 2015

CCP Sreegs

Posted - 2011.04.11 23:39:00 - [29]
 

Originally by: StevieTopSiders
Well, glad to know that you guys can react, if not prevent.

I'm more interested in something else, however. Where is the apology for lying to us?

Wait, lying, what do you speak of, Stevie?

I mean lying about the development of the forum. Supposedly, you all were building a brand new forum, completely in-house. What we see here is you all using Yet Another Forum with some sloppy patching to allow Character log-ins. Seriously? Modifying open source software with an Eve theme and slightly different log-in system is not in-house development. This is a case of blatant untruths being spoken to the community. We all deserve a formal apology. And soon.


I really can't comment on that as it's not my area. I'll make sure the post gets pointed out though.

Sevarus James
Minmatar
Meridian Dynamics
Posted - 2011.04.11 23:40:00 - [30]
 

Originally by: Akita T
Edited by: Akita T on 11/04/2011 23:38:54
Originally by: CCP Sreegs
I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?

Hasn't that been the official public CCP policy for at least 2 years now ? Laughing
Nah, what would make me happy is if the entire new forum code and all backups of it got lost in an accidental office fire :wink:,:wink:.


+1 to this...completely. Idea





 

