blankseplocked New Dev Blog: New Forum Security Blog - Cookie Derp

Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.04.11 23:42:00 - [31]
 

Originally by: CCP Sreegs
January 17th, 2015

LIAR ! Nobody blogs on a Saturday ! Razz

Lubomir Penev
Dark Nexxus
S I L E N T.
Posted - 2011.04.11 23:52:00 - [32]
 

Originally by: CCP Sreegs
Originally by: Lubomir Penev
The best part about that dev blog: it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.


The blog never said there wasn't an audit. The blog also said you couldn't insert script.


I wasn't even critical, just commenting on the fact we got no choice but believe you as the particular forum version will never see the light of day again.

As for the audit, that's the worrying part: if there was one, how could it miss two very classical OWASP top 10 vulns (this is actually generous, they are OWASP top 3 vulns)... It's not like the forum had so many entry points for possible XSS injection that exhaustive testing was impossible or even hard. Nobody used ground-breaking stuff to break the new toy open; it was one guy with an hour to spare and an XSS cheat sheet (the injection part). So yes, as someone that was in the field pretty recently, I wonder how the forums passed a security audit if there was one. But yes, I know sometimes the obvious escapes the prying eyes of seasoned professionals; it happens to everyone, even happened to me. But the sheer amount of uncaught stuff looks odd to me.

Gavjack Bunk
Gallente
Genos Occidere
HYDRA RELOADED
Posted - 2011.04.11 23:56:00 - [33]
 

Sounds like somebody needs some "me time" in the Angry Dome.

CCP Sreegs

Posted - 2011.04.11 23:57:00 - [34]
 

Originally by: Lubomir Penev
Originally by: CCP Sreegs
Originally by: Lubomir Penev
The best part about that dev blog: it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.


The blog never said there wasn't an audit. The blog also said you couldn't insert script.


I wasn't even critical, just commenting on the fact we got no choice but believe you as the particular forum version will never see the light of day again.

As for the audit, that's the worrying part: if there was one, how could it miss two very classical OWASP top 10 vulns (this is actually generous, they are OWASP top 3 vulns)... It's not like the forum had so many entry points for possible XSS injection that exhaustive testing was impossible or even hard. Nobody used ground-breaking stuff to break the new toy open; it was one guy with an hour to spare and an XSS cheat sheet (the injection part). So yes, as someone that was in the field pretty recently, I wonder how the forums passed a security audit if there was one. But yes, I know sometimes the obvious escapes the prying eyes of seasoned professionals; it happens to everyone, even happened to me. But the sheer amount of uncaught stuff looks odd to me.



It looks odd to me too. This is why we have internal investigations. :) I had them do some pretty extensive testing to verify that we were properly filtering the script tags today, which was why the blog was delayed. Were we not filtering it I'd have said so.

Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.04.11 23:58:00 - [35]
 

Originally by: Gavjack Bunk
Sounds like somebody needs some "me time" in the Angry Dome.

Does the "Angry Dome" have life-like replicas of CCP management with loads of stickers saying "Excellence" on them, and a wide variety of hurty implements in it?

Dacil Arandur
Habitual Euthanasia
Pandemic Legion
Posted - 2011.04.11 23:59:00 - [36]
 

I think the only real purpose of the new forum is an elaborate attempt at getting rid of Akita T's predictions about the complete failure of the moon mineral rebalance...

In not copying over the old forum posts, of all people Akita T has the most to lose!

Madner Kami
Gallente
Durendal Ascending
Gentlemen's Interstellar Nightclub
Posted - 2011.04.12 00:03:00 - [37]
 

Edited by: Madner Kami on 12/04/2011 00:03:58
Originally by: Akita T
Originally by: Gavjack Bunk
Sounds like somebody needs some "me time" in the Angry Dome.

Does the "Angry Dome" have life-like replicas of CCP management with loads of stickers saying "Excellence" on them, and a wide variety of hurty implements in it?



Steve Thomas
Minmatar
Sebiestor Tribe
Posted - 2011.04.12 00:07:00 - [38]
 

Originally by: CCP Sreegs
Originally by: Lubomir Penev
Originally by: CCP Sreegs
Originally by: Lubomir Penev
The best part about that dev blog: it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.


The blog never said there wasn't an audit. The blog also said you couldn't insert script.


I wasn't even critical, just commenting on the fact we got no choice but believe you as the particular forum version will never see the light of day again.

As for the audit, that's the worrying part: if there was one, how could it miss two very classical OWASP top 10 vulns (this is actually generous, they are OWASP top 3 vulns)... It's not like the forum had so many entry points for possible XSS injection that exhaustive testing was impossible or even hard. Nobody used ground-breaking stuff to break the new toy open; it was one guy with an hour to spare and an XSS cheat sheet (the injection part). So yes, as someone that was in the field pretty recently, I wonder how the forums passed a security audit if there was one. But yes, I know sometimes the obvious escapes the prying eyes of seasoned professionals; it happens to everyone, even happened to me. But the sheer amount of uncaught stuff looks odd to me.



It looks odd to me too. This is why we have internal investigations. :) I had them do some pretty extensive testing to verify that we were properly filtering the script tags today, which was why the blog was delayed. Were we not filtering it I'd have said so.
OK, that was what I was missing when I did a bit of testing with a modified YAF forum, because I had to strip the Scriptblock to get HTML to work the way some people were saying was possible.

And even then it was older browsers (IE7, older versions of Chrome and Firefox) that did not even blink at what I was doing. (IE 9 and the newest Chrome both threw a royal hissy fit over a script trying to install a dancing chipmunk on my desktop; the others either just blocked it or gave me popup warnings or simply crashed out the browser and sent me back to my homepage.)

CCP Sreegs

Posted - 2011.04.12 00:17:00 - [39]
 

Originally by: Steve Thomas


It looks odd to me too. This is why we have internal investigations. :) I had them do some pretty extensive testing to verify that we were properly filtering the script tags today, which was why the blog was delayed. Were we not filtering it I'd have said so.
OK, that was what I was missing when I did a bit of testing with a modified YAF forum, because I had to strip the Scriptblock to get HTML to work the way some people were saying was possible.

And even then it was older browsers (IE7, older versions of Chrome and Firefox) that did not even blink at what I was doing. (IE 9 and the newest Chrome both threw a royal hissy fit over a script trying to install a dancing chipmunk on my desktop; the others either just blocked it or gave me popup warnings or simply crashed out the browser and sent me back to my homepage.)


I'm pretty sure you have to enable it in a config somewhere.

Mibad
Caldari
Posted - 2011.04.12 00:19:00 - [40]
 

Woot CCP Sreegs thunderdome!

Really though, tough work you guys do. The community may appear bloodthirsty at times, but we all love EVE and the guys that make the game work.

Do you guys have any plans to "campaign" your security reward program? In game ads etc? I would guess more public awareness the better.

J Kunjeh
Gallente
Posted - 2011.04.12 00:34:00 - [41]
 

A very solid Dev blog. Appreciate the details and the followup. Can't wait to read more. I for one appreciate all efforts being made on this front.

Unfortunately, as usual, Akita jumped in and vomited all over this thread... it's getting really old. Rather like a broken record. Rolling Eyes

Myra2007
Millstone Industries
Posted - 2011.04.12 00:35:00 - [42]
 

Nice blog, thanks for all your hard work in the past few days.

However, I'm with the guys who think a blog from management or something would be really nice. Obviously some things need to stay internal and I'm sure everyone understands. On the other hand I hope that CCP understands that this incident not only raises questions about the security issues (which you have covered quite nicely) but also erodes trust and confidence in their ability to do it 'right'.

If you cannot (understandably...) give more specific information about the lessons CCP learned then how are we to trust that future features will not exhibit such vulnerabilities? Or at least that *something* is done to prevent it. I understand you said you were going to follow up internally and I do believe you. But as you said yourself: you're the security guy. You cannot actually "make it happen" despite your good intentions. So to hear from someone who can would be great.

Pedro Carnicero
Amarr
Hartes Beton
Posted - 2011.04.12 00:38:00 - [43]
 

Hey Sreegs, just to clarify: I know the big security holes in the forums had nothing to do with the place where our credit card information is stored.
But for many people, that wasn't the point. The point is that some of us are a little bit concerned about the security of our data, after we've seen the, well, the garbage your web developers recently threw at us.
I really don't know anymore if I can trust you with such delicate information.
Greetings

CCP Sreegs

Posted - 2011.04.12 00:43:00 - [44]
 

Originally by: Myra2007
Nice blog, thanks for all your hard work in the past few days.

However, I'm with the guys who think a blog from management or something would be really nice. Obviously some things need to stay internal and I'm sure everyone understands. On the other hand I hope that CCP understands that this incident not only raises questions about the security issues (which you have covered quite nicely) but also erodes trust and confidence in their ability to do it 'right'.

If you cannot (understandably...) give more specific information about the lessons CCP learned then how are we to trust that future features will not exhibit such vulnerabilities? Or at least that *something* is done to prevent it. I understand you said you were going to follow up internally and I do believe you. But as you said yourself: you're the security guy. You cannot actually "make it happen" despite your good intentions. So to hear from someone who can would be great.


In incident response the internal process examination to determine why something occurred or what went wrong is typically the next-to-last step. I can't make any promises regarding whether anyone else will say anything because I honestly don't know, but I can say that regardless one could expect it to take more than the one business day we've had so far to sort it out.

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 00:43:00 - [45]
 

Awesome, Sreegs. Now crack some whips and set the guilty ones on fire.

Also, an assurance that CCP at the very least noticed that their QA management needs some serious reworking would be nice, although that's not your department (do tell them that though).

Originally by: J Kunjeh
Unfortunately, as usual, Akita jumped in and vomited all over this thread... it's getting really old. Rather like a broken record. Rolling Eyes


While I don't agree with Akita in many things and I sometimes think he's too vocal, he does have a point, even if he usually posts it in a very... "exuberant" and extremist way.

Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.04.12 00:47:00 - [46]
 

Originally by: J Kunjeh
Unfortunately, as usual, Akita jumped in and vomited all over this thread... it's getting really old. Rather like a broken record. Rolling Eyes

Pot, kettle, black.

J Kunjeh
Gallente
Posted - 2011.04.12 00:52:00 - [47]
 

Originally by: Grimpak

Originally by: J Kunjeh
Unfortunately, as usual, Akita jumped in and vomited all over this thread... it's getting really old. Rather like a broken record. Rolling Eyes


While I don't agree with Akita in many things and I sometimes think he's too vocal, he does have a point, even if he usually posts it in a very... "exuberant" and extremist way.


Oh, posting in a passionate way is fine by me; it's the fact that Akita has been beating a dead horse in every thread possible since the new forums were released. I mean, we've heard your opinion on the matter, move on.

Myra2007
Millstone Industries
Posted - 2011.04.12 00:56:00 - [48]
 

Originally by: CCP Sreegs

In incident response the internal process examination to determine why something occurred or what went wrong is typically the next-to-last step. I can't make any promises regarding whether anyone else will say anything because I honestly don't know, but I can say that regardless one could expect it to take more than the one business day we've had so far to sort it out.


Obviously.

CCP Sreegs

Posted - 2011.04.12 00:57:00 - [49]
 

Originally by: Pedro Carnicero
Hey Sreegs, just to clarify: I know the big security holes in the forums had nothing to do with the place where our credit card information is stored.
But for many people, that wasn't the point. The point is that some of us are a little bit concerned about the security of our data, after we've seen the, well, the garbage your web developers recently threw at us.
I really don't know anymore if I can trust you with such delicate information.
Greetings


I can understand this sentiment from an outsider's perspective. Since the post-mortem is nowhere near complete what I can assume is that we did not apply the same rigor to a new forum system as we have with our longstanding back-end billing systems. I guess some could find it understandable given the obvious differences depending on one's perspective.

Diomedes Calypso
Aetolian Armada
Posted - 2011.04.12 00:57:00 - [50]
 

Leaving calling cards to prove a vulnerability strikes me as a very appropriate action:

It immediately calls a problem to an escalation phase rather than filtering through a slower tiered response process... it would certainly skip to the top of the concern queue within minutes, not hours, and probably give someone the "cover their butt" coverage to actually call a top supervisor and wake him up during the middle of the night.

An employee can't make that sort of call all the time based on a personal assessment of the possible risks or he would irritate the hell out of his supervisor and call into question his professional ability to work independently (and on a very serious personal level, the employee's scale of his livelihood).

Certainly, someone messing visibly with the forums skipped from the "let's think about it" stage.

The public nature of messing with the forums is also a very important tool because it sends a message to the community that there is a current problem, and the message and emotional "getting" of the message by people who might otherwise let the thing glaze over as "some technical thingy that happened a couple weeks ago... yawn").

It hits community members over the head and perhaps supports a larger point that the outraged person discovering the threat feels like they need to make: more is needed than a fix of the individual fix... other players should be vigilant in the same way looking for future problems and all players should in a united way demand more polish on released material (I'm assuming that was the person's point).

Now, I do agree 100% with you on one thing. Delaying calling attention to a fault and spending a day or two perusing internal forums is a criminal sort of act that has little basis in terms of ideals of consumer protection. Someone stealing other players' game assets (without contracting them back or something) or infecting their computers would also be an unacceptable form of protest.

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 00:58:00 - [51]
 

Edited by: Grimpak on 12/04/2011 01:00:24
Originally by: J Kunjeh
Originally by: Grimpak

Originally by: J Kunjeh
Unfortunately, as usual, Akita jumped in and vomited all over this thread... it's getting really old. Rather like a broken record. Rolling Eyes


While I don't agree with Akita in many things and I sometimes think he's too vocal, he does have a point, even if he usually posts it in a very... "exuberant" and extremist way.


Oh, posting in a passionate way is fine by me; it's the fact that Akita has been beating a dead horse in every thread possible since the new forums were released. I mean, we've heard your opinion on the matter, move on.


It's CCP we're talking about here. Beating the dead horse at the very least raises visibility on the issue.

Annoying, yes. I myself have moderated myself typing about this issue more and more, but that's because I have posted enough from my part.
Akita is better versed in forum warrioring than me, so he's doing a better job in making issues visible, short of invading CCP HQ and slapping post-its on every CCP dev, GM and admin board member's forehead.

CCP Sreegs

Posted - 2011.04.12 01:03:00 - [52]
 

Originally by: Diomedes Calypso


An employee can't make that sort of call all the time based on a personal assessment of the possible risks or he would irritate the hell out of his supervisor and call into question his professional ability to work independently (and on a very serious personal level, the employee's scale of his livelihood).




I'm not ignoring the rest of this post, but if there's a very real threat we can very much make this call. I can understand how it could be a problem if you're a guy who's constantly crying wolf, but if you have good people in the right places it tends not to be a problem. One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.

Daneo Mistry
Posted - 2011.04.12 01:12:00 - [53]
 

Have to say, Sreegs, I'm impressed with the way you've been replying to particular issues on this thread. It's nice to see particular statements answered, rather than a broad statement, with some update.

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.12 01:14:00 - [54]
 

I am somewhat content with your blog, Sreegs. I still think you're being a bit too kind as to how much of a risk this sort of gaffe presents, but we will just need to agree to disagree on that.

I know you've taken a lot of flak despite not being responsible for this debacle (including from me) and I would urge players to not direct their (justified) anger at this "72,000 hour" project at CCP Sreeg; it's not his job to read every line of code or even to audit it; he is response.

The responsibility for the integrity of the security here lies with the webcell, and I hope that we can have some sort of statement from management detailing what is being done. 72,000 man-hours represents well over a million euros; I think for that money we all expected a little more than a reskinned YAF with busted security.

Thank you for your blog, Sreegs, I hope you don't catch too much more flak.
I do hope you will at least consider that Catari didn't do anything intentionally malicious, even if his... uhm, "means" of contacting you was not quite up to standards.

I had a very long, and very productive, discussion with CCP Manifest earlier today about the mood of the community as a whole. Yeah, they're pretty p-ed off about this, but most of the rage (including mine) is not so much because of this one thing (even if it was pret-ty bad).

It's just the straw, as they say.

Hopefully this will have shocked some higher-ups awake, which will lead to more healthy procedures so that graphic design guys with some coding skill get the backup they need from proper coders with no Photoshop mojo to prevent further calamities.

We all love EVE, even if we sometimes don't love CCP very much anymore, but as long as there are people that care on either side of the fence (like CCP Manifest) all is not lost.

Andrea Griffin
Posted - 2011.04.12 01:18:00 - [55]
 

In this thread: Sreegs shows his gigantic cajones. He could have just dropped the blog and left it at that, but he's willingly walking into the lion's den here. Try not to kill the messenger.

I do appreciate the level of transparency here as always. So many other companies would cut off all communication over the issue and ban anyone who brought it up. The whole thing shouldn't have happened of course, but it did, and I think it was handled pretty well overall.

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 01:22:00 - [56]
 

Originally by: Helicity Boson
I am somewhat content with your blog, Sreegs. I still think you're being a bit too kind as to how much of a risk this sort of gaffe presents, but we will just need to agree to disagree on that.

I know you've taken a lot of flak despite not being responsible for this debacle (including from me) and I would urge players to not direct their (justified) anger at this "72,000 hour" project at CCP Sreeg; it's not his job to read every line of code or even to audit it; he is response.

The responsibility for the integrity of the security here lies with the webcell, and I hope that we can have some sort of statement from management detailing what is being done. 72,000 man-hours represents well over a million euros; I think for that money we all expected a little more than a reskinned YAF with busted security.

Thank you for your blog, Sreegs, I hope you don't catch too much more flak.
I do hope you will at least consider that Catari didn't do anything intentionally malicious, even if his... uhm, "means" of contacting you was not quite up to standards.

I had a very long, and very productive, discussion with CCP Manifest earlier today about the mood of the community as a whole. Yeah, they're pretty p-ed off about this, but most of the rage (including mine) is not so much because of this one thing (even if it was pret-ty bad).

It's just the straw, as they say.

Hopefully this will have shocked some higher-ups awake, which will lead to more healthy procedures so that graphic design guys with some coding skill get the backup they need from proper coders with no Photoshop mojo to prevent further calamities.

We all love EVE, even if we sometimes don't love CCP very much anymore, but as long as there are people that care on either side of the fence (like CCP Manifest) all is not lost.

I pretty damn well hope so.

El'Niaga
Minmatar
Republic Military School
Posted - 2011.04.12 01:28:00 - [57]
 

While I appreciate the dev blog and the follow-up thus far, I have to approach it with skepticism. CCP has many times claimed they would follow up and then dropped the ball; in fact that's their MO in every previous incident.

Truth is, this should never have happened. There had to be failures on multiple levels really. The project manager obviously failed to lead, anyone serving on the forum team failed to live up to their duties, and quality control for the project was nonexistent to miss such exploits.

We've had promises before that CCP would improve internal practices, most famously after the T20 incident and then after the boot.ini incident. That's what is concerning about this issue: there seems to be a culture where no one is held accountable and thus no one in CCP feels accountable for anything, therefore it keeps happening time and again. Something is rotten in the core.

However, if you fail to fix it as a corporation you jeopardize everything: EVE, DUST, WoD, everything. How you handle this incident could well determine the fate of the future for CCP and all its projects.

CCP Sreegs

Posted - 2011.04.12 01:28:00 - [58]
 

Originally by: Helicity Boson
I am somewhat content with your blog, Sreegs. I still think you're being a bit too kind as to how much of a risk this sort of gaffe presents, but we will just need to agree to disagree on that.

I know you've taken a lot of flak despite not being responsible for this debacle (including from me) and I would urge players to not direct their (justified) anger at this "72,000 hour" project at CCP Sreeg; it's not his job to read every line of code or even to audit it; he is response.

The responsibility for the integrity of the security here lies with the webcell, and I hope that we can have some sort of statement from management detailing what is being done. 72,000 man-hours represents well over a million euros; I think for that money we all expected a little more than a reskinned YAF with busted security.

Thank you for your blog, Sreegs, I hope you don't catch too much more flak.
I do hope you will at least consider that Catari didn't do anything intentionally malicious, even if his... uhm, "means" of contacting you was not quite up to standards.

I had a very long, and very productive, discussion with CCP Manifest earlier today about the mood of the community as a whole. Yeah, they're pretty p-ed off about this, but most of the rage (including mine) is not so much because of this one thing (even if it was pret-ty bad).

It's just the straw, as they say.

Hopefully this will have shocked some higher-ups awake, which will lead to more healthy procedures so that graphic design guys with some coding skill get the backup they need from proper coders with no Photoshop mojo to prevent further calamities.

We all love EVE, even if we sometimes don't love CCP very much anymore, but as long as there are people that care on either side of the fence (like CCP Manifest) all is not lost.



While it might be hard to see it sometimes depending on the level of vitriol I think that we as a company, and I personally, appreciate that the community and individuals within the community are very passionate about EVE because they love the game and I think it's an asset to us as a company to be honest. Regarding the risk, I'm not sure we disagree per se but we've gone through every scenario we've had brought before us and the results are what they are. You yourself raised an issue and I promised to look into it, and I did.

I understand why I'm getting a bit beat up but in reality in this respect it's my job to tell you guys what's going on and if that means I take a couple of bruises because people are angry, well that just kinda goes with the territory. At the end of the day I just want to make sure that at least from a security perspective you guys have the open channel in and the feedback loop out that you not only deserve, but that I feel is integral to having a good process.

At any rate thanks a lot duder.

CCP Sreegs

Posted - 2011.04.12 01:35:00 - [59]
 

Originally by: El'Niaga

We've had promises before that CCP would improve internal practices, most famously after the T20 incident and then after the boot.ini incident. That's what is concerning about this issue: there seems to be a culture where no one is held accountable and thus no one in CCP feels accountable for anything, therefore it keeps happening time and again. Something is rotten in the core.



I'm sorry that I'm selectively quoting and I REALLY don't want to appear to be defensive BUT... to my knowledge we haven't had another T20 or another boot.ini incident. I'm NOT saying you're wrong or right. But, in the interests of providing a differing perspective, companies, especially ones the size of CCP, are going to make mistakes. While this was a really bad mistake and you have every single right to be mad about it, I'm not sure one should make a comparison to incidents involving completely unrelated areas of the company that occurred over... 5-7 years ago and haven't been repeated since.

I'm just not sure I personally get the comparison is all.

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 01:38:00 - [60]
 

Originally by: CCP Sreegs
I'm just not sure I personally get the comparison is all.


I think he meant that the cookie-derp incident has a comparable scope to those two.
