open All Channels
seplocked EVE Information Portal
blankseplocked New Dev Blog: New Forum Security Blog - Cookie Derp
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 3 4 5 6 [7] 8 9

Author Topic

Jimmae
Posted - 2011.04.12 14:14:00 - [181]
 

Edited by: Jimmae on 12/04/2011 14:14:24
Originally by: Qordel

Having the server verify it isn't enough, either. That would still be a sloppy solution. The real solution that they should have deployed (and which is pretty much Cookies/sessions-101) would be that the cookie should have contained NOTHING except a single salted hash key, so that even someone looking at the cookie would have no idea what data it contains. Not even the username or UID that it is regarding.

Then it's dead simple to match that hash key against the database of non-expired sessions and get any data you could possibly require on the server side.

I could see someone like myself who doesn't do webdev for a living making a mistake like that. Ignorance and all, you know (though almost any reference to how to handle sessions on the internet should explain it to a newbie). Professional web developers, however, should never ever make that mistake. That shoudn't be an after-release "oops". That should be a fundamental flaw that doesn't make it past the rough white-board sketch.


Couldn't help but notice that the session cookie (on this forum, so probably not on the new on either) is not HTTP-ONLY. That is one very basic but also very effective measure against session highjacking.

Qordel
Caldari
School of Applied Knowledge
Posted - 2011.04.12 14:21:00 - [182]
 

Edited by: Qordel on 12/04/2011 14:30:14
Edited by: Qordel on 12/04/2011 14:22:17
Originally by: Mynas Atoch
Edited by: Mynas Atoch on 12/04/2011 09:08:00

I hadn't seen it all in one place before, but its really quite surprising that

a. CCP claim to have invested 72,000 man.hours...

b. to implement an off the shelf open source gplv2'd forum software YAF.net by adding an eve skin and their own account security, ...



The numbers seem inflated to me, also. 72,000 hours is 35 years of 40hr weeks. Before I started a career as a software engineer, I started a very popular and complex website that operated for over a dozen years and served over 100k worth of regular members with millions of dollars in transactions and almost a million transactions and another million forum messages.

To put it into perspective, it didn't take me 35 years worth of full time effort to produce something significantly more complex than modifying an open source forum application. It took me about six months, to go from having nearly zero knowledge and experience, to:

* Learn Perl.
* Learn Apache.
* Learn mod_perl for Apache.
* Learn SQL. Specifically, Postgres.
* Write the following software and functionality entirely from scratch:
+---- Registration, login, authentication session system.
+---- Account management system.
+---- Private messaging system.
+---- Forum system (including threaded discussions).
+---- Market and transaction system for users to post and conduct transactions between each other as well as manage all of their transactions.
+---- User feedback system (think eBay/Amazon auctions).
+---- A bug reporting, tracking, and management system.
+---- An image upload, editing, and archiving system.
+---- A user profile/blog system.
+---- An automated backup system.
* Design the entire web interface.
* Build a high-scale, high-availability 1U rackmount Debian-based server.
* Deploy everything to a colo 600 miles south, in California.

I had zero security incidents and no additional personnel to help build or test any of this. I know that CCP's userbase is probably double or triple that size, but they also have far more resources and actual professionals who do for a living what I had no prior experience with at the time.

So, while I sympathize with situations like this from the developer side and also understand the anger and frustration and paranoia from the user side . . . I have to say that I am, ultimately, just completely baffled with how so much made it through to the final released product. Things that should have been caught on the drawing board, before a single line of code was written or added/modified. Much less, 72,000 man hours later.

Of course, I have no idea about anything within CCP. I don't assume to know what or how anything is done within the company and I'm not a professional web developer, so I'm balking from an armchair, essentially. I appreciate the hard working men and women and know that whatever the ultimate blame for the failure here, nobody has anything but the best intentions for the success and enjoyment of the game. **** happens, you react, you figure out how to avoid it again. Not much more I can ask for than that, frankly. Looking forward to whatever they share with us after everything falls out and is sorted.

Natalia Kovac
Minmatar
Stimulus
Rote Kapelle
Posted - 2011.04.12 14:33:00 - [183]
 

Thanks Sreegs, that was a good blog. Yes the forum security was apparently terrible, but it's done now, and you have owned up and apologised.

What matters now is that we move forward, and you move forward, sort out the security issues, and this is important- listen to the community testing that was done and may be done in the future. Take as long as you need to test the system to destruction, and don't release the forums for general use as long as you are as absolutely certain as you can be that they are secure.

Cheers.

Qordel
Caldari
School of Applied Knowledge
Posted - 2011.04.12 14:38:00 - [184]
 

Originally by: Natalia Kovac
Thanks Sreegs, that was a good blog. Yes the forum security was apparently terrible, but it's done now, and you have owned up and apologised.

What matters now is that we move forward, and you move forward, sort out the security issues, and this is important- listen to the community testing that was done and may be done in the future. Take as long as you need to test the system to destruction, and don't release the forums for general use as long as you are as absolutely certain as you can be that they are secure.

Cheers.


If there's one thing the EVE community does well, it's let bygones be bygones and get over perceived failures and slights. I'm sure this won't be an event that gets dragged out every day for the next six years. :)

Natalia Kovac
Minmatar
Stimulus
Rote Kapelle
Posted - 2011.04.12 14:45:00 - [185]
 

Originally by: Qordel
Originally by: Natalia Kovac
Thanks Sreegs, that was a good blog. Yes the forum security was apparently terrible, but it's done now, and you have owned up and apologised.

What matters now is that we move forward, and you move forward, sort out the security issues, and this is important- listen to the community testing that was done and may be done in the future. Take as long as you need to test the system to destruction, and don't release the forums for general use as long as you are as absolutely certain as you can be that they are secure.

Cheers.


If there's one thing the EVE community does well, it's let bygones be bygones and get over perceived failures and slights. I'm sure this won't be an event that gets dragged out every day for the next six years. :)


****ing Band of Developers amirite? Wink

Gowan Hard
Posted - 2011.04.12 15:10:00 - [186]
 

Originally by: CCP Sreegs
Originally by: Marconus Orion
I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.

Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuallity you should be praising them for bringing the issue to your attention and not doing bad things.

The question on everyones mind is; When will you be unbanning them?


We do not discuss administrative actions with anyone whatsoever. I can tell you that I have detailed quite clearly in the blog how to "warn" us without risking your account. I also gave a bit of insight into why it is that way. That's the only response I'm going to be able to give you on this subject.


Ban CCP Sreegs. He doesn't help solve things he's just a troll and a bad representation of CCP as a whole.

CCP Sreegs

Posted - 2011.04.12 15:14:00 - [187]
 

Originally by: Gowan Hard
Originally by: CCP Sreegs
Originally by: Marconus Orion
I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.

Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuallity you should be praising them for bringing the issue to your attention and not doing bad things.

The question on everyones mind is; When will you be unbanning them?


We do not discuss administrative actions with anyone whatsoever. I can tell you that I have detailed quite clearly in the blog how to "warn" us without risking your account. I also gave a bit of insight into why it is that way. That's the only response I'm going to be able to give you on this subject.


Ban CCP Sreegs. He doesn't help solve things he's just a troll and a bad representation of CCP as a whole.


Now that's just hurtful. :(

Qordel
Caldari
School of Applied Knowledge
Posted - 2011.04.12 15:23:00 - [188]
 

Edited by: Qordel on 12/04/2011 15:23:15
Originally by: Gowan Hard

Ban CCP Sreegs. He doesn't help solve things he's just a troll and a bad representation of CCP as a whole.


That's a great attitude to keep CCP willing to discuss anything with the public. I know that kind of response would really entice me to spend my late nights on a message board corresponding with people about something I have only limited input and/or control over as, you know, not the absolute ruler of CCP and all.

Mag's
the united
Negative Ten.
Posted - 2011.04.12 15:29:00 - [189]
 

I know you point out that there are good and bad ways, to report an exploit. I also understand the stance, of not discussing administrative actions.

That being said, one person did petition the issue at hand with details. The forum was taken down, only for it to go back up again, in the same sorry state.
It was only a post from said banned person after this, that meant the forums were taken down again.
Although he did break rules, it was in your best interest that he did.

Does this make it right, well no.
But you all seemed so caught up with getting them back on asap, that you missed the point completely. He did want he deemed was the fastest most direct way, of pointing out that you had failed to heed the warnings.

How can we have any faith in the petition system, that this won't happen again? Many, many petitions get answered with a copy & paste reply, without the content seemingly even being read.


Mara Villoso
Posted - 2011.04.12 15:36:00 - [190]
 

When the forums come back up, will all our posts be deleted? I put quite a bit of work into the Shops and Services thread in the Sell Forums. It would be aggravating to have to reproduce it. I didn't get a chance to copy them before the forums were taken down. Thanks for any help/info you can provide.

CCP Sreegs

Posted - 2011.04.12 15:39:00 - [191]
 

Originally by: Mag's
I know you point out that there are good and bad ways, to report an exploit. I also understand the stance, of not discussing administrative actions.

That being said, one person did petition the issue at hand with details. The forum was taken down, only for it to go back up again, in the same sorry state.
It was only a post from said banned person after this, that meant the forums were taken down again.
Although he did break rules, it was in your best interest that he did.

Does this make it right, well no.
But you all seemed so caught up with getting them back on asap, that you missed the point completely. He did want he deemed was the fastest most direct way, of pointing out that you had failed to heed the warnings.

How can we have any faith in the petition system, that this won't happen again? Many, many petitions get answered with a copy & paste reply, without the content seemingly even being read.




The forums were actually brought back up in a different sorry state.

I can't discuss administrative actions means I can't discuss administrative actions, which means I can't discuss your speculation.

You can have faith in the fact that if you follow the procedures I outlined you'll never get into any trouble and I will see and action on your problem. I specifically gave the email because I'm still working on making sure things like this don't get lost in the petition system.

CCP Sreegs

Posted - 2011.04.12 15:40:00 - [192]
 

Originally by: Mara Villoso
When the forums come back up, will all our posts be deleted? I put quite a bit of work into the Shops and Services thread in the Sell Forums. It would be aggravating to have to reproduce it. I didn't get a chance to copy them before the forums were taken down. Thanks for any help/info you can provide.


I really can't be certain about that at this point in time. I'm not involved in that process but hopefully those who are, are reading this thread and will be prepared to answer it when we're ready to discuss a relaunch.

Mag's
the united
Negative Ten.
Posted - 2011.04.12 15:51:00 - [193]
 

Originally by: CCP Sreegs
The forums were actually brought back up in a different sorry state.

I can't discuss administrative actions means I can't discuss administrative actions, which means I can't discuss your speculation.

You can have faith in the fact that if you follow the procedures I outlined you'll never get into any trouble and I will see and action on your problem. I specifically gave the email because I'm still working on making sure things like this don't get lost in the petition system.

Thanks for the reply. I wasn't wanting you to talk about admin stuff, it was more of a back lot to my point.

While having your email is great and dandy, many players don't frequent the forums as much, if ever. Their first recourse, would be the petition system. While this issue may not have affected that type of player, it still looks bad in regards to future issues.
I do hope that your work will shake up and improve greatly, that system.

mazzilliu
Caldari
Sniggerdly
Pandemic Legion
Posted - 2011.04.12 15:51:00 - [194]
 

Originally by: CCP Sreegs
Originally by: Mag's
I know you point out that there are good and bad ways, to report an exploit. I also understand the stance, of not discussing administrative actions.

That being said, one person did petition the issue at hand with details. The forum was taken down, only for it to go back up again, in the same sorry state.
It was only a post from said banned person after this, that meant the forums were taken down again.
Although he did break rules, it was in your best interest that he did.

Does this make it right, well no.
But you all seemed so caught up with getting them back on asap, that you missed the point completely. He did want he deemed was the fastest most direct way, of pointing out that you had failed to heed the warnings.

How can we have any faith in the petition system, that this won't happen again? Many, many petitions get answered with a copy & paste reply, without the content seemingly even being read.




The forums were actually brought back up in a different sorry state.

I can't discuss administrative actions means I can't discuss administrative actions, which means I can't discuss your speculation.

You can have faith in the fact that if you follow the procedures I outlined you'll never get into any trouble and I will see and action on your problem. I specifically gave the email because I'm still working on making sure things like this don't get lost in the petition system.


confirming the security email is the way to go. issues ive reported in the past got addressed and the fact that i'm not banned does say something.

Ban Doga
Posted - 2011.04.12 16:25:00 - [195]
 

Edited by: Ban Doga on 12/04/2011 16:26:24
Originally by: CCP Sreegs
Originally by: Ban Doga
Edited by: Ban Doga on 12/04/2011 07:38:59
Not too disappointed I wasn't wrong.

I find it a bit odd that you cast away that "the method by which your information would have been at risk would have been in the form of malware, session theft or keylogging of your local machine" with "it's always a best practice to keep your computers safe".
If that's the stance on security could you please get someone to get rid of the "You are leaving CCP-land. Evil people might be trying to attack your computer." warning when following links in the forum. It's the same thing and you said "I'm stating outright that customer data was never at risk.".
So I guess we don't need that warning...


I'm also wondering about your two example mails to report vulnerabilities.
None of them state "I will continue" or "I will stop", yet you seem to imply the first one will continue but the second won't.
What's the magic word/phrase/indicator here?


Do you also agreed that one has to make actual use of a (potential) exploit at least once to confirm it is there?


I'm really not quite sure what you're trying to say here aside from what appears to be a questioning of my honesty without any meat. While I'll be the first to admit I don't know everything there is to know in this world, I've put my cards on the table. If you're going to insinuate that I am incorrect I'd ask that you at least spend the time to say how instead of "your a liar".

Responsible exploit testing insinuates that you verify its existence then report it rather than continuing to abuse it. That's the line. If that's not clear enough or if you're uncertain as to your ability to draw that line then I'd posit that perhaps you're not in a position where you should be doing such things.


I didn't call you a liar, neither indirectly nor directly. At least it was not intended and I'm sorry if you thought so (and I'd certainly like to know what made you think so).
I can assure you that I'd have no problem to call anyone a liar if I thought this was the case.
I was merely saying that your blog did not contain anything that wasn't already known before. I don't see how that insinuates that anything you wrote is incorrect.

Of course you are welcome to speculate about my intentions, abilities and actions, but that doesn't really have anything to do with the issue at hand.

I think this is quite a unique opportunity for CCP and especially you:
We have quite a case of "Derp" (if I may borrow your title) and people are looking at you, asking "How do we handle this in the future?".
Don't assume everyone's out to prove you wrong, but maybe try to see this as a chance to create a set of rules for approaching situations like these.

I'm sure it's not an easy process at all and I'm also sure some other work you should be doing right now is not getting done. But eventually this will/can lead to "CCP Sreegs said this is wrong - so it is!" and the more things you/we can get down to easy to understand/follow rules the easier it will become for everyone.
(No, I'm not saying please explain "That's the line." in simple terms for me again right now)

CCP Sreegs

Posted - 2011.04.12 16:29:00 - [196]
 

Originally by: Ban Doga

I didn't call you a liar, neither indirectly nor directly. At least it was not intended and I'm sorry if you thought so (and I'd certainly like to know what made you think so).
I can assure you that I'd have no problem to call anyone a liar if I thought this was the case.
I was merely saying that your blog did not contain anything that wasn't already known before. I don't see how that insinuates that anything you wrote is incorrect.

Of course you are welcome to speculate about my intentions, abilities and actions, but that doesn't really have anything to do with the issue at hand.

I think this is quite a unique opportunity for CCP and especially you:
We have quite a case of "Derp" (if I may borrow your title) and people are looking at you, asking "How do we handle this in the future?".
Don't assume everyone's out to prove you wrong, but maybe try to see this as a chance to create a set of rules for approaching situations like these.

I'm sure it's not an easy process at all and I'm also sure some other work you should be doing right now is not getting done. But eventually this will/can lead to "CCP Sreegs said this is wrong - so it is!" and the more things you/we can get down to easy to understand/follow rules the easier it will become for everyone.
(No, I'm not saying please explain "That's the line." in simple terms for me again right now)


In general I really couldn't understand your original post so I guessed at its meaning.

I'm well aware of the opportunity for improvement and have even alluded to it in my blog and in subsequent postings. It's a healthy part of any incident response to determine what caused the failure and identify steps to improve the process. Sorry for the misunderstanding.

Herschel Yamamoto
Agent-Orange
Nabaal Syndicate
Posted - 2011.04.12 16:34:00 - [197]
 

Originally by: Super Whopper
Sreegs, thank you very much for engaging the community like this. While I am usually (rightly) negative about CCP, I'd like to commend you for taking the time to respond to all these concerns. Also you are to be commended for trying to explain, albeit in basic details, how the flaw worked and the security of the new forums.

I would like to know whether the new forums allow the scaling of frames to fit all resolutions or whether they've been designed to fit 1280x1024 only.


I read forums on a 1280x1024 monitor, and I can say with confidence that they're actually designed for 1024x768.

Originally by: Qordel
Having the server verify it isn't enough, either. That would still be a sloppy solution. The real solution that they should have deployed (and which is pretty much Cookies/sessions-101) would be that the cookie should have contained NOTHING except a single salted hash key, so that even someone looking at the cookie would have no idea what data it contains. Not even the username or UID that it is regarding.

Then it's dead simple to match that hash key against the database of non-expired sessions and get any data you could possibly require on the server side.

I could see someone like myself who doesn't do webdev for a living making a mistake like that. Ignorance and all, you know (though almost any reference to how to handle sessions on the internet should explain it to a newbie). Professional web developers, however, should never ever make that mistake. That shoudn't be an after-release "oops". That should be a fundamental flaw that doesn't make it past the rough white-board sketch.


Webdev isn't my thing either, so I don't know what really good security looks like. But I'm pretty sure that if the lastSelectedCharacter thing was limited to picking between the characters on the account you're logged in as, it wouldn't be a serious vulnerability, even if it was suboptimal.

Originally by: mazzilliu
the fact that i'm not banned does say something.


That CCP is deaf, dumb, and blind? Wink

Infinion
Caldari
Awesome Corp
Posted - 2011.04.12 17:05:00 - [198]
 

Hey CCP Sreegs, is security@ccpgames.com specifically meant to report possible vulnerabilities or can it be used to offer suggestions to improve security?

I'm not sure which devs look at features and ideas so I wanted to know what the best medium would be to best communicate suggestions, be it the CSM, features and ideas, general discussion or security@ccpgames.com.

CCP Sreegs

Posted - 2011.04.12 17:12:00 - [199]
 

Originally by: Infinion
Hey CCP Sreegs, is security@ccpgames.com specifically meant to report possible vulnerabilities or can it be used to offer suggestions to improve security?

I'm not sure which devs look at features and ideas so I wanted to know what the best medium would be to best communicate suggestions, be it the CSM, features and ideas, general discussion or security@ccpgames.com.


The email goes to me, and at the moment security stuff is probably best channeled that way.

El'Niaga
Minmatar
Republic Military School
Posted - 2011.04.12 17:42:00 - [200]
 

I sincerely hope they've taken this whole thing back to the drawing board. I don't believe folks will trust them if they are put up in the next week or month. Delayed launch of the new forums for probably at least 6 months should be expected.

Hopefully they rigorously test the new forums before they are ever up again.

I'd like to say something about them in the time they were up. They were less functional than the existing forums. They needed a lot of work and honestly I'd drop the like feature that's just going to lead to more troll posting as it does in every forum that uses it just to run up perceived status.

I had posted some mostly in features and ideas, but honestly looking at them I could see spending a lot less time on them and posting than I have in the past. Perhaps a good use for the CSM might be to get their ideas on the forums before they are put up for general use again.

darius mclever
Posted - 2011.04.12 17:50:00 - [201]
 

Originally by: Bargealta McSpacebuxx
So are you going to post how the exploit worked after it's fixed for the curious, or no?

Originally by: DTson Gauur
You're using a GPL'd (GPLv2 license actually) software, so have you guys actually read the license and understand what it means?

Pretty sure GPLv2 still has that web service loophole that basically lets you ignore it for web-hosted apps.


thats why you use Affero GPL if you want to get all modifications ;)

Tipsy
Gallente
X-Factor Industries
Synthetic Existence
Posted - 2011.04.12 18:04:00 - [202]
 

What worries me is the potential that someone could insert and style an HTML form demanding a username and password and appear to run a phishing scam on a trusted website. Can we have a specific response on this point, at least as part of whatever report there is after the investigation?
Originally by: CCP Sreegs
Even were someone able to have injected script the method by which your information would have been at risk would have been in the form of malware, session theft or keylogging of your local machine rather than some window into our secure environment.

I think this was meant to be reassuring, but at the point where a trusted website is offering a keylogger for download we're about two badly-judged clicks away from handing over our usernames, passwords and credit card details. Once that's happened, someone emptying my in-game account of ISK is far from my biggest concern.

For what it's worth, braving the flames and appearing to be forthcoming on this like you are will help CCP to retain the confidence of the community. I hope CCP as a whole will (rather belatedly) adopt this approach - it would've saved them a lot of pain in the past.
Originally by: Qordel
If there's one thing the EVE community does well, it's let bygones be bygones and get over perceived failures and slights. I'm sure this won't be an event that gets dragged out every day for the next six years. :)
Laughing

Ranger 1
Amarr
Ranger Corp
Posted - 2011.04.12 18:09:00 - [203]
 

Originally by: El'Niaga
I sincerely hope they've taken this whole thing back to the drawing board. I don't believe folks will trust them if they are put up in the next week or month. Delayed launch of the new forums for probably at least 6 months should be expected.

Hopefully they rigorously test the new forums before they are ever up again.

I'd like to say something about them in the time they were up. They were less functional than the existing forums. They needed a lot of work and honestly I'd drop the like feature that's just going to lead to more troll posting as it does in every forum that uses it just to run up perceived status.

I had posted some mostly in features and ideas, but honestly looking at them I could see spending a lot less time on them and posting than I have in the past. Perhaps a good use for the CSM might be to get their ideas on the forums before they are put up for general use again.


I would say the time frame for a re-launch should be determined by when the bugs are fixed and tested properly, not based on an arbitrary length of "time to heal from this traumatic (dramatic?) experience". I say this in an attempt to be realistic, despite the fact that these horrific events have left me an emotionally scarred shell of my former self.

War Kitten
Panda McLegion
Posted - 2011.04.12 18:24:00 - [204]
 

Originally by: Mag's

That being said, one person did petition the issue at hand with details. The forum was taken down, only for it to go back up again, in the same sorry state.
It was only a post from said banned person after this, that meant the forums were taken down again.
Although he did break rules, it was in your best interest that he did.

Does this make it right, well no.



At least you understand that part - he did it wrong.

You don't point out that the Emperor's New Clothes are a fraud by shooting the emperor.

It may be the most direct method, but it wasn't the right one. He's not a hero, he's just impatient.

Spyke BlackIce
Minmatar
Posted - 2011.04.12 18:37:00 - [205]
 

Edited by: Spyke BlackIce on 12/04/2011 18:53:19
Well written blog CCP Sreegs, and the way you've been handling the responses here is admirable to put it mildly. Hopefully, your attention to this will set a precedence for the rest of CCP. Kudos to you.

What I find disturbing is that no one else involved in this fiasco (and I'm referring to the new forums as a whole here, not just the security issues) has so much as uttered a peep here or anywhere else. The person responsible for heading the webteam, the person responsible for overseeing the new forums' development and deployment, and especially, the person or persons in upper management who set and drove the timeline and deadline for the forums are all apparently content to sit back and let you take the flak that is rightfully theirs to take. The longer they hide behind you without comment, the worse it makes them look.

Since this thread is directly related to the security issues, I won't go into the overall mess that the forums were/are (a reskinned YAF forum with half of the features disabled and even using the basic editor instead of taking the time to install a more robust, freely available editor, not to mention the total disregard of the user feedback from the two public test runs). Instead, I'd like to know how a web team could make such a glaring mistake as to allow cookies with plain text IDs. As has been asked here in this thread, how in hell did that make it past the whiteboard, let alone past the actual coding, the third-party testing, and the internal audit (if it did in fact actually occur)?

I'm no code cruncher by any stretch of the imagination, but I have looked at my share of cookies and almost never is there any readable text in them let alone a user's ID. This just simply, flat out, should never have happened and is totally unacceptable no matter what the excuse. It just boggles the mind that it did happen. Is the web team made up of certifiable web developers or was the team for the forums patched together from members of other teams with specialties in other fields and a smattering of web development knowledge? If the former, they have lied about their credentials (or cheated to get them). If the latter, the person who was responsible for putting the team together in that manner needs to be replaced pronto.

There. I've let off my share of the steam and did my share of the whining. CCP Sreegs, keep up the good work. For what it's worth (which probably isn't much admittedly) your blog and your replies in this thread has moved you to the top layer of CCP employees whom I deem trustworthy and competent at this point in time, and that list unfortunately is getting pretty dammed short.


JitaPriceChecker2
Posted - 2011.04.12 18:40:00 - [206]
 

We didnt want new forums anyway !!!

Seriosuly they sucked.

Herschel Yamamoto
Agent-Orange
Nabaal Syndicate
Posted - 2011.04.12 19:00:00 - [207]
 

Originally by: JitaPriceChecker2
We didnt want new forums anyway !!!

Seriosuly they sucked.


But not as much as these ones. Srsly CCP, just buy a vBulletin license.

Duvida
Gallente
The Scope
Posted - 2011.04.12 19:06:00 - [208]
 

I'll also give props to CCP Sreegs for maintaining a dialogue with the forum users/playerbase. The trolling hasn't been too bad, but I'm sorry you had to deal with what there has been.

Something occurred to me as I was reading this, was that a LOT of player attention is now on this thread. Some rather constructive player/staff dialogue has happened here, which hopefully will be useful to CCP and if continued and results in substance, can rebuild trust in the playerbase. CCP Sreegs, by weathering some of this storm with us, you've actually laid some good ground here for other team members to come into the forum and get a more civilized dialogue as well. For example, CCP Hillmar might take more of a chance to post and then, followup on the responses, now that the 'forum trolling' has been presented as the unconstructive waste of time and potential game-worsener that it can be. It may be useful.

Anyway, fly safe!

Mag's
the united
Negative Ten.
Posted - 2011.04.12 19:08:00 - [209]
 

Originally by: War Kitten
Originally by: Mag's

That being said, one person did petition the issue at hand with details. The forum was taken down, only for it to go back up again, in the same sorry state.
It was only a post from said banned person after this, that meant the forums were taken down again.
Although he did break rules, it was in your best interest that he did.

Does this make it right, well no.



At least you understand that part - he did it wrong.

You don't point out that the Emperor's New Clothes are a fraud by shooting the emperor.

It may be the most direct method, but it wasn't the right one. He's not a hero, he's just impatient.

Indeed, I think he did step over the line in certain areas and could have maybe approached the whole thing a little more carefully. I've never once called him a hero, you missed my point with your bad analogy. But he was willing to burn his bridges and that was his choice, no matter how we feel about it.

People had been using as many forms of communication they had available, all to get the message across. Helicity Boson can attest to that.
But even in this situation, CCP didn't take on board all the issues at hand. seemingly desperate to rush out the forums again, after messing with them a little.

It will be interesting to see if this was indeed bug reported/petitioned in the first and second round of testing.

Cyaxares II
Posted - 2011.04.12 20:07:00 - [210]
 

Originally by: War Kitten
He's not a hero, he's just impatient.

just take care you don't confuse a hero with an hero...


Pages: 1 2 3 4 5 6 [7] 8 9

This thread is older than 90 days and has been locked due to inactivity.


 


The new forums are live

Please adjust your bookmarks to https://forums.eveonline.com

These forums are archived and read-only