EVE Information Portal
New Dev Blog: New Forum Security Blog - Cookie Derp
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 3 4 5 6 7 [8] 9

Author Topic

Kern Hotha
Posted - 2011.04.12 20:11:00 - [211]
 

CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.

JitaBUGz TheGreat
Caldari
Science and Trade Institute
Posted - 2011.04.12 20:17:00 - [212]
 

Originally by: Natalia Kovac
Thanks Sreegs, that was a good blog. Yes the forum security was apparently terrible, but it's done now, and you have owned up and apologised.

What matters now is that we move forward, and you move forward, sort out the security issues, and this is important- listen to the community testing that was done and may be done in the future. Take as long as you need to test the system to destruction, and don't release the forums for general use as long as you are as absolutely certain as you can be that they are secure.

Cheers.


yup yup

And can't wait for the re-launch of the new forums!!

Jenna Alduin
Posted - 2011.04.12 20:21:00 - [213]
 

Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.

QFT.

o7

Nai Sethanas
Posted - 2011.04.12 21:00:00 - [214]
 

Quote:
Playing loose with security-related functionality puts both CCP and you at risk and that is completely unacceptable. This episode should never have occurred and despite being rather humiliating if we're to look on the bright side it did teach us some rather poignant lessons from which we'll be drawing in the coming days and weeks.


^ Respect for finally getting a "confession" of sorts, but this was a terrible screwup; many users will never know just how at risk they actually were in all this. I would be embarrassed enough to die had I pushed out something so incredibly flawed.

But hey, if CCP can learn from this and end up being better in the end then at least they'll have proved that they can improve which is already more than can be said for some other game developers.

Glad things didn't get too dangerous,

PS: Anyone who was on the forums that day might consider changing their passwords, not to be alarmist or anything but you can never be "too safe" am I right? It's good practice to change PWs every few months anyways (I know.. not a tempting thought) so why not profit from this situation to give yourselves a kick in the rear and change those over-used PWs to something really secure.

Kaahles
Deliverers of Pain
Posted - 2011.04.12 21:01:00 - [215]
 

Originally by: Jenna Alduin
Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.

QFT.

o7

This

I mean, seriously, you're all familiar with Murphy's law. It can strike anybody anywhere. It shouldn't, but it still does. Even with the most vigorous QA team something always slips through the cracks. Okay, to be honest this one was as huge as the Grand Canyon obviously, but the really important thing is that the canyon gets sealed off so that nobody falls down those particular cliffs again.

Can we now go back to pewpew related stuff in the game plz? I need targets

Lubomir Penev
Dark Nexxus
S I L E N T.
Posted - 2011.04.12 21:03:00 - [216]
 

Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor is there any evidence anyone has achieved that.



You're embarrassing yourself. Is it so hard, if you don't know what an iframe is (which in itself means you have no right to pipe up on web security), to look it up?

Lubomir Penev
Dark Nexxus
S I L E N T.
Posted - 2011.04.12 21:20:00 - [217]
 

Originally by: Ranger 1

I would say the time frame for a re-launch should be determined by when the bugs are fixed and tested properly, not based on an arbitrary length of "time to heal from this traumatic (dramatic?) experience".



The word you were looking for was "hilarious".

Che Biko
Humanitarian Communists
Posted - 2011.04.12 21:48:00 - [218]
 

First, Sreegs, if you thought that doing another scan and password change would be a good idea 'just in case' then I would have liked to know that earlier (say, in a MOTD).

I'll go a tad off-topic now. I sent some mails to security a while ago about some mails I suspected of being phishy. I got no response to that, not even a short "you are mistaken." or a "Yikes, lotsa ansjophish!" Is there a better way to find out if these mails were legit or not?

Herschel Yamamoto
Agent-Orange
Nabaal Syndicate
Posted - 2011.04.12 22:35:00 - [219]
 

Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.


You know he used to run Goonswarm, right? Having to deal with the Eve playerbase as a whole is his reward.

Servilia Junii
Posted - 2011.04.12 22:45:00 - [220]
 

I love this dev! First one in a good clip to give real feedback to the forum warriors of eve.

<3 CCP Sreegs

Hel O'Ween
Men On A Mission
EVE Trade Consortium
Posted - 2011.04.12 23:44:00 - [221]
 

Originally by: War Kitten

He's not a hero, he's just impatient.



When it comes to security, impatience is a virtue. The faster the issue is dealt with, the better.

Instead of CCP sensibly acting, taking down the forum and deeply investigating the issue (as they do now), they made a business decision (at least that's how it looks to me): "We need a forum, but we locked the old forums, we hurrayed the new ones, so bring the new one up as fast as possible."

And while CCP Sreegs does his best to damage control the whole issue, I personally don't accept the apology in his blog. You know, that's econ 101: "Words are cheap, apologize often and in public - and keep your earned profits."

I'd say put your money where your mouth is. And no, I'm not talking about free SP or game time for all. Donate a recognizable amount to a charitable cause to show you're really sorry about this terrible case.

CCP Sreegs

Posted - 2011.04.13 00:03:00 - [222]
 

Originally by: Che Biko
First, Sreegs, if you thought that doing another scan and password change would be a good idea 'just in case' then I would have liked to know that earlier (say, in a MOTD).

I'll go a tad off-topic now. I sent some mails to security a while ago about some mails I suspected of being phishy. I got no response to that, not even a short "you are mistaken." or a "Yikes, lotsa ansjophish!" Is there a better way to find out if these mails were legit or not?


Unfortunately I get so many phishing related emails that I simply shut the sites down and I can't reply to everyone. They probably were phishing emails and I probably had the site removed from the internet. Sorry I can't respond to them all.

Ebbytingizotay
Minmatar
Pator Tech School
Posted - 2011.04.13 01:14:00 - [223]
 

Originally by: Herschel Yamamoto
Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.


You know he used to run Goonswarm, right? Having to deal with the Eve playerbase as a whole is his reward.



Annndddd.... that little fact does not worry anyone?

Yuki Kulotsuki
Posted - 2011.04.13 01:47:00 - [224]
 

Originally by: Ebbytingizotay
Annndddd.... that little fact does not worry anyone?
Not any more than CCP Soundwave being a former goon director in charge of spying.

Ambein Flambein
352 Industries
Posted - 2011.04.13 02:10:00 - [225]
 

Originally by: Ebbytingizotay
Originally by: Herschel Yamamoto
Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.


You know he used to run Goonswarm, right? Having to deal with the Eve playerbase as a whole is his reward.



Annndddd.... that little fact does not worry anyone?


did you not get the memo that said goons have given up on ingame spying, and are just going to infiltrate ccp instead. the 3 goons on the csm are there to get progress reports which will be covered under the nda, so they can deny they took place and get away with it.
its all part of their plan to take over eve. they are just doing it directly now

i for one welcome our new goon dev overlords

sreegs, keep up the good work

CCP Sreegs

Posted - 2011.04.13 02:29:00 - [226]
 

Originally by: Lubomir Penev
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor is there any evidence anyone has achieved that.



You're embarrassing yourself. Is it so hard, if you don't know what an iframe is (which in itself means you have no right to pipe up on web security), to look it up?


As I said Iframes were filtered.

Ebbytingizotay
Minmatar
Pator Tech School
Posted - 2011.04.13 02:30:00 - [227]
 

Glad you cleared that up. I was aware of the GSM just voted in (Goon Stellar Management for the unaware) but thought the ex-goon in charge of security was over the top.

Ebbytingizotay!!!!

Thaylon Sen
Minmatar
Posted - 2011.04.13 04:01:00 - [228]
 

I have to say CCP Sreegs is doing an awesome job of dealing with the community and providing clear, objective, and to the point feedback. +1 Internets to u sir o7

Herschel Yamamoto
Agent-Orange
Nabaal Syndicate
Posted - 2011.04.13 04:40:00 - [229]
 

Originally by: Ebbytingizotay
Originally by: Herschel Yamamoto
Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.


You know he used to run Goonswarm, right? Having to deal with the Eve playerbase as a whole is his reward.


Annndddd.... that little fact does not worry anyone?


Why would it? He's got experience at organizing a group of highly-educated professionals who act pants-on-head all the time into a cohesive and effective group. Sounds like he's better-qualified to work at CCP than half of the management.

Ambein Flambein
352 Industries
Posted - 2011.04.13 05:19:00 - [230]
 

Originally by: Herschel Yamamoto
Originally by: Ebbytingizotay
Originally by: Herschel Yamamoto
Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.


You know he used to run Goonswarm, right? Having to deal with the Eve playerbase as a whole is his reward.


Annndddd.... that little fact does not worry anyone?


Why would it? He's got experience at organizing a group of highly-educated professionals who act pants-on-head all the time into a cohesive and effective group. Sounds like he's better-qualified to work at CCP than half of the management.


plus as a former goon he clearly has the thick skin required to interact with the eve player base. his posting is surprisingly non goon-like though

Makko Gray
Pheno-Tech Industries
Crimson Wings.
Posted - 2011.04.13 06:08:00 - [231]
 

Originally by: CCP Sreegs
Originally by: Makko Gray
I find it interesting that HTML could be injected into a signature but not script and really hope you do not look at the use of the script tag as the only indicator of script injection as it can also occur on HTML attributes and through various encoding techniques (some browser specific).

There are some good XSS cheat sheets you can check against for testing cross site scripting vectors such as this one: http://ha.ckers.org/xss.html

Also .NET & C# rocks as long as you know what you're doing (ASP.NET WebForms is a bit sucky though).


In essence there was only an allowed subset of HTML rather than a disallowed subset.

We're aware of this website and I've used it myself in the past. Thanks for the tip though!


Great stuff, good to know. Whitelisting rather than blacklisting is definitely the safest and most cautious way to go, but it can still be tricky doing checks on attributes like src if you're using image tags, for example.

Fortunately Microsoft do provide some great open source libraries to help those on a deadline such as the Web Protection Library which contains the AntiXSS: http://wpl.codeplex.com/

Hope things get better for you. As a developer working primarily in .NET myself, I would love a blog or post detailing some of the technical stuff and underlying architecture when things calm down.
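The point Makko Gray makes above (allow a subset of HTML, but still validate attributes such as src) is easy to get wrong, so here is an added example of an allowlist-based sanitizer. This is my own illustration, not CCP's forum code and not the Microsoft Web Protection Library; the tag and attribute policy is a hypothetical one for a signature field, and the sample inputs are constructed. It shows why the scheme of src/href must be checked explicitly: the tag being allowed says nothing about what its attributes carry.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical signature policy: tag -> attributes permitted on it.
# Anything not listed here (iframe, script, div, on* handlers, ...) is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "br": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}            # never get a closing tag
URL_ATTRS = {"src", "href"}          # values must pass the scheme check
ALLOWED_SCHEMES = {"http", "https"}
RAW_TEXT_TAGS = {"script", "style"}  # their body is not markup; drop it whole


def safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs.

    HTMLParser has already decoded entities in attribute values and urlparse
    lowercases the scheme, so 'JaVaScRiPt&#58;alert(1)' arrives here as
    'javascript:alert(1)' and is rejected. A protocol-relative '//host/x'
    has no scheme, so it is rejected as well; only http/https ever pass."""
    parsed = urlparse(value.strip())
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; records what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.dropped = []      # audit trail of removed tags/attributes
        self.open = []         # stack of emitted non-void tags
        self.skipping = None   # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
            self.dropped.append(f"tag:{tag}")
            return
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            self.dropped.append(f"tag:{tag}")
            return
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in allowed_attrs:
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append(f"url:{tag}@{name}={value}")
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open:
            # Close everything opened after it so nesting stays balanced.
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")

    def handle_decl(self, decl):
        self.dropped.append("decl")

    def result(self) -> str:
        while self.open:               # close tags the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str):
    """Return (clean_html, dropped_items) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed sample signature, not a real submission.
    sample = '<b>o7</b> <img src="javascript:alert(1)" onerror="x()"><iframe src="http://example.invalid/"></iframe>'
    clean, dropped = sanitize(sample)
    print(clean)
    print(dropped)
```

The dropped list is worth logging server-side: a spike in `url:` or `attr:` entries on a signature field is a cheap detection signal that someone is probing the filter, which is exactly the kind of evidence the thread above argues about.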

Smagd
Encina Technologies
Namtz' aar K'in
Posted - 2011.04.13 08:44:00 - [232]
 

Originally by: Jenna Alduin
Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.

QFT.

o7


No kidding. That's some quality community work right there.

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.13 10:07:00 - [233]
 

Originally by: Smagd
Originally by: Jenna Alduin
Originally by: Kern Hotha
CCP Sreegs should receive a medal for patiently dealing with a bleating mob of self-righteous pricks.

QFT.

o7


No kidding. That's some quality community work right there.


He even made me slightly less furious (I am now merely outraged).

No small feat.


Lederstrumpf
Posted - 2011.04.13 16:01:00 - [234]
 

Originally by: CCP Zymurgist
As many of you know we had to temporarily take down the new forums due to some security issues.



Oh! I was mistaken in thinking you took it down because it just sucked in regards to being usable!

So you didn't only deliver crap, but you in fact did deliver total crap including security holes?

Way to excellence, CCP!

Lederstrumpf
Posted - 2011.04.13 16:07:00 - [235]
 

Originally by: Kaahles
Even with the most vigorous QA team something always slips through the cracks.


That's a basic lesson yet to be learned by CCP. Only amateurs schedule major version/functionality shifts right before weekends...

Lederstrumpf
Posted - 2011.04.13 16:16:00 - [236]
 

Originally by: Akita T
WHY


There's only one possible answer: Because they can.

Quasi monopoly status in this game segment with people obviously not required to honor every single dollar anymore...

Crazy Dave
Caldari
SCAVENGERS
Posted - 2011.04.13 16:36:00 - [237]
 

The nerve of those evil doers. Hunt them down and keel haul them. Then drop kick them out the nearest airlock and tell them to hold their breath.

Experiment H197
Posted - 2011.04.13 17:51:00 - [238]
 

Just wanted to say thanks for posting the dev blog. I knew something was up when the old forum was back. It feels good to know that you all acknowledge having a more tech savvy user base and didn't just spoon feed us some vague crap. Kudos.

Siiee
Recycled Heroes
Posted - 2011.04.13 20:31:00 - [239]
 

Originally by: Lederstrumpf

That's a basic lesson yet to be learned by CCP. Only amateurs schedule major version/functionality shifts right before weekends...


That's another part of the funny bit: it was scheduled to be released Wednesday, but was delayed. There must have been a typo in one of the pages somewhere to warrant a 2 day delay, given how much this web team seems to get done.

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.13 20:53:00 - [240]
 

@CCP Sreegs: Thanks a lot for this blog and your replies. It is really refreshing to have someone at CCP actually talk to us instead of delivering some patronising blog trying to make light of a serious subject with poor humour. I think it is obvious that a fair amount of the rage over this issue is justified, but also enhanced because of the continuing frustrations players feel in trying to get a response from CCP over their concerns.

I was also concerned that the blog was attempting to brush off client side security as being outside CCP's remit, but I see from your clarification that you were discussing this from a security standpoint.

However, there is one point where we will have to agree to disagree it seems: the ability to inject scripts. From posts on SHC's successor site, FHC, and from what I saw of the forums before they were taken down, it was indeed possible to inject scripts using jquery. The ability of a script with html and css to forge a login might have been possible, but it seems it would have been possible to collect login keystrokes by rebinding event listeners via jquery. Such a script would have had a number of opportunities to pass that information across to another domain, even with modern browsers, and would not have had to rely on the by now fairly well known iframe.

The reason that I am again raising this issue is that anyone with access to someone's forum account would have had automatic access to that person's user account. While this would not have given access to their credit card, it would have been a field day for phishers and RMT'ers.

I urge you to make sure that this is very carefully audited in any future iteration of the new forums. Finally, although it is not your remit (area) to be responsible for the usability of the new forums, the fact that you are about the only person from CCP speaking to the players on a regular basis might make you a target for user anger if the new forums surface again with the same shoddy lack of attention to detail and lack of response to players' wishes and concerns. It might be in your own vested interests to raise an internal "sh*t storm" if that happens.

BTW, off topic, props to your anti-botting efforts. It looks there is definitely something happening there.




 

