Official Feedback thread, Live Dev Blog: Customer Support and Security
 
This thread is older than 90 days and has been locked due to inactivity.


 

CCP Shadow


C C P
C C P Alliance
Posted - 2011.05.27 07:36:00 - [1]
 

Hello capsuleers,

We hope you enjoyed the May 26th Live Dev Blog on Customer Support and Security, with some insights from CCP Sreegs, GM Nova, and GM Nythanos.

We're interested in whatever constructive feedback you have that will help us improve future Live Dev Blogs. Please let us know what you think in this thread. We'll be keeping an eye on this Feedback thread and taking your views into account as we move forward with our Live Dev Blogs.

-- Shadow

DeBingJos
Minmatar
Goat Holdings
Posted - 2011.05.27 07:39:00 - [2]
 

Blog was good, better than the previous one. Sound quality was better and the answers were better.

Not so much 'I'm not allowed to talk about that'.

Orbington
Posted - 2011.05.27 07:51:00 - [3]
 

Any way to listen to it if i missed it?

Ophelia Ursus
Posted - 2011.05.27 07:58:00 - [4]
 

Originally by: Orbington
Any way to listen to it if i missed it?

CCP Guard


C C P
C C P Alliance
Posted - 2011.05.27 08:11:00 - [5]
 

We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.

We will have it ready for you as soon as possible and we'll announce it so you can't miss it.

Strazdas Unstoppable
Posted - 2011.05.27 08:26:00 - [6]
 

It was quite interesting, even though one always wishes he got more details out of such things. It was pretty short though, 46 minutes. Too bad I didn't get to ask anything as the EVE forums went down right at the time it started; at least the audio stayed on, so it was all good.

Sedontane
Posted - 2011.05.27 08:41:00 - [7]
 

Originally by: CCP Guard
We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.

We will have it ready for you as soon as possible and we'll announce it so you can't miss it.


Can I play it loud from my office stereo or is that stipulation limited to cars?

CCP Guard


C C P
C C P Alliance
Posted - 2011.05.27 09:11:00 - [8]
 

Originally by: Sedontane
Originally by: CCP Guard
We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.

We will have it ready for you as soon as possible and we'll announce it so you can't miss it.


Can I play it loud from my office stereo or is that stipulation limited to cars?


Play it as loudly as you can in your office stereo so your friends will have no choice but to start playing, yet without risking your income stream which you presumably use to pay for your EVE Online subscription. That would be my professional opinion on that subject.

CCP Guard


C C P
C C P Alliance
Posted - 2011.05.27 09:16:00 - [9]
 

Originally by: Strazdas Unstoppable
It was quite interesting, even though one always wishes he got more details out of such things. It was pretty short though, 46 minutes. Too bad I didn't get to ask anything as the EVE forums went down right at the time it started; at least the audio stayed on, so it was all good.


It was the first one I organized and I had so much fun during the show and after. The bonus was hanging around talking and goofing with players in the Live Dev Blog channel afterwards. Stick around next time, we'll do another one before too long.

Iurnan Mileghere
Singularity Foundation
Posted - 2011.05.27 15:14:00 - [10]
 

For those who might have missed it and don't want to wait for the podcast, I put my notes up on my blog.

Andrea Griffin
Posted - 2011.05.27 18:02:00 - [11]
 

Originally by: Iurnan Mileghere
For those who might have missed it and don't want to wait for the podcast, I put my notes up on my blog.
Excellent notes, thank you for putting these up. However:
Originally by: Dev Blog Notes
GM Grave says he is the best GM.
You can only be the best GM if you like ponies. Does he like ponies? I demand proof in the form of pictures. I fully expect his desk area to be full of ponies.

Mynas Atoch
Eternity INC.
Goonswarm Federation
Posted - 2011.05.27 19:05:00 - [12]
 

Originally by: CCP Guard
We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.

We will have it ready for you as soon as possible and we'll announce it so you can't miss it.
The average leader speech for a large power block in EVE is posted in multiple locations within thirty minutes. Are you in need of technical assistance from the community?

delonewolf
Posted - 2011.05.27 20:41:00 - [13]
 

If you don't want to wait for the podcast you can listen to the live dev blog on youtube here:

youtube

Now you can't edit out the confirmation that finding hacked accounts involves a tub of water, a compass and a monkey.

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.05.28 13:20:00 - [14]
 

RSA key SEED database compromised.

http://www.teamshatter.com/topics/database-security/rsa-warns-customers-after-company-is-hacked/

Now Lockheed Martin hacked with DUPLICATED RSA SecurID keys

http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/

The EVE Online RSA dongles are using RSA seeds allocated to the manufacturer of the keys.

Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?

I assume they are to be on the safe side.

After all, hacking Lockheed Martin with duplicated keys (with known SEEDs) was easy; CCP should be easier.

Since CCP stated in their last Live Dev Blog chat they wanted this to be an item they wanted "to make a profit on", in their own words,

I see this as nothing more than security profit theater if the seeds are compromised.

Ariz Black
Posted - 2011.05.28 16:39:00 - [15]
 

Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:

Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient.
Please can we have an answer here?

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.05.28 16:58:00 - [16]
 

Originally by: Ariz Black
Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:

Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient.
Please can we have an answer here?


May as well not bother with the dongle; most likely those seeds were part of the RSA raid.

CCP Sreegs

Posted - 2011.05.28 17:40:00 - [17]
 

Originally by: Miilla
Originally by: Ariz Black
Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:

Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient.
Please can we have an answer here?


May as well not bother with the dongle; most likely those seeds were part of the RSA raid.



This wouldn't be true even if RSA was our vendor, which they're not.

CCP Sreegs

Posted - 2011.05.28 17:43:00 - [18]
 

Originally by: Ariz Black
Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:

Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient.
Please can we have an answer here?


I didn't ignore this on purpose; I actually never saw this question. We'll be looking into it, but it may not be a part of the initial deployment. As soon as I have something solid I'll let you know.

CCP Sreegs

Posted - 2011.05.28 17:45:00 - [19]
 

Originally by: Miilla
RSA key SEED database compromised.

http://www.teamshatter.com/topics/database-security/rsa-warns-customers-after-company-is-hacked/

Now Lockheed Martin hacked with DUPLICATED RSA SecurID keys

http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/

The EVE Online RSA dongles are using RSA seeds allocated to the manufacturer of the keys.

Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?

I assume they are to be on the safe side.

After all, hacking Lockheed Martin with duplicated keys (with known SEEDs) was easy; CCP should be easier.

Since CCP stated in their last Live Dev Blog chat they wanted this to be an item they wanted "to make a profit on", in their own words,

I see this as nothing more than security profit theater if the seeds are compromised.

We said we probably wouldn't make a profit on it. I'd really appreciate it if we wouldn't fearmonger or misrepresent what was actually quite clearly stated. Thanks!

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.05.28 18:30:00 - [20]
 

Edited by: Miilla on 28/05/2011 18:34:04

Originally by: CCP Sreegs
Originally by: Miilla
RSA key SEED database compromised.

http://www.teamshatter.com/topics/database-security/rsa-warns-customers-after-company-is-hacked/

Now Lockheed Martin hacked with DUPLICATED RSA SecurID keys

http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/

The EVE Online RSA dongles are using RSA seeds allocated to the manufacturer of the keys.

Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?

I assume they are to be on the safe side.

After all, hacking Lockheed Martin with duplicated keys (with known SEEDs) was easy; CCP should be easier.

Since CCP stated in their last Live Dev Blog chat they wanted this to be an item they wanted "to make a profit on", in their own words,

I see this as nothing more than security profit theater if the seeds are compromised.

We said we probably wouldn't make a profit on it. I'd really appreciate it if we wouldn't fearmonger or misrepresent what was actually quite clearly stated. Thanks!


I'm just saying what I heard on the audio, which was choppy; not my fault the audio feed bounced about, with a difficult accent to hear on low-quality audio bandwidth. It was not CLEARLY stated on the receiving end, maybe on your uber bandwidth server but not on EDGE/GPRS bandwidth.

I'm not fearmongering, just saying what I heard. If that is the case, fine. There is still the issue about the seeds that is a concern.


Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.05.28 18:33:00 - [21]
 

Edited by: Miilla on 28/05/2011 18:58:28


Originally by: CCP Sreegs
Originally by: Miilla
Originally by: Ariz Black
Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:

Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient.
Please can we have an answer here?


May as well not bother with the dongle; most likely those seeds were part of the RSA raid.



This wouldn't be true even if RSA was our vendor, which they're not.


No, RSA's vendor is to the manufacturers that license the technology.

RSA licenses the technology and holds manufacturer seeds in their databases.

I never once said RSA was your vendor.

I will quote what I said here: "Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?"

Did I say RSA was your vendor? We all know it's not, but it uses RSA-licensed technology and THEIR database was raided.

Why wouldn't it be true if they grabbed the manufacturer seeds and data that RSA sells to the manufacturers of your keys?

Can you explain WHY it wouldn't be true? You know more about this technology than me.

Please, make us feel confident in the security keys. Explain to us how it works with seeds, the manufacturer (the RSA licensee) and RSA (the technology licenser).

CCP Sreegs

Posted - 2011.05.28 19:52:00 - [22]
 

Originally by: Miilla
Edited by: Miilla on 28/05/2011 18:58:28


Originally by: CCP Sreegs
Originally by: Miilla
Originally by: Ariz Black
Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:

Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient.
Please can we have an answer here?


May as well not bother with the dongle; most likely those seeds were part of the RSA raid.



This wouldn't be true even if RSA was our vendor, which they're not.


No, RSA's vendor is to the manufacturers that license the technology.

RSA licenses the technology and holds manufacturer seeds in their databases.

I never once said RSA was your vendor.

I will quote what I said here: "Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?"

Did I say RSA was your vendor? We all know it's not, but it uses RSA-licensed technology and THEIR database was raided.

Why wouldn't it be true if they grabbed the manufacturer seeds and data that RSA sells to the manufacturers of your keys?

Can you explain WHY it wouldn't be true? You know more about this technology than me.

Please, make us feel confident in the security keys. Explain to us how it works with seeds, the manufacturer (the RSA licensee) and RSA (the technology licenser).


I didn't selectively quote your statement and that was the statement I was responding to. At a more appropriate time (Like, nearer to deployment) I'll be happy to discuss the security ins and outs of our specific implementation. In the meantime feel free to research the subject yourself at:

www.rsa.com
www.vasco.com
http://en.wikipedia.org/wiki/Two-factor_authentication

Adrian Idaho
Posted - 2011.05.28 20:11:00 - [23]
 

Edited by: Adrian Idaho on 28/05/2011 20:11:27
Originally by: Miilla
The usual...

Dude, you just don't troll Sreegs. Ever.

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.05.29 09:54:00 - [24]
 

Originally by: Adrian Idaho
Edited by: Adrian Idaho on 28/05/2011 20:11:27
Originally by: Miilla
The usual...

Dude, you just don't troll Sreegs. Ever.


Want a lollipop?


Mara Rinn
Posted - 2011.05.30 02:19:00 - [25]
 

Originally by: Miilla
Please, make us feel confident in the security keys. Explain to us how it works with seeds and the manufacturer the RSA Licensee and RSA the technology licenser.


To associate a SecureID authenticator (as used by Blizzard for WoW, and shortly CCP for EVE) with an account, you have to submit the serial number of the key and two consecutive generated codes. This establishes the sequence of generated codes that the key will use.

To guess the next code your key generates, an attacker will need to know the serial number of your key and at least one (timestamped) code generated by that key in the recent past, based on the assumption that the seeds for that key are known. The simple means of avoiding this attack is for the user and service provider to never release the key's serial number to anyone. Depending on your level of paranoia, you may decide to throw out the keyfob and get a new one based on a fresh key. Given the assumption that the keyfob will not defend against determined attackers, a more pragmatic user will simply rely on the serial number never being revealed, and ensure that procedures are in place for a customer to report a keyfob as being lost/stolen.

A more likely attack scenario is the one that has been successfully used against World of Warcraft, where a virus/trojan infects the victim's computer with a "man in the middle" attack, intercepting the username, password and current key value. The MITM attack sends an incorrect security code to the server on behalf of the victim, but routes the correct code to the attacker's systems where they can now log in as that user, strip all resources of value from the account, and abandon it.

There is some further reading about the RSA seed compromise here.

So, what attacks will the keyfob defend against when working correctly with secret seeds?

Only the one where the attacker doesn't have access to the current code on your RSA SecureID key (or the serial number of that key and a timestamped record of any key it has generated in the past).

Thus the keyfob will protect you from the miscreant trying to brute force their way into your account (guessing your username/password, for example), end of story.

The two main vectors for attacks against EVE Online accounts secured by keyfobs are going to be phishing the users, or compromising their computers to insert MITM attacks. A phishing or MITM attack will have a window of opportunity of up to 30 seconds (the refresh interval for the SecureID token), so using the keyfob will restrict the range of phishing attacks to only those that occur in real-time (i.e.: all phishing attacks will be done real-time)

TL;DR:

  • Given the seeds, the attackers still need your serial number and at least one generated code (unless the algorithm behind the system is particularly broken)

  • Even when working, the SecureID system only protects against certain attacks

  • SecureID does not protect against MITM attacks (e.g.: shady Internet café or infected home computer)

  • SecureID does not protect against live phishing attacks (e.g.: malicious website)

  • No system of authentication can protect the service from stupid users



Lederstrumpf
Posted - 2011.05.31 14:52:00 - [26]
 

Edited by: Lederstrumpf on 31/05/2011 15:08:28
Originally by: CCP Shadow
We're interested in whatever constructive feedback you have


How much are you willing to pay?

Vincent Athena
Posted - 2011.05.31 15:25:00 - [27]
 

I'm somewhat disappointed that you did not get to my questions. Any possibility of my getting some sort of replies?

Miilla
Minmatar
Hulkageddon Orphanage
Posted - 2011.06.01 13:07:00 - [28]
 

Edited by: Miilla on 02/06/2011 11:05:15

Originally by: Mara Rinn
Originally by: Miilla
Please, make us feel confident in the security keys. Explain to us how it works with seeds and the manufacturer the RSA Licensee and RSA the technology licenser.


To associate a SecureID authenticator (as used by Blizzard for WoW, and shortly CCP for EVE) with an account, you have to submit the serial number of the key and two consecutive generated codes. This establishes the sequence of generated codes that the key will use.

To guess the next code your key generates, an attacker will need to know the serial number of your key and at least one (timestamped) code generated by that key in the recent past, based on the assumption that the seeds for that key are known. The simple means of avoiding this attack is for the user and service provider to never release the key's serial number to anyone. Depending on your level of paranoia, you may decide to throw out the keyfob and get a new one based on a fresh key. Given the assumption that the keyfob will not defend against determined attackers, a more pragmatic user will simply rely on the serial number never being revealed, and ensure that procedures are in place for a customer to report a keyfob as being lost/stolen.

A more likely attack scenario is the one that has been successfully used against World of Warcraft, where a virus/trojan infects the victim's computer with a "man in the middle" attack, intercepting the username, password and current key value. The MITM attack sends an incorrect security code to the server on behalf of the victim, but routes the correct code to the attacker's systems where they can now log in as that user, strip all resources of value from the account, and abandon it.

There is some further reading about the RSA seed compromise here.

So, what attacks will the keyfob defend against when working correctly with secret seeds?

Only the one where the attacker doesn't have access to the current code on your RSA SecureID key (or the serial number of that key and a timestamped record of any key it has generated in the past).

Thus the keyfob will protect you from the miscreant trying to brute force their way into your account (guessing your username/password, for example), end of story.

The two main vectors for attacks against EVE Online accounts secured by keyfobs are going to be phishing the users, or compromising their computers to insert MITM attacks. A phishing or MITM attack will have a window of opportunity of up to 30 seconds (the refresh interval for the SecureID token), so using the keyfob will restrict the range of phishing attacks to only those that occur in real-time (i.e.: all phishing attacks will be done real-time)

TL;DR:

  • Given the seeds, the attackers still need your serial number and at least one generated code (unless the algorithm behind the system is particularly broken)

  • Even when working, the SecureID system only protects against certain attacks

  • SecureID does not protect against MITM attacks (e.g.: shady Internet café or infected home computer)

  • SecureID does not protect against live phishing attacks (e.g.: malicious website)

  • No system of authentication can protect the service from stupid users





"To guess the next code your key generates, an attacker will need to know the serial number of your key"

>> You mean the pictures of keyfobs showing the serial numbers that fanfest participants released onto the internet showing them off?


That brings up another potential issue..

Locking players' accounts out by repeatedly attempting to guess codes and passwords.

What is CCP's account lock out policy to prevent Denial Of Service on players by rage of other players?

Is there a timer for progressively delaying attempts? Is there a re-authentication process to "unlock" accounts after so many attempts?
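The token mechanics Mara Rinn describes above (a 30-second refresh interval, enrollment by two consecutive codes, and a code that is only useful once) and the lockout question raised in this post can be seen together in a small server-side verifier. The following is an added example, not code from CCP, RSA or anyone in this thread: it uses the open RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second steps) as a stand-in for the proprietary SecurID algorithm, the constructed seed is the RFC 6238 test secret rather than any real token seed, and the `TokenVerifier` class, its delay parameters and the `consecutive_codes_match` helper are hypothetical names chosen here. It shows a verifier that accepts each time step at most once (so a code observed in transit cannot be replayed) and answers repeated failures with a capped, progressively growing delay instead of a hard lockout, which is the usual compromise between slowing guessing and letting a third party lock a player out at will.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # refresh interval of the token, as stated in the thread
DIGITS = 6
SKEW_STEPS = 1      # accept one step of clock drift on either side


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the code a token shows at unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** DIGITS):0{DIGITS}d}"


def consecutive_codes_match(secret: bytes, first: str, second: str, now: int) -> bool:
    """Enrollment check (hypothetical helper): two codes from adjacent time steps
    show the enrolling user holds the token whose seed is on file for that serial."""
    base = now // STEP_SECONDS
    for c in range(base - SKEW_STEPS - 1, base + SKEW_STEPS + 1):
        a = totp_code(secret, c * STEP_SECONDS)
        b = totp_code(secret, (c + 1) * STEP_SECONDS)
        if hmac.compare_digest(a, first) and hmac.compare_digest(b, second):
            return True
    return False


class TokenVerifier:
    """Per-account server state (hypothetical design): every time step is accepted
    at most once, and failures trigger a capped exponential delay, not a lockout."""

    def __init__(self, secret: bytes, base_delay: int = 1, max_delay: int = 300):
        self.secret = secret
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.last_step_used = -1   # highest time step already accepted
        self.failures = 0
        self.retry_after = 0       # unix time before which attempts are refused

    def verify(self, code: str, now: int):
        """Return (accepted, reason). Attempts during the delay are refused unread."""
        if now < self.retry_after:
            return False, f"too many failures; retry after {self.retry_after}"
        base = now // STEP_SECONDS
        for c in range(base - SKEW_STEPS, base + SKEW_STEPS + 1):
            if c <= self.last_step_used:
                continue   # a replayed or older code is never valid again
            if hmac.compare_digest(totp_code(self.secret, c * STEP_SECONDS), code):
                self.last_step_used = c
                self.failures = 0
                return True, "ok"
        self.failures += 1
        delay = min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)
        self.retry_after = now + delay
        return False, f"invalid code; retry after {delay}s"


if __name__ == "__main__":
    # Constructed seed: the RFC 6238 test secret, not a real token seed.
    seed = b"12345678901234567890"
    verifier = TokenVerifier(seed)
    shown = totp_code(seed, 59)
    print("first use :", verifier.verify(shown, 59))   # accepted
    print("replayed  :", verifier.verify(shown, 59))   # refused, delay starts
```

The replay rule is what limits an intercepted code to the one login it was typed for: once step `c` has been accepted, the same code is refused for the rest of its 30-second life, and every code must be verified with a constant-time comparison. The delay grows with consecutive failures and resets on success, so a guessing attempt is slowed to a crawl while the worst a hostile third party can do to a legitimate player is impose a bounded wait; whether that cap should instead hand off to a re-authentication step is the policy question this post asks.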


Xtoveruss
Posted - 2011.06.02 14:38:00 - [29]
 

Would be nice if you finally fixed EVE Voice so all EVE players can use it.

John'eh
Gallente
Asteroid Belt Protection Services
Posted - 2011.06.06 09:13:00 - [30]
 

Edited by: John'eh on 06/06/2011 09:15:26
Originally by: CCP Shadow
We're interested in whatever constructive feedback you have


And yet history shows you don't actually listen to it.

From a security standpoint, you have had multiple people attempt to help CCP with the different security issues EVE has had over the years. I'm one of them; I constantly do what I can to help and I am mostly ignored. Emails just go into the void, forum posts are ignored, or worse, censored by support staff who may be on the take from people exploiting the flaws for money in the real world.

I don't feel like any of the constructive feedback (and valuable information that otherwise you would have spent money on getting from a paid consultant) that you have gotten from your customer base has actually been listened to, as many of these issues STILL EXIST today.

So basically the best feedback I can give you here is that you guys need to stop acting like you're listening and actually DO listen, instead of getting butt-hurt and ignoring people who are trying to help you.

