New Dev Blog: New Forum Security Blog - Cookie Derp
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 [3] 4 5 6 7 8 9


Diomedes Calypso
Aetolian Armada
Posted - 2011.04.12 01:39:00 - [61]
 

Originally by: CCP Sreegs
Originally by: Diomedes Calypso


…..)




I'm not ignoring the rest of this post, but if there's a very real threat we can very much make this call. I can understand how it could be a problem if you're a guy who's constantly crying wolf, but if you have good people in the right places it tends not to be a problem. One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.



There’s a big difference between "A player has reported that he thinks he can access the forums by looking at some cookies" and "Mayday! Mayday!, there are people altering the forums now". The first might take an hour or so or get shoved aside for some other squeaking-wheel explosion.

I do trust that once people are certain there is a problem that you are all competent and confident enough to act immediately. I do give you lots of credit there. I know you’re hard working, competent guys doing your best.

As working adults though, we understand how institutions operate; there is always the danger of “slipping between the cracks”, something people in all businesses (banking, insurance etc.). As a real estate broker, there are times when, if I need a deal to close by a given date, I cannot trust that going through the normal process will work. I need to assume that the normal process might fail and end-run to a higher level to assure that it does (how you do an end-run will vary with the circumstance… I might even show up in person on someone’s doorstep to make sure it happens, as they know that’s the only way to make me go away…)

I also give you personal credit for stating that you believe that there was a serious failure at the institutional process structure level, beyond a human mistake in performance.
I think that is the real point.... I'm not a technical person so I can’t fairly gauge the level of mistake in this case, but I've seen similar mistakes on the game dynamics level (implementation of the PI discontinuation of NPC goods; player insistence from the very first announcement of a new character editor in process that players would need a way to save work and be able to accurately see the actual results before a commitment—which needed to be corrected the week after it was released with all sorts of *****ing moaning and customer service time wasted on it).
Something about the vetting process is amiss on many, many levels when astute players see a problem coming before release but it can't win enough support internally (or people with doubts will be castigated for not being team players etc.).
The pattern seems to extend beyond the security department. Players who love playing the game and see a train-wreck coming are getting trained that only huge explosions of demonstration can catch the eyes of people in charge at a level where they can stop the momentum of something in process long enough to objectively consider the concerns being raised.

Siiee
Recycled Heroes
Posted - 2011.04.12 01:40:00 - [62]
 

Originally by: CCP Sreegs
One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.


I don't think that anyone who's not trolling doubts the speed of your response once notified. The question lies in how you got notified in the first place. Was it a GM that read the exploit petition and passed it along? Was it a moderator that noticed brewing anarchy? It's the delay that we all expect exists due to the petition system (which previously was the only well known official way to pass on this sort of information). If the earliest petition about this exploit was what brought out your response then it's open and shut, but I don't think that many believe that to be the case which is what's fueling the attitude towards the circumstances.

The security email is a great thing and it's really good that you keep pushing it. That will help a lot of these problems.

CCP Sreegs

Posted - 2011.04.12 01:42:00 - [63]
 

Originally by: Grimpak
Originally by: CCP Sreegs
I'm just not sure I personally get the comparison is all.


I think he meant that the cookie-derp incident has a comparable scope to those two.


Ok, that makes it a bit more clear. I think in general my perspective on that is that it's a large company and none of those incidents involved the same areas of the company. So while the failures could appear to create a pattern, one could also consider that the fact that those mistakes haven't been repeated is also a pattern?

Mitchello
B O R G
Posted - 2011.04.12 01:42:00 - [64]
 

Originally by: CCP Sreegs
Originally by: El'Niaga

We've had promises before that CCP would improve internal practices. Most famously after the T20 incident and then after the boot.ini incident. That's what is concerning of this issue, there seems to be a culture where no one is held accountable and thus no one in CCP feels accountable for anything therefore it keeps happening time and again. Something is rotten in the core.



I'm sorry that I'm selectively quoting and I REALLY don't want to appear to be defensive BUT... to my knowledge we haven't had another T20 or another boot.ini incident. I'm NOT saying you're wrong or right. But, in the interests of providing a differing perspective, companies, especially ones the size of CCP are going to make mistakes. While this was a really bad mistake and you have every single right to be mad about it I'm not sure one should make a comparison to incidents involving completely unrelated areas of the company that occurred over... 5-7 years ago and haven't been repeated since.

I'm just not sure I personally get the comparison is all.


Don't think he is really making a comparison, but sketching what is more something of a perception challenge.

The currency is trust, the case is not about data but about perception, which has a push/pull effect on word of mouth, the same word of mouth which once grew EVE, etc etc.

What you're saying is understood, he's just coming from a different angle. Perception management, basically.

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.12 01:43:00 - [65]
 

Originally by: Grimpak
Originally by: CCP Sreegs
I'm just not sure I personally get the comparison is all.


I think he meant that the cookie-derp incident has a comparable scope to those two.


I think that is pretty much how it is perceived by the players; to us it doesn't matter that points A and B were resolved, when C happens our minds immediately group A+B+C.

This is human, and it's not wrong (even Sreegs can do nothing about it).

The currency is trust, and it's a finite resource that only regrows slowly and is expended in ever larger amounts with each new error.

But this is not news to CCP, they know this, hopefully they will soon show us how they intend to regain a full(er) wallet of trust with us. I really do hope so anyways.

Siiee
Recycled Heroes
Posted - 2011.04.12 01:45:00 - [66]
 

Originally by: Grimpak

I think he meant that the cookie-derp incident has a comparable scope to those two.


The scope of an incident and the process that allows it to happen have very little if anything in common. You just can't make that comparison with a straight face. There is no system to prevent all "big" issues from happening, you can only work on the process and deal with the outcome as it comes.

CCP Sreegs

Posted - 2011.04.12 01:45:00 - [67]
 

Originally by: Diomedes Calypso
Originally by: CCP Sreegs
Originally by: Diomedes Calypso


…..)




I'm not ignoring the rest of this post, but if there's a very real threat we can very much make this call. I can understand how it could be a problem if you're a guy who's constantly crying wolf, but if you have good people in the right places it tends not to be a problem. One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.



There’s a big difference between "A player has reported that he thinks he can access the forums by looking at some cookies" and "Mayday! Mayday!, there are people altering the forums now". The first might take an hour or so or get shoved aside for some other squeaking-wheel explosion.

I do trust that once people are certain there is a problem that you are all competent and confident enough to act immediately. I do give you lots of credit there. I know you’re hard working, competent guys doing your best.

As working adults though, we understand how institutions operate; there is always the danger of “slipping between the cracks”, something people in all businesses (banking, insurance etc.). As a real estate broker, there are times when, if I need a deal to close by a given date, I cannot trust that going through the normal process will work. I need to assume that the normal process might fail and end-run to a higher level to assure that it does (how you do an end-run will vary with the circumstance… I might even show up in person on someone’s doorstep to make sure it happens, as they know that’s the only way to make me go away…)

I also give you personal credit for stating that you believe that there was a serious failure at the institutional process structure level, beyond a human mistake in performance.
I think that is the real point.... I'm not a technical person so I can’t fairly gauge the level of mistake in this case, but I've seen similar mistakes on the game dynamics level (implementation of the PI discontinuation of NPC goods; player insistence from the very first announcement of a new character editor in process that players would need a way to save work and be able to accurately see the actual results before a commitment—which needed to be corrected the week after it was released with all sorts of *****ing moaning and customer service time wasted on it).
Something about the vetting process is amiss on many, many levels when astute players see a problem coming before release but it can't win enough support internally (or people with doubts will be castigated for not being team players etc.).
The pattern seems to extend beyond the security department. Players who love playing the game and see a train-wreck coming are getting trained that only huge explosions of demonstration can catch the eyes of people in charge at a level where they can stop the momentum of something in process long enough to objectively consider the concerns being raised.



heh, I'm "the security department" in the post! You are correct that we need more to go on to isolate the problem but in this case once we were aware of what we should be looking for we got on it pretty quickly. It's late now but maybe tomorrow I'll give you guys a bit more of an understanding of the timeline.

CCP Sreegs

Posted - 2011.04.12 01:47:00 - [68]
 

Originally by: Siiee
Originally by: CCP Sreegs
One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.


I don't think that anyone who's not trolling doubts the speed of your response once notified. The question lies in how you got notified in the first place. Was it a GM that read the exploit petition and passed it along? Was it a moderator that noticed brewing anarchy? It's the delay that we all expect exists due to the petition system (which previously was the only well known official way to pass on this sort of information). If the earliest petition about this exploit was what brought out your response then it's open and shut, but I don't think that many believe that to be the case which is what's fueling the attitude towards the circumstances.

The security email is a great thing and it's really good that you keep pushing it. That will help a lot of these problems.


Yeah, I'm glad that gets noticed. It's something I talked about in the presentation at Fanfest as well which is that, for us to be really good at "security" we need to ensure that we have good feedback loops, which might mean tearing down some artificial barriers or instituting new systems to ensure that we're getting information in a timely fashion. The email address being public is a first step in that direction.

Mister Short
Posted - 2011.04.12 01:50:00 - [69]
 



So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not as bad as everybody with complaints about it was claiming?
...yeah, not your department, you can't say, and if you wager a personal opinion one of your most dearest appendages will get pickled or something to that extent.
Right?

ladies and gentlemen, the new incarna release date :P

I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?
Totally.


January 17th, 2015

ladies and gentlemen, the new incarna release date

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 01:50:00 - [70]
 

Edited by: Grimpak on 12/04/2011 01:54:16
Originally by: CCP Sreegs
Originally by: Grimpak
Originally by: CCP Sreegs
I'm just not sure I personally get the comparison is all.


I think he meant that the cookie-derp incident has a comparable scope to those two.


Ok, that makes it a bit more clear. I think in general my perspective on that is that it's a large company and none of those incidents involved the same areas of the company. So while the failures could appear to create a pattern, one could also consider that the fact that those mistakes haven't been repeated is also a pattern?
well all these three incidents really don't have a visible pattern between them.

T20 incident was a dev intervening directly on the game by spawning ingame items for benefit. while the answer of CCP on this issue is debatable, they did react and created the IA department because of it.

boot.ini incident was, for the most part, a very, very simple and basic mistake that even the best can let slip from time to time. Granted it created quite the panic, and many people did have damage done to their computers. CCP's reaction to this was to change their boot.ini to another name.

cookie-derp incident, at least for now, it seems that it was a mixture of events that started in one department, went thru a few others and escalated into the incident proper, thus raising questions about how effective CCP's QA is really.


each and every one of these embarrassing incidents only really have in common the public exposure.

El'Niaga
Minmatar
Republic Military School
Posted - 2011.04.12 01:50:00 - [71]
 

Originally by: CCP Sreegs
Originally by: El'Niaga

We've had promises before that CCP would improve internal practices. Most famously after the T20 incident and then after the boot.ini incident. That's what is concerning of this issue, there seems to be a culture where no one is held accountable and thus no one in CCP feels accountable for anything therefore it keeps happening time and again. Something is rotten in the core.



I'm sorry that I'm selectively quoting and I REALLY don't want to appear to be defensive BUT... to my knowledge we haven't had another T20 or another boot.ini incident. I'm NOT saying you're wrong or right. But, in the interests of providing a differing perspective, companies, especially ones the size of CCP are going to make mistakes. While this was a really bad mistake and you have every single right to be mad about it I'm not sure one should make a comparison to incidents involving completely unrelated areas of the company that occurred over... 5-7 years ago and haven't been repeated since.

I'm just not sure I personally get the comparison is all.


You mean like the fatal security system of your current forum fiasco.... and yes I'd put that right up there with boot.ini. Also it's well known T20 was not the only individual to cheat in a position of power, though I believe the other was a GM not a dev, maybe even 2 GMs did....

Patient 2428190
DEGRREE'Fo'FREE Internet Business School
Posted - 2011.04.12 01:54:00 - [72]
 

Has there been any investigation into the rest of EVE-Gate to see where it stands security wise? I'd imagine the same team responsible for the forums have worked on EVE gate.

Herschel Yamamoto
Agent-Orange
Nabaal Syndicate
Posted - 2011.04.12 01:54:00 - [73]
 

I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.

Mitchello
B O R G
Posted - 2011.04.12 01:55:00 - [74]
 

Originally by: Herschel Yamamoto
I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.



Cool

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 01:58:00 - [75]
 

Originally by: Herschel Yamamoto
I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
Pete's sake, that one will haunt CCP for time everlasting.

well Sreegs isn't at fault with it really. I don't even think he would've thought he would be working for CCP when it happened.

Diomedes Calypso
Aetolian Armada
Posted - 2011.04.12 01:59:00 - [76]
 

Edited by: Diomedes Calypso on 12/04/2011 02:10:31
Originally by: Herschel Yamamoto
I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.


I think people are trying to say that his eyes need to be on something more than what specifically went wrong in this case, and that perhaps management outside of security needs to examine if problems stem from company process structure (scrum stuff?)

I also think that the T20 stuff is not at all pertinent though, as it was an entirely different sort of bad judgment than releasing unfinished work.

Kasriel
Posted - 2011.04.12 02:00:00 - [77]
 

interesting, I'll have to check tomorrow to read more of this but at the moment all I can really add is very good on you Sreegs, you will probably get many people complaining and venting their frustration at you, I'll leave the matter of it being justified or not to other more vocal people than myself, the only thing I wish to add is judging from the (mainly) positive feedback you've received for your actions talking to the community it may be a good idea for this to be more commonplace?

Also while internal matters need to be taken care of internally - and I don't doubt that the vast majority of the player base understands this - when matters affect the players directly they cease to be internal and some feedback and transparency can go a long way, especially if the reports that (for this particular example) during the testing round many issues were raised with the security and functionality of the "new" forums were raised and yet ignored prove to be true, for me at least that is the troubling matter and what has caused the largest loss of trust on my part, if we can't trust CCP to believe their users saying "this is broken" what can we trust?

Mihara Shiharu
Posted - 2011.04.12 02:01:00 - [78]
 

I blame it on using .NET (damn microsoft), why couldn't you just use python? you know it works so damn good, so why bother with and pay for .NET? WHY?

Ven Dak
Posted - 2011.04.12 02:01:00 - [79]
 

Originally by: Herschel Yamamoto
I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.


Goons did T20

CCP Sreegs

Posted - 2011.04.12 02:05:00 - [80]
 

Off to bed for the night I'll followup again tomorrow morning.

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.12 02:06:00 - [81]
 

Originally by: CCP Sreegs
Off to bed for the night I'll followup again tomorrow morning.


left you a message ;)

sleep tight duder.

Catheryn Martobi
Posted - 2011.04.12 02:21:00 - [82]
 

Seems like there is a bright side to all this. With all the harassment CCP is getting for this screw-up, this ought to make them take at least a cursory look inward at their current strategy of setting unmeetable deadlines with sub-par products.

ModeratedToSilence
Posted - 2011.04.12 02:24:00 - [83]
 

Is this a good thread to discuss the merit of snorting wasabi?

Dr BattleSmith
PAX Interstellar Services
Posted - 2011.04.12 02:38:00 - [84]
 

It's really very simple.

Your web team is blowing smoke up your ass.

They are fail.

Zastrow
GoonWaffe
Goonswarm Federation
Posted - 2011.04.12 02:38:00 - [85]
 

sreegs

Liang Nuren
Posted - 2011.04.12 02:42:00 - [86]
 

Originally by: Herschel Yamamoto
I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.



Laughing

Palovana
Caldari
Inner Fire Inc.
Posted - 2011.04.12 03:04:00 - [87]
 

Originally by: Patient 2428190
Has there been any investigation into the rest of EVE-Gate to see where it stands security wise? I'd imagine the same team responsible for the forums have worked on EVE gate.


I would hope all website-related material is given a security audit in light of this incident. Especially EVE-Gate for reasons you mentioned.

mazzilliu
Caldari
Sniggerdly
Pandemic Legion
Posted - 2011.04.12 03:12:00 - [88]
 

apparently the guy who first reported the issue and later got banned said that his initial exploit report was incomplete, but there was no ccp effort to get him to elaborate.

perhaps it would be an improvement to have some sort of followup for security related reports, in case the reporter does not understand how to properly demonstrate an exploit, to try to get him to communicate clearly, rather than brush them off as another incomplete bug report or potential troll. i think if that happened the forums might have gone down some time sooner.

Kuroki Meisa Kennedy
Posted - 2011.04.12 03:31:00 - [89]
 

Originally by: mazzilliu
apparently the guy who first reported the issue and later got banned said that his initial exploit report was incomplete, but there was no ccp effort to get him to elaborate.

perhaps it would be an improvement to have some sort of followup for security related reports, in case the reporter does not understand how to properly demonstrate an exploit, to try to get him to communicate clearly, rather than brush them off as another incomplete bug report or potential troll. i think if that happened the forums might have gone down some time sooner.


+1 I also feel just killing the messenger is wrong and makes the P in CCP stand for police.

Misanth
RABBLE RABBLE RABBLE
Posted - 2011.04.12 03:39:00 - [90]
 

Originally by: Dacil Arandur
of all people Akita T has the most to lose!


No. The playerbase as a whole, has, if that monster of a forum comes back.

