New Dev Blog: New Forum Security Blog - Cookie Derp
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 3 4 5 6 7 8 [9]

CCP Sreegs

Posted - 2011.04.13 22:11:00 - [241]
 

Originally by: Bomberlocks
@CCP Sreegs: Thanks a lot for this blog and your replies. It is really refreshing to have someone at CCP actually talk to us instead of delivering some patronising blog trying to make light of a serious subject with poor humour. I think it is obvious that a fair amount of the rage over this issue is justified, but also enhanced because of the continuing frustrations players feel in trying to get a response from CCP over their concerns.

I was also concerned that the blog was attempting to brush off client side security as being outside CCP's remit, but I see from your clarification that you were discussing this from a security standpoint.

However, there is one point where we will have to agree to disagree it seems: the ability to inject scripts. From posts on SHC's successor site, FHC, and from what I saw of the forums before they were taken down, it was indeed possible to inject scripts using jQuery. The ability of a script with HTML and CSS to forge a login might have been possible, but it seems it would have been possible to collect login keystrokes by rebinding event listeners via jQuery. Such a script would have had a number of opportunities to pass that information across to another domain, even with modern browsers, and would not have had to rely on the by now fairly well known iframe.

The reason that I am again raising this issue is that anyone with access to someone's forum account would have had automatic access to that person's user account. While this would not have given access to their credit card, it would have been a field day for phishers and RMT'ers.

I urge you to make sure that this is very carefully audited in any future iteration of the new forums. Finally, although it is not your remit (area) to be responsible for the usability of the new forums, the fact that you are about the only person from CCP speaking to the players on a regular basis might make you a target for user anger if the new forums surface again with the same shoddy lack of attention to detail and lack of response to players' wishes and concerns. It might be in your own vested interests to raise an internal "sh*t storm" if that happens.

BTW, off topic, props to your anti-botting efforts. It looks like there is definitely something happening there.


Thanks dude. Given the state that the forums were in I'm not dismissing completely the possibility of exploitable conditions that we are not yet aware of. What I am saying is that thus far, in every single instance where we've been given a solid example of where people felt script could be executed, it has not been possible. If anyone has any evidence to the contrary I'd really like to hear from them.

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.13 23:01:00 - [242]
 

Originally by: CCP Sreegs
....

Thanks dude. Given the state that the forums were in I'm not dismissing completely the possibility of exploitable conditions that we are not yet aware of. What I am saying is that thus far, in every single instance where we've been given a solid example of where people felt script could be executed, it has not been possible. If anyone has any evidence to the contrary I'd really like to hear from them.
Personally, I didn't have enough time to look at them in enough detail before they went down; I was just starting to look at them some 20 minutes or so before they went down. This is a highly irregular suggestion, but crowdsourcing via a clean copy with dummy accounts might help there. It might also be an idea for any new forum that comes up.

Che Biko
Humanitarian Communists
Posted - 2011.04.14 02:12:00 - [243]
 

Well, I guess when I ask slightly off-topic questions, I deserve to get slightly off-topic answers, but in case you feel like answering this, I post it again anyway.
Originally by: CCP Sreegs
Unfortunately I get so many phishing related emails that I simply shut the sites down and I can't reply to everyone. They probably were phishing emails and I probably had the site removed from the internet. Sorry I can't respond to them all.

I thought this would be the case; however, you did not answer whether there is a (better) way to find out if those mails were indeed phishy, like a petition or a mail to customer support (after I sent them to you, of course). Especially in cases when the mail is legit, I would like to be told how I could tell it was legit.

I did not see the ones I sent you listed in this thread. Is that any indication, or is that thread not updated with each and every phishing mail shortly after it was sent?

Liandra Xi
Amarr
The New Era
C0NVICTED
Posted - 2011.04.14 03:14:00 - [244]
 

First of all I'm really glad I didn't visit the forums while the completely insecure "new" forums were actually up.

Second the dev blog does nothing to address the question of why these issues were raised during the beta test of the new forums, but CCP *ignored* those warnings and still put the system live with all inherent faults present, and only took it down 30 hours later after untold damage could have been caused.

Frankly I expect to hear who has been fired from CCP for this epic f**k up; as you say yourself, it is completely unacceptable for this to have ever happened, but then that's a line I'm used to hearing from CCP by now. How many times is enough to admit you have serious deficiencies in your internal processes that can't be fixed by 1 person writing a dev blog to try and pacify the playerbase yet again?

Still, considering you seem to have taken advice from HBGary in the past on security issues, maybe I shouldn't be that surprised that you are so bad at it. (Google it if you want to find what I'm talking about.)

CCP Sreegs

Posted - 2011.04.14 03:50:00 - [245]
 

Originally by: Liandra Xi
First of all I'm really glad I didn't visit the forums while the completely insecure "new" forums were actually up.

Second the dev blog does nothing to address the question of why these issues were raised during the beta test of the new forums, but CCP *ignored* those warnings and still put the system live with all inherent faults present, and only took it down 30 hours later after untold damage could have been caused.

Frankly I expect to hear who has been fired from CCP for this epic f**k up; as you say yourself, it is completely unacceptable for this to have ever happened, but then that's a line I'm used to hearing from CCP by now. How many times is enough to admit you have serious deficiencies in your internal processes that can't be fixed by 1 person writing a dev blog to try and pacify the playerbase yet again?

Still, considering you seem to have taken advice from HBGary in the past on security issues, maybe I shouldn't be that surprised that you are so bad at it. (Google it if you want to find what I'm talking about.)


As I had thought I'd explained... The dev blog is not meant to address those issues. The dev blog addresses our findings in the response phase. After that comes the internal investigation into process and as a part of that would be what, if anything, was reported beforehand by both players and internal staff. You have to first establish IF there was anything to be ignored. We don't just get to decide these things. They require actual investigation and actual evidence. If you're aware of some reports that I'm not I'd welcome you to share them with me.

Frankly, people's employment status is a private matter and will remain that way.

We have never taken security advice from HBGary. You'd know that if you read the emails.

All in all there's plenty that went wrong to talk about without having to invent things. Let's stick to that.

Londo Cebb
Official Market Discussions Troll
Posted - 2011.04.14 08:53:00 - [246]
 

Edited by: Londo Cebb on 14/04/2011 09:19:59


I have a quick question.

I have always had signatures turned off on this forum. I did not spend enough time exploring the new forums to know if it was possible to turn them off.

So my question is:

Was, or will there be an option to disable/enable signatures per account on the new forums?

Also if that option exists, will the default setting be "signatures disabled"?

Qoi
Exert Force
Posted - 2011.04.14 10:17:00 - [247]
 

Originally by: Londo Cebb

Also if that option exists, will the default setting be "signatures disabled"?

This appears to be the default setting.

Lusulpher
Gallente
Posted - 2011.04.14 10:27:00 - [248]
 

Edited by: Lusulpher on 14/04/2011 10:28:54
Saturday Apr. 11th, 2011, before work, about 30 mins after laughing through the Catari thread, and watching SHC poster sacul name this "eve-gate Gate". [SHC was also deleted later, all mine base]

I subtly named this new CCP incident Boot.ini 2.0 or "cookie-derp".

I hold in my hand, the copyright for that term. And I would like to trade it for +1 Internet from CCP, or a certain Jovian spacecraft.[maybe even unbanning political exile Catari]

I am very cereal...

Look ma! I'm e-famous!


-Creative Customer Person [manual sig entry, you people just don't learn]

Majid Al'Amarr
Posted - 2011.04.14 11:38:00 - [249]
 

Can I suggest that folks use Google and type security issues then add any service delivered by the internet or with access to said. I honestly feel a touch of perspective is required here forum warriors.

ArsMalus Mortis
Caldari
Guns Rocks and Probes
Reverberation Project
Posted - 2011.04.14 12:00:00 - [250]
 

Edited by: ArsMalus Mortis on 14/04/2011 12:07:03
Edited by: ArsMalus Mortis on 14/04/2011 12:01:24
Originally by: Majid Al'Amarr
Can I suggest that folks use Google and type security issues then add any service delivered by the internet or with access to said. I honestly feel a touch of perspective is required here forum warriors.


I couldn't agree more. Anyone who claims to have written 100% secure code is full of it. The fact is exploits will continue to be discovered and fixed in any piece of software. Just look at the changelog for darn near anything.

That being said, a better procedure would have been to bring the new forums online and advertise that they are up for testing and content would be wiped before going live, leaving the old forums in place for the average pilot. I'm sorry, but for any project as large as a forum the footprint is just too great for internal or 3rd-party audits to do a sufficient job finding vulnerabilities. Sure, you might lose some of the oohh shiny factor, but let's face it, if the test forums had these major issues it would have been both non-disruptive and far less of a PR nightmare, not to mention there wouldn't be so many pitchfork-wielding crazies in this thread. Use the free labor at your disposal.

kakmonstret
Posted - 2011.04.14 12:31:00 - [251]
 

Originally by: ArsMalus Mortis
Edited by: ArsMalus Mortis on 14/04/2011 12:07:03
Edited by: ArsMalus Mortis on 14/04/2011 12:01:24
Originally by: Majid Al'Amarr
Can I suggest that folks use Google and type security issues then add any service delivered by the internet or with access to said. I honestly feel a touch of perspective is required here forum warriors.


I couldn't agree more. Anyone who claims to have written 100% secure code is full of it. The fact is exploits will continue to be discovered and fixed in any piece of software. Just look at the changelog for darn near anything.

That being said, a better procedure would have been to bring the new forums online and advertise that they are up for testing and content would be wiped before going live, leaving the old forums in place for the average pilot. I'm sorry, but for any project as large as a forum the footprint is just too great for internal or 3rd-party audits to do a sufficient job finding vulnerabilities. Sure, you might lose some of the oohh shiny factor, but let's face it, if the test forums had these major issues it would have been both non-disruptive and far less of a PR nightmare, not to mention there wouldn't be so many pitchfork-wielding crazies in this thread. Use the free labor at your disposal.


But these problems, especially the cookie-derp, are of a very basic nature. The cookie derp is not simply an implementation error. It is an error in the whole thinking around web programming. That clients are untrusted is one of the most important and basic things that any web programmer gets drilled with during training. This is what makes people so nervous if this mistake is made: what other mistakes, much harder to spot and easier to make, have also been made?

This is not about producing 100% secure code, this is about knowing the basic security problems in the relevant domain.

Ban Doga
Posted - 2011.04.14 17:30:00 - [252]
 

Originally by: Majid Al'Amarr
Can I suggest that folks use Google and type security issues then add any service delivered by the internet or with access to said. I honestly feel a touch of perspective is required here forum warriors.

A mistake does not become any less severe just because more people make it...

Londo Cebb
Official Market Discussions Troll
Posted - 2011.04.14 20:19:00 - [253]
 

So CCP Sreegs, where are we at? A lot of us have still not forgotten about this. Please don't leave us hanging. How will CCP be moving forward from here?

CCP Sreegs

Posted - 2011.04.15 01:08:00 - [254]
 

Originally by: Londo Cebb
So CCP Sreegs, where are we at? A lot of us have still not forgotten about this. Please don't leave us hanging. How will CCP be moving forward from here?


Perhaps I didn't manage expectations well enough. The investigation is pretty much complete today. There will be a great deal of internal dialogue following that. What we discuss will have to be decided as a part of that process, which will likely take at least a few more days, then there's a holiday. In short, I don't expect to have any followup from this for at least 2 weeks. Our investigation and analysis will be done, but figuring out what needs to change and what can be discussed is a longer process than resolving an incident.

Zey Nadar
Gallente
Unknown Soldiers
Posted - 2011.04.15 07:29:00 - [255]
 

Thank you for taking the time to tell us all this. I always think that a sign of a healthy MMO is devs willing to dialogue with the players.

Qordel
Caldari
School of Applied Knowledge
Posted - 2011.04.15 08:56:00 - [256]
 

Edited by: Qordel on 15/04/2011 09:35:59
.

Qordel
Caldari
School of Applied Knowledge
Posted - 2011.04.15 09:36:00 - [257]
 

Originally by: ArsMalus Mortis
Edited by: ArsMalus Mortis on 14/04/2011 12:07:03
Edited by: ArsMalus Mortis on 14/04/2011 12:01:24
Originally by: Majid Al'Amarr
Can I suggest that folks use Google and type security issues then add any service delivered by the internet or with access to said. I honestly feel a touch of perspective is required here forum warriors.


I couldn't agree more. Anyone who claims to have written 100% secure code is full of it. The fact is exploits will continue to be discovered and fixed in any piece of software. Just look at the changelog for darn near anything.


I'm sorry, but you cannot compare developing systems with security in mind that are (as is often inevitable) eventually cleverly cracked and exploited to having a complete disregard for security and ignoring security entirely in the very design of your system. Security issues are uncovered and clever hacks and exploits found for systems and services and software every day, but nothing clever was required to circumvent security, here, because no security was employed.

This is a case of ignoring the most primary and fundamental cookie and session security standards that have been in practice since we invented cookies at Netscape, in the mid 1990s. It is a shameful and embarrassing oversight and a display of either incompetence or laziness.

Since CCP used ASP.NET and is a Microsoft house, let's go ahead and look at the ASP.NET Cookie Security document on the Microsoft Developer Network site, which is classified as Beginning Web Programmer level content. Stuff that any novice tutorial on cookies and session handling would cover.

  • The upshot is that you should never store secrets in a cookie: no user names, no passwords, no credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie.


I sympathize with CCP. I respect CCP. I'm a fan of CCP. **** happens and we move on. At the same time, let's make sure we put the severity of this oversight into perspective so we don't do this all over again. Having access to post as another person with trivial effort on the forums is not the same as then gaining access to your actual account, but with such a clear demonstration of incompetence in simple design practices in one place, why would we expect them to uphold different standards elsewhere? Especially as this whole EveGate thing begins to encompass more of the provided services?
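
As an added illustration of the design point made in this post and in kakmonstret's earlier one (the client is untrusted, so identity must not be read from a cookie the user can edit), here is example code that is not from the thread, CCP, or ASP.NET: the function and class names are hypothetical, the user table and secret key are constructed, and it places the weak cookie design next to two server-verified alternatives.

```python
"""Constructed demo: a cookie the client can edit vs. server-verified sessions.

All names (parse_cookies, resolve_user_from_trusted_cookie, SessionStore,
sign_user_cookie, resolve_signed_user) are hypothetical; the user table and
secret key are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed user table: user id -> display name.
USERS = {"1001": "alice", "1002": "bob"}

# Constructed server secret; a real deployment loads it from protected config.
SECRET_KEY = secrets.token_bytes(32)


def parse_cookies(cookie_header: str) -> dict:
    """Parse a 'Cookie:' header value ('a=1; b=2') into a dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def resolve_user_from_trusted_cookie(cookie_header: str):
    """Weak design (the 'cookie derp'): the user id is read straight from a
    client-controlled cookie, so whatever id the browser sends is believed."""
    user_id = parse_cookies(cookie_header).get("userId")
    return USERS.get(user_id) if user_id else None


class SessionStore:
    """Hardened design: the cookie carries only an opaque random token and
    the user id lives server-side, keyed by that token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token

    def set_cookie_header(self, token: str) -> str:
        # HttpOnly keeps page script away from the token, Secure keeps it off
        # plaintext HTTP, SameSite=Lax stops most cross-site sending.
        return f"Set-Cookie: sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def resolve_user(self, cookie_header: str):
        token = parse_cookies(cookie_header).get("sid")
        user_id = self._sessions.get(token) if token else None
        return USERS.get(user_id) if user_id else None


def sign_user_cookie(user_id: str) -> str:
    """Stateless alternative: the id stays in the cookie but is bound to an
    HMAC under the server secret, so an edited id no longer verifies."""
    mac = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def resolve_signed_user(cookie_header: str):
    """Accept the signed cookie only if the MAC matches the id it carries."""
    raw = parse_cookies(cookie_header).get("auth")
    if not raw or "." not in raw:
        return None
    user_id, mac = raw.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return USERS.get(user_id)
```

Feeding each resolver a cookie whose id has been changed by hand shows the difference: the first believes it, the session store and the signed variant both return None.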

Londo Cebb
Official Market Discussions Troll
Posted - 2011.04.15 10:42:00 - [258]
 

Originally by: CCP Sreegs


Perhaps I didn't manage expectations well enough. The investigation is pretty much complete today. There will be a great deal of internal dialogue following that. What we discuss will have to be decided as a part of that process, which will likely take at least a few more days, then there's a holiday. In short, I don't expect to have any followup from this for at least 2 weeks. Our investigation and analysis will be done, but figuring out what needs to change and what can be discussed is a longer process than resolving an incident.


Fair enough.

Thank you for your response, and the work you have put into this so far.

V'eris Eclaire
Posted - 2011.04.15 11:18:00 - [259]
 

If you want us to help with exploits, why can't I write **********? Or did you mean player exploits only?

I am sorry but you (CCP) have a history of not acting on exploits. You take the "hands off" approach and act after a few days. We have seen this time after time. Players post on the forums about the exploit and you stand clear of the thread and do nothing.

You can't shut down the forums for every eve player that sends a bug report. If certain players did not do what had to be done to show you the severity of the issue, god only knows how long it would have taken for you to take down the forums. And have you any idea what kind of damage could have been done?

And you go and ban!?

Also, do you realize what kind of a mistake this was!? Because it's not on an "everyone makes mistakes" scale. And then you dare talk about excellence!?

It shows a level of incompetence that is far beyond unacceptable. It makes me wish you sold eve to some other company. If we can't have cool devs anymore, we at least want competence.

Bomberlocks
Minmatar
CTRL-Q
Posted - 2011.04.15 12:09:00 - [260]
 

Originally by: CCP Sreegs
Originally by: Londo Cebb
So CCP Sreegs, where are we at? A lot of us have still not forgotten about this. Please don't leave us hanging. How will CCP be moving forward from here?


Perhaps I didn't manage expectations well enough. The investigation is pretty much complete today. There will be a great deal of internal dialogue following that. What we discuss will have to be decided as a part of that process, which will likely take at least a few more days, then there's a holiday. In short, I don't expect to have any followup from this for at least 2 weeks. Our investigation and analysis will be done, but figuring out what needs to change and what can be discussed is a longer process than resolving an incident.
Just make sure that you do come back to us on this, Sreegs. Forgetting about it, intentionally or not will only add to the pile of straws on the camel's back.

Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
Posted - 2011.04.15 16:01:00 - [261]
 

Originally by: Bomberlocks
Originally by: CCP Sreegs
Originally by: Londo Cebb
So CCP Sreegs, where are we at? A lot of us have still not forgotten about this. Please don't leave us hanging. How will CCP be moving forward from here?


Perhaps I didn't manage expectations well enough. The investigation is pretty much complete today. There will be a great deal of internal dialogue following that. What we discuss will have to be decided as a part of that process, which will likely take at least a few more days, then there's a holiday. In short, I don't expect to have any followup from this for at least 2 weeks. Our investigation and analysis will be done, but figuring out what needs to change and what can be discussed is a longer process than resolving an incident.
Just make sure that you do come back to us on this, Sreegs. Forgetting about it, intentionally or not will only add to the pile of straws on the camel's back.


Yes, and it would make me angry. Nobody likes me when I'm angry.


CCP Sreegs

Posted - 2011.04.16 01:54:00 - [262]
 

Originally by: Bomberlocks
Originally by: CCP Sreegs
Originally by: Londo Cebb
So CCP Sreegs, where are we at? A lot of us have still not forgotten about this. Please don't leave us hanging. How will CCP be moving forward from here?


Perhaps I didn't manage expectations well enough. The investigation is pretty much complete today. There will be a great deal of internal dialogue following that. What we discuss will have to be decided as a part of that process, which will likely take at least a few more days, then there's a holiday. In short, I don't expect to have any followup from this for at least 2 weeks. Our investigation and analysis will be done, but figuring out what needs to change and what can be discussed is a longer process than resolving an incident.
Just make sure that you do come back to us on this, Sreegs. Forgetting about it, intentionally or not will only add to the pile of straws on the camel's back.


Do I get my 2 weeks?

CCP Sreegs

Posted - 2011.04.16 01:56:00 - [263]
 

Edited by: CCP Sreegs on 16/04/2011 01:55:53
Originally by: V'eris Eclaire
If you want us to help with exploits, why can't I write **********? Or did you mean player exploits only?

I am sorry but you (CCP) have a history of not acting on exploits. You take the "hands off" approach and act after a few days. We have seen this time after time. Players post on the forums about the exploit and you stand clear of the thread and do nothing.

You can't shut down the forums for every eve player that sends a bug report. If certain players did not do what had to be done to show you the severity of the issue, god only knows how long it would have taken for you to take down the forums. And have you any idea what kind of damage could have been done?

And you go and ban!?

Also, do you realize what kind of a mistake this was!? Because it's not on an "everyone makes mistakes" scale. And then you dare talk about excellence!?

It shows a level of incompetence that is far beyond unacceptable. It makes me wish you sold eve to some other company. If we can't have cool devs anymore, we at least want competence.



How about you discuss or have an opinion on the topic of this thread and I'll be happy to respond.

Rose Nye
Posted - 2011.04.16 07:10:00 - [264]
 

Quote:
How about you discuss or have an opinion on the topic of this thread and I'll be happy to respond.


^ nice customer service skills there. Can of rage anyone?

Just a wee point about how to write an exploit report. Pay them. They are obviously able to perform a duty where those that are getting paid by CCP are not.

Deviana Sevidon
Gallente
Panta-Rhei
Butterfly Effect Alliance
Posted - 2011.04.16 12:50:00 - [265]
 

The most important point of the investigation is not pointing fingers at CCP or staff members, but finding out when and where the mess started. Were the reports not properly filed and escalated? Was it a management decision to ignore the feedback and push it regardless of consequences, or did the development team ignore the feedback?

I think some of the problems come from extra tight development schedules; with two expansions every year the teams responsible are under a lot of pressure and don't have the extra time to implement major changes, having to choose between two bad options:

1. Blow the budget, assign additional time/manpower to the project.
2. Keep the deadline at any cost, cutting corners whenever possible and hope that not too many problems arise and you have the resources to patch the thing later.

The second option is where CCP is going most of the time. Also, far too often features become orphaned: while still incomplete, effective development is halted in favor of other projects.

From a personal point of view I would recommend to step back and take a look at the past expansions, look where additional work is required. Scrap features that obviously don't work (Tyrannis? Lol! See how I ruthlessly oppress the dots on a globe.. wait, you can't. There is nothing to build, nothing to rule, just some dots to connect)

mkint
Posted - 2011.04.17 19:48:00 - [266]
 

Originally by: Deviana Sevidon

...having to choose between two bad options:

1. Blow the budget, assign additional time/manpower to the project.
2. Keep the deadline at any cost, cutting corners whenever possible and hope that not too many problems arise and you have the resources to patch the thing later.



Well the really upsetting thing is that they reportedly put in enough man-hours to put out a full length feature film, but only actually did a day's worth of work. They used pre-made forum software, broke it, and pushed it out. Hell, I've done that on my own in less time without a huge corporate sponsorship. Pre-made forums are DESIGNED to be easily implemented by the random idiot off the street. Definitely looks like a case of incompetent guys milking a paycheck.

Catheryn Martobi
Posted - 2011.04.18 06:25:00 - [267]
 

>> Full length feature film

MFW

Lusulpher
Gallente
Posted - 2011.04.18 07:31:00 - [268]
 

Originally by: mkint
Originally by: Deviana Sevidon

...having to choose between two bad options:

1. Blow the budget, assign additional time/manpower to the project.
2. Keep the deadline at any cost, cutting corners whenever possible and hope that not too many problems arise and you have the resources to patch the thing later.



Well the really upsetting thing is that they reportedly put in enough man-hours to put out a full length feature film, but only actually did a day's worth of work. They used pre-made forum software, broke it, and pushed it out. Hell, I've done that on my own in less time without a huge corporate sponsorship. Pre-made forums are DESIGNED to be easily implemented by the random idiot off the street. Definitely looks like a case of incompetent guys milking a paycheck.


Thank you. This screw-up is also the flag we can wave at any clearly broken feature in EvE. And in that 2 weeks of investigation, I hope to have confirmation that those Devs returned their paychecks, or delivered on their forum coding, WITHOUT pay. [can't ask to have people fired for incompetence. No srs bsns allowed.]

I'd expect nothing less from a contracted handyman.

Fiona Frenze
Posted - 2011.04.30 09:27:00 - [269]
 

It's been 2 weeks. Any updates for us at all?

VERY eager to hear as much as you can tell us

Londo Cebb
Official Market Discussions Troll
Posted - 2011.05.02 07:57:00 - [270]
 

Edited by: Londo Cebb on 03/05/2011 06:20:33
Originally by: Fiona Frenze
It's been 2 weeks. Any updates for us at all?

VERY eager to hear as much as you can tell us



I was wondering the same thing myself.

[Edit] Just found the new Dev blog

