Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.25 04:46:00 -
[1]
http://code.google.com/p/eveprivateaddressbook/
Very simple short little script to allow you to manage your own private addressbook.
Due to the release of EveGate users private contact data is no longer private.
EveGate has and always will contain bugs and security exploits. These exploits currently allow users to add themselves to your blue standings and gain access to your addressbook.
If and when those exploits are patched the site will always be a target for social engineering, alts will ask for blue standings so that your enemy can get full intel with very little effort.
The only true solution is to delete all contacts from Eve and instead use a system that isn't attached to EveGate.
|
|
CCP Sisyphus
|
Posted - 2010.03.25 06:54:00 -
[2]
Hi there.
Can you please explain how you can add yourself to another player's blue list?
That shouldn't be possible and is an exploit.
|
|
|
CCP Karuck
|
Posted - 2010.03.25 08:18:00 -
[3]
Originally by: Dr BattleSmith
EveGate has and always will contain bugs and security exploits.
This is an alpha version, it's still in development.
|
|
Evan Batarr
|
Posted - 2010.03.25 12:47:00 -
[4]
Originally by: CCP Karuck
Originally by: Dr BattleSmith
EveGate has and always will contain bugs and security exploits.
This is an alpha version, it's still in development.
That DOES NOT MATTER!
Your statement implies that the 'finished' version will be 100% secure.
That's a lie!
Every web based app ever released had security exploits. EVE Gate will be no exception. And you even force people to participate - that's the real bad thing. If EVE Gate was something optional....but unfortunately it isn't. Even showing the data everyone can see ingame is TOO MUCH. You will never be able to get anywhere near the ingame security.
Make EVE Gate completely OPT-IN!
|
Nova Lux
Gallente TalCorp Enterprises Einherjar Alliance
|
Posted - 2010.03.25 13:09:00 -
[5]
It'd certainly be very nice to have the option to opt-out.
|
Hel O'Ween
Men On A Mission
|
Posted - 2010.03.25 13:46:00 -
[6]
Originally by: Evan Batarr
Your statement implies that the 'finished' version will be 100% secure.
That's a lie!
Every web based app ever released had security exploits. EVE Gate will be no exception.
And if it's not the app itself, it's the underlying web server ... or framework ... or language ... or database ... or library ... or config (human error).
Quote:
Make EVE Gate completely OPT-IN!
Can't agree more. And to be honest, I'm really afraid of developers/employees at a software company (like CCP Karuck) even hinting otherwise. This kind of thinking is the very first step towards a glaring security hole.
-- EVEWalletAware - an offline wallet manager
Captain Greeneyes
|
Posted - 2010.03.25 15:22:00 -
[7]
1) If you're going to release open-source software, at least have the decency to write up semantically correct HTML rather than the atrocious code that's currently there. It looks like the HTML was made from a WYSIWYG editor. x_x
2) Instead of complaining and releasing something via a third-party application, why don't you actually file a bug report? /facepalm OH SNAP, maybe that's what the bug report form is for! Unless you don't trust CCP to do something right, which brings me to my next point.
3) Why do you even play this game? All I've seen from you in the past few days is whine and complain about CCP and EVE Gate. It's a GAME -- you play it for fun. If you're playing it for any other reason, you're doing it wrong. Gate is ALPHA software, and most of the bugs will be ironed out. If you don't want people seeing your contact list, then don't set them to +10.
But I do agree with one thing, you should be able to opt-out of Gate. Opt-in is too strict and most people will never use it if you have to opt-in. However, if you have valuable data that you're so afraid of being made public, then you know who you are and thus you can take the time and opt-out and leave the rest of the game's popula
tl;dr: File a bug report.
|
Fortune Taker
Caldari
|
Posted - 2010.03.25 15:33:00 -
[8]
Edited by: Fortune Taker on 25/03/2010 15:33:58
If some of you took the time to actually look at EveGate, there are account settings where you can hide your contact list.
It isn't hidden by default, which it probably should be.
FT
if you see this you have read too far
sanswork
|
Posted - 2010.03.25 15:36:00 -
[9]
Originally by: Evan Batarr
Every web based app ever released had security exploits. EVE Gate will be no exception. And you even force people to participate - that's the real bad thing. If EVE Gate was something optional....but unfortunately it isn't. Even showing the data everyone can see ingame is TOO MUCH. You will never be able to get anywhere near the ingame security.
Make EVE Gate completely OPT-IN!
Almost every app released has exploitable security flaws (not having them would be cost prohibitive in almost all cases). You can write "secure enough" web applications just as easily as any other type of application. The reason web development has a bad name at the moment is that it is full of people who are developers in name only and can't design a system properly regardless of security concerns, and because in the big scheme of things it's fairly new and most developers haven't had the standard attack vectors to watch for beaten into them yet.
10, 20, even 30 years ago stack/buffer overflows were the big problem and exploitable holes were in everything. But over time developers were beaten into the most basic of checks/using safer functions, and nowadays finding them in anything professional (and public) is few and far between.
Now with the new generation of developers all seemingly taking to the web application space we have a new set of attack vectors that, though understood by a lot of people, aren't part of the standard knowledge of these developers. So we see lots of mistakes.
Was there secure software 20 years ago that wasn't liable to common overflow attacks? Yes. And there are web applications today that are not susceptible to the common web attack vectors.
Kyra Felann
Gallente Neh'bu Kau Beh'Hude Ushra'Khan
|
Posted - 2010.03.25 19:26:00 -
[10]
Edited by: Kyra Felann on 25/03/2010 19:27:23
You act like EVE Gate is giving real-life people access to your real-life medical and financial records or something instead of what it may actually be doing: possibly giving people access to a list of people you had on your contact list as of two weeks ago in a video game about internet spaceships.
Though to be fair, it's what I expect from you by now: paranoia and complaining.
BTW, make sure you're wearing your tinfoil hat to block out CCP's mind-reading beams.
|
|
Narkhana
|
Posted - 2010.03.25 19:44:00 -
[11]
Edited by: Narkhana on 25/03/2010 19:44:35
Originally by: Captain Greeneyes
2) Instead of complaining and releasing something via third-party application, why don't you actually file a bug report. /facepalm OH SNAP, maybe that's what the bug report form is for! Unless you don't trust CCP to do something right, which brings me to my next point.
3) Why do you even play this game? All I've seen from you in the past few days is whine and complain about CCP and EVE Gate. It's a GAME -- you play it for fun. If you're playing it for any other reason, you're doing it wrong. Gate is ALPHA software, and most of the bugs will be ironed out. If you don't want people seeing your contact list, then don't set them to +10.
I for one applaud those who are being vocal about the security issues and design decisions that have opened up private character data to the public. What's the point of filing a bug report when the devs know the issues are there but don't address them. I originally posted a comment about the mutual contact list on 2010.03.23 20:33:00 (it's the first one I can find) and numerous other people have intimated they don't want this feature enabled by default. The devs still haven't changed it. Making comments about the data being 2 weeks old won't mean much to the spymaster who worked for years to build his network, it only takes one person to see that addressbook and his network is toast.
What most people aren't realizing is that the data on Sisi isn't up-to-date productional data, but it's productional data regardless. If they were using TEST data that wasn't associated with active accounts then there wouldn't be an issue and your claim of it being an alpha would be fine. Unfortunately it's not test data and any claim that the bugs will be ironed out eventually is irrelevant.
As for how he plays the game, it's none of your business how he plays it. If he wants to play it by finding holes in CCP's code then good for him; not many people do that, they just want to complain and do nothing to help.
|
|
CCP Karuck
|
Posted - 2010.03.25 19:50:00 -
[12]
Some excellent points there sanswork :)
People must not forget that ALL software is prone to exploits and errors, and today's web applications can be just as complex as other more traditional desktop applications. Modern web development isn't "your boss's uncle who knows how to use Frontpage" anymore. We are very much disciplined in our approach to development of EVE Gate, using modern tools like static code analysers, automated test tools, profilers and unit testing to name a few.
If you are really paranoid, I'd recommend staying away from the internet.. here be dragons :)
Today's applications are complex beasts with tens or hundreds of thousands of lines of code, and when developing features rapidly it can be hard to catch every possible permutation the code can go through.
Rest assured that we are doing the best we can, we are listening to feedback and are not afraid of criticism.. if it's constructive. In the end we are doing all this for our customers, which are you guys!
|
|
|
CCP Karuck
|
Posted - 2010.03.25 19:55:00 -
[13]
Originally by: Narkhana
I originally posted a comment about the mutual contact list on 2010.03.23 20:33:00 (it's the first one I can find) and numerous other people have intimated they don't want this feature enabled by default. The devs still haven't changed it.
Excuse me? We removed the mutual contacts first thing yesterday morning and the change went out in a patch later the same day. In the same patch we raised the requirement to see someone's contacts list to Excellent (+10) standing. And soon you will be able to control all of this yourself (including turning it off!). I know some of you are ****ed about changes, but please get your facts straight and work with us.. instead of against us :)
Originally by: Narkhana
If he wants to play it by finding holes in CCPs code then good for him, not many people do that, they just want to complain and do nothing to help.
I actually applaud people who want to find bugs in our code, but please work with us in fixing them instead of blowing up a storm that does nothing?
|
|
Narkhana
|
Posted - 2010.03.25 20:40:00 -
[14]
Edited by: Narkhana on 25/03/2010 20:40:33
Originally by: CCP Karuck
Excuse me? We removed the mutual contacts first thing yesterday morning and the change went out in a patch later the same day.
As far as I know the first change was when Eve-Gate was brought down around 2010.03.24 15:40:00, 19 hours after I first brought up the issue. If it was removed before that then I'm wrong and I apologize.
Originally by: CCP Karuck
In the same patch we raised the requirement to see someone's contacts list to Excellent (+10) standing. And soon you will be able to control all of this yourself (including turning it off!).
When I said it still wasn't fixed, I was referring to the ability to turn off anyone viewing contacts, not that any of the bugs were still there. Sorry for the confusion.
|
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.25 23:37:00 -
[15]
Edited by: Dr BattleSmith on 25/03/2010 23:41:50
Originally by: Captain Greeneyes
1) If you're going to release open-source software, at least have the decency to write up semantically correct HTML rather than the atrocious code that's currently there. It looks like the HTML was made from a WYSIWYG editor. x_x
lol I have *never* used a WYSIWYG.
It's very basic HTML with an old ugly "HTML is in caps" coding style I picked up on my first job.
Semantically correct? It's HTML 1.0, I doubt you could find any errors in code that simple :-D
This script is very simple, very basic, and very ready for whoever uses it to customise to their individual needs.
It's nothing more than a basic foundation for others to take further.
edit: lol so I ran it through the W3C validator....... 3 errors.... No doctype, no XML namespace, no character encoding....
LOL.... who cares!
|
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.26 00:03:00 -
[16]
For those who are having trouble deleting all your contacts from Sisi 15 at a time via EveGate.
You can get your Sisi account completely deleted via petitions.
|
Qoi
New Eden Warriors
|
Posted - 2010.03.26 16:28:00 -
[17]
So I should use an application from someone who cannot even write proper XHTML and goes all crazy about security, instead of one that is written by people that actually know how to do it?
They made some very, very bad decisions with the default privacy settings at first launch; I'm sure they have learned now. I'm looking forward to EVE Gate.
Exploits? Prove that.
|
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.27 03:08:00 -
[18]
Originally by: Qoi
So I should use an application from someone who cannot even write proper XHTML
The HTML is 100% valid idiot.
Who cares about doctype and XHTML when it's a basic template for personal use.
If you think there is something wrong with that HTML then there is something very wrong with you.
|
Dragonaire
Caldari Corax. New Eden Retail Federation
|
Posted - 2010.03.27 06:24:00 -
[19]
Quote: Rest assured that we are doing the best we can, we are listening to feedback and are not afraid of criticism.. if it's constructive.
CCP Karuck
Quote: If you think there is something wrong with that HTML then there is something very wrong with you.
Dr BattleSmith
Think that sums up my post for me, CCP welcomes help improving stuff and you would rather attack anyone that would question anything you do.
The same kind of arrogance you are showing in your answer above is why no one should use anything you make. It shows you think you know more than everyone else, including people that just might actually know more about stuff like security than you, and if anyone were to point out a real problem with anything you make you'll spend more time trying to prove them wrong than fixing the problem.
-- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API.
|
Lumy
Minmatar eXceed Inc. HYDRA RELOADED
|
Posted - 2010.03.27 11:23:00 -
[20]
Out of curiosity, what is this supposed to be proof of? That you can make bug-free code and CCP can't? Well, your marvelous piece of software engineering has:
Conceptual errors:
1. Storing password as plain text
2. Storing contacts in a text file readable by anyone
Code errors:
1. Not checking if request variable is set (pro move really)
2. Not checking allowed variable values (wanna add Friends, Enemies or Watchlist<script>malicious code here</script>)
3. Vulnerable to XSRF (<img src="http://yourdomain/index.php?action=delContact&id=406769056">, tokens are for losers)
4. Vulnerable to permanent XSS (2 and 3 combined)
Presentation errors (html/javascript):
1. onclick='del(406769056,'Lumy')' - parser must really enjoy this
2. if (confirm("Delete "+charactername+"?")) nothing wrong with this line, except that the function parameter is called $charactername. How is it fixed in the newest version? JS confirm is commented out.
Sorry, I'd rather prefer CCP's EveGate.
Joomla! in EVE - IGB compatible CMS.
|
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.27 17:09:00 -
[21]
Cache cleared.
Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2010.03.27 17:18:00 -
[22]
Arguing with simplicity against obvious errors after claiming loudly that your work is bug-free...
Lumy, you've done great work in beating this scrub to his hole, thanks!
-- Thanks CCP for cu
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.27 18:00:00 -
[23]
Edited by: Dr BattleSmith on 27/03/2010 18:07:11
Originally by: Tonto Auri
Arguing with simplicity against obvious errors after claiming loudly that your work is bug-free...
Lumy, you've done great work in beating this scrub to his hole, thanks!
At revision: 7
The quotes error is fixed and the charactername param used.
The security issues aren't relevant in this context.
Claiming loudly that it was bug free? Not at all, that was specifically a guy calling for XHTML on something so basic like it really mattered.
"Thanx"... geez get over it, just a script for those who want to keep everything separate.
|
Lumy
Minmatar eXceed Inc. HYDRA RELOADED
|
Posted - 2010.03.27 23:35:00 -
[24]
Originally by: Dr BattleSmith
Claiming loudly that it was bug free? Not at all, that was specifically a guy calling for XHTML on something so basic like it really mattered.
Originally by: Dr BattleSmith
The HTML is 100% valid idiot.
Originally by: Lumy
onclick='del(406769056,'Lumy')'
^_^
Originally by: Dr BattleSmith
The security issues aren't relevant in this context.
Then why do you even bother with a password?
Originally by: Dr BattleSmith
...and the charactername param used.
LOL, you didn't get it.
Even if the user treats the script with absolute caution and doesn't enter any malicious input, regular EVE names can still break it. I'll let you figure this one out on your own.
I wonder, do you test whatever you do even once before you commit it to SVN?
Joomla! in EVE - IGB compatible CMS.
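The problems Lumy lists in the review above (unchecked request variables, unvalidated list names, a tokenless delete reachable by GET) together with the onclick quoting that any name containing an apostrophe breaks, shown as a hardened PHP sketch. This is an added example, not code from eveprivateaddressbook or from either poster; the function names, the ALLOWED_* lists and the request/session arrays are assumptions about how such a script is wired up.

```php
<?php
// Added example, not code from the eveprivateaddressbook project: a hardened sketch
// of the pieces Lumy's review singled out. Function names, the ALLOWED_* lists and
// the request/session arrays are assumptions about how such a script is wired up.
declare(strict_types=1);
// Only supported actions and list names are accepted; anything else is rejected
// instead of being written to the contacts file and echoed back into the page later.
const ALLOWED_ACTIONS = ['list', 'addContact', 'delContact'];
const ALLOWED_LISTS   = ['Friends', 'Enemies', 'Watchlist'];

/** Fetch a request variable, or null when it is unset or not a plain string. */
function param(array $request, string $key): ?string
{
    return isset($request[$key]) && is_string($request[$key]) ? $request[$key] : null;
}

/** Constant-time token check, so a wrong token cannot be probed byte by byte. */
function csrf_valid(array $session, ?string $token): bool
{
    return is_string($token) && isset($session['csrf'])
        && hash_equals($session['csrf'], $token);
}

/**
 * Render one contact row. The name passes through two encoders, innermost first:
 * json_encode() makes a JavaScript string literal with quotes, <, > and & as \uXXXX
 * escapes, and htmlspecialchars() makes that literal safe inside a double-quoted
 * HTML attribute. A name like Hel O'Ween can no longer terminate the onclick
 * string, which is what Lumy's "regular EVE names" hint was pointing at.
 */
function render_contact_row(int $characterId, string $characterName): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $jsName  = json_encode($characterName, $flags);
    $onclick = htmlspecialchars("del($characterId, $jsName)", ENT_QUOTES, 'UTF-8');
    $text    = htmlspecialchars($characterName, ENT_QUOTES, 'UTF-8');
    return "<tr><td>$text</td><td><a href=\"#\" onclick=\"$onclick\">delete</a></td></tr>";
}

/** Dispatch one request against the contact table; returns an error message or null. */
function handle(string $method, array $request, array $session, array &$contacts): ?string
{
    $action = param($request, 'action') ?? 'list';
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        return 'unknown action';
    }
    if ($action === 'list') {
        return null;
    }
    // Writes need a POST carrying a valid token, so a cross-site <img src=...> GET,
    // the XSRF case in the review, no longer deletes or adds anything.
    if ($method !== 'POST' || !csrf_valid($session, param($request, 'token'))) {
        return 'missing or invalid CSRF token';
    }
    $id = filter_var(param($request, 'id'), FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'invalid character id';
    }
    if ($action === 'delContact') {
        unset($contacts[$id]);
        return null;
    }
    $list = param($request, 'list');
    if (!in_array($list, ALLOWED_LISTS, true)) {
        return 'unknown list name';
    }
    $contacts[$id] = ['name' => param($request, 'name') ?? '', 'list' => $list];
    return null;
}

// Constructed sample run: a per-session token, a row for an apostrophe-bearing
// name, then a GET delete without a token followed by a tokened POST delete.
$session  = ['csrf' => bin2hex(random_bytes(32))];
$contacts = [406769056 => ['name' => "Hel O'Ween", 'list' => 'Friends']];
echo render_contact_row(406769056, "Hel O'Ween"), "\n";
var_dump(handle('GET', ['action' => 'delContact', 'id' => '406769056'], $session, $contacts));
var_dump(handle('POST', ['action' => 'delContact', 'id' => '406769056', 'token' => $session['csrf']], $session, $contacts));
var_dump(isset($contacts[406769056]));
```

The assumed client-side del() would have to send the token in a POST body rather than building a GET URL, otherwise the server-side check above simply refuses every delete.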
Dragonaire
Caldari Corax. New Eden Retail Federation
|
Posted - 2010.03.27 23:52:00 -
[25]
Quote: Think that sums up my post for me, CCP welcomes help improving stuff and you would rather attack anyone that would question anything you do.
Lumy - You're just proving that quote more and more true, please continue we all need the . But to be truthful it's sad he can't see the point we've all been trying to make.
-- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API.
|
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.28 02:03:00 -
[26]
Originally by: Dr BattleSmith
Claiming loudly that it was bug free? Not at all, that was specifically a guy calling for XHTML on something so basic like it really mattered.
Originally by: Dr BattleSmith
The HTML is 100% valid idiot.
Yes, yes it is. Just because HTML 4.0 and XHTML are specs doesn't make HTML 2.0 invalid.
Bug free? It's a markup language..... If some kid thinks that's me claiming I write bug-free code then that's his problem.
Originally by: Lumy
onclick='del(406769056,'Lumy')'
[code]onclick='del(406769056,"Lumy")'[/code]
Already fixed.
Originally by: Lumy
Originally by: Dr BattleSmith
The security issues aren't relevant in this context.
Then why do you even bother with a password?
For idiots that think they need one. Notice how it doesn't even have a username?
Originally by: Lumy
Originally by: Dr BattleSmith
...and the charactername param used.
LOL, you didn't get it.
lol yeah ok I always mix up JS and PHP var syntax.
Originally by: Lumy
I wonder, do you test whatever you do even once before you commit it to SVN?
Just once, enough for this, either someone wants it and has the ability to customise it to their own needs or they don't.
There is no way in the world that this lil script needs tokens, XHTML, hashed passwords and the like.
But.... If you're willing to waste time writing that code then go ahead and I'll set you up with commit permissions.
|
Johnathan Roark
Caldari The Graduates Morsus Mihi
|
Posted - 2010.03.28 04:35:00 -
[27]
Originally by: Dr BattleSmith
Yes, yes it is. Just because HTML 4.0 and XHTML are specs doesn't make HTML 2.0 invalid.
That's like using Windows 3.1 because it works and is still valid. Newer specs come out to encourage better practices and introduce newer, better technologies.
I find the code in the SVN rather difficult to read and think it would be easier to code the same app from scratch. I'm guessing the PHP for beginners book encourages you to mix PHP, HTML, and whatever else you can think of. And yet, you have a template with a string whose sole purpose is to be replaced with the HTML that you mixed in with your PHP. You would have been better off putting some PHP in that template or looking at a real, thought-out template engine such as Dwoo or Smarty. Also, look at HTML Tidy; it's built into most PHP IDEs and Notepad++, and it goes a long way to fix many of those "I'm too lazy to use the newest spec" errors.
POS-Tracker 3.0 Hosting
Lumy
Minmatar eXceed Inc. HYDRA RELOADED
|
Posted - 2010.03.28 11:27:00 -
[28]
Sigh. Obviously, the subtle smiley doesn't work, so let me be blunt. Nobody cares what kind of HTML spec you claim to use. You claimed the code is 100% valid and called the guy an idiot. I don't know what version of HTML it is supposed to be, but Lumy')' is not valid markup. If I'm wrong, please show me. Forgive me, I don't keep knowledge of technology that has been obsolete for more than a decade.
Originally by: Dr BattleSmith
For idiots that think they need one. Notice how it doesn't even have a username?
At least now we know who the target users of your scripts are, and what you think of them. Really good to know.
Originally by: Dr BattleSmith
There is no way in the world that this lil script needs tokens, XHTML, hashed passwords and the like.
And for that reason I would not recommend even touching it with a standard-issue 10-ft. pole.
Joomla! in EVE - IGB compatible CMS.
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.28 11:54:00 -
[29]
Edited by: Dr BattleSmith on 28/03/2010 11:55:32
Originally by: Johnathan Roark
That's like using Windows 3.1 because it works and is still valid. Newer specs come out to encourage better practices and introduce newer, better technologies.
Tell me one tag in that template that any single user-agent would choke on.
Originally by: Johnathan Roark
better off putting some PHP in that template or looking at a real, thought out, template engine such as Dwoo or Smarty.
A flat file text database and simple str_replace template were chosen specifically so that no template engine or 3rd party libraries would be required.
You seem to be having trouble grasping the concept that this is a simple utility script to fulfill a simple user requirement that some people may find handy.
If you don't...... Awesome for you!
Originally by: Lumy
but Lumy')' is not valid markup.
That is a JavaScript misquote, a bug; the idiot I was referring to was claiming I should have doctypes and an XML header. A silly suggestion for such a template used for such a script.
Originally by: Lumy
Forgive me, I don't keep knowledge of technology that has been obsolete for more than a decade.
HTML has changed? The tags I've used are deprecated? How does using HTML that was valid a decade ago mean that it is invalid today? Which parser/user-agent will choke on code if no doctype is specified?
Originally by: Lumy
At least now we know who are target users of your scripts, and what do you think of them. Really good to know.
I thought it would be enough to shut up idiots screaming on the forum that it wasn't password protected at all.
Didn't expect evangelists to be pulling it apart like some kind of mission from god.
Wish I could have you debug my proper projects.
Originally by: Lumy
And for that reason I would not recommend to even touch it with standard-issue 10-ft. pole.
lol then don't :-P
|
Johnathan Roark
Caldari The Graduates Morsus Mihi
|
Posted - 2010.03.28 15:31:00 -
[30]
Originally by: Dr BattleSmith
Edited by: Dr BattleSmith on 28/03/2010 11:55:32
Originally by: Johnathan Roark
That's like using Windows 3.1 because it works and is still valid. Newer specs come out to encourage better practices and introduce newer, better technologies.
Tell me one tag in that template that any single user-agent would choke on.
I didn't say it would. Most browsers are actually rather good at rendering bad HTML. One thing it will do though is slow it down because it has to figure out how it should parse it.
Originally by: Dr BattleSmith
Originally by: Johnathan Roark
better off putting some PHP in that template or looking at a real, thought out, template engine such as Dwoo or Smarty.
A flat file text database and simple str_replace template were chosen specifically so that no template engine or 3rd party libraries would be required.
You seem to be having trouble grasping the concept that this is a simple utility script to fulfill a simple user requirement that some people may find handy.
If you don't...... Awesome for you!
My point is the way you did it with a single string being used as a placeholder for all your generated HTML that it becomes hard to read.
Originally by: Dr BattleSmith
Originally by: Lumy
but Lumy')' is not valid markup.
That is a JavaScript misquote, a bug; the idiot I was referring to was claiming I should have doctypes and an XML header. A silly suggestion for such a template used for such a script.
Originally by: Lumy
Forgive me, I don't keep knowledge of technology that has been obsolete for more than a decade.
HTML has changed? The tags I've used are deprecated? How does using HTML that was valid a decade ago mean that it is invalid today? Which parser/user-agent will choke on code if no doctype is specified?
You should have doctypes defined. It slows down the browser when you don't. It's not that it won't work without one; it will work better with one. I can get Windows 3.1 to work, should I use it?
Originally by: Dr BattleSmith
Originally by: Lumy
At least now we know who are target users of your scripts, and what do you think of them. Really good to know.
I thought it would be enough to shut up idiots screaming on the forum that it wasn't password protected at all.
Didn't expect evangelists to be pulling it apart like some kind of mission from god.
Wish I could have you debug my proper projects.
Your project's point was to attack an ALPHA version of EVE Gate. Rather than politely pointing out improvements that could be made, you made something claiming it would work better than CCP's attempt.
POS-Tracker 3.0 Hosting