Diomedes Calypso
|
Posted - 2011.04.12 01:39:00 -
[61]
Originally by: CCP Sreegs
Originally by: Diomedes Calypso
…..)
I'm not ignoring the rest of this post, but if there's a very real threat we can very much make this call. I can understand how it could be a problem if you're a guy who's constantly crying wolf, but if you have good people in the right places it tends not to be a problem. One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.
There's a big difference between "A player has reported that he thinks he can access the forums by looking at some cookies" and "Mayday! Mayday!, there are people altering the forums now" The first might take an hour or so or get shoved aside for some other squeaking wheel explosion.
I do trust that once people are certain there is a problem that you are all competent and confident enough to act immediately. I do give you lots of credit there. I know you're hard working, competent guys doing your best.
As working adults though we understand how institutions operate, there is always the danger of "slipping between the cracks" is something people in all businesses, (banking , insurance etc, ). As a real estate broker, there are times when if I need a deal to close by a given date, I cannot trust that going through the normal process will work. I need to assume that the normal process might fail and end run to a higher level to assure that it does (how you do an end-run will vary on the circumstance…I might even show up in person on someone's doorstep to make sure it happens as they know that's the only way to make me go away…)
I also give you personal credit for stating that you believe that there was a serious failure at the institutional process structure level, beyond a human mistake in performance. I think that is the real point.... I'm not a technical person so I can't fairly gauge the level of mistake in this case, but I've seen similar mistakes on the game dynamics level (implementation of the PI discontinuation of npc goods, player insistence from the very first announcement of a new character editor in process that players would need a way to save work and be able to accurately see the actual results before a commitment—which needed to be corrected the week after it was released with all sorts of *****ing moaning and customer service time wasted on it) . Something about the vetting process is amiss on many many levels when astute players see a problem coming before release but it can't win enough support internally (or people with doubts will be castigated for not being team players etc) The pattern seems to extend beyond the security department. Players who love playing the game and see a train-wreck coming are getting trained that only with huge explosions of demonstration can catch the eyes of people in charge at a level that they can stop the momentum of something in process long enough to objectively consider the concerns being raised.
|
Siiee
Recycled Heroes
|
Posted - 2011.04.12 01:40:00 -
[62]
Originally by: CCP Sreegs One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.
I don't think that anyone who's not trolling doubts the speed of your response once notified. The question lies in how you got notified in the first place. Was it a GM that read the exploit petition and passed it along? Was it a moderator that noticed brewing anarchy? It's the delay that we all expect exists due to the petition system (which previously was the only well known official way to pass on this sort of information). If the earliest petition about this exploit was what brought out your response then it's open and shut, but I don't think that many believe that to be the case which is what's fueling the attitude towards the circumstances.
The security email is a great thing and it's really good that you keep pushing it. That will help a lot of these problems.
|
|
CCP Sreegs
|
Posted - 2011.04.12 01:42:00 -
[63]
Originally by: Grimpak
Originally by: CCP Sreegs I'm just not sure I personally get the comparison is all.
I think he meant that the cookie-derp incident has a comparable scope to those two.
Ok, that makes it a bit more clear. I think in general my perspective on that is that it's a large company and none of those incidents involved the same areas of the company. So while the failures could appear to create a pattern, one could also consider that the fact that those mistakes haven't been repeated is also a pattern? |
|
Mitchello
Against ALL Authorities
|
Posted - 2011.04.12 01:42:00 -
[64]
Originally by: CCP Sreegs
Originally by: El'Niaga
We've had promises before that CCP would improve internal practices. Most famously after the T20 incident and then after the boot.ini incident. That's what is concerning of this issue, there seems to be a culture where no one is held accountable and thus no one in CCP feels accountable for anything therefore it keeps happening time and again. Something is rotten in the core.
I'm sorry that I'm selectively quoting and I REALLY don't want to appear to be defensive BUT... to my knowledge we haven't had another T20 or another boot.ini incident. I'm NOT saying you're wrong or right. But, in the interests of providing a differing perspective, companies, especially ones the size of CCP are going to make mistakes. While this was a really bad mistake and you have every single right to be mad about it I'm not sure one should make a comparison to incidents involving completely unrelated areas of the company that occurred over... 5-7 years ago and haven't been repeated since.
I'm just not sure I personally get the comparison is all.
Don't think he is really making a comparison, but sketching what is more something of a perception challenge.
The currency is trust, the case is not about data but about perception, which has a push/pull effect on word of mouth, the same word of mouth which once grew EVE, etc etc.
What you're saying is understood, he's just coming from a different angle. Perception management, basically.
|
Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
|
Posted - 2011.04.12 01:43:00 -
[65]
Originally by: Grimpak
Originally by: CCP Sreegs I'm just not sure I personally get the comparison is all.
I think he meant that the cookie-derp incident has a comparable scope to those two.
I think that is pretty much how it is perceived by the players, to us it doesn't matter that points A and B were resolved, when C happens our minds immediately group A+B+C.
This is human, and it's not wrong (even Sreegs can do nothing about it).
The currency is trust, and it's a finite resource that only regrows slowly and is expended in ever larger amounts with each new error.
But this is not news to CCP, they know this, hopefully they will soon show us how they intend to regain a full(er) wallet of trust with us. I really do hope so anyways.
|
Siiee
Recycled Heroes
|
Posted - 2011.04.12 01:45:00 -
[66]
Originally by: Grimpak
I think he meant that the cookie-derp incident has a comparable scope to those two.
The scope of an incident and the process that allows it to happen have very little if anything in common. You just can't make that comparison with a straight face. There is no system to prevent all "big" issues from happening, you can only work on the process and deal with the outcome as it comes.
|
|
CCP Sreegs
|
Posted - 2011.04.12 01:45:00 -
[67]
Originally by: Diomedes Calypso
Originally by: CCP Sreegs
Originally by: Diomedes Calypso
…..)
I'm not ignoring the rest of this post, but if there's a very real threat we can very much make this call. I can understand how it could be a problem if you're a guy who's constantly crying wolf, but if you have good people in the right places it tends not to be a problem. One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.
There's a big difference between "A player has reported that he thinks he can access the forums by looking at some cookies" and "Mayday! Mayday!, there are people altering the forums now" The first might take an hour or so or get shoved aside for some other squeaking wheel explosion.
I do trust that once people are certain there is a problem that you are all competent and confident enough to act immediately. I do give you lots of credit there. I know you're hard working, competent guys doing your best.
As working adults though we understand how institutions operate, there is always the danger of "slipping between the cracks" is something people in all businesses, (banking , insurance etc, ). As a real estate broker, there are times when if I need a deal to close by a given date, I cannot trust that going through the normal process will work. I need to assume that the normal process might fail and end run to a higher level to assure that it does (how you do an end-run will vary on the circumstance…I might even show up in person on someone's doorstep to make sure it happens as they know that's the only way to make me go away…)
I also give you personal credit for stating that you believe that there was a serious failure at the institutional process structure level, beyond a human mistake in performance. I think that is the real point.... I'm not a technical person so I can't fairly gauge the level of mistake in this case, but I've seen similar mistakes on the game dynamics level (implementation of the PI discontinuation of npc goods, player insistence from the very first announcement of a new character editor in process that players would need a way to save work and be able to accurately see the actual results before a commitment—which needed to be corrected the week after it was released with all sorts of *****ing moaning and customer service time wasted on it) . Something about the vetting process is amiss on many many levels when astute players see a problem coming before release but it can't win enough support internally (or people with doubts will be castigated for not being team players etc) The pattern seems to extend beyond the security department. Players who love playing the game and see a train-wreck coming are getting trained that only with huge explosions of demonstration can catch the eyes of people in charge at a level that they can stop the momentum of something in process long enough to objectively consider the concerns being raised.
heh, I'm "the security department" in the post! You are correct that we need more to go on to isolate the problem but in this case once we were aware of what we should be looking for we got on it pretty quickly. It's late now but maybe tomorrow I'll give you guys a bit more of an understanding of the timeline. |
|
|
CCP Sreegs
|
Posted - 2011.04.12 01:47:00 -
[68]
Originally by: Siiee
Originally by: CCP Sreegs One might notice that in the second half of the response it was essentially minutes from the time I received a notification of an exploit to the time the forum was down.
I don't think that anyone who's not trolling doubts the speed of your response once notified. The question lies in how you got notified in the first place. Was it a GM that read the exploit petition and passed it along? Was it a moderator that noticed brewing anarchy? It's the delay that we all expect exists due to the petition system (which previously was the only well known official way to pass on this sort of information). If the earliest petition about this exploit was what brought out your response then it's open and shut, but I don't think that many believe that to be the case which is what's fueling the attitude towards the circumstances.
The security email is a great thing and it's really good that you keep pushing it. That will help a lot of these problems.
Yeah, I'm glad that gets noticed. It's something I talked about in the presentation at Fanfest as well which is that, for us to be really good at "security" we need to ensure that we have good feedback loops, which might mean tearing down some artificial barriers or instituting new systems to ensure that we're getting information in a timely fashion. The email address being public is a first step in that direction. |
|
Mister Short
|
Posted - 2011.04.12 01:50:00 -
[69]
So when do you think can we expect the (NON-security-related) PR damage control blog about how the new forum is actually not that bad as everybody with complaints about it was claiming ? ...yeah, not your department, you can't say, and if you wager a personal opinion one of your most dearest appendages will get pickled or something to that extent. Right ?
ladies and gentleman, the new incarna release date :P
I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better? Totally.
January 17th, 2015
ladies and gentleman, the new incarna release date
|
Grimpak
Gallente The Whitehound Corporation Frontline Assembly Point
|
Posted - 2011.04.12 01:50:00 -
[70]
Edited by: Grimpak on 12/04/2011 01:54:16
Originally by: CCP Sreegs
Originally by: Grimpak
Originally by: CCP Sreegs I'm just not sure I personally get the comparison is all.
I think he meant that the cookie-derp incident has a comparable scope to those two.
Ok, that makes it a bit more clear. I think in general my perspective on that is that it's a large company and none of those incidents involved the same areas of the company. So while the failures could appear to create a pattern, one could also consider that the fact that those mistakes haven't been repeated is also a pattern?
well all these three incidents really don't have a visible pattern between them.
T20 incident was a dev intervening directly on the game by spawning ingame items for benefit. while the answer of CCP on this issue is debatable, they did react and created the IA department because of it.
boot.ini incident was, for the most part, a very, very simple and basic mistake that even the best can let slip from time to time. Granted it created quite the panic, and many people did have damage done to their computers. CCP's reaction to this was to change their boot.ini to another name.
cookie-derp incident, at least for now, it seems that it was a mixture of events that started in one department, went thru a few others and escalated into the incident proper, thus raising questions about how effective CCP's QA is really.
each and every one of these embarrassing incidents only really have in common the public exposure. ---
Quote: The more I know about humans, the more I love animals.
ain't that right. |
|
El'Niaga
Minmatar Republic Military School
|
Posted - 2011.04.12 01:50:00 -
[71]
Originally by: CCP Sreegs
Originally by: El'Niaga
We've had promises before that CCP would improve internal practices. Most famously after the T20 incident and then after the boot.ini incident. That's what is concerning of this issue, there seems to be a culture where no one is held accountable and thus no one in CCP feels accountable for anything therefore it keeps happening time and again. Something is rotten in the core.
I'm sorry that I'm selectively quoting and I REALLY don't want to appear to be defensive BUT... to my knowledge we haven't had another T20 or another boot.ini incident. I'm NOT saying you're wrong or right. But, in the interests of providing a differing perspective, companies, especially ones the size of CCP are going to make mistakes. While this was a really bad mistake and you have every single right to be mad about it I'm not sure one should make a comparison to incidents involving completely unrelated areas of the company that occurred over... 5-7 years ago and haven't been repeated since.
I'm just not sure I personally get the comparison is all.
You mean like the fatal security system of your current forum fiasco....and yes I'd put that right up there with boot.ini. Also it's well known T20 was not the only individual to cheat in a position of power, though I believe the other was a GM not a dev, maybe even 2 GMs did....
|
Patient 2428190
DEGRREE'Fo'FREE Internet Business School
|
Posted - 2011.04.12 01:54:00 -
[72]
Has there been any investigation into the rest of EVE-Gate to see where it stands security wise? I'd imagine the same team responsible for the forums have worked on EVE gate.
...Then when you stopped to think about it. All you really said was Lalala. |
Herschel Yamamoto
Agent-Orange Nabaal Syndicate
|
Posted - 2011.04.12 01:54:00 -
[73]
I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
|
Mitchello
Against ALL Authorities
|
Posted - 2011.04.12 01:55:00 -
[74]
Originally by: Herschel Yamamoto I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
|
Grimpak
Gallente The Whitehound Corporation Frontline Assembly Point
|
Posted - 2011.04.12 01:58:00 -
[75]
Originally by: Herschel Yamamoto I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
pete's sake that one will haunt CCP for time everlasting
well Sreegs isn't at fault with it really. I don't even think he would've thought he would be working for CCP when it happened ---
Quote: The more I know about humans, the more I love animals.
ain't that right. |
Diomedes Calypso
|
Posted - 2011.04.12 01:59:00 -
[76]
Originally by: Herschel Yamamoto I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
I think people are trying to say that his eyes need to be on something more than what specifically went wrong in this case and that perhaps management outside of security needs to examine if problems stem from company process structure (scrum stuff?)
I also think that the t20 stuff is not at all pertinent though as it was an entirely different sort of bad judgment than releasing unfinished work.
|
Kasriel
Caldari Nadyr Heavy Industries
|
Posted - 2011.04.12 02:00:00 -
[77]
interesting, I'll have to check tomorrow to read more of this but at the moment all I can really add is very good on you Sreegs, you will probably get many people complaining and venting their frustration at you, I'll leave the matter of it being justified or not to other more vocal people than myself, the only thing I wish to add is judging from the (mainly) positive feedback you've received for your actions talking to the community it may be a good idea for this to be more commonplace?
Also while internal matters need to be taken care of internally - and I don't doubt that the vast majority of the player base understands this - when matters affect the players directly they cease to be internal and some feedback and transparency can go a long way, especially if the reports that (for this particular example) during the testing round many issues were raised with the security and functionality of the "new" forums were raised and yet ignored prove to be true, for me at least that is the troubling matter and what has caused the largest loss of trust on my part, if we can't trust CCP to believe their users saying "this is broken" what can we trust? ----------
There's a wonderful world out there..
lets hope it doesn't hit this one |
Mihara Shiharu
|
Posted - 2011.04.12 02:01:00 -
[78]
I blame it on using .NET (damn microsoft), why couldn't you just use python? you know it works so damn good, so why bother with and pay for .NET? WHY?
|
Ven Dak
|
Posted - 2011.04.12 02:01:00 -
[79]
Originally by: Herschel Yamamoto I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
Goons did T20
|
|
CCP Sreegs
|
Posted - 2011.04.12 02:05:00 -
[80]
Off to bed for the night I'll followup again tomorrow morning. |
|
|
Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
|
Posted - 2011.04.12 02:06:00 -
[81]
Originally by: CCP Sreegs Off to bed for the night I'll followup again tomorrow morning.
left you a message ;)
sleep tight duder.
|
Catheryn Martobi
|
Posted - 2011.04.12 02:21:00 -
[82]
Seems like there is a bright side to all this. With all the harassment CCP is getting for this screw-up, this ought to make them take at least a cursory look inward at their current strategy of setting unmeetable deadlines with sub-par products.
|
ModeratedToSilence
|
Posted - 2011.04.12 02:24:00 -
[83]
Is this a good thread to discuss the merit of snorting wasabi?
|
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2011.04.12 02:38:00 -
[84]
It's really very simple.
Your web team is blowing smoke up your ass.
They are fail.
CCP Nathan "the data does not seem to support that polished quality sells" Evelgrivion "each passing year, each failure to deliver on expectations of basic competence" |
Zastrow
GoonWaffe Goonswarm Federation
|
Posted - 2011.04.12 02:38:00 -
[85]
sreegs Please resize image to a maximum of 400 x 120, not exceeding 24000 bytes. If you would like further details please mail [email protected] ~Saint |
Liang Nuren
|
Posted - 2011.04.12 02:42:00 -
[86]
Originally by: Herschel Yamamoto I have to say, it's pretty hilarious that we're giving Sreegs grief over T20, even indirectly.
-- Eve Forum ***** Extraordinaire On Twitter
|
Palovana
Caldari Inner Fire Inc.
|
Posted - 2011.04.12 03:04:00 -
[87]
Originally by: Patient 2428190 Has there been any investigation into the rest of EVE-Gate to see where it stands security wise? I'd imagine the same team responsible for the forums have worked on EVE gate.
I would hope all website-related material is given a security audit in light of this incident. Especially EVE-Gate for reasons you mentioned. ----- Your Plain Text Cookie perfectly strikes New Forums, wrecking for infinite damage. |
mazzilliu
Caldari Sniggerdly Pandemic Legion
|
Posted - 2011.04.12 03:12:00 -
[88]
apparently the guy who first reported the issue and later got banned said that his initial exploit report was incomplete, but there was no ccp effort to get him to elaborate.
perhaps it would be an improvement to have some sort of followup for security related reports, in case the reporter does not understand how to properly demonstrate an exploit, to try to get him to communicate clearly, rather than brush them off as another incomplete bug report or potential troll. i think if that happened the forums might have gone down some time sooner.
|
Kuroki Meisa Kennedy
|
Posted - 2011.04.12 03:31:00 -
[89]
Originally by: mazzilliu apparently the guy who first reported the issue and later got banned said that his initial exploit report was incomplete, but there was no ccp effort to get him to elaborate.
perhaps it would be an improvement to have some sort of followup for security related reports, in case the reporter does not understand how to properly demonstrate an exploit, to try to get him to communicate clearly, rather than brush them off as another incomplete bug report or potential troll. i think if that happened the forums might have gone down some time sooner.
+1 I also feel just killing the messenger is wrong and makes the P in CCP stand for police. |
Misanth
RABBLE RABBLE RABBLE
|
Posted - 2011.04.12 03:39:00 -
[90]
Originally by: Dacil Arandur of all people Akita T has the most to lose!
No. The playerbase as a whole, has, if that monster of a forum comes back. -