CCP Shadow
C C P C C P Alliance
Posted - 2011.05.27 07:36:00 -
[1]
Hello capsuleers,
We hope you enjoyed the May 26th Live Dev Blog on Customer Support and Security, with some insights from CCP Sreegs, GM Nova, and GM Nythanos.
We're interested in whatever constructive feedback you have that will help us improve future Live Dev Blogs. Please let us know what you think in this thread. We'll be keeping an eye on this Feedback thread and taking your views into account as we move forward with our Live Dev Blogs.
-- Shadow
DeBingJos
Minmatar Jukebox Warriors
Posted - 2011.05.27 07:39:00 -
[2]
Blog was good, better than the previous one. Sound quality was better and the answers were better.
Not so much 'I'm not allowed to talk about that'.
Orbington
Posted - 2011.05.27 07:51:00 -
[3]
Any way to listen to it if I missed it?
Ophelia Ursus
Posted - 2011.05.27 07:58:00 -
[4]
Originally by: Orbington Any way to listen to it if I missed it?
Signature removed.
CCP Guard
Posted - 2011.05.27 08:11:00 -
[5]
We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.
We will have it ready for you as soon as possible and we'll announce it so you can't miss it.
Strazdas Unstoppable
Posted - 2011.05.27 08:26:00 -
[6]
It was quite interesting, even though one always wishes he'd get more details out of such things. It was pretty short though, 46 minutes. Too bad I didn't get to ask anything, as the EVE forums went down right at the time it started; at least the audio stayed on so it was all good.
Sedontane
Posted - 2011.05.27 08:41:00 -
[7]
Originally by: CCP Guard We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.
We will have it ready for you as soon as possible and we'll announce it so you can't miss it.
Can I play it loud from my office stereo or is that stipulation limited to cars?
CCP Guard
Posted - 2011.05.27 09:11:00 -
[8]
Originally by: Sedontane
Originally by: CCP Guard We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.
We will have it ready for you as soon as possible and we'll announce it so you can't miss it.
Can I play it loud from my office stereo or is that stipulation limited to cars?
Play it as loudly as you can in your office stereo so your friends will have no choice but to start playing, yet without risking your income stream which you presumably use to pay for your EVE Online subscription. That would be my professional opinion on that subject.
CCP Guard
Posted - 2011.05.27 09:16:00 -
[9]
Originally by: Strazdas Unstoppable It was quite interesting, even though one always wishes he'd get more details out of such things. It was pretty short though, 46 minutes. Too bad I didn't get to ask anything, as the EVE forums went down right at the time it started; at least the audio stayed on so it was all good.
It was the first one I organized and I had so much fun during the show and after. The bonus was hanging around talking and goofing with players in the Live Dev Blog channel afterwards. Stick around next time, we'll do another one before too long.
Iurnan Mileghere
Singularity Foundation
Posted - 2011.05.27 15:14:00 -
[10]
For those who might have missed it and don't want to wait for the podcast, I put my notes up on my blog.
Andrea Griffin
Posted - 2011.05.27 18:02:00 -
[11]
Originally by: Iurnan Mileghere For those who might have missed it and don't want to wait for the podcast, I put my notes up on my blog.
Excellent notes, thank you for putting these up. However:
Originally by: Dev Blog Notes GM Grave says he is the best GM.
You can only be the best GM if you like ponies. Does he like ponies? I demand proof in the form of pictures. I fully expect his desk area to be full of ponies.
- "When I nerf something, it takes 2-3 months for your dreams to be crushed." - CCP Big Dumb Object
Mynas Atoch
Eternity INC. Goonswarm Federation
Posted - 2011.05.27 19:05:00 -
[12]
Originally by: CCP Guard We recorded the whole thing and we'll make a podcast audio file out of it which you can then share with everyone you have ever come across, and you can even play it loudly in your car stereo with your windows rolled down.
We will have it ready for you as soon as possible and we'll announce it so you can't miss it.
The average leader speech for a large power block in EVE is posted in multiple locations within thirty minutes. Are you in need of technical assistance from the community?
delonewolf
Posted - 2011.05.27 20:41:00 -
[13]
If you don't want to wait for the podcast you can listen to the live dev blog on youtube here:
youtube
Now you can't edit out the confirmation that finding hacked accounts involves a tub of water, a compass and a monkey.
Miilla
Minmatar Hulkageddon Orphanage
Posted - 2011.05.28 13:20:00 -
[14]
RSA key SEED database compromised.
http://www.teamshatter.com/topics/database-security/rsa-warns-customers-after-company-is-hacked/
Now Lockheed Martin hacked with DUPLICATED RSA SecurID keys
http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/
The EVE Online RSA dongles are using RSA seeds allocated to the manufacturer of the keys.
Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?
I assume they are, to be on the safe side.
After all, hacking Lockheed Martin with duplicated keys (with known SEEDs) was easy; CCP should be easier.
Since CCP stated in their last Live Dev Blog chat they wanted this to be an item they wanted "to make a profit on", in their own words,
I see this as nothing more than security profit theater if the seeds are compromised.
Ariz Black
Posted - 2011.05.28 16:39:00 -
[15]
Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:
Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient. Please can we have an answer here?
Miilla
Minmatar Hulkageddon Orphanage
Posted - 2011.05.28 16:58:00 -
[16]
Originally by: Ariz Black Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:
Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient. Please can we have an answer here?
May as well not bother with the dongle, most likely those seeds were part of the RSA raid.
CCP Sreegs
Posted - 2011.05.28 17:40:00 -
[17]
Originally by: Miilla
Originally by: Ariz Black Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:
Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient. Please can we have an answer here?
May as well not bother with the dongle, most likely those seeds were part of the RSA raid.
This wouldn't be true even if RSA was our vendor, which they're not.
CCP Sreegs
Posted - 2011.05.28 17:43:00 -
[18]
Originally by: Ariz Black Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:
Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient. Please can we have an answer here?
I didn't ignore this on purpose; I actually never saw this question. We'll be looking into it, but it may not be a part of the initial deployment. As soon as I have something solid I'll let you know.
CCP Sreegs
Posted - 2011.05.28 17:45:00 -
[19]
Originally by: Miilla
RSA key SEED database compromised.
http://www.teamshatter.com/topics/database-security/rsa-warns-customers-after-company-is-hacked/
Now Lockheed Martin hacked with DUPLICATED RSA SecurID keys
http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/
The EVE Online RSA dongles are using RSA seeds allocated to the manufacturer of the keys.
Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?
I assume they are, to be on the safe side.
After all, hacking Lockheed Martin with duplicated keys (with known SEEDs) was easy; CCP should be easier.
Since CCP stated in their last Live Dev Blog chat they wanted this to be an item they wanted "to make a profit on", in their own words,
I see this as nothing more than security profit theater if the seeds are compromised.
We said we probably wouldn't make a profit on it. I'd really appreciate it if we wouldn't fearmonger or misrepresent what was actually quite clearly stated. Thanks!
Miilla
Minmatar Hulkageddon Orphanage
Posted - 2011.05.28 18:30:00 -
[20]
Edited by: Miilla on 28/05/2011 18:34:04
Originally by: CCP Sreegs
Originally by: Miilla
RSA key SEED database compromised.
http://www.teamshatter.com/topics/database-security/rsa-warns-customers-after-company-is-hacked/
Now Lockheed Martin hacked with DUPLICATED RSA SecurID keys
http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/
The EVE Online RSA dongles are using RSA seeds allocated to the manufacturer of the keys.
Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?
I assume they are, to be on the safe side.
After all, hacking Lockheed Martin with duplicated keys (with known SEEDs) was easy; CCP should be easier.
Since CCP stated in their last Live Dev Blog chat they wanted this to be an item they wanted "to make a profit on", in their own words,
I see this as nothing more than security profit theater if the seeds are compromised.
We said we probably wouldn't make a profit on it. I'd really appreciate it if we wouldn't fearmonger or misrepresent what was actually quite clearly stated. Thanks!
I'm just saying what I heard on the audio, which was choppy; not my fault the audio feed bounced about, with a difficult accent to hear on low quality audio bandwidth. It was not CLEARLY stated on the receiving end, maybe on your uber bandwidth server but not on EDGE/GPRS bandwidth.
I'm not fearmongering, just saying what I heard. If that is the case, fine. There is still the issue about the seeds that is a concern.
Miilla
Minmatar Hulkageddon Orphanage
Posted - 2011.05.28 18:33:00 -
[21]
Edited by: Miilla on 28/05/2011 18:34:58
Originally by: CCP Sreegs
Originally by: Miilla
Originally by: Ariz Black Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:
Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient. Please can we have an answer here?
May as well not bother with the dongle, most likely those seeds were part of the RSA raid.
This wouldn't be true even if RSA was our vendor, which they're not.
No, RSA's vendor is to the manufacturers that license the technology.
RSA licenses the technology and contains manufacturer seeds in their databases.
I never once said RSA was your vendor.
CCP Sreegs
Posted - 2011.05.28 19:52:00 -
[22]
Originally by: Miilla Edited by: Miilla on 28/05/2011 18:58:28
Originally by: CCP Sreegs
Originally by: Miilla
Originally by: Ariz Black Unless I missed it, CCP ignored the question which I posted in the questions thread before the lock, and which even a 2nd pilot asked be answered as well:
Will CCP be providing a software version of the account authenticator, specifically an Android/iPhone app? Many other companies (Google, Blizzard, Trion, to name a few) offer this service. Carrying around physical keys is not nearly as convenient. Please can we have an answer here?
May as well not bother with the dongle, most likely those seeds were part of the RSA raid.
This wouldn't be true even if RSA was our vendor, which they're not.
No, RSA's vendor is to the manufacturers that license the technology.
RSA licenses the technology and contains manufacturer seeds in their databases.
I never once said RSA was your vendor.
I will quote what I said here: "Can CCP confirm that the seeds allocated to the manufacturer of these keys were not part of that compromised set?"
Did I say RSA was your vendor? We all know it's not, but it uses RSA licensed technology and THEIR database was raided.
Why wouldn't it be true if they grabbed the manufacturer seeds and data that RSA sell to the manufacturers of your keys?
Can you explain WHY it wouldn't be true? You know more about this technology than me.
Please, make us feel confident in the security keys. Explain to us how it works with seeds and the manufacturer (the RSA licensee) and RSA (the technology licenser).
I didn't selectively quote your statement, and that was the statement I was responding to. At a more appropriate time (like nearer to deployment) I'll be happy to discuss the security ins and outs of our specific implementation. In the meantime feel free to research the subject yourself at:
www.rsa.com www.vasco.com http://en.wikipedia.org/wiki/Two-factor_authentication
Adrian Idaho
|
Posted - 2011.05.28 20:11:00 -
[23]
Edited by: Adrian Idaho on 28/05/2011 20:11:27
Originally by: Miilla The usual...
Dude, you just don't troll Sreegs. Ever.
Miilla
Minmatar Hulkageddon Orphanage
Posted - 2011.05.29 09:54:00 -
[24]
Originally by: Adrian Idaho Edited by: Adrian Idaho on 28/05/2011 20:11:27
Originally by: Miilla The usual...
Dude, you just don't troll Sreegs. Ever.
Want a lollipop?
Mara Rinn
Posted - 2011.05.30 02:19:00 -
[25]
Originally by: Miilla Please, make us feel confident in the security keys. Explain to us how it works with seeds and the manufacturer the RSA Licensee and RSA the technology licenser.
To associate a SecurID authenticator (as used by Blizzard for WoW, and shortly CCP for EVE) with an account, you have to submit the serial number of the key and two consecutive generated codes. This establishes the sequence of generated codes that the key will use.
To guess the next code your key generates, an attacker will need to know the serial number of your key and at least one (timestamped) code generated by that key in the recent past, based on the assumption that the seeds for that key are known. The simple means of avoiding this attack is for the user and service provider to never release the key's serial number to anyone. Depending on your level of paranoia, you may decide to throw out the keyfob and get a new one based on a fresh key. Given the assumption that the keyfob will not defend against determined attackers, a more pragmatic user will simply rely on the serial number never being revealed, and ensure that procedures are in place for a customer to report a keyfob as being lost/stolen.
A more likely attack scenario is the one that has been successfully used against World of Warcraft, where a virus/trojan infects the victim's computer with a "man in the middle" attack, intercepting the username, password and current key value. The MITM attack sends an incorrect security code to the server on behalf of the victim, but routes the correct code to the attacker's systems where they can now log in as that user, strip all resources of value from the account, and abandon it.
There is some further reading about the RSA seed compromise here.
So, what attacks will the keyfob defend against when working correctly with secret seeds?
Only the one where the attacker doesn't have access to the current code on your RSA SecurID key (or the serial number of that key and a timestamped record of any code it has generated in the past).
Thus the keyfob will protect you from the miscreant trying to brute force their way into your account (guessing your username/password, for example), end of story.
The two main vectors for attacks against EVE Online accounts secured by keyfobs are going to be phishing the users, or compromising their computers to insert MITM attacks. A phishing or MITM attack will have a window of opportunity of up to 30 seconds (the refresh interval for the SecurID token), so using the keyfob will restrict the range of phishing attacks to only those that occur in real-time (i.e.: all phishing attacks will be done real-time).
TL;DR:
- Given the seeds, the attackers still need your serial number and at least one generated code (unless the algorithm behind the system is particularly broken)
- Even when working, the SecurID system only protects against certain attacks
- SecurID does not protect against MITM attacks (e.g.: shady Internet café or infected home computer)
- SecurID does not protect against live phishing attacks (e.g.: malicious website)
- No system of authentication can protect the service from stupid users
-- [Aussie players: join ANZAC channel]
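The enrollment-and-verification flow described in the post above (serial number plus two consecutive codes, a 30-second refresh interval), written out as an added example that is not part of the original thread or of CCP's or RSA's implementation. It uses an HMAC-SHA1 time-step construction as a stand-in for SecurID's proprietary algorithm, a constructed seed record, and hypothetical names (TokenServer, SN-000001); it shows, from the service side, why a code captured by a phisher or MITM is only useful inside its 30-second step and cannot be replayed, and why the serial-to-seed mapping is the secret that matters.

```python
import hashlib
import hmac
import struct

STEP = 30   # seconds per code: the refresh interval the post gives
DRIFT = 1   # accept one step of clock skew either side of server time

# Constructed sample of the vendor's serial-to-seed records (hypothetical values).
SEED_DB = {"SN-000001": bytes.fromhex("0123456789abcdef0123456789abcdef")}


def token_code(seed: bytes, t: int, digits: int = 6) -> str:
    """Code the fob would show during the 30-second step containing time t.
    HMAC-SHA1 over the step counter is a TOTP-style stand-in here, not
    SecurID's proprietary algorithm; the seed is the per-fob secret."""
    counter = t // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenServer:
    """Service side of the scheme the post describes (hypothetical class)."""

    def __init__(self, seeds_by_serial):
        self.seeds = seeds_by_serial   # serial -> seed: the secret that must not leak
        self.accounts = {}             # account -> serial bound at enrollment
        self.last_counter = {}         # account -> last step accepted (replay guard)

    def enroll(self, account, serial, code1, code2, now):
        """Bind a fob to an account. The user proves possession with two
        consecutive codes; searching a small window around 'now' lets the
        server recover which step the fob is on. Returns True on success."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        base = now // STEP
        for c in range(base - DRIFT - 1, base + DRIFT + 1):
            if (token_code(seed, c * STEP) == code1
                    and token_code(seed, (c + 1) * STEP) == code2):
                self.accounts[account] = serial
                self.last_counter[account] = c + 1   # both codes are now spent
                return True
        return False

    def verify(self, account, code, now):
        """Accept a code only for the current step (+/- DRIFT) and only once,
        so a code seen by a phisher or MITM is useless after ~30 s and
        cannot be replayed even inside that window."""
        serial = self.accounts.get(account)
        if serial is None:
            return False
        seed = self.seeds[serial]
        base = now // STEP
        for c in range(base - DRIFT, base + DRIFT + 1):
            if c <= self.last_counter[account]:
                continue   # already consumed, or older than the last accepted step
            if hmac.compare_digest(token_code(seed, c * STEP), code):
                self.last_counter[account] = c
                return True
        return False
```

Note that nothing here stops a real-time relay inside the window, which is exactly the MITM/live-phishing gap the post calls out; the replay guard only closes the "use it again later" case.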
Lederstrumpf
Posted - 2011.05.31 14:52:00 -
[26]
Originally by: CCP Shadow We're interested in whatever constructive feedback you have
What are you willing to pay?
Vincent Athena
Posted - 2011.05.31 15:25:00 -
[27]
I'm somewhat disappointed that you did not get to my questions. Any possibility of my getting some sort of replies?
Miilla
Minmatar Hulkageddon Orphanage
Posted - 2011.06.01 13:07:00 -
[28]
Edited by: Miilla on 01/06/2011 13:07:48
Originally by: Mara Rinn
Originally by: Miilla Please, make us feel confident in the security keys. Explain to us how it works with seeds and the manufacturer the RSA Licensee and RSA the technology licenser.
To associate a SecurID authenticator (as used by Blizzard for WoW, and shortly CCP for EVE) with an account, you have to submit the serial number of the key and two consecutive generated codes. This establishes the sequence of generated codes that the key will use.
To guess the next code your key generates, an attacker will need to know the serial number of your key and at least one (timestamped) code generated by that key in the recent past, based on the assumption that the seeds for that key are known. The simple means of avoiding this attack is for the user and service provider to never release the key's serial number to anyone. Depending on your level of paranoia, you may decide to throw out the keyfob and get a new one based on a fresh key. Given the assumption that the keyfob will not defend against determined attackers, a more pragmatic user will simply rely on the serial number never being revealed, and ensure that procedures are in place for a customer to report a keyfob as being lost/stolen.
A more likely attack scenario is the one that has been successfully used against World of Warcraft, where a virus/trojan infects the victim's computer with a "man in the middle" attack, intercepting the username, password and current key value. The MITM attack sends an incorrect security code to the server on behalf of the victim, but routes the correct code to the attacker's systems where they can now log in as that user, strip all resources of value from the account, and abandon it.
There is some further reading about the RSA seed compromise here.
So, what attacks will the keyfob defend against when working correctly with secret seeds?
Only the one where the attacker doesn't have access to the current code on your RSA SecurID key (or the serial number of that key and a timestamped record of any code it has generated in the past).
Thus the keyfob will protect you from the miscreant trying to brute force their way into your account (guessing your username/password, for example), end of story.
The two main vectors for attacks against EVE Online accounts secured by keyfobs are going to be phishing the users, or compromising their computers to insert MITM attacks. A phishing or MITM attack will have a window of opportunity of up to 30 seconds (the refresh interval for the SecurID token), so using the keyfob will restrict the range of phishing attacks to only those that occur in real-time (i.e.: all phishing attacks will be done real-time).
TL;DR:
- Given the seeds, the attackers still need your serial number and at least one generated code (unless the algorithm behind the system is particularly broken)
- Even when working, the SecurID system only protects against certain attacks
- SecurID does not protect against MITM attacks (e.g.: shady Internet café or infected home computer)
- SecurID does not protect against live phishing attacks (e.g.: malicious website)
- No system of authentication can protect the service from stupid users
"To guess the next code your key generates, an attacker will need to know the serial number of your key"
>> You mean the pictures of keyfobs showing the serial numbers that fanfest participants released onto the internet showing them off?
Xtoveruss
Posted - 2011.06.02 14:38:00 -
[29]
Would be nice if you finally fixed EVE Voice so all EVE players can use it.
John'eh
Gallente Asteroid Belt Protection Services
Posted - 2011.06.06 09:13:00 -
[30]
Edited by: John'eh on 06/06/2011 09:15:26
Originally by: CCP Shadow We're interested in whatever constructive feedback you have
And yet history shows you don't actually listen to it.
From a security standpoint, you have had multiple people attempt to help CCP with the different security issues EVE has had over the years. I'm one of them; I constantly do what I can to help and I am mostly ignored. Emails just go into the void, forum posts are ignored, or worse, censored by support staff who may be on the take from people exploiting the flaws for money in the real world.
I don't feel like any of the constructive feedback - and valuable information that otherwise you would have spent money on getting from a paid consultant - that you have gotten from your customer base has actually been listened to, as many of these issues STILL EXIST today.
So basically the best feedback I can give you here is you guys need to stop acting like you're listening and actually DO listen, instead of getting butt-hurt and ignoring people who are trying to help you.