Pages: [1] 2 :: one page |
|
Author |
Thread Statistics | Show CCP posts - 0 post(s) |
Aelius
Caldari Caldari State Inc. People for Organised Peace
|
Posted - 2009.05.17 08:43:00 -
[1]
Edited by: Aelius on 17/05/2009 08:42:58
Quote: hello<br>*insert scammer name here* > Hello.<br>To apply for the SQUIREs, you must send me your API key and user ID.<br>Then convo me or Imp Becre for a recruitment conversation.<br>I hope to see you flying with us soon...
The text above is a copy of a local channel scammer, also selling a Stabber as it if were a Navy Stabber.
What are the REAL dangers of providing the API key to someone?! (And yes i've read the CCP notice about it)
Are there some hidden dangers? which ones in the worst case senario?
Tks
|
Max Grundy
|
Posted - 2009.05.17 08:45:00 -
[2]
Edited by: Max Grundy on 17/05/2009 08:48:00 It's safe with just User ID and API key. Don't give out account name/password obviously.
What I do after I give someone my API for whatever reason is to reset it when they are done.
EDIT: To answer your question, there are no dangers unless you are worried about some secret alt on your account getting tied to you or you don't want them to find out how much isk you have or what skills you have trained.
|
TimMc
Gallente Brutal Deliverance Blackguard Coalition
|
Posted - 2009.05.17 08:51:00 -
[3]
First off I would not be interested in a corp who spam local.
Second, there are two types of API keys. Full and Limited.
Limited ones will provide your skills, wallet and implants. Nothing else as I recall.
Full API will provide skills, implants, location of all your assets and a detailed wallet journal (I think). You can also feed killmails off a full API.
|
Maria Kalista
Amarr Emerald Forest Securities
|
Posted - 2009.05.17 09:05:00 -
[4]
Just don't give your full access API key, even then it does NOT give people access to your account.
Having said that: CCP needs to update the text accompanying the EVE API Key management:
Quote: Limited Access API Key Allows access to character sheet and skill training information only. Use this for applications such as skill change notifiers.
Originally by: Jacharian This sounds like a bad idea. I'm in.
|
Imp Becre
|
Posted - 2009.05.17 17:55:00 -
[5]
Since i am mentioned in the first post, i'll reply. What you saw there was a normal recruitment ad. I've told the guy that he shouldn't try to recruit in local anymore. Most corporations will ask you for your API key because of security reasons(avoiding spies in corp etc.) and also for helping you with developing your character. SQUIRE does not ask for any information regarding your account! Only give your API key to people you trust. Fly Safe, Imp Becre
|
Haniblecter Teg
F.R.E.E. Explorer Wildly Inappropriate.
|
Posted - 2009.05.17 18:56:00 -
[6]
He can use it to log onto alliance forums and Team SPeak servers. ----------------- Friends Forever |
Mioelnir
Minmatar Meltd0wn Imperial Republic Of the North
|
Posted - 2009.05.19 19:41:00 -
[7]
Only advantage a scammer gets from your API is - as far as i know - to custom tailer the scam to your wallet.
|
Jacob Mei
|
Posted - 2009.05.19 19:45:00 -
[8]
Edited by: Jacob Mei on 19/05/2009 19:45:57
Originally by: Imp Becre
Most corporations will ask you for your API key because of security reasons(avoiding spies in corp etc.) Imp Becre
Im sorry but I have to laugh at any corporation that actually believes this.
1. Make alt account with buddy program, get 21 days free training. 2. Make alt account full with Plex, continue training. 3. Find sucker corp, apply and give API key. 4. Gain trust. 5. Rip off corp by stealing assets/leaking information/etc. 6. Delete character. 7. Profit!
In my opinion the limited API key gives too much information to strangers who can use it against you. Sun Tzu said it best: "know your enemies and know yourself, you will not be imperiled in a hundred battles". For a corp to know how much money you have in your pocket, your attributes (which can give an indication of what implants you have) and your skills (what you can fly and use) puts you in a vulnerable situation as they can hit you exactly where they need to if they choose to do so. -------------------------------- To borrow a phrase:
Players who post are like stars, there are bright ones and those who are dim.
|
Jack Dant
Minmatar The Gentlemen of Low Moral Fibre
|
Posted - 2009.05.19 20:41:00 -
[9]
Originally by: Jacob Mei Edited by: Jacob Mei on 19/05/2009 19:45:57
Originally by: Imp Becre
Most corporations will ask you for your API key because of security reasons(avoiding spies in corp etc.) Imp Becre
Im sorry but I have to laugh at any corporation that actually believes this.
1. Make alt account with buddy program, get 21 days free training. 2. Make alt account full with Plex, continue training. 3. Find sucker corp, apply and give API key. 4. Gain trust. 5. Rip off corp by stealing assets/leaking information/etc. 6. Delete character. 7. Profit!
If anyone wants to spend a month and several hundred million to infiltrate the Esquires of Questionable Intention, a new player pvp training corp with just enough isk in corp wallet to issue the next wardec, they are free to do so.
A simple API check keeps out the lazy spies who just create a second char on their account, get in corp, and start leaking info.
Just because an expert thief can pick any lock, you don't leave your home open, do you?
|
Jacob Mei
|
Posted - 2009.05.20 01:52:00 -
[10]
Edited by: Jacob Mei on 20/05/2009 01:53:06
Originally by: Jack Dant
Originally by: Jacob Mei Edited by: Jacob Mei on 19/05/2009 19:45:57
Originally by: Imp Becre
Most corporations will ask you for your API key because of security reasons(avoiding spies in corp etc.) Imp Becre
Im sorry but I have to laugh at any corporation that actually believes this.
1. Make alt account with buddy program, get 21 days free training. 2. Make alt account full with Plex, continue training. 3. Find sucker corp, apply and give API key. 4. Gain trust. 5. Rip off corp by stealing assets/leaking information/etc. 6. Delete character. 7. Profit!
If anyone wants to spend a month and several hundred million to infiltrate the Esquires of Questionable Intention, a new player pvp training corp with just enough isk in corp wallet to issue the next wardec, they are free to do so. A simple API check keeps out the lazy spies who just create a second char on their account, get in corp, and start leaking info.
Just because an expert thief can pick any lock, you don't leave your home open, do you?
1. Several hundred million in skills? Ha! It only costs about 4 million and a month to train for an assault ship. Give it another month and you can fly it compitently or at least have the skills needed to fool someone with a "my friend got me hooked into eve and told me to train for this ship class" story. I should also point out that anyone who wants to get into your corp bad enough may not nessessarly care how much isk it costs to do so in the first place.
2. Granted the odds of your corp being targeted for infilitration are high but they are still there. If someone wants in bad enough, they will get in. That is however beside the point. My point is that API keys do more harm to the owner than to the recipient as it shows potental enemies exactly what they are capable of.
3. Ah yes, the old "this rock keeps tigers away, it must be true because I dont see any tigers around here" arguement. API checks are a false sence of security that is easily circumvented by anyone with an interest to do so.
4. Thats why I keep a large breed dog trained to smile right before going for the throat of anyone who isnt "Okay" if in the event the theif does break the lock.
API checks are pathetic for screening out threats. You need to set up your corp in such a way that any information or assets that someone with ill intent does get is either minimal or easy to replace. |
|
Verx Interis
Amarr Embers of Fire
|
Posted - 2009.05.20 02:38:00 -
[11]
Corps asking for API keys is pretty standard. The limited key gives basically wallet balance and skills. Corps ask it so make sure people actually have the skills they claim they do, to tell them what to train for, and to help asses their ability as a pilot. |
Agent Known
Apotheosis of Virtue
|
Posted - 2009.05.20 03:20:00 -
[12]
Originally by: Verx Interis Corps asking for API keys is pretty standard. The limited key gives basically wallet balance and skills. Corps ask it so make sure people actually have the skills they claim they do, to tell them what to train for, and to help asses their ability as a pilot.
That's where certificates come in. The corp just needs to have the applicant set his/her certificates public, then they can have a general idea of what skills they have. It's not a definite, but it works. |
Verx Interis
Amarr Embers of Fire
|
Posted - 2009.05.20 03:33:00 -
[13]
Originally by: Agent Known
Originally by: Verx Interis Corps asking for API keys is pretty standard. The limited key gives basically wallet balance and skills. Corps ask it so make sure people actually have the skills they claim they do, to tell them what to train for, and to help asses their ability as a pilot.
That's where certificates come in. The corp just needs to have the applicant set his/her certificates public, then they can have a general idea of what skills they have. It's not a definite, but it works.
Certificates wouldn't really work.. Up until recently I lacked basic Core Competency because I didn't have shield operation III or something like that.
Since certificates only let you see if you have them or not, not if you have a ton of level 5 skills but don't have a lot of certificates because of skills you don't need and didn't train up.
They just don't show enough info. I don't get why anyone is so uptight about sharing their API, its essentially harmless. |
Jacob Mei
|
Posted - 2009.05.20 03:46:00 -
[14]
Originally by: Verx Interis
I don't get why anyone is so uptight about sharing their API, its essentially harmless.
You have no idea how powerful knowledge is.
Imagine this for a moment: You give your limited API to a corporation that you would like to join as part of their standard application process. CEO or whoever it is downloads your info and sees you have a decent sized wallet as well as what you can fly, as well as what sort of skills you have specced for turrets and defense.
For whatever reason they make up, they decline your application. A few days later while running missions, flying along, etc said corporation attacks you with ship set ups specifically tailored to counter what your skills are trained for. They bring your ship to its hull and the ransom is the amount in your wallet, the amount they know you generally have because you essentially told them how big of a mark you are and what you can do in a combat situation by giving them your limited API.
In this game trust is more valuable than anything and hard to earn, why someone just willingly gives complete strangers the "how much im worth and how to hit me where it hurts" code is beyond me.
Then theres the flip side, which I demonstrated earlier in this thread in how a spy can easily circumvent API key checks as a security measure. |
Velvet69
eXceed Inc.
|
Posted - 2009.05.20 05:13:00 -
[15]
Originally by: Jacob Mei You have no idea how powerful knowledge is...
I had a dream!
Dream on |
Max Grundy
|
Posted - 2009.05.20 06:04:00 -
[16]
Originally by: Jacob Mei In this game trust is more valuable than anything and hard to earn, why someone just willingly gives complete strangers the "how much im worth and how to hit me where it hurts" code is beyond me.
Simple solution: don't give it to complete strangers. Do research on the corp you are applying to. If they're shady, chances are someone else fell victim to them and posted it somewhere.
Also, the situation you described is kind of funny. |
Agent Known
Apotheosis of Virtue
|
Posted - 2009.05.20 06:10:00 -
[17]
I'm in ure APIz stealin' ure infoz. |
Johnathan Roark
Caldari Quantum Industries RAZOR Alliance
|
Posted - 2009.05.20 06:23:00 -
[18]
We ask for api keys for two reasons:
1) Website user verification. There is no other guaranteed way to tell if a user accessing our forums, TS, and other web based services is who they say they are without api key or tons of administrative overhead. Keep in mind we are managing 100s on characters on the corp level and 1000s on the alliance level.
2) The other reason is to make spies work harder. Yes, they can get a second account, but it makes them get the second account. Plus, they have to take the time to actually train it. We tend to look for higher skill point players so it works for us.
overall, there is very little risk in actually giving out your limited api key. And the idea of us working hard enough to get someone's api key, and then ganking them with our setup tailored to their skills is rather laughable, too much effort when we can likely find a target somewhere. Only way we'd put this much effort in is if you flew a supercap, and who would reject someone with a supercap joining? |
Jack Dant
Minmatar The Gentlemen of Low Moral Fibre
|
Posted - 2009.05.20 09:39:00 -
[19]
Originally by: Jacob Mei
1. Several hundred million in skills? Ha! It only costs about 4 million and a month to train for an assault ship.
No, several hundred million in a plex.
Quote:
3. Ah yes, the old "this rock keeps tigers away, it must be true because I dont see any tigers around here" arguement. API checks are a false sence of security that is easily circumvented by anyone with an interest to do so.
No, it's called raising the barrier of entry. Every corp can be infiltrated with enough effort, just like any security mechanism can be broken IRL. You just need to make it not worth the effort.
Quote: API checks are pathetic for screening out threats. You need to set up your corp in such a way that any information or assets that someone with ill intent does get is either minimal or easy to replace.
In the context of empire corps and their wars, the most valuable intel you can get does not require any roles or anything. Just a full list of corp members and access to corp mail/chat, will help the other side enormously. And 50k SP noob alts can get into most corps to that level.
|
Hirana Yoshida
Behavioral Affront
|
Posted - 2009.05.20 09:59:00 -
[20]
API keys are used to access database information only, no changes can be made, so it is perfectly safe.
Before API keys became available the larger (read: more paranoid/security-conscious) entities insisted on character selection screen-shots .. API's do the exact same thing just a lot smoother and hassle free.
We all know and love spies, but that doesn't mean we should make life easy for them. It is not spy-proof, but I am sure it catches the lazier ones
|
|
Cypherous
Minmatar Liberty Rogues Rally Against Evil
|
Posted - 2009.05.20 10:07:00 -
[21]
Originally by: Jacob Mei
Originally by: Verx Interis
For whatever reason they make up, they decline your application. A few days later while running missions, flying along, etc said corporation attacks you with ship set ups specifically tailored to counter what your skills are trained for. They bring your ship to its hull and the ransom is the amount in your wallet, the amount they know you generally have because you essentially told them how big of a mark you are and what you can do in a combat situation by giving them your limited API.
In this game trust is more valuable than anything and hard to earn, why someone just willingly gives complete strangers the "how much im worth and how to hit me where it hurts" code is beyond me.
Except your plan fails in that they have to get you to aggro them before they can actually kill you, i could give you my full skill sheet, doesn't help you in the least because you won't get me to aggro you in high sec :)
|
Karn Mithralia
Minmatar Neh'bu Kau Beh'Hude Ushra'Khan
|
Posted - 2009.05.20 11:11:00 -
[22]
Originally by: Jacob Mei In this game trust is more valuable than anything and hard to earn, why someone just willingly gives complete strangers the "how much im worth and how to hit me where it hurts" code is beyond me.
Exactly.
And thats why if you don't trust me enough to give me your API, you aren't coming close to getting in my corp.
|
SentryRaven
KIA Corp KIA Alliance
|
Posted - 2009.05.20 11:33:00 -
[23]
KIA asks for the FULL API key. Yes, we do. :) --------
EBANK Forum Manager | KIA Recruiting Director |
Sidrat Flush
Caldari Life is Experience
|
Posted - 2009.05.20 12:04:00 -
[24]
EXP-L asks for the full api key as well, and we're happy to explain why we ask for it it's almost a standard response so I'm going to type it here then copy and paste it up for future use.
We ask for a full API key in order to:
i) See what skills you have and what direction you're heading in, we'll make suggestions as well which you can take onboard
ii) To find out what you've got fitted to your ships to make suggestions and of course get you to post up the fittings so other people within the corp can see what you've done, and why it works.
iii) To determine where your ISK is coming from or going to. It's your Isk, so we don't tell you how to spend it, however it means we can investigate suspicious activity so that we don't accidently recruit a macro miner or part time Isk seller. If there's an item you sell on a regular basis either because you build it yourself or from rat drops, the corporation can make an offer to you for a price, depending on the item and its usage of course.
iv) Certificates suck so we use the API information.
v) Make life just a bit more difficult for spies to get in, and root out the habitual liars who state their abilities well above their skill set.
This is one part of an ongoing process, even if you do make it into the corporation it's up to yourself to participate and actively engage in corp operations or develop ideas and suggestions for new ones.
And that's pretty much it, yes it can be side stepped of course, but it's more interesting to get the people who don't want to send the API key to us than having an application come straight in with the api plastered all over it, oh well, we don't own outposts or have a 0.0 base so meh.
EXP-L Eve Industrial Organiser |
Meeogi
Amarr Lone Star Privateers
|
Posted - 2009.05.20 12:17:00 -
[25]
Originally by: Jacob Mei
Originally by: Verx Interis
I don't get why anyone is so uptight about sharing their API, its essentially harmless.
You have no idea how powerful knowledge is.
Imagine this for a moment: You give your limited API to a corporation that you would like to join as part of their standard application process. CEO or whoever it is downloads your info and sees you have a decent sized wallet as well as what you can fly, as well as what sort of skills you have specced for turrets and defense.
For whatever reason they make up, they decline your application. A few days later while running missions, flying along, etc said corporation attacks you with ship set ups specifically tailored to counter what your skills are trained for. They bring your ship to its hull and the ransom is the amount in your wallet, the amount they know you generally have because you essentially told them how big of a mark you are and what you can do in a combat situation by giving them your limited API.
In this game trust is more valuable than anything and hard to earn, why someone just willingly gives complete strangers the "how much im worth and how to hit me where it hurts" code is beyond me.
Then theres the flip side, which I demonstrated earlier in this thread in how a spy can easily circumvent API key checks as a security measure.
I like your ridiculous conspiracy theory...I really do! ...of course..nothing tells a pilot more about a ships capabilities then just knowing what ship hes in.. Or..you get a neutral pilot with a ship scanner...and fit accordingly .....damn dude...Could you send me other conspiracy theory's ......
And if your mega wealthy...guess what...you can probably afford a good defense.
Outside of your crrrazzzy "there all going to get me" view..Limited API is perfectly safe.
A quick BattleClinic search is all one usually needs to know every thing you fly. Wax on Wax off |
Jacob Mei
|
Posted - 2009.05.20 14:00:00 -
[26]
Originally by: Max Grundy
Simple solution: don't give it to complete strangers. Do research on the corp you are applying to. If they're shady, chances are someone else fell victim to them and posted it somewhere.
I agree in that an applicant should do research but from where I am coming from in my opinion you are still giving an individual a fair amount of information about yourself that has no demonstrated a reason to be given that trust in the first place.
Originally by: Cypherous
Except your plan fails in that they have to get you to aggro them before they can actually kill you, i could give you my full skill sheet, doesn't help you in the least because you won't get me to aggro you in high sec :)
Ah yes, how could I forget that High sec is 100% safe, especially the 0.5 ones .
Originally by: Karn Mithralia
Exactly.
And thats why if you don't trust me enough to give me your API, you aren't coming close to getting in my corp.
What form of trust you give the applicant? ItĘs a two way street in my opinion.
Originally by: Meeogi
I like your ridiculous conspiracy theory...I really do! ...of course..nothing tells a pilot more about a ships capabilities then just knowing what ship hes in.. Or..you get a neutral pilot with a ship scanner...and fit accordingly .....damn dude...Could you send me other conspiracy theory's ......
And if your mega wealthy...guess what...you can probably afford a good defense.
Outside of your crrrazzzy "there all going to get me" view..Limited API is perfectly safe.
A quick BattleClinic search is all one usually needs to know every thing you fly.
My point of view is that the more you know about someone the easier it is to defeat them.
-------------------------------- To borrow a phrase:
Players who post are like stars, there are bright ones and those who are dim.
|
Cypherous
Minmatar Liberty Rogues Rally Against Evil
|
Posted - 2009.05.20 14:32:00 -
[27]
Originally by: Jacob Mei
Ah yes, how could I forget that High sec is 100% safe, especially the 0.5 ones .
Fine i'll come sit in a 0.5 high sec system and i'll give you my limited API, hell i'll even give you the fit of the ship i'm flying, show me how exactly you're going to kill me without concord ****ing you in the ass long berfore you have any sort of chance to ransom me :)
|
Imp Becre
|
Posted - 2009.05.26 14:41:00 -
[28]
Originally by: Jacob Mei blah blah blah..
u mad?
|
billtcips mimatar
|
Posted - 2009.07.14 14:59:00 -
[29]
Originally by: Jacob Mei Edited by: Jacob Mei on 19/05/2009 19:45:57
Originally by: Imp Becre
Most corporations will ask you for your API key because of security reasons(avoiding spies in corp etc.) Imp Becre
Im sorry but I have to laugh at any corporation that actually believes this.
1. Make alt account with buddy program, get 21 days free training. 2. Make alt account full with Plex, continue training. 3. Find sucker corp, apply and give API key. 4. Gain trust. 5. Rip off corp by stealing assets/leaking information/etc. 6. Delete character. 7. Profit!
In my opinion the limited API key gives too much information to strangers who can use it against you. Sun Tzu said it best: "know your enemies and know yourself, you will not be imperiled in a hundred battles". For a corp to know how much money you have in your pocket, your attributes (which can give an indication of what implants you have) and your skills (what you can fly and use) puts you in a vulnerable situation as they can hit you exactly where they need to if they choose to do so.
That is why i balanced out, and i keep all my isk in terms of assests, yeah, it sucks cause i can never pay ransom, but beingbalanced and no one able to see my isk makes me more trouble then i am worth especiaclly since i use jump clones to travell from highsec to where my buds are fairly stable. but either way dont tempt fate is my advice, you can give it if you want but ask some good questions, and make them prove their worth to you as well as yours to them.
|
Kaylan Jahlar
Minmatar Industrial Limited
|
Posted - 2009.07.14 15:26:00 -
[30]
The API information you can fetch is all read only. That said, someone with full access to your Full API key, can access all of your wallet information, your assets, your skills and if you are in a corporation and have access to that info yourself, the location of all your outposts and corporation assets. This can provide valuable information to enemy corp and alliances if it is sold to them.
Fortunately, there's tools to reset compromised API keys.
Just go here: http://www.eveonline.com/api/default.asp
You can use the buttons on this page to create a new key (both for the restricted and full one). Doing so will render any previous key invalid.
You can also see a log of access attempts to your API information: http://www.eveonline.com/api/log.asp
If you suspect that someone has had unauthorized access to your key, just reset it.
________________
Kaylan Jahlar
The Assembly Hall needs your support! |
|
|
|
|
Pages: [1] 2 :: one page |
First page | Previous page | Next page | Last page |