| Pages: [1] 2 :: one page |
| Author |
Thread Statistics | Show CCP posts - 1 post(s) |
Kitchie
Gallente
Kitchie's Logistics and Marketing Corp
   |
Posted - 2009.05.20 03:48:00 -
[1]
An ISK seller managed to send his sales spam to every member of my corp, including alts that almost never logon.
Now the only way that I can think of for him to get all the names is that one of the software tools, advertised here in MD, has sold/given the APIs to an RMT company.
There's nothing that my API reveals that I'm worried about but it's not a nice feeling to know that it's been stolen for nefarious reasons...
No idea which tool it was but be warned.......
Dynasty Banking - DBANK |
Frenden Dax
Dax Acquisitions
|
Posted - 2009.05.20 03:58:00 -
[2]
The same thing happened to me; one of my characters has been in 0.0 for over nine months, and out of the blue got an isk seller mail a few days back (three days? Can't remember.) I shrugged, dismissed it as wierdness, and moved on. Apparently it wasn't wierdness.
I only use EveWalletAware and EVEMon.
|
Brock Nelson
Caldari
Flux Technologies Inc
|
Posted - 2009.05.20 04:01:00 -
[3]
Got one of those mail too for an alt of mine that I only logged in once a week in a remote system...
Another thing to mention, my account was broken into last month. The only thing I had on my laptop (which as wiped few days before) was EVE and Evemon...
Blueprint Store |
Mara Rinn
|
Posted - 2009.05.20 04:08:00 -
[4]
Have you entered your API key in other tools on other platforms, such as an iPhone or Crackberry?
|
Brock Nelson
Caldari
Flux Technologies Inc
|
Posted - 2009.05.20 04:18:00 -
[5]
Nope
Blueprint Store |
EVEHelpisSeriousBusiness
|
Posted - 2009.05.20 04:21:00 -
[6]
You realize that your API User & Key have nothing to do with your login name, right? Right?
|
Kitchie
Gallente
Kitchie's Logistics and Marketing Corp
|
Posted - 2009.05.20 04:22:00 -
[7]
Edited by: Kitchie on 20/05/2009 04:32:24
 Originally by: EVEHel****eriousBusiness
You realize that your API User & Key have nothing to do with your login name, right? Right?
What has that got to do with the price of bread? This is about using an API key to get the names of all characters on an account and/or in a corporation.
Edit: Just realised you're talking about Brock's a/c being hacked. I do know that some people's character names are the same as their login name, doesn't help with the password though......
Dynasty Banking - DBANK |
Brock Nelson
Caldari
Flux Technologies Inc
|
Posted - 2009.05.20 04:28:00 -
[8]
Originally by: EVEHel****eriousBusiness
You realize that your API User & Key have nothing to do with your login name, right? Right?
Maybe but how else did someone get it?
Blueprint Store |
EVEHelpisSeriousBusiness
|
Posted - 2009.05.20 04:31:00 -
[9]
Edited by: EVEHel****eriousBusiness on 20/05/2009 04:33:08
Originally by: Kitchie
Originally by: EVEHel****eriousBusiness
You realize that your API User & Key have nothing to do with your login name, right? Right?
What has that got to do with the price of bread? This is about using an API key to get the names of all characters on an account and/or in a corporation.
You see, when someone posts a panicked "OMG MY ACCOUNT WAS HACKED BY _SOME UNKNOWN API KEY TOOL_" it increases the price of flour because the farmers spend less time growing wheat and more time ****ting themselves and changing API keys. Hence the price you pay for bread goes up, as the available flour supply is not only smaller but also smells faintly of shat pants.
Is that more clear?
Originally by: Brock Nelson
Originally by: EVEHel****eriousBusiness
You realize that your API User & Key have nothing to do with your login name, right? Right?
Maybe but how else did someone get it?
That's a much better question than jumping straight to blaming the API, but since I'm not harvesting character names I really don't know.
|
corestwo
Goonfleet Investment Banking
GoonSwarm
|
Posted - 2009.05.20 04:38:00 -
[10]
Originally by: EVEHel****eriousBusiness
Edited by: EVEHel****eriousBusiness on 20/05/2009 04:33:08
Originally by: Kitchie
Originally by: EVEHel****eriousBusiness
You realize that your API User & Key have nothing to do with your login name, right? Right?
What has that got to do with the price of bread? This is about using an API key to get the names of all characters on an account and/or in a corporation.
You see, when someone posts a panicked "OMG MY ACCOUNT WAS HACKED BY _SOME UNKNOWN API KEY TOOL_" it increases the price of flour because the farmers spend less time growing wheat and more time ****ting themselves and changing API keys. Hence the price you pay for bread goes up, as the available flour supply is not only smaller but also smells faintly of shat pants.
Is that more clear?
 Excellent reply
To the OP: The "nefarious purpose" of spamming you and your corpmates with isk selling ads is about all he can do with the API. Ignore him and move on.
-------------
Goonfleet Investment Banking - Bringing you the spoils of Delve!
Search Corestwo and Goonfleet Investment Banking under "issued by" on contracts for the current item list! |
Professor Leech
Transmetropolitan
|
Posted - 2009.05.20 04:38:00 -
[11]
I think we should panic and behave irrationally.
Originally by: Crawe DeRaven
this thread is obviously going places
|
Brock Nelson
Caldari
Flux Technologies Inc
|
Posted - 2009.05.20 04:40:00 -
[12]
Edited by: Brock Nelson on 20/05/2009 04:41:10
Originally by: EVEHel****eriousBusiness
Edited by: EVEHel****eriousBusiness on 20/05/2009 04:33:08
Originally by: Brock Nelson
Originally by: EVEHel****eriousBusiness
You realize that your API User & Key have nothing to do with your login name, right? Right?
Maybe but how else did someone get it?
That's a much better question than jumping straight to blaming the API, but since I'm not harvesting character names I really don't know.
That's a much better response than jumping straight to assuming that I was blaming the API...
Edit: Oh wait
Blueprint Store |
EVEHelpisSeriousBusiness
|
Posted - 2009.05.20 04:46:00 -
[13]
Originally by: Brock Nelson
Edited by: Brock Nelson on 20/05/2009 04:41:10
Originally by: EVEHel****eriousBusiness
Edited by: EVEHel****eriousBusiness on 20/05/2009 04:33:08
Originally by: Brock Nelson
Originally by: EVEHel****eriousBusiness
You realize that your API User & Key have nothing to do with your login name, right? Right?
Maybe but how else did someone get it?
That's a much better question than jumping straight to blaming the API, but since I'm not harvesting character names I really don't know.
That's a much better response than jumping straight to assuming that I was blaming the API...
Edit: Oh wait
Still waiting.
|
Kitchie
Gallente
Kitchie's Logistics and Marketing Corp
|
Posted - 2009.05.20 04:48:00 -
[14]
Edited by: Kitchie on 20/05/2009 04:58:47
Originally by: corestwo
To the OP: The "nefarious purpose" of spamming you and your corpmates with isk selling ads is about all he can do with the API. Ignore him and move on.
I'm not sure that you've really thought through how your API key can be used.
A couple of examples off the top of my head.
- Full API of corp director will show which systems you have POSes in and also the contents of those POSes. Not sensitive information?
- Reputation may mean nothing to a Goon but some people would rather not have the names of their alts publicly revealed.
edit: rewrite
Dynasty Banking - DBANK |
Bloody Rabbit
|
Posted - 2009.05.20 05:03:00 -
[15]
Originally by: Kitchie
Edited by: Kitchie on 20/05/2009 04:58:47
Originally by: corestwo
To the OP: The "nefarious purpose" of spamming you and your corpmates with isk selling ads is about all he can do with the API. Ignore him and move on.
I'm not sure that you've really thought through how your API key can be used.
A couple of examples off the top of my head.
- Full API of corp director will show which systems you have POSes in and also the contents of those POSes. Not sensitive information?
- Reputation may mean nothing to a Goon but some people would rather not have the names of their alts publicly revealed.
edit: rewrite
Like me, I don't want my actions to take an effect on my main. So why are your alts tied to your main on the API account?
Use a GTC to fund the char to start with or transfer isk to a ! which buys a char then delete the ! after the sale is done. Instant distances from your scamming/dirtybag/scumsucker main.
|
EVEHelpisSeriousBusiness
|
Posted - 2009.05.20 05:19:00 -
[16]
Edited by: EVEHel****eriousBusiness on 20/05/2009 05:20:17
Originally by: Bloody Rabbit
Originally by: Kitchie
Edited by: Kitchie on 20/05/2009 04:58:47
Originally by: corestwo
To the OP: The "nefarious purpose" of spamming you and your corpmates with isk selling ads is about all he can do with the API. Ignore him and move on.
I'm not sure that you've really thought through how your API key can be used.
A couple of examples off the top of my head.
- Full API of corp director will show which systems you have POSes in and also the contents of those POSes. Not sensitive information?
- Reputation may mean nothing to a Goon but some people would rather not have the names of their alts publicly revealed.
edit: rewrite
Like me, I don't want my actions to take an effect on my main. So why are your alts tied to your main on the API account?
Use a GTC to fund the char to start with or transfer isk to a ! which buys a char then delete the ! after the sale is done. Instant distances from your scamming/dirtybag/scumsucker main.
Launder it through two or three !'s, don't just use one.
Originally by: Kitchie
Edited by: Kitchie on 20/05/2009 04:58:47
Originally by: corestwo
To the OP: The "nefarious purpose" of spamming you and your corpmates with isk selling ads is about all he can do with the API. Ignore him and move on.
I'm not sure that you've really thought through how your API key can be used.
A couple of examples off the top of my head.
- Full API of corp director will show which systems you have POSes in and also the contents of those POSes. Not sensitive information?
- Reputation may mean nothing to a Goon but some people would rather not have the names of their alts publicly revealed.
edit: rewrite
OH NOES! They might find out where I keeps my rifter BPOs!
|
Gawain Hill
|
Posted - 2009.05.20 06:54:00 -
[17]
Ofcause if it happened within the last week then the api info bit tells you who downloaded your api info and does other neat tricks I asume but then I don't use my api key for anything very often
|
Ji Sama
Caldari
Tash-Murkon Prime Industries
|
Posted - 2009.05.20 08:18:00 -
[18]
Originally by: Professor Leech
I think we should panic and behave irrationally.
I agree this is the only logical and rational reaction!
*Ji Sama starts to panic and behave irrationallycallycal!*
Quote:
The SCC-LOUNGE is now offering Secure Commerce Services @ www.scc-lounge.wordpress.com
|
RaTTuS
BIG
Libertas Fidelitas
|
Posted - 2009.05.20 08:32:00 -
[19]
to the OP,
how many people in your corp?
who has director access [as that will be needed for finding corp members] and have you generated the api for for that?
Which toold have you used and which have been given the full ai access code
which other members of your corp have done this,
--
RaTTuS @ InEve, Capital Prints for sale |
Hel O'Ween
Academy of Truth
|
Posted - 2009.05.20 10:04:00 -
[20]
Originally by: Gawain Hill
Ofcause if it happened within the last week then the api info bit tells you who downloaded your api info and does other neat tricks I asume but then I don't use my api key for anything very often
Yepp, check out http://www.eveonline.com/api/log.asp
--
EVEWalletAware - an offline wallet manager |
Sophie Daigneau
CAPITAL Assistance in Destruction Society
GoonSwarm
|
Posted - 2009.05.20 13:15:00 -
[21]
Why hack the api when you could just write a script to parse out all the names in this thread?
|
Marcus Baltar
|
Posted - 2009.05.20 13:33:00 -
[22]
Forgive my ignorance (please), but does the full API key really list all of a corporation's membership? I looked around but could not find any information about this.
I know it does for assets and other corporation or personal items, but actual other players names in the same corporation?
-- --- --
DesuSigs |
Kouryusei
Caldari
|
Posted - 2009.05.20 13:47:00 -
[23]
Originally by: Marcus Baltar
Edited by: Marcus Baltar on 20/05/2009 13:42:28
Forgive my ignorance (please), but does the full API key really list all of a corporation's membership? I looked around but could not find any information about this.
I know it does for assets and other corporation or personal items, but actual other players names in the same corporation?
edit: Nevermind, just found it does - must have been looking at old info/using the wrong tools.  /edit
http://www.eveonline.com/api/doc/data-members.asp
-----
eveHOSTED - Hosting you can afford.
eveTALK - Ventrilo / Teamspeak at affordable prices. |
ingenting
20th Legion
Sodalitas XX
|
Posted - 2009.05.20 14:17:00 -
[24]
i use evemon and eve trader. i only get the occational mail on my jita alt.
_________________
- "Welcome to EVE, remember to insu *BAAOOM*... Told you, newb."
|
Alec V3
|
Posted - 2009.05.20 15:01:00 -
[25]
Hmm, if i had to take a guess i would say that its not an API being stolen, its just being used. It's not possible to view buddy lists through the API, however the wallet journal one would serve well.
I learned the following first hand from my bank project (which is now closed due to exams, ive just given out refunds. Lack of support mainly, ****s) anyway.
The XML dump for the wallet can give ALLOT of data.
The key thing is name, weather you are buying or selling your name is recorded.
as a result (much like my bank system did) all a computer has to do is flick through it. and look for the names, to make this system work faster, you could use the supplied primary key (transaction ID) to not do stuff twice.
As a result any player's API key is a threat to those who feel threatened by isk adds (?)
Alec
|
Dzil
Caldari
Second Quadrant Ice Division
|
Posted - 2009.05.20 15:17:00 -
[26]
Ok - but if all someone wants is a list of names why not just use your own wallet/market transaction log to generate names? IE drop a regional buy for small iridium ammo or something and isk spam every sucker that sells you one?
That this guy would bother to specific target a corp leads me to think he's after that corp - an isk selling site could easily be a front to a keylogger, and the spammer after a director role from which he could rob the corp blind.
It goes without saying, I would STRONGLY urge all members of your corp to delete that evemail and not visit that website :)
|
Vested Interest
|
Posted - 2009.05.20 16:17:00 -
[27]
Would it be possible to build a tool, or perhaps add to evemon, the ability to alert us if an unknown IP downloads our logs?
|
Hel O'Ween
Academy of Truth
|
Posted - 2009.05.20 16:41:00 -
[28]
Possible: yes (technically speaking).
But any tool would violate CCP's TOS, as you need to login with your EVE account details in order to retrieve your API access log.
This would make the situation even worse: instead of stealing your API key (how bad that might be, depending on the rights your chars have), you would open yourself to account hijacking.
--
EVEWalletAware - an offline wallet manager |
Vested Interest
|
Posted - 2009.05.20 17:10:00 -
[29]
Oh good call, they don't expose the log itself via API 
|
Kouryusei
Caldari
|
Posted - 2009.05.20 17:56:00 -
[30]
Originally by: Vested Interest
Would it be possible to build a tool, or perhaps add to evemon, the ability to alert us if an unknown IP downloads our logs?
I use such a tool myself (took about 10 minutes to make), but I wouldn't recommend using a 3rd party tool for this in case someone has every intention of stealing your account details.
-----
eveHOSTED - Hosting you can afford.
eveTALK - Ventrilo / Teamspeak at affordable prices.
intraPAY - A market tool of some kind... >_>. |
| |
|
| Pages: [1] 2 :: one page |
| First page | Previous page | Next page | Last page |