Max Torps
eXceed Inc.
|
Posted - 2009.12.21 17:42:00 -
[1]
Edited by: Max Torps on 21/12/2009 17:43:09
Hi all.
Eve Instant Messenger is a Jabber instant messenger client that uses the Eve Online API to authenticate chat room participants. This ensures communication between all members without the need to use a multitude of IM services. It also provides a function where alerts can be broadcast to all chat room participants to act as a "Call to Arms". Eve IM can be opened or minimised to system tray.
You can download the Windows Installer here: http://www.starfleetcomms.com/files/EveIM.exe
MD5 Sum: 02945796fc3a8c641f009109d0200ead
Eve Instant Messenger is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. Source code available: https://code.google.com/p/eveim/
Overview: Eve Instant Messenger is a jabber instant messenger client that uses the Eve Online API to authenticate chat room participants. This ensures communication between all members without the need to use a multitude of IM services. It also provides a function where alerts can be broadcast to all chat room participants to act as a "Call to Arms". Eve IM can be opened or minimised to system tray.
Features: Eve IM uses API authentication to provide confidence that the people in your corporation chat room are corporation members.
Security: Authentication by API
Security through obscurity: Server location, Corporation password, Hashing of room names, Room names not listed on server
Usage: Starfleet Comms (www.starfleetcomms.com) provide a default Openfire server for use with Eve Instant Messenger, however for performance and security you may wish to use your own server. This is encouraged. Please find further details on Openfire here: http://www.igniterealtime.org/projects/openfire/
Setting up an Openfire server is easy to do and as simple as installing the server and opening port 5222 (if using default - this is also default Jabber port). You would then distribute the server IP to corpmates for them to enter in their Eve IM clients.
How it works: The Eve IM client can hold 3 sets of API keys. These are saved on exit.
1: Enter or select your User ID/API key pair.
2: Verify server IP is correct. (You may have a corp issued one).
3: If your corporation uses a password, please enter it.
4: Click login. If successful Eve IM will present you with a character list.
5: Choose the character you wish to log in with, this will need to belong to the correct corporation.
6: A new window opens, this is the chat window.
7: You may mute Alerts, you may log chats.
8: Alerts can only be broadcast at certain intervals to help prevent alert spamming.
9: You may minimise the application and get on with other things, it takes very little system resource.
Note: If you failed to enter the correct password (if used) then you will be in a different chat room from your fellow corp members.
Note: A corporation can issue a new password to members at any time they wish.
Note: If the Eve API is unavailable and the response is not cached, API authentication will fail with a suitable error message.
Edit: Fail at linking @MaxTorps
|
chadsshop
|
Posted - 2009.12.22 20:08:00 -
[2]
so anyone tried this yet?
|
R3V0LV3R
Caldari Revolt Industries
|
Posted - 2009.12.22 23:49:00 -
[3]
I have, it's alright, they don't use the full extent of the jabber client yet, right now it's simply a chat room, I would like to see a "buddy list" with your friends' online status like googletalk, and have the chatroom available. Was hoping it would be a quick and easy setup for a jabber server but it's not quite. I like the simplistic feel, but I would like a buddy list to be able to message certain people. The chatroom just feels too clunky.
|
Max Torps
eXceed Inc.
|
Posted - 2009.12.23 10:09:00 -
[4]
Thank you for your comments R3V0LV3R, I'll certainly look into them.
For information, the client has been downloaded a few hundred times now so it's looking good. Thank you to everyone who is giving it a try. It is a small scale corp only chat client at present but additions can be made over time and that is something I am keen to do.
If anyone would like to assist with this project, either eve mail me in game or email me at maxtorps at gmail dot com.
Eve Instant Messenger
|
KaarBaak
Minmatar Situation Grey
|
Posted - 2010.02.08 23:28:00 -
[5]
Tried downloading this today.
Download went ok. Started .exe and get "The Setup files are corrupted. Please obtain a new copy of the program"
Downloaded from the link provided. Running Win7. File size of EveIM.exe is 150kb.
kb KB
My blogs: Tastes Like Chicken EvE Meta-Gaming |
Max Torps
Nomadic Conglomerate
|
Posted - 2010.03.12 13:58:00 -
[6]
Originally by: KaarBaak Tried downloading this today. Download went ok. Started .exe and get "The Setup files are corrupted. Please obtain a new copy of the program"
Probably a transient internet network error. There have been quite a few downloads since with many connections to the server. Maybe you can try again?
Also, in other news, a new version is coming out very soon with some improvements.
Eve Instant Messenger - A Call to Arms
|
BR0k3n5w0rD
Amarr
|
Posted - 2010.03.29 16:11:00 -
[7]
Is there a way to make this work for alliance level or is it just members in the same corp that can chat?
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.04.04 12:10:00 -
[8]
An alliance version is on its way very soon. In fact, it should be ready in the next few days. I just need to do some tidying up with regard to layout.
|
BR0k3n5w0rD
Amarr
|
Posted - 2010.04.05 10:44:00 -
[9]
Excellent, I look forward to it.
|
BR0k3n5w0rD
Amarr
|
Posted - 2010.04.06 00:47:00 -
[10]
I would appreciate it if you can send me a mail when the alliance part is working.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.04.07 01:14:00 -
[11]
Originally by: BR0k3n5w0rD I would appreciate it if you can send me a mail when the alliance part is working.
Not a problem.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.04.07 18:39:00 -
[12]
Eve Online Instant Messenger Alliance Edition is now released.
|
Gertrud ToD
Terrorists of Dimensions Electric Monkey Overlords
|
Posted - 2010.04.11 04:22:00 -
[13]
since this software has come up in a few discussions lately, and i got a bit suspicious, since for example no addons to the server are required - i took the liberty to look at the code available at google code.
first of all, the code is horrible - now some folks will blame that on visual basic being the language of choice (which is a weird choice btw), but even for that it looks horrible - some objects simply have the automatic, by the gui designer assigned name, some variable names are all-lowercase, others are mixed case. The access levels of the subs seem a bit random too.
The API "verification" used pretty much is only responsible for picking out corpname / username, however the way it is implemented allows various ways to tamper with this, starting by modifying the api-cache, ending by simply creating a copy of the client which allows the user to simply input corp / user without any API access at all.
The only "working" "security feature" is the creation of roomnames which consists of the chosen roomname + a base64 converted md5 checksum of the roomname + the password, meaning rotating the password does not change a password for the room, it just throws the members in another room (members with the old password won't get an access denied, but simply will land in a channel with less members in it)
What does all this mean?
The claimed features (being certain that only corp members are in the room) / the security features (authentication through API) are worthless since they can be worked around. Bringing it down to people knowing the password (ex members, spies, 3rd parties who got the password through whatever means), something which is covered with real password authentication, user-based passwords, user to channel authentication (instead of channel based "public" passwords) by other chat solutions quite well.
1 out of 10 points for at least trying
PS: security by design over security through obscurity
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.04.11 09:29:00 -
[14]
I think I'll start by explaining the concept behind this application.
The initial approach taken was to make it as easy as possible for a corp to set up a jabber server and have an instant solution with as little techbobbing as possible.
So it was a requirement that no server config was required and very little to be done client side.
Certainly, more secure applications can be written requiring some server side config to be done and also a little more tweaking client side but there ends the out of the box instant solution.
It does give you security by design rather than security by obscurity but again, how secure is that really? You can have a spy in your corp with a full account and authenticated access no matter what you do with servers and clients.
I'm going to look at the API cache issue you mentioned in more detail however the response cache is something that is a requirement for API use to lighten the load on the API servers...I'll need to look at implementing something a bit more hidden in those terms then but in itself that is not a security hole as such although I agree it does lessen confidence somewhat about the API.
To prevent faking anything working, there is the option to use a password - which all corps use for TS/Vent, killboards etc. Same as usual in other words.
And yes, it just chucks people in a room by themselves if they get the password wrong. End result, they are not in the right room at all and not visible to others, they also cannot see others.
As for claims, I have only ever claimed that the software is as secure as the Corp using it and it is not a panacea for your existing security issues. As mentioned, API use won't prevent spying at all and that is not its purpose.
So what is its purpose? The purpose of this is to provide a simple, single solution for corp or alliance members to be alerted of a need to be in game whilst they are playing something else rather than a combo of telephone calls, several different IM clients - all of which have their own metagaming issues anyway.
In all, any application can be improved. If anyone really wants to help with development then they are free to do so. People are using it, and so far it serves its designated purpose.
|
Gertrud ToD
Terrorists of Dimensions Electric Monkey Overlords
|
Posted - 2010.04.11 10:24:00 -
[15]
Originally by: Max Torps
The initial approach taken was to make it as easy as possible for a corp to set up a jabber server and have an instant solution with as little techbobbing as possible.
Creating extensions to existing servers and a simple-installer would solve the addressed goals much better than your "solution"
Originally by: Max Torps
So it was a requirement that no server config was required and very little to be done client side.
which is the picking of the wrong requirements - requirements should have been "easy as **** to setup" not "no config"
Originally by: Max Torps
As for claims, I have only ever claimed that the software is as secure as the Corp using it and it is not a panacea for your existing security issues. As mentioned, API use won't prevent spying at all and that is not its purpose.
From your original Post:
Originally by: Max Torps
Features: Eve IM uses API authentication to provide confidence that the people in your alliance/corporation chat room are alliance/corporation members.
Security: Authentication by API
since it's quite easy to run around the API this is BS, i call it as i see it.
Originally by: Max Torps
To prevent faking anything working, there is the option to use a password - which all corps use for TS/Vent, killboards etc. Same as usual in other words.
Killboard-Passwords are no critical information (and quite often given out to allies as well), as for TS/Vent/Forums and stuff like that: usually each user has his own account there, which in many cases has been authed serverside against API (check this forum for scripts that do that).
Originally by: Max Torps
In all, any application can be improved. If anyone really wants to help with development then they are free to do so.
with a language which most more experienced people avoid, and code with the issues i mentioned in my other Post? Good luck finding someone.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.04.11 20:37:00 -
[16]
Seeing as we are in tittle tattle mode and you are selectively quoting, you may as well read this one.
Originally by: Max Torps
For maximum security rotate your alliance/corporation password regularly. The alliance/corporation password generates unique room names.
And regarding code experience and language choice, well hey, we all start somewhere.
You have some great points, many of which I will take on board. However it is plain you just don't like the idea of this solution too. Each to their own really. I would again, welcome any assistance from those who are willing to step up and give a little time and effort. Failing that, I will continue as I have with improving the application in the time I have.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.04.11 20:44:00 -
[17]
Originally by: Gertrud ToD
Creating extensions to existing servers and a simple-installer would solve the addressed goals much better than your "solution"
A great help would be a pointer in this direction. I certainly don't mind radically altering the package if this really would be a better solution. It's all about helping the community.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.04.12 19:05:00 -
[18]
Version 1.0.1.2 is released. This version does not utilise file system API caching and is therefore no longer vulnerable to users creating/adjusting xml files to impersonate users.
|
Aodha Khan
Minmatar Ghost Festival Naraka.
|
Posted - 2010.04.27 10:59:00 -
[19]
Originally by: Gertrud ToD with a language which most more experienced people avoid, Good luck finding someone.
Plenty of good developers in VB. You're just posting FUD. TIOBE
Very nice application. Keep up the good work.
So in war, the way is to avoid what is strong and to strike at what is weak. |
Gertrud ToD
Terrorists of Dimensions Electric Monkey Overlords
|
Posted - 2010.05.01 04:13:00 -
[20]
Edited by: Gertrud ToD on 01/05/2010 04:14:01 Edit: fixed open quote
Originally by: Aodha Khan with a language which most more experienced people avoid, Good luck finding someone.
Plenty of good developers in VB. You're just posting FUD. TIOBE
Tiobe goes for the general popularity, that does not measure any quality or any target audience at all.
Ask 50 people who have professional experience with at least 4 programming languages if they would recommend you to use VB, then come back.
Originally by: Max Torps
Version 1.1.1.2 is released. This version does not utilise file system API caching and is therefore no longer vulnerable to users creating/adjusting xml files to impersonate users. Previous versions of Eve Instant Messenger will not be able to communicate with this newer version. I'd like to thank those who have emailed me for their support.
So i thought "let's check the code again, let's see if he really fixed it, or just cloaked the problems a bit"
and i went to the site, and couldn't find the googlecode link anymore... so i checked the FAQ:
Originally by: FAQ
The reason I am not publishing the code is because I have made several changes to the code to prevent the older versions connecting to the more secure versions and viewing the code can be used to subvert the new security of the application. I have also altered the encoding of room names significantly and do not wish that method to fall in to the wrong hands.
LOL.
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html
but yeah, just hide your stuff, that will make it more secure.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.05.01 10:02:00 -
[21]
Eve API authentication happens in real time with no file system caching at all, you can test that for yourself.
Being as that is now fixed, it's important to ensure the older clients cannot be used to communicate with the ones with API authentication fixed so I have introduced two methods of separating them. Those methods would be easily circumvented by looking at the code and a client could be built from that that allowed communication if the source code was published.
What you are now doing is smearing this. You've attacked the language used, which is a rather irrelevant thing to do. You've attacked the naming convention used which is also irrelevant and you are now trying to attack the fixes made with no good reason other than you as self appointed guardian cannot now view it.
Get back in your box, troll.
|
Tokas III
Minmatar Frost Fighters
|
Posted - 2010.05.01 10:18:00 -
[22]
+ rep for trying something different. Good luck with it!
|
Gertrud ToD
Terrorists of Dimensions Electric Monkey Overlords
|
Posted - 2010.05.01 16:08:00 -
[23]
Originally by: Max Torps
Being as that is now fixed, it's important to ensure the older clients cannot be used to communicate with the ones with API authentication fixed so I have introduced two methods of separating them. Those methods would be easily circumvented by looking at the code and a client could be built from that that allowed communication if the source code was published.
Translation: the underlying problem is not really fixed, you are working around it.
Besides, if the circumventing would only affect one of the clients, and that one can't do harm to others, then there is no reason to hide it. However if a modified client is able to do malevolent stuff to other participants of your chat, then there is a much more serious problem.
Originally by: Max Torps
What you are now doing is smearing this. You've attacked the language used, which is a rather irrelevant thing to do. You've attacked the naming convention used which is also irrelevant and you are now trying to attack the fixes made with no good reason other than you as self appointed guardian cannot now view it easily.
i am "attacking" you hiding your fixes, cause if it was fixed you had nothing to hide.
Originally by: Max Torps If you were interested in actually helping, you would be doing exactly that but your motivation is obvious to see.
right, that's why i mentioned it instead of just ignoring your thing - because my motivation is sooo bad.
Originally by: Max Torps
The link you gave does have some interesting discussion that could be applied to all software on these boards. In fact it goes through the lifecycle of software development very well and it seems that Eve IM is following that.
It pretty much explains why opensource is not harming security if you actually learn from what you are told about your code. Hiding your code is pretty much NOT taking that advantage. Besides, without implying any malevolent behaviour by yours i would strongly advise anyone not to download any software from the forums where he doesn't have access to the source. again, that's not pointing at your little hiding game, it's a general advice about downloading software.
Originally by: Max Torps You pointed out a flaw that I was not initially aware of and I fixed it. My job then was to ensure that older clients that could be used by non-API authenticated users could not join in on chats with API authenticated users. So I did that and released the fixed version. And I'll continue to fix flaws as they are found, as does everyone here with their projects.
Ok, a hint for you how i still can API authenticate myself, even without you caching it directly (just to show you that this is an issue that you cannot catch client side):
step 1) install webserver
step 2) place xml files there that are the answers you want the client to get from the API
step 3) edit your hosts file, so api.eveonline.com will be resolved to 127.0.0.1
step 4) bang.
as i mentioned before, you will have to tackle authentication serverside.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.05.01 16:26:00 -
[24]
Originally by: Gertrud ToD
Ok, a hint for you how i still can API authenticate myself, even without you caching it directly (just to show you that this is an issue that you cannot catch client side):
step 1) install webserver
step 2) place xml files there that are the answers you want the client to get from the API
step 3) edit your hosts file, so api.eveonline.com will be resolved to 127.0.0.1
step 4) bang.
as i mentioned before, you will have to tackle authentication serverside.
Well this is the interesting stuff that actually helps. Everything else is you making claims about me hiding stuff for nefarious purposes which isn't true. I'll look into this...it throws new light on several programs that use API authentication though doesn't it? Meanwhile I will obviously withdraw the application until I have a fix. Thanks for pointing it out but no thanks for the method and tone.
|
Max Torps
Nomadic Conglomerate
|
Posted - 2010.05.01 18:57:00 -
[25]
Ok, to combat this newest problem, what about a check to determine if api.eveonline.com is pointing to the right IP. That would surely resolve this?
|
Dragonaire
Caldari Corax. New Eden Retail Federation
|
Posted - 2010.05.01 19:14:00 -
[26]
Max Torps - The only way to earn anyone's trust is by trusting them with the truth. It's normal human nature to think there's something wrong going on when you start hiding something especially when it's a stranger doing it. As soon as you start denying you're doing anything wrong you lose any good will you might have had as well. They'll never feel they can trust you again as you think hiding the truth is more important than anything else and if something like this happens again you'll try hiding it from them and never really fixing it.
I hope you can step back from this and try seeing it from everyone else's point of view and learn from it. I also hope you can overcome the mountain it has become for something that should have been a small bump someone caught their toe on and told you about so you'd know and could do something about it.
-- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API.
|
Gertrud ToD
Terrorists of Dimensions Electric Monkey Overlords
|
Posted - 2010.05.01 22:53:00 -
[27]
Originally by: Max Torps Ok, to combat this newest problem, what about a check to determine if api.eveonline.com is pointing to the right IP. That would surely resolve this?
nah it would not.. not that hard to assign "the right IP" in a local network, with a bit of knowledge on how to set routes.
you would need a way to verify if the server answering is the authentic ccp server - which you cannot.
|
Ix Forres
Caldari Vanguard Frontiers Intrepid Crossing
|
Posted - 2010.05.02 00:43:00 -
[28]
I've not gone through and read this entirely, but a few months back myself and Makurid looked at building a platform that could be used for secure chatting such that not even the centralized operator would be able to read the messages being exchanged on it while still assuring API security and user identity.
Long story short; it's complicated. We were looking at a system that used clientside public/private key generation, asymmetric and symmetric cryptography for message/multiuser chat security, and reauthentication with the API for public key fingerprints, and that's just the start of it. In the end we decided we had better things to do, like fix bugs in EVE Metrics.
I've done this project in smaller form for a few alliances; a little systray app that can be sent messages from a central server. Want a fleet? Hit a button, all users get an update. Security on that was difficult; chat is considerably more complex.
Without source code, this app is useless. I mean this in the sense that the security of the application in terms of secure programming, good security techniques and correct implementations as well as the security in terms of what the application does is compromised by the closed source.
Security by obscurity is no security at all. Good cryptographic techniques are determined by those that nobody, through years of looking, has managed to break yet. Your 'secure' code might as well not do any checking until it has been published, scrutinized, and so on.
There is a right and a wrong way to do secure multiuser chat with API authentication. This is not, in my opinion, it. I am not belittling your achievement; what you've managed isn't without merit, but it requires a serious rethink, probably a complete rewrite (preferably in a platform-independent language: EVE runs on more than Windows, so you should support Mac and Linux too if you expect this to be used), and security rooted in cryptographic security instead of obscurity.
Just my 2AM 0.02p. -- Ix Forres EVE Application Developer EVE Metrics | accVIEW | I Tweet |
Max Torps
Nomadic Conglomerate
|
Posted - 2010.05.02 11:00:00 -
[29]
Well, thank you all for your comments, I will scurry away and take them onboard. I am pretty new at application coding so this news about the level of spoofing that goes on etc has taken me a little by surprise. I had worked toward some examples published in some documentation for libeveapi perhaps a little literally and I can see now where I am in error.
Obviously I'm disappointed by this but hey, you march onwards don't you?
As for source, it's pretty much as it was originally when I published it open source some time ago with minor alterations but seeing as Gertrud TOD has highlighted exactly how API authentication can be spoofed (and I was shocked at how easy it is, perhaps I am naive), publishing it at all or even distribution is pretty much pointless as it stands.
So all remains for me now is to work on it in the background. Apologies to the community at large for essentially wasting your time with this and one day, I hope to have an app for you.
|
Krathos Morpheus
Legion Infernal
|
Posted - 2010.05.02 13:36:00 -
[30]
Originally by: Max Torps So all remains for me now is to work on it in the background. Apologies to the community at large for essentially wasting your time with this and one day, I hope to have an app for you.
Please don't apologize. Afaik this forum is not for professional programmers only, but to help new fellow developers too. I am one of them (new dev) and I've learned interesting things thanks to your mistakes. If you hadn't come you would neither have learned, would you? I'm new at programming too and I'm using VB, so I would be interested to hear why it is such a bad language from experienced developers. I chose VB mainly because I find more fun in designing the program than writing it, partially because I am learning to program and although I have it easy with logic structuring, I find myself struggling against simple mistakes derived from my 'noobishness'. As I was saying, I chose VB because I wanted to design the software visually (more fun for me), and although I think there is a way to link frames with other language, that is another layer of complexity that I didn't want to fight against on my first program.
Back to the issue at hand, I would try to solve the authentication problem through an in-game registration check against the API as used on many forums, if that's not possible from the client itself, implement another software that checks it and passes the authentication to the client, or to the players for them to use it on the client, valid only to match the given API, maybe with an expiring timer that forces to 'check' in-game every two weeks or so. Note that I know nothing about the feasibility of that since I know nothing about the software in question, but that would be my approach to the problem given the info I have.
EVEwatch Sidebar soon "It is the unofficial force - the Jita irregulars." |
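An added example, not part of the thread and not Eve IM's code: the server-side check argued for in posts [23] and [30], in Python. The chat server queries the API itself, issues a signed token that expires after two weeks, and admits a user to a room only when the token's corporation matches, which gives the explicit per-user denial that the shared room password in post [13] lacks. `ChatAuthServer`, `sample_api_lookup` and the sample accounts are hypothetical names and constructed data.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample accounts (hypothetical). In a deployment the chat server
# would fetch this from the EVE API over its own connection, so a client's
# hosts file or patched binary has no influence on the answer.
SAMPLE_ACCOUNTS = {
    ("1001", "key-alice"): [{"character": "Alice", "corporation": "Example Corp"}],
    ("1002", "key-mallory"): [{"character": "Mallory", "corporation": "Other Corp"}],
}


def sample_api_lookup(user_id, api_key):
    """Stand-in for the server's own API request: characters on the account."""
    return SAMPLE_ACCOUNTS.get((user_id, api_key), [])


class ChatAuthServer:
    """Server-side authentication: the client never states its own corporation."""

    def __init__(self, secret, api_lookup, ttl_seconds=14 * 24 * 3600):
        self._secret = secret          # known only to the server
        self._api_lookup = api_lookup  # callable(user_id, api_key) -> list of dicts
        self._ttl = ttl_seconds        # forces re-verification every two weeks

    def _sign(self, payload):
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue_token(self, user_id, api_key, character, now=None):
        """Verify the key pair server-side; return a signed token or None."""
        now = time.time() if now is None else now
        for entry in self._api_lookup(user_id, api_key):
            if entry["character"] == character:
                claims = {"chr": character, "corp": entry["corporation"],
                          "exp": int(now) + self._ttl}
                payload = json.dumps(claims, sort_keys=True).encode("utf-8")
                body = base64.urlsafe_b64encode(payload).decode("ascii")
                return body + "." + self._sign(payload)
        return None  # unknown key pair, or character not on that account

    def verify_token(self, token, now=None):
        """Return the claims if the signature is valid and unexpired, else None."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body.encode("ascii"))
            expected = self._sign(payload)
            # Constant-time comparison on bytes; rejects any edited payload.
            if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
                return None
            claims = json.loads(payload)
        except (ValueError, AttributeError):
            return None  # malformed token
        return claims if claims["exp"] > now else None

    def join_room(self, token, room_corporation, now=None):
        """Admit only tokens whose corporation matches; return the character name."""
        claims = self.verify_token(token, now)
        if claims is None or claims["corp"] != room_corporation:
            return None  # explicit denial, not a silent move to another room
        return claims["chr"]


def demo():
    server = ChatAuthServer(b"constructed-demo-secret", sample_api_lookup)
    t0 = 1_270_000_000  # fixed clock so the results are reproducible
    alice = server.issue_token("1001", "key-alice", "Alice", now=t0)
    mallory = server.issue_token("1002", "key-mallory", "Mallory", now=t0)
    # Mallory edits her token to claim Alice's corporation but cannot re-sign it.
    body, sig = mallory.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["corp"] = "Example Corp"
    edited = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode() + "." + sig
    return {
        "member_admitted": server.join_room(alice, "Example Corp", now=t0 + 60),
        "other_corp_denied": server.join_room(mallory, "Example Corp", now=t0 + 60),
        "edited_token_denied": server.join_room(edited, "Example Corp", now=t0 + 60),
        "expired_denied": server.join_room(alice, "Example Corp", now=t0 + 15 * 86400),
    }
```

Removing a member is then a server-side decision: once the API no longer lists the character in the corporation, no new token is issued and the old one lapses at its expiry.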