Pages: 1 2 3 4 5 [6] 7 8 9 10 11 .. 11 :: one page |
Bubbled
|
Posted - 2010.03.24 08:04:00 -
[151]
Originally by: schwar2ss
"Sorry, an error has occurred while processing your request. There are no free RPC proxies available right now"
I get this too on both my accounts I tried.
|
|
CCP Karuck
|
Posted - 2010.03.24 08:26:00 -
[152]
Originally by: Dr BattleSmith
https://test.evegate.com:443/Profile/CharacterName/AddContact
No RequestVerificationToken.
It is a POST request but if the code responds to GET as well (or if JS is used to make the POST) then this can be used to XSS attack AddContact.
Users could use this to add themselves to enemy addressbook so that they can retrieve private info on target. It's probable it could be used to set blue standings for yourself on someone else's profile.
I am very aware of attacks like that, this one must have slipped through. Next time please submit a bug report :)
|
|
|
CCP Karuck
|
Posted - 2010.03.24 08:28:00 -
[153]
Originally by: DenShou
Interesting note, when loading this site in Chrome. I do not see [ Home, Profile, Mail, Calendar ] Menu that I do see in Firefox.
We do use Chrome for testing. The menu bar isn't shown when you aren't logged in, are you sure you were logged in?
|
|
ViolenTUK
Gallente Aliastra
|
Posted - 2010.03.24 08:42:00 -
[154]
A feature should be added to the eve client in the form of a checkbox. The option should be "Disable EVEGATE".
|
JeanMichel Bizarre
Volition Cult
|
Posted - 2010.03.24 08:42:00 -
[155]
Edited by: JeanMichel Bizarre on 24/03/2010 08:43:01
This doesn't work in Chrome anymore (it did last night) but if I open it in IE-tab, still in Chrome, it does work.
It also won't let me log in now.
Quote: Sorry, an error has occurred while processing your request. There are no free RPC proxies available right now
------
|
Paknac Queltel
Standards and Practices
|
Posted - 2010.03.24 08:52:00 -
[156]
Originally by: Bubbled
Originally by: schwar2ss
"Sorry, an error has occurred while processing your request. There are no free RPC proxies available right now"
I get this too on both my accounts I tried.
I get this as well.
I guess this would be why there's a stress test.
|
Femme Fatal
Roving Guns Inc.
|
Posted - 2010.03.24 09:03:00 -
[157]
same
Sorry, an error has occurred while processing your request.
There are no free RPC proxies available right now
|
CCP Karuck
|
Posted - 2010.03.24 09:09:00 -
[158]
Try again now folks, we had Singularity downtime.. sorry the error message wasn't more explicit :)
|
|
Mantees
Gallente The Greater Goon Clockwork Pineapple
|
Posted - 2010.03.24 09:19:00 -
[159]
It looks interesting. I can't wait that we will be able to check the market journal and transactions, and the status of the industry/research jobs. That would be great!
-- OGRank.com - EVE Online - MMORPG News
Miana Amannar
|
Posted - 2010.03.24 09:58:00 -
[160]
Edited by: Miana Amannar on 24/03/2010 09:58:02
I'm strictly against this spacebook nonsense as long as my characters show up there by default. For privacy AND security reasons participating should be COMPLETELY optional - meaning that if I don't give my OK my chars will not show up in EVE Gate. No matter what!
Are trial chars able to use EVE Gate? If yes - block them!
You're opening a can of worms just to jump the social media bandwagon.
|
|
Mantees
Gallente The Greater Goon Clockwork Pineapple
|
Posted - 2010.03.24 10:06:00 -
[161]
I honestly don't understand the complaints. If you don't like it don't use it, right? There are plenty of people who are really happy to see this being developed. Leave us our new toy! :D :D
-- OGRank.com - EVE Online - MMORPG News
Evan Batarr
|
Posted - 2010.03.24 10:13:00 -
[162]
Originally by: CCP Karuck
Originally by: Dr BattleSmith
https://test.evegate.com:443/Profile/CharacterName/AddContact
No RequestVerificationToken.
It is a POST request but if the code responds to GET as well (or if JS is used to make the POST) then this can be used to XSS attack AddContact.
Users could use this to add themselves to enemy addressbook so that they can retrieve private info on target. It's probable it could be used to set blue standings for yourself on someone else's profile.
I am very aware of attacks like that, this one must have slipped through. Next time please submit a bug report :)
How many more of these very trivial attack possibilities have 'slipped through'? And what about the not so trivial ones?
I hope you're aware that EVE Gate is every EVE-playing hacker's wet dream? This will be the no. 1 spying tool. I already see the $$-signs in some people's eyes. Finding 0-day exploits for EVE-Gate will be a very lucrative business.
|
Miana Amannar
|
Posted - 2010.03.24 10:25:00 -
[163]
Originally by: Kyra Felann
Originally by: Latex Sandals
How do I completely remove my character from public view on evegate? I don't want anything to do with it.
You can make it so that the only info available is the same info also available in-game. I don't think you'll be able to do anything about people looking you up exactly like they can already do in-game, though.
Well, there's a very big difference between IN GAME and out of game. If you follow some simple security measures it's practically impossible to hack your account to gather intel. It's a lot more trivial to do this on a web-based social media portal.
Another big difference IMO: It's nearly impossible (or at least not trivial) to automatically gather the 'public info' (like who is in which corp etc.) of a big number of individuals in game. It's pretty easy to do that on EVE Gate. Any way to make intel gathering easier is bad IMO. So an OPT-OUT (or even better - make it OPT-IN) of EVE Gate should be a matter of course!
|
Sturmwolke
|
Posted - 2010.03.24 10:48:00 -
[164]
Originally by: Evan Batarr
How many more of these very trivial attack possibilities have 'slipped through'? And what about the not so trivial ones?
I hope you're aware that EVE Gate is every EVE-playing hacker's wet dream? This will be the no. 1 spying tool. I already see the $$-signs in some people's eyes. Finding 0-day exploits for EVE-Gate will be a very lucrative business.
I'd have to agree on this point. One major screw up here is they actually ported all the pertaining personal character data without wiping the contacts list/mails/whatever else clean for this Alpha. I spent some time playing around with the mutual contacts list adding over 7-8 pages of names that made for some interesting intelligence discovery. I'm wondering how much damage has already been done and whether this is going to blow when the majority of players find out.
When your house is made of paper, don't risk the real data. I hope CCP sees this constructively when they move on to Beta, not repeating the same mistake again.
Truly, as it is, I'm wary of even logging onto EVE Gate for fear of account compromise, regardless of the secure https. Only the paranoid survives - Andrew Grove.
|
|
CCP Karuck
|
Posted - 2010.03.24 10:52:00 -
[165]
Originally by: Evan Batarr
Originally by: CCP Karuck
Originally by: Dr BattleSmith
https://test.evegate.com:443/Profile/CharacterName/AddContact
No RequestVerificationToken.
It is a POST request but if the code responds to GET as well (or if JS is used to make the POST) then this can be used to XSS attack AddContact.
Users could use this to add themselves to enemy addressbook so that they can retrieve private info on target. It's probable it could be used to set blue standings for yourself on someone else's profile.
I am very aware of attacks like that, this one must have slipped through. Next time please submit a bug report :)
How many more of these very trivial attack possibilities have 'slipped through'? And what about the not so trivial ones?
I hope you're aware that EVE Gate is every EVE-playing hacker's wet dream? This will be the no. 1 spying tool. I already see the $$-signs in some people's eyes. Finding 0-day exploits for EVE-Gate will be a very lucrative business.
I just edited my comment above, this was NOT a vulnerability. It was a post by a concerned user, which I have now validated not to be true. We are very much on top of security issues on EVE Gate and do not want things like this to slip through.. which is why we need to catch them in testing before they go live to TQ.
|
|
Elrianmk2
Gallente
|
Posted - 2010.03.24 10:53:00 -
[166]
Quote: Sorry, an error has occurred while processing your request.
There are no free RPC proxies available right now
Well stress side of the test seems to be working? Are there any metrics on the number of RPC connections being used? And how active these connections are, or is this company confidential? I would hope not as it's the test server and I want to hammer it a lot.
Comment: good to see the incorrect username / PW message is easy to see and understand, been on sites that don't comment on it, just represent the credentials page. However, could you make it bigger for um... people who may have imbibed a bit, to read?
If it wasn't for bad luck, I wouldn't have any luck at all
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.03.24 11:22:00 -
[167]
Originally by: CCP Karuck
Edit: This wasn't an issue at all, this action was already blocked for HTTP GET. We are also using HTTP DELETE btw.
Still needs a token as HTTP DELETE can be generated by JavaScript.
Originally by: CCP Karuck
I just edited my comment above, this was NOT a vulnerability. It was a post by a concerned user, which I have now validated not to be true.
I don't think hubris is a pathway to good security.
The hit needs a token, it is insecure, HTTP DELETE is no different to POST in this respect and either can be forged within the user's browser.
|
|
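The point argued in the post above (a state-changing request needs an anti-forgery token whether it arrives as POST or DELETE), as an added example that is not part of the thread and not CCP's code. `check_request`, the header name and the session ids are hypothetical; the token here is an HMAC of the session id, one common construction.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)
# Methods this hypothetical contact action accepts; GET is refused outright.
ALLOWED_METHODS = {"POST", "DELETE"}
# Hypothetical header name carrying the anti-forgery token.
TOKEN_HEADER = "X-Request-Verification-Token"


def issue_token(session_id: str) -> str:
    """Token the server embeds in its own pages, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, cookies: dict, headers: dict) -> int:
    """Return the HTTP status for a state-changing contact request."""
    if method.upper() not in ALLOWED_METHODS:
        return 405  # blocking GET is necessary but not sufficient
    session_id = cookies.get("session")
    if not session_id:
        return 401
    # The browser attaches the session cookie to forged cross-site requests too;
    # the token is known only to pages the site itself served to this session.
    supplied = headers.get(TOKEN_HEADER, "")
    expected = issue_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    return 200


def demo() -> dict:
    """Run constructed requests through the check and collect the statuses."""
    victim = {"session": "sess-victim-constructed"}
    other_token = issue_token("sess-other-constructed")
    own_token = issue_token(victim["session"])
    return {
        "GET, cookie only": check_request("GET", victim, {}),
        "DELETE, cookie only": check_request("DELETE", victim, {}),
        "POST, cookie only": check_request("POST", victim, {}),
        "DELETE, other session's token": check_request(
            "DELETE", victim, {TOKEN_HEADER: other_token}),
        "DELETE, own token": check_request(
            "DELETE", victim, {TOKEN_HEADER: own_token}),
        "DELETE, no session": check_request("DELETE", {}, {TOKEN_HEADER: own_token}),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(status, case)
```

Only the request carrying the token issued for its own session is accepted; the method alone never decides the outcome.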
CCP Gangleri
Minmatar
|
Posted - 2010.03.24 11:29:00 -
[168]
Originally by: Elrianmk2
Quote: Sorry, an error has occurred while processing your request.
There are no free RPC proxies available right now
Well stress side of the test seems to be working? Are there any metrics on the number of RPC connections being used?
This is the error that is returned when Sisi is not available, the daily downtime for Sisi is 07:30-09:00 GMT but as it is a test server unscheduled downtimes happen as well. The easiest way for you to see whether Sisi is available is to use one of the available webtools, like these:
http://games.chruker.dk/eve_online/server_status.php
http://www.eve-offline.net/?server=singularity
------------------
Tester, Scrum Master Quality Assurance
|
|
Camios
Minmatar Insurgent New Eden Tribe Systematic-Chaos
|
Posted - 2010.03.24 11:47:00 -
[169]
It does not load the character portraits even if I wait for 10 minutes.
|
Elrianmk2
Gallente
|
Posted - 2010.03.24 11:52:00 -
[170]
Currently I find that the [character]:[charactername] fields are overwriting each other when looking at the member list of the corporation, I assume that this is due to the field-width of the [character] not being defined accurately due to the lack of portrait propagation.
If it wasn't for bad luck, I wouldn't have any luck at all
|
Jae Car'das
|
Posted - 2010.03.24 11:54:00 -
[171]
It's great that mail is now available out of game and I am really looking forward to the calendar, but I am more looking forward to the API being updated so I can integrate it into our Alliance Website.
Will full mail and calendar functionality be available via the API and if so any idea how long after Beta?
Are contacts, mail, calendar and chat broadcasting the only functions planned at the moment? Will skill queue viewing/management, assets, order and wallet viewing come later too?
Feedback wise - very slow (to be expected) and my mail is out of sync. Eve Gate mail is behind in game mail by 3 weeks.
|
|
CCP Karuck
|
Posted - 2010.03.24 12:03:00 -
[172]
Originally by: Dr BattleSmith
Edited by: Dr BattleSmith on 24/03/2010 11:25:56
Originally by: CCP Karuck
Edit: This wasn't an issue at all, this action was already blocked for HTTP GET. We are also using HTTP DELETE btw.
Still needs a token as HTTP DELETE can be generated by JavaScript.
Originally by: CCP Karuck
I just edited my comment above, this was NOT a vulnerability. It was a post by a concerned user, which I have now validated not to be true.
I don't think hubris is a pathway to good security.
The hit needs a token, it is insecure, HTTP DELETE is no different to POST in this respect and either can be forged within the user's browser.
If this hit was not important I'd agree that DELETE was enough, however this very request can be used to set blue and gain access to users information.
I'm sorry I misunderstood what you were pointing out. I thought you were simply worried it was exposed as GET, I must have missed your comment about the token. I will definitely look into this, thanks for pointing it out.
|
|
Raidan Morfarik
|
Posted - 2010.03.24 12:05:00 -
[173]
Originally by: Jae Car'das
It's great that mail is now available out of game and I am really looking forward to the calendar, but I am more looking forward to the API being updated so I can integrate it into our Alliance Website.
Will full mail and calendar functionality be available via the API and if so any idea how long after Beta?
Are contacts, mail, calendar and chat broadcasting the only functions planned at the moment? Will skill queue viewing/management, assets, order and wallet viewing come later too?
Feedback wise - very slow (to be expected) and my mail is out of sync. Eve Gate mail is behind in game mail by 3 weeks.
Eve Gate seems to be linked to Sisi, not TQ. So no sync since release, I think!
|
|
CCP Karuck
|
Posted - 2010.03.24 12:06:00 -
[174]
Originally by: Jae Car'das
Are contacts, mail, calendar and chat broadcasting the only functions planned at the moment? Will skill queue viewing/management, assets, order and wallet viewing come later too?
Feedback wise - very slow (to be expected) and my mail is out of sync. Eve Gate mail is behind in game mail by 3 weeks.
Actually, your skill list and skill queue are already there and working (look under Character Sheet on your profile page). We have big plans for the future, but are still deciding on what takes priority... but everything you mentioned has been discussed.
Again.. this test website is running on our test environment Singularity, it's not your live data. Currently this data is 2 weeks old, and updated roughly every 3 weeks.
|
|
Alice Krige
|
Posted - 2010.03.24 13:12:00 -
[175]
On my contact list I get the
[ ] Generic Corp logo Disbanded alliance [ standing ]
with a number of my contacts. So I can't see the character names only their standing and that they were member of an Alliance which has since disbanded...
So who are they?
|
Narkhana
|
Posted - 2010.03.24 13:28:00 -
[176]
Originally by: CCP Karuck
Again.. this test website is running on our test environment Singularity, it's not your live data. Currently this data is 2 weeks old, and updated roughly every 3 weeks.
The data being two weeks old is beside the point, having contacts available to be viewed without the option to opt-out is unacceptable in a game such as EVE. Unfortunately it doesn't seem that CCP cares as their only response is "this data is 2 weeks old". Thankfully professional companies that hold personal information don't take the same approach with my personal data. I wonder what would happen if Facebook made all friends lists available (even if the list is 2 weeks old) and didn't give the option to opt-out?
Like I said, all of what you've done is cool so far, but leaving the contact lists available on Eve-Gate is a serious lack of concern for your players' privacy.
|
|
CCP Purple Tentacle
|
Posted - 2010.03.24 13:46:00 -
[177]
Originally by: Camios
It does not load the character portraits even if I wait for 10 minutes.
In order to see how the image servers cope with load, we started them with a completely empty image cache. Your initial rush on the website yielded the expected results, the render queue skyrocketed and is still trying to catch up.
It's safe to say that it will require some more time to process everything it got during the initial phase of the alpha test, probably even one more day or so. Once it managed to burn down the current epic queue and nicely filled up its portrait and corp logo caches, it will become much more responsive and hopefully render the faces of the newcomers within 10 minutes of the first request, the speed we were originally aiming for.
|
|
ULTImatio
|
Posted - 2010.03.24 14:04:00 -
[178]
EVE-Online is a place of life and death! It's no damn social site. Now this EVE-Gate just turned into a damn Intel tool.
I don't think Pilots like to see that their current buddy list becomes a social network thing that can be used as Intel.
Now every Pilot in EVE can check out your Mutual Contacts. If their standings are all positive they can check out your entire address book.
|
Lionel Redstar
|
Posted - 2010.03.24 14:07:00 -
[179]
Edited by: Lionel Redstar on 24/03/2010 14:14:12
Small bug on the contact list: I have 2 "Disbanded alliance" that can't be deleted. Dunno which, have to check ingame.
Edit: I checked ingame and they are actually 2 closed corporations. After I removed them ingame they disappeared from EveGate too.
|
Jae Car'das
|
Posted - 2010.03.24 14:41:00 -
[180]
Can a CCP answer my previous question please -
Will full mail and calendar functionality be available via the API and if so any idea how long after Beta?
Thanks
|
|