Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.

I would like to see two new classes of petiton created:

- A Bug Petition, so that I don't have to leave the game, figure out where to go, created the bug report and flip back and forth to capture it in full detail. (Even better would be the ability to capture user input that triggers the bug.)

- A Security Petition, so that there's no question to where I go to report things. (Again, allowing me to log info through some form of capture mechanism would be great here too.)

I think one of the main problems is that a dev-blog only gets so much visibility, and only for so long.

If someone wants to report a security issue some six months from now there is some 95% chance he won't have read this blog (or any other blog from the security team for that matter), and even if he did it is quite possible he won't remember it.

That's probably why those four ways people try to raise security issues are so common.

The petition system is always there. You can create a petition from inside or outside the game.

I think promoting that "Exploits" sub-category to a category by its own would give it more visibility and, upon selecting it, the system could give the player better instructions of how to properly submit a security related issue. This would go a long way to ensure that the information reach the right people.

This dev blog is informative, but what it does not cover is CCPs response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.

Unless this is changed people will be wary of reporting issues. It's not like people didn't learn from CCPs reactions... *cough*

CCP Screegs,

These security issues that you mention and hope to be able to identify a lot quicker now with the help of the player base, are they issues that you believe ordinary non-technical pilots can attempt to find/locate?
In my opinion this opportunity for reward and helping CCP is more oriented towards the technical playerbase. Software engineers and similar.

What do you think?

regards
Ammzi

Sreegs, a (larger) thought....

Open up a new set of servers for EXACTLY that purpose...to let people hack on them in any way they want. To do this right, the user database would need to be scrubbed (in case someone did get in) but point to it and say, "That....That is where you can try and hack into. You find a route, you report it. If we see it used anywhere else, everyone using it on any server is banned."

I would go a few steps further...place it on it's own network with not access to the production or other test environments. Completely isolate it from anything else. To use it for any testing, the users need to reset their password on that cluster using a tool from outside that then updates their account on that cluster within the next 24 hours. Doing all of this would be a little time consuming, but not difficult. Updates of passwords could be performed by sending the hash in an email going from the registration page to the new cluster.....I could go on and on with this but that should be a good start for discussion.

Screegs


YOU BEEN HAZED!

Sounds interesting. Or at least allow people to easily get permissions to poke around a little, basically a mechanism where I could say "I'd like to do some weird things to your forums and, if I find anything, I'll report it back to you. In turn, you won't ban me for trying" would be cool.

That said, I'm glad you are trying to get the community involved. Nice devblog.

not like the system is already vulnerable to exploitation before the vulnerability is discovered & reported, amirite?

I don't have a set position on responsible vs immediate (full) disclosure but I think it needs to be acknowledged that while immediate disclosure may increase the probability of the vulnerability being actually exploited it also tends to minimize the time that the system is vulnerable (by applying maximum pressure to the developers) and gives users the ability to take precautions much faster/earlier than any company could issue them an advisory.

The vulnerability does not start to exist when it is reported for the first time - if anything it becomes much less threatening once it has been reported and is known about (as users can then start to take precautions/use workarounds).

Assume I experience a bug "visiting website xyz in the IGB does sometimes make the browser "hang" (have to restart client to fix this) and leads in rare cases to a BSoD".
I file a bug report describing this behavior and expressing mild annoyance at CCP for releasing such a shoddy product, the bug gets verified by volunteers or CCP staff, gets assigned to CCP's IGB team, gets prioritized ("only one website of over 9000 is known to cause this issue, telemetry says only three users experienced client crashes due to it in the last month") and some CCP dev will grab the bug report and look into it whenever he gets around to doing so.

My guess would be that many users experience glitchy behavior due to accidentally triggering vulnerabilities and (if you are lucky) report it as a bug without thinking of it as more than a harmless but annoying glitch.

Shouldn't there be some process of screening incoming bug reports for signs of potential vulnerabilities and fast-track those that might point towards a security issue?

Given how things played out with the first release of the new forums, I can conclude one of several things:

1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur.
2. The procedures were in place but were not followed.
3. The "peers" and "reputable third parties" were incompetent.
4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing.

Care to tell us which it was?

MDD

I cant decide if you got that from The Buzzword Dictionary or The Dictionary of Corporate Bullsh!t.


Both available on Amazon if anyone is interested.

Asking the EVE community for help in fixing security issues after banning Helicity Bonson for doing exact this could only be some kind of a hilarious troll.

You guys have some strange humor...

//off topic
The new forum is less useful/handy/effective than the old one.

Although a 15$ plex isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.

sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?

edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go?

Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up

Report multiple issues: offer them a job because clearly it's better to have them on NDA than not.

this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than 15$(one plex) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one plex does not even factor in the amount of incentive there is.

the only real remaining incentives, are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that.

Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue.

Here is a free tip never have multiple accounts on 1 email. You can be banned for no apperent reason. So when you have change it asap

finding some xss in your site or something like that is attacking your infrastructure and also a crime(and also has been rewarded by CCP in the past). needs more clarification.

edit: to clarify my own point, we need some clarification of what is and is not acceptable. the guy who got banned did so because he was reading secret forums, while being "logged in" as an employee, which clearly shows he didn't understand the situation as he would have either concealed his identity or else didn't try to find secret information if he did. i'm not asking ccp to "talk about administrative actions" but it's clear that there was misunderstanding going on and there need to be clearly laid out rules for people to report weaknesses and guarantee their own safety in doing so.

whether a javascript alert box is thought of as active malicious exploitation or agreeable proof of concept for vulnerability reporting, is entirely in the eye of the beholder, in this case CCP. other entities would wholly disagree with whatever definition you come up with, so you must be crystal clear in what you say.

you have a singularity test server, where AFAIK it's anything goes except taking down services, however most of your web resources do not have a publicly available backup, so any actual vuln testing has to be done on production machines. which could or could not be a big deal, depending on the vulnerability and your current stance. if you are asking people to test on production servers, if there is a denial of service or sql injection bug the question really becomes, how do we report this without being malicious or getting banned, and will ccp need to conduct an investigation to ensure the bug(now known by 3rd parties) was never maliciously exploited?

as i understand it this blog is basically an invitation for people to go around vuln scanning(be it manual or automated) on production servers and try to find vulnerabilities without taking down services or stealing secret information, etc. if this is a mistaken idea, then i apologize and you really need to clarify.

also a list of acceptable locations where rewards will be given for vulnerabilities would be appreciated. nobody likes their time being wasted, and i'm sure you don't like getting vuln reports for web resources you don't even manage.

I think the issue is that we don't agree on the definition of attack or testing. for me, i have to operate under the assumption that an attack is a single 'or 1=1, or a single unauthorized failed login. based on my knowledge of past happenings with ccp, something seems to only be considered an attack when secret info is viewed, or there is a denial of service.

IMO, "testing" and "attacking" would be required to accomplish this:


People in different roles than either of us probably have an even different idea of what these words mean. Clearly some users at the release of this forum software had a vastly different idea of what malicious activity meant.

I propose the following rules to clarify for all parties regardless of their knowledge of how to handle security incidents:
-no taking down services
-no viewing secret information, as you can't undo your actions on the internet don't even try to get close
-if you must test if something can be used against another user, use it only on your alt and not even a consenting 3rd party, as knowledge of the exploit could spread
-no sharing knowledge of a live exploit with any other person
-no exploiting for personal gain
-no corrupting the integrity of information owned by other users.

i think this sort of thing needs to be crystal clear for the users out there.

what are you smoking this is no conspiracy, this is true facts. and we are talking about security this a very helpfull tip for the people playing this game.. Not something you might want to hear i am sure..