CCP Guard
C C P C C P Alliance
173
Posted - 2011.09.21 16:12:00
[1]
CCP Sreegs, the chief of CCP's security forces, has written a dev blog on how to responsibly report security issues and make the world a better place. He also tells us a little bit about what's in it for those who do.
Check it out here and if questions arise, this comment thread is where you want to write them down.
CCP Guard | EVE Community Developer
Spanking Monkeys
ZC Industries
1
Posted - 2011.09.21 16:14:00
[2]
yay, maybe first
ConstantinValdor
Science and Trade Institute Caldari State
0
Posted - 2011.09.21 16:24:00
[3]
Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.
T'amber Anomandari Demaleon
Republic Military School Minmatar Republic
9
Posted - 2011.09.21 16:25:00
[4]
..cough..
someone else can say it.
Microtransactions Crowdsource and Survey
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 16:33:00
[5]
ConstantinValdor wrote:Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.
Reporting a bot itself really wouldn't qualify in this program. Reporting something like a new or privately created bot, or giving more valid insight into an organization with actionable information would. :)
Maven Deltor
Bad Sekta
2
Posted - 2011.09.21 16:49:00
[6]
Thanks for the updates, love them all.
Callic Veratar
Power of the Phoenix
17
Posted - 2011.09.21 16:57:00
[7]
I would like to see two new classes of petition created:
- A Bug Petition, so that I don't have to leave the game, figure out where to go, create the bug report and flip back and forth to capture it in full detail. (Even better would be the ability to capture user input that triggers the bug.)
- A Security Petition, so that there's no question as to where I go to report things. (Again, allowing me to log info through some form of capture mechanism would be great here too.)
Tork Norand
Mechanical Eagles Inc. The Ancients.
0
Posted - 2011.09.21 17:17:00
[8]
A few reward options come to mind....
1) Skill Points for small things. Hell, this would work great for reporting bots (at 1,000 SP for each verified bot report, you may just introduce a new profession....) but for the "small things", I think SP would be appropriate.
2) PLEX, but in 1-week increments....not only the 30-day version.
3) For people who actually use AUR (meaning they ask for this reward type), a deposit into their AUR account. Since the items aren't game changing anyway, this would let those who want to use it to have a way to increase what they have now.
Just what comes to mind...
Orisa Medeem
Hedion University Amarr Empire
0
Posted - 2011.09.21 17:19:00
[9]
I think one of the main problems is that a dev-blog only gets so much visibility, and only for so long.
If someone wants to report a security issue some six months from now there is some 95% chance he won't have read this blog (or any other blog from the security team for that matter), and even if he did it is quite possible he won't remember it.
That's probably why those four ways people try to raise security issues are so common.
The petition system is always there. You can create a petition from inside or outside the game.
I think promoting that "Exploits" sub-category to a category of its own would give it more visibility and, upon selecting it, the system could give the player better instructions on how to properly submit a security-related issue. This would go a long way toward ensuring that the information reaches the right people.
Two step
Aperture Harmonics K162
152
Posted - 2011.09.21 17:23:00
[10]
Can you post CCP Soundwave's address so I can send him some spare Anime I have laying around?
CSM 6 Alternate Delegate | @two_step_eve on Twitter | My Blog | What does CSM 6 do?
ORCACommander
Astral Synthetics
0
Posted - 2011.09.21 17:29:00
[11]
name in lights?
but ya always a good policy to bribe those that could damage instead of giving them incentive to take advantage.
Sentient Blade
Walk It Off Coalition of the Unfortunate
2
Posted - 2011.09.21 17:31:00
[12]
This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.
The Mittani
GoonWaffe Goonswarm Federation
518
Posted - 2011.09.21 17:35:00
[13]
A reliable source informed me that since Soundwave likes anime and manga so much, when the CCP office began playing 40k, he insisted upon being the Tau player. He just can't get enough battlesuits!
Chribba
Otherworld Enterprises Otherworld Empire
301
Posted - 2011.09.21 17:37:00
[14]
How about PLEX for making New Eden a better place as a working title.
Tork Norand
Mechanical Eagles Inc. The Ancients.
0
Posted - 2011.09.21 17:49:00
[15]
Chribba wrote:How about PLEX for making New Eden a better place as a working title.
Informative, but I think it's a bit of a mouthful... assuming the part I underlined is the full working title....
malaire
43
Posted - 2011.09.21 17:55:00
[16]
Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCPs response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.
Permanent ban of all your accounts on first offense of client exploiting.
from Current Botting and Exploit/Client Modification Policies - 12/5/2011:
Quote: ALL levels all actions are levied against all of your accounts. Client Modification or exploiting – First Offense – Permanent Ban
Carebear * Trader * Perfect Music * Never Scamming * Never Pirating
Bugcheck
Origin. Black Legion.
0
Posted - 2011.09.21 18:06:00
[17]
A TL;DR would have been nice.
Only responsible way of reporting security issues is mailing [email protected], not filing bugs/petitions. Be responsible and you may receive PLEX.
Zarnak Wulf
Amok. Goonswarm Federation
9
Posted - 2011.09.21 18:07:00
[18]
Instead of PLEX can I get a BPO for a Frekki?
Aineko Macx
Royal Amarr Institute Amarr Empire
3
Posted - 2011.09.21 18:16:00
[19]
malaire wrote:Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts. Permanent ban of all your accounts on first offense of client exploiting. from Current Botting and Exploit/Client Modification Policies - 12/5/2011: Quote: One other thing to note is that at ALL levels all actions are levied against all of your accounts.
Client Modification or exploiting – First Offense – Permanent Ban
Unless this is changed people will be wary of reporting issues. It's not like people didn't learn from CCP's reactions... *cough*
ConstantinValdor
Science and Trade Institute Caldari State
0
Posted - 2011.09.21 18:35:00
[20]
CCP Sreegs wrote:ConstantinValdor wrote:Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.
Reporting a bot itself really wouldn't qualify in this program. Reporting something like a new or privately created bot, or giving more valid insight into an organization with actionable information would. :)
No, I understand that this doesn't qualify for it. I also understand that CCP needs to make money and laying down the banhammer on botters will severely impact CCP's revenue, while at the same time doing too little will anger a lot of people not botting (but probably won't cause as much of an impact to CCP's revenue as the former). So I understand that they need to maintain a sort of unspoken balance around the botting issue; all I'm saying is that PLEX for bot reporting is a good idea to maintain that balance.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:03:00
[21]
Callic Veratar wrote:I would like to see two new classes of petition created:
- A Bug Petition, so that I don't have to leave the game, figure out where to go, create the bug report and flip back and forth to capture it in full detail. (Even better would be the ability to capture user input that triggers the bug.)
- A Security Petition, so that there's no question as to where I go to report things. (Again, allowing me to log info through some form of capture mechanism would be great here too.)
Whether it's in the form of a petition or not, this is something that we've been discussing internally and I know that removing the ambiguity is necessary. The other poster and yourself are right on in that reporting security incidents should be something that's more clear from an end-user perspective than being something that's just communicated in dev blogs, and we do have some things in motion to rectify this. I'll be more comfortable speaking about what that will look like when it's finalized.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:03:00
[22]
Orisa Medeem wrote:I think one of the main problems is that a dev-blog only gets so much visibility, and only for so long.
If someone wants to report a security issue some six months from now there is some 95% chance he won't have read this blog (or any other blog from the security team for that matter), and even if he did it is quite possible he won't remember it.
That's probably why those four ways people try to raise security issues are so common.
The petition system is always there. You can create a petition from inside or outside the game.
I think promoting that "Exploits" sub-category to a category of its own would give it more visibility and, upon selecting it, the system could give the player better instructions on how to properly submit a security-related issue. This would go a long way toward ensuring that the information reaches the right people.
Quoting the other person who was right for great justice.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:09:00
[23]
Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.
Actually I think I'm pretty clear on that point, though it's not the point of the blog, and it brings me to a topic we didn't discuss mainly because I haven't confirmed that we can do it.
In essence, as I mentioned, we're not giving you license to hack our servers and any indication that this is being attempted will be treated as exactly that, you trying to hack our servers. There's not much I can do about that, as was stated in the blog. The logs are what the logs are and in a production environment it would be absolutely terrible practice to allow people to cause disruption or risk.
That being said, the point is 100% correct that part of the incentive should also be providing an atmosphere where you don't place yourself at risk via experimentation. What I'd like to facilitate is some form of environment where experimentation is possible without risk to the account. As it stands today, if an exploit does occur the only thing that stands between yourself and administrative action is you letting us know that the exploit exists. If you discover something and you do not make us aware of it, then our sole perspective both will and has to be that your intent was malicious.
Ammzi
Imperial Guardians Blazing Angels Alliance
17
Posted - 2011.09.21 19:10:00
[24]
CCP Sreegs,
These security issues that you mention and hope to be able to identify a lot quicker now with the help of the player base, are they issues that you believe ordinary non-technical pilots can attempt to find/locate? In my opinion this opportunity for reward and helping CCP is more oriented towards the technical playerbase. Software engineers and similar.
What do you think?
Regards, Ammzi
lceman
FinFleet Raiden.
0
Posted - 2011.09.21 19:12:00
[25]
snitches get stitches
Grimpak
Midnight Elites Echelon Rising
45
Posted - 2011.09.21 19:14:00
[26]
The Mittani wrote:A reliable source informed me that since Soundwave likes anime and manga so much, when the CCP office began playing 40k, he insisted upon being the Tau player. He just can't get enough battlesuits!
if it's battlesuits then he needs gundams or macrosses
"The more I know about humans, the more I love animals." ain't that right
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:17:00
[27]
Aineko Macx wrote:malaire wrote:Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts. Permanent ban of all your accounts on first offense of client exploiting. from Current Botting and Exploit/Client Modification Policies - 12/5/2011: Quote: One other thing to note is that at ALL levels all actions are levied against all of your accounts.
Client Modification or exploiting – First Offense – Permanent Ban
Unless this is changed people will be wary of reporting issues. It's not like people didn't learn from CCP's reactions... *cough*
Without getting into individual detail, as I've said before, never has there been a case where an exploit has been responsibly reported to us without abuse in which anyone has ever been at risk or actioned against. I find it unfortunate that I can't wield godlike powers that prevent people from lying on the internet, and I don't get a bonus for banning people and would prefer not to. I'd much rather have that creative energy channeled into making all of us a better product than investigating bad guys or playing he-said she-said with attention-seeking criminals.
At the end of the day this is my initiative, and if I didn't earnestly believe it was the best course of action I could have pumped out a pile of words about something else.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:20:00
[28]
Ammzi wrote:CCP Sreegs,
These security issues that you mention and hope to be able to identify a lot quicker now with the help of the player base, are they issues that you believe ordinary non-technical pilots can attempt to find/locate? In my opinion this opportunity for reward and helping CCP is more oriented towards the technical playerbase. Software engineers and similar.
What do you think?
Regards, Ammzi
That may be true in some respects, but one of the great beauties of EVE is the social aspect and skullduggery, which may help explain the joking use of the word "snitches" in the blog. The fact is that if you give me an exploit and detail I'm going to reward you whether you discovered it or not. The reward is for the disclosure, not the discovery, if that spells it out any clearer. I'd like to encourage discovery as well in the long term, but at the end of the day my primary concern is fixing something that's broken.
Tork Norand
Mechanical Eagles Inc. The Ancients.
0
Posted - 2011.09.21 19:42:00
[29]
CCP Sreegs wrote: In essence, as I mentioned, we're not giving you license to hack our servers and any indication that this is being attempted will be treated as exactly that, you trying to hack our servers. There's not much I can do about that, as was stated in the blog. The logs are what the logs are and in a production environment it would be absolutely terrible practice to allow people to cause disruption or risk.
That being said, the point is 100% correct that part of the incentive should also be providing an atmosphere where you don't place yourself at risk via experimentation. What I'd like to facilitate is some form of environment where experimentation is possible without risk to the account. As it stands today if an exploit does occur the only thing that stands between yourself and administrative action is you letting us know that the exploit exists. If you discover something and you do not make us aware of it then our sole perspective both will and has to be that your intent was malicious.
Sreegs, a (larger) thought....
Open up a new set of servers for EXACTLY that purpose...to let people hack on them in any way they want. To do this right, the user database would need to be scrubbed (in case someone did get in) but point to it and say, "That....That is where you can try and hack into. You find a route, you report it. If we see it used anywhere else, everyone using it on any server is banned."
I would go a few steps further... place it on its own network with no access to the production or other test environments. Completely isolate it from anything else. To use it for any testing, the users need to reset their password on that cluster using a tool from outside that then updates their account on that cluster within the next 24 hours. Doing all of this would be a little time consuming, but not difficult. Updates of passwords could be performed by sending the hash in an email going from the registration page to the new cluster..... I could go on and on with this but that should be a good start for discussion.
--Tork. CEO and Herder of Cats.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:49:00
[30]
Tork Norand wrote: Sreegs, a (larger) thought....
Open up a new set of servers for EXACTLY that purpose...to let people hack on them in any way they want. To do this right, the user database would need to be scrubbed (in case someone did get in) but point to it and say, "That....That is where you can try and hack into. You find a route, you report it. If we see it used anywhere else, everyone using it on any server is banned."
I would go a few steps further... place it on its own network with no access to the production or other test environments. Completely isolate it from anything else. To use it for any testing, the users need to reset their password on that cluster using a tool from outside that then updates their account on that cluster within the next 24 hours. Doing all of this would be a little time consuming, but not difficult. Updates of passwords could be performed by sending the hash in an email going from the registration page to the new cluster..... I could go on and on with this but that should be a good start for discussion.
That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it.