CCP Guard
C C P C C P Alliance
173
Posted - 2011.09.21 16:12:00 -
[1]
CCP Sreegs, the chief of CCP's security forces, has written a dev blog on how to responsibly report security issues and make the world a better place. He also tells us a little bit about what's in it for those who do.
Check it out here and if questions arise, this comment thread is where you want to write them down.
CCP Guard | EVE Community Developer
Spanking Monkeys
ZC Industries
1
Posted - 2011.09.21 16:14:00 -
[2]
yay, maybe first
ConstantinValdor
Science and Trade Institute Caldari State
0
Posted - 2011.09.21 16:24:00 -
[3]
Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.
T'amber Anomandari Demaleon
Republic Military School Minmatar Republic
9
Posted - 2011.09.21 16:25:00 -
[4]
..cough..
someone else can say it.
Microtransactions Crowdsource and Survey
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 16:33:00 -
[5]
ConstantinValdor wrote:Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.
Reporting a bot itself really wouldn't qualify in this program. Reporting something like a new or privately created bot, or giving more valid insight into an organization with actionable information would. :)
Maven Deltor
Bad Sekta
2
Posted - 2011.09.21 16:49:00 -
[6]
Thanks for the updates, love them all.
Callic Veratar
Power of the Phoenix
17
Posted - 2011.09.21 16:57:00 -
[7]
I would like to see two new classes of petition created:
- A Bug Petition, so that I don't have to leave the game, figure out where to go, create the bug report and flip back and forth to capture it in full detail. (Even better would be the ability to capture user input that triggers the bug.)
- A Security Petition, so that there's no question as to where I go to report things. (Again, allowing me to log info through some form of capture mechanism would be great here too.)
Tork Norand
Mechanical Eagles Inc. The Ancients.
0
Posted - 2011.09.21 17:17:00 -
[8]
A few reward options come to mind....
1) Skill Points for small things. Hell, this would work great for reporting bots (at 1,000 SP for each verified bot report, you may just introduce a new profession....) but for the "small things", I think SP would be appropriate.
2) PLEX, but in 1-week increments....not only the 30-day version.
3) For people who actually use AUR (meaning they ask for this reward type), a deposit into their AUR account. Since the items aren't game changing anyway, this would let those who want to use it to have a way to increase what they have now.
Just what comes to mind...
Orisa Medeem
Hedion University Amarr Empire
0
Posted - 2011.09.21 17:19:00 -
[9]
I think one of the main problems is that a dev-blog only gets so much visibility, and only for so long.
If someone wants to report a security issue some six months from now there is some 95% chance he won't have read this blog (or any other blog from the security team for that matter), and even if he did it is quite possible he won't remember it.
That's probably why those four ways people try to raise security issues are so common.
The petition system is always there. You can create a petition from inside or outside the game.
I think promoting that "Exploits" sub-category to a category of its own would give it more visibility and, upon selecting it, the system could give the player better instructions on how to properly submit a security related issue. This would go a long way to ensure that the information reaches the right people.
Two step
Aperture Harmonics K162
152
Posted - 2011.09.21 17:23:00 -
[10]
Can you post CCP Soundwave's address so I can send him some spare Anime I have lying around?
CSM 6 Alternate Delegate | @two_step_eve on Twitter | My Blog | What does CSM 6 do?
ORCACommander
Astral Synthetics
0
Posted - 2011.09.21 17:29:00 -
[11]
name in lights?
but ya always a good policy to bribe those that could damage instead of giving them incentive to take advantage.
Sentient Blade
Walk It Off Coalition of the Unfortunate
2
Posted - 2011.09.21 17:31:00 -
[12]
This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.
The Mittani
GoonWaffe Goonswarm Federation
518
Posted - 2011.09.21 17:35:00 -
[13]
A reliable source informed me that since Soundwave likes anime and manga so much, when the CCP office began playing 40k, he insisted upon being the Tau player. He just can't get enough battlesuits!
Chribba
Otherworld Enterprises Otherworld Empire
301
Posted - 2011.09.21 17:37:00 -
[14]
How about PLEX for making New Eden a better place as a working title.
Tork Norand
Mechanical Eagles Inc. The Ancients.
0
Posted - 2011.09.21 17:49:00 -
[15]
Chribba wrote:How about PLEX for making New Eden a better place as a working title.
Informative, but I think it's a bit of a mouthful... assuming the part I underlined is the full working title....
malaire
43
Posted - 2011.09.21 17:55:00 -
[16]
Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.
Permanent ban of all your accounts on first offense of client exploiting.
from Current Botting and Exploit/Client Modification Policies - 12/5/2011:
Quote: ALL levels all actions are levied against all of your accounts. Client Modification or exploiting – First Offense – Permanent Ban
Carebear * Trader * Perfect Music * Never Scamming * Never Pirating
Bugcheck
Origin. Black Legion.
0
Posted - 2011.09.21 18:06:00 -
[17]
A TL;DR would have been nice.
Only responsible way of reporting security issues is mailing [email protected], not filing bugs/petitions. Be responsible and you may receive PLEX.
Zarnak Wulf
Amok. Goonswarm Federation
9
Posted - 2011.09.21 18:07:00 -
[18]
Instead of PLEX can I get a BPO for a Frekki?
Aineko Macx
Royal Amarr Institute Amarr Empire
3
Posted - 2011.09.21 18:16:00 -
[19]
malaire wrote:Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts. Permanent ban of all your accounts on first offense of client exploiting. from Current Botting and Exploit/Client Modification Policies - 12/5/2011: Quote: One other thing to note is that at ALL levels all actions are levied against all of your accounts.
Client Modification or exploiting – First Offense – Permanent Ban
Unless this is changed people will be wary of reporting issues. It's not like people didn't learn from CCP's reactions... *cough*
ConstantinValdor
Science and Trade Institute Caldari State
0
Posted - 2011.09.21 18:35:00 -
[20]
CCP Sreegs wrote:ConstantinValdor wrote:Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.
Reporting a bot itself really wouldn't qualify in this program. Reporting something like a new or privately created bot, or giving more valid insight into an organization with actionable information would. :)
No, I understand that this doesn't qualify for it. I also understand that CCP needs to make money and laying down the banhammer on botters will severely impact CCP's revenue, while at the same time doing too little will anger a lot of people not botting (but probably won't cause as much of an impact to CCP's revenue as the former). So I understand that they need to maintain a sort of unspoken balance around the botting issue; all I'm saying is that PLEX for bot reporting is a good idea to maintain that balance.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:03:00 -
[21]
Callic Veratar wrote:I would like to see two new classes of petition created:
- A Bug Petition, so that I don't have to leave the game, figure out where to go, create the bug report and flip back and forth to capture it in full detail. (Even better would be the ability to capture user input that triggers the bug.)
- A Security Petition, so that there's no question as to where I go to report things. (Again, allowing me to log info through some form of capture mechanism would be great here too.)
Whether it's in the form of a petition or not, this is something that we've been discussing internally and I know that removing the ambiguity is necessary. The other poster and yourself are right on in that reporting security incidents should be something that's more clear from an end-user perspective than being something that's just communicated in dev blogs, and we do have some things in motion to rectify this. I'll be more comfortable speaking about what that will look like when it's finalized.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:03:00 -
[22]
Orisa Medeem wrote:I think one of the main problems is that a dev-blog only gets so much visibility, and only for so long.
If someone wants to report a security issue some six months from now there is some 95% chance he won't have read this blog (or any other blog from the security team for that matter), and even if he did it is quite possible he won't remember it.
That's probably why those four ways people try to raise security issues are so common.
The petition system is always there. You can create a petition from inside or outside the game.
I think promoting that "Exploits" sub-category to a category of its own would give it more visibility and, upon selecting it, the system could give the player better instructions on how to properly submit a security related issue. This would go a long way to ensure that the information reaches the right people.
Quoting the other person who was right for great justice.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:09:00 -
[23]
Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.
Actually I think I'm pretty clear on that point, though it's not the point of the blog, and it brings me to a topic we didn't discuss mainly because I haven't confirmed that we can do it.
In essence, as I mentioned, we're not giving you license to hack our servers and any indication that this is being attempted will be treated as exactly that, you trying to hack our servers. There's not much I can do about that, as was stated in the blog. The logs are what the logs are and in a production environment it would be absolutely terrible practice to allow people to cause disruption or risk.
That being said, the point is 100% correct that part of the incentive should also be providing an atmosphere where you don't place yourself at risk via experimentation. What I'd like to facilitate is some form of environment where experimentation is possible without risk to the account. As it stands today, if an exploit does occur, the only thing that stands between yourself and administrative action is you letting us know that the exploit exists. If you discover something and you do not make us aware of it then our sole perspective both will and has to be that your intent was malicious.
Ammzi
Imperial Guardians Blazing Angels Alliance
17
Posted - 2011.09.21 19:10:00 -
[24]
CCP Screegs,
These security issues that you mention and hope to be able to identify a lot quicker now with the help of the player base, are they issues that you believe ordinary non-technical pilots can attempt to find/locate? In my opinion this opportunity for reward and helping CCP is more oriented towards the technical playerbase. Software engineers and similar.
What do you think?
regards Ammzi
lceman
FinFleet Raiden.
0
Posted - 2011.09.21 19:12:00 -
[25]
snitches get stitches
Grimpak
Midnight Elites Echelon Rising
45
Posted - 2011.09.21 19:14:00 -
[26]
The Mittani wrote:A reliable source informed me that since Soundwave likes anime and manga so much, when the CCP office began playing 40k, he insisted upon being the Tau player. He just can't get enough battlesuits!
if it's battlesuits then he needs gundams or macrosses
"The more I know about humans, the more I love animals." ain't that right
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:17:00 -
[27]
Aineko Macx wrote:malaire wrote:Sentient Blade wrote:This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts. Permanent ban of all your accounts on first offense of client exploiting. from Current Botting and Exploit/Client Modification Policies - 12/5/2011: Quote: One other thing to note is that at ALL levels all actions are levied against all of your accounts.
Client Modification or exploiting – First Offense – Permanent Ban
Unless this is changed people will be wary of reporting issues. It's not like people didn't learn from CCP's reactions... *cough*
Without getting into individual detail, as I've said before, never has there been a case where an exploit has been responsibly reported to us without abuse that anyone has ever been at risk or actioned against. I find it unfortunate that I can't wield godlike powers that prevent people from lying on the internet, and I don't get a bonus for banning people and would prefer not to. I'd much rather have that creative energy channeled into making all of us a better product than investigating bad guys or playing he-said she-said with attention seeking criminals.
At the end of the day this is my initiative and if I didn't earnestly believe it was the best course of action I could have pumped out a pile of words about something else.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:20:00 -
[28]
Ammzi wrote:CCP Screegs,
These security issues that you mention and hope to be able to identify a lot quicker now with the help of the player base, are they issues that you believe ordinary non-technical pilots can attempt to find/locate? In my opinion this opportunity for reward and helping CCP is more oriented towards the technical playerbase. Software engineers and similar.
What do you think?
regards Ammzi
That may be true in some respects, but one of the great beauties of EVE is the social aspect and skullduggery, which may help explain the joking use of the word "snitches" in the blog. The fact is that if you give me an exploit and detail I'm going to reward you whether you discovered it or not. The reward is for the disclosure, not the discovery, if that spells it out any clearer. I'd like to encourage discovery as well in the long term, but at the end of the day my primary concern is fixing something that's broken.
Tork Norand
Mechanical Eagles Inc. The Ancients.
0
Posted - 2011.09.21 19:42:00 -
[29]
CCP Sreegs wrote: In essence, as I mentioned, we're not giving you license to hack our servers and any indication that this is being attempted will be treated as exactly that, you trying to hack our servers. There's not much I can do about that, as was stated in the blog. The logs are what the logs are and in a production environment it would be absolutely terrible practice to allow people to cause disruption or risk.
That being said, the point is 100% correct that part of the incentive should also be providing an atmosphere where you don't place yourself at risk via experimentation. What I'd like to facilitate is some form of environment where experimentation is possible without risk to the account. As it stands today if an exploit does occur the only thing that stands between yourself and administrative action is you letting us know that the exploit exists. If you discover something and you do not make us aware of it then our sole perspective both will and has to be that your intent was malicious.
Sreegs, a (larger) thought....
Open up a new set of servers for EXACTLY that purpose...to let people hack on them in any way they want. To do this right, the user database would need to be scrubbed (in case someone did get in) but point to it and say, "That....That is where you can try and hack into. You find a route, you report it. If we see it used anywhere else, everyone using it on any server is banned."
I would go a few steps further... place it on its own network with no access to the production or other test environments. Completely isolate it from anything else. To use it for any testing, the users need to reset their password on that cluster using a tool from outside that then updates their account on that cluster within the next 24 hours. Doing all of this would be a little time consuming, but not difficult. Updates of passwords could be performed by sending the hash in an email going from the registration page to the new cluster..... I could go on and on with this but that should be a good start for discussion.
--Tork. CEO and Herder of Cats.
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 19:49:00 -
[30]
Tork Norand wrote: Sreegs, a (larger) thought....
Open up a new set of servers for EXACTLY that purpose...to let people hack on them in any way they want. To do this right, the user database would need to be scrubbed (in case someone did get in) but point to it and say, "That....That is where you can try and hack into. You find a route, you report it. If we see it used anywhere else, everyone using it on any server is banned."
I would go a few steps further... place it on its own network with no access to the production or other test environments. Completely isolate it from anything else. To use it for any testing, the users need to reset their password on that cluster using a tool from outside that then updates their account on that cluster within the next 24 hours. Doing all of this would be a little time consuming, but not difficult. Updates of passwords could be performed by sending the hash in an email going from the registration page to the new cluster..... I could go on and on with this but that should be a good start for discussion.
That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it.
Zhilia Mann
Tide Way Out Productions
12
Posted - 2011.09.21 20:38:00 -
[31]
Three positive dev blogs in a row and in under a week. Ok, I'm convinced this whole thing isn't dying just yet. So far so good.
Sered Woollahra
No Fixed Abode LEGIO ASTARTES ARCANUM
1
Posted - 2011.09.21 21:01:00 -
[32]
Tork Norand wrote:A few reward options come to mind....
1) Skill Points for small things. Hell, this would work great for reporting bots (at 1,000 SP for each verified bot report, you may just introduce a new profession....) but for the "small things", I think SP would be appropriate.
2) PLEX, but in 1-week increments....not only the 30-day version.
3) For people who actually use AUR (meaning they ask for this reward type), a deposit into their AUR account. Since the items aren't game changing anyway, this would let those who want to use it to have a way to increase what they have now.
Just what comes to mind...
I like this suggestion, of different levels of rewards depending on the severity of the issue discovered. Other parties do this as well: Google for instance has a policy of paying between 500 and 1337 USD per Chrome bug found according to this blog entry: http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html And Facebook, whose normal bounty is 500 USD per bug found, has paid up to 5000 USD for single bugs as they mention here https://www.facebook.com/notes/facebook-security/updates-to-the-bug-bounty-program/10150270651335766.
And although slightly OT, the idea of rewarding bot hunting with skill points or AUR sounds very interesting too. A new profession indeed..
Manfred Sideous
Body Count Inc. Pandemic Legion
4
Posted - 2011.09.21 21:05:00 -
[33]
Screegs the only security hole I could find was your anus on our last date.
Recommend buttplug |
darmwand
wiremaniacs
0
Posted - 2011.09.21 22:39:00 -
[34]
Quote:That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it.
Sounds interesting. Or at least allow people to easily get permissions to poke around a little, basically a mechanism where I could say "I'd like to do some weird things to your forums and, if I find anything, I'll report it back to you. In turn, you won't ban me for trying" would be cool.
That said, I'm glad you are trying to get the community involved. Nice devblog.
Manfred Sideous
Body Count Inc. Pandemic Legion
6
Posted - 2011.09.21 23:33:00 -
[35]
Screegs
YOU BEEN HAZED!
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 23:44:00 -
[36]
Manfred Sideous wrote:Screegs
YOU BEEN HAZED!
stop hazing me man
CCP Sreegs
C C P C C P Alliance
101
Posted - 2011.09.21 23:49:00 -
[37]
darmwand wrote:Quote:That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it. Sounds interesting. Or at least allow people to easily get permissions to poke around a little, basically a mechanism where I could say "I'd like to do some weird things to your forums and, if I find anything, I'll report it back to you. In turn, you won't ban me for trying" would be cool. That said, I'm glad you are trying to get the community involved. Nice devblog.
The idea of whitelisting is certainly something I'd take into consideration, but I do have concerns about availability of services in that scenario. Something else I've considered to ease the burden is rotating services, which can be difficult due to interdependence, and running contests or something. Really this is exactly the type of feedback I'm hoping to obtain.
I really want to establish something that can harness the community, but I also want it to be interesting and worth everyone's while. I really don't just want to be like "Test crap is up" then a week later "ok I updated the list of guys here's your gold star". I want to facilitate engagement and a sense of ownership, but also give people a chance to contribute to something they enjoy and in some cases further their education. Our community has a ridiculous number of security professionals and security professionals-to-be.
Ubee Rubiks
Caldari Provisions Caldari State
0
Posted - 2011.09.22 00:53:00 -
[38]
Sorry to derail this thread a little bit, but it made me wonder: if reporting forum security in the petition system does not get sorted to the right people in a speedy manner, then what happens when someone petitions for a stolen account? Does that get sorted and investigated in the same way?
Blazde
4S Corporation Morsus Mihi
0
Posted - 2011.09.22 05:36:00 -
[39]
Great initiative that's very needed. I'll cover some of my worst experiences reporting bugs in EVE and why I became so disillusioned with it I wouldn't even report a serious security vulnerability because it's a clear waste of time. Not all of this is security related and it's not clear how much you consider ingame exploits 'security' stuff, but I did always prioritise security bugreports anyway, and just perhaps if you make a success of the security stuff you can use it to trigger fixing the wider bugreporting problem. Edit: And sorry it got really long, this is mostly my entire reason for becoming a bitter CCP-hating vet ^^ and you're the first dev I've seen even acknowledge the problem in 6 years so maybe my rant can help
Incentive wise, I think the most important thing to begin with is convincing people that submitting the bugreport has any effect at all and is worth their effort. This goes for most quality bugreports that take time to make, which is probably why the bugreport system is flooded with low-quality no-effort, frustrated "You guys are idiots the whole thing is broken" type reports atm (and I can't help noticing you basically confirmed devs don't read bugreports because it's not worth their time)
So that means:
1) The report isn't rejected or important details edited out of it by a bughunter who doesn't understand it. [email protected] sounds promising but still if there is any kind of screening then feedback on that is needed. At least under the current system if a bughunter edits your report you get to see how and if they've royally screwed it up you can re-edit and explain where they went wrong. Ideally I think a special security category in the existing bugreporting system that explicitly bypasses bughunters and goes straight to security-conscious devs (but otherwise functions the same for report feedback) would be best
2) The problem must be actually fixed reasonably quickly (not incorrectly filed under the 'UI related - ignore' category forever). There's a knock on effect here: not only is it disheartening to spend effort reporting a problem and it not be fixed but also if you know reported problems often aren't fixed then the chances are much higher the problem you're about to report has already been reported by someone else, potentially years ago - so why waste time reporting it again
Way back in 2004 I reported a whole clutch of security-related problems. Mostly it was a satisfying experience (the most serious server-crashing bugs were fixed very fast and I dodged a deserved perma-ban) but 5-6 years later I learnt two of those exploits (related to the directional-scanner) hadn't been fixed and were being used fairly widely in client hacks. I had my local CSM rep raise it and he got zero feedback. They may or may not be fixed now - I don't know - but after spending time investigating, writing-up and chasing-up obviously I stopped caring
3) Some reasonable feedback on whether the report was useful. Some people might like a quick mention in the patch notes which should be easy enough, but even a quick one-line private evemail/email saying 'thanks - your report helped' if that's actually the case, from the dev who fixed it would be awesome. If 100 people report an obvious bug then the current bugreport feedback is fine, but if 2 people's reports were absolutely instrumental in it getting fixed they deserve to know that so tell them that and give them the warm fuzzy feeling of knowing they made a difference, so they can do it again
Couple of years ago I set out to investigate the huge desyncing that was happening at the time. It was already a 12 month old problem that was becoming worse as capital fleets grew in size and was disrupting every op, often causing lost capitals (that never got reimbursed even under the pre-Dominion policies, GMs often blamed client-lag). Pretty quickly I had a reproduction case but knew it would be a lot of effort to refine it and write it up properly - this is important btw: investigating bugs is fun (for some of us), writing them up is tedious. So I poked some devs and BHs in #eve-chaos to see if they already had a reproduction case, fairly sure they must because it was obvious. The only dev I got a response from said he couldn't talk about the current status of bugs in case what he said was spun by players as a promise - something like that, it was unhelpful anyway :) A helpful BH (these are rare!) lacked access to check. However another player said he had reported desync with a solid reproduction case so I dropped it for a few months. When it still wasn't fixed, given it was a well-known bug with reproduction I figured CCP were just being lazy so pushed Vuk to raise it on the CSM, even helping write some of his campaign material specifically about desync. At the CSM summit they said they had no reproduction case and would I submit one, so I went to work writing up the case and, motivated by the fact the devs had got nowhere in 18 months, also reverse-engineered the heck out of the client and pin-pointed the most major cause of the bug. By now it was dozens of hours of effort, a lot of it was fun of course or I wouldn't have done it, but some tedious, and I submitted the report happy that I'd worked to fix a serious bug in a game I loved. A couple of months and an expansion later it still wasn't fixed so I poked through the CSM again and got told it'd been deprioritised in the rush to expansion
...
Blazde
4S Corporation Morsus Mihi
0
Posted - 2011.09.22 05:38:00 -
[40]
...
A long time later it was eventually fixed, however then a devblog appeared telling in excruciating detail how this long-running difficult bug had been squashed by the extreme determination of our awesome CCP devs. Apparently a former-bughunter (then dev) had discovered a reproduction case and they'd gone on a difficult journey over many weeks to discover exactly what I'd reported 6 months earlier (and then a little further and actually fix it and quite a bit further to fix related issues). I don't doubt the devs put a lot of effort into fixing it and I personally didn't want a public mention especially not in a devblog, but it was hugely insulting that there was zero reference to player bugreports (and I'm sure there were plenty on the issue besides mine). Either the devblog was fictional or my weeks spent on the bugreport were wasted because it was never read by the right people and they had to duplicate my effort (not just wasting my time but wasting valuable dev resources)
Either way it was a monumental disincentive to ever report a bug again, security or otherwise. The worst thing is desync still exists and with plenty of experience, leads and a custom tool I could have helped fix more of it with just a little technical feedback to avoid investigating dead-ends and some indication that the effort was worth spending at all
Other stuff that might help:
Reimbursement - There was a 'decloak-in-warp and gain mass to bump stuff violently' exploit a while back. Again I reported and 6 months later it was still unfixed when a corp-mate lost a titan over it. It was stolen rather than destroyed which made it a difficult/impossible reimbursement case but I think in similar cases where reimbursement is at least possible then a bugreport related to the issue that caused the loss should influence the reimbursement. I lost a nid to the desync and if a dev ever approached me about a 'reward' then reimbursement of it would have been very appropriate. Another non-security example that comes to mind is ships dying >15 minutes after log off which I could have gotten a token-Devoter reimbursement over. For me at least the ISK-value is irrelevant but the acknowledgement from CCP that bugs in EVE probably caused the loss and that instead of whining in a petition the player set out to solve the bugs and get them fixed is. Spending the bugreporting time making ISK instead would have covered the loss a lot quicker, so reward that choice. And players are already most motivated to report bugs that affect them directly in a negative way so reversing that effect where possible as a reward seems like a no-brainer
Assistance in investigating - In the past I've tried to get help from BHs to spawn items or move characters and been told they're not allowed to, even when it's very clear that it's for investigating bugs. Other players have had better experiences but at the least it could be improved. I even applied to the BHs to try to get the abilities myself while following up the desync, but got rejected because (apparently): Bughunters are primarily filing-secretaries for bugreports and saying you actually want to hunt bugs on your application will hurt it. If I could have just gotten an extra account or two on Sisi, or even just a couple more supercaps and some fast-anchoring test towers it would have been hugely time-saving
Game mechanic exploits - I've always been nervous of submitting exploits to the bugreporting system because they will get seen by unaccountable player-volunteers and as a result very possibly exploited by enemy alliances (especially when the problem isn't fixed for 6+ months). There is a perception that using exploits in EVE is intentionally part of the metagame and they don't get fixed until they're widely abused, allowing those that discover them to benefit from them. Back in the day the F11 deep-safespot bug was considered treasured knowledge and CCP didn't rush to fix it or ban it's use. At the other end of the scale the ferrogel exploit was obviously considered much more serious. Somewhere in the middle is a grey area and if your exploit falls in that area you need to be able to contact a dev not a player-volunteer (devs might leak the info to their player-friends too of course but their job is on the line so it's less likely)
gl |
|
Davelantor
The Resistance Movement
24
|
Posted - 2011.09.22 07:44:00 -
[41] - Quote
3 DEV blogs in 3 days ... I am so happy .... i think now i will stop killing for today ... |
Florestan Bronstein
United Engineering Services
50
|
Posted - 2011.09.22 10:04:00 -
[42] - Quote
CCP Sreegs wrote:Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums.
not like the system is already vulnerable to exploitation before the vulnerability is discovered & reported, amirite?
I don't have a set position on responsible vs immediate disclosure but I think it needs to be acknowledged that while immediate disclosure may increase the probability of the vulnerability being actually exploited it also tends to minimize the time that the system is vulnerable (by applying maximum pressure to the developers) and gives users the ability to take precautions much faster/earlier than any company could issue them an advisory.
The vulnerability does not start to exist when it is reported for the first time - if anything it becomes much less threatening once it has been reported and is known about (as users can then start to take precautions/use workarounds). |
Florestan Bronstein
United Engineering Services
50
|
Posted - 2011.09.22 11:23:00 -
[43] - Quote
CCP Sreegs wrote:Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports.
Assume I experience a bug "visiting website xyz in the IGB does sometimes make the browser "hang" (have to restart client to fix this) and leads in rare cases to a BSoD". I file a bug report describing this behavior and expressing mild annoyance at CCP for releasing such a shoddy product, the bug gets verified by volunteers or CCP staff, gets assigned to CCP's IGB team, gets prioritized ("only one website of over 9000 is known to cause this issue, telemetry says only three users experienced client crashes due to it in the last month") and some CCP dev will grab the bug report and look into it whenever he gets around to doing so.
My guess would be that many users experience glitchy behavior due to accidentally triggering vulnerabilities and (if you are lucky) report it as a bug without thinking of it as more than a harmless but annoying glitch.
Shouldn't there be some process of screening incoming bug reports for signs of potential vulnerabilities and fast-track those that might point towards a security issue? |
|
CCP Sreegs
C C P C C P Alliance
102
|
Posted - 2011.09.22 12:07:00 -
[44] - Quote
Florestan Bronstein wrote:CCP Sreegs wrote:Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums. not like the system is already vulnerable to exploitation before the vulnerability is discovered & reported, amirite? I don't have a set position on responsible vs immediate (full) disclosure but I think it needs to be acknowledged that while immediate disclosure may increase the probability of the vulnerability being actually exploited it also tends to minimize the time that the system is vulnerable (by applying maximum pressure to the developers) and gives users the ability to take precautions much faster/earlier than any company could issue them an advisory. The vulnerability does not start to exist when it is reported for the first time - if anything it becomes much less threatening once it has been reported and is known about (as users can then start to take precautions/use workarounds).
I disagree with you completely. While you may personally have the capacity to react the average user may not.
If the developers respond responsibly then there's really no point to disclosing openly immediately. There are certainly many documented cases of developers of various applications not reacting to security notifications in time, what we're trying to enable is a framework to prevent that.
:edit: In the absence of the developer actively shirking their responsibility the claim that they may potentially do so is dubious. One can't simply go through life using assumptions about how people or companies may or may not react to a situation as the basis for their decisions, which seems to be the crutch the most extreme full disclosure advocates cling to. |
|
CCP Sreegs
C C P C C P Alliance
102
|
Posted - 2011.09.22 12:09:00 -
[45] - Quote
Florestan Bronstein wrote:CCP Sreegs wrote:Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports. Assume I experience a bug "visiting website xyz in the IGB does sometimes make the browser "hang" (have to restart client to fix this) and leads in rare cases to a BSoD". I file a bug report describing this behavior and expressing mild annoyance at CCP for releasing such a shoddy product, the bug gets verified by volunteers or CCP staff, gets assigned to CCP's IGB team, gets prioritized ("only one website of over 9000 is known to cause this issue, telemetry says only three users experienced client crashes due to it in the last month") and some CCP dev will grab the bug report and look into it whenever he gets around to doing so. My guess would be that many users experience glitchy behavior due to accidentally triggering vulnerabilities and (if you are lucky) report it as a bug without thinking of it as more than a harmless but annoying glitch. Shouldn't there be some process of screening incoming bug reports for signs of potential vulnerabilities and fast-track those that might point towards a security issue?
In your example you directly state that the bug simply looks like glitchy behavior. In a world where a potential security (or not) vulnerability could mimic any behavior how would you propose this screening should work? |
|
Andski
GoonWaffe Goonswarm Federation
58
|
Posted - 2011.09.22 13:15:00 -
[46] - Quote
hey cool now whoever manages to figure out the Ev0ke Cheetah gets a multibillion ISK bounty and a PLEX!!! |
MailDeadDrop
Rage and Terror Against ALL Authorities
13
|
Posted - 2011.09.22 22:07:00 -
[47] - Quote
CCP Sreegs wrote:All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published.
Given how things played out with the first release of the new forums, I can conclude one of several things:
1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur.
2. The procedures were in place but were not followed.
3. The "peers" and "reputable third parties" were incompetent.
4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing.
Care to tell us which it was?
MDD |
|
CCP Sreegs
C C P C C P Alliance
102
|
Posted - 2011.09.22 23:03:00 -
[48] - Quote
MailDeadDrop wrote:CCP Sreegs wrote:All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published. Given how things played out with the first release of the new forums, I can conclude one of several things: 1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur. 2. The procedures were in place but were not followed. 3. The "peers" and "reputable third parties" were incompetent. 4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing. Care to tell us which it was? MDD
Yeah let me get right on that.
|
MailDeadDrop
Rage and Terror Against ALL Authorities
13
|
Posted - 2011.09.22 23:14:00 -
[49] - Quote
CCP Sreegs wrote:MailDeadDrop wrote:CCP Sreegs wrote:All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published. *snip* MDD Yeah let me get right on that.
While I'm not exactly pleased with the tone of your reply, I'll have to say I am glad you did reply. Really.
So maybe my initial posting was more snide than it should have been. And perhaps this topic doesn't exactly follow the main thrust of the dev blog. Hopefully you'll agree that the initial rollout was rather calamitous, and that there are lessons to be learned from how it came to happen. I suppose the root of my question is: did you (as The Security Guy) determine how it came to happen? A simple "yes", "partially", or "no" response is all that I'm seeking. Well, that and the realization that if the answer is "no" that maybe you should go ask those questions.
On a completely tangential topic, I've seen recent discussions on the petition queues, and how the security-related (non-exploit) petitions take a substantially larger share of :effort: to disposition. I also recall that the 2010 FanFest goodie bag included an authenticator (a la RSA SecurID fob). It seems to me that allowing, perhaps even mandating, the use of those fobs for login would dramatically reduce the incidence of the "hacked account" security petitions. Would you please add "login security" to the list of topics for you to cover in the next dev blog you write (hopefully Soon™)?
Thanks for your time.
MDD |
|
CCP Sreegs
C C P C C P Alliance
102
|
Posted - 2011.09.22 23:21:00 -
[50] - Quote
Yeah sorry dude, but framing a question in such a way that there's no good, or even honest answer isn't really going to get you the rosiest of replies on my best day. :)
The answer is that yes, we did determine how we could improve the process and the process today is different from what it was then. The process today is what I'm describing. I think I went over some of the changes as well during a presentation at EVE Vegas which I think is being hosted by EVE Radio somewhere if you're curious. We knew what the issue was within an hour or two of it occurring; figuring out what needed to change in order to prevent that didn't really require a great deal. My shoe is on backwards, how do I prevent? Put it on the right way.
Regarding the two factor tokens, let's just say I'm looking forward wholeheartedly to the day where I can say when they'll be deployed. :) |
|
buck herrick
101st Space Marine Force Nulli Secunda
0
|
Posted - 2011.09.23 00:05:00 -
[51] - Quote
i am liking this sreegs more and more (although his singing is terrible and i don't believe that the recent hazing will help)
he posts and then actually reads responses to said post and then he even replies to said post.
this is a step forward, please ensure that we are able to have a new petition category where we can request all CCP'ers to act in this fashion. our security may depend on it.
|
T'Laar Bok
24
|
Posted - 2011.09.23 04:23:00 -
[52] - Quote
CCP Sreegs wrote:incentivizing
I can't decide if you got that from The Buzzword Dictionary or The Dictionary of Corporate Bullsh!t.
Both available on Amazon if anyone is interested.
Amphetamines are your friend. |
T'Laar Bok
24
|
Posted - 2011.09.23 04:23:00 -
[53] - Quote
Double post. Amphetamines are your friend. |
|
CCP Sreegs
C C P C C P Alliance
106
|
Posted - 2011.09.23 11:45:00 -
[54] - Quote
T'Laar Bok wrote:CCP Sreegs wrote:incentivizing I can't decide if you got that from The Buzzword Dictionary or The Dictionary of Corporate Bullsh!t. Both available on Amazon if anyone is interested.
It means to give incentive. Hope that helps. |
|
mazzilliu
Sniggerdly Pandemic Legion
0
|
Posted - 2011.09.23 15:18:00 -
[55] - Quote
Although a $15 PLEX isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.
sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com? |
Internet Knight
The Kobayashi Maru RONA Directorate
2
|
Posted - 2011.09.24 01:15:00 -
[56] - Quote
Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up
Report multiple issues: offer them a job because clearly it's better to have them on NDA than not. |
mazzilliu
Sniggerdly Pandemic Legion
0
|
Posted - 2011.09.24 01:31:00 -
[57] - Quote
Internet Knight wrote:Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up
this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than $15 (one PLEX) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one PLEX does not even factor in the amount of incentive there is.
the only real remaining incentives, are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that.
Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue. |
Garia666
T.H.U.G L.I.F.E Xenon-Empire
1
|
Posted - 2011.09.24 20:50:00 -
[58] - Quote
Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So when you have, change it ASAP. |
Knalldari Testpilot
State War Academy Caldari State
0
|
Posted - 2011.09.25 15:13:00 -
[59] - Quote
Asking the EVE community for help in fixing security issues after banning Helicity Bonson for doing exactly this could only be some kind of a hilarious troll.
You guys have some strange humor...
//off topic The new forum is less useful/handy/effective than the old one. |
|
CCP Sreegs
C C P C C P Alliance
106
|
Posted - 2011.09.26 16:20:00 -
[60] - Quote
Knalldari Testpilot wrote:Asking the EVE community for help in fixing security issues after banning Helicity Bonson for doing exactly this could only be some kind of a hilarious troll. You guys have some strange humor... //off topic The new forum is less useful/handy/effective than the old one.
Can you please let me know what part of "We've never banned anyone for reporting a security issue" was unclear? I can't speak to the specifics of any user you might be referring to as we don't publicly discuss administrative actions as a matter of policy, but I can categorically define your post as patently false and ask you to refrain from spreading such falsehoods on this forum as it can be detrimental to what we're trying to do, which is encourage people to participate. |
|
CCP Sreegs
C C P C C P Alliance
106
|
Posted - 2011.09.26 16:23:00 -
[61] - Quote
mazzilliu wrote:Although a $15 PLEX isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.
sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?
edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go?
What's not sanctioned at this time is any active exploitation or testing in any CCP owned environments. This thread is merely for comment so that we can gauge how best to institute, perhaps, a testing environment. Attacking our infrastructure was and remains a crime.
What I'd like to hear are thoughts as to what type of environment you feel would be useful. In addition we do get reports of things discovered anecdotally and those we encourage and reward. |
|
CCP Sreegs
C C P C C P Alliance
106
|
Posted - 2011.09.26 16:26:00 -
[62] - Quote
Internet Knight wrote:Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up
Report multiple issues: offer them a job because clearly it's better to have them on NDA than not.
The "hire the hacker" mentality simply has no real world application when you start to discover that you need to be able to trust the person you'd be hiring and they've already shown themselves to be willing to break laws. Where it starts to make more sense is when you can set up a controlled environment where they can operate ethically. |
|
CCP Sreegs
C C P C C P Alliance
106
|
Posted - 2011.09.26 16:27:00 -
[63] - Quote
mazzilliu wrote:Internet Knight wrote:Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than 15$(one plex) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one plex does not even factor in the amount of incentive there is. the only real remaining incentives, are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that. Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue.
CCP isn't going to be throwing you hundred dollar bills ever so we can go ahead and write that off for the time being. :) |
|
CCP Sreegs
C C P C C P Alliance
106
|
Posted - 2011.09.26 16:29:00 -
[64] - Quote
Garia666 wrote:Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So when you have, change it ASAP.
I'm pretty sure there are threads for conspiracy theories or trolling somewhere on this forum, but this one isn't it. Please refrain and stick to the topic. |
|
mazzilliu
Sniggerdly Pandemic Legion
1
|
Posted - 2011.09.27 02:24:00 -
[65] - Quote
CCP Sreegs wrote:mazzilliu wrote:Internet Knight wrote:Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than $15 (one PLEX) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one PLEX does not even factor in the amount of incentive there is. the only real remaining incentives, are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that. Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue. CCP isn't going to be throwing you hundred dollar bills ever so we can go ahead and write that off for the time being. :)
not cash. plex |
mazzilliu
Sniggerdly Pandemic Legion
1
|
Posted - 2011.09.27 02:25:00 -
[66] - Quote
CCP Sreegs wrote:mazzilliu wrote:Although a $15 PLEX isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.
sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?
edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go? What's not sanctioned at this time is any active exploitation or testing in any CCP owned environments. This thread is merely for comment so that we can gauge how best to institute, perhaps, a testing environment. Attacking our infrastructure was and remains a crime. What I'd like to hear are thoughts as to what type of environment you feel would be useful. In addition we do get reports of things discovered anecdotally and those we encourage and reward.
finding some xss in your site or something like that is attacking your infrastructure and also a crime. needs more clarification. |
|
CCP Sreegs
C C P C C P Alliance
106
|
Posted - 2011.09.27 12:12:00 -
[67] - Quote
mazzilliu wrote:CCP Sreegs wrote:mazzilliu wrote:Although a $15 PLEX isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.
sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?
edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go? What's not sanctioned at this time is any active exploitation or testing in any CCP owned environments. This thread is merely for comment so that we can gauge how best to institute, perhaps, a testing environment. Attacking our infrastructure was and remains a crime. What I'd like to hear are thoughts as to what type of environment you feel would be useful. In addition we do get reports of things discovered anecdotally and those we encourage and reward. finding some xss in your site or something like that is attacking your infrastructure and also a crime (and also has been rewarded by CCP in the past). needs more clarification.
edit: to clarify my own point, we need some clarification of what is and is not acceptable. the guy who got banned did so because he was reading secret forums, while being "logged in" as an employee, which clearly shows he didn't understand the situation as he would have either concealed his identity or else didn't try to find secret information if he did. i'm not asking ccp to "talk about administrative actions" but it's clear that there was misunderstanding going on and there need to be clearly laid out rules for people to report weaknesses and guarantee their own safety in doing so. whether a javascript alert box is thought of as active malicious exploitation or agreeable proof of concept for vulnerability reporting, is entirely in the eye of the beholder, in this case CCP. other entities would wholly disagree with whatever definition you come up with, so you must be crystal clear in what you say.
you have a singularity test server, where AFAIK it's anything goes except taking down services, however most of your web resources do not have a publicly available backup, so any actual vuln testing has to be done on production machines. which could or could not be a big deal, depending on the vulnerability and your current stance. if you are asking people to test on production servers, if there is a denial of service or sql injection bug the question really becomes, how do we report this without being malicious or getting banned, and will ccp need to conduct an investigation to ensure the bug (now known by 3rd parties) was never maliciously exploited? as i understand it this blog is basically an invitation for people to go around vuln scanning (be it manual or automated) on production servers and try to find vulnerabilities without taking down services or stealing secret information, etc. if this is a mistaken idea, then i apologize and you really need to clarify. also a list of acceptable locations where rewards will be given for vulnerabilities would be appreciated. nobody likes their time being wasted, and i'm sure you don't like getting vuln reports for web resources you don't even manage.
I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.
The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)
The blog, as is stated is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such. |
|
mazzilliu
Sniggerdly Pandemic Legion
1
|
Posted - 2011.09.27 12:55:00 -
[68] - Quote
CCP Sreegs wrote:
I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.
The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)
The blog, as is stated is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such.
I think the issue is that we don't agree on the definition of attack or testing. For me, I have to operate under the assumption that an attack is a single 'or 1=1, or a single unauthorized failed login. Based on my knowledge of past happenings with CCP, something seems to only be considered an attack when secret info is viewed, or there is a denial of service.
IMO, "testing" and "attacking" would be required to accomplish this:
Quote: The Good Example - User sends an email to [email protected] which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"
People in different roles than either of us probably have an even different idea of what these words mean. Clearly some users at the release of this forum software had a vastly different idea of what malicious activity meant.
I propose the following rules to clarify for all parties regardless of their knowledge of how to handle security incidents:
- no taking down services
- no viewing secret information; as you can't undo your actions on the internet, don't even try to get close
- if you must test whether something can be used against another user, use it only on your alt and not even on a consenting 3rd party, as knowledge of the exploit could spread
- no sharing knowledge of a live exploit with any other person
- no exploiting for personal gain
- no corrupting the integrity of information owned by other users.
I think this sort of thing needs to be crystal clear for the users out there.
Blazde
4S Corporation Morsus Mihi
6
Posted - 2011.09.27 13:03:00 -
[69] - Quote
If you really want players to actively seek out security issues for rewards (as opposed to just responsibly turning in any info that might be 'in the community' anyway as a result of non-authorised 'testing'), then absolutely the most effective option is to open-source the relevant bits of infrastructure you want tested in some limited way, preferably also set up a test environment, and then also offer rewards.
It's not effective, never mind efficient, to blackbox pentest a big network for the token rewards you're likely to be able to offer. You just won't provoke the level of commitment needed, as mazz says, to systematically stress every single input with quotes and angular brackets and so on, guessing hidden variable names and inferring the backend logic from little clues, going on huge detours to provoke errors to get those clues. It all takes an immense amount of time, which ultimately means that if a hundred undermotivated testers mostly replicating each other's work can't find a vulnerability, you really haven't achieved much confidence that one properly motivated individual won't.
Whereas the whole test could be conducted an order or two of magnitude more efficiently by simply auditing the code/config.
CCP Sreegs
C C P C C P Alliance
106
Posted - 2011.09.27 14:27:00 -
[70] - Quote
mazzilliu wrote:
CCP Sreegs wrote:
I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.
The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)
The blog, as is stated, is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such.
I think the issue is that we don't agree on the definition of attack or testing. For me, I have to operate under the assumption that an attack is a single 'or 1=1, or a single unauthorized failed login. Based on my knowledge of past happenings with CCP, something seems to only be considered an attack when secret info is viewed, or there is a denial of service.
IMO, "testing" and "attacking" would be required to accomplish this:
Quote: The Good Example - User sends an email to [email protected] which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"
People in different roles than either of us probably have an even different idea of what these words mean. Clearly some users at the release of this forum software had a vastly different idea of what malicious activity meant.
I propose the following rules to clarify for all parties regardless of their knowledge of how to handle security incidents:
- no taking down services
- no viewing secret information; as you can't undo your actions on the internet, don't even try to get close
- if you must test whether something can be used against another user, use it only on your alt and not even on a consenting 3rd party, as knowledge of the exploit could spread
- no sharing knowledge of a live exploit with any other person
- no exploiting for personal gain
- no corrupting the integrity of information owned by other users.
I think this sort of thing needs to be crystal clear for the users out there.
I'm telling you in no uncertain terms, again, that from the log's perspective there's no difference between a "test" and an "attack". If that's too difficult or nuanced to be clear then let's just say don't "test" either. I don't think it's clear what anyone thought at any time because I'm not psychic and I'm not going to ever be unless something awesome happens.
I propose the following:
Don't test, don't attack and don't in any way shape or form attempt to use systems for anything other than their intended purpose.
That is production systems. When it comes to a system specifically built for this purpose then the bulk of your proposed rules would make sense with some additions that I'll touch on when I have a free minute.
mazzilliu
Sniggerdly Pandemic Legion
1
Posted - 2011.09.27 14:33:00 -
[71] - Quote
CCP Sreegs wrote:
mazzilliu wrote:
CCP Sreegs wrote:
I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.
The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)
The blog, as is stated, is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such.
I think the issue is that we don't agree on the definition of attack or testing. For me, I have to operate under the assumption that an attack is a single 'or 1=1, or a single unauthorized failed login. Based on my knowledge of past happenings with CCP, something seems to only be considered an attack when secret info is viewed, or there is a denial of service.
IMO, "testing" and "attacking" would be required to accomplish this:
Quote: The Good Example - User sends an email to [email protected] which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"
People in different roles than either of us probably have an even different idea of what these words mean. Clearly some users at the release of this forum software had a vastly different idea of what malicious activity meant.
I propose the following rules to clarify for all parties regardless of their knowledge of how to handle security incidents:
- no taking down services
- no viewing secret information; as you can't undo your actions on the internet, don't even try to get close
- if you must test whether something can be used against another user, use it only on your alt and not even on a consenting 3rd party, as knowledge of the exploit could spread
- no sharing knowledge of a live exploit with any other person
- no exploiting for personal gain
- no corrupting the integrity of information owned by other users.
I think this sort of thing needs to be crystal clear for the users out there.
I'm telling you in no uncertain terms, again, that from the log's perspective there's no difference between a "test" and an "attack". If that's too difficult or nuanced to be clear then let's just say don't "test" either. I don't think it's clear what anyone thought at any time because I'm not psychic and I'm not going to ever be unless something awesome happens.
I propose the following:
Don't test, don't attack and don't in any way shape or form attempt to use systems for anything other than their intended purpose.
That is production systems. When it comes to a system specifically built for this purpose then the bulk of your proposed rules would make sense with some additions that I'll touch on when I have a free minute.
So, we'll soon be getting a 'Singularity' of EVE's web resources?
CCP Sreegs
C C P C C P Alliance
106
Posted - 2011.09.27 14:48:00 -
[72] - Quote
It's something I'm looking into. I haven't decided how to structure it yet though really so sisi may not be the best example. For instance, does it make more sense to have a sisi up all the time or to hold a kind of contest? For the next x time pound away at this here's where it is, and rotate those things out with maybe larger prizes going to winners.
I'm curious whether you think that might be more impactful than just having it up and running 24/7, and also provide a lot more incentive to the individual.
T'Laar Bok
26
Posted - 2011.09.27 17:29:00 -
[73] - Quote
CCP Sreegs wrote: I'm not psychic and I'm not going to ever be unless something awesome happens.
This thread shows you have the patience of a saint, so you never know. Amphetamines are your friend.
Garia666
T.H.U.G L.I.F.E Xenon-Empire
1
Posted - 2011.09.28 14:00:00 -
[74] - Quote
CCP Sreegs wrote:
Garia666 wrote: Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So when you have, change it asap.
I'm pretty sure there are threads for conspiracy theories or trolling somewhere on this forum, but this one isn't it. Please refrain and stick to the topic.
What are you smoking? This is no conspiracy, this is true facts. And we are talking about security; this is a very helpful tip for the people playing this game. Not something you might want to hear, I am sure.
CCP Sreegs
C C P C C P Alliance
106
Posted - 2011.09.29 11:22:00 -
[75] - Quote
Garia666 wrote:
CCP Sreegs wrote:
Garia666 wrote: Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So when you have, change it asap.
I'm pretty sure there are threads for conspiracy theories or trolling somewhere on this forum, but this one isn't it. Please refrain and stick to the topic.
What are you smoking? This is no conspiracy, this is true facts. And we are talking about security; this is a very helpful tip for the people playing this game. Not something you might want to hear, I am sure.
Yes, because clearly from an account security perspective it is a good idea for you to maintain 12 different email accounts, or use one you could lose access to, which would then leave you in the position of not being able to access your account. Never mind the fact that your insinuation that we randomly ban people is a flat-out falsehood. Not liking why you were banned or choosing not to recognize that you've violated the terms of an agreement doesn't mean there was no reason.
In short, I've asked you once not to mislead our customers, provide them with bad information or mischaracterize our actions with conspiracy theories about account actions. Your advice is simply terrible for the end user and has no place in this thread regardless.
If you have an opinion on disclosures or security testing I'd love to hear it. Otherwise take the less than subtle hint and refrain from posting unrelated FUD in the thread devoted to security testing and disclosures.
Chanina
ASGARD HEAVY INDUSTRIES Cascade Associates
3
Posted - 2011.09.30 08:46:00 -
[76] - Quote
I don't know how your system for petitions and bug reports is working, but if there are plans to make changes to it you might consider a common database where all reports come together and are sorted by labels. Combine that with a tag system so a BH, GM or DEV can sign it with "Browser Crash" or "POS Exploit". To keep it clearly arranged, use several levels of tags.
Use-Case: You are looking into some trouble concerning POS. Once you have melted down all the reports to POS-related only, you can see the lower-level POS tags like "POS Exploit" or even some more detailed ones with more information in the tag (e.g. "Hybrid weapon ammo exploit").
Why? Everyone describing a problem or bug will name it differently. Also one problem might be related to more than one scenario. The person who processes the issue might change too; with tags applied to the reports you can find related issues or reports that may provide the missing information. Describing a problem is pretty hard. Most of the time you assume something is standard and don't mention it. The next person doesn't know your "standard" and fails to follow your description.
Bans: Is there a public list of characters/accounts which have been banned? If not, it might help to prevent reselling those accs/chars if it is clear that it was abused. Maybe even an entry in the employment history of the character? ("Was sent on Vacation") At least I would never buy a character which got banned for whatever cause.
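As an added example (not CCP's tracker and not code from anyone in this thread), here is how the multi-level tag scheme Chanina proposes can be modelled: every report lands in one index, staff sign reports with tags written as paths ("POS/Exploit/Hybrid weapon ammo"), and filtering on a higher-level tag "melts down" the set to that area, shows the next level of tags to drill into, and surfaces reports that overlap with the one being worked. The report ids, titles and tag names below are constructed sample data.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

SEP = "/"  # tag levels are written as a path, e.g. "POS/Exploit/Hybrid weapon ammo"


@dataclass
class Report:
    report_id: int
    title: str
    tags: set[str] = field(default_factory=set)


def _overlaps(a: str, b: str) -> bool:
    """True when two tag paths are equal or one is an ancestor of the other."""
    return a == b or a.startswith(b + SEP) or b.startswith(a + SEP)


class TagIndex:
    """One database for all reports; staff (BH, GM, dev) sign them with tags."""

    def __init__(self) -> None:
        self.reports: dict[int, Report] = {}
        self.by_tag: dict[str, set[int]] = defaultdict(set)  # exact tag path -> report ids

    @staticmethod
    def normalize(tag: str) -> str:
        """Trim whitespace around each level and drop empty levels."""
        parts = [p.strip() for p in tag.split(SEP)]
        parts = [p for p in parts if p]
        if not parts:
            raise ValueError("empty tag")
        return SEP.join(parts)

    def add(self, report: Report) -> None:
        raw_tags, report.tags = report.tags, set()
        self.reports[report.report_id] = report
        for t in raw_tags:
            self.tag(report.report_id, t)

    def tag(self, report_id: int, tag: str) -> None:
        """Sign a report with a (possibly multi-level) tag."""
        norm = self.normalize(tag)
        self.reports[report_id].tags.add(norm)
        self.by_tag[norm].add(report_id)

    def find(self, tag: str) -> list[int]:
        """Ids of reports carrying `tag` or any tag beneath it."""
        prefix = self.normalize(tag)
        ids: set[int] = set()
        for t, rs in self.by_tag.items():
            if t == prefix or t.startswith(prefix + SEP):
                ids |= rs
        return sorted(ids)

    def children(self, tag: str | None = None) -> dict[str, int]:
        """Next-level tags under `tag` (top level if None) with report counts."""
        prefix = "" if tag is None else self.normalize(tag) + SEP
        groups: dict[str, set[int]] = defaultdict(set)
        for t, rs in self.by_tag.items():
            if not t.startswith(prefix):
                continue
            child = prefix + t[len(prefix):].split(SEP, 1)[0]
            groups[child] |= rs
        return {c: len(ids) for c, ids in groups.items()}

    def related(self, report_id: int) -> list[int]:
        """Other reports whose tags overlap with this one's at any level."""
        mine = self.reports[report_id].tags
        return sorted(
            rid for rid, r in self.reports.items()
            if rid != report_id and any(_overlaps(a, b) for a in mine for b in r.tags)
        )


def build_sample_index() -> TagIndex:
    """Constructed sample reports; names are illustrative only."""
    idx = TagIndex()
    idx.add(Report(1, "Tower ammo loophole", {"POS/Exploit/Hybrid weapon ammo"}))
    idx.add(Report(2, "Tower refuel bug", {"POS/Crash", "Client/Browser Crash"}))
    idx.add(Report(3, "Silo stacking", {" POS / Exploit "}))  # sloppy spacing is normalized
    idx.add(Report(4, "Forum XSS", {"Web/Forum/XSS"}))
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("POS reports:", idx.find("POS"))            # [1, 2, 3]
    print("under POS:", idx.children("POS"))          # {'POS/Exploit': 2, 'POS/Crash': 1}
    print("related to 3:", idx.related(3))            # [1]
```

Tags are stored normalized, so the same tag typed with different spacing collapses to one bucket; ancestor matching is a plain prefix test on the path, which is what lets a triager start at "POS" and narrow down without knowing every child tag in advance.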