CCP Navigator
C C P C C P Alliance
Posted - 2011.01.15 14:15:00 -
[1]
The final meeting minutes of the CSM December Summit are now available, which look at Incarna game play and vision, account security and much more. Read the full blog here.
Navigator Senior Community Representative CCP Hf, EVE Online
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.15 17:17:00 -
[2]
Originally by: Ravcharas
This is also an issue with most anything CCP insists on NDA'ing. Exploits and botting and what have you. I get that there're things CCP wants to keep under wraps, but they cannot both have their cake and eat it. Support is built through communication.
Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.15 19:04:00 -
[3]
Originally by: Ravcharas
I'm not saying the players need to know specific counter-hacking/botting methodologies. What I'm saying is that maybe you guys have erred on the safe side a little too often, especially concerning Incarna. Which is totally understandable, by the way, but no less annoying to see.
My apologies then, I thought you were referring specifically to the security-type redaction. I'm not in the Incarna department so I'll toss you a high five and ride off into the sunset.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.15 22:40:00 -
[4]
Originally by: trjcquee
Edited by: trjcquee on 15/01/2011 21:42:20
Originally by: CCP Sreegs
Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.
Re. bots, I think people would like to have some feedback on how seriously CCP investigates accusations of botting. The actual methods you use to evaluate and catch botters are not the issue. I reported 3 dozen suspected bots a couple of months ago. Were they bots? Did CCP ban them? Without some sort of feedback I don't know if my effort to petition them was worth it, and I haven't bothered petitioning dozens more since then because I don't like wasting my time. How about some monthly statistics along the lines of number of bots petitioned vs the number investigated by CCP vs the number of accounts banned as a result?
When a buddy of mine gets his wallet submerged into the red because he bought isk as a noob over 2 years ago, yet incredible botting activity by virtually every large alliance in the game goes unchecked..... it's kind of a kick in the ass.
It's not that we want to know specific methodologies (which should be kept secret), what we want to know is whether you're doing anything at all about the biggest offenders. The consensus here and elsewhere (mostly elsewhere) seems to be "CCP doesn't really care about bots". The evidence is overwhelming that that's the case, and that fact appears to be what the iron-fisted NDA is designed to hide.
I apologize for not addressing every single post on this subject. I'll do my best but there's a lot of text to sort through. Firstly to address Trebor's "Security by obscurity" mention. This is a term that has a very specific meaning that is often overused or used in an incorrect context. An example of Security By Obscurity would be one where you create an administrative interface for a store. Instead of wrapping security around the administrative interface you decide to stick it in a subfolder called /supersecretadminland/. Accessing that subfolder grants access. Your SOLE basis of securing your application in this context is the presumption that nobody will find it. This is the definition of Security by Obscurity.
This does not mean that from a security perspective you should be laying all of your cards face up on the table. That would be silly. What this means is that your methodology should be sound enough that you're not simply relying on people's ignorance to keep your jewels safe. I don't think it should be misinterpreted as an open call to publish your procedures on the internet.
My question was of an academic nature really. I am merely a bit curious about the underlying motivation people have for asking the questions because it will help us frame our responses. While we cannot always lay all of our cards out on the table, we can come up with ways to communicate information sensibly that shows results. So what I was looking for really was the type of information regarding these things that you as players would find of value.
What I can say in this post is that a great deal of my own time is spent on this subject, as well as the time of many others. Every petition to my knowledge gets investigated. Every email to the security inbox is read and actioned on and a great deal of things are actioned on for which no individual player initiated a request. I've seen your requests for information and would really like to know more about what would be of value to you, such as the examples quoted. I think it helps us to see where we're missing the mark in this regard from your perspectives.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.15 22:41:00 -
[5]
Originally by: Infinion
Regarding the future plans to improve account security, has CCP considered giving players a standalone password for account management?
I'm assuming you're referring to having a separate password for account management? I don't quite get the question and I don't want to try to answer it if I don't understand what you're asking.
CCP Sreegs
C C P C C P Alliance
Posted - 2011.01.16 00:20:00 -
[6]
Originally by: Trebor Daehdoow
I must beg to differ; you are construing the term much more narrowly than is the case in actual practice. Security by Obscurity is defined, on Wikipedia for example, as "a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security"
For example, attempting to keep the details of an encryption algorithm secret would be Security By Obscurity. A black box, whether it is an encryption algorithm or a suite of bot-detection techniques, cannot be relied upon by third parties -- there is simply insufficient information to make a reasonable judgment on the matter.
I'm pretty sure we're saying the same thing here, though I did oversimplify the explanation. Without turning this into a giant dialogue where we speak in circles I'll say that you are definitely correct that there's a balance that needs to be struck in communicating these things and a lot that has to be taken into consideration. One of those things is determining how to communicate a complex issue. Saying "We have mechanisms in place to detect bad activity" would certainly appear to be overbroad (as well as obvious). However, it is also unlike a cryptographic algorithm in that these things are by nature in a constant state of change. "Signatures" have the capability of changing multiple times per day and don't lend themselves to the kind of peer review we're discussing here. As patterns are determined and actions are taken tactics change.
The blog will be posted as soon as I can finish it, and there's another one in the pipeline already for after that with a third growing. I'm glad you found the session useful. Aside from the feedback already solicited I can say that we do take botting and attempts at client manipulation very seriously. We do not want them in Eve and we action against unallowed activity pretty much 24/7. There's no grand conspiracy here to secretly allow violations of the rules. Were that the case it would probably be simpler and more cost effective to merely get rid of the rules. The reason I requested information about what you guys would like to hear is because I think it's obvious that there's a disconnect there between what's being done and the perception of what's being done and I want to make sure that when we address it we're addressing what you actually want to know rather than what we think you want to know.