Thread Statistics | Show CCP posts - 19 post(s)

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.20 23:33:00 [1]
Originally by: Wollari I also already got some kind of EVE newsletter where all URLs have been masked using tinyurl.com
Forward it to [email protected] if you can. Those have been getting nuked pretty quickly.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 01:07:00 [2]
Edited by: CCP Sreegs on 21/01/2011 01:09:30
Originally by: Vilgan Mazran SPF records have been pretty mandatory for ages. How has CCP not been getting emails rejected essentially saying "your SPF records are nonexistent or not specific enough, contact your postmaster". Like wtf :P
The SPF records exist they just need to be tweaked a bit. If there weren't SPF records set a giant pile of you wouldn't be receiving our emails.
:edit: Which is pretty much what you just said it would seem, heh

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 01:26:00 [3]
Originally by: PC l0adletter Authenticators, please.
Originally by: CCP Sreegs
Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.
I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.
This blog was presented to the CSM prior to that post being made and they were told at the time that it would be given to the playerbase in the form of a dev blog. I tried after that post to make it clear that the question was academic in nature, as I can make changes to my messaging based on what you (players) tell me you'd like to know. I guess you could call it an apparently clumsy attempt to get around specific detail requests and get to the nature of the question.
To expand a bit, a lot of security-related questions tend to focus on specific solutions or cookie cutter types of individual requests and to really solve a lot of problems you need to look at bigger pictures. As you can see in this blog at least I don't consider any one thing to be a magic solution. There's a lot of different moving pieces of vulnerability that each need to be addressed individually. My hope was that by framing the question a particular way I could get some thought flowing and get some interesting responses, which did happen.
Sorry if that left the impression that I was on some super secret need to know CIA spy kick or something as I really tend towards the opposite philosophically and I don't believe in any way that people are best served by being left in the dark, though there are and will be cases where full disclosure just doesn't benefit anyone.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 09:48:00 [4]
Originally by: Cyaxares II Edited by: Cyaxares II on 21/01/2011 09:02:55
nice devblog - except for the heavy scaremongering
Quote: If you got it for free there's a catch and they're probably stealing from you.
There are plenty of (free) AHK/IS scripts floating around that verifiably don't contain any malicious functionality on their own and it seems highly unlikely that AHK or IS itself would be specifically adapted to steal EVE account data (especially for AHK, IS might be more risky).
On top of that stealing account data is just plain bad business for most paid-for bots (especially subscription-based ones) - the only case I can come up with in which it would make sense to steal an account would be if CCP did magically manage to disable botting thus denying the bot writer any further revenue from his work.
If you want to convince us not to use bots please do it by delivering decent arguments and not FUD.
Taking a very wild guess I would guess that a similar amount of information is stolen through the official API ("all your in-game mails are belong to us") or through tools building on the API that are trojans, keyloggers, ... as is via bots.
Just provide a "Download source here" link and nobody will check if the version he could compile from source matches with the official binary, anyways.
edit: also, consider that people running bots are already willing to gamble their account based on incomplete information - otherwise they wouldn't break the EULA. Saying "OMG you might lose access to your account" might change the perceived odds but it's a quantitative change rather than a qualitative one.
... and without naming & shaming (and providing reproducible steps to confirm the malicious behavior) you are not exactly the most credible source of information on the risks of botting to start with as CCP has a large business interest in making EULA violations look extremely risky, independent of reality.
tl;dr serious botters will carry on as before (because they know what they're doing and probably use their own software anyways), some casual botters might be a bit scared but will reaffirm each other that you're just spreading FUD in their forums and my mood is ruined by reading that silly, silly paragraph.
Every single thing I said in that paragraph about botting is true and while you're welcome to your opinion, opinions don't alter facts. The paragraph was written for your benefit, so that people are aware of the information being collected and motivations of the creators. This wasn't a delivery of opinion. It was a statement of facts based on our investigations.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 09:56:00 [5]
Originally by: Agent Stone Edited by: Agent Stone on 21/01/2011 09:54:00 Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 10:00:00 [6]
Originally by: Sentient Blade There is a potential sixth wall that I do not see mentioned which is effectively "Tell me something about myself".
Show me your birthmark... Show me the rose... drop your pants*
To put it simply, allow each player to define a few words that are tied to their account such as "turtle, antelope, gallentesux" and display this string to the person attempting to login prior to them getting to the second factor of authentication, i.e.
<Enter name and password> Hello [Full real name]. This is CCP server secure.eveonline.com saying "[word string]" please enter any character name to continue.
This would give an opportunity for the user to verify that the server already had sufficient details on the account to know their real life name and their secret word string, and back out, before entering the character name.
* James Bond reference
Geographic Jumping Checks
Seeing as it is unlikely that the person attempting to phish for accounts is going to be living in the house next door, or even in the same country for the most part, login attempts to both websites and the EvE client should be GeoIP'd and the original registrar notified via email when 2 logins occur within a short period which come from geographically diverse locations.
In game / out of game paradox
It occurs to me that there is somewhat of a paradox in security within the EvE universe where CCP seems to condone, and perhaps even actively encourage, scams and behaviour designed to strip a victim of all of their assets and enjoyment through trickery and obfuscation of data, in an almost identical way to how phishing attacks work.
Is there really that much difference in the CCP financial loss / bad player experience when comparing the end results of in-game scamming vs out-of-game phishing?
How does CCP reconcile treating two mechanisms with near identical end results differently?
Misc
* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.
* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
These are all tied to authentication and if we're not already considering them I'll add them to the list to think about. re: your questions
1) I don't see this happening anytime soon. Whether you have bigger problems if someone can read your disk or not, when it happens it also becomes our problem. There have been quite a few trojans that targeted various games who have used this methodology and I'm not sure the risk outweighs the potential benefits.
2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 10:02:00 [7]
Originally by: DmitryEKT Gmail labs has a thing you can enable which puts a little key icon next to legit emails from ebay/paypal to make it obvious they're not fakes. Have CCP thought of getting in on that?
I have to look into the labs solution. The one solution I'd seen involved the use of an installer which proceeded to make it impossible for me to access gmail so I shot it down. I'll take a look at this one ASAP, because these types of things are specifically what I was referring to when I said it would be possible for you to verify that an email had come from us.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 10:05:00 [8]
Originally by: Remulon McNab
Quote: SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time as things need to be moved around in order to implement that properly
@CCP Sreegs Why are you guys implementing SPF and DKIM/DomainKeys now? Technology-wise, the start of 2010 was the year that everyone started encountering huge problems related to phishing. So from my point of view you are a bit late, especially with all those phishing mails going round.
What are the global plans to protect your customers from phishing/account security issues in the future?
Mail security & deliverability is part of my daily job and those go hand in hand
SPF was implemented, it just wasn't implemented the best way. Whether we're late to the SPF table or not I didn't work here in 2010 so I can't speak to what people may have done or been thinking at the time. I'm here now and we're correcting our SPF implementation.
Regarding future plans, I'm assuming you're alluding to something particular but from my perspective this blog is what we have for the next x period of time. Once implementation is done we can measure effectiveness and determine what additional steps may be required.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 10:06:00 [9]
Originally by: Lost Hamster
Originally by: CCP Sreegs Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, guy whose name is yours, is really you. An initial shot at this was when we began asking you to name one of the characters on your account.
The idea itself is not bad, however there is still a hole in the security system.
With this feature you try to protect the account management - that's fine. However if a bad guy has access to the user name and password, then how long will it take to get a character name on that account? I will tell you. 15 seconds.. Just log in to the game and voila.
However it's a positive note that the similar hole on the evegate site has been filled. :)
So please get a similar login screen to the game as well. With an option to save the Character name to the individual game files.
Just to clarify I'm talking about authentication at every interface. I don't believe authentication of the same credentials should be in any way different because you're using a different interface to request the information.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 10:07:00 [10]
Originally by: Avensys Edited by: Avensys on 21/01/2011 09:11:46
(posting on a different character as it's a separate point)
How does asking for a character name actually help?
Wouldn't phishing sites just ask for a character name as well (they want to mimic the "real" login process as closely as possible after all)?
Yes, which is why it's not good enough and we're looking to improve.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 10:43:00 [11]
Originally by: Sentient Blade
In my experience it really depends on how big a hole they can punch in the attack surface, and 99% of the time if that hole is big enough that if it provides a means of reading the hard disk then that hole is also big enough for them to be capable of installing a keyboard hook or swiping the person's paypal or banking details and using them to create a few hundred accounts.
That's a worst-case scenario of course, but once it gets to the remote code execution stage there is not much more that can be done on your part - it's the actual identity of the account holder that's been compromised rather than the underlying security of EvE.
You are of course correct. I will say though that it doesn't make it any less our problem when an account is compromised whether it's through a fault of our own or not and I'm not sure that the costs of putting information on disk outweigh the benefits.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.21 11:41:00 [12]
Originally by: Remulon McNab @Sreegs Thanks for your reply, besides SPF it might be worth implementing SenderID. This improves deliverability of all your e-mail messages.
I am aware of the fact that SenderID is backwards compatible, though it's still useful as Microsoft implements it in all their mailserver software.
So far, great job!
If I'm correct, and I'll Google in a second and either be right or have immortalized my wrongness, SenderID is just Microsoft rebranding of either SPF or DomainKeys.
(I was wrong and I'll dig into it a bit. It's based on SPF but not the same. Thanks!)

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.25 02:33:00 [13]
Originally by: ROXGenghis You could look at RSA's Site Key:
http://en.wikipedia.org/wiki/SiteKey
I've never had a problem with it as a user, but I haven't studied its protocol so I can't vouch for it at this point.
This is a pretty interesting approach though it has at least one rather glaring weakness. Thanks though it does provide some food for thought.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.25 02:36:00 [14]
Originally by: Melekhar Tazinas Sreegs, have you guys considered signing your emails with a GPG signature?
Not that many people use GPG-enabled email clients, but for those of us that do, there's few better means of authenticating your emails.
We have and I'm looking into it deeper. The problem in the past with this type of thing has been the barrier to entry for the end user. DomainKeys uses a certificate in the actual sending of the email to validate the sending source, so once that implementation's done you may be able to get similar functionality though. I'm taking some liberty and oversimplifying here I know but it's 2:30 am and I'm pretty much stupid right now.
Ultimately I'd like it to be simple enough for Joe Average to be able to verify that an email came from us.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.25 02:39:00 [15]
Originally by: Wollari You just advised to use SPF to block spam mail where other people are claiming your identity. SPF is okay in general, but the way your SPF record is registered doesn't let the fake mail get dropped.
== your spf record ==
mail:~# host -t TXT eveonline.com
eveonline.com TXT "v=spf1 mx ip4:87.237.32.0/24 ip4:87.237.38.0/24 ip4:87.237.39.0/24 mx:mail.global.frontbridge.com mx:ymir.ccpgames.com ~all"
the "~all" match generates a "softfail". Mail in general gets "marked" as a possible identity problem but won't get discarded in the first instance by the MTA. It's good for testing and monitoring purposes.
If you're 100% sure that no other systems (apart from the ones listed in your SPF record) will send emails from eveonline.com it's maybe an idea to change "~all" to "-all". This will force other MTAs to drop the mail if it's not sent by an authorized system. This may cause problems when somebody is forwarding emails from one account to another. But that's a different story.
When you're happy with your spf record change it to -all and protect us all from the spam.
happy mailing.
Removed a forum-breaking tag. Spitfire
We know the record's set up improperly and making it proper is the change I was alluding to in the dev blog. Thanks though!

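To make the softfail/fail distinction in the exchange above concrete, here is an added example (the editor's code, not CCP's or Wollari's) that evaluates the record Wollari pasted. It handles only the mechanisms that record uses (ip4, mx, all) and the four qualifiers; DNS is not consulted, and MX_TABLE is a constructed stand-in with RFC 5737 documentation addresses rather than the real MX hosts, so the example runs offline.

```python
"""Minimal SPF evaluator (added example) for the eveonline.com record quoted above.

Handles the ip4, mx and all mechanisms with the +, -, ~ and ? qualifiers.
DNS is not consulted: MX_TABLE is a constructed stand-in so the example runs
offline. A real evaluator also needs a/include/redirect and the DNS lookup
limit from RFC 7208 section 4.6.4.
"""
import ipaddress

# The record exactly as Wollari pasted it.
EVE_SPF = ("v=spf1 mx ip4:87.237.32.0/24 ip4:87.237.38.0/24 ip4:87.237.39.0/24 "
           "mx:mail.global.frontbridge.com mx:ymir.ccpgames.com ~all")

# Constructed DNS stand-in: domain -> addresses of that domain's MX hosts.
# RFC 5737 test addresses; the thread does not give the real ones.
MX_TABLE = {
    "eveonline.com": ["192.0.2.10"],
    "mail.global.frontbridge.com": ["198.51.100.20"],
    "ymir.ccpgames.com": ["203.0.113.30"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(sender_ip, domain, record, mx_table=MX_TABLE):
    """SPF result for a connection from sender_ip whose MAIL FROM is at domain.

    Mechanisms are tested left to right and the first match decides, which is
    why the qualifier on the trailing 'all' fixes the fate of every sender
    not listed before it.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            hosts = mx_table.get(arg or domain, [])   # bare 'mx' means the sender domain
            matched = any(ipaddress.ip_address(a) == ip for a in hosts)
        else:
            raise NotImplementedError(f"mechanism {mech!r} is outside this example")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # RFC 7208: nothing matched and there was no 'all' term


def harden(record):
    """Apply Wollari's suggestion: a trailing ~all becomes -all."""
    terms = record.split()
    if terms and terms[-1] == "~all":
        terms[-1] = "-all"
    return " ".join(terms)


if __name__ == "__main__":
    for ip in ("87.237.32.5", "198.51.100.20", "10.0.0.1"):
        print(ip, check_host(ip, "eveonline.com", EVE_SPF),
              check_host(ip, "eveonline.com", harden(EVE_SPF)))
```

Against the record as posted, an unlisted sender such as 10.0.0.1 gets softfail, which receivers typically only score; after harden() the same sender gets fail, which they may reject outright. The forwarding caveat Wollari mentions is the flip side: a forwarding host is not in the record either, so check which legitimate mail flows relay through third parties before tightening.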
CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.25 02:41:00 [16]
Originally by: Thirler Thanks for a good insight.
I have a related question, one of my corporations members got hacked earlier. He had some trouble in getting a quick reaction to get his account blocked/returned to him quickly(he got locked out), there wasn't really a petition section appropriate for this.
What is the best way to reach CCP when you think your account has been hacked? I would imagine the priority should be the same as the 'stuck' section as this can minimize the harm done and the profit for the hackers.
I'll follow up here tomorrow but I thought there was a category for this. I'm not in Customer Service so it's not on the top of my head. I'd file as stuck until I can dig into it and tell you what the proper queue is. I can say that if it's not obvious it's probably something that should be fixed.

CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.25 02:44:00 [17]
Originally by: TCL987
Everything is hackable, using an authenticator just makes it harder and prevents someone from gaining access to your account using a keylogger. Given enough time someone could eventually figure out the algorithm but it would take too long to be worth it.
Using an authenticator does help. The most glaring problem with authenticators tends to come from how sessions are managed by the application and not in the authenticator itself.

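As an added example (the editor's code, not CCP's, and assuming the authenticator is an RFC 6238 time-based token, which is what phone and keyfob authenticators of this kind implement), here is a server-side verifier that shows both halves of the exchange above. The algorithm is public and the only secret is the per-account seed (the seed below is the RFC's own test vector, not an account credential), and the server must refuse to honour a time step it has already accepted, since a code captured by a keylogger is otherwise still valid for the rest of that step.

```python
"""TOTP verifier with replay protection (added example).

hotp/totp follow RFC 4226 / RFC 6238 with HMAC-SHA1 and six digits.
TotpVerifier accepts a small clock-drift window but never the same time step
twice, so a code observed by a keylogger cannot be reused after the real
user has spent it. The secret used in __main__ is the RFC test vector.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D seed, not a real seed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Per-account verifier: each time step can be redeemed at most once."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window        # tolerate +/- this many steps of clock drift
        self.last_counter = -1      # highest counter already redeemed for this account

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        centre = int(now // self.step)
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue            # this step (or an older one) was already spent: replay
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)            # what the token shows at t=59
    print(code, v.verify(code, now=59))         # 287082 True
    print(code, v.verify(code, now=59))         # 287082 False: same step, replayed
```

The replay rule is per account and must live wherever the session is created, which is the point Sreegs makes: a correct token check followed by a long-lived, unbound session cookie still leaves the account exposed.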
CCP Sreegs (C C P / C C P Alliance)
Posted - 2011.01.25 02:45:00 [18]
Originally by: herot
Originally by: CCP Sreegs
Originally by: Sentient Blade 2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.
One also has to consider that some of us use VPN services and can therefore appear to flit around the world in a strange fashion (or even be in two places at once if we for instance log in from different computers to the forum and the game, with one machine routing through VPN).
In any scenario flitting around the world would probably only require you to validate yourself out of band somehow. To be frank, this is still something we're thinking through and your concern here is something we're taking into consideration.
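The geographic jumping check proposed in post 6 and the VPN concern raised here are two sides of one detection rule, so this added example (the editor's code, not CCP's) implements both: consecutive logins for an account are compared by the ground speed their GeoIP coordinates imply, and egress addresses the user has registered out of band (a VPN exit, say) are left out of the comparison. All events, coordinates and addresses are constructed sample data, and the GeoIP lookup is assumed to have already happened.

```python
"""Impossible-travel check over login events (added example).

Flags consecutive logins for one account whose implied speed exceeds what a
traveller could manage, across both the web and game interfaces. Addresses
in known_egress (registered out of band) are exempt, which covers the case
of one machine tunnelling through a VPN while another plays from home.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0      # a little above airliner cruise speed; tune per deployment


@dataclass(frozen=True)
class Login:
    account: str
    ts: float       # Unix time of the login
    ip: str
    lat: float      # GeoIP result for ip (constructed here)
    lon: float
    surface: str    # "game" or "web": both interfaces feed the same check


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, known_egress=frozenset(), max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier, later, implied_kmh) for each pair that exceeds max_kmh.

    Logins from an address in known_egress are neither compared nor used as the
    reference for the next login. The trade-off: an attacker using that same
    exit is invisible to this check, so pair it with out-of-band validation.
    """
    alerts = []
    last_seen = {}                  # account -> most recent comparable login
    for ev in sorted(logins, key=lambda e: e.ts):
        if ev.ip in known_egress:
            continue
        prev = last_seen.get(ev.account)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = max((ev.ts - prev.ts) / 3600.0, 1e-6)   # guard simultaneous logins
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((prev, ev, kmh))
        last_seen[ev.account] = ev
    return alerts


# Constructed sample data: city-centre coordinates and RFC 5737 addresses.
SAMPLE_LOGINS = [
    Login("pilot", 0.0,        "192.0.2.1",   64.1466, -21.9426, "game"),   # Reykjavik
    Login("pilot", 4 * 3600,   "192.0.2.2",   51.5074,  -0.1278, "web"),    # London, 4 h later: fine
    Login("pilot", 4.5 * 3600, "203.0.113.9", -33.8688, 151.2093, "game"),  # Sydney 30 min later: impossible
]
VPN_LOGINS = [
    Login("tunneller", 0.0,   "192.0.2.1",    64.1466, -21.9426, "game"),   # home connection
    Login("tunneller", 600.0, "198.51.100.7", -33.8688, 151.2093, "web"),   # registered VPN exit in Sydney
]

if __name__ == "__main__":
    for prev, ev, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{ev.account}: {prev.ip} ({prev.surface}) -> {ev.ip} ({ev.surface}) implies {kmh:,.0f} km/h")
    print("with VPN exit registered:", impossible_travel(VPN_LOGINS, known_egress={"198.51.100.7"}))
```

In the sample the Reykjavik to London hop works out to roughly 470 km/h over four hours and passes, while London to Sydney thirty minutes later implies tens of thousands of km/h and is reported. The tunneller account is only flagged when its VPN exit has not been registered, which is the out-of-band step Sreegs alludes to.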