
CCP Fallout

Posted - 2011.01.20 22:53:00 -
[1]
CCP Sreegs is back, talking to us about account security. His new target: phishing attacks.
Fallout, Associate Community Manager, CCP hf, EVE Online

Chribba
Otherworld Enterprises Otherworld Empire
Posted - 2011.01.20 23:00:00 -
[2]

Secure 3rd party service | my in-game channel 'Holy Veldspar'

Salyan
Posted - 2011.01.20 23:05:00 -
[3]
CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.
P.S. Chribba, sorry but your picture scares me now.

SXYGeeK
Gallente do you -Mostly Harmless-
Posted - 2011.01.20 23:10:00 -
[4]
well done Sreegs,
As always I'm particularly interested in multi-factor authentication. I love how paypal sends me a text on my phone as a second factor. It's cheap, effective, and could reach a large portion of your player base.
Keep us in the loop like you've done in this blog and things will only get better :)
-We So SeXy

Halvus
Minmatar Sons Of 0din C0NVICTED
Posted - 2011.01.20 23:19:00 -
[5]
Excellent blog. Keep up the good work :)

Wollari
Phoenix Industries Black Star Alliance
Posted - 2011.01.20 23:25:00 -
[6]
I also already got some kind of EVE newsletter where all URLs had been masked using tinyurl.com.

Doctor Mabuse
Posted - 2011.01.20 23:32:00 -
[7]
Have you considered GrIDsure as a form of two factor authentication?
Simple and no messing around with tokens...
------------------------------------
Who's trip-trapping on my bridge?

CCP Sreegs
C C P C C P Alliance

Posted - 2011.01.20 23:33:00 -
[8]
Originally by: Wollari I also already got some kind of EVE newsletter where all URLs had been masked using tinyurl.com.
Forward it to [email protected] if you can. Those have been getting nuked pretty quickly.

Jmarr Hyrgund
The Bastards
Posted - 2011.01.20 23:36:00 -
[9]
Onions. He knows his. Read well and note his advice.
Awesome blog.
Pirate - Blogger - Rifter Pilot

Grady Eltoren
Minmatar UNITED STATES ARMY
Posted - 2011.01.20 23:42:00 -
[10]
Originally by: Salyan CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.
P.S. Chribba, sorry but your picture scares me now.
LOL - my thoughts too. JK! : ) My guy has hair now too so I can't talk much. :) Apparently Incarna and Hairclub for Men go hand in hand.
On a serious note - how do phishers even make emails look like they came from CCP? E.g. the email addresses?
Aviation Professionals for EVE (APEVE)

Steve Thomas
Minmatar
Posted - 2011.01.20 23:47:00 -
[11]
Originally by: Salyan CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.
P.S. Chribba, sorry but your picture scares me now.
Not only do they do that, but they actually created even better bots, if you will, to detect those bots in the first place.
Seriously, how big of a moron do you have to be to not think that one of the things they do is search for sites that have "bots" for EVE Online?
Or that they have people who have volunteered to host bots here in North America AND Europe AND Brazil, for example, specifically so they can monitor exactly what said bot does and when said bots get updated into account zombies?

Filodar
Posted - 2011.01.21 00:08:00 -
[12]
Originally by: Doctor Mabuse Have you considered GrIDsure as a form of two factor authentication?
Simple and no messing around with tokens...
Looks like a bad system; it's overly complicated and would lead to a huge increase in support costs. And the attackers could still do it as a password reply, or phish users by having a distinct number per square.

Steve Thomas
Minmatar
Posted - 2011.01.21 00:09:00 -
[13]
Originally by: Grady Eltoren
Originally by: Salyan CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.
P.S. Chribba, sorry but your picture scares me now.
LOL - my thoughts too. JK! : ) My guy has hair now too so I can't talk much. :) Apparently Incarna and Hairclub for Men go hand in hand.
On a serious note - how do phishers even make emails look like they came from CCP? E.g. the email addresses?
It's not really hard to do; there are still open email services out there where you basically send email out to the web with forged "from" information. Heck, check your spam filter; odds are you have or got mail stuck in it from days if not years in the future due to that kind of forging.
Here is one header that shows where the mail actually came from.
Supposedly it was from "Webaccountsecurity" at Twitter.com, but it actually was from someone at "xt07.verada.ru", and that's assuming that "xt07.verada.ru" was legit to start with!
Quote:
From Twitter Mon Dec 20 18:02:00 2010
X-Apparently-To: [email protected] via 98.136.183.31; Mon, 20 Dec 2010 10:02:01 -0800
Return-Path: <[email protected]>
Received-SPF: pass (mta1004.mail.ac4.yahoo.com: xt07.verada.ru designates 18.381.165.058 as permitted sender)
X-YMailISG: (Deleted massive wall of id number)
X-Originating-IP: [18.381.165.058]
Authentication-Results: mta1904.mail.ac4.yahoo.com from=nstr30j.verada.ru; domainkeys=pass (ok); from=verada.ru; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO xt07.verada.ru) (128.121.146.143) by mta1004.mail.ac4.yahoo.com with SMTP; Mon, 20 Dec 2010 10:02:01 -0800
Received: from verada.ru (localhost [127.0.0.1]) by xt07verada.ru (Postfix) with ESMTP id 53F8F74E4C5 for <[email protected]>; Mon, 20 Dec 2010 18:02:00 +0000 (UTC)
X-DKIM: Sendmail DKIM Filter v2.8.2 xt07.verada.ru 53F8F74E4C5
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim; t=1292868120; [email protected]; bh=C28GCdbF451aVoXKHvtW1vhtn3w=; h=Date:From:Reply-To:To:Message-Id:Subject:Mime-Version: Content-Type; b=Q9iYzf4szHlPqCaLLFbDDCMm7wYMQI52Pm6kcNWqsgVNTTd3C38zf9UD0WuF8xDXr JUGZqvBd3HJjBdOHHzEnvkee3QpaasrG1V47RQDZeNzUfkOHmMgPJwJqk+l/Nx8JX6 sKobWRA8ovn5PGiNXhjDmvyMwoEl/u+UHcLhHczU=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 xt07.verada.ru 53F8F74E4C5
DomainKey-Signature: a=rsa-sha1; s=default; d=verada.ru; c=simple; q=dns; b=T3sVw6BWLbarybK55vzYegZua7dDKofchvgcC6Ois+9GSvplRc3NFWe1DLp2npcy5 FetkBiooKtB434G2P0fwA==
Date: Mon, 20 Dec 2010 18:02:00 +0000
From: verada.ru <[email protected]>
Reply-To: [email protected]
To: [email protected]
Message-Id: <[email protected]>
Subject: Suspention of account, StevenWThomas!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_4d0f9a185322b_1b6b5e34aa460852
X-Campaignid: welcome20100914phx
Errors-To: va <[email protected]>
Bounces-To: va <[email protected]>
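The check Steve Thomas is doing by eye above (From: claims twitter.com, but SPF and DomainKeys authenticated verada.ru, and the first hop is xt07.verada.ru) can be automated as a domain-alignment test. This is an added example, not code from the thread or from CCP; the two header sets below are constructed samples modelled on the quoted ones, with documentation IP addresses and example.org/example.net addresses, and the registered-domain reduction is a deliberate simplification that ignores two-level suffixes such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the poster's real mail): From: claims twitter.com,
# but the receiving MTA authenticated verada.ru and the first hop is xt07.verada.ru.
FORGED = """\
Return-Path: <bounce@verada.ru>
Received-SPF: pass (mta1004.mail.example: xt07.verada.ru designates 192.0.2.10 as permitted sender)
Authentication-Results: mta1004.mail.example from=xt07.verada.ru; domainkeys=pass (ok); from=verada.ru; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO xt07.verada.ru) (192.0.2.10) by mta1004.mail.example with SMTP; Mon, 20 Dec 2010 10:02:01 -0800
From: Webaccountsecurity <webaccountsecurity@twitter.com>
Reply-To: support@verada.ru
To: victim@example.net
Subject: Suspension of account, victim!

Click here to keep your account.
"""

# Constructed aligned counterpart: the authenticated domain matches the From: domain.
LEGIT = """\
Received-SPF: pass (mta1004.mail.example: mail.example.org designates 192.0.2.20 as permitted sender)
Authentication-Results: mta1004.mail.example from=example.org; dkim=pass (ok)
Received: from mail.example.org (EHLO mail.example.org) (192.0.2.20) by mta1004.mail.example with SMTP; Mon, 20 Dec 2010 10:05:00 -0800
From: Support <support@example.org>
To: victim@example.net
Subject: Your ticket

Thanks.
"""


def registered_domain(host):
    """Simplification: keep the last two labels (xt07.verada.ru -> verada.ru)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(header_value):
    """Domain part of an address header such as From: or Reply-To:."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def authenticated_domains(msg):
    """Domains the receiving MTA actually verified, taken from Received-SPF and
    from Authentication-Results in the Yahoo-style 'from=X; method=pass' pairing."""
    found = set()
    spf = msg.get("Received-SPF", "")
    m = re.search(r":\s*(\S+)\s+designates\s+\S+\s+as permitted sender", spf)
    if spf.lower().startswith("pass") and m:
        found.add(registered_domain(m.group(1)))
    for results in msg.get_all("Authentication-Results", []):
        current = None
        for part in results.split(";"):
            part = part.strip()
            m_from = re.match(r"(?:\S+\s+)?from=(\S+)", part)
            if m_from:
                current = m_from.group(1)
            elif re.match(r"(?:domainkeys|dkim|spf)=pass\b", part, re.I) and current:
                found.add(registered_domain(current))
    return found


def check_alignment(raw):
    """Compare what the mail claims (From:) with what was actually authenticated."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    verified = authenticated_domains(msg)
    hop = re.search(r"EHLO\s+([\w.-]+)", msg.get("Received", ""))
    return {
        "from_domain": from_domain,
        "verified_domains": sorted(verified),
        "first_hop": hop.group(1) if hop else None,
        "aligned": from_domain in verified,
        "reply_to_redirected": reply_domain != from_domain,
    }


def findings(raw):
    """Reasons to distrust the mail; an empty list means nothing was flagged."""
    r = check_alignment(raw)
    out = []
    if not r["aligned"]:
        out.append(f"From: claims {r['from_domain']} but only {r['verified_domains']} authenticated")
    if r["reply_to_redirected"]:
        out.append("Reply-To: points at a different domain than From:")
    if r["first_hop"] and registered_domain(r["first_hop"]) != r["from_domain"]:
        out.append(f"first hop {r['first_hop']} is not a {r['from_domain']} host")
    return out


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(label, findings(raw) or ["no findings"])
```

A passing SPF or DKIM result on its own proves only that the sending domain is who it says it is; the useful signal is whether that domain is the one the From: header shows the user.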

Ravcharas
GREY COUNCIL Nulli Secunda
Posted - 2011.01.21 00:16:00 -
[14]
Quote: The reason these things exist RMT, Phishing, Forum Hacking for account harvesting, Bots, etc... is to squeeze money out of you and into the hands of a third party.
And remember kids, squeezing money out of you is CCP's job!
No no. I jest. Good read.
One aspect of botting and RMT is that it's kind of interesting that some people would rather not have to deal with ratting in Eve. They would, in fact, rather give their credit card number to some guy in Latvia than have to deal with it. I'm not trying to be mean here, my point is that one aspect of it is a game design thing. Wormholes and incursions are actually a step in the right direction here. Moving away from a repetitive and boring activity that is easily outsourced to a bot application into something else not only hurts botters, it also makes Eve more enjoyable for people with, you know, a pulse. In fact, implementing something like the wormhole ai for old school rats or simply having them scram you more often seems like a very cost effective way of dealing with botting. Anyway, I digress.
Looking forward to the next installments.

Sarinat Talen
Celestial Arms Manufacturing and Operations
Posted - 2011.01.21 00:22:00 -
[15]
Edited by: Sarinat Talen on 21/01/2011 00:22:34
Good work CCP, and thanks for your efforts. As someone who has gotten one of these phishing emails I really appreciate the upcoming countermeasures.

Caiman Graystock
Caldari Massively Mob
Posted - 2011.01.21 00:27:00 -
[16]
You guys are doing a really great job and it is much appreciated.

Xituqtra
Posted - 2011.01.21 00:42:00 -
[17]
nice blog and great information in there and you even made me check my browser settings
And for that I will give you much love <3 <3 <3

Daedalus II
Posted - 2011.01.21 00:49:00 -
[18]
I got a great idea!
You CCP guys should know your game pretty well, right? So you could build a kick-ass bot that is better than any other bot right? So you do this, and distribute it through some fishy channels. It works just as it's supposed to and outperforms all other bots, except that when the user isn't looking it's sending a mail to a specific CCP character identifying itself. After a moderate time you ban the sender on grounds of botting. If the timing is right they don't suspect the program, and use it again if they continue, and that way you can ban them again and again 
Essentially it's a honey-pot I guess.

Estel Arador
Posted - 2011.01.21 00:50:00 -
[19]
Edited by: Estel Arador on 21/01/2011 00:50:41
Can we get authenticators and the option to whitelist IP addresses?

Vilgan Mazran
Aperture Harmonics K162
Posted - 2011.01.21 01:03:00 -
[20]
SPF records have been pretty mandatory for ages. How has CCP not been getting emails rejected essentially saying "your SPF records are nonexistent or not specific enough, contact your postmaster"? Like wtf :P

CCP Sreegs
C C P C C P Alliance

Posted - 2011.01.21 01:07:00 -
[21]
Edited by: CCP Sreegs on 21/01/2011 01:09:30
Originally by: Vilgan Mazran SPF records have been pretty mandatory for ages. How has CCP not been getting emails rejected essentially saying "your SPF records are nonexistant or not specific enough, contact your postmaster". Like wtf :P
The SPF records exist; they just need to be tweaked a bit. If there weren't SPF records set, a giant pile of you wouldn't be receiving our emails.
:edit: Which is pretty much what you just said, it would seem, heh

PC l0adletter
Posted - 2011.01.21 01:15:00 -
[22]
Authenticators, please.
Originally by: CCP Sreegs
Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.
I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.

Ravcharas
GREY COUNCIL Nulli Secunda
Posted - 2011.01.21 01:25:00 -
[23]
Originally by: PC l0adletter Authenticators, please.
Originally by: CCP Sreegs
Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.
I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.
I was wondering how long it would take for someone to quote that.
Anyway, the subject of the devblog isn't quite what I'd call specific in nature. So leave Sreegney alone.

CCP Sreegs
C C P C C P Alliance

Posted - 2011.01.21 01:26:00 -
[24]
Originally by: PC l0adletter Authenticators, please.
Originally by: CCP Sreegs
Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.
I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.
This blog was presented to the CSM prior to that post being made and they were told at the time that it would be given to the playerbase in the form of a dev blog. I tried after that post to make it clear that the question was academic in nature, as I can make changes to my messaging based on what you (players) tell me you'd like to know. I guess you could call it an apparently clumsy attempt to get around specific detail requests and get to the nature of the question.
To expand a bit, a lot of security-related questions tend to focus on specific solutions or cookie cutter types of individual requests and to really solve a lot of problems you need to look at bigger pictures. As you can see in this blog at least I don't consider any one thing to be a magic solution. There's a lot of different moving pieces of vulnerability that each need to be addressed individually. My hope was that by framing the question a particular way I could get some thought flowing and get some interesting responses, which did happen.
Sorry if that left the impression that I was on some super secret need to know CIA spy kick or something as I really tend towards the opposite philosophically and I don't believe in any way that people are best served by being left in the dark, though there are and will be cases where full disclosure just doesn't benefit anyone.

PC l0adletter
Posted - 2011.01.21 02:21:00 -
[25]
Originally by: CCP Sreegs
Originally by: PC l0adletter Authenticators, please.
Originally by: CCP Sreegs
Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.
I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.
This blog was presented to the CSM prior to that post being made and they were told at the time that it would be given to the playerbase in the form of a dev blog. I tried after that post to make it clear that the question was academic in nature, as I can make changes to my messaging based on what you (players) tell me you'd like to know. I guess you could call it an apparently clumsy attempt to get around specific detail requests and get to the nature of the question.
To expand a bit, a lot of security-related questions tend to focus on specific solutions or cookie cutter types of individual requests and to really solve a lot of problems you need to look at bigger pictures. As you can see in this blog at least I don't consider any one thing to be a magic solution. There's a lot of different moving pieces of vulnerability that each need to be addressed individually. My hope was that by framing the question a particular way I could get some thought flowing and get some interesting responses, which did happen.
Sorry if that left the impression that I was on some super secret need to know CIA spy kick or something as I really tend towards the opposite philosophically and I don't believe in any way that people are best served by being left in the dark, though there are and will be cases where full disclosure just doesn't benefit anyone.
Well, at least I only got my hopes up for a minute....
There are a lot of botters out there. Have you looked at the thread in general discussion where they ask for questions about incarna? 20% of the questions are about botting. Players take the fairness and integrity of the gameplay environment seriously, and we see a lot of really blatant botting going on. Personally, I don't care if you blurgh about it or not, so long as it stops.

Nye Jaran
Posted - 2011.01.21 03:15:00 -
[26]
Say it with me... auth-en-tic-a-tor.

Frug
Omega Wing Snatch Victory
Posted - 2011.01.21 03:30:00 -
[27]
While I can understand the reasoning for your fighting phishing attacks, I am in need of many different forms of male enhancement due to a condition I have which requires me to take a multi-pronged approach to enlargement options. If you continue to combat the providers of my enhancement services which offer both cheap pills and payment options that are incredibly easy to use and bill me automatically without all the effort of most sites, I may have to cancel my subscription.
- - - - - - - - - Do not use dotted lines - - - - - - If you think I'm awesome say BOOO BOOO!! - Ductoris Neat look what I found - Kreul Whisper/PrismX 4 emperor

Noun Verber
Gallente
Posted - 2011.01.21 03:38:00 -
[28]
Originally by: Nye Jaran Say it with me... auth-en-tic-a-tor.
still hack-a-ble

Mielono
Caldari SWARTA
Posted - 2011.01.21 04:30:00 -
[29]
Originally by: Noun Verber
Originally by: Nye Jaran Say it with me... auth-en-tic-a-tor.
still hack-a-ble
and bullet proof vests don't always work, but for some reason people still wear them
Originally by: Culmen
A cat is like that carebear who sticks around only while there's food, and at best kills a few rats.A dog F*cking enforces NBSI, and deep down is slightly disappointed you aren't tak

Bhattran
Posted - 2011.01.21 04:45:00 -
[30]
Edited by: Bhattran on 21/01/2011 04:46:35
This is promising, both in what is done and talked about; I eagerly await moar information.
I still wonder what the fate is of locking a character or account so the character(s) cannot be transferred ever, or only after a set time period has passed, i.e. a month, 3 months, a year. The 'worst' situation for a player besides having their account hacked/compromised and/or having stuff sold off and isk transferred is losing the irreplaceable, the characters.
Certainly curtailing situations where people put themselves in jeopardy is great, protecting our communications etc., but how about letting us stop someone from abusing the system CCP created for character sales? *I* don't ever want to sell my character, but because CCP allows it, presumably to stop ebay sales of accounts as well as to make some money from people wanting and willing to do it, I am 'vulnerable' to losing my character should my account get compromised; we all are.
--WIS/Incarna/Ambulation where microtransactions come to play, and uh bars.--

Xodd Hil
Gallente Trucido Veritas
Posted - 2011.01.21 06:04:00 -
[31]
Originally by: Mielono
Originally by: Noun Verber
Originally by: Nye Jaran Say it with me... auth-en-tic-a-tor.
still hack-a-ble
and bullet proof vests don't always work, but for some reason people still wear them
+better than nothing! Still, if the shipping prices would be the same hilariously inflated ones for the CCP authenticator, it wouldn't be bought by many outside the US... 60day ETC

Komiliya Jenius
Posted - 2011.01.21 06:26:00 -
[32]
I miss the old Chribba picture.

Abulurd Boniface
Gallente Honored By Death
Posted - 2011.01.21 07:12:00 -
[33]
Great dev blog!
It's great to see CCP is making every effort to keep the bad people away, although, if you did the meta, you'd say that the care you take in the game is nothing more than the care you should be taking in the real world.
To an EVE player this should be second nature, no?
I was asked to provide the name of a character on logging in [a new one for me] while this is the machine I play EVE on. "lolwut?" appears appropriate.
For good to survive it suffices for evil to acquire a deadly, incapacitating disease.

DmitryEKT
Point of No Return Waterboard
Posted - 2011.01.21 08:01:00 -
[34]
Gmail labs has a thing you can enable which puts a little key icon next to legit emails from ebay/paypal to make it obvious they're not fakes. Have CCP thought of getting in on that?

Sentient Blade
Posted - 2011.01.21 08:14:00 -
[35]
There is a potential sixth wall that I do not see mentioned which is effectively "Tell me something about myself".
Show me your birthmark... Show me the rose... drop your pants*
To put it simply, allow each player to define a few words that are tied to their account such as "turtle, antelope, gallentesux" and display this string to the person attempting to login prior to them getting to the second factor of authentication, i.e.
<Enter name and password> Hello [Full real name]. This is CCP server secure.eveonline.com saying "[word string]" please enter any character name to continue.
This would give an opportunity for the user to verify that the server already had sufficient details on the account to know their real life name and their secret word string, and back out, before entering the character name.
* James Bond reference
Geographic Jumping Checks
Seeing as it is unlikely that the person attempting to phish for accounts is going to be living in the house next door, or even in the same country for the most part, login attempts to both websites and the EvE client should be GeoIP'd and the original registrar notified via email when 2 logins occur within a short period which come from geographically diverse locations.
In game / out of game paradox
It occurs to me that there is somewhat of a paradox in security within the EvE universe where CCP seems to condone, and perhaps even actively encourage, scams and behaviour designed to strip a victim of all of their assets and enjoyment through trickery and obfuscation of data, in an almost identical way to how phishing attacks work.
Is there really that much difference in the CCP financial loss / bad player experience when comparing the end results of in-game scamming vs out-of-game phishing?
How does CCP reconcile treating two mechanisms with near identical end results differently?
Misc
* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.
* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
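Sentient Blade's geographic jumping check, written out as an added example rather than anything CCP runs: consecutive logins for one account are compared, and a pair that is far apart in space but close in time is flagged so the account owner can be notified. The login records, documentation IP addresses and city coordinates are constructed, and the coordinates are assumed to have been produced by a GeoIP lookup when each login was recorded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    account: str
    when: datetime
    ip: str
    lat: float   # assumed to come from a GeoIP lookup done when the login was recorded
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_geo_jumps(logins, window=timedelta(hours=6), min_km=1000.0):
    """Flag consecutive logins of one account that are at least min_km apart
    and no more than `window` apart in time. One alert per suspicious pair."""
    alerts = []
    last_seen = {}
    for ev in sorted(logins, key=lambda e: (e.account, e.when)):
        prev = last_seen.get(ev.account)
        if prev is not None:
            gap = ev.when - prev.when
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if gap <= window and km >= min_km:
                alerts.append({
                    "account": ev.account,
                    "from_ip": prev.ip,
                    "to_ip": ev.ip,
                    "km": round(km),
                    "hours": round(gap.total_seconds() / 3600, 1),
                })
        last_seen[ev.account] = ev
    return alerts


# Constructed login records: documentation IP ranges, approximate city-centre coordinates.
SAMPLE_LOGINS = [
    Login("pilot_a", datetime(2011, 1, 21, 10, 0), "192.0.2.11", 64.13, -21.90),     # Reykjavik
    Login("pilot_a", datetime(2011, 1, 21, 11, 30), "198.51.100.7", -33.87, 151.21),  # Sydney, 90 min later
    Login("pilot_b", datetime(2011, 1, 21, 9, 0), "192.0.2.50", 51.51, -0.13),        # London
    Login("pilot_b", datetime(2011, 1, 21, 15, 0), "192.0.2.51", 48.86, 2.35),        # Paris, ~340 km: plausible travel
    Login("pilot_c", datetime(2011, 1, 20, 8, 0), "203.0.113.9", 40.71, -74.01),      # New York
    Login("pilot_c", datetime(2011, 1, 21, 8, 0), "203.0.113.10", 34.05, -118.24),    # Los Angeles, a day later: outside window
]


if __name__ == "__main__":
    for alert in find_geo_jumps(SAMPLE_LOGINS):
        print(f"notify {alert['account']}: {alert['from_ip']} -> {alert['to_ip']}, "
              f"{alert['km']} km in {alert['hours']} h")
```

The window and distance are parameters because any fixed pair of thresholds trades missed detections against false alarms from VPN exits and mobile carriers; tune them against the notification rate the support desk can absorb.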

Kayen Qeid
Federal Navy Academy
Posted - 2011.01.21 08:26:00 -
[36]
[email protected] ...is [email protected] available as well? Easier to remember =)

Remulon McNab
The Galactic Collective
Posted - 2011.01.21 08:38:00 -
[37]
Quote: SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time as things need to be moved around in order to implement that properly
@CCP Sreegs Why are you guys implementing SPF and DKIM/DomainKeys only now? Technology-wise, the start of 2010 was when everyone started encountering huge problems related to phishing. So from my point of view you are a bit late, especially with all those phishing mails going round.
What are the global plans to protect your customers from phishing/account security issues in the future?
Mail security & deliverability is part of my daily job and those go hand in hand.
--- got Twitter?
- * said hi to CCP Navigator @ Gamescom 2010 - Cologne, G

Cyaxares II
Posted - 2011.01.21 08:39:00 -
[38]
Edited by: Cyaxares II on 21/01/2011 08:43:11
nice devblog - except for the heavy scaremongering
Quote: If you got it for free there's a catch and they're probably stealing from you.
There are plenty of (free) AHK/IS scripts floating around that verifiably don't contain any malicious functionality on their own and it seems highly unlikely that AHK or IS itself would be specifically adapted to steal EVE account data (especially for AHK, IS might be more risky).
On top of that, stealing account data is just plain bad business for most paid-for bots (especially subscription-based ones) - the only case I can come up with in which it would make sense to steal an account would be if CCP did magically manage to disable botting, thus denying the bot writer any further revenue from his work.
If you want to convince us not to use bots please do it by delivering decent arguments and not FUD.
Taking a very wild guess I would guess that a similar amount of information is stolen through the official API ("all your in-game mails are belong to us") or through tools building on the API that are trojans, keyloggers, ... as is via bots.
Just provide a "Download source here" link and nobody will check if the version you compile from source matches with the official binary, anyways.

Lost Hamster
Hamster Holding Corp
Posted - 2011.01.21 08:59:00 -
[39]
Originally by: CCP Sreegs Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, guy whose name is yours, is really you. An initial shot at this was when we began asking you to name one of the characters on your account.
The idea itself is not bad, however there is still a hole in the security system.
With this feature you try to protect the account management - that's fine. However, if a bad guy has access to the user name and password, then how long will it take to get a character name on that account? I will tell you. 15 seconds. Just log in to the game and voila.
However, it's a positive note that the similar hole on the evegate site has been filled. :)
So please get a similar login screen for the game as well, with an option to save the character name to the individual game files.
--------------------------------------------------------------------------------------------
Shields are like pants, they're supposed to come off. Armor is like the condom, once it's gone ur ****ed

Alain Kinsella
Minmatar
Posted - 2011.01.21 09:04:00 -
[40]
As a part-time security officer (and an old Stoll fan), I appreciate this devblog. +1 and /salute
Consider me a +1 for an Auth Token Generator (either something like the SecurID fob - I've had four so far at work - or a software OTP). One interesting thing I heard recently was that RSA/EMC has a BlackBerry app which can replace the fob; I've got mixed feelings about that.
Originally by: Sentient Blade
Misc
* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.
* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
I'm actually happy with having the client not save a password. When I was in NYC for State of Play 2005 (and the SLCC right after), I saw a couple instances of folks walking up and logging in to someone else's SL account on an open notebook. Not something you want to happen in that environment (where US$ really was hard-linked into the environment).
Big Heck Yes to that second item though. If possible the list should include website login (and distinct lists for both perhaps).

Naga Tokiba
Posted - 2011.01.21 09:05:00 -
[41]
Excellent post, keep up the good work.

Avensys
Posted - 2011.01.21 09:11:00 -
[42]
Edited by: Avensys on 21/01/2011 09:11:46
(posting on a different character as it's a separate point)
How does asking for a character name actually help?
Wouldn't phishing sites just ask for a character name as well (they want to mimic the "real" login process as closely as possible after all)?

Pottsey
Enheduanni Foundation
Posted - 2011.01.21 09:23:00 -
[43]
Edited by: Pottsey on 21/01/2011 09:26:29
"An initial shot at this was when we began asking you to name one of the characters on your account." This has caused me a problem, as I am unable to post. My main account is fine, but since this was implemented my secondary account has been unable to post. Even if I copy and paste the character's name the security check still fails.
I understand why you implement this stuff, but it's a pain when a person with a legal account cannot access what he needs due to faulty security.
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
______ How to Passive Shield Tank T2

Sentient Blade
Posted - 2011.01.21 09:35:00 -
[44]
Originally by: Pottsey My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
You probably want to petition that one.
In the world of the internets the ' character is responsible for more exploits and pwnage than almost anything else, and there's a remote possibility that CCP may have forgot to escape a query argument.
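Pottsey's symptom (a legitimate name containing an apostrophe always failing the check) and Sentient Blade's suspicion (an unescaped query argument) fit together, and the pair of functions below reproduces both the failure and the fix against an in-memory SQLite table. This is an added example, not CCP's code: the table, account ids and character names are constructed, and `owns_character_unsafe` is written the broken way on purpose so the symptom can be seen.

```python
import sqlite3


def make_db():
    """Constructed characters table: two characters on account 1, one on account 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE characters (account_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO characters VALUES (?, ?)",
        [(1, "Kel'Thar Vos"), (1, "Plain Name"), (2, "Other Pilot")],
    )
    conn.commit()
    return conn


def owns_character_unsafe(conn, account_id, name):
    """The pattern Sentient Blade suspects: the user-supplied name is spliced
    into the SQL text. A ' inside the name terminates the string literal early,
    the statement no longer parses, and the legitimate user is rejected. This is
    the same unescaped argument that makes the query injectable."""
    sql = (
        f"SELECT COUNT(*) FROM characters "
        f"WHERE account_id = {int(account_id)} AND name = '{name}'"
    )
    try:
        return conn.execute(sql).fetchone()[0] == 1
    except sqlite3.Error:
        # Pottsey's experience: the check "fails" even though the name is correct.
        return False


def owns_character(conn, account_id, name):
    """Parameterized form: the driver passes the name as data, so an apostrophe
    is just another character and cannot alter the statement."""
    row = conn.execute(
        "SELECT COUNT(*) FROM characters WHERE account_id = ? AND name = ?",
        (account_id, name),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    for fn in (owns_character_unsafe, owns_character):
        print(fn.__name__, "Plain Name:", fn(db, 1, "Plain Name"),
              "| Kel'Thar Vos:", fn(db, 1, "Kel'Thar Vos"))
```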

Louis deGuerre
Gallente Malevolence. Imperial 0rder
Posted - 2011.01.21 09:45:00 -
[45]
Nice work guys.
I am slightly worried that the extra security you are thinking about will cause me more hassle than the occasional phishing attack (remembers forum locking horror), but we'll see.
----- Malevolence. is recruiting. Dive into the world of 0.0 !

CCP Sreegs
C C P C C P Alliance

Posted - 2011.01.21 09:48:00 -
[46]
Originally by: Cyaxares II Edited by: Cyaxares II on 21/01/2011 09:02:55
nice devblog - except for the heavy scaremongering
Quote: If you got it for free there's a catch and they're probably stealing from you.
There are plenty of (free) AHK/IS scripts floating around that verifiably don't contain any malicious functionality on their own and it seems highly unlikely that AHK or IS itself would be specifically adapted to steal EVE account data (especially for AHK, IS might be more risky).
On top of that stealing account data is just plain bad business for most paid-for bots (especially subscription-based ones) - the only case i can come up with in which it would make sense to steal an account would be if CCP did magically manage to disable botting thus denying the bot writer any further revenue from his work.
If you want to convince us not to use bots please do it by delivering decent arguments and not FUD.
Taking a very wild guess, I would guess that a similar amount of information is stolen through the official API ("all your in-game mails are belong to us") or through tools building on the API that are trojans, keyloggers, ... as is via bots.
Just provide a "Download source here" link and nobody will check if the version he could compile from source matches with the official binary, anyways.
edit: also, consider that people running bots are already willing to gamble their account based on incomplete information - otherwise they wouldn't break the EULA. Saying "OMG you might lose access to your account" might change the perceived odds but it's a quantitative change rather than a qualitative one.
... and without naming & shaming (and providing reproducible steps to confirm the malicious behavior) you are not exactly the most credible source of information on the risks of botting to start with as CCP has a large business interest in making EULA violations look extremely risky, independent of reality.
tl;dr serious botters will carry on as before (because they know what they're doing and probably use their own software anyways), some casual botters might be a bit scared but will reaffirm each other that you're just spreading FUD in their forums and my mood is ruined by reading that silly, silly paragraph.
Every single thing I said in that paragraph about botting is true and while you're welcome to your opinion, opinions don't alter facts. The paragraph was written for your benefit, so that people are aware of the information being collected and motivations of the creators. This wasn't a delivery of opinion. It was a statement of facts based on our investigations.

Agent Stone
Volition Cult -Mostly Harmless-
Posted - 2011.01.21 09:51:00 -
[47]
Edited by: Agent Stone on 21/01/2011 09:54:00
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store, for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
|

Alain Kinsella
Minmatar
|
Posted - 2011.01.21 09:55:00 -
[48]
Originally by: Pottsey
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
I have another character (in a second account) with a name like that. Auth was fine.
However, that's a single quote mark. I'm not sure if the backquote ` has problems here - in UNIX circles that's far more dangerous, but Eve's backend is Windows.
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 09:56:00 -
[49]
Originally by: Agent Stone Edited by: Agent Stone on 21/01/2011 09:54:00 Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit. |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 10:00:00 -
[50]
Originally by: Sentient Blade There is a potential sixth wall that I do not see mentioned which is effectively "Tell me something about myself".
Show me your birthmark... Show me the rose... drop your pants*
To put it simply, allow each player to define a few words that are tied to their account such as "turtle, antelope, gallentesux" and display this string to the person attempting to login prior to them getting to the second factor of authentication, i.e.
<Enter name and password> Hello [Full real name]. This is CCP server secure.eveonline.com saying "[word string]" please enter any character name to continue.
This would give an opportunity for the user to verify that the server already had sufficient details on the account to know their real life name and their secret word string, and back out, before entering the character name.
* James Bond reference
Geographic Jumping Checks
Seeing as it is unlikely that the person attempting to phish for accounts is going to be living in the house next door, or even in the same country for the most part, login attempts to both websites and the EvE client should be GeoIP'd and the original registrar notified via email when 2 logins occur within a short period which come from geographically diverse locations.
In game / out of game paradox
It occurs to me that there is somewhat of a paradox in security within the EvE universe where CCP seems to condone, and perhaps even actively encourage scams and behaviour designed to strip a victim of all of their assets and enjoyment through trickery and obfuscation of data, in an almost identical way to how phishing attacks work.
Is there really that much difference in the CCP financial loss / bad player experience when comparing the end results of in-game scamming vs out-of-game phishing?
How does CCP reconcile treating two mechanisms with near identical end results differently?
Misc
* What's wrong with letting the EvE login screen remember passwords? If someone can read my hard disk where they're stored I've got bigger problems.
* Can we have a webpage to show all of the recent login times / IPs / Locations we've connected with? Like we do on the EvE API. Heck, mail it out distinct(location) once a month or so.
These are all tied to authentication and if we're not already considering them I'll add them to the list to think about. re: your questions
1) I don't see this happening anytime soon. Whether you have bigger problems if someone can read your disk or not, when it happens it also becomes our problem. There have been quite a few trojans that targeted various games who have used this methodology and I'm not sure the risk outweighs the potential benefits.
2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon. |
|
|
|
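The "geographic jumping check" proposed above is what SOC tooling usually calls impossible-travel detection. The following is an added example (not CCP's code, and not from anyone in this thread) of that logic run over a constructed batch of login events that are assumed to have already been enriched with GeoIP coordinates; the account names, IPs (documentation ranges) and coordinates are all made up for the illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample: login events already enriched with GeoIP coordinates.
# The IPs are documentation ranges and the coordinates are rough city centres.
SAMPLE_LOGINS = [
    # (account, UTC timestamp, source IP, latitude, longitude)
    ("pilot42", "2011-01-21T10:00:00", "198.51.100.4", 64.13, -21.90),  # Reykjavik
    ("pilot42", "2011-01-21T10:20:00", "203.0.113.9", 39.90, 116.40),   # Beijing, 20 min later
    ("pilot42", "2011-01-21T14:00:00", "198.51.100.4", 64.13, -21.90),  # Reykjavik again
    ("pilot7", "2011-01-21T10:00:00", "192.0.2.50", 51.50, -0.12),      # London
    ("pilot7", "2011-01-21T13:00:00", "192.0.2.51", 48.85, 2.35),       # Paris, 3 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a sphere of Earth's mean radius (6371 km)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive logins per account that imply faster-than-airliner travel.

    min_distance_km absorbs GeoIP imprecision (two IPs in one city resolving to
    slightly different points). Returns one alert dict per suspicious pair.
    """
    alerts = []
    last_seen = {}
    # Sort by account then ISO timestamp so each account's events are in time order.
    for account, ts, ip, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        prev = last_seen.get(account)
        if prev is not None:
            prev_ts, prev_ip, prev_lat, prev_lon = prev
            delta = datetime.fromisoformat(ts) - datetime.fromisoformat(prev_ts)
            hours = delta.total_seconds() / 3600
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            speed = distance / hours if hours > 0 else float("inf")
            if distance >= min_distance_km and speed > max_speed_kmh:
                alerts.append({
                    "account": account,
                    "from_ip": prev_ip,
                    "to_ip": ip,
                    "distance_km": round(distance),
                    "hours": round(hours, 2),
                })
        last_seen[account] = (ts, ip, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

On this sample both of pilot42's hops are flagged (Reykjavik to Beijing in 20 minutes, and back in under four hours), while pilot7's London to Paris trip in three hours is not. VPN exits and mobile users will trip a check like this, so the useful response is an out-of-band notification or step-up verification rather than an automatic lockout.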

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 10:02:00 -
[51]
Originally by: DmitryEKT Gmail labs has a thing you can enable which puts a little key icon next to legit emails from ebay/paypal to make it obvious they're not fakes. Have CCP thought of getting in on that?
I have to look into the labs solution. The one solution I'd seen involved the use of an installer which proceeded to make it impossible for me to access gmail so I shot it down. I'll take a look at this one ASAP, because these types of things are specifically what I was referring to when I said it would be possible for you to verify that an email had come from us. |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 10:05:00 -
[52]
Originally by: Remulon McNab
Quote: SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time as things need to be moved around in order to implement that properly
@CCP Sreegs Why are you guys implementing SPF and DKIM/DomainKeys now? Technology-wise the start of 2010 was the year that everyone started encountering huge problems related to phishing. So from my point of view you are a bit late, especially with all those phishing mails going round.
What are the global plans to protect your customers from phishing/account security issues in the future?
Mail security & deliverability is part of my daily job and those are going hand in hand 
SPF was implemented, it just wasn't implemented the best way. Whether we're late to the SPF table or not I didn't work here in 2010 so I can't speak to what people may have done or been thinking at the time. I'm here now and we're correcting our SPF implementation.
Regarding future plans, I'm assuming you're alluding to something particular but from my perspective this blog is what we have for the next x period of time. Once implementation is done we can measure effectiveness and determine what additional steps may be required. |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 10:06:00 -
[53]
Originally by: Lost Hamster
Originally by: CCP Sreegs Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, guy whose name is yours, is really you. An initial shot at this was when we began asking you to name one of the characters on your account.
The idea itself is not bad, however there is still a hole in the security system.
With this feature you try to protect the account management - that's fine. However if a bad guy has access to the user name and password, then how long will it take to get a character name on that account? I will tell you. 15 seconds.. Just log in to the game and voila.
However it's a positive note that the similar hole on the evegate site has been filled. :)
So please get a similar login screen to the game as well. With an option to save the Character name to the individual game files.
Just to clarify I'm talking about authentication at every interface. I don't believe authentication of the same credentials should be in any way different because you're using a different interface to request the information. |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 10:07:00 -
[54]
Originally by: Avensys Edited by: Avensys on 21/01/2011 09:11:46
(posting on a different character as it's a separate point)
How does asking for a character name actually help?
Wouldn't phishing sites just ask for a character name as well (they want to mimic the "real" login process as closely as possible after all)?
Yes, which is why it's not good enough and we're looking to improve. |
|

Agent Stone
Volition Cult -Mostly Harmless-
|
Posted - 2011.01.21 10:08:00 -
[55]
Originally by: CCP Sreegs
Originally by: Agent Stone Edited by: Agent Stone on 21/01/2011 09:54:00 Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.
Cool. Thanks.
Yes, I read Block 3 Authentication section and felt urged to reiterate... "Hey, Look... This is what banks use as additional authentication... (normally plastic tokens of some sort) CCP... research doing something like this..." Players have suggested it for years so it's good CCP are researching such things.
I also mention the smartphone implementation as well as actual tokens, as for players who have such they don't need to pay extra and you can get additional layers of security to more of your player base.
For others players reading about this and not in the know: http://en.wikipedia.org/wiki/Security_token
|

Sentient Blade
|
Posted - 2011.01.21 10:33:00 -
[56]
Originally by: CCP Sreegs 1) I don't see this happening anytime soon. Whether you have bigger problems if someone can read your disk or not, when it happens it also becomes our problem. There have been quite a few trojans that targeted various games who have used this methodology and I'm not sure the risk outweighs the potential benefits.
In my experience it really depends on how big a hole they can punch in the attack surface, and 99% of the time if that hole is big enough that if it provides a means of reading the hard disk then that hole is also big enough for them to be capable of installing a keyboard hook or swiping the person's paypal or banking details and using them to create a few hundred accounts.
That's a worst-case scenario of course, but once it gets to the remote code execution stage there is not much more that can be done on your part - it's the actual identity of the account holder that's been compromised rather than the underlying security of EvE.
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 10:43:00 -
[57]
Originally by: Sentient Blade
In my experience it really depends on how big a hole they can punch in the attack surface, and 99% of the time if that hole is big enough that if it provides a means of reading the hard disk then that hole is also big enough for them to be capable of installing a keyboard hook or swiping the person's paypal or banking details and using them to create a few hundred accounts.
That's a worst-case scenario of course, but once it gets to the remote code execution stage there is not much more that can be done on your part - it's the actual identity of the account holder that's been compromised rather than the underlying security of EvE.
You are of course correct. I will say though that it doesn't make it any less our problem when an account is compromised whether it's through a fault of our own or not and I'm not sure that the costs of putting information on disk outweigh the benefits. |
|

Flios Bror
Amarr Doom Guard
|
Posted - 2011.01.21 10:56:00 -
[58]
Originally by: Sentient Blade
Originally by: Pottsey My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
You probably want to petition that one.
Sounds like something for a bug report, instead of a petition, imho. [None] |

Remulon McNab
The Galactic Collective
|
Posted - 2011.01.21 11:06:00 -
[59]
@Sreegs Thanks for your reply, besides SPF it might be worth implementing SenderID as well. This improves deliverability of all your e-mail messages.
I am aware of the fact that SenderID is backwards compatible, though it's still useful as Microsoft implements it in all their mailserver software.
So far, great job!
--- got Twitter?
- * said hi to CCP Navigator @ Gamescom 2010 - Cologne, G |

Bhattran
|
Posted - 2011.01.21 11:11:00 -
[60]
Originally by: Pottsey
Edited by: Pottsey on 21/01/2011 09:26:29
"An initial shot at this was when we began asking you to name one of the characters on your account." This has caused me problems as I am unable to post. My main account is fine but since this was implanted my secondary account has been unable to post. Even if I copy and paste the character's name the security check still fails.
I understand why you implant this stuff but it's a pain when a person with a legal account cannot access what he needs due to faulty security.
My best guess is any name with a ' symbol automatically fails the security even if the name is correct.
I don't know if the issue is this or not but I found I 'failed' when I entered the name of a character NOT training; when I entered the name of the currently training character it worked. Haven't had an issue since but it's presumption on my part. For characters that trained out their queue I used the last character that was training. Again, don't know if it makes a difference if you have no alts, or use ', as neither situation fit my accounts at the time.
--WIS/Incarna/Ambulation where microtransactions come to play, and uh bars.-- |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.21 11:41:00 -
[61]
Originally by: Remulon McNab @Sreegs Thanks for your reply, besides SPF it might be worth implementing SenderID as well. This improves deliverability of all your e-mail messages.
I am aware of the fact that SenderID is backwards compatible, though it's still useful as Microsoft implements it in all their mailserver software.
So far, great job!
If I'm correct, and I'll Google in a second and either be right or have immortalized my wrongness, SenderID is just a Microsoft rebranding of either SPF or DomainKeys.
(I was wrong and I'll dig into it a bit. It's based on SPF but not the same. Thanks!) |
|

lhaslop
|
Posted - 2011.01.21 11:42:00 -
[62]
Edited by: lhaslop on 21/01/2011 11:42:11 Sreegs, fantastic blog. Always refreshing to see things moving forward and good security minds in the ranks.
|

Remulon McNab
The Galactic Collective
|
Posted - 2011.01.21 12:24:00 -
[63]
@Sreegs I send CCP Fallout a DM on Twitter, if you need further clarification just let me know via there. --- got Twitter?
- * said hi to CCP Navigator @ Gamescom 2010 - Cologne, G |

Arshes Nei
LifeLine Solutions
|
Posted - 2011.01.21 13:59:00 -
[64]
Personally I think that ANY communication with CCP, bar password resets, should be done via EvE-Gate. The way I see it you are already "hosting" a personal mail account for every eve player, I would imagine that it would be a lot harder for a scammer to send out phishing mails over your own service. You could even very easily make an extension where eve mails from CCP are marked as such, maybe automatically go into a specific mail folder.
The phishing crap lately has gotten so bad that I hardly read anything game-related sent to me via email anymore, why even bother if 90% is scam anyway.
|

amarian arch
|
Posted - 2011.01.21 15:15:00 -
[65]
good work
|

ROXGenghis
|
Posted - 2011.01.21 17:02:00 -
[66]
You could look at RSA's Site Key:
http://en.wikipedia.org/wiki/SiteKey
I've never had a problem with it as a user, but I haven't studied its protocol so I can't vouch for it at this point.
|

Melekhar Tazinas
|
Posted - 2011.01.21 17:17:00 -
[67]
Sreegs, have you guys considered signing your emails with a GPG signature?
Not that many people use GPG-enabled email clients, but for those of us that do, there's few better means of authenticating your emails.
|

PC l0adletter
|
Posted - 2011.01.21 18:23:00 -
[68]
Originally by: Cyaxares II
brilliance
Can you run for CSM, please?
Originally by: CCP Sreegs
Originally by: Agent Stone
Would a security token not act as another valuable block against this? I am pretty sure people have been asking CCP to release one of these, either Smartphone based, or via the Eve Store for years.
For example, see this thread from about a year ago where people are asking CCP to release such after a similar security blog post.
Your competitors (Blizzard as an example) are years ahead of you in this regard.
Without discussing a specific technology, were I you I would assume that something would be done to improve things given the comments I made in the "Authentication" section. We are looking at the authentication issue quite a bit.
So, you're looking "quite a bit" at things your competitors implemented three or four years ago?
Is there some sort of magazine award you can get for that?
Originally by: CCP Sreegs
I didn't work here in 2010
Well, fair enough.
I think everyone realizes you're sticking your neck out, and I'm not trying to chop your head off for things for which you couldn't possibly be responsible.
At the same time, there are a lot of problems with this game product and no accountability. Are you aware of other companies that have seen 10% year/year revenue declines, customer revolts, repeatedly missed development deadlines, and buggy end-product without consequences for those responsible?
|

TCL987
Gallente
|
Posted - 2011.01.21 18:27:00 -
[69]
Originally by: Noun Verber
Originally by: Nye Jaran Say it with me... auth-en-tic-a-tor.
still hack-a-ble
Everything is hackable, using an authenticator just makes it harder and prevents someone from gaining access to your account using a keylogger. Given enough time someone could eventually figure out the algorithm but it would take too long to be worth it.
|
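The reason an authenticator blunts a keylogger is that each code is bound to a 30-second window and, on a well-built server, can only be redeemed once. The block below is an added example (not CCP's code and not from anyone in this thread) implementing the standard HOTP/TOTP algorithms from RFC 4226 and RFC 6238 with a small server-side verifier that tolerates clock drift but refuses replays; the shared secret is the RFC test-vector key and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second windows since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check: allows +/- `window` steps of clock drift, never accepts a code twice."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter already redeemed for this user

    def verify(self, code, unix_time):
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # at or before a redeemed counter: treat as replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def replay_demo(secret=b"12345678901234567890"):
    """Show why a keylogged code has little value: it works for one window, once.

    The secret is the RFC 4226/6238 test-vector key and the times are constructed.
    """
    verifier = TotpVerifier(secret)
    captured = totp(secret, 59)              # code the user typed (and a keylogger saw) at t=59
    return (
        verifier.verify(captured, 59),       # genuine login: True
        verifier.verify(captured, 60),       # replay inside the same window: False
        verifier.verify(captured, 179),      # replay four windows later: False
    )


if __name__ == "__main__":
    print("HOTP(0) =", hotp(b"12345678901234567890", 0))
    print("genuine, same-window replay, later replay:", replay_demo())
```

Note the `last_counter` bookkeeping: without it, the drift window would let a captured code be replayed for up to a minute, which is exactly the gap a keylogger-equipped attacker would use. Whether the session issued after a successful check is itself well protected is a separate question from the authenticator.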

Fury Mole
|
Posted - 2011.01.21 18:38:00 -
[70]
I have not got the time and inclination to read through all of this thread but found it interesting to see that CCP is looking to combat Phishing e-mails. Tidying up some of their own processes might help in the first place.
I am currently having to log into the forum under one of my Alt accounts due to the fact that my main character is banned due to someone else trying to hack my account. The fact that I now have my account, that I pay for banned for 7 days... or at least until someone from CCP responds to the petition that they opened for me has wound me up enough but to add to that I found myself with an e-mail that for all intents and purposes mirrors the behaviour of Phishing! So I am sorry to vent on this subject but I have nothing better to do now due to waiting to get my account unbanned.
I have never seen a Phishing e-mail relating to CCP or Eve and I have a very simple rule for any e-mail that I receive that indicates that I have a problem with any account of any kind.
Rule number 1. Never click on the link in the e-mail. Always go to the institution's website and access the information that they are drawing your attention to directly from their own website.
Now the e-mail that I got from CCP explained very politely that my account had been banned for 7 days (remaining calm) and that I could click on the link in the e-mail to get details of how to reactivate it before this.
Engage Rule number 1. Go to http://www.eveonline.com and try to access the account. I cannot .... it is banned. Attempt to access the petition system to confirm that the petition that is linked in the e-mail is real and not an attempt at Phishing. I cannot access the petition system to see the petition is real or not and I cannot log in.... my account is banned.
So I am left with having to click on the link in the e-mail and if necessary provide information within the petition that could be used by a Phisher to gain access to my account.
@CCP Maybe look at how your own behaviour empowers the Phishers that you are trying to combat.
|
|

joe1
|
Posted - 2011.01.21 20:23:00 -
[71]
how about a USB key ? I would pay for such a thing to protect my accounts
|

Riffix
The Graduates
|
Posted - 2011.01.21 23:36:00 -
[72]
Good Dev Blog! Thanks for the information and the insight into what you are doing Sreegs. Your responses in this thread are also interesting/useful.
"Lead, follow, or get the #@$@#$ out of the way" |

Sel'Na Rey
|
Posted - 2011.01.21 23:58:00 -
[73]
Just wanted to add a couple of thoughts on this topic, since my personal background is in Software Engineering and areas of computer/network security.
First, Sreegs' blog was great in outlining the problem and some proposed solutions. Sounds like the solutions were well designed and should help reduce phishing. However I question how the SPF and DomainKeys will translate for email users not on MSN, Google, and Yahoo, like the comcast, att, cox, and other smaller ISP providers out there. Also once phishing filtering is in place, the flow of fraudulent emails back to CCP by user submissions should fall off, reducing their ability to proactively detect and react to new methods.
So one of my ideas for possible consideration is essentially driving up the "cost" of these Bot and RMT activities. The motivation for this activity is the input cost to gain ratio. This academic paper outlines the costs associated with Spamming. Spamalytics. My proposed idea is some ideas for what CCP could do to increase the operating cost of RMTers and bots.
It seems to me the way CCP could drive up the cost of Bots and RMTs is to discover their accounts by honey-pot methods and then use game play elements against them. I know the point of Unholy Rage was to flat out ban their accounts which made sense from a hardware usage perspective, but in the next round, CCP could start taking away privileges from their accounts. My ideas range from dropping standings with all empires to -10, preventing bounty payout, disallowing wallet transfers of any kind, removing skills and the gained SP, and hot dropping sansha incursions on their ships. Essentially harass the heck out of them. I think these methods would be best applied to the identified participants of RMT networks and not the players unfortunate enough to have their accounts stolen by bad credentials or phishing attacks. Obviously a little leg work by the CCP security team to identify the RMT players and their army of bots.
Just seems to me that simply banning accounts doesn't solve the root of the problem, but treats a reoccurring symptom. I'm sure there are many more ideas out there worth looking at. Just my 2 cents.
|

BeanBagKing
Terra Incognita Black Star Alliance
|
Posted - 2011.01.22 06:01:00 -
[74]
Originally by: Sentient Blade http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1452886&page=2#35
I won't quote the whole thing, you can follow the link and read it, but he was discussing the use of personal strings to make sure we were logged into the correct site.
Bank of Montreal uses something very similar to this, a phrase and a picture, both picked by the user, that are displayed when they log in. If you click a link and don't see your unique picture and phrase, then it's a phishing site. By then you are already logged in, but it does make you aware of it so you can immediately go to the real site, change your info, open petitions, and otherwise secure data. Their methods may be worth checking out.
Also, +1 for smartphone authenticators.
|

Wollari
Phoenix Industries Black Star Alliance
|
Posted - 2011.01.22 12:30:00 -
[75]
You just advised using SPF to block spam mail where other people claim your identity. SPF is okay in general, but the way your SPF record is registered doesn't get the fake mail dropped.
== your spf record ==
mail:~# host -t TXT eveonline.com
eveonline.com TXT "v=spf1 mx ip4:87.237.32.0/24 ip4:87.237.38.0/24 ip4:87.237.39.0/24 mx:mail.global.frontbridge.com mx:ymir.ccpgames.com ~all"
The "~all" match generates a "softfail". Mail in general gets "marked" as a possible identity problem but won't get discarded at the first MTA. It's good for testing and monitoring purposes.
If you're 100% sure that no other systems (apart from those listed in your SPF record) will send emails from eveonline.com it's maybe an idea to change "~all" to "-all". This will force other MTAs to drop the mail if it's not sent by an authorized system. This may cause problems when somebody is forwarding emails from one account to another. But that's a different story.
When you're happy with your spf record change it to -all and prevent us all from the spam.
happy mailing.
|

herot
Fortunis - Redux
|
Posted - 2011.01.23 12:37:00 -
[76]
Originally by: CCP Sreegs
Originally by: Sentient Blade 2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.
One also has to consider that some of us use VPN services and can therefore appear to flit around the world in a strange fashion (or even be in two places at once if we for instance log in from different computers to the forum and the game, with one machine routing through VPN).
|

Ranka Mei
Caldari
|
Posted - 2011.01.23 13:45:00 -
[77]
Edited by: Ranka Mei on 23/01/2011 13:46:59
Originally by: CCP Sreegs
If I'm correct, and I'll Google in a second and either be right or have immortalized my wrongness, SenderID is just a Microsoft rebranding of either SPF or DomainKeys.
(I was wrong and I'll dig into it a bit. It's based on SPF but not the same. Thanks!)
Yes, you were wrong. :)
tl;dr version: SPF works on the 'MAIL FROM' identity, as given during the envelope stage of the SMTP communication (and before DATA has been issued). And in some cases on the HELO identity.
SenderID works on an algorithm which extracts a sender ID from the mail headers (everything after DATA, basically, up to the first double linebreak). |
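Two things in this thread are easier to see in code than in prose: Wollari's point that the quoted record ends in "~all" (softfail) rather than "-all" (fail), and Ranka Mei's point that SPF is evaluated against the envelope MAIL FROM (or HELO for a null sender), never the header From:. The block below is an added example, not CCP's code or anything from the thread: a small SPF evaluator covering just the mechanisms that appear in the quoted record (ip4, mx, all), with a constructed stand-in for the DNS MX lookups so it runs offline. The MX addresses, sender IPs and the HARDFAIL_RECORD variant are assumptions made for the illustration; only the SOFTFAIL_RECORD text comes from the thread.

```python
import ipaddress

# The record Wollari quoted from DNS, and the stricter "-all" variant he proposes.
SOFTFAIL_RECORD = (
    "v=spf1 mx ip4:87.237.32.0/24 ip4:87.237.38.0/24 ip4:87.237.39.0/24 "
    "mx:mail.global.frontbridge.com mx:ymir.ccpgames.com ~all"
)
HARDFAIL_RECORD = SOFTFAIL_RECORD.replace("~all", "-all")

# Constructed stand-in for DNS MX/A lookups so the example runs offline.
# These addresses are made up; a real evaluator resolves each MX host.
FAKE_MX_ADDRESSES = {
    "eveonline.com": ["87.237.32.10"],
    "mail.global.frontbridge.com": ["203.0.113.5"],
    "ymir.ccpgames.com": ["198.51.100.7"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_identity(mail_from, helo):
    """Return the domain SPF is evaluated against.

    SPF uses the envelope MAIL FROM given during the SMTP transaction; when the
    envelope sender is empty (a bounce, "<>") it falls back to the HELO name.
    The header From: inside DATA is never consulted.
    """
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return helo.lower()
    return addr.rpartition("@")[2].lower()


def evaluate_spf(record, sender_ip, domain):
    """Evaluate an SPF record for a connecting IP: left to right, first match wins.

    Only ip4, mx and all are implemented (the mechanisms in the record above);
    include, a, exists and macros are out of scope for this example.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # an unprefixed mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]     # "~all" -> softfail, "-all" -> fail
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "mx":
            mx_host = arg or domain          # bare "mx" means the MAIL FROM domain's MX
            if str(ip) in FAKE_MX_ADDRESSES.get(mx_host, []):
                return QUALIFIERS[qualifier]
    return "neutral"


def mta_action(result):
    """What a receiving MTA commonly does with each result (exact policy is site-specific)."""
    return {
        "fail": "reject at SMTP time",
        "softfail": "accept but mark (e.g. Received-SPF: softfail) for filtering",
    }.get(result, "accept")


if __name__ == "__main__":
    domain = spf_identity("<newsletter@eveonline.com>", "mail.example.net")
    for label, record in (("~all", SOFTFAIL_RECORD), ("-all", HARDFAIL_RECORD)):
        for ip in ("87.237.38.44", "192.0.2.1"):
            result = evaluate_spf(record, ip, domain)
            print(f"{label}: {ip} -> {result} ({mta_action(result)})")
```

With the quoted record a forged message from an unlisted address (192.0.2.1 here) only softfails, so the receiving MTA is expected to accept it and at most mark it; the same message against the "-all" variant fails and can be rejected during the SMTP transaction. The forwarding caveat Wollari mentions is real: a forwarder re-sends with its own IP but the original MAIL FROM, and under "-all" that mail fails too.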

Thirler
The Arrow Project Morsus Mihi
|
Posted - 2011.01.24 10:09:00 -
[78]
Thanks for a good insight.
I have a related question, one of my corporation's members got hacked earlier. He had some trouble in getting a quick reaction to get his account blocked/returned to him quickly (he got locked out), there wasn't really a petition section appropriate for this.
What is the best way to reach CCP when you think your account has been hacked? I would imagine the priority should be the same as the 'stuck' section as this can minimize the harm done and the profit for the hackers.
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.25 02:33:00 -
[79]
Originally by: ROXGenghis You could look at RSA's Site Key:
http://en.wikipedia.org/wiki/SiteKey
I've never had a problem with it as a user, but I haven't studied its protocol so I can't vouch for it at this point.
This is a pretty interesting approach though it has at least one rather glaring weakness. Thanks though it does provide some food for thought. |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.25 02:36:00 -
[80]
Originally by: Melekhar Tazinas Sreegs, have you guys considered signing your emails with a GPG signature?
Not that many people use GPG-enabled email clients, but for those of us that do, there's few better means of authenticating your emails.
We have and I'm looking into it deeper. The problem in the past with this type of thing has been the barrier to entry for the end user. DomainKeys uses a certificate in the actual sending of the email to validate the sending source, so once that implementation's done you may be able to get similar functionality though. I'm taking some liberty and oversimplifying here I know but it's 2:30 am and I'm pretty much stupid right now.
Ultimately I'd like it to be simple enough for Joe Average to be able to verify that an email came from us. |
|
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.25 02:39:00 -
[81]
Originally by: Wollari You just advised using SPF to block spam mail where other people claim your identity. SPF is okay in general, but the way your SPF record is registered doesn't get the fake mail dropped.
== your spf record ==
mail:~# host -t TXT eveonline.com
eveonline.com TXT "v=spf1 mx ip4:87.237.32.0/24 ip4:87.237.38.0/24 ip4:87.237.39.0/24 mx:mail.global.frontbridge.com mx:ymir.ccpgames.com ~all"
The "~all" match generates a "softfail". Mail in general gets "marked" as a possible identity problem but won't get discarded at the first MTA. It's good for testing and monitoring purposes.
If you're 100% sure that no other systems (apart from those listed in your SPF record) will send emails from eveonline.com it's maybe an idea to change "~all" to "-all". This will force other MTAs to drop the mail if it's not sent by an authorized system. This may cause problems when somebody is forwarding emails from one account to another. But that's a different story.
When you're happy with your spf record change it to -all and prevent us all from the spam.
happy mailing.
Removed a forum-breaking tag. Spitfire
We know the record's set up improperly and making it proper is the change I was alluding to in the dev blog. Thanks though! |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.25 02:41:00 -
[82]
Originally by: Thirler Thanks for a good insight.
I have a related question, one of my corporations members got hacked earlier. He had some trouble in getting a quick reaction to get his account blocked/returned to him quickly(he got locked out), there wasn't really a petition section appropriate for this.
What is the best way to reach CCP when you think your account has been hacked? I would imagine the priority should be the same as the 'stuck' section as this can minimize the harm done and the profit for the hackers.
I'll follow up here tomorrow but I thought there was a category for this. I'm not in Customer Service so it's not on the top of my head. I'd file as stuck until I can dig into it and tell you what the proper queue is. I can say that if it's not obvious it's probably something that should be fixed. |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.25 02:44:00 -
[83]
Originally by: TCL987
Everything is hackable, using an authenticator just makes it harder and prevents someone from gaining access to your account using a keylogger. Given enough time someone could eventually figure out the algorithm but it would take too long to be worth it.
Using an authenticator does help. The most glaring problem with authenticators tends to come from how sessions are managed by the application and not in the authenticator itself. |
|
|

CCP Sreegs
C C P C C P Alliance

|
Posted - 2011.01.25 02:45:00 -
[84]
Originally by: herot
Originally by: CCP Sreegs
Originally by: Sentient Blade 2) Playing with location IMO is part of Authentication and I'll have something more to say about that soon.
One also has to consider that some of us use VPN services and can therefore appear to flit around the world in a strange fashion (or even be in two places at once if we for instance log in from different computers to the forum and the game, with one machine routing through VPN).
In any scenario flitting around the world would probably only require you to validate yourself out of band somehow. To be frank, this is still something we're thinking through and your concern here is something we're taking into consideration.
|
|

Epitrope
The Citadel Manufacturing and Trade Corporation
|
Posted - 2011.01.25 07:58:00 -
[85]
Originally by: CCP Sreegs
Originally by: Melekhar Tazinas Sreegs, have you guys considered signing your emails with a GPG signature?
Not that many people use GPG-enabled email clients, but for those of us that do, there's few better means of authenticating your emails.
We have and I'm looking into it deeper. The problem in the past with this type of thing has been the barrier to entry for the end user. DomainKeys uses a certificate in the actual sending of the email to validate the sending source, so once that implementation's done you may be able to get similar functionality though. I'm taking some liberty and oversimplifying here I know but it's 2:30 am and I'm pretty much stupid right now.
Ultimately I'd like it to be simple enough for Joe Average to be able to verify that an email came from us.
Honestly, I'd like to see CCP use PGP/GPG signatures a lot more: on emails, on downloads (the client and especially patches), and on killmails, off the top of my head. Allowing users to verify that something came from CCP is just as important as allowing CCP to verify that something is coming from a given user.
It seems to me that generating signatures doesn't make it any more difficult for users who don't validate the signatures. In emails, it'd be a bit they'd ignore; for downloads, it'd be an extra file they wouldn't get; and for killmails, it'd be a field, file, or API method they wouldn't read, download, or call.
Aside from that, EVE Online has never been filled with "Joe Average" users...
|

Vaneshi SnowCrash
|
Posted - 2011.01.26 17:30:00 -
[86]
Originally by: CCP Sreegs Ultimately I'd like it to be simple enough for Joe Average to be able to verify that an email came from us.
You're talking about a group of people who will click a link in an e-mail, send all their money to a 'Nigerian prince' and sit there with expired anti-virus software that came with their PC all those years ago.
That's Joe Average and frankly he's an idiot. If you want to keep him safe, sell him an iPad with an ARM compiled EVE client on it running a touch capable UI.
So if you want Joe Average to be safe... you should start taking the anti-psychotics erm... last week :)
|

Aineko Macx
|
Posted - 2011.01.26 20:47:00 -
[87]
Just to say thank you for the hint on SPF/DKIM, I'm now implementing my own DKIM signer for use at my company in a project that requires the sending of lots of mails to customers. ________________________ CCP: Where fixing bugs is a luxury, not an obligation. |
|
|
|