
Ban Doga | Posted - 2011.04.10 07:41:00 - [1]
Originally by: Trocent
Originally by: Marconus Orion
Originally by: Trocent I really wish these whiners were real programmers. They'd know how strange problems arise. Out of all the MMOs I played CCP still does a hell of a lot better than anyone else.
Also to all you whiners, remember that CCP could always make this a carebear game. That'd probably get a few million subscriptions and make a ton more money, but they don't. Feel grateful or leave.
Some of these people complaining are programmers. The same people who pointed out the problems before it went live. CCP just ignored them and shoved it out to the customers so they could say they Delivered.
Then I take it they've programmed a game as advanced as Eve and could single-handedly fix the problems in Eve. I doubt it. All these people do is whine. CCP released some forums, people exploited them and CCP took it down; would you rather them just keep the forums up?
Regardless of what the whiners say, CCP are doing a pretty good job even when problems arise. Suck it up people.
This was a forum issue, not an in-game issue. As has been pointed out many times: those two things are not done by the same people.
I would not have them keep the compromised forums running. I want them to release software that has received at least a modicum of testing so that the users won't tear it apart in less than 24 hours.

Ban Doga | Posted - 2011.04.10 07:57:00 - [2]
Originally by: Julyan Fox Maybe if more ppl went to test it things would have been better too. Ppl tend to forget EVE isn't an 11 million subscriber mmo.
You can't transfer the developer's responsibility for delivering a quality product to the users by throwing your product out and telling users "Please test it". You can ask your users to help but the responsibility stays with the one delivering the product.
And if you really want people to help with finding defects, do it in a way that actually works. Give people an incentive to spend their time. Give them a reason to really try. "You get better software" is not really an incentive at all (see above: that's already the developer's responsibility).
Open an empty instance of the new forums, tell people that its contents will be wiped after the "Hack me if you can" phase. Hide a PLEX (e.g. in the form of a unique code that can be used to get a PLEX in-game) in a forum area that should be inaccessible to players. Offer a PLEX for the first post as CCP Explorer stating "WE WERE GANKED!", first locked thread, first banned user, first poll, first ...
All this half-assed "Here, you can test the new forums for a week" is only leading to half-assed results which will eventually lead to **** like falling back to your old forums.

Ban Doga | Posted - 2011.04.10 10:36:00 - [3]
Originally by: BackStreet Babe
Originally by: CCP Sreegs
Originally by: Titus Phook Well if he passed the new forum as fit for use, and lets face it he's the security guy and it was a security issue, he's probably busy trying to get the egg off his face.
My job is response, not reviewing every single line of code that gets written.
doesn't look like anyone had the job of reviewing the code in the new forums. fail is fail is ccp
Looks like there isn't even someone to review the security concept. "... and then the server uses the character ID provided by the client to add the posting ..." should make someone fall out of their chair even without looking at any code at all.
Same with "... if a thread is locked the client will not show buttons to "like" postings, that'll suffice".
People are really fast to argue on the code level ("I don't review code", "It's just x lines of code", ...) when most of the problems are really on the conceptual level. IMO that suggests people are still struggling to get the code to do what they want and cannot even start to think about whether their concept makes sense (or not).
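The two conceptual flaws this post describes (a server that takes the character ID from the client's form, and a thread lock enforced only by hiding the "like"/reply buttons in the UI) side by side with the server-side checks that close them, written as an added illustration. This is not code from the EVE forums, from the forum package or from CCP; the request, session and thread structures are constructed for the example.

```python
# Added illustration, not the forum software's code: the same "post a reply" handler
# written the way the thread describes it (trusting the client) and the way a server
# should do it (identity from the server-side session, lock state checked server-side).
import logging
from dataclasses import dataclass


@dataclass
class Request:
    session: str   # cookie the browser sends automatically; maps to a server-side login
    form: dict     # everything in the form body is under the sender's control


class AuthError(Exception):
    pass


def fresh_threads():
    """Constructed stand-in for the thread table: one open thread, one locked."""
    return {42: {"locked": False, "posts": []},
            43: {"locked": True, "posts": []}}


def post_reply_vulnerable(req, threads):
    """Uses the character ID the client put in the form, so anyone can post as anyone,
    and a locked thread is 'protected' only because the UI did not draw the button."""
    thread = threads[int(req.form["thread_id"])]
    thread["posts"].append((int(req.form["character_id"]), req.form["body"]))
    return thread["posts"][-1]


def post_reply_hardened(req, sessions, threads):
    """Identity comes from the session the server issued at login, never from the form;
    the lock is enforced here regardless of what the client's UI showed."""
    character_id = sessions.get(req.session)
    if character_id is None:
        raise AuthError("not logged in")
    thread = threads.get(int(req.form["thread_id"]))
    if thread is None:
        raise KeyError("no such thread")
    if thread["locked"]:
        raise AuthError("thread is locked")
    # A character_id in the form that disagrees with the session is worth logging
    # as a tampering attempt; it is never a value to honour.
    claimed = req.form.get("character_id")
    if claimed is not None and int(claimed) != character_id:
        logging.warning("form character_id %s != session character %s", claimed, character_id)
    thread["posts"].append((character_id, req.form["body"]))
    return thread["posts"][-1]


def run_demo():
    """Feed the same attacker-controlled forms to both handlers and collect the outcomes."""
    sessions = {"sess-abc": 1001}   # constructed: session token -> logged-in character
    forged = Request("sess-abc", {"thread_id": "42", "character_id": "2002", "body": "hi"})
    locked = Request("sess-abc", {"thread_id": "43", "character_id": "1001", "body": "late"})
    results = {
        "vuln_forged": post_reply_vulnerable(forged, fresh_threads()),
        "hard_forged": post_reply_hardened(forged, sessions, fresh_threads()),
        "vuln_locked": post_reply_vulnerable(locked, fresh_threads()),
    }
    try:
        results["hard_locked"] = post_reply_hardened(locked, sessions, fresh_threads())
    except AuthError as exc:
        results["hard_locked"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable handler accepts a post attributed to character 2002 from a session that belongs to 1001, and happily appends to the locked thread; the hardened one records 1001 and rejects the locked thread. The point of the post above is that neither fix needs a line-by-line code review to spot: "where does the server get the identity from" and "where is the lock enforced" are design questions.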

Ban Doga | Posted - 2011.04.10 12:53:00 - [4]
Originally by: CCP Navigator Thread has been cleaned up a little.
I wanted to quickly address one or two concerns, specifically over personal information and logins. At no stage were other players able to access your login, passwords, payment details or real life information.
CCP Sreegs has already stated that he is writing a blog on this subject and this is one of the things he will cover.
Are you sure? Scratch that, you were probably sure the new forums were ready to be rolled out too.
Are you saying at no time someone was able to access my personal information stored on CCP's systems? Or are you saying no one injected a keylogger/trojan/malware executing/downloading/installing signature that could access information on the forum users' system(s)?

Ban Doga | Posted - 2011.04.10 14:08:00 - [5]
Originally by: Miilla
You all got what you wanted, the old forums back, why are you all still whining?
Are you one of those people who are totally happy when someone steals their car and brings it back later "because you got it back now so everything is okay again"?

Ban Doga | Posted - 2011.04.10 14:10:00 - [6]
Originally by: Miilla
Originally by: Ban Doga
Originally by: Miilla
You all got what you wanted, the old forums back, why are you all still whining?
Are you one of those people who are totally happy when someone steals their car and brings it back later "because you got it back now so everything is okay again"?
Shouldn't your analogy involve space ships?
Are you one of those people who are totally happy when someone steals their car spaceship and brings it back later "because you got it back now so everything is okay again"?

Ban Doga | Posted - 2011.04.10 14:22:00 - [7]
Originally by: Miilla
Originally by: Ban Doga
Originally by: Miilla
Originally by: Ban Doga
Are you one of those people who are totally happy when someone steals their car and brings it back later "because you got it back now so everything is okay again"?
Shouldn't your analogy involve space ships?
Are you one of those people who are totally happy when someone steals their car spaceship and brings it back later "because you got it back now so everything is okay again"?
No because I have a Keanu Reeves anti ship alarm fitted. I simply press a button and every ship around me explodes except my own. Makes it easier to locate in the station mall parking area.
Shouldn't your analogy not involve Keanu Reeves?

Ban Doga | Posted - 2011.04.10 16:42:00 - [8]
Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs Edited by: CCP Sreegs on 10/04/2011 16:34:23
Originally by: Helicity Boson
Originally by: CCP Sreegs
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT* It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
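The disagreement in this post is whether signatures that "would allow HTML" could also carry script. The check a defender wants in place is an allowlist sanitizer that keeps the formatting the feature needs and drops everything that can execute, which is what the added example below shows. It is not the forum package's code or CCP's; the tag and attribute allowlist is an assumption chosen for the example, and the inputs are constructed.

```python
# Added illustration, not the forum software's sanitizer: allowlist-based cleaning of an
# HTML signature. Anything not explicitly allowed is dropped, so on* handlers, style=,
# <script>, <style> and non-http(s) URLs never need to be enumerated individually.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "a", "img"}   # assumed policy
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://")   # rejects javascript:, data:, vbscript:, ...


class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # allowed tags currently open, so output stays well-formed
        self.drop_depth = 0    # >0 while inside <script>/<style>: their content is discarded

    @staticmethod
    def _safe_url(value):
        return value is not None and value.strip().lower().startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # covers onerror=, onclick=, style=, ...
            if name in ("href", "src") and not self._safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            return                      # an <img> without a safe src has no reason to exist
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:           # also close anything opened after it
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped on output

    def handle_comment(self, data):
        pass                            # comments never reach the rendered page

    def result(self):
        self.close()
        while self.open_tags:           # close tags the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_signature(html):
    """Return a version of the signature that keeps allowed formatting only."""
    parser = SignatureSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    for sample in ('<b>o7</b><script>doSomething()</script>',
                   '<img src="x" onerror="doSomething()">',
                   '<a href="https://example.com" onclick="doSomething()">EVE</a>'):
        print(repr(sample), "->", repr(sanitize_signature(sample)))
```

Whether script could get through is then a question the sanitizer's test suite answers, rather than something people have to recall "from memory" after the fact; the same inputs the thread argues about become regression tests.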

Ban Doga | Posted - 2011.04.10 16:53:00 - [9]
Originally by: CCP Sreegs
Originally by: Ban Doga Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs Edited by: CCP Sreegs on 10/04/2011 16:34:23 If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT* It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
I explained this.
Originally by: CCP Sreegs IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So are you saying you already know your investigation will show that no script could be injected or that injecting script posed no risk to the computers of the forums users?

Ban Doga | Posted - 2011.04.10 17:55:00 - [10]
Originally by: CCP Sreegs I'm saying exactly what I said.
That's great, I'm doing the same. I think more people should do it...

Ban Doga | Posted - 2011.04.10 18:26:00 - [11]
Edited by: Ban Doga on 10/04/2011 18:26:35
Originally by: Miilla Edited by: Miilla on 10/04/2011 18:22:55 The "whistleblower" who "exploited" the issue instead of posting about it publicly anonymously.
How can anyone say there's a security hole without exploiting it? "Uhm, your client is sending data to your server. If the server does not validate this data you have a security hole..."?

Ban Doga | Posted - 2011.04.10 18:34:00 - [12]
Originally by: Miilla Edited by: Miilla on 10/04/2011 18:30:31
Originally by: Ban Doga Edited by: Ban Doga on 10/04/2011 18:26:35
Originally by: Miilla Edited by: Miilla on 10/04/2011 18:22:55 The "whistleblower" who "exploited" the issue instead of posting about it publicly anonymously.
How can anyone say there's a security hole without exploiting it? "Uhm, your client is sending data to your server. If the server does not validate this data you have a security hole..."?
So post it as theory then, but don't EXPLOIT it, it is clearly obvious he exploited it from his self bragging posts on SHC forum.
"hey look at me, look what I can do etc etc" even the forum thread was titled who wanted to post as somebody else.
There would be quite a lot of possible theories. You can't be sure there is a weakness until you try (this is not like finding a hole in a fence, it's like finding a tunnel and guessing where it might lead).
You would get ignored pretty quickly (I'd assume) and in the story about the boy who cried wolf the wolf actually comes and no one believes it...

Ban Doga | Posted - 2011.04.10 18:37:00 - [13]
Edited by: Ban Doga on 10/04/2011 18:37:44
Originally by: Miilla
Originally by: Elyssa MacLeod
Originally by: Miilla
Originally by: Elyssa MacLeod so miilla, what did they give you to turn you into a CCP kiss ass?
cause you used to be a rabblerouser like the rest of us, now all you do is troll us and kiss CCP's ass.
I don't take sides :)
yeah sure you dont lol how much isk or PLEX did it take? lol
He denied me the opportunity to use my paid-for trolling service for the weekend. The agony was terrible. All because some know it all show off wanted to act big on the internet posting javascript signature exploits.
Careful now. Sreegs already said he talked to some people who remember they believe it was not possible to post Javascript. And he really says what he said.

Ban Doga | Posted - 2011.04.10 18:42:00 - [14]
Originally by: Kristina Vanszar Edited by: Kristina Vanszar on 10/04/2011 18:40:09
Quote: who remember they believe it was not possible
WTF!?
Sorry for paraphrasing. The original statement was
Quote: The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1493904&page=13#364

Ban Doga | Posted - 2011.04.10 18:54:00 - [15]
Originally by: Furb Killer So let me get this straight: pointing out security flaws the size of the hole in the WTC and, granted, exploiting them a bit for the lulz (without afaik doing any serious damage, considering what he could have done with it and notifying you so it could be fixed), results in an account ban + IP ban. Meanwhile abusing exploits in the game client and rampant botting (often a combination of those two) is perfectly fine?
We should probably ask The Monkeysphere, but I guess he would say not telling anything is better for your account...

Ban Doga | Posted - 2011.04.10 19:14:00 - [16]
Originally by: Miilla Edited by: Miilla on 10/04/2011 19:12:57
Originally by: mkint
Originally by: Miilla
Originally by: Furb Killer So let me get this straight: pointing out security flaws the size of the hole in the WTC and, granted, exploiting them a bit for the lulz (without afaik doing any serious damage, considering what he could have done with it and notifying you so it could be fixed), results in an account ban + IP ban. Meanwhile abusing exploits in the game client and rampant botting (often a combination of those two) is perfectly fine?
Pointing out means TELLING us about it, he went beyond that, he EXPLOITED the vulnerability for his own gain (ego).
Would CCP have done anything if he didn't demonstrate it? Hell no. The entire web team is a complete failure and seriously needs to be fired. They haven't done a single piece of good work, but have instead screwed up over and over again, unapologetically putting client privacy at risk every single day, and now putting client security at risk. There is no excuse for it. They are not up to the job.
Also: surprise! Miilla is taking a contrarian position. Wonder why... troll much? Get a life.
Did I say just tell CCP I meant tell EVERYBODY, the PUBLIC. It is very easy to download YET and install it yourself and test your theory then view the source on your client browser to see if it is much different (and the files it poo poos for authentication). If he is really concerned, he can even submit a fix into the open source YET project tree or send the diff to the owners.
Test on your own machines, not in the cloud.
Maybe you should take a break. This was 2/10. At most.

Ban Doga | Posted - 2011.04.10 19:20:00 - [17]
Edited by: Ban Doga on 10/04/2011 19:20:20
Originally by: Miilla
Originally by: Ban Doga Maybe you should take a break. This was 2/10. At most.
Didn't know we were keeping score. Do you keep little rage lists too?
How could we not keep score?
And what makes you think my rage list - IF I had one - would be little? 

Ban Doga | Posted - 2011.04.11 09:52:00 - [18]
Edited by: Ban Doga on 11/04/2011 09:53:23
Originally by: Bomberlocks We'll see what Sreegs posts in his blog, but I'm not entirely convinced that CCP will be honest as to the extent of the problem as I think it might open them up to possible legal problems.
The blog will reiterate the statements already made. This will include "injection of HTML", "user data was not at risk" and "security's job is to react to issues - not to prevent them by reading code". It will contain a more lengthy and (slightly) more detailed explanation of "What" happened but not "Why".
Questions regarding "Why" will be met with "Policy says 'No'", "I already explained that", "I say what I said" and "Asking about bans or warnings could get you a ban or warning yourself".
And I'll be delighted to be wrong...