Thread Statistics: Show CCP posts - 36 post(s)

CCP Sreegs
Posted - 2011.04.10 00:21:00
[1]
Originally by: Sullen Skoung Hey wait, where's Sreeg, the mouthpiece? Why isn't he here reassuring us everything's OK etc etc etc
I believe what I did was tell you I'd have the results of an investigation (now 2!) in a blog. That hasn't changed so I hope that makes you feel OK.

CCP Sreegs
Posted - 2011.04.10 00:23:00
[2]
Originally by: Titus Phook Well if he passed the new forum as fit for use, and let's face it he's the security guy and it was a security issue, he's probably busy trying to get the egg off his face.
My job is response, not reviewing every single line of code that gets written.

CCP Sreegs
Posted - 2011.04.10 03:09:00
[3]
Just to keep you guys who weren't in the loop aware, there will still be a security-related blog about the forum issues Monday or so. Now with BONUS CONTENT!

CCP Sreegs
Posted - 2011.04.10 03:10:00
[4]
Edited by: CCP Sreegs on 10/04/2011 03:10:15
Originally by: Marconus Orion
Originally by: Trocent I really wish these whiners were real programmers. They'd know how strange problems arise. Out of all the MMOs I played CCP still does a hell of a lot better than anyone else.
Also to all you whiners, remember that CCP could always make this a carebear game. That'd probably get a few million subscriptions and make a ton more money, but they don't. Feel grateful or leave.
Some of these people complaining are programmers. The same people who pointed out the problems before it went live. CCP just ignored them and shoved it out to the customers so they could say they Delivered.
If you have any evidence of this I'd welcome you to share it with me. [email protected]

CCP Sreegs
Posted - 2011.04.10 13:24:00
[5]
Originally by: Steve Thomas
Originally by: CCP Sreegs Edited by: CCP Sreegs on 10/04/2011 03:10:15
Originally by: Marconus Orion
Originally by: Trocent I really wish these whiners were real programmers. They'd know how strange problems arise. Out of all the MMOs I played CCP still does a hell of a lot better than anyone else.
Also to all you whiners, remember that CCP could always make this a carebear game. That'd probably get a few million subscriptions and make a ton more money, but they don't. Feel grateful or leave.
Some of these people complaining are programmers. The same people who pointed out the problems before it went live. CCP just ignored them and shoved it out to the customers so they could say they Delivered.
If you have any evidence of this I'd welcome you to share it with me. [email protected]
I can save you the time, on this forum thread you have one IT systems developer who works for Kinder*Morgan Pipelines, two Web content developers from CITIgroup and a Network system specialist for The Clydesdale Bank PLC UK.
Now how many of them actually ARE in those fields is a matter of speculation. After all you can say whatever you like on Facebook.
I'm sure a lot of people work for a lot of good companies. What I was stating was that if anyone has actual evidence of the malfeasance that was suggested they're welcome to email it to me.

CCP Sreegs
Posted - 2011.04.10 13:26:00
[6]
Originally by: Kerfira Edited by: Kerfira on 10/04/2011 08:53:07
Originally by: CCP Sreegs Just to keep you guys who weren't in the loop aware there will still be a security-related blog about the forum issues Monday or so. Now with BONUS CONTENT!
Sorry, but to me this (and the post after it) smells like CCP are pretending that the ONLY problems with the new forums were the security issues, and are deliberately ignoring all the other usability issues... If this is the case, then you really, REALLY(!) should take a step back and think a bit about the image you present to your customers.
The new forums were horrible to read, wasted a shedload of bandwidth (especially on mobile devices which is what a lot of people use these days), lacked very basic functionality that the current forums have, and were horribly slow.
In short, they were, and ARE, not ready for live deployment!
As one previous poster in this thread said, compare it with the introduction of the new contracts search... That was also a complete new interface, and I don't think I've seen a single complaint over it. Why? Because it replaced something BAD with something OK (still not 'good'). With the forums, you're replacing OK with BAD. No wonder people complain...
My job is security, therefore that's what I blog about. The reason we shut down the forums was security-related.

CCP Sreegs
Posted - 2011.04.10 13:31:00
[7]
Originally by: Bomberlocks
Originally by: CCP Navigator Thread has been cleaned up a little.
I wanted to quickly address one or two concerns, specifically over personal information and logins. At no stage were other players able to access your login, passwords, payment details or real life information.
CCP Sreegs has already stated that he is writing a blog on this subject and this is one of the things he will cover.
I would like to post a few pertinent facts:
- The person who was banned petitioned the vulnerability to CCP. It was not acted upon.
- Said person then proceeded to demonstrate that vulnerability after discussing it on the now-defunct SHC forums.
- Said person was banned for impersonating someone who was not himself.
- The forums were taken down.
- The forums were brought back up and CCP Fallout asserted that the vulnerabilities had been patched and "We would like to reiterate that your personal details and billing information have not been compromised, and that your eve online account was not at risk".
- The banned person then proceeded to post, as himself, in spite of him being banned, in reply to CCP Fallout's assertion, thereby proving Fallout's assertion to be false.
- The forums were then taken down again.
- The forums were brought back up a while later.
- Later on, I presume after having discovered that the forums were still vulnerable, they were taken down again.
- The old forums were brought back up.
- Discussions involving said banned person are closed with further threats of banning, ignoring the fact that the story has already been widely spread, on other forums, Facebook, twitter and probably the media as well (slashdot for example).
- You now claim, again, that customer data was never at risk.
In light of that information, how do you expect us to believe your current assertion without a transparent and open discussion of the vulnerability? The banned person can easily post his version anywhere else he chooses, and given his disproving of CCP's earlier assertions, I presume that the benefit of the doubt will go to him.
The ball, I think, is in your court.
We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.
I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.

CCP Sreegs
Posted - 2011.04.10 16:15:00
[8]
Edited by: CCP Sreegs on 10/04/2011 16:20:34
Originally by: Helicity Boson Edited by: Helicity Boson on 10/04/2011 14:54:40 You're also being lied to.
While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.
Saying we were completely safe is, demonstrably, FALSE.
I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592
After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
B) We are in the process of conducting an investigation, but thus far it appears that nobody was doing anything that could put even people's cookies at risk, much less key logging.
C) We don't ban people for having opinions. Even when they're wrong. (or rude)

CCP Sreegs
Posted - 2011.04.10 16:18:00
[9]
Edited by: CCP Sreegs on 10/04/2011 16:23:05
Originally by: Baihuigau To be honest I'm actually liking Sreegs more and more, like others have said it's not his job to pore over every single line of code to make sure the forums were secure, he's not a coder, hell a lot of IT guys hate coding, but he's doing his job now reacting to a security matter, kudos to you man..........on the other hand I didn't like the whole IP banning of the guy that pointed out the exploit, that left me with extreme sour grapes about CCP just like the t20 incident, not to mention since it was not an account ban but an IP ban, there is this thing called a dynamic IP.....it's almost like someone freaked out and pushed the ban button without knowing how to do a proper ban.
Nobody who has ever come forward with a legitimate security concern, with full details of what the exploit was, that they were not actively exploiting themselves, has ever been actioned against by us. There is a right way and a wrong way to report things, as I've said.
It's against policy to discuss any detail whatsoever about a ban so I'm not allowed to do so. I can say that you don't have access to determine how any ban in our system was instituted.

CCP Sreegs
Posted - 2011.04.10 16:27:00
[10]
Originally by: Akita T
Back on topic: Sreegs, security issues and your job title and all those things aside... ...which version are you more comfortable using personally, this one right here or the "new" (now closed) one? And why?
I like... oh wait I see what you're doing...
Seriously that's a loaded question with no right answer.

CCP Sreegs
Posted - 2011.04.10 16:31:00
[11]
Edited by: CCP Sreegs on 10/04/2011 16:34:23
Originally by: Helicity Boson
Originally by: CCP Sreegs
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
Everything's not some shadowy conspiracy. I appreciate that you feel wronged somehow and I can't change that. I have no need whatsoever to save anyone's face, my job is to determine and respond to the problem. Honestly.
:Edit: to respond to the rest, I can say that we have internal procedures which include peer review and pen testing. Part of the investigation will be to determine if that was done and if not why, etc... That's probably mostly going to be internal, but it's not something I'm not thinking about.

CCP Sreegs
Posted - 2011.04.10 16:37:00
[12]
Originally by: Sullen Skoung
Originally by: CCP Sreegs
I'm sure a lot of people work for a lot of good companies. What I was stating was that if anyone has actual evidence of the malfeasance that was suggested they're welcome to email it to me.
love the defense by way of "prove we got the emails" when there's no way you actually can do that short of working at CCP.
I said if you have evidence send it to me. I never said prove we got them. If you're going to try to reword a post you should probably not do so with the complete text of the statement quoted.

CCP Sreegs
Posted - 2011.04.10 16:41:00
[13]
Originally by: Helicity Boson
Originally by: CCP Sreegs my job is to determine and respond to the problem. Honestly.
I appreciate that, I'm not having a go at you as a person.
These things are some pretty damned basic security risks, and you cannot in good conscience sit there and just blankly state "your account info was not compromised" when that is only a half truth, yeah your logins were safe, but their browsers weren't.
I'd also really appreciate a devblog detailing how something THIS BASIC could go live like this. And how you are altering peer review procedures to make sure it does not happen again.
I'm not causing a ruckus because I don't like you, I'm doing so because you have let us down, yet again, but you're all still walking around with your head in the clouds of "awesome".
I want you to be the company we deserve, and you are failing.
I want us to be the company we deserve to be as well. I think perhaps where we digress a bit is that I have to deal with hard solid evidence before I have an opinion. If it does come out that script could be executed (I'm trying to sort that), then there is a chance someone could have done something malicious.
However, beyond that are logging processes which are a part of the picture you don't have. Logs allow us to do a deeper investigation into how any exploits were actually applied rather than how something theoretically could be applied.
So as I said, I get why you're mad. I get why you'd come to the conclusions you came to. I just don't believe them all to be true at this time and if I do find that script could have been executed I'll let you know that you were correct. My job isn't to make anyone look good, it's to catch bad guys and deal with problems.

CCP Sreegs
Posted - 2011.04.10 16:44:00
[14]
Originally by: Ban Doga Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs Edited by: CCP Sreegs on 10/04/2011 16:34:23
Originally by: Helicity Boson
Originally by: CCP Sreegs
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT* It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
I explained this.

CCP Sreegs
Posted - 2011.04.10 16:46:00
[15]
Originally by: Helicity Boson
Originally by: CCP Sreegs My job isn't to make anyone look good it's to catch bad guys and deal with problems.
Good, so we can look forwards to a devblog explaining exactly what changes you are going to make in your structure to make sure something so utterly moronic as not having validation on a charID number will never ever ever occur then?
Because frankly that makes me even more mad than the injection (which is also unforgivable really).
If you do that, then we have a deal.
If, instead, you guys just keep monkeying around and pretend it took 72,000 man hours to chop down an existing forum, break its security and then reskin it. Then we're going to be having a problem.
I don't blog about forums so let's see where the investigation takes us and we'll figure out if you have a reason to be mad at me after I've actually finished the work :)

CCP Sreegs
Posted - 2011.04.10 16:47:00
[16]
Originally by: LtCol Laurentius Edited by: LtCol Laurentius on 10/04/2011 14:48:57
Originally by: CCP Sreegs
We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.
I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.
It doesn't matter. The public image you have created is that you **** over the whistleblower, while claiming everything is alright.
If I don't talk about administrative actions I'm really not sure how I could have created an opinion about one. I'm pretty sure what you mean to say is "The public image that SOMEONE ELSE has created".

CCP Sreegs
Posted - 2011.04.10 16:53:00
[17]
Originally by: Helicity Boson Sean, btw, who do you think Virt was copy/pasting to you last night?
I don't have Virt on any of my IMs anymore and I don't recall getting any pastes, but I'll check through my logs and see if maybe I was just stupid after sleeping 3 hours in 2 days.

CCP Sreegs
Posted - 2011.04.10 16:55:00
[18]
Originally by: Ban Doga
Originally by: CCP Sreegs
Originally by: Ban Doga Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs Edited by: CCP Sreegs on 10/04/2011 16:34:23 If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT* It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
I explained this.
Originally by: CCP Sreegs IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So are you saying you already know your investigation will show that no script could be injected or that injecting script posed no risk to the computers of the forums users?
I'm saying exactly what I said.

CCP Sreegs
Posted - 2011.04.10 16:57:00
[19]
Originally by: Grimpak dude, go to sleep, lol
I slept last night like a good 7 hours. I came back in today to continue, so I'm pretty well rested actually.

CCP Sreegs
Posted - 2011.04.10 17:06:00
[20]
Originally by: Helicity Boson
Originally by: CCP Sreegs
I'm saying exactly what I said.
you're damned if you do, damned if you don't mate.
I don't believe for one second your "review" will ever yield any result other than "no we were safe".
Especially since via-via-via-IM I was showing you how the night before and you didn't get it.
You'd never own up to the site being vulnerable anyways, and it's that fact that makes me shudder with revulsion.
Terrible coding practices combined with a willingness to lie make for a grim picture indeed.
I can assure you that I never came close to an IM from you. I did see some information that led directly to patching the problem, but I never personally got any IM from anyone from you. If I was somehow "not owning up to the site being vulnerable" I wouldn't have said it was vulnerable and I wouldn't have had it taken down.
I don't know what you're seeing from your perspective but it sounds to me like you're being taken for a ride by someone else or there's a really really hilarious miscommunication chain here.

CCP Sreegs
Posted - 2011.04.10 17:08:00
[21]
Originally by: Bomberlocks
Originally by: CCP Sreegs
Originally by: Bomberlocks ......
We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.
I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.
Your policy of not discussing administrative actions is one thing (and IMO is currently being used to shield CCP from public humiliation), but if you read the post on Helicity's blog, you'll see that what you are saying with respect to the vulnerability is demonstrably false. If you do not honestly address the issues in at least the same detail Helicity did, then I think it's time to take this to the media, because, as it currently stands, there is no good reason to believe anything you are saying, but there are a lot of good reasons to not believe anything you say.
In short: Customer data was in danger through code injected into the signature. CCP did ignore the warnings of numerous people. You are trying to avoid admitting to your errors. Prove me wrong and I'll happily apologise, but simply claiming I'm wrong without proof is simply not good enough.
I'm not trying to avoid anything. It seems a bit silly to say YOU'RE WRONG, PROVE ME YOU'RE RIGHT, then make the opposite assertion with less burden. At this point in time the only thing we can do is point fingers at each other and that's not very productive. Never mind the fact that you're just rehashing a conversation I responded to not 30 minutes ago.

CCP Sreegs
Posted - 2011.04.10 17:09:00
[22]
Originally by: Sullen Skoung
Originally by: CCP Sreegs
Originally by: Sullen Skoung
Originally by: CCP Sreegs
I'm sure a lot of people work for a lot of good companies. What I was stating was that if anyone has actual evidence of the malfeasance that was suggested they're welcome to email it to me.
love the defense by way of "prove we got the emails" when there's no way you actually can do that short of working at CCP.
I said if you have evidence send it to me. I never said prove we got them. If you're going to try to reword a post you should probably not do so with the complete text of the statement quoted.
Still a crap defense man, we CAN'T get the emails from your site so there's no way TO prove that we sent them. It's a stupid defense when all you have to do is get whoever browses ccp@security email FOR those emails, assuming that isn't you. Unless of course you can't send them an email or talk to them or something. Which would be a ****ty way to run a company tbh
What? I have no idea what you're trying to say.

CCP Sreegs
Posted - 2011.04.10 17:12:00
[23]
Originally by: Elyssa MacLeod
you realize you're talking in circles right? You earlier stated it was a security issue that brought down the forums and now you're saying you don't blog about forums. That blog is gonna be pretty thin then if it's not about this fiasco.
Hey helicity, how you know his name? Sreegs: And what's all this about you not having ppl on your IM anymore?
lol these ppl are all closer than we think they are...
I was a player for a long time. When I joined the company I removed a bunch of people from IM and had to leave the game as per policy. No huge mystery there.

CCP Sreegs
Posted - 2011.04.10 17:14:00
[24]
Originally by: Bomberlocks You'd trust the people who made the mistake in the first place more than the people who tried to warn you about it?
Who said it was them that I asked?

CCP Sreegs
Posted - 2011.04.10 17:15:00
[25]
Originally by: Sullen Skoung
Originally by: CCP Sreegs
Quote:
Still a crap defense man, we CAN'T get the emails from your site so there's no way TO prove that we sent them. It's a stupid defense when all you have to do is get whoever browses ccp@security email FOR those emails, assuming that isn't you. Unless of course you can't send them an email or talk to them or something. Which would be a ****ty way to run a company tbh
What? I have no idea what you're trying to say.
you are saying WE need to provide proof of sending emails to ccp@security
I'M saying we can't provide this proof being that we can't get into ccp@security to get copies of those emails sent.
YOU who work at CCP, supposedly AS security, should either be able to access that email account or email the guy that can and can see if those emails do in fact exist.
I never said I didn't have those mails....
I said that if you have any evidence that someone within the company is doing something wrong as was intimated by the original post, then that was the address to send it to... that was the entirety of what I was trying to state. I don't know how that got twisted into this.

CCP Sreegs
Posted - 2011.04.10 17:17:00
[26]
Originally by: Elyssa MacLeod
Originally by: Bomberlocks And if he posts his chat logs?
gets banned for posting GM communications?
I'm guessing he can't say anything like he gets IMs from players cause that player/GM interaction wall breach was part of the issue in T20
If someone had found a way to get me an IM from him I'd have no problem saying so. I don't think that was the case here. I did have some information forwarded to me, that was used. But I had no IM convo tmk.

CCP Sreegs
Posted - 2011.04.10 17:26:00
[27]
Originally by: Sullen Skoung Edited by: Sullen Skoung on 10/04/2011 17:21:43
Originally by: Hel O'Ween And I remind you that Cat reported the issue first and then - when his warning got ignored - demonstrated it for all to see. This was the time CCP finally got the message and pulled the plug.
I think this is the part that Sreegs is trying to get us to prove
Nobody has to prove anything about anyone's actions on the forums. I have full logs of everything.

CCP Sreegs
Posted - 2011.04.11 23:03:00
[28]
Originally by: Elyssa MacLeod Apparently they chose to publish the CSM blog over his blog lol
that strikes me as damn funny
Like even they don't give a **** about informing us to what happened cause we already KNOW thanks to Helicity Boson
I just had it published...

CCP Sreegs
Posted - 2011.04.11 23:11:00
[29]
Originally by: Siiee
Originally by: Barakkus simply a lack of thinking outside of the box about matters of security by their web team...
That's part of what I don't understand about this whole mess (as I've said before I'm barely even a hobbyist programmer). Sure it would have been much more difficult to exploit if they had encrypted the cookie, and it's fixable by confirming the client's credentials on each action. But if the server can verify that the particular char ID that is submitted with the session belongs to that session, why bother having the client manage any of that data in the first place? All of that should be maintained entirely server side where it's safe and protected, the only thing that the client needs to provide (and that needs to be constantly verified) is its specific session. The entire idea behind taking such an important part of the authentication process, tearing it out and putting it in the untrusted client, only to re-authenticate it every step of the way (which was missing here) seems like such a total WTF to me. This isn't a clever exploit of some obscure loophole or code gotcha, it's just such a fundamentally flawed idea on the conceptual level, or at least that's what it seems like with my understanding.
Your understanding is pretty correct.
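The design flaw described in the post above (a character ID handed to the client and accepted back without being checked against the session), shown as an added example that is not CCP's code or the forum's: a toy post handler in the vulnerable shape next to a hardened one that keeps the active character server-side and re-checks ownership on every action. All names (SessionStore, select_character, post_message_*, the account and character IDs) are assumed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed data (assumed values): which character IDs each account owns.
ACCOUNT_CHARACTERS = {
    "acct-alice": {1001, 1002},
    "acct-bob": {2001},
}


@dataclass
class Session:
    account_id: str
    active_character: Optional[int] = None  # set server-side only, never by the client


class SessionStore:
    """In-memory session table keyed by an opaque random session ID."""

    def __init__(self) -> None:
        self._sessions = {}

    def login(self, account_id: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(account_id=account_id)
        return sid

    def get(self, sid: str) -> Session:
        sess = self._sessions.get(sid)
        if sess is None:
            raise PermissionError("not logged in")
        return sess


# Vulnerable pattern: the posting character is whatever the client sends.
def post_message_vulnerable(store: SessionStore, request: dict) -> dict:
    """Checks only that the session exists, then trusts request['char_id'].
    Ownership is never checked, so any logged-in account can post as any ID."""
    sess = store.get(request["session_id"])
    # BUG: nothing ties request["char_id"] to sess.account_id
    return {"author": request["char_id"], "body": request["body"]}


# Hardened pattern: the active character is chosen and stored server-side.
def select_character(store: SessionStore, sid: str, char_id: int) -> None:
    """Verifies ownership once; the choice is kept in the server-side session."""
    sess = store.get(sid)
    if char_id not in ACCOUNT_CHARACTERS.get(sess.account_id, set()):
        raise PermissionError("character not owned by this account")
    sess.active_character = char_id


def post_message_hardened(store: SessionStore, request: dict) -> dict:
    """Derives the author from the session; any client-sent char_id is ignored.
    Ownership is re-checked on every action, as the post above recommends."""
    sess = store.get(request["session_id"])
    char_id = sess.active_character
    if char_id is None or char_id not in ACCOUNT_CHARACTERS.get(sess.account_id, set()):
        raise PermissionError("no valid active character for this session")
    return {"author": char_id, "body": request["body"]}


def demo() -> tuple:
    """Bob logs in and submits a request naming Alice's character 1001.
    Returns (author recorded by the vulnerable handler,
             author recorded by the hardened handler)."""
    store = SessionStore()
    bob = store.login("acct-bob")
    spoof = {"session_id": bob, "char_id": 1001, "body": "hello"}
    vulnerable_author = post_message_vulnerable(store, spoof)["author"]  # 1001
    select_character(store, bob, 2001)
    hardened_author = post_message_hardened(store, spoof)["author"]  # 2001
    return vulnerable_author, hardened_author


if __name__ == "__main__":
    print(demo())  # (1001, 2001)
```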

CCP Sreegs
Posted - 2011.04.11 23:13:00
[30]
Originally by: Jada Maroo
Originally by: CCP Sreegs
I just had it published...
It lacks an overly optimistic estimate of when the new forums will make their grand return. 
Not my department. :)

CCP Sreegs
Posted - 2011.04.11 23:17:00
[31]
Originally by: Jada Maroo
Originally by: CCP Sreegs
Originally by: Jada Maroo
Originally by: CCP Sreegs
I just had it published...
It lacks an overly optimistic estimate of when the new forums will make their grand return. 
Not my department. :)
CCP isn't that big! That department must be like 15 feet from you. Go over there and ask you lazy bum!
It's 23:30 at night.