| Pages: 1 2 3 4 5 6 7 8 9 10 11 12 [13] 14 15 16 17 18 19 20 .. 27 :: one page |
| Author |
Thread Statistics | Show CCP posts - 36 post(s) |
|
CCP Sreegs
   |
Posted - 2011.04.10 16:27:00 -
[361]
 Originally by: Akita T
Back on topic : Sreegs, security issues and your job title and all those things aside...
...which version are you more comfortable using personally, this one right here or the "new" (now closed) one ? And why ?
I like... oh wait I see what you're doing...
Seriously that's a loaded question with no right answer. |
|
Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
|
Posted - 2011.04.10 16:28:00 -
[362]
Edited by: Helicity Boson on 10/04/2011 16:31:30
Originally by: CCP Sreegs
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.
And no matter what, that you didn't even see the error in your login design for forum posting and the documented injection holes in the forum you gutted to serve as a base for "your" 72,000 man hour project is pretty damning.
You need peer reviews of code, you need penetration tests.
But most of all you need to get your collective heads out of your "awesome" backsides and start communicating internally and externally.
And above all you need to be honest and forthcoming.
|
Akita T
Caldari Navy Volunteer Task Force
|
Posted - 2011.04.10 16:29:00 -
[363]
Edited by: Akita T on 10/04/2011 16:29:31
Originally by: Baihuigau
Originally by: Akita T
CCP Sreegs being a pretty decent guy and trying his best to sort out problems still doesn't make "CCP, the enterprise" any less exasperating considering what's happening nowadays.
I agree with you on that akita, to be honest i just dont know anything we could do to change that, in the past month i have read alot of stuff about internal procedures of ccp mostly from disgruntled employees around the net and it does paint a picture of management being rather incompetent and full of themselves, but thats not anything new when companies get big.
Feel free to evemail me some links to the type of stories you mention if you think posting them in public would be a big nono for you.
Originally by: CCP Sreegs
Originally by: Akita T
Back on topic : Sreegs, security issues and your job title and all those things aside...
...which version are you more comfortable using personally, this one right here or the "new" (now closed) one ? And why ?
I like... oh wait I see what you're doing...
Seriously that's a loaded question with no right answer.
:evil grin: 
_
CCP LEADERSHIP MENTALITY NEEDS TO CHANGE FAST !
"New junky features sell, old polished content doesn't" ? KILL IT WITH FIRE. |
|
CCP Sreegs
|
Posted - 2011.04.10 16:31:00 -
[364]
Edited by: CCP Sreegs on 10/04/2011 16:34:23
Originally by: Helicity Boson
Originally by: CCP Sreegs
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
Everything's not some shadowy conspiracy. I appreciate that you feel wronged somehow and I can't change that. I have no need whatsoever to save anyone's face, my job is to determine and respond to the problem. Honestly.
:Edit: to respond to the rest, I can say that we have internal procedure which include peer review and pen testing. Part of the investigation will be to determine if that was done and if not why, etc... That's probably mostly going to be internal, but it's not something I'm not thinking about. |
|
Sullen Skoung
|
Posted - 2011.04.10 16:32:00 -
[365]
Originally by: CCP Navigator
That is right. Your login and password would not have been compromised.
It should also be noted though that it is just good practice to change your passwords regularly 
lol this reads "there was no danger, but you probably should anyways" to me
|
Jon Taggart
State War Academy
|
Posted - 2011.04.10 16:34:00 -
[366]
Originally by: Sullen Skoung
Originally by: CCP Navigator
That is right. Your login and password would not have been compromised.
It should also be noted though that it is just good practice to change your passwords regularly
lol this reads "there was no danger, but you probably should anyways" to me
Isn't this standard operating procedure?
I'm not an alt  |
Sullen Skoung
|
Posted - 2011.04.10 16:35:00 -
[367]
Originally by: CCP Sreegs
I'm sure a lot of people work for a lot of good companies. What I was stating was that if anyone has an actual evidence of the malfeasance that was suggested they're welcome to email it to me.
love the defense by way of "prove we got the emails" when theres no way you actually can do that short of working at CCP.
|
Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
|
Posted - 2011.04.10 16:35:00 -
[368]
Edited by: Helicity Boson on 10/04/2011 16:38:15
Originally by: CCP Sreegs
my job is to determine and respond to the problem. Honestly.
I appreciate that, I'm not having a go at you as a person.
These things are some pretty damned basic security risks, and you cannot in good conscience sit there and just blankly state "your account info was not compromised" when that is only a half truth, yeah your logins were safe, but their browsers weren't.
I'd also really appreciate a devblog detailing how something THIS BASIC could go live like this. And how you are altering peer review procedures to make sure it does not happen again.
I'm not causing a ruckus because I don't like you, I'm doing so because you have let us down, yet again, but you're all still walking around with your head in the clouds of "awesome".
I want you to be the company we deserve, and you are failing.
Also, please don't make me bring up the part of last night where I was explaining how it was done to one of your coworkers via someone with access to your communicator and they didn't and quote "get it."
I'm pretty mad at CCP as a whole, please don't pour fuel on my fire.
|
Baihuigau
Gallente
The Scope
|
Posted - 2011.04.10 16:36:00 -
[369]
Originally by: Akita T
Edited by: Akita T on 10/04/2011 16:29:31
Originally by: Baihuigau
Originally by: Akita T
CCP Sreegs being a pretty decent guy and trying his best to sort out problems still doesn't make "CCP, the enterprise" any less exasperating considering what's happening nowadays.
I agree with you on that akita, to be honest i just dont know anything we could do to change that, in the past month i have read alot of stuff about internal procedures of ccp mostly from disgruntled employees around the net and it does paint a picture of management being rather incompetent and full of themselves, but thats not anything new when companies get big.
Feel free to evemail me some links to the type of stories you mention if you think posting them in public would be a big nono for you.
Originally by: CCP Sreegs
Originally by: Akita T
Back on topic : Sreegs, security issues and your job title and all those things aside...
...which version are you more comfortable using personally, this one right here or the "new" (now closed) one ? And why ?
I like... oh wait I see what you're doing...
Seriously that's a loaded question with no right answer.
:evil grin:
There was a post in shc a while back discussing it, and a site where you can post reviews of your employer cant think of it now but it was interesting, if i find the thread and site ill send it to you it would be a interesting article.
|
|
CCP Sreegs
|
Posted - 2011.04.10 16:37:00 -
[370]
Originally by: Sullen Skoung
Originally by: CCP Sreegs
I'm sure a lot of people work for a lot of good companies. What I was stating was that if anyone has an actual evidence of the malfeasance that was suggested they're welcome to email it to me.
love the defense by way of "prove we got the emails" when theres no way you actually can do that short of working at CCP.
I said if you have evidence send it to me. I never said prove we got them. If you're going to try to reword a post you should probably not do so with the complete text of the statement quoted. |
|
Sullen Skoung
|
Posted - 2011.04.10 16:40:00 -
[371]
Originally by: Grimpak
in all honesty the chance was still slim. not impossible but the likelihood of it happening was small since that, altho there was some time wasted, they acted within a couple of hours.
granted it's still a couple of hours and any semi-competent scripter can code anything in that time, but as far as one can see, nothing happened yet.
also, as far as one knows, the major security breach was only code related. the cookie derp, as stated, didn't go beyond forums.
it was still a very serious security breach however, and precautions are still welcome.
Is it scary to anyone that here, slim chance is OK in a situation where "no chance" SHOULD be whats acceptable?
|
Grimpak
Gallente
The Whitehound Corporation
Frontline Assembly Point
|
Posted - 2011.04.10 16:41:00 -
[372]
Edited by: Grimpak on 10/04/2011 16:46:35
Originally by: Helicity Boson
Edited by: Helicity Boson on 10/04/2011 16:38:15
Originally by: CCP Sreegs
my job is to determine and respond to the problem. Honestly.
I appreciate that, I'm not having a go at you as a person.
These things are some pretty damned basic security risks, and you cannot in good conscience sit there and just blankly state "your account info was not compromised" when that is only a half truth, yeah your logins were safe, but their browsers weren't.
I'd also really appreciate a devblog detailing how something THIS BASIC could go live like this. And how you are altering peer review procedures to make sure it does not happen again.
I'm not causing a ruckus because I don't like you, I'm doing so because you have let us down, yet again, but you're all still walking around with your head in the clouds of "awesome".
I want you to be the company we deserve, and you are failing.
Also, please don't make me bring up the part of last night where I was explaining how it was done to one of your coworkers via someone with access to your communicator and they didn't and quote "get it."
I'm pretty mad at CCP as a whole, please don't pour fuel on my fire.
in all honesty, Helicity, I think Sreegs is giving us as much info as he can without risking his job, which is quite alot, considering he has been the front face from CCP about this issue.
just give him some time, I bet he didn't had any decent sleep in these past 2-3 days
Originally by: Sullen Skoung
Is it scary to anyone that here, slim chance is OK in a situation where "no chance" SHOULD be whats acceptable?
no, it's not ok. slim chance is still a chance. it doesn't mean it won't happen however (or that it will for that matter), but from what it has been said, security had a hole, but it wasn't exploited (in a harmful way) in time.
---
Quote:
The more I know about humans, the more I love animals.
ain't that right. |
|
CCP Sreegs
|
Posted - 2011.04.10 16:41:00 -
[373]
Originally by: Helicity Boson
Originally by: CCP Sreegs
my job is to determine and respond to the problem. Honestly.
I appreciate that, I'm not having a go at you as a person.
These things are some pretty damned basic security risks, and you cannot in good conscience sit there and just blankly state "your account info was not compromised" when that is only a half truth, yeah your logins were safe, but their browsers weren't.
I'd also really appreciate a devblog detailing how something THIS BASIC could go live like this. And how you are altering peer review procedures to make sure it does not happen again.
I'm not causing a ruckus because I don't like you, I'm doing so because you have let us down, yet again, but you're all still walking around with your head in the clouds of "awesome".
I want you to be the company we deserve, and you are failing.
I want us to be the company we deserve to be as well. I think perhaps where we digress a bit is that I have to deal with hard solid evidence before I have an opinion. If it does come out that script could be executed (I'm trying to sort that), then there is a chance someone could have done something malicious.
However, beyond that are logging processes which is a part of the picture you don't have. Logs allow us to do a deeper investigation into how any exploits were actually applied rather than how something theoretically could be applied.
So as I said, I get why you're mad. I get why you'd come to the conclusions you came to. I just don't believe them all to be true at this time and if I do find that script could have been executed I'll let you know that you were correct. My job isn't to make anyone look good it's to catch bad guys and deal with problems. |
|
Ban Doga
|
Posted - 2011.04.10 16:42:00 -
[374]
Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs
Edited by: CCP Sreegs on 10/04/2011 16:34:23
Originally by: Helicity Boson
Originally by: CCP Sreegs
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT*
It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
|
Elyssa MacLeod
|
Posted - 2011.04.10 16:43:00 -
[375]
Originally by: Miilla
Originally by: Tippia
Originally by: Miilla
So go make your own style sheet.
That only solves (some of) the design issues ù the functionality is still gone.
Design-wise, I could probably live with the way the forums looked with my CSS. Feature-wise, it made little difference and didn't improve on what the forums offered.
Like button withdrawals?
I see your sig got nerfed... bitter much?
----------------------------
fail leads to anger
anger leads to hate
hate leads to the dark side of MMOs |
Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
|
Posted - 2011.04.10 16:44:00 -
[376]
Originally by: CCP Sreegs
My job isn't to make anyone look good it's to catch bad guys and deal with problems.
Good, so we can look forwards to a devblog explaining exactly what changes you are going to make in your structure to make sure something so utterly moronic as not having validation on a charID number will never ever ever occur then?
Because frankly that makes me even more mad than the injection (which is also unforgivable really).
If you do that, then we have a deal.
If, instead, you guys just keep monkeying around and pretend it took 72,000 man hours to chop down an existing forum, break it's security and then reskin it. Then we're going to be having a problem.
|
|
CCP Sreegs
|
Posted - 2011.04.10 16:44:00 -
[377]
Originally by: Ban Doga
Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs
Edited by: CCP Sreegs on 10/04/2011 16:34:23
Originally by: Helicity Boson
Originally by: CCP Sreegs
There are 3 problems with your post.
A) It's premature, pending investigation but from what I recall though the signatures would allow HTML you could not execute script, which kills a lot of your assertions.
Horsedung. And you know it. Javascript and CSS were confirmed to work.
I appreciate your need to save face, but your guys made an unforgivable screwup, own up to it and instill me with the feeling you guys are deserving of our trust.
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT*
It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
I explained this. |
|
Elyssa MacLeod
|
Posted - 2011.04.10 16:46:00 -
[378]
Originally by: LtCol Laurentius
Edited by: LtCol Laurentius on 10/04/2011 14:48:57
Originally by: CCP Sreegs
We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.
I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.
It doesnt matter. The public image you have created is that you **** over the whistleblower, while claiming everything is allright.
and put their ame on the name filter like ********** - four years plus later and you STILL ban the use of his name? why is that? Isnt that a LITTLE childish guys?
----------------------------
fail leads to anger
anger leads to hate
hate leads to the dark side of MMOs |
|
CCP Sreegs
|
Posted - 2011.04.10 16:46:00 -
[379]
Originally by: Helicity Boson
Originally by: CCP Sreegs
My job isn't to make anyone look good it's to catch bad guys and deal with problems.
Good, so we can look forwards to a devblog explaining exactly what changes you are going to make in your structure to make sure something so utterly moronic as not having validation on a charID number will never ever ever occur then?
Because frankly that makes me even more mad than the injection (which is also unforgivable really).
If you do that, then we have a deal.
If, instead, you guys just keep monkeying around and pretend it took 72,000 man hours to chop down an existing forum, break it's security and then reskin it. Then we're going to be having a problem.
I don't blog about forums so lets see where the investigation takes us and we'll figure out if you have a reason to be mad at me after I've actually finished the work :) |
|
|
CCP Sreegs
|
Posted - 2011.04.10 16:47:00 -
[380]
Originally by: LtCol Laurentius
Edited by: LtCol Laurentius on 10/04/2011 14:48:57
Originally by: CCP Sreegs
We don't discuss administrative actions. At all. Ever. No matter how many times you ask, demand or otherwise say the same thing over and over and over again. Our policy is simply that we don't, and to be fair you only have access to enough information to speculate.
I'm not claiming. I'm stating outright that customer data was never at risk. We've also said there will be a blog which will detail what occurred and what was wrong.
It doesnt matter. The public image you have created is that you **** over the whistleblower, while claiming everything is allright.
If I don't talk about administrative actions I'm really not sure how I could have created an opinion about one. I'm pretty sure what you mean to say is "The public image that SOMEONE ELSE has created". |
|
Elyssa MacLeod
|
Posted - 2011.04.10 16:48:00 -
[381]
Originally by: Miilla
If you don't like it, stop paying.
No?
nice 180 there... from rabblerouser to kiss ass in .5 sec
----------------------------
fail leads to anger
anger leads to hate
hate leads to the dark side of MMOs |
Gnulpie
Minmatar
Miner Tech
|
Posted - 2011.04.10 16:48:00 -
[382]
At least that CCP Sreegs guy seems to do good work right now.
Props for that. I can imagine way better things to do than talking with angry EVE people on the forums  |
Jon Taggart
State War Academy
|
Posted - 2011.04.10 16:49:00 -
[383]
Originally by: Gnulpie
At least that CCP Sreegs guy seems to do good work right now.
Props for that. I can imagine way better things to do than talking with angry EVE people on the forums
Glutton for punishment  .
I'm not an alt |
Helicity Boson
Amarr
The Python Cartel.
The Defenders of Pen Island
|
Posted - 2011.04.10 16:50:00 -
[384]
Sean, btw, who do you think Virt was copy/pasting to you last night?
|
Grimpak
Gallente
The Whitehound Corporation
Frontline Assembly Point
|
Posted - 2011.04.10 16:51:00 -
[385]
Originally by: Jon Taggart
Originally by: Gnulpie
At least that CCP Sreegs guy seems to do good work right now.
Props for that. I can imagine way better things to do than talking with angry EVE people on the forums
Glutton for punishment .
or at the very least just trying to explain what he can to us, the angry mob.
honestly Sreegs, try to get some sleep.
---
Quote:
The more I know about humans, the more I love animals.
ain't that right. |
|
CCP Sreegs
|
Posted - 2011.04.10 16:53:00 -
[386]
Originally by: Helicity Boson
Sean, btw, who do you think Virt was copy/pasting to you last night?
I don't have Virt on any of my IMs anymore and I don't recall getting any pastes, but I'll check through my logs and see if maybe I was just stupid after sleeping 3 hours in 2 days. |
|
Ban Doga
|
Posted - 2011.04.10 16:53:00 -
[387]
Originally by: CCP Sreegs
Originally by: Ban Doga
Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs
Edited by: CCP Sreegs on 10/04/2011 16:34:23
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT*
It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
I explained this.
Originally by: CCP Sreegs
IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So are you saying you already know your investigation will show that no script could be injected or
that injecting script posed no risk to the computers of the forums users?
|
|
CCP Sreegs
|
Posted - 2011.04.10 16:55:00 -
[388]
Originally by: Ban Doga
Originally by: CCP Sreegs
Originally by: Ban Doga
Edited by: Ban Doga on 10/04/2011 16:43:28
Originally by: CCP Sreegs
Edited by: CCP Sreegs on 10/04/2011 16:34:23
If I knew it I'd say so. I'm not here to save face and I'd ask that you not continue to mischaracterize me. IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So if you aren't SURE script could not be injected how can you be SURE that there was no risk?
*EDIT*
It looks like you haven't seen everything that was injected (because then you could state that no script was injected) so you're really going out on an assumption here...
I explained this.
Originally by: CCP Sreegs
IF when we continue our investigation I find out I am wrong and you WERE actually able to inject script then I'll say so in my blog. The word from the people who checked it earlier today was that FROM MEMORY they didn't believe script could be injected.
So are you saying you already know your investigation will show that no script could be injected or
that injecting script posed no risk to the computers of the forums users?
I'm saying exactly what I said. |
|
Grimpak
Gallente
The Whitehound Corporation
Frontline Assembly Point
|
Posted - 2011.04.10 16:55:00 -
[389]
Edited by: Grimpak on 10/04/2011 16:57:15
dude, go to sleep, lol
powernap, anything. don't you have half of the staff working on this already?
---
Quote:
The more I know about humans, the more I love animals.
ain't that right. |
|
CCP Sreegs
|
Posted - 2011.04.10 16:57:00 -
[390]
Originally by: Grimpak
dude, go to sleep, lol
I slept last night like a good 7 hours. I came back in today to continue, so I'm pretty well rested actually. |
|
| |
|
| Pages: 1 2 3 4 5 6 7 8 9 10 11 12 [13] 14 15 16 17 18 19 20 .. 27 :: one page |
| First page | Previous page | Next page | Last page |