
dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:37:00 -
[601]
Originally by: MisterAl tt1 Trolls damage controlling CCP ? How nice.
You don't seem to understand troll culture, they are the superheroes of the internet, fighting to save the internet from people like you!
Every time too many self-righteous, too stupid to know better, angry forum warriors gather for a session of group jerking, while discussing some crackpot theory, e.g. how HTML/JavaScript injection in MMO forums is going to change the world as we know it, that's when the superhero troll emerges to try and save the internet from stupidity.
|

Hel O'Ween
Men On A Mission
|
Posted - 2011.04.11 14:37:00 -
[602]
Originally by: Miilla
Given the attitude this guy has, he probably wrote it in rage speak in the email and bug report with l33t too. I can see why it would be downgraded or ignored.
Granted, Cat isn't a trained diplomat, but he has been a helpful member of the 3rd party dev community over the years. Just check out the Tech Lab forums for his posts, before you make any wild assumptions.
And if you as a company ignore a bug report about a serious security issue because you don't like "the sound" of it, you're doing it terribly wrong. -- EVEWalletAware - an offline wallet manager |

dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:40:00 -
[603]
Originally by: Hel O'Ween
Originally by: Miilla
Given the attitude this guy has, he probably wrote it in rage speak in the email and bug report with l33t too. I can see why it would be downgraded or ignored.
Granted, Cat isn't a trained diplomat, but he has been a helpful member of the 3rd party dev community over the years. Just check out the Tech Lab forums for his posts, before you make any wild assumptions.
And if you as a company ignore a bug report about a serious security issue because you don't like "the sound" of it, you're doing it terribly wrong.
A. ****** was also a productive member of society as a youth, no one really seemed to care about that after WW2.
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 14:41:00 -
[604]
Originally by: Hel O'Ween
Originally by: Miilla
Given the attitude this guy has, he probably wrote it in rage speak in the email and bug report with l33t too. I can see why it would be downgraded or ignored.
Granted, Cat isn't a trained diplomat, but he has been a helpful member of the 3rd party dev community over the years. Just check out the Tech Lab forums for his posts, before you make any wild assumptions.
And if you as a company ignore a bug report about a serious security issue because you don't like "the sound" of it, you're doing it terribly wrong.
When you write a bug, write it clear and concise and include the impact. You don't run off in an ego tantrum and exploit it, then post to the world asking if they also want to exploit it. You just post the facts, and leave it at that.
He is not involved in the decision process, however how he presents it can influence the decision if done correctly.
 |

Tippia
Sunshine and Lollipops
|
Posted - 2011.04.11 14:43:00 -
[605]
Originally by: Miilla He did do damage, he started posting as somebody else, modifying other customers' posts and end result we were denied access to the service for a few days.
So where's the damage? ——— “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” — Karath Piki |

dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:45:00 -
[606]
Edited by: dexington on 11/04/2011 14:45:06
Originally by: Miilla When you write a bug, write it clear and concise and include the impact. You don't run off in an ego tantrum...
Finding security bugs is all about showing the other guy you know more about programming and it-tech than he does, the world needs to know when you are better than someone else.
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 14:45:00 -
[607]
Edited by: Miilla on 11/04/2011 14:45:17
Originally by: Tippia
Originally by: Miilla He did do damage, he started posting as somebody else, modifying other customers' posts and end result we were denied access to the service for a few days.
So where's the damage?
2 days inaccessible forum service we pay for, loss of confidence in our account security, damage to the reputation of the product and processes. Damage is not always measurable as money.
 |

Tippia
Sunshine and Lollipops
|
Posted - 2011.04.11 14:46:00 -
[608]
Originally by: Miilla 2 days inaccessible forum service we pay for, loss of confidence in our account security, damage to the reputation of the product and processes.
Yes, but where's the damage he did? ——— “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” — Karath Piki |

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 14:48:00 -
[609]
Originally by: dexington Edited by: dexington on 11/04/2011 14:45:06
Originally by: Miilla When you write a bug, write it clear and concise and include the impact. You don't run off in an ego tantrum...
Finding security bugs is all about showing the other guy you know more about programming and it-tech than he does, the world needs to know when you are better than someone else.
That is why those people never make management or lead positions as they cannot handle the decision process and lack maturity in the thinking. The higher up you go the more it becomes less a technical decision and more a business decision. Learn that and you will go far otherwise you end up sitting in your cage competing with students (cheaper and work longer hours). True fact of employment.
 |

Valator Uel
Caldari Mercenaries of Andosia Northern Coalition.
|
Posted - 2011.04.11 14:48:00 -
[610]
Originally by: Miilla Edited by: Miilla on 11/04/2011 14:45:17
Originally by: Tippia
Originally by: Miilla He did do damage, he started posting as somebody else, modifying other customers' posts and end result we were denied access to the service for a few days.
So where's the damage?
2 days inaccessible forum service we pay for, loss of confidence in our account security, damage to the reputation of the product and processes. Damage is not always measurable as money.
And whose fault is it? Had CCP done their job, he wouldn't have had to.
------------------ empty sig |
|

Yuki Kulotsuki
|
Posted - 2011.04.11 14:50:00 -
[611]
Originally by: Miilla 2 days inaccessible forum service we pay for, loss of confidence in our account security, damage to the reputation of the product and processes. Damage is not always measurable as money.
CCP did that themselves and should have REGARDLESS of "hack" posting. Your so-called damage is reasonable reaction to shipping a vulnerable product that puts customers at risk. Proof of concept posting simply made it so that it could not be ignored which is a good thing. Ignoring such issues is willfully negligent. -- Did you know there's an alliance whose name you're not allowed to say, or website you're not allowed to link? |

Calathea Sata
State War Academy
|
Posted - 2011.04.11 14:50:00 -
[612]
It is all CCP's fault. They know this themselves so they put down their new creation for good.
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 14:51:00 -
[613]
Pay me 10 plex and I will change sides :)
 |

dexington
Caldari Baconoration
|
Posted - 2011.04.11 14:52:00 -
[614]
Edited by: dexington on 11/04/2011 14:52:10
Originally by: Miilla That is why those people never make management or lead positions as they cannot handle the decision process and lack maturity in the thinking. The higher up you go the more it becomes less a technical decision and more a business decision. Learn that and you will go far otherwise you end up sitting in your cage competing with students (cheaper and work longer hours). True fact of employment.
You make it sound like that's a bad thing, you can easily get a salary where money is not a big deal without being in management, and you don't have to do the meeting and the hierarchical butt kissing... not being in management is win/win.
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 14:55:00 -
[615]
Originally by: dexington Edited by: dexington on 11/04/2011 14:52:10
Originally by: Miilla That is why those people never make management or lead positions as they cannot handle the decision process and lack maturity in the thinking. The higher up you go the more it becomes less a technical decision and more a business decision. Learn that and you will go far otherwise you end up sitting in your cage competing with students (cheaper and work longer hours). True fact of employment.
You make it sound like that's a bad thing, you can easily get a salary where money is not a big deal without being in management, and you don't have to do the meeting and the hierarchical butt kissing... not being in management is win/win.
Still being in a lead role also means you have to factor in business decisions which are inherently non-technically influenced and you have to at the end of the day, accept the decision made and 99% of those decisions have very good business reasons for not doing A or B when you think about it and you have to then execute that decision, a lot of rage boy engineers cannot do that and keep ranting oh but that's not right yes they're right, from an engineer perspective, but that's not the perspective the decision was taken with (well that was factored in of course), I've seen it first hand.
 |

Zey Nadar
Gallente Unknown Soldiers Wildly Inappropriate.
|
Posted - 2011.04.11 15:01:00 -
[616]
Originally by: Miilla
There is no reason to go exploit the bug to deny us all the service we pay for. That is a no no. Shout all he wants publicly, that's what whistleblowers do. End of story.
Given the attitude this guy has, he probably wrote it in rage speak in the email and bug report with l33t too. I can see why it would be downgraded or ignored. He crossed the line.
The new forums put every user who browsed those forums at risk. People could inject any malicious code they wanted into the signatures, including code that defines how the page looks. So they could have in practise added something extra to the forums which would have made unaware users log in again and give out their login credentials etc to the hackers. The forums should have been pulled down at first light. They were a banal mockery of online security. The guy in question did what he did to force a response and I'm happy that he did.
Check eve news site for an article that explains in more detail what was open.
|

LtCol Laurentius
Zor Industries
|
Posted - 2011.04.11 15:03:00 -
[617]
Originally by: Miilla He took advantage of his bug and used it to post as other people and gain moderator privileges and also modifying other customers' posts, that is exploiting.
Even using YOUR own definition, he exploited a bug in the forums (not a game) and elevated his privileges against the intent by the designers as is injecting formatting and markup, changing the content of the intended design by the designers.
Exploit is exploited.
It's not my definition, it's Wikipedia's. But sorry no, I don't buy it. After CCP did a ****poor job converting an open source forum for their own use, and then utterly failing to heed feedback during testing, they rolled out a product with such basic security flaws that would make a high school student blush. So he SHOWED THEM what they had done. Sometimes, when people just don't want to listen, that's what you do. He didn't gain any advantage from it (if you don't count him getting banned an advantage). He is not an exploiter, he is a whistleblower. But by all means, don't let me stop you sucking CCP's ****, because you seem to be really really good at it.
|

Niraia
Zaratha Zarati Shaktipat Revelators
|
Posted - 2011.04.11 15:06:00 -
[618]
Originally by: Miilla
Originally by: dexington Edited by: dexington on 11/04/2011 14:52:10
Originally by: Miilla That is why those people never make management or lead positions as they cannot handle the decision process and lack maturity in the thinking. The higher up you go the more it becomes less a technical decision and more a business decision. Learn that and you will go far otherwise you end up sitting in your cage competing with students (cheaper and work longer hours). True fact of employment.
You make it sound like that's a bad thing, you can easily get a salary where money is not a big deal without being in management, and you don't have to do the meeting and the hierarchical butt kissing... not being in management is win/win.
Still being in a lead role also means you have to factor in business decisions which are inherently non-technically influenced and you have to at the end of the day, accept the decision made and 99% of those decisions have very good business reasons for not doing A or B when you think about it and you have to then execute that decision, a lot of rage boy engineers cannot do that and keep ranting oh but that's not right yes they're right, from an engineer perspective, but that's not the perspective the decision was taken with (well that was factored in of course), I've seen it first hand.
I'm trying to figure out what the business reasons for releasing a forum replacement that wasn't tested for security are, but I can't.
I see it like this: Best case, company is seen to be doing something productive. Worst/this case, customers lose faith in company, company loses customers.
What am I missing, from my naive engineering perspective? -
shipsofeve.com eohpoker.com sanshasnation.net
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 15:09:00 -
[619]
Originally by: Niraia
Originally by: Miilla
Originally by: dexington Edited by: dexington on 11/04/2011 14:52:10
Originally by: Miilla That is why those people never make management or lead positions as they cannot handle the decision process and lack maturity in the thinking. The higher up you go the more it becomes less a technical decision and more a business decision. Learn that and you will go far otherwise you end up sitting in your cage competing with students (cheaper and work longer hours). True fact of employment.
You make it sound like that's a bad thing, you can easily get a salary where money is not a big deal without being in management, and you don't have to do the meeting and the hierarchical butt kissing... not being in management is win/win.
Still being in a lead role also means you have to factor in business decisions which are inherently non-technically influenced and you have to at the end of the day, accept the decision made and 99% of those decisions have very good business reasons for not doing A or B when you think about it and you have to then execute that decision, a lot of rage boy engineers cannot do that and keep ranting oh but that's not right yes they're right, from an engineer perspective, but that's not the perspective the decision was taken with (well that was factored in of course), I've seen it first hand.
I'm trying to figure out what the business reasons for releasing a forum replacement that wasn't tested for security are, but I can't.
I see it like this: Best case, company is seen to be doing something productive. Worst/this case, customers lose faith in company, company loses customers.
What am I missing, from my naive engineering perspective?
It probably was evaluated for security. Saying it was not is just naive. Most processes have a threat model.
 |

Tippia
Sunshine and Lollipops
|
Posted - 2011.04.11 15:12:00 -
[620]
Edited by: Tippia on 11/04/2011 15:12:11
Originally by: Miilla It probably was evaluated for security. Saying it was not is just naive. Most processes have a threat model.
…and yet the most common threat imaginable was not found.
So either the process was deeply flawed (and shouldn't exist in its current incarnation) or it already didn't exist. The effect is much the same. ——— “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” — Karath Piki |
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 15:13:00 -
[621]
Originally by: Tippia
Originally by: Miilla It probably was evaluated for security. Saying it was not is just naive. Most processes have a threat model.
…and yet the most common threat imaginable was not found.
So either the process was deeply flawed (and shouldn't exist in its current incarnation) or it already didn't exist. The effect is much the same.
Or perhaps it wasn't reported correctly which resulted in a breakdown of communication, that seems one factor here. I would love to see his report on this but I didn't; all I saw was him exploiting it. Bad news.
 |

dexington
Caldari Baconoration
|
Posted - 2011.04.11 15:13:00 -
[622]
Originally by: Niraia
I'm trying to figure out what the business reasons for releasing a forum replacement that wasn't tested for security are, but I can't.
Maybe they were behind schedule, and then asked if they were ready to deploy someone took a chance and said yes. It's always the last 10% that takes 90% of the time, it's so much easier to do the last changes/fixes when you have user feedback/test data from a running system, someone probably believed the last fixes and changes could be applied to the deployed system. Probably would even have been a good idea, had it not been security issues they needed to fix.
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 15:15:00 -
[623]
Originally by: dexington
Originally by: Niraia
I'm trying to figure out what the business reasons for releasing a forum replacement that wasn't tested for security are, but I can't.
Maybe they were behind schedule, and then asked if they were ready to deploy someone took a chance and said yes. It's always the last 10% that takes 90% of the time, it's so much easier to do the last changes/fixes when you have user feedback/test data from a running system, someone probably believed the last fixes and changes could be applied to the deployed system. Probably would even have been a good idea, had it not been security issues they needed to fix.
Bingo, DATE DRIVEN. Most businesses are date driven, when do we deliver this to market, when does this go live? How can you plan a business without dates? Especially in a competitive world where you don't have the luxury of "when it's ready" or perhaps you already committed to this date by communicating it and then you have to run with it.
 |

Tippia
Sunshine and Lollipops
|
Posted - 2011.04.11 15:16:00 -
[624]
Edited by: Tippia on 11/04/2011 15:17:07
Originally by: Miilla Or perhaps it wasn't reported correctly which resulted in a breakdown of communication, that seems one factor here. I would love to see his report on this but I didn't; all I saw was him exploiting it. Bad news.
Now you're mixing two completely different processes.
I'm talking about the security evaluation; you're talking about what happened because no such evaluation took place (while at the same time saying that it did, even though, as mentioned, the effect of any such evaluation was the same as if there was none). ——— “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” — Karath Piki |

Niraia
Zaratha Zarati Shaktipat Revelators
|
Posted - 2011.04.11 15:17:00 -
[625]
Originally by: Miilla stuff
You aren't going to answer the question, though?
Assume that it was evaluated, and replace my assumption of a lack of evaluation with that of a failure in evaluation, if it helps.
-
shipsofeve.com eohpoker.com sanshasnation.net
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 15:18:00 -
[626]
Originally by: Tippia
Originally by: Miilla Or perhaps it wasn't reported correctly which resulted in a breakdown of communication, that seems one factor here. I would love to see his report on this but I didn't; all I saw was him exploiting it. Bad news.
Now you're mixing two completely different processes.
I'm talking about the security evaluation; you're talking about what happened because no such evaluation took place.
So what you're saying is, we're both guessing. Like everybody else, all acting experts and claiming to know what happened and why, guessing and blame raging.
Right? I know I am, just as you are.
 |

William Henry McGregor
|
Posted - 2011.04.11 15:19:00 -
[627]
Originally by: Miilla It probably was evaluated for security. Saying it was not is just naive. Most processes have a threat model.
Your belief - I don't buy it, no one does!
The "new and shiny" forum was "Broken by Design"(TM) - there was absolutely no QA. Everyone with a functioning brain could see it.
Well, the reason behind this new forum is simple: CCP wants all of us forced into SpaceBook! Something no sane person ever wanted.
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 15:21:00 -
[628]
Originally by: William Henry McGregor
Originally by: Miilla It probably was evaluated for security. Saying it was not is just naive. Most processes have a threat model.
Your belief - I don't buy it, no one does!
The "new and shiny" forum was "Broken by Design"(TM) - there was absolutely no QA. Everyone with a functioning brain could see it.
Well, the reason behind this new forum is simple: CCP wants all of us forced into SpaceBook! Something no sane person ever wanted.
You're right no sane person wants to be social or be able to single sign on to their service and no sane person wants to read their eve mail without logging onto eve client, right? No sane company wants to integrate their own service seamlessly.
 |

Zey Nadar
Gallente Unknown Soldiers Wildly Inappropriate.
|
Posted - 2011.04.11 15:22:00 -
[629]
Edited by: Zey Nadar on 11/04/2011 15:22:28
Originally by: Miilla LALALALALALALA
Jeez dude, get a grip. If you want us to stop posting, why are you yourself still posting?
edit: Actually I don't think you're a guy, only girls are this stubborn.
|

Tippia
Sunshine and Lollipops
|
Posted - 2011.04.11 15:23:00 -
[630]
Originally by: Miilla So what you're saying is, we're both guessing.
No, what I'm saying is that you can't call people naïve for saying that no security evaluation when the one solid fact we have is the end result had a security hole so huge that "no security evaluation" — be it in practice or by active choice — is the only reasonable explanation. ——— “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” — Karath Piki |