
Steve Thomas
Minmatar Sebiestor Tribe
|
Posted - 2011.04.11 16:55:00 -
[661]
Originally by: Helicity Boson
Originally by: Miilla Stable and Secure YAF has been vetted.
YAF has been around since 2003. During that time, the application has been thoroughly tested. Since the code has been freely available for 7 years, there is nothing to hide and no stone has been left unturned.
You are correct. There's nothing inherently wrong with YAF. The blame for this shameful debacle lies squarely with CCP and their incompetent gutting of a working bit of software.
I'm still not entirely sure how I feel about all this.
Terrified might be a good place to start, after all their database is also an off-the-shelf product just like YAF is. Only they customised it to work the way they wanted it to work...
which reminds me, I'm never ever going to use the IGB in EvE again. http://desusig.crumplecorn.com/sigs.html Crumplecorn's DesuSigs
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 16:57:00 -
[662]
Originally by: Steve Thomas
Originally by: Helicity Boson
Originally by: Miilla Stable and Secure YAF has been vetted.
YAF has been around since 2003. During that time, the application has been thoroughly tested. Since the code has been freely available for 7 years, there is nothing to hide and no stone has been left unturned.
You are correct. There's nothing inherently wrong with YAF. The blame for this shameful debacle lies squarely with CCP and their incompetent gutting of a working bit of software.
I'm still not entirely sure how I feel about all this.
Terrified might be a good place to start, after all their database is also an off-the-shelf product just like YAF is. Only they customised it to work the way they wanted it to work...
which reminds me, I'm never ever going to use the IGB in EvE again.
YAF being open source they could have submitted their functional changes back into the project which would also get a review.
 |

Elyssa MacLeod
|
Posted - 2011.04.11 16:57:00 -
[663]
hey Yuki Kulotsuki,
whats the alliance?
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 16:59:00 -
[664]
Originally by: Elyssa MacLeod hey Yuki Kulotsuki,
whats the alliance?
Electrified dead skunk hair Inc.
 |

Sullen Skoung
|
Posted - 2011.04.11 17:03:00 -
[665]
Originally by: Grimpak
Originally by: Akita T
Originally by: Grimpak wait, are you telling me that this the exact same ****up as on boot.ini but in a different place?
It would appear so, at least as far as signatures are concerned...
wtf, didn't they fire that guy?
no, they did with him the same as they did with T20; xferred him to a new department... Web design would be my guess ---------------------------------------- CCP Forum fail ALMOST as much fail as this: http://www.youtube.com/watch?v=hnZb5wi_jsU |

Bomberlocks
Minmatar CTRL-Q
|
Posted - 2011.04.11 17:03:00 -
[666]
Originally by: Miilla
Originally by: Bomberlocks
Originally by: Miilla
Originally by: Bomberlocks ....You are avoiding the fact that it was not only Catari who reported and petitioned bugs. I know of at least three others who did as well. Helicity, who posted earlier on in this thread is one of them. It would be most helpful if you stopped trying to put all the focus on Catari and instead stick to the issue of how the forums got released in the state they did.
You are avoiding the fact that it was Catari who EXPLOITED this for his own ego gain. He even bragged about it.
No, I am not. He did brag about it on SHC. Why he did that is something you'll have to ask him.
Now that we've got that out of the way, do you think we could go back to the problem of the forums, or would that be asking too much?
He not only bragged about it, he EXPLOITED the issue.
Stop avoiding the fact he EXPLOITED a forum bug.
There's a reason that 95% of Rens had you on block. Oh well, my fault for trying, I suppose.
|

Yuki Kulotsuki
|
Posted - 2011.04.11 17:03:00 -
[667]
Originally by: Elyssa MacLeod hey Yuki Kulotsuki,
whats the alliance?
Oh no. I'm not falling for that. You're trying to get me to do something I'm not supposed to and end up banned. ... Maybe it's ok to use the ticker... C0M -- Did you know there's an alliance whose name you're not allowed to say, or website you're not allowed to link? |

Sullen Skoung
|
Posted - 2011.04.11 17:07:00 -
[668]
Originally by: Yuki Kulotsuki
Originally by: Elyssa MacLeod hey Yuki Kulotsuki,
whats the alliance?
Oh no. I'm not falling for that. You're trying to get me to do something I'm not supposed to and end up banned. ... Maybe it's ok to use the ticker... C0M
you can get BANNED for saying an alliance's NAME?? WOW these guys are ban happy now arent they? What rule does that violate on the forums TOS or w/e again? Oh yeah, where is that blog Sreegs was writing? I looked in the info area and I dont see it; I could be blind though ---------------------------------------- CCP Forum fail ALMOST as much fail as this: http://www.youtube.com/watch?v=hnZb5wi_jsU |

Richard Aiel
Caldari FireTech Industries
|
Posted - 2011.04.11 17:08:00 -
[669]
Originally by: Sullen Skoung
Originally by: Yuki Kulotsuki
Originally by: Elyssa MacLeod hey Yuki Kulotsuki,
whats the alliance?
Oh no. I'm not falling for that. You're trying to get me to do something I'm not supposed to and end up banned. ... Maybe it's ok to use the ticker... C0M
you can get BANNED for saying an alliance's NAME?? WOW these guys are ban happy now arent they? What rule does that violate on the forums TOS or w/e again? Oh yeah, where is that blog Sreegs was writing? I looked in the info area and I dont see it; I could be blind though
I caught, no ****, a 7 day ban once for calling BoB BoD back in the day, its not a surprise really. ----------------------------------------- If you dont learn from the past you are doomed to repeat it http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1469262&page=2#51 |

Hel O'Ween
Men On A Mission
|
Posted - 2011.04.11 17:13:00 -
[670]
Originally by: Miilla
Stop avoiding the fact he EXPLOITED a forum bug.
After no action has been taken by CCP, he demonstrated the security problems. This is common practice.
I guess you call it "kidnapping" if someone hinders a thief from running away until the police arrives. -- EVEWalletAware - an offline wallet manager |
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 17:17:00 -
[671]
Originally by: Hel O'Ween
Originally by: Miilla
Stop avoiding the fact he EXPLOITED a forum bug.
After no action has been taken by CCP, he demonstrated the security problems. This is common practice.
I guess you call it "kidnapping" if someone hinders a thief from running away until the police arrives.
You should ask the customers whose accounts he exploited on the forum if they liked his "demonstration".
 |

dexington
Caldari Baconoration
|
Posted - 2011.04.11 17:22:00 -
[672]
Originally by: Hel O'Ween After no action has been taken by CCP, he demonstrated the security problems. This is common practice.
Common practice would be to wait with public disclosure, until it's confirmed that the issue is solved. Hacking into a website no matter what the reason is a crime, in most parts of the world.
|

Yuki Kulotsuki
|
Posted - 2011.04.11 17:23:00 -
[673]
Originally by: Miilla You should ask the customers whose accounts he exploited on the forum if they liked his "demonstration".
The one person he did thought it was amusing or said as much in the SHC thread. -- Did you know there's an alliance whose name you're not allowed to say, or website you're not allowed to link? |

Marcus Fey
|
Posted - 2011.04.11 17:23:00 -
[674]
Lol Miilla
Clearly you didnt bother to read the SHC thread while it was up
"exploited account" customer didn't seem that bothered to me
|

Kengutsi Akira
|
Posted - 2011.04.11 17:25:00 -
[675]
Originally by: Marcus Fey Lol Miilla
Clearly you didnt bother to read the SHC thread while it was up
"exploited account" customer didn't seem that bothered to me
You have to understand, miilla can't hear us from the white knight standpoint. "It's the PRINCIPLE. It doesn't MATTER if they cared or not." ------------------------------------ "You know, my foot oughta vandalize your ass" |

Marcus Fey
|
Posted - 2011.04.11 17:28:00 -
[676]
Originally by: Kengutsi Akira
Originally by: Marcus Fey Lol Miilla
Clearly you didnt bother to read the SHC thread while it was up
"exploited account" customer didn't seem that bothered to me
You have to understand, miilla cant hear us from the white knight standpoint. "Its the PRINCIPLE. It doesnt MATTER if they cared or not."
Hummm : Will we get a "block r@tard" function on the new forums then ? :)
|

Ix Forres
Caldari Righteous Chaps
|
Posted - 2011.04.11 17:29:00 -
[677]
Edited by: Ix Forres on 11/04/2011 17:31:05
Originally by: Miilla
Originally by: Hel O'Ween
Originally by: Miilla
Stop avoiding the fact he EXPLOITED a forum bug.
After no action has been taken by CCP, he demonstrated the security problems. This is common practice.
I guess you call it "kidnapping" if someone hinders a thief from running away until the police arrives.
You should ask the customers whose accounts he exploited on the forum if they liked his "demonstration".
I'm sure they had no real issue with it given the severity. The one other customer who had a post made from him using the exploit probably didn't mind. If that customer wants to come forward and counter my statement then fair enough.
You cannot properly perform such a security check on a forum like this without exploiting the flaw publicly. That's kind of the point. You have to be able to use the exploit to prove that it exists in order for you to report it.
The guy did this in a limited capacity to see if it worked, it did, he reported it. CCP did nothing so he demonstrated a proof of concept.
Now, when it comes to reasonable disclosure policies, that's pretty sane. The timeframe between reporting and actioning was unacceptably slow on CCP's part given the potential for naughtiness from malicious people. The severity of the flaws was massive and the implications similarly massive. A proof of concept in public to demonstrate just how massive a problem it was to the people using the forums was not only the right thing to do morally but the right thing to do for CCP. CCP was then forced to move -right then- to take the forums down, which was absolutely the right thing to do - take them down, then have a good long hard look at them, get some external help, and so on. Do that behind the scenes and test it all internally. If management forced early deployment in a broken state then that's proof to management that you needed more time. If the developers were at fault they can say they've acted in the interests of the company when their performance review comes up. This isn't rocket science.
Edit: I archived the SHC thread (and all of SHC) before it went down. http://assets.talkunafraid.co.uk/shc/viewtopic.php%3Ft=40002&start=405.html
In fact, in that thread you can see the response from the customer who was impersonated: "lol brilliant".
http://assets.talkunafraid.co.uk/shc/viewtopic.php%3Fp=1589423.html#1589423 -- Ix Forres - Used to be a third party developer, now a full-time bittervet |

Steve Thomas
Minmatar Sebiestor Tribe
|
Posted - 2011.04.11 17:32:00 -
[678]
Originally by: Erichk Knaar
Originally by: Steve Thomas
Chrome I was promptly told that it had detected and blocked suspected attacks BEFORE THE PAGE LOADED ok I may need to replace Firefox.
^^ This is good advice.
In fairness IE9 and Chrome and other new browsers were about the same and frankly I was not trying to outsmart them nor really know how to in the first place. http://desusig.crumplecorn.com/sigs.html Crumplecorn's DesuSigs
|

Zey Nadar
Gallente Unknown Soldiers Wildly Inappropriate.
|
Posted - 2011.04.11 17:36:00 -
[679]
Originally by: Miilla
YAF being open source they could have submitted their functional changes back into the project which would also get a review.
I don't know why Im responding to you, but the point is that CCP ripped off what security measures YAF HAD and tried to put in their own miserable ****-up of eve gate-integration.
|

NinjaSpud
|
Posted - 2011.04.11 17:49:00 -
[680]
Edited by: NinjaSpud on 11/04/2011 17:51:11
ok, I just skimmed through the last 20 pages of people flaming CCP for the new forums....Seriously People? You're getting that riled up about a few bugs in a forum?
One of the things I've always liked about Eve, is the kind of "help me help you" attitude CCP has towards their gamers. Think about it, after every major patch/addition to the game hasn't there always been a "We want your feedback" thread? At this very moment isn't CCP investing time, effort and money helping the players out with the bot problem? They could have ignored it, bots pay subscriptions too ya know. But they are doing something about it because the players...YOU GUYS...are asking them to.
I'm not saying the new forums are perfect, neither is CCP...they're all human. And yes, the forums had a major bug that needed to be recalled. But that's life, it happens all the time even to the biggest and the baddest. Remember Windows Vista...or ME... or the XBOX360 red ring of death... or pretty much anything Microsoft related lol. I'd like to see any professional or amateur coder here make any kind of major program that could satisfy the needs of 300,000 people.
All I'm saying is cut them some slack people, I think they're doing a pretty good job.
Originally by: Zey Nadar
hey devs, if youre reading this I want a "ignore user" option to the new forums.
I also support this 
|
|

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 17:52:00 -
[681]
Originally by: Zey Nadar Edited by: Zey Nadar on 11/04/2011 17:40:50
Originally by: Miilla
YAF being open source they could have submitted their functional changes back into the project which would also get a review.
I don't know why Im responding to you, but the point is that CCP ripped off what security measures YAF HAD and tried to put in their own miserable ****-up of eve gate-integration.
edit: hey devs, if youre reading this I want a "ignore user" option to the new forums.
Originally by: Miilla
You should ask the customers whose accounts he exploited on the forum if they liked his "demonstration".
Ironically, I believe they were CCP's.
I guess CCP didn't mind.
 |

Sullen Skoung
|
Posted - 2011.04.11 17:53:00 -
[682]
is Sreegs' blog out yet? ---------------------------------------- Whats the forum TOS violation for saying an alliance's name? |

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 17:54:00 -
[683]
Originally by: Sullen Skoung is Sreegs' blog out yet?
He's in the WC preparing it.
 |

Bomberlocks
Minmatar CTRL-Q
|
Posted - 2011.04.11 17:55:00 -
[684]
Originally by: Ix Forres ... I'm sure they had no real issue with it given the severity. The one other customer who had a post made from him using the exploit probably didn't mind. If that customer wants to come forward and counter my statement then fair enough.
You cannot properly perform such a security check on a forum like this without exploiting the flaw publicly. That's kind of the point. You have to be able to use the exploit to prove that it exists in order for you to report it.
The guy did this in a limited capacity to see if it worked, it did, he reported it. CCP did nothing so he demonstrated a proof of concept.
Now, when it comes to reasonable disclosure policies, that's pretty sane. The timeframe between reporting and actioning was unacceptably slow on CCP's part given the potential for naughtiness from malicious people. The severity of the flaws was massive and the implications similarly massive. A proof of concept in public to demonstrate just how massive a problem it was to the people using the forums was not only the right thing to do morally but the right thing to do for CCP. CCP was then forced to move -right then- to take the forums down, which was absolutely the right thing to do - take them down, then have a good long hard look at them, get some external help, and so on. Do that behind the scenes and test it all internally. If management forced early deployment in a broken state then that's proof to management that you needed more time. If the developers were at fault they can say they've acted in the interests of the company when their performance review comes up. This isn't rocket science.
Edit: I archived the SHC thread (and all of SHC) before it went down. http://assets.talkunafraid.co.uk/shc/viewtopic.php%3Ft=40002&start=405.html
In fact, in that thread you can see the response from the customer who was impersonated: "lol brilliant".
http://assets.talkunafraid.co.uk/shc/viewtopic.php%3Fp=1589423.html#1589423
Quoting because this nonsense over Cat needs to end now. It's not about Catari (or strawmen being used by trolls), it's about the vulnerability of the forums which said trolls, who apparently used to work for Microsoft, seem to want to ignore.
|

Yuki Kulotsuki
|
Posted - 2011.04.11 17:55:00 -
[685]
Originally by: NinjaSpud stuff
The errors in the forums were the kind of thing that should never make it past code review. There were feedback threads on the test set up that were ignored and the forums were pushed live. When you're adapting software that works and you make it unstable that's a problem. -- Did you know there's an alliance whose name you're not allowed to say, or website you're not allowed to link? |

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 17:57:00 -
[686]
Originally by: Yuki Kulotsuki
Originally by: NinjaSpud stuff
The errors in the forums were the kind of thing that should never make it past code review. There were feedback threads on the test set up that were ignored and the forums were pushed live. When you're adapting software that works and you make it unstable that's a problem.
It is even more of a problem when people EXPLOIT the defects for their own gain.
 |

Yuki Kulotsuki
|
Posted - 2011.04.11 17:58:00 -
[687]
Originally by: Miilla
Originally by: Sullen Skoung is Sreegs' blog out yet?
He's in the WC preparing it.
That's a bit... irrevenant.
 -- Did you know there's an alliance whose name you're not allowed to say, or website you're not allowed to link? |

Sullen Skoung
|
Posted - 2011.04.11 17:58:00 -
[688]
Edited by: Sullen Skoung on 11/04/2011 18:00:36 Edited by: Sullen Skoung on 11/04/2011 18:00:17 Edited by: Sullen Skoung on 11/04/2011 17:59:10
Originally by: Miilla
Originally by: Yuki Kulotsuki
Originally by: NinjaSpud stuff
The errors in the forums were the kind of thing that should never make it past code review. There were feedback threads on the test set up that were ignored and the forums were pushed live. When you're adapting software that works and you make it unstable that's a problem.
It is even more of a problem when people EXPLOIT the defects for their own gain.
woo, beat that dead horse
Miilla, I think it twitched, beat it again.
Originally by: Kengutsi Akira
Originally by: Marcus Fey Lol Miilla
Clearly you didnt bother to read the SHC thread while it was up
"exploited account" customer didn't seem that bothered to me
You have to understand, miilla cant hear us from the white knight standpoint. "Its the PRINCIPLE. It doesnt MATTER if they cared or not."
Originally by: Miilla
It is even more of a problem when people EXPLOIT the defects for their own gain.
see? ---------------------------------------- Whats the forum TOS violation for saying an alliance's name? |

Tippia
Sunshine and Lollipops
|
Posted - 2011.04.11 18:02:00 -
[689]
Originally by: Miilla It is even more of a problem when people EXPLOIT the defects for their own gain.
Good thing no-one did that then. --- "If you're not willing to fight for what you have in ≡v≡... you don't deserve it, and you will lose it." - Karath Piki |

Miilla
Minmatar Hulkageddon Orphanage
|
Posted - 2011.04.11 18:03:00 -
[690]
Edited by: Miilla on 11/04/2011 18:03:05
Originally by: Tippia
Originally by: Miilla It is even more of a problem when people EXPLOIT the defects for their own gain.
Good thing no-one did that then.
You're right, nothing happened. The forums just modified themselves.
 |