CCP Zymurgist
Gallente C C P
|
Posted - 2011.04.11 22:58:00 -
[1]
As many of you know we had to temporarily take down the new forums due to some security issues. CCP Sreegs has been on the case since Friday and brings us a new dev blog talking about the current situation. You can read his blog here.
Zymurgist Community Representative CCP NA, EVE Online Contact Us |
|
Marconus Orion
S.E.G.W.A.Y.
|
Posted - 2011.04.11 23:03:00 -
[2]
First in a soon to be rage thread.
|
Akita T
Caldari Navy Volunteer Task Force
|
Posted - 2011.04.11 23:07:00 -
[3]
Edited by: Akita T on 11/04/2011 23:23:56 _
Funny (to me) translated and slightly adapted tidbit from my brother (who's a .Net/C#/whatever codemonkey)... if this is not accurate, I have no clue...
"I don't get it, how did they manage to make the signature f-up, in .Net you have the .HTMLEncode() method, and then everything is magically secure from cross-site scripting. That's all they had to do. 1 line. Also, .Net has built-in safeguards for cross site scripting, which you specifically need to disable by hand... guess what? they probably effin' did, because otherwise you couldn't enter HTML code in text boxes. HTMLEncode(), that's all they needed to do, as in, REALLY. Item.Signature.Text = HTMLEncode(Item.Signature.Text) ... or something like that, and that's it. ... from http://msdn.microsoft.com/en-us/library/w3te6wfz.aspx ... HTML encoding makes sure that text is displayed correctly in the browser and not interpreted by the browser as HTML. For example, if a text string contains a less than sign (<) or greater than sign (>), the browser would interpret these characters as the opening or closing bracket of an HTML tag. When the characters are HTML encoded, they are converted to the strings &lt; and &gt;, which causes the browser to display the less than sign and greater than sign correctly. HttpServerUtility.HtmlEncode() ..."
Well, APPARENTLY, this does not really apply, since you mention in your post that you DID (sort of) sanitize the output to SOME degree. _
Also, security issues aside (which were mistakes APPARENTLY so basic that one has to wonder if CCP even _had_ a QA team worth mentioning working on them), there were so many other issues with the new forums that it would take more than one full post to list, most of those issues having been presented in public on the previous two test runs (only to be almost completely ignored).
The new forums were in such a sorry state FROM SO MANY different viewpoints that THE MIND BOGGLES how in the world anybody at CCP could even consider NOT ONLY putting them live, BUT ALSO closing down the old forums.
And most importantly: WHY IN THE WORLD WOULD YOU NOT MIGRATE ALL POST DATA TO THE NEW FORUMS?!? Or why not let BOTH of them run for a while?
P.S. All caps were perfectly justified. I was screaming inside my head while typing them. _
CCP LEADERSHIP MENTALITY NEEDS TO CHANGE FAST ! "New junky features sell, old polished content doesn't" ? KILL IT WITH FIRE. |
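The HtmlEncode point in the quoted post, as an added illustration that is not code from this thread or from CCP's forum software: Python's html.escape stands in for .NET's HttpServerUtility.HtmlEncode, and a signature rendered through output encoding is shown beside one passed through a filter that only strips script tags. The sample signature, the post template and the helper names are constructed for the example.

```python
import html
import re

# Constructed sample signature for this example: harmless markup, a script tag,
# and characters that matter to HTML. Not taken from the forum.
SAMPLE_SIGNATURE = '<b>Fly safe</b><script>alert(1)</script> & "quotes" <3'

# Tags emitted by our own (constructed) post template; anything else in the
# rendered output must have come from user input.
TEMPLATE_TAGS = ("div", "hr")
TAG_RE = re.compile(r"<[A-Za-z/!][^>]*>")
TAG_NAME_RE = re.compile(r"</?\s*([A-Za-z0-9]+)")


def blacklist_filter(text: str) -> str:
    """Weak approach: remove <script> elements and pass the rest through as HTML.
    Anything that is not a script element stays live markup in the page."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", text)


def html_encode(text: str) -> str:
    """Output encoding: every '<', '>', '&' and quote becomes an entity, so the
    browser displays the text instead of interpreting it (the HtmlEncode idea)."""
    return html.escape(text, quote=True)


def render_post(body: str, signature: str, encoder) -> str:
    """Render a post and its signature through the chosen encoder."""
    return (f'<div class="post">{encoder(body)}<hr/>'
            f'<div class="sig">{encoder(signature)}</div></div>')


def user_supplied_tags(rendered: str) -> list:
    """Check: list every tag in the rendered page that our template did not emit."""
    leaked = []
    for m in TAG_RE.finditer(rendered):
        name = TAG_NAME_RE.match(m.group(0))
        if name is None or name.group(1).lower() not in TEMPLATE_TAGS:
            leaked.append(m.group(0))
    return leaked


if __name__ == "__main__":
    for label, enc in (("blacklist", blacklist_filter), ("html_encode", html_encode)):
        page = render_post("Hello", SAMPLE_SIGNATURE, enc)
        print(f"{label}: leaked tags = {user_supplied_tags(page)}")
```

The blacklist version still leaks the bold tags into the page (plain HTML injection, no script needed), while the encoded version leaks nothing and shows the signature as literal text.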
Marconus Orion
S.E.G.W.A.Y.
|
Posted - 2011.04.11 23:12:00 -
[4]
I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.
Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuality you should be praising them for bringing the issue to your attention and not doing bad things.
The question on everyone's mind is: when will you be unbanning them?
|
Baihuigau
Gallente The Scope
|
Posted - 2011.04.11 23:13:00 -
[5]
Edited by: Baihuigau on 11/04/2011 23:14:10 Rofl Akita, yes we already know CCP web devs need some professional development :P, not their fault CCP probably does not have an incentive program to develop their skills further. To Sreegs, that was a good blog, I agree with you in not divulging internal processes, I don't think we need absolute reproduction steps either, more of a follow up of did you whip the web dev team and slap them in the face, and if you found the fix for the new forums........ooh and tell us if multiboxing programs are allowed :P, your communication skills have improved a lot though, the one thing I didn't like is the fact no one else from CCP apologised, I mean you did but I think someone higher up should say something or we might think this all fell on deaf ears.
|
Yuki Kulotsuki
|
Posted - 2011.04.11 23:14:00 -
[6]
Quote: Hey I just wanted to let you know how much you smell terrible and also how bad your posts are.
Seems like perfectly reasonable criticism leveled at CCP Sreegs.
Other than that, good blog. -- Did you know there's an alliance whose name you're not allowed to say, or website you're not allowed to link? |
|
CCP Sreegs
|
Posted - 2011.04.11 23:15:00 -
[7]
Originally by: Marconus Orion I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.
Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuality you should be praising them for bringing the issue to your attention and not doing bad things.
The question on everyone's mind is: when will you be unbanning them?
We do not discuss administrative actions with anyone whatsoever. I can tell you that I have detailed quite clearly in the blog how to "warn" us without risking your account. I also gave a bit of insight into why it is that way. That's the only response I'm going to be able to give you on this subject. |
|
Marconus Orion
S.E.G.W.A.Y.
|
Posted - 2011.04.11 23:17:00 -
[8]
Originally by: CCP Sreegs
Originally by: Marconus Orion I know of one person you banned who tried to warn you guys. You ignored them until they showed it to your face where you could not ignore the problem any longer.
Bottom line is you killed the messenger and set the body on fire and tried to hide the ashes. In actuality you should be praising them for bringing the issue to your attention and not doing bad things.
The question on everyone's mind is: when will you be unbanning them?
We do not discuss administrative actions with anyone whatsoever. I can tell you that I have detailed quite clearly in the blog how to "warn" us without risking your account. I also gave a bit of insight into why it is that way. That's the only response I'm going to be able to give you on this subject.
Well, I guess it's a good thing we all were briefed on the proper way to file a petition regarding security issues with your forums before you released them.
Mental note: Be sure to add hugs and kisses to the bottom of all petitions to ensure said petition does not get you banned.
|
Liang Nuren
|
Posted - 2011.04.11 23:19:00 -
[9]
Interesting. Can I ask how you're rewarding the people that helped you out (Helicity Boson, for example) without exploiting the system? :)
-Liang -- Eve Forum ***** Extraordinaire On Twitter
|
Xercodo
Amarr Daj'Juntar
|
Posted - 2011.04.11 23:21:00 -
[10]
first page on a soon to be whine thread? =D
-------------------------------------------------- The drake is a lie
|
CCP Sreegs
|
Posted - 2011.04.11 23:22:00 -
[11]
Originally by: Liang Nuren Interesting. Can I ask how you're rewarding the people that helped you out (Helicity Boson, for example) without exploiting the system? :)
-Liang
I don't want to really say at this point because I don't want to appear to be establishing a system or making any promises. We'll have a program up pretty quickly and then we'll answer this particular question. |
|
Lubomir Penev
Dark Nexxus S I L E N T.
|
Posted - 2011.04.11 23:24:00 -
[12]
The best part about that dev blog: it's true, or at least we can't prove it false because the proof is now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.
|
Liang Nuren
|
Posted - 2011.04.11 23:24:00 -
[13]
Alright, well... I hope it's actually awesome. :)
-Liang -- Eve Forum ***** Extraordinaire On Twitter
|
Kerfira
Kerfira Corp
|
Posted - 2011.04.11 23:27:00 -
[14]
As expected... CCP is pretending that the only problems with the new forums were small security matters, not that the forums themselves were a serious step down in functionality, readability AND a giant step up in bandwidth use compared to the old ones...
Originally by: CCP Wrangler EVE isn't designed to just look like a cold, dark and harsh world, it's designed to be a cold, dark and harsh world.
|
CCP Sreegs
|
Posted - 2011.04.11 23:27:00 -
[15]
Originally by: Lubomir Penev The best part about that dev blog: it's true, or at least we can't prove it false because the proof is now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.
The blog never said there wasn't an audit. The blog also said you couldn't insert script. That being said, it's clear that people were able to perform actions on the forums that were not meant to be done. I'm not the kind of person to pretend I know everything. Therefore, it is only prudent to not take the worldview that everyone who isn't me is a liar, but rather that other people may have knowledge that I do not. If you have said knowledge share it. |
|
Shar Tegral
|
Posted - 2011.04.11 23:28:00 -
[16]
Originally by: CCP Sreegs That's the only response I'm going to be able to give you on this subject.
It was suitable to the occasion. Good read and thank you for it. <cracks whip> Go to bed, get some sleep, get back at it in the morning.
Wealth, howsoever got, in Eve makes Lords of morons and gentlemen of thieves; Aptitude and intellect are needless here; 'Tis impudence and money that grants fame. |
William Loire
State War Academy
|
Posted - 2011.04.11 23:28:00 -
[17]
I'm sure Catari's petition went something like this:
"CCP you're all a bunch of f**kheads. I'm in yer base killing your doods." Right?
Did he forget to add the prerequisite "speaking of which, Luv yoo, xx!"?
|
CCP Sreegs
|
Posted - 2011.04.11 23:28:00 -
[18]
Originally by: Kerfira As expected... CCP is pretending that the only problems with the new forums were small security matters, not that the forums themselves were a serious step down in functionality, readability AND a giant step up in bandwidth use compared to the old ones...
I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum. |
|
Eclorc
|
Posted - 2011.04.11 23:29:00 -
[19]
"No matter what you post it comes out as garbage" hehe, this happens with my posts all the time I think
Seriously tho, having read that threadnought over the weekend, Sreegs needs to be thanked too for his time and patience. I woulda been effing and blinding by even halfway through that lot tbh.
Returning to this forum again did feel like a homecoming... Sure the search sucks and the 2 minute timer, but it works well enough for all that, and the navigation bar at the side was noticeably missing from the new one. I'd dearly love to know how much of the root causes of problems the new one had could be attributed to .NET/ASP, and MS's insistence on job security through obscurity, rambling disjointed libraries etc. and having to write special spaghetti code to even get anything to work without a 10 year MS certification training course. Not a fan of .NET (can u tell?).
|
Jovan Geldon
Gallente Lead Farmers Kill It With Fire
|
Posted - 2011.04.11 23:29:00 -
[20]
Getting in on the ground floor in an epic nerd rage thread.
|
Kerfira
Kerfira Corp
|
Posted - 2011.04.11 23:32:00 -
[21]
Sreegs....
Say that one was to discover how to do the same thing again, i.e. inject HTML code (or scripting for that matter) into someone else's post. Or some other way of exploiting the forum (or in-game features)...
Would it be OK to do this as an EXAMPLE (non-damaging) between two of one's own characters and then pass a reference to the post(s) in any petition/mail?
Of course after the example, one shouldn't do it again...
What I'm getting at is that it is sometimes difficult to explain something like this, but utterly simple if one can exemplify it...
Originally by: CCP Wrangler EVE isn't designed to just look like a cold, dark and harsh world, it's designed to be a cold, dark and harsh world.
|
CCP Sreegs
|
Posted - 2011.04.11 23:33:00 -
[22]
Edited by: CCP Sreegs on 11/04/2011 23:34:01
Originally by: Kerfira Sreegs....
Say that one was to discover how to do the same thing again, i.e. inject HTML code (or scripting for that matter) into someone else's post. Or some other way of exploiting the forum (or in-game features)...
Would it be OK to do this as an EXAMPLE (non-damaging) between two of one's own characters and then pass a reference to the post(s) in any petition/mail?
Of course after the example, one shouldn't do it again...
What I'm getting at is that it is sometimes difficult to explain something like this, but utterly simple if one can exemplify it...
That would be precisely the right way to do it and precisely how others have.
:edit: Though one should send the reproduction steps in the email as well. :) |
|
Akita T
Caldari Navy Volunteer Task Force
|
Posted - 2011.04.11 23:34:00 -
[23]
Edited by: Akita T on 11/04/2011 23:35:57
Originally by: CCP Sreegs I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.
So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not as bad as everybody with complaints about it was claiming? ...yeah, not your department, you can't say, and if you wager a personal opinion one of your dearest appendages will get pickled or something to that extent. Right?
P.S. If your unofficial guess is "never", then please don't post a picture of a pink elephant in your reply. _
CCP LEADERSHIP MENTALITY NEEDS TO CHANGE FAST ! "New junky features sell, old polished content doesn't" ? KILL IT WITH FIRE. |
|
CCP Sreegs
|
Posted - 2011.04.11 23:35:00 -
[24]
Originally by: Akita T
Originally by: CCP Sreegs I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.
So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not as bad as everybody with complaints about it was claiming? ...yeah, not your department, you can't say, and if you wager a personal opinion one of your dearest appendages will get pickled or something to that extent. Right?
I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better? |
|
StevieTopSiders
|
Posted - 2011.04.11 23:36:00 -
[25]
Well, glad to know that you guys can react, if not prevent.
I'm more interested in something else, however. Where is the apology for lying to us?
Wait, lying, what do you speak of, Stevie?
I mean lying about the development of the forum. Supposedly, you all were building a brand new forum, completely in-house. What we see here is you all using Yet Another Forum with some sloppy patching to allow Character log-ins. Seriously? Modifying open source software with an Eve theme and slightly different log-in system is not in-house development. This is a case of blatant untruths being spoken to the community. We all deserve a formal apology. And soon.
|
Yuki Kulotsuki
|
Posted - 2011.04.11 23:37:00 -
[26]
Originally by: CCP Sreegs
Originally by: Akita T
Originally by: CCP Sreegs I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.
So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not as bad as everybody with complaints about it was claiming? ...yeah, not your department, you can't say, and if you wager a personal opinion one of your dearest appendages will get pickled or something to that extent. Right?
I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?
Totally. -- Did you know there's an alliance whose name you're not allowed to say, or website you're not allowed to link? |
Akita T
Caldari Navy Volunteer Task Force
|
Posted - 2011.04.11 23:38:00 -
[27]
Edited by: Akita T on 11/04/2011 23:38:54
Originally by: CCP Sreegs I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?
Hasn't that been the official public CCP policy for at least 2 years now ? Nah, what would make me happy is if the entire new forum code and all backups of it got lost in an accidental office fire :wink:,:wink:. _
CCP LEADERSHIP MENTALITY NEEDS TO CHANGE FAST ! "New junky features sell, old polished content doesn't" ? KILL IT WITH FIRE. |
|
CCP Sreegs
|
Posted - 2011.04.11 23:39:00 -
[28]
Originally by: Yuki Kulotsuki
Originally by: CCP Sreegs
Originally by: Akita T
Originally by: CCP Sreegs I'm afraid if you want comment on those items I'm not the person who would be communicating them. I'm a security person commenting on security matters. This isn't CCP issuing some grand declaration on all things forum. This is the security guy discussing the security problems with the forum.
So when do you think we can expect the (NON-security-related) PR damage control blog about how the new forum is actually not as bad as everybody with complaints about it was claiming? ...yeah, not your department, you can't say, and if you wager a personal opinion one of your dearest appendages will get pickled or something to that extent. Right?
I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?
Totally.
January 17th, 2015 |
|
CCP Sreegs
|
Posted - 2011.04.11 23:39:00 -
[29]
Originally by: StevieTopSiders Well, glad to know that you guys can react, if not prevent.
I'm more interested in something else, however. Where is the apology for lying to us?
Wait, lying, what do you speak of, Stevie?
I mean lying about the development of the forum. Supposedly, you all were building a brand new forum, completely in-house. What we see here is you all using Yet Another Forum with some sloppy patching to allow Character log-ins. Seriously? Modifying open source software with an Eve theme and slightly different log-in system is not in-house development. This is a case of blatant untruths being spoken to the community. We all deserve a formal apology. And soon.
I really can't comment on that as it's not my area. I'll make sure the post gets pointed out though. |
|
Sevarus James
Minmatar Meridian Dynamics
|
Posted - 2011.04.11 23:40:00 -
[30]
Originally by: Akita T Edited by: Akita T on 11/04/2011 23:38:54
Originally by: CCP Sreegs I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?
Hasn't that been the official public CCP policy for at least 2 years now ? Nah, what would make me happy is if the entire new forum code and all backups of it got lost in an accidental office fire :wink:,:wink:.
+1 to this...completely.
Updated Arch64 Compiz-Linux Desktop Who is John Galt? |