
Spyke BlackIce
Minmatar
Posted - 2011.04.12 18:37:00
[1]
Well-written blog CCP Sreegs, and the way you've been handling the responses here is admirable to put it mildly. Hopefully, your attention to this will set a precedent for the rest of CCP. Kudos to you.
What I find disturbing is that no one else involved in this fiasco (and I'm referring to the new forums as a whole here, not just the security issues) has so much as uttered a peep here or anywhere else. The person responsible for heading the webteam, the person responsible for overseeing the new forums' development and deployment, and especially, the person or persons in upper management who set and drove the timeline and deadline for the forums are all apparently content to sit back and let you take the flak that is rightfully theirs to take. The longer they hide behind you without comment, the worse it makes them look.
Since this thread is directly related to the security issues, I won't go into the overall mess that the forums were/are (a reskinned YAF forum with half of the features disabled and even using the basic editor instead of taking the time to install a more robust, freely available editor, not to mention the total disregard of the user feedback from the two public test runs). Instead, I'd like to know how a web team could make such a glaring mistake as to allow cookies with plain text IDs. As has been asked here in this thread, how in hell did that make it past the whiteboard, let alone past the actual coding, the third-party testing, and the internal audit (if it did in fact actually occur)?
I'm no code cruncher by any stretch of the imagination, but I have looked at my share of cookies and almost never is there any readable text in them let alone a user's ID. This just simply, flat out, should never have happened and is totally unacceptable no matter what the excuse. It just boggles the mind that it did happen. Is the web team made up of certifiable web developers or was the team for the forums patched together from members of other teams with specialties in other fields and a smattering of web development knowledge? If the former, they have lied about their credentials (or cheated to get them). If the latter, the person who was responsible for putting the team together in that manner needs to be replaced pronto.
There. I've let off my share of the steam and done my share of the whining. CCP Sreegs, keep up the good work. For what it's worth (which probably isn't much, admittedly) your blog and your replies in this thread have moved you to the top layer of CCP employees whom I deem trustworthy at this point in time, and that list unfortunately is getting pretty damned short.

Blog: Mortal Immortals - Pods & Footprints in the Dust
Twitter: @Spyke_BlackIce (#TweetFleet)
Facebook: facebook.com/spyke.blackice
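To make the point about plain-text IDs in cookies concrete, here is an added example (not code from the forums or from CCP) contrasting the weak scheme the post describes with the opaque session token that most sites use instead. The in-memory session store, the cookie names and the user IDs are all constructed for the example.

```python
import secrets
from typing import Optional

# Constructed in-memory session store for the example; a real deployment would
# back this with a server-side store (database, cache) and add expiry.
SESSIONS: dict = {}


def issue_plain_cookie(user_id: int) -> str:
    """Weak scheme: the cookie value is the user's ID in clear text."""
    return f"uid={user_id}"


def user_from_plain_cookie(cookie: str) -> int:
    """The server trusts whatever ID the browser sends back, so the cookie
    is the only thing standing between a visitor and another user's account."""
    return int(cookie.split("=", 1)[1])


def issue_session_cookie(user_id: int) -> str:
    """Hardened scheme: the cookie carries only an opaque random token; the
    mapping from token to user lives on the server and never leaves it."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[token] = user_id
    return f"session={token}"


def user_from_session_cookie(cookie: str) -> Optional[int]:
    """Resolve the token server-side; unknown or malformed cookies yield None."""
    try:
        name, token = cookie.split("=", 1)
    except ValueError:
        return None
    if name != "session":
        return None
    return SESSIONS.get(token)


def revoke_session_cookie(cookie: str) -> None:
    """Logout: drop the server-side mapping so the token stops resolving."""
    try:
        _, token = cookie.split("=", 1)
    except ValueError:
        return
    SESSIONS.pop(token, None)
```

The first scheme accepts any edited value without question; the second only ever resolves tokens the server itself issued, and a single server-side deletion invalidates a cookie no matter how many copies of it exist.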