Dave Day
|
Posted - 2006.01.07 00:39:00 -
[1]
Firstly - Hats off to CCP for quickly and effectively holding back the servers and resetting passwords for those users who they think may have been hacked...I applaud your efforts......BUT
Can you please explain to me just why you had to do this in the first place? Frankly, I'm more than a little worried. My PW is secure, I don't answer phishing mails, My Firewall is up to date and all three ( Yes, three ) of my Anti Virus programs are current. I run a full scan with them weekly and my system is clean.
It's clear that there has been a breach of security on CCP's side of things, there is no other possible explanation for this knee-jerk reaction of the mass resetting of passwords.
Sure, my bank details are mercifully protected. However, if my PW were hacked (And CCP clearly think this is a possibility or they would not be taking these precautions) My name and address are clearly viewable from the ''My account'' section of this site.
This is quite clearly in breach of the Data Protection Act. I have provided this information to CCP and EXPECT THAT IT WILL BE KEPT SECURE. CCP have a LEGAL RESPONSIBILITY to keep my information secure. HOW HAS THIS BEEN COMPROMISED AND TO WHAT EXTENT?
Personally, I would at least like the Community Relationship Manager (That's you, Kieron) to come on these forums and explain to your paying customers what has happened and to what extent CCP may have compromised their legal responsibilities to their paying customers.
And please, I'm not talking personal opinions or forum rules here....I'm discussing the Data protection act and my rights as a consumer. Please discharge your legal responsibilities to me and explain to me to what extent my information may have been compromised.
Thank You
|
Lori Carlyle
|
Posted - 2006.01.07 00:43:00 -
[2]
from how i understand the DPA. You got a point there!... 400x120@24000 bytes max please. -Capsicum |
Mr Feltcher
|
Posted - 2006.01.07 00:49:00 -
[3]
Edited by: Mr Feltcher on 07/01/2006 00:52:45
Edited by: Mr Feltcher on 07/01/2006 00:50:23
I am in agreement here as well. For those of us that cannot reset our own passwords due to email addresses being invalid while we know they are not, suggests we have had accounts hacked. If an email address could have been changed, who knows what else they have done or plan to do. And if in fact we HAVE had an account hacked, resetting the pw will do no good whatsoever as the new pw will go right to the email address of the person who changed it, meaning I have lost an account, which I am still paying for till I cancel my debit card, and all my personal details are there too.
This is not a whine, I am genuinely concerned about this and despite my best efforts since approx 4 pm GMT I have not heard a single word from anyone from CCP on this matter....
I myself am considering seeking legal advice on this... |
KIAPieman
|
Posted - 2006.01.07 00:55:00 -
[4]
the data protection act is there to safeguard your information from being intentionally released by the holding company. there is also legislation regarding the security of the said information as well.
BUT HARPING ON ABOUT IT DOES NOTHING, THIS WASN'T AN INTENTIONAL BREACH BY CCP.
there is no such thing as a 100% secure database on a computer, with enough time a hacker will gain access. think on a bit, those compromised accounts could have all been the property of people who have no concept on why a password should be secure and as a result were easily hackable.
be thankful that ccp have done all the action they can to safeguard this situation, but you are going on the premise that they are in the wrong when it could be the fact that all 57 accounts were hacked due to negligence on the account holder part, or could have been compromised by keyloggers etc. -------------------------------------------------- BNC + KIA = The Ultimate Drunken Retard
|
My grandfather
|
Posted - 2006.01.07 00:59:00 -
[5]
Originally by: KIAPieman the data protection act is there to safeguard your information from being intentionally released by the holding company. there is also legislation regarding the security of the said information as well.
BUT HARPING ON ABOUT IT DOES NOTHING, THIS WASN'T AN INTENTIONAL BREACH BY CCP.
there is no such thing as a 100% secure database on a computer, with enough time a hacker will gain access. think on a bit, those compromised accounts could have all been the property of people who have no concept on why a password should be secure and as a result were easily hackable.
be thankful that ccp have done all the action they can to safeguard this situation, but you are going on the premise that they are in the wrong when it could be the fact that all 57 accounts were hacked due to negligence on the account holder part, or could have been compromised by keyloggers etc.
Very true. If you want a 100% secure protection of your personal data, go change your name and live somewhere in the middle of the rainforest or something. And then still...
CCP would never intentionally hand out info, and they handled this situation exceptionally well.
Originally by: Imaran
*cli.. .... nahhhh.
|
Vishnej
|
Posted - 2006.01.07 01:02:00 -
[6]
Edited by: Vishnej on 07/01/2006 01:04:16
Originally by: My grandfather
Originally by: KIAPieman the data protection act is there to safeguard your information from being intentionally released by the holding company. there is also legislation regarding the security of the said information as well.
BUT HARPING ON ABOUT IT DOES NOTHING, THIS WASN'T AN INTENTIONAL BREACH BY CCP.
there is no such thing as a 100% secure database on a computer, with enough time a hacker will gain access. think on a bit, those compromised accounts could have all been the property of people who have no concept on why a password should be secure and as a result were easily hackable.
be thankful that ccp have done all the action they can to safeguard this situation, but you are going on the premise that they are in the wrong when it could be the fact that all 57 accounts were hacked due to negligence on the account holder part, or could have been compromised by keyloggers etc.
Very true. If you want a 100% secure protection of your personal data, go change your name and live somewhere in the middle of the rainforest or something. And then still...
CCP would never intentionally hand out info, and they handled this situation exceptionally well.
We Know Where You Live
|
Maya Rkell
|
Posted - 2006.01.07 01:04:00 -
[7]
Originally by: My grandfather CCP would never intentionally hand out info, and they handled this situation exceptionally well.
They sent out a password to my account to me, in plain text.
This alone is bluntly NOT good.
Warning: above post may contain traces of sarcasm. "Corpse cannot be fitted onto ship. Only hardware modules can be fitted." |
Embattle
|
Posted - 2006.01.07 01:06:00 -
[8]
So you would like him to come on here and explain a possible exploit or something which they might not have fixed yet.....now to me that wouldn't be the smartest thing to do. ----------- STFU Macromoaners |
KIAPieman
|
Posted - 2006.01.07 01:07:00 -
[9]
Originally by: Maya Rkell
Originally by: My grandfather CCP would never intentionally hand out info, and they handled this situation exceptionally well.
They sent out a password to my account to me, in plain text.
This alone is bluntly NOT good.
they also warned you that they had done this and said to change it immediately.
what do you want them to do, send smoke signals? -------------------------------------------------- BNC + KIA = The Ultimate Drunken Retard
|
SengH
|
Posted - 2006.01.07 01:08:00 -
[10]
Edited by: SengH on 07/01/2006 01:11:00
Your computer doesn't need to be connected to any network for anyone to monitor it if they want to. Look up TEMPEST Hardened systems and why TEMPEST hardening is needed for ultrasecure systems. Given any electronic device, if the need to get the data is critical enough, you CAN monitor remotely what a given user is doing on it.
Edit: OFC you could store all the data within a faraday cage but given CCP's finances are that of a small game company not the NSA. I don't think any of us expect them to do that.
|
|
Embattle
|
Posted - 2006.01.07 01:08:00 -
[11]
Would be fun trying to do smoke signals...esp from Iceland ----------- STFU Macromoaners |
Dave Day
|
Posted - 2006.01.07 01:11:00 -
[12]
Originally by: KIAPieman the data protection act is there to safeguard your information from being intentionally released by the holding company. there is also legislation regarding the security of the said information as well.
BUT HARPING ON ABOUT IT DOES NOTHING, THIS WASN'T AN INTENTIONAL BREACH BY CCP.
there is no such thing as a 100% secure database on a computer, with enough time a hacker will gain access. think on a bit, those compromised accounts could have all been the property of people who have no concept on why a password should be secure and as a result were easily hackable.
be thankful that ccp have done all the action they can to safeguard this situation, but you are going on the premise that they are in the wrong when it could be the fact that all 57 accounts were hacked due to negligence on the account holder part, or could have been compromised by keyloggers etc.
Possibly true, though the sheer scale of the response from CCP would indicate that there has been a serious security breach of the information they hold.
The Data Protection Act is quite clear in this respect, it is the responsibility of the holders of the information to ensure that it is held securely. CCP have either been actually hacked or at the very least fear for the security of their information enough to embark upon this large scale password changing exercise. Even if we assume the latter then clearly our information is at a very real risk and an explanation is called for.
Of course it isn't an intentional breach by CCP, and I'm not ''Harping on '' about it. Let's keep factual, now. If I disclose personal information to a third party (CCP) then that third party (CCP) is obliged BY LAW to maintain the security of my information. Sure, If they have been hacked I sympathise, but I need a better explanation than ''Didn't we do well, we changed your PW and protected you'' My question is, how did you get hacked in the first place and why has the personal data which I provided you with been possibly compromised?
|
Embattle
|
Posted - 2006.01.07 01:15:00 -
[13]
Edited by: Embattle on 07/01/2006 01:16:30 You'll never know the exact details so tough ****
PS Didn't realise Iceland was bound by the DPA. ----------- STFU Macromoaners |
SkaffenAmtiskaw
|
Posted - 2006.01.07 01:15:00 -
[14]
Originally by: Maya Rkell They sent out a password for my account to me, in plain text.
This alone is bluntly NOT good.
What do you suggest - that CCP require everyone to fly over to Reykjavik and form an orderly queue outside CCP HQ with passport, birth certificate and a photo signed by a priest, then wait a week for the DNA profiling to confirm your ID? ______
|
KIAPieman
|
Posted - 2006.01.07 01:20:00 -
[15]
Edited by: KIAPieman on 07/01/2006 01:21:38
Originally by: Dave Day
Originally by: KIAPieman the data protection act is there to safeguard your information from being intentionally released by the holding company. there is also legislation regarding the security of the said information as well.
BUT HARPING ON ABOUT IT DOES NOTHING, THIS WASN'T AN INTENTIONAL BREACH BY CCP.
there is no such thing as a 100% secure database on a computer, with enough time a hacker will gain access. think on a bit, those compromised accounts could have all been the property of people who have no concept on why a password should be secure and as a result were easily hackable.
be thankful that ccp have done all the action they can to safeguard this situation, but you are going on the premise that they are in the wrong when it could be the fact that all 57 accounts were hacked due to negligence on the account holder part, or could have been compromised by keyloggers etc.
Possibly true, though the sheer scale of the response from CCP would indicate that there has been a serious security breach of the information they hold.
The Data Protection Act is quite clear in this respect, it is the responsibility of the holders of the information to ensure that it is held securely. CCP have either been actually hacked or at the very least fear for the security of their information enough to embark upon this large scale password changing exercise. Even if we assume the latter then clearly our information is at a very real risk and an explanation is called for.
Of course it isn't an intentional breach by CCP, and I'm not ''Harping on '' about it. Let's keep factual, now. If I disclose personal information to a third party (CCP) then that third party (CCP) is obliged BY LAW to maintain the security of my information. Sure, If they have been hacked I sympathise, but I need a better explanation than ''Didn't we do well, we changed your PW and protected you'' My question is, how did you get hacked in the first place and why has the personal data which I provided you with been possibly compromised?
whenever a computer system or network in the past has been hacked by a 3rd party i can't think of one case where the company that was hacked was held accountable.
if it turns out to be a CCP employee doing it then the company as a whole and the individual is responsible. if it is a result of (and what i believe it to be is) a keylogger, then there is little if no action that can be taken against ccp, only the perpetrators.
i think that a lot of people are thinking that this is a huge hack against the CCP database, but if that is the case, then a hell of a lot more than 57 accounts will have been affected.
chances are this is a malicious griefer who is taking advantage of the massive security holes in xp atm and used it to gain account logins. -------------------------------------------------- BNC + KIA = The Ultimate Drunken Retard
|
Gunstar Zero
|
Posted - 2006.01.07 01:20:00 -
[16]
Originally by: SkaffenAmtiskaw
Originally by: Maya Rkell They sent out a password for my account to me, in plain text.
This alone is bluntly NOT good.
What do you suggest - that CCP require everyone to fly over to Reykjavik and form an orderly queue outside CCP HQ with passport, birth certificate and a photo signed by a priest, then wait a week for the DNA profiling to confirm your ID?
If that account had one of (if not the) best inty pilot in the game it's probably necessary.
|
dimensionZ
|
Posted - 2006.01.07 01:21:00 -
[17]
Originally by: Gunstar Zero
Originally by: SkaffenAmtiskaw
Originally by: Maya Rkell They sent out a password for my account to me, in plain text.
This alone is bluntly NOT good.
What do you suggest - that CCP require everyone to fly over to Reykjavik and form an orderly queue outside CCP HQ with passport, birth certificate and a photo signed by a priest, then wait a week for the DNA profiling to confirm your ID?
If that account had one of (if not the) best inty pilot in the game it's probably necessary.
Maybe they should note the password?
----------------------------------------
|
Prof Bob
|
Posted - 2006.01.07 01:21:00 -
[18]
Originally by: Maya Rkell Edited by: Maya Rkell on 07/01/2006 01:06:52
Originally by: My grandfather CCP would never intentionally hand out info, and they handled this situation exceptionally well.
They sent out a password for my account to me, in plain text.
This alone is bluntly NOT good.
What do you want them to use? ESP and tin-foil parabolic dishes to catch the signals?
|
KIAPieman
|
Posted - 2006.01.07 01:21:00 -
[19]
Originally by: Embattle Edited by: Embattle on 07/01/2006 01:16:30 You'll never know the exact details so tough ****
PS Didn't realise Iceland was bound by the DPA.
it depends on where the account info is held, if it's on the london servers then yes.
if in iceland then no. -------------------------------------------------- BNC + KIA = The Ultimate Drunken Retard
|
Dave Day
|
Posted - 2006.01.07 01:23:00 -
[20]
Originally by: Embattle Edited by: Embattle on 07/01/2006 01:16:30 You'll never know the exact details so tough ****
PS Didn't realise Iceland was bound by the DPA.
Ahhh....God bless the mature players. ''Tough ****'' makes it all OK I suppose? People like you are exactly the reason why a company that you entrust your security to can say ''Sorry, we got hacked and you're ****** but thanks for the subscription fees these last couple of years''
And yes, Iceland is bound by the terms of the Data Protection Act.
|
|
SkaffenAmtiskaw
|
Posted - 2006.01.07 01:23:00 -
[21]
Originally by: Gunstar Zero
Originally by: SkaffenAmtiskaw
Originally by: Maya Rkell They sent out a password for my account to me, in plain text.
This alone is bluntly NOT good.
What do you suggest - that CCP require everyone to fly over to Reykjavik and form an orderly queue outside CCP HQ with passport, birth certificate and a photo signed by a priest, then wait a week for the DNA profiling to confirm your ID?
If that account had one of (if not the) best inty pilot in the game it's probably necessary.
Noted. ______
|
Embattle
|
Posted - 2006.01.07 01:24:00 -
[22]
Edited by: Embattle on 07/01/2006 01:25:02
I do think some people are blowing this up Hot air balloon style, I'm sure some more information or some sort of blog will be provided at a later date.
BTW Thanks Pie....thats what I thought. ----------- STFU Macromoaners |
Zenst
|
Posted - 2006.01.07 01:26:00 -
[23]
Originally by: SengH Edited by: SengH on 07/01/2006 01:11:00 Your computer doesn't need to be connected to any network for anyone to monitor it if they want to. Look up TEMPEST Hardened systems and why TEMPEST hardening is needed for ultrasecure systems. Given any electronic device, if the need to get the data is critical enough, you CAN monitor remotely what a given user is doing on it.
Edit: OFC you could store all the data within a faraday cage but given CCP's finances are that of a small game company not the NSA. I don't think any of us expect them to do that.
I replaced my LCD monitor to test this and was able to glean that my password was ***** using tempest. I then got lots and lots of monitors and attached them to the servers and made them display passwords and account details, coz I had to turn all fluorescent lights off and unshield the room which was located inside a colo with A LOT of other computers and monitors. I then removed the HDs out of the case but alas TEMPEST was unable to read them =D.
Having done this and knowing it was secure I then attached it all to the internet with an operating system that has been fully patched knowing that there will be no more patches as there are no more security holes to be found =D.
Only secure computer is an off computer - FACT.
|
Zuma Vain
|
Posted - 2006.01.07 01:33:00 -
[24]
Well some might be all right with this but I sure ain't... OK, I have a couple of accounts which I can't get back into since it's on a company I used to work at and now I can't access it 'cause no one knows the email addy... except one person and he ain't reachable for the next generation since he kinda passed away, and now I can't enter 5 accounts I got so I'm kinda lost... and I know that CCP have banned for changing email addys have happened before and now I can't access these accounts. Personally I can't think it's really fair at all
gotta call ya now ccp ... thankfully im icelandic ..
bloody f*ck
|
Coranor
|
Posted - 2006.01.07 01:33:00 -
[25]
They'd be subject to the uk dpa because the actual data is stored in london. --------------
|
Nyphur
|
Posted - 2006.01.07 01:33:00 -
[26]
Originally by: KIAPieman Edited by: KIAPieman on 07/01/2006 01:30:56
Originally by: SkaffenAmtiskaw
Originally by: Dave Day And yes, Iceland is bound by the terms of the Data Protection Act.
You sure? The data on the game servers, yes, given they are in London, but there's no obvious reason why Iceland should be bound by a UK law is there? (and Oveur hinted that the game cluster doesn't hold the billing info, so that might be out of the DPA's reach too)
(n.b. there may be some local law I'm not aware of )
there's the european DPA as well, but I'm not sure if the terms are the exact same as the UK one.
Also, there is an international version.
|
Dave Day
|
Posted - 2006.01.07 01:33:00 -
[27]
Edited by: Dave Day on 07/01/2006 01:35:08
Originally by: SkaffenAmtiskaw
Originally by: Dave Day And yes, Iceland is bound by the terms of the Data Protection Act.
You sure? The data on the game servers, yes, given they are in London, but there's no obvious reason why Iceland should be bound by a UK law is there? (and Oveur hinted that the game cluster doesn't hold the billing info, so that might be out of the DPA's reach too)
(n.b. there may be some local law I'm not aware of )
I'm very sure...The Data Protection Act 1998 For the EEA (European Economic Area) came into effect on 1 March 2000. The European Economic Area is the EU plus Norway, Iceland and Liechtenstein ...
|
SkaffenAmtiskaw
|
Posted - 2006.01.07 01:33:00 -
[28]
Originally by: Embattle Think the European DPA covers European Economic Area which includes Iceland.........although I should just point out I feel like we might be having a bad case of analitus coming on
Discussing things in order to increase one's understanding of a topic on the forums? It'll never catch on... ______
|
Zenst
|
Posted - 2006.01.07 01:33:00 -
[29]
Originally by: Prof Bob
Originally by: Zenst
Originally by: SengH Edited by: SengH on 07/01/2006 01:11:00 Y<SNIP>
Only secure computer is an off computer - FACT.
Or one wrapped in tin-foil! You know I'm right.
Actually the tinfoil will act as an antenna and boost the signals /me points and laughs at teh tinfoil hat mobs.
|
KIAPieman
|
Posted - 2006.01.07 01:33:00 -
[30]
the main use (and the reason for its creation) is to stop companies making money off your personal info.
without the DPA they could sell your info to the highest bidder.
anything else on it seems to be like an afterthought. -------------------------------------------------- BNC + KIA = The Ultimate Drunken Retard