| Pages: 1 2 :: [one page] |
| Author |
Thread Statistics | Show CCP posts - 0 post(s) |

Spiderweb
|
Posted - 2006.06.15 14:55:00 -
[1]
Edited by: Spiderweb on 15/06/2006 14:56:14 I just got EveMON and installed it.
When I run it, My firewall popped up telling me this programm wants to connect to the internet etc. Now I have no reason to suspect a third person app thats been advertised and used by ppl in the EVE forums etc so I clicked OK to let it do whatever with the connection (I figured it might have to do with auto-update etc).
Then I saw that one of the options to use EveMON is to type in the Login information .
Login information INCLUDING password.
I dont know if ppl get it, but: One of the options to use the program (its actually the First 'how to' help window that pops up) it requires to let it use your connection by allowing it THROUGH the firewall and giving it your Login name and pass.
I cant really think of a more dodgy way of security compromise than leting a unofficial programm go through your firewall and letting it have your Login info.
Of course I didnt let it have my acc, and I instantly stopped its access to my connection as well, however I was concerned about the whole issue so I thought I will be a fair thing to share this with the rest of the community.
So take care guys, and I wonder what CCP's stance is on this issue about a programm that is freely available.
----------------------------------------------- We all live in a Yellow Submarine |

Aeon Valerii
|
Posted - 2006.06.15 14:56:00 -
[2]
There's nothing wrong with it. The code is open source, you can have a look at it. There's a lot of people using it.
|

HippoKing
|
Posted - 2006.06.15 14:56:00 -
[3]
eveMON is open source, and has been confirmed numerous times (unofficially though) to be secure. Its as reliably safe as anything third party can ever be.
|

Berak FalCheran
|
Posted - 2006.06.15 14:57:00 -
[4]
notes:
Things that connect to the internet often times have to go through your firewall (omg shock!)
Things that access your character sheet also need your login and password (omg more shock!)
The program is kosher, as I'm sure many people can vouch. (Not to mention you can just get the source and build it yourself if so inclined)
ZOMG switching hosting, fantastic sigs back soon
|

Kylania
|
Posted - 2006.06.15 14:58:00 -
[5]
Originally by: Spiderweb So take care guys, and I wonder what CCP's stance is on this issue about a programm that is freely available.
I'd say their stance would be to sticky this 11 page thread where your concerns were asked and answered over a month ago?  -- Lil Miner Newbie Skills Roadmap | Visual Building Guide (Both work in game too!) |

Jim McGregor
|
Posted - 2006.06.15 14:58:00 -
[6]
Edited by: Jim McGregor on 15/06/2006 14:59:16
It needs the details to download your character info from the eve-online website. I dont use the program, but im sure there are ways to download your character data manually and import it into the program as well.
The information is optional. Its not like its a Microsoft program or anything...
--- The Eve Wiki Project |

GeekWarrior
|
Posted - 2006.06.15 14:58:00 -
[7]
This program is open source, so take a look at the code if you want to know what it's doing. I use it all the time. It's perfectly legit.
If you don't want it to automate updates, you can login to the eve-o character page and download the XML file(s) manually. ----------------------------- EVE Addict |

Mercade
|
Posted - 2006.06.15 14:59:00 -
[8]
Of course it wants to connect to the internet. It wants to get your character XML's from myeve.eve-online.com
and of course it offers you a place to enter a password. You won't get far past eve-online.coms log in without one.
No different then the inputs and behaviors of other great reputable character software like falcon industries character manager. And like people said, open source and checked out. There will always be a limited threat. But this software is defintely not an obvious attempt at info theft.
Originally by: kieron ...possible causes for an extended downtime, I think playing WoW would be close to the bottom of the list, probably between shaving cats and having dental work done w/o anethesia.
|

infraX
|
Posted - 2006.06.15 15:03:00 -
[9]
It's all very well saying 'oh but it's open source' - how many of you have read through the entire source code and understood all of it and then compiled your own binary from it? At a guess, I would suggest very few of you. Not that I want to spread F.U.D. or anything, but if you are that paranoid about it, just don't enter your logon details.
|

Crumplecorn
|
Posted - 2006.06.15 15:04:00 -
[10]
If they really just wanted to harvest accounts they wouldn't have wasted so much development time on making it so great.  AFAIK it's safe. ----------
|

Mason X
|
Posted - 2006.06.15 15:05:00 -
[11]
firewalls suck.
the reason they suck is because clueless people use them and then whine in threads like this.
you have no idea what you are talking about.
|

Spiderweb
|
Posted - 2006.06.15 15:12:00 -
[12]
Edited by: Spiderweb on 15/06/2006 15:14:02 The fact that is open source also means that there are some problems with its use:
all that is needed is 1 person to change the code appropriately and in the right moment to repost "Useful progs in EVE etc" in the forums for ppl to dl
How many ppl you think will RECHECK the whole code for any underhand code ?
I agree that probably this isnt a program intented to be used that way, but Imo its just naive to think of it as green light.
Im not a scammer and I already got quite a few ideas how to use this program to scam. Including net cafe scams and others which I wouldnt want to share for fear of advertising them.
Critism on security shouldnt be taken lightly, and also its a sign of what could be done better.
----------------------------------------------- We all live in a Yellow Submarine |

Euye
|
Posted - 2006.06.15 15:12:00 -
[13]
Originally by: infraX It's all very well saying 'oh but it's open source' - how many of you have read through the entire source code and understood all of it and then compiled your own binary from it?
Actually I did...
|

BoinKlasik
|
Posted - 2006.06.15 15:13:00 -
[14]
Originally by: Mason X firewalls suck.
the reason they suck is because clueless people use them and then whine in threads like this.
you have no idea what you are talking about.
but firewalls try very hard, untill people hit allow on every popup 
*doh, I broke my edited sig :/* *cries* this signature was lacking pink, I'll provide it for you. There. Looks better doesn't it? -Eris Fixed it for you. Oh, btw, yarr! ~kieron Didn't I tell you? The damsel moved in with me, we're having a great time. - Wrangler The damsel may not be distressed any more, but how many times does the informant have to be silenced before he gets the message? - Cortes
|

Nials Corva
|
Posted - 2006.06.15 15:16:00 -
[15]
Originally by: Euye
Originally by: infraX It's all very well saying 'oh but it's open source' - how many of you have read through the entire source code and understood all of it and then compiled your own binary from it?
Actually I did...
As did I. Not that hard to look for socket connections and make sure they're going to known places.
|

Jim McGregor
|
Posted - 2006.06.15 15:24:00 -
[16]
Originally by: Spiderweb Edited by: Spiderweb on 15/06/2006 15:14:02 The fact that is open source also means that there are some problems with its use:
all that is needed is 1 person to change the code appropriately and in the right moment to repost "Useful progs in EVE etc" in the forums for ppl to dl
How many ppl you think will RECHECK the whole code for any underhand code ?
I agree that probably this isnt a program intented to be used that way, but Imo its just naive to think of it as green light.
Im not a scammer and I already got quite a few ideas how to use this program to scam. Including net cafe scams and others which I wouldnt want to share for fear of advertising them.
Critism on security shouldnt be taken lightly, and also its a sign of what could be done better.
Its still alot safer than trusting a binary. Even if alot of people dont have the energy to go through the code, there are always a handful of people that does. So if 10 different people say the code is OK, its more likely to be OK than a company saying it is, but not letting anyone see it.
--- The Eve Wiki Project |

Euye
|
Posted - 2006.06.15 15:26:00 -
[17]
Originally by: Spiderweb Edited by: Spiderweb on 15/06/2006 15:14:02 The fact that is open source also means that there are some problems with its use:
all that is needed is 1 person to change the code appropriately and in the right moment to repost "Useful progs in EVE etc" in the forums for ppl to dl
The same issue arises if someone hacks any software and attempts to republish it, so its not a problem because its open source.
I probably will be looking at diffs to see what (if any) code has changed in weird places, but then I'm a kinda open source fan geek with too much free time 
|

Yukiko Kura
|
Posted - 2006.06.15 15:29:00 -
[18]
Jeebus, if you're so worried about it simply use the xml import. Problem solved.
|

Hamshoe
|
Posted - 2006.06.15 15:29:00 -
[19]
I guess if you hand out your login and password to any non-CCP app, you get what's coming to you.
No point in griping about it, it's not like it came to your door and beat you up for them.
Kicked in the head by a horse, what's your excuse? |

Waragha
|
Posted - 2006.06.15 15:31:00 -
[20]
What is more stupid is that you download a program off the internet and you come here to whine about it having NO F**** idea of what its doing. Go download a virus.
|

Jim McGregor
|
Posted - 2006.06.15 15:33:00 -
[21]
Originally by: Euye
The same issue arises if someone hacks any software and attempts to republish it, so its not a problem because its open source.
Its actually surprising that there are so few attempts to distribute hacked versions of software. With bittorrent etc you could easily distribute a hacked version with a trojan in it. Most people seem to click "Allow all access" to programs using the internet in their firewall, since the documentation often is shady when it comes to what ports or internet addresses the software uses.
--- The Eve Wiki Project |

Spiderweb
|
Posted - 2006.06.15 15:42:00 -
[22]
People underestimate the amount of people that have money stolen from the because they were tricked, by some times silly ways, into giving their pins.
But now I see a few reasons to understand how people can disregard the obvious for that sense of personal security or the resistance to think of somethink which might make them feel uncomfortable.
Any way my intention was not to demonise the work of a member of the community to help us, but to pinpoint the caveats, and discuss about their 'severity' level. Its when you are informed better that your decisions count more.
----------------------------------------------- We all live in a Yellow Submarine |

Billy Sastard
|
Posted - 2006.06.15 15:42:00 -
[23]
What EveMon does is, at the core of things, essentially the same thing that you would do if you wanted to download the XML for your character. I don't see people freaking out because they have to enter their username and password when they log in to these forums.. Yea it is the CCP website... BUT you are entering the username and password in your web browser!!11!1oneone ZOMGz firefox is going to steal my password and ***** my EVE!!!
Just relax guy, there are thousands of people using EveMon with nothing but praise. If the software was shady, I am sure that with the Eve community being as vocal as it is, there would be many many many people screaming not to use it.
I personally am too lazy to go through all the code to verify for myself, but if 3 people that I know and trust have done so and say it is legit, I will take their word for it.
|

Splagada
|
Posted - 2006.06.15 15:45:00 -
[24]
just make sure you download it from the actual correct place
one of the favorite tricks of *******s is to clone websites to get people download bogus versions with trojans -
Member of [AAST]
Owner of eve-corps.net evemail me if you need a free forum for your corp
|

HippoKing
|
Posted - 2006.06.15 15:49:00 -
[25]
Originally by: Spiderweb People underestimate the amount of people that have money stolen from the because they were tricked, by some times silly ways, into giving their pins.
But now I see a few reasons to understand how people can disregard the obvious for that sense of personal security or the resistance to think of somethink which might make them feel uncomfortable.
Any way my intention was not to demonise the work of a member of the community to help us, but to pinpoint the caveats, and discuss about their 'severity' level. Its when you are informed better that your decisions count more.
I never use tools like this, but should I choose to use eveMON, I would look for the connections it makes in the source (not very hard if you have a copy of Visual Studio 2005) and compile my own binary. Total time used: not long checking the code, compiling while I'm asleep.
|

Jim McGregor
|
Posted - 2006.06.15 16:16:00 -
[26]
Originally by: HippoKing
I never use tools like this, but should I choose to use eveMON, I would look for the connections it makes in the source (not very hard if you have a copy of Visual Studio 2005) and compile my own binary. Total time used: not long checking the code, compiling while I'm asleep.
I usually just check the destinations of the connections it wants to make in my firewall. Even faster. --- The Eve Wiki Project |

HippoKing
|
Posted - 2006.06.15 16:53:00 -
[27]
Originally by: Jim McGregor
Originally by: HippoKing
I never use tools like this, but should I choose to use eveMON, I would look for the connections it makes in the source (not very hard if you have a copy of Visual Studio 2005) and compile my own binary. Total time used: not long checking the code, compiling while I'm asleep.
I usually just check the destinations of the connections it wants to make in my firewall. Even faster.
i don't have a software firewall. quick, flame me!
|

Emily Spankratchet
|
Posted - 2006.06.15 17:01:00 -
[28]
As mentioned briefly above, you don't have to give evemon your login and password.
The alternative is to:
- Download your character details as XML from the My Character Page
- When you add a character, use the "Saved Character XML" option
- Er, profit?
|

Hllaxiu
|
Posted - 2006.06.15 17:12:00 -
[29]
Originally by: Jim McGregor
Originally by: HippoKing
I never use tools like this, but should I choose to use eveMON, I would look for the connections it makes in the source (not very hard if you have a copy of Visual Studio 2005) and compile my own binary. Total time used: not long checking the code, compiling while I'm asleep.
I usually just check the destinations of the connections it wants to make in my firewall. Even faster.
Ethereal hasn't been mentioned yet. You can see where the packets are going.  --- Our greatest glory is not in never failing, but in rising up every time we fail. - Emerson |

Jim McGregor
|
Posted - 2006.06.15 17:16:00 -
[30]
Originally by: HippoKing
i don't have a software firewall. quick, flame me!
I dont believe in flaming as a method of education.  --- The Eve Wiki Project |

Hllaxiu
|
Posted - 2006.06.15 17:22:00 -
[31]
Just update for the paranoid, if you look at the packets sent by the program, it just opens a HTTPS session with 87.237.39.201, which just happens to be myeve.eve-online.com While I had the program open, no information was sent to any ip other than 87.237.39.201, and credentials were exchanged over HTTPS (the actual XML information was sent over HTTP).
So don't worry about it! --- Our greatest glory is not in never failing, but in rising up every time we fail. - Emerson |

Scorpyn
|
Posted - 2006.06.15 17:24:00 -
[32]
Originally by: HippoKing Total time used: not long checking the code, compiling while I'm asleep.
You either have a very slow compiler or not very much need for sleep.
|

Satomila Kunis
|
Posted - 2006.06.15 17:38:00 -
[33]
Edited by: Satomila Kunis on 15/06/2006 17:38:45 Spiderweb,
You do know that EVEMon can be run in a password safe method right? Just manually download your character xml file via a browser you trust and point EVEMon to it. Then you don't have to enter any account info whatsoever.
|

Kahlen Rahl
|
Posted - 2006.06.15 17:59:00 -
[34]
Originally by: Spiderweb Edited by: Spiderweb on 15/06/2006 15:14:02 The fact that is open source also means that there are some problems with its use:
all that is needed is 1 person to change the code appropriately and in the right moment to repost "Useful progs in EVE etc" in the forums for ppl to dl
Dude, the sticky about this tool has a direct link to the "official" site of EVEMon. If you decide NOT to download it from there, and subsequently download it from somewhere else, then that's a risk you're taking. So yes, someone *could* change the code, and host it himself for people to download, but if you're stupid enough to actually do that, then the only person you can blame is yourself.
For what it's worth tho I think that the binary download on the EVEMon site is pretty safe, or otherwise people would've publically lynched the guy who made it some time ago.
Originally by: Spiderweb Critism on security shouldnt be taken lightly, and also its a sign of what could be done better.
Tell me again what exactly could have been done better? Provide a source only download? As long as you know that where you download something from is the "official" site, you shouldn't worry too much about it. Not that I disagree on the criticism part there, but bring forth arguments. An argument like "oh noes, it could be used in netcafe scams!" doesn't hold much ground I think. Again, if someone was stupid enough to use an EVEMon installation already present in an internet cafe, it's his own risk. |

hydraSlav
|
Posted - 2006.06.15 18:00:00 -
[35]
Originally by: Spiderweb Edited by: Spiderweb on 15/06/2006 15:14:02 The fact that is open source also means that there are some problems with its use:
all that is needed is 1 person to change the code appropriately and in the right moment to repost "Useful progs in EVE etc" in the forums for ppl to dl
If anyone downloads a "republished" version from anywhere other than the original source, it is their own fault. No one can prevent people from falling for stupid tricks and losing money.
I downloaded my EVEMon from the original source, and didnt think twice when i entered the password
=================================== Above comments are my personal views, and do not represent my corporation or alliance, unless otherwise indicated |

Novarei
|
Posted - 2006.06.15 18:14:00 -
[36]
Originally by: Spiderweb Critism on security shouldnt be taken lightly, and also its a sign of what could be done better.
Such as... What pray-tell could they do better?
|

Michayel Lyon
|
Posted - 2006.06.15 18:20:00 -
[37]
Originally by: Spiderweb ... lots of funny stuff...
Quick, somebody call Seleene! Someone is in dire need of a tinfoil hat!
|

DukDodgerz
|
Posted - 2006.06.15 18:41:00 -
[38]
Originally by: Mason X firewalls suck.
the reason they suck is because clueless people use them and then whine in threads like this.
you have no idea what you are talking about.
ohboy! either you are clueless yourself or trolling.
the correct phrase should have been "software firewalls SUCKMAJORDONKY---uh---orbs!".
A firmware/hardware firewall is GREAT. Look at a Linksys broadband router. Cheap and effective firewall for most consumers, and it will not use your PC resources to popup worthless anoying BS messsages that an internet app is accessing the internet (omfgnoooooeees, Firefox is trying to access the intewebs, call da police! ).
What you install is up too you, but rule of thumb, only download from the original site(who made the app).
If unsure about the app, DO NOT INSTALL IT.
Simple rules that work very well unless you ignore them.
FRODO HAS FAILED; BUSH HAS THE RING!!! The Hippo mating ritual |

HippoKing
|
Posted - 2006.06.15 18:42:00 -
[39]
Originally by: Scorpyn
Originally by: HippoKing Total time used: not long checking the code, compiling while I'm asleep.
You either have a very slow compiler or not very much need for sleep.
I do EVERYTHING that is resource intensive which doesn't actually need me there all the time overnight, so it doesn't mess with my interwebs experience. My PC is usually on overnight on p2p most nights.
|

Scorpyn
|
Posted - 2006.06.15 18:48:00 -
[40]
Originally by: HippoKing
Originally by: Scorpyn
Originally by: HippoKing Total time used: not long checking the code, compiling while I'm asleep.
You either have a very slow compiler or not very much need for sleep.
I do EVERYTHING that is resource intensive which doesn't actually need me there all the time overnight, so it doesn't mess with my interwebs experience. My PC is usually on overnight on p2p most nights.
If you want to compile a whole OS, such as a linux system, then a nap could be in order. But for a small progam like EVEMon? You wouldn't make it to the bed with a proper compiler.
|

Drizit
|
Posted - 2006.06.15 19:15:00 -
[41]
Edited by: Drizit on 15/06/2006 19:15:33
Originally by: HippoKing I never use tools like this, but should I choose to use eveMON, I would look for the connections it makes in the source (not very hard if you have a copy of Visual Studio 2005) and compile my own binary. Total time used: not long checking the code, compiling while I'm asleep.
It even tells you where you can get an editor/compiler free on the web page along with the open source download. You don't need to pay megabucks for VC or VS. You can easily check the source code with notepad if you are really paranoid and don't trust the freebie download they suggest.
I've been using it for 3 months now and checked the source and compiled it so I know it's as safe as any internet based program can be.
Spiderweb: The simple answer is either use it with the XML downloads of your character or don't use it at all if you are that worried about it
--
|

HippoKing
|
Posted - 2006.06.15 19:17:00 -
[42]
Originally by: Scorpyn
Originally by: HippoKing
Originally by: Scorpyn
Originally by: HippoKing Total time used: not long checking the code, compiling while I'm asleep.
You either have a very slow compiler or not very much need for sleep.
I do EVERYTHING that is resource intensive which doesn't actually need me there all the time overnight, so it doesn't mess with my interwebs experience. My PC is usually on overnight on p2p most nights.
If you want to compile a whole OS, such as a linux system, then a nap could be in order. But for a small progam like EVEMon? You wouldn't make it to the bed with a proper compiler.
fair enough 
|

Splagada
|
Posted - 2006.06.15 22:49:00 -
[43]
Edited by: Splagada on 15/06/2006 22:49:29 edit : doh -
Member of [AAST]
Owner of eve-corps.net evemail me if you need a free forum for your corp
|

Lyra VX
|
Posted - 2006.06.15 23:13:00 -
[44]
People willingly hand over logins, passwords, bank details (etc) to Internet Explorer on a very frequent basis, and you can't even see the code for it.
Oh noes? |

Lord Derik
|
Posted - 2006.06.15 23:50:00 -
[45]
Edited by: Lord Derik on 15/06/2006 23:51:12 I installed EveMon on my machine and watched my firewall logs. Obviously it went to eve port 80, but why does EveMon go to the authors website?
207.44.198.28:80 static.evercrest.com www.evercrest.com
It did this 2 out of about 500 times it accessed the internet.
Why is this program calling home? |

MysticNZ
|
Posted - 2006.06.16 00:01:00 -
[46]
Microsoft have a free C# compiler. Just get a free IDE and compile it. Of course, the compilers that are charged for are usally faster. -=====-
|

MysticNZ
|
Posted - 2006.06.16 00:02:00 -
[47]
Originally by: Lord Derik Edited by: Lord Derik on 15/06/2006 23:51:12 I installed EveMon on my machine and watched my firewall logs. Obviously it went to eve port 80, but why does EveMon go to the authors website?
207.44.198.28:80 static.evercrest.com www.evercrest.com
It did this 2 out of about 500 times it accessed the internet.
Why is this program calling home?
Probably to see how many people are using it. Use a packet sniffer like ertheal to see. -=====-
|

SGXiphias
|
Posted - 2006.06.16 00:03:00 -
[48]
Probally calls home to let you know if theres updates, ran ethereal on it and everything checks out.
|

Lord Derik
|
Posted - 2006.06.16 00:14:00 -
[49]
Probably(s) and Maybe(s) Huh?
Did the Author state everything it is suppose to do, like check for updates and monitor how many users there are? |

Lojik
|
Posted - 2006.06.16 01:02:00 -
[50]
If your unsure about using the automatic skill system just go inot your character sheet on eve-online and download the xml file and save it as a .xml then load it manulayy into the eve-mon program, the xml fle does not contain any account information.
|

Talori'i
|
Posted - 2006.06.16 03:10:00 -
[51]
Originally by: Lord Derik Probably(s) and Maybe(s) Huh?
Did the Author state everything it is suppose to do, like check for updates and monitor how many users there are?
When it first came out EVEMon self-updated several times for me. So its just checking for updates.
4 8 15 16 23 42 |

Tachy
|
Posted - 2006.06.16 07:33:00 -
[52]
Download the code. Ccheck it. Compile and only use it if you find it does what you feel comfortable with. --*=*=*-- Megadon CCP wanted a well known artist and celebrity to test the new font so it's approval would be well known. They got Ray |

Lyra VX
|
Posted - 2006.06.16 09:28:00 -
[53]
It certainly does check for updates, but the message is still "if you aren't comfortable with using it, don't". |
| |
|
| Pages: 1 2 :: [one page] |