
Scipio Divinitus
Minmatar
|
Posted - 2008.01.05 18:58:00 -
[1]
I am wondering how secure some of these applications are, like EVEMeep, EMMA, EVEmon, and others. I believe they require you to insert your password and username for EVE in order to use the application. Am I just being paranoid or is there a risk in doing that? From what I have seen a significant amount of people have used these applications but I really don't want to be jumping off the lemming's cliff here.
If anyone can address concerns about these applications I would be most grateful.
|

LaVista Vista
Corporate Research And Production Pty Ltd Zzz
|
Posted - 2008.01.05 19:02:00 -
[2]
First: Wrong section Second: They just require your API key. Not username and password.
And it's completely safe.
This signature is brought to you by EBankÖ, free space for moderators to brag. |

Trilori
Caldari GearBox Fleet Svcs
|
Posted - 2008.01.05 19:09:00 -
[3]
Originally by: LaVista Vista First: Wrong section Second: They just require your API key. Not username and password.
And it's completely safe.
Indeed wrong section, they USED to require your username/password. No longer the case anymore.
|

Scipio Divinitus
Minmatar
|
Posted - 2008.01.05 19:14:00 -
[4]
Thanks for responses, had no idea this even existed (or even that there was a forum for this). Sorry for misplaced post.
|

Tek'a Rain
Gallente Collegium Mechanicae
|
Posted - 2008.01.06 02:44:00 -
[5]
worth repeating.. always be careful about what you allow on your machine.
That awesome new mineral calculator (or whatever) might not ask for a password and username when you launch it.. but its hidden keylogger will certainly be able to pick up a few interesting things.
This is likely why some of the more popular (that I have seen) programs are open-source. Open source meaning in this case that their code is available to anyone who wants to poke through it and compile it themselves. Thankfully, the Eve community has enough (or more than enough) of its share of computer savvy folks to make this a reliable method of knowing what you're actually installing.
|

YunFu Yan
Yan Enterprises
|
Posted - 2008.01.06 13:51:00 -
[6]
Originally by: Tek'a Rain This is likely why some of the more popular (that I have seen) programs are open-source. ... Thankfully, the Eve community has enough (or more than enough) of its share of computer savvy folks to make this a reliable method of knowing what you're actually installing.
Not completely true. I could release opensource code that would compile to the same MD5-hash or whatever checksum program you prefer as an exe-file containing a completely different piece of code if I put a bit of work into it.
Releasing opensource programs means nothing in terms of security for those who only download precompiled programs anyways!
------------------------------------------------- Yan Enterprises - We mean business. |

Motivated Prophet
Zerodot Schools Power Corrupts Industry's
|
Posted - 2008.01.06 14:17:00 -
[7]
Originally by: YunFu Yan
Originally by: Tek'a Rain This is likely why some of the more popular (that I have seen) programs are open-source. ... Thankfully, the Eve community has enough (or more than enough) of its share of computer savvy folks to make this a reliable method of knowing what you're actually installing.
Not completely true. I could release opensource code that would compile to the same MD5-hash or whatever checksum program you prefer as an exe-file containing a completely different piece of code if I put a bit of work into it.
Releasing opensource programs means nothing in terms of security for those who only download precompiled programs anyways!
This would be true if you had said "CRC32" or similar. But you cannot forge a program that compiles to an executable with the same cryptographic hash (MD5 and the SHA variants being the best-known cryptographic hashes), or the hash would be useless as a cryptographic measure.
See the "cryptographic hash function" article on Wikipedia for more information, or if you don't believe me, prove me wrong. I will happily pay you $10,000 (or equivalent amount in isk if the former is a EULA violation) if you can provide an EveMon with any modified code that produces a hash collision with the "real" EveMon.
MP --
Proud steward of 47 billion isk in public money, and counting. Ask me about mineral compressionexpansion! WTF? |

YunFu Yan
Yan Enterprises
|
Posted - 2008.01.06 14:24:00 -
[8]
Edited by: YunFu Yan on 06/01/2008 14:25:27 Bah, if I wasn't looking forward to a bunch of exams, a 2 months internship and then some more exams I'd take on the challenge.
MD5 is flawed. That's a fact. Even Wikipedia states that.
I'm not saying it's simple. It needs some serious mathematical and assembler code knowledge but it IS possible.
------------------------------------------------- Yan Enterprises - We mean business. |

Robacz
Essence Trade Essence Enterprises
|
Posted - 2008.01.06 14:48:00 -
[9]
Edited by: Robacz on 06/01/2008 14:48:51
Originally by: YunFu Yan Edited by: YunFu Yan on 06/01/2008 14:25:27 Bah, if I wasn't looking forward to a bunch of exams, a 2 months internship and then some more exams I'd take on the challenge.
MD5 is flawed. That's a fact. Even Wikipedia states that.
You need to read about that "MD5 flaw" more. Proving the fact that MD5 collisions exist is one thing, creating an MD5 collision "on demand" is another. (No one is able to do that.)
|

Motivated Prophet
Zerodot Schools Power Corrupts Industry's
|
Posted - 2008.01.06 14:55:00 -
[10]
Originally by: YunFu Yan Edited by: YunFu Yan on 06/01/2008 14:25:27 Bah, if I wasn't looking forward to a bunch of exams, a 2 months internship and then some more exams I'd take on the challenge.
MD5 is flawed. That's a fact. Even Wikipedia states that.
I'm not saying it's simple. It needs some serious mathematical and assembler code knowledge but it IS possible.
They're doing something similar to a birthday attack* on MD5, and it leaves very, very visible signatures (in the non-cryptographic sense of the word) in the resultant altered executable. You are correct that it is possible for the official compiler of EveMon to compile it in a way that predisposes it to a collision with a program with different functionality, but this would be noticed by someone who compiled the program independently and arrived at a different MD5 value. Regardless, however, you could not create a program with different functionality that had the same output when run against MD5 as the "true" EveMon without conspiring with the original developer and finding a good excuse why nobody else would get the same MD5 as you when compiling it, which would quickly cause people to notice the strange additions of non-executing code to the end of the executable.
MP
*: Okay, technically, it's more like the IV attack on WEP, but most people don't know that reference, and the real point is they're both narrowing the searchspace, not the actual technique.
References:
Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5
"History and Cryptanalysis", and "Vulnerability", in Wikipedia Article "MD5"
--
Proud steward of 47 billion isk in public money, and counting. Ask me about mineral compressionexpansion! WTF? |
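Added example (not part of any post in this thread, and not EveMon's own code): a checker for the distinction drawn above between CRC32 and cryptographic hashes. It compares a download against published checksums and only reports it as trusted when a collision-resistant hash agrees. The function names, the `STRENGTH` table (including the SHA-1 entry) and the `SAMPLE` bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import zlib

# How far each checksum type can be trusted against a deliberate attacker.
STRENGTH = {"crc32": "error-detection only", "md5": "collision-broken",
            "sha1": "collision-broken", "sha256": "ok", "sha512": "ok"}

# Constructed stand-in for a downloaded executable (not a real EveMon build).
SAMPLE = b"MZ\x90\x00 constructed sample release bytes " * 64


def digest(alg: str, data: bytes) -> str:
    """Hex digest of data under one of the algorithms in STRENGTH."""
    if alg == "crc32":
        return format(zlib.crc32(data) & 0xFFFFFFFF, "08x")
    return hashlib.new(alg, data).hexdigest()


def verify_release(data: bytes, published: dict) -> tuple:
    """Compare data against published {alg: hex}; return (trusted, report)."""
    report = {}
    for alg, expected in published.items():
        if alg not in STRENGTH:
            report[alg] = "unsupported"
            continue
        same = hmac.compare_digest(digest(alg, data), expected.strip().lower())
        report[alg] = "match" if same else "MISMATCH"
    strong = any(r == "match" and STRENGTH[a] == "ok" for a, r in report.items())
    clean = "MISMATCH" not in report.values()
    # Trust only when nothing disagrees and a collision-resistant hash agrees.
    return strong and clean, report


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC32 of a^b^c equals crc(a)^crc(b)^crc(c) for equal-length inputs,
    which is why it detects accidents, not deliberate changes."""
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


if __name__ == "__main__":
    good = {alg: digest(alg, SAMPLE) for alg in ("md5", "sha256")}
    print(verify_release(SAMPLE, good))                  # all digests agree
    print(verify_release(SAMPLE + b"\x00", good))        # one byte appended
    print(verify_release(SAMPLE, {"md5": good["md5"]}))  # only MD5 published
```

The check is only as good as the source of the published digests: they need to come from somewhere other than the place the binary was downloaded from, such as an independent build of the source.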

YunFu Yan
Yan Enterprises
|
Posted - 2008.01.06 15:12:00 -
[11]
I didn't want to engage in a discussion about cryptography here. It's not my favourite area anyways.
I just wanted to relativize this:
Originally by: LaVista Vista First: Wrong section Second: They just require your API key. Not username and password.
And it's completely safe.
There is no such thing as complete safety. And I think it's a bad idea to claim that something is completely safe. It will make people careless.
At the end of the day though I use EveMon too and I think it's a great tool. I even used it back when it needed the full account credentials. It's a matter of risk vs reward for me.
------------------------------------------------- Yan Enterprises - We mean business. |

YunLi Yan
|
Posted - 2008.01.06 15:18:00 -
[12]
Edited by: YunLi Yan on 06/01/2008 15:18:06
Originally by: Robacz Edited by: Robacz on 06/01/2008 14:48:51 You need to read about that "MD5 flaw" more. Proving the fact that MD5 collisions exist is one thing, creating an MD5 collision "on demand" is another. (No one is able to do that.)
You're contradicting yourself here.
Edit: Yay, wrong character. 
|