Originally posted by Garkan The guy behind it seemed to have the best intentions, he made it public instead of exploiting it for his own advantage and when CCP ignored his petitions he forced CCP to take the forum down and potentially saved a lot of community members problems.
He is not in a position to force CCP to do anything, what he did is explicitly against TOS he signed up.
Best intentions are mitigating circumstances at best and are no excuse.
Considering CCP's history of sweeping things like this under the carpet :LOLT20LOL: what other options did he have? He has claimed not only did he send in a bug report during beta, but also that he petitioned it, as have others, yet CCP are denying everything with the usual "Our Logs Show Nothing" crap that they use all of the time....
Considering there were tons of reports about this issue, I'm surprised that forums were released at this state. Even for CCP, this is a new level of incompetence.
Even a CSM guy reported that loophole during the first beta, I mean, leagues of detailed reports was easy enough to ignore, sure, but a CSM? A person who is, more or less in a direct contact (as direct as one can be with CCP, ie not much but still).
They spent a whole year on this? A whole year of development, and result is a security hole even novice web designers wouldn't do. Screwing with YAF (yet another forum, go google it) to the point that it falls apart is a special ability.
Just lmao at whoever is responsible. That guy (If it's a team, then those guys) should lose his(their) jobs over this. Must lose their job over this. You could learn web designing from scratch and design a whole new forum with 70000 hours of manpower.
Even while typing this post I'm still laughing hysterically.
Do you have links or pics to back up what you claim?
Specifically that CCP was aware of the security issue but went ahead with the launch anyway?
According to you there were "tons" of reports so finding them and posting them here shouldn't be a chore. It's not that I don't trust you but I find it hard to believe.
I can't post you a direct link because everything is buried under 40+ page threads. Look at SHC and other forums. Thing is, this loophole is very easy to exploit, this kind of thing is very, very easy to avoid. As I said before, even novice designers mostly have common sense enough to not store vital information on client side. Yes, they're storing vital log in information inside your cookies, in basic text. No encryption or anything. That's how bad it is.
Check well known unofficial forums and you'll see enough proof to make your backside explode while laughing.
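An added illustration, not part of the thread and not CCP's or YAF's code: the design problem the post above describes (identity kept in a plaintext cookie the client can edit) set beside a cookie the server can verify. The cookie names `userid` and `session`, the token layout, the key and the lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-deployment secret that exists only on the server.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 3600  # assumed session lifetime


def parse_cookie(header: str) -> dict:
    """Parse a Cookie request header into a name -> value dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}


def weak_identify(cookie_header: str) -> Optional[str]:
    """Flawed pattern: the server believes whatever id the browser sends."""
    return parse_cookie(cookie_header).get("userid")


def _mac(user_id: str, issued: str, key: bytes) -> str:
    return hmac.new(key, f"{user_id}|{issued}".encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None,
                key: bytes = SERVER_KEY) -> str:
    """Build 'user|issued_at|mac'; the MAC binds the id to its issue time."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    issued = str(int(time.time() if now is None else now))
    return f"{user_id}|{issued}|{_mac(user_id, issued, key)}"


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user id for an authentic, unexpired token, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user_id, issued, mac = parts
    expected = _mac(user_id, issued, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    age = (time.time() if now is None else now) - int(issued)
    return user_id if 0 <= age <= MAX_AGE_SECONDS else None


def hardened_identify(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Identity is accepted only from a cookie the server itself signed."""
    token = parse_cookie(cookie_header).get("session")
    return verify_token(token, now) if token else None


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    print(weak_identify("userid=1001; theme=dark"))   # client-chosen value
    good = issue_token("1001")
    print(hardened_identify(f"session={good}"))
    edited = "1|" + good.split("|", 1)[1]             # id changed, MAC kept
    print(hardened_identify(f"session={edited}"))
```

A signed token only stops tampering; a production site would normally hand out an opaque random session id looked up server-side and mark the cookie `Secure` and `HttpOnly`.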
Some times people just have to act, CCP have proven themselves incompetent time and time again and that they stick their fingers in their ears and go "blah blah blah blah" when people try to tell them there is a serious problem and I have no doubt if he didn't do what he did the forums would have stayed up for days or maybe even weeks and caused a lot of players trouble.
The only way to ever get CCP to act sometimes is to cause threadnoughts or shit storms and embarrass them and in this case the dude they are punishing did CCP and the community a massive service.
Imagine all the fires the GMs might have had to put out and the investigations they would have to unravel if this had gone on unpublished and malicious hackers had taken advantage of this.
Currently playing:
EVE online (Ruining low sec one hotdrop at a time)
Gravity Rush, Dishonoured: The Knife of Dunwall.
(Waiting for) Metro: Last Light, Company of Heroes II.
If CCP wanted to "sweep it under the rug", they would have never banned the guy. Just sayin.
I do hope the guy was smart enough not to use a main. Either way, I kinda have to agree with Gdemami on this one. If you can't do the time, don't do the crime. I mean seriously, what is CCP supposed to do? Take the guy out to lunch, then find out he also hacked billing accounts?
Originally posted by SidJames what other options did he have?
File a bug report and wait for fix, like all other people did before him.
Once the serious bug was not fixed for launch, he could file a new bug report, contact someone directly or even try to push the thing through Internal Affairs or CSM.
In any case it is no excuse to breach the EULA.
Originally posted by Garkan Some times people just have to act, CCP have proven themselves incompetent time and time again
If you are not satisfied with the service and you feel the provider isn't listening to your needs, vote with your wallet. Simple as that.
The guy, as well as his supporters, fell to delusion that he was obligated to do whatever it takes to remedy CCPs ill attitude because of some higher moral ground. Such behavior and no respect for private property is unacceptable in any legal system.
If anyone wants to play Robin Hood or act as in Wild West, they will rightfully face the consequences.
I will wait to see what some of the IT security experienced community members say about account security issues rather than take CCPs word for it though.
Your forum login is the same as your account login.
Need I say more?
And this alone is a fucking ultra-extra retarded security hole that the players have been quietly asking CCP to change for years.
Jesus christ is it still necessary to rub their noses in their mess to get them to fix stuff like this? Really CCP? Really?
GJ on shooting the messenger once again :eyeroll: GJ on destroying the small, fragile amount of customer confidence you had started to rebuild since last summer at a stroke because once again you were too fucking arrogant to listen to your own customers. Seriously: someone has got to lose their job for a fuckup of this magnitude. This MUST be past the tolerable limit for the level of error.
Ehhh, chill out brah! It's just a game.
Just a game? Your credit card/account info being exposed is FAR from "just a game"
I can't be arsed to restate everything already mentioned but here's some "what the ****?" selections from a few moments of poking around.
18 external JS references per page. That means 18 HTTP requests per page, at least on first load, to get JS stuff up and running. Slloooow.
Gzip compression is not enabled. Could pull the page size down by ~100kb by enabling that, which is utterly trivial to do.
None of the static content (images, JS etc) have cache expiry times. This means browsers may well not cache them at all, redownloading every time they load a page. They're also not set to have cache-control:public.
You get cookies with all those images and CSS/JS files; 60kb a page load.
And according to Chrome's auditor, "122.90KB (94%) of CSS is not used by the current page." That's some prime wastage right there.
To load this thread page took 980 kilobytes. That's 4 seconds on my connection (50Mbit/s). 1 second of that is the server coming up with the page I asked for, which is pretty shoddy. Using what my browser's caching, it's still 150kb.
This whole thing stinks to high heaven of bad programming and poor understanding of what makes web applications tick.
I'm beginning to think CCP does this stuff on purpose.. just for the publicity it generates.
I think so too lol, I've been reading up on this and I don't even play EvE or any other CCP product! In any case, I guess it works, definitely not going to convince me to sign-up any faster though.
He did file a bug report whilst the site was in beta, he also petitioned it as did other reputedly, yet nothing was done. There have also been claims by CSM members that they not only petitioned this but also phoned CCP to get something done as scripts could have been injected leaving peoples accounts and personal details vulnerable and still CCP did nothing....
And that's ok, no need for violating EULA.
If you still want to act heroic and breach the conduct, you cannot make riot about CCP taking action. It is as much their right as it is your right to breach the EULA, fair deal.
If one wanted to be sarcastic, you could say that you get what you pay for...
Catari didn't really make any complaints about being banned did he? On SHC he stated the bug existed and was being exploited by other users. He did not detail how to use the bug. Next he stated he filed a petition and Helicity stepped in implying he had also reported, attempted to call, etc etc to notify CCP of what was going on. If I recall, Hellicity detailed one of the exploits a bit more to show how easy it was to use. Catari then went on to get permission from another user to manipulate their post to show proof of concept and also stated they expected a ban and was fine with that. The people complaining about the ban seem to be all the people watching from the bleachers.
At any rate, if the bug(s) were being freely exploited then, purely in my opinion, what Catari did was in the customer's best interest although it had negative ramification for him and made CCP look bad. But, the old forums are back up so net positive to a lot of people it seems. Maybe that is a "Robin Hood" point of view, but the alternative is that the security holes remain in use for the time being.
Ultimately, I hope this triggers a security review of all the "spacebook" related features. If nothing comes of the review, then perhaps it builds some confidence in those features. The alternative is they find and fix bugs before they become public knowledge. Either way, they come out better than they were.
-mklinic
"Do something right, no one remembers. Do something wrong, no one forgets" -from No One Remembers by In Strict Confidence
So your answer is "no"?
Calmdown (ex CCP employee) who was running SHC went on an emorage and shut down the entire forum without notice.
I told them to shut the forums off ASAP and I told them why. I didn't give them reproduction steps but they never asked for them, either. And I didn't go on to abuse anything "until they had to shut me out". But all in all it's pretty tame, would have expected more coming my way. It's all cool.
He didn't even go full disclosure on their asses, which was pretty nice of him considering just how incompetent CCP acted.
Originally posted by batolemaeus He didn't even go full disclosure on their asses, which was pretty nice of him considering just how incompetent CCP acted.
In response why he didn't file reproduction steps, like any concerned volunteer would do, he replied:
Originally posted by Catari Taga Again, I'm not being paid to write perfect reports right away, whereas the people responding to them do this professionally.
So he does not bother to attach reproduction steps (and wonders why the report isn't taken seriously) because it is 'too much effort' and then on the other hand he finds himself obliged to take the responsibility for forum security into his own hands and breach the EULA.
This guy is just a retard full of himself showing off rather than anything else and anyone advocating for him is out of their minds.
Ehhh, chill out brah! It's just a game.
since when is eve a game?!
it's a spreadsheet
i tried it, there was no dynamic combat, no aiming, hell you didn't even steer.
to be a game it would have had to have been fun!
all eve players out there agree eve is not a game, but more important than their real life according to surveys.
Originally posted by Gdemami This guy is just a retard full of himself showing off rather than anything else and anyone advocating for him is out of their minds.
While this is true, the same is true for CCP with their focus on ~awesome~ instead of excellence. This is bad on a level only surpassed by "new york times 40 million dollar paywall implemented in client side javascript"-bad.
Comments
http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1493904&page=6
Moar stuff.
Turrible!
Calmdown (ex CCP employee) who was running SHC went on an emorage and shut down the entire forum without notice.
But to end this retarded argument: here's a thread on fhc where Catari posts
He didn't even go full disclosure on their asses, which was pretty nice of him considering just how incompetent CCP acted.
In response why he didn't file reproduction steps, like any concerned volunteer would do, he replied:
So he does not bother to attach reproduction steps (and wonders why the report isn't taken seriously) because it is 'too much effort' and then on the other hand he finds himself obliged to take the responsibility for forum security into his own hands and breach the EULA.
This guy is just a retard full of himself showing off rather than anything else and anyone advocating for him is out of their minds.
While this is true, the same is true for CCP with their focus on ~awesome~ instead of excellence.
This is bad on a level only surpassed by "new york times 40 million dollar paywall implemented in client side javascript"-bad.
So they are stupid because they run their company for best profits? I don't think so.
I do not like where CCP is taking the game nor their practices but that's about all. I voted with my wallet, no hurt feelings, fair deal.
I hear wasting 72k manhours on a mediocre framework skinjob and having to take it down on launchday makes perfect business sense.
So you say you have exclusive internal info that would setup the base for such claims as what makes business sense or not?
{mod edit}