These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
  • Topic is locked indefinitely.
 

New dev blog: Team Security - Now with 100% more Anti-RMT

First post First post First post
Author
CCP Sreegs
CCP Retirement Home
#221 - 2012-04-03 21:32:24 UTC
Tyke Orlieveit wrote:
CCP Sreegs wrote:
corestwo wrote:
CCP Sreegs wrote:
Jim Luc wrote:
By the way, is there any way we can put an end to the endless "Player Transfer" phishing spam? I've been getting lots of it and forward each to security@ccpgames.com - usually it all goes to the trash anyways. I generally don't even click any links in an Eve-related email, even if it's from CCP. They're offering free time but I won't take their survey simply because I don't trust any emails from ccp or related anymore.

Is there a way we can determine if an email link is authentic, and each email that's sent from CCP also be accessible via logging into our accounts without clicking through a link? It would be nice to see all CCP correspondence, even marketing & such, in our Account Settings pages. Just a thought - keep up the tremendous work Sreegs!


I'll look into this. I hadn't thought of it actually and I think it's a good idea. Unfortunately we don't own The Internet so we can't stop people from sending mails. We're working on the problem but there's no really easy solution given the technology involved.


You may want to look into the company my wife works at if you're looking for a solution to this. Interested to know more? ;)


Send an email to the security email address. We've looked into a lot of things but ultimately none of what we've seen in pretty much any case fits our unique environment and situation with this particular spam.


Stupid question: Simply signing the email content with a Publicly available PGP/GPG key is out of the window I guess? The recipient isn't affected by this, and the people with the capability or desire can confirm the signature?

I guess formatting issues might be a hurdle, I've not really experimented with anything but plain-text email being signed though.


What percentage of people do you suppose would actually use that? It's certainly feasible but adoption rates are abysmal out in the world.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#222 - 2012-04-03 21:33:52 UTC
Mioelnir wrote:
CCP Sreegs wrote:
I'll look into this. I hadn't thought of it actually and I think it's a good idea. Unfortunately we don't own The Internet so we can't stop people from sending mails. We're working on the problem but there's no really easy solution given the technology involved.


One doesn't need to own the internet for that. For example the CCP bulk mta often used for surveys and stuff is run under the cocos islands domain ccp.cc which - while it does indeed belong to CCP - is never ever used anywhere else that customers see, so it probably looks fishy to most users.

Then again, if you read your mails with full headers, you are probably already sufficiently paranoid.


The bulk mails use both SPF and DomainKeys (however it's been rebranded) so you can certainly verify the authenticity of those. Unfortunately not every mail we send is sent through this system.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Captain Thunk
Explode. Now. Please.
Alliance. Now. Please.
#223 - 2012-04-03 21:34:17 UTC
CCP Sreegs

Will Corporation CEOs be allowed to request a list of their members who've had Transaction reversals through RMT with the amount?

I'm pretty sure some corps would like to kick them.
corestwo
Goonfleet Investment Banking
#224 - 2012-04-03 21:34:24 UTC  |  Edited by: corestwo
Tyke Orlieveit wrote:
Stupid question: Simply signing the email content with a Publicly available PGP/GPG key is out of the window I guess? The recipient isn't affected by this, and the people with the capability or desire can confirm the signature?

I guess formatting issues might be a hurdle, I've not really experimented with anything but plain-text email being signed though.

The problem with a solution like this is that your average internet goer doesn't even know to check the sig much less how. Any such solution to this kind of problem is passive in the ideal case - as far as the recipient is concerned, the email should always be trustable.

Now, that's a very high ideal standard, but you get the idea - I shouldn't have to do anything to be sure my mail is from who it claims it's from.

CCP Sreegs wrote:
Mioelnir wrote:
CCP Sreegs wrote:
I'll look into this. I hadn't thought of it actually and I think it's a good idea. Unfortunately we don't own The Internet so we can't stop people from sending mails. We're working on the problem but there's no really easy solution given the technology involved.


One doesn't need to own the internet for that. For example the CCP bulk mta often used for surveys and stuff is run under the cocos islands domain ccp.cc which - while it does indeed belong to CCP - is never ever used anywhere else that customers see, so it probably looks fishy to most users.

Then again, if you read your mails with full headers, you are probably already sufficiently paranoid.


The bulk mails use both SPF and DomainKeys (however it's been rebranded) so you can certainly verify the authenticity of those. Unfortunately not every mail we send is sent through this system.


Welp. I am now, perhaps, not quite so sure how helpful what I sent you will be. Worth a shot anyway.

This post was crafted by a member of the GoonSwarm Federation Economic Cabal, the foremost authority on Eve: Online economics and gameplay.

fofofo

CCP Sreegs
CCP Retirement Home
#225 - 2012-04-03 21:36:07 UTC
Captain Thunk wrote:
CCP Sreegs

Will Corporation CEOs be allowed to request a list of their members who've had Transaction reversals through RMT with the amount?

I'm pretty sure some corps would like to kick them.


Not at this time. You're welcome to comment in the scarlet letter thread linked in the blog though as this would probably qualify.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Buzzy Warstl
Quantum Flux Foundry
#226 - 2012-04-03 21:36:17 UTC
CCP Sreegs wrote:
Tyke Orlieveit wrote:

Stupid question: Simply signing the email content with a Publicly available PGP/GPG key is out of the window I guess? The recipient isn't affected by this, and the people with the capability or desire can confirm the signature?

I guess formatting issues might be a hurdle, I've not really experimented with anything but plain-text email being signed though.


What percentage of people do you suppose would actually use that? It's certainly feasible but adoption rates are abysmal out in the world.

Debian signs their security announcements.

They are completely accessible to people not using PGP/GPG and are authenticated for people who are using them.

http://www.mud.co.uk/richard/hcds.htm Richard Bartle: Players who suit MUDs

Myz Toyou
Nekkid Inc.
#227 - 2012-04-03 21:36:51 UTC
I would like to see those faces when previous super pilots now suddenly have to downgrade to Drakes given by kind Alliance members Lol
Jim Luc
Deep Core Mining Inc.
Caldari State
#228 - 2012-04-03 21:38:04 UTC
CCP Sreegs wrote:


....LONG QUOTE

What percentage of people do you suppose would actually use that? It's certainly feasible but adoption rates are abysmal out in the world.


Personally I take a look at any outgoing links, and manually type them in as long as they have the correct subdomain in the url. Mostly though, and this is an unfortunate side-effect, I generally don't really bother with any links from an email.
CCP Sreegs
CCP Retirement Home
#229 - 2012-04-03 21:39:21 UTC
To clarify on the ETC question regarding Shattered Crystal and our other resellers from earlier.

You may purchase 60 day ETCs from official resellers: https://secure.eveonline.com/etc.aspx

Those may then be converted for PLEX. They cannot be converted directly into isk. Only PLEX may be converted to isk. The only place to buy PLEX is from the account management section of our website or ingame for is.

I hope that helps.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Merin Ryskin
Peregrine Industries
#230 - 2012-04-03 21:40:19 UTC
CCP Sreegs wrote:
I'm not in the habit of spending oodles of time defending our work against every conceivable nightmare scenario painted on the internet.


This is hardly "every nightmare scenario" we're talking about. I was able to think up these scenarios in just a few minutes while writing the post, so it doesn't exactly inspire confidence to hear that you (or anyone else at CCP) haven't considered them yet. Instead, it gives the impression that you are too focused on punishing the guilty and haven't spent enough time preparing for how to handle the consequences of those punishments.

This kind of vague "we'll deal with it as it happens" might have been fine when you were just handing out individual account bans on clearly guilty ISK sellers, but now you're talking about "ending alliances" and having a much bigger impact on the sandbox.
CCP Sreegs
CCP Retirement Home
#231 - 2012-04-03 21:40:38 UTC
Buzzy Warstl wrote:
CCP Sreegs wrote:
Tyke Orlieveit wrote:

Stupid question: Simply signing the email content with a Publicly available PGP/GPG key is out of the window I guess? The recipient isn't affected by this, and the people with the capability or desire can confirm the signature?

I guess formatting issues might be a hurdle, I've not really experimented with anything but plain-text email being signed though.


What percentage of people do you suppose would actually use that? It's certainly feasible but adoption rates are abysmal out in the world.

Debian signs their security announcements.

They are completely accessible to people not using PGP/GPG and are authenticated for people who are using them.


Yeah I know some people sign their emails, what I'm saying is given the work that would go into implementing such a system how many people would actually gain benefit from it.

PGP signing adoption rates are terrible or were at least the last time I checked.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#232 - 2012-04-03 21:41:36 UTC
Merin Ryskin wrote:
CCP Sreegs wrote:
I'm not in the habit of spending oodles of time defending our work against every conceivable nightmare scenario painted on the internet.


This is hardly "every nightmare scenario" we're talking about. I was able to think up these scenarios in just a few minutes while writing the post, so it doesn't exactly inspire confidence to hear that you (or anyone else at CCP) haven't considered them yet. Instead, it gives the impression that you are too focused on punishing the guilty and haven't spent enough time preparing for how to handle the consequences of those punishments.

This kind of vague "we'll deal with it as it happens" might have been fine when you were just handing out individual account bans on clearly guilty ISK sellers, but now you're talking about "ending alliances" and having a much bigger impact on the sandbox.


Then I guess we're just going to have to agree to disagree and leave it at that. :)

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

DeODokktor
Dark Templars
The Fonz Presidium
#233 - 2012-04-03 21:41:47 UTC
Regarding the loans.

Secured loans are an easy fix.
Add a contract section for Loans. Sadly CCP tried this but as it wasnt combat related it was utter shite.... Much like the auction system of contracts are.

There's a lot of key things ccp has not fixed that are things that isk sellers are no doubt using.
Adding a Secure Loan (Where the game holds all ITEMS in Escrow until the loan is repaid according to terms) would mean that all of my loans are 100% secure. On top of that it would remove any risk that someone will use this method for transferring goods from char to char.

Getting rid of the trade window (Hello private contracts, derrrr) is a no-brainer; but again, CCP has left this system in place for so long now that you have to question why it's there.

Character trades should have the same SecureTrading system that SecureGTC uses.. Character to CHARACTER and not requring users to supply account names (How dumb is that??). The isk should be held in escrow for say 24 hours after the deal is done (this would KILL character scamming and also add a lot of hassle those who manage to steal account details, with the plus side of hiding the account name making account details more secure).. For anyone who wants to know my account name might be something like mephysto_luvsme_even_tho_he_says_no .....

What also happens when (like recently) my pal who was on military deployment had his account hacked. I am sure that it was a breach of his email due to the fact that they logg'd into more than one of his accounts, but his isk would have been moved off for RMT, does this mean he's now under a perm ban and will never be able to return?...
Buzzy Warstl
Quantum Flux Foundry
#234 - 2012-04-03 21:45:46 UTC
CCP Sreegs wrote:
Buzzy Warstl wrote:
CCP Sreegs wrote:
Tyke Orlieveit wrote:

Stupid question: Simply signing the email content with a Publicly available PGP/GPG key is out of the window I guess? The recipient isn't affected by this, and the people with the capability or desire can confirm the signature?

I guess formatting issues might be a hurdle, I've not really experimented with anything but plain-text email being signed though.


What percentage of people do you suppose would actually use that? It's certainly feasible but adoption rates are abysmal out in the world.

Debian signs their security announcements.

They are completely accessible to people not using PGP/GPG and are authenticated for people who are using them.


Yeah I know some people sign their emails, what I'm saying is given the work that would go into implementing such a system how many people would actually gain benefit from it.

PGP signing adoption rates are terrible or were at least the last time I checked.

True, I'd be surprised if the Debian security mailing list had more than a few thousand subscribers, and that may include everyone who uses GPG who isn't on FreeBSD.

http://www.mud.co.uk/richard/hcds.htm Richard Bartle: Players who suit MUDs

Merin Ryskin
Peregrine Industries
#235 - 2012-04-03 21:46:14 UTC
DeODokktor wrote:
Adding a Secure Loan (Where the game holds all ITEMS in Escrow until the loan is repaid according to terms) would mean that all of my loans are 100% secure.


And also 100% pointless, since if I can allow you to hold on to items worth what you're loaning me then I can just sell those items on the market myself (other than rigged ships, I suppose) and get the money.
Vaerah Vahrokha
Vahrokh Consulting
#236 - 2012-04-03 21:47:13 UTC
corestwo wrote:
Vaerah Vahrokha wrote:
Teach me how to avoid this, I am all ears.


Just stick to the technical analysis you're so fond of. Lol


Another elusive reply to a concrete RMT affected case (Cosmoray).

Tyke Orlieveit
Republic Military School
Minmatar Republic
#237 - 2012-04-03 21:47:24 UTC
CCP Sreegs wrote:
Buzzy Warstl wrote:
CCP Sreegs wrote:
Tyke Orlieveit wrote:

Stupid question: Simply signing the email content with a Publicly available PGP/GPG key is out of the window I guess? The recipient isn't affected by this, and the people with the capability or desire can confirm the signature?

I guess formatting issues might be a hurdle, I've not really experimented with anything but plain-text email being signed though.


What percentage of people do you suppose would actually use that? It's certainly feasible but adoption rates are abysmal out in the world.

Debian signs their security announcements.

They are completely accessible to people not using PGP/GPG and are authenticated for people who are using them.


Yeah I know some people sign their emails, what I'm saying is given the work that would go into implementing such a system how many people would actually gain benefit from it.

PGP signing adoption rates are terrible or were at least the last time I checked.



Aye, even with GPG as a free alternative, it's not exactly something a basic end-user can easily configure and get going I suppose.

Shy of having something in the actual Character management section as a list of emails sent to the email address as a secondary verification, but again would be a possible pain to implement for a limited benefit :(
orphenshadow
The Scope
Gallente Federation
#238 - 2012-04-03 21:49:17 UTC
Sounds sexy..

One thing I'm curious about.. It's kind of a hypothetical scenario but...

How does one figure out what isk was generated with a bot vs actual work..

For instance. If a player spent a lot of time actually ratting and doing stuff. But decided to run a bot for a few hours while he/she goes pvp on another toon..

How would CCP know that x isk was from bot, and y isk was legit?

Not that this scenario is even realistic. I'm pretty sure those with access to bots would never have the desire to rat :P
Shandir
EVE University
Ivy League
#239 - 2012-04-03 21:49:39 UTC
CCP Sreegs wrote:
To clarify on the ETC question regarding Shattered Crystal and our other resellers from earlier.

You may purchase 60 day ETCs from official resellers: https://secure.eveonline.com/etc.aspx

Those may then be converted for PLEX. They cannot be converted directly into isk. Only PLEX may be converted to isk. The only place to buy PLEX is from the account management section of our website or ingame for is.

I hope that helps.

I believe this is inaccurate given there's a GTC > ISK trading forum and feature in account management on EVE's site.

Legal ways to get 3rd party GTCs into ISK. Either GTC > PLEX conversion feature in game > ISK, or GTC > GTC trading feature on EVE's site > ISK.
Merin Ryskin
Peregrine Industries
#240 - 2012-04-03 21:50:10 UTC
CCP Sreegs wrote:
Then I guess we're just going to have to agree to disagree and leave it at that. :)


Yeah, I get the point, you're the CCP employee and I'm not, and I can't force you to publish the information I want to see.

However, you're going to see impressive new levels of outrage if you start "ending" alliances for RMTing without clearly defined procedures for how to do it and how to handle the impact on players who were not involved in RMTing themselves.