EVE General Discussion

Because it is still a setback. And a small security precaution like asking for an API can help dissuade it from happening.
No its not a perfect system, but just because it's not perfect doesn't mean it's useless.

Locking your door at night isn't perfect protection from someone breaking into your house. And most things you own are probably relatively easy to replace. So why bother locking your door at night? Why do you care?

It takes as long as you want it to take. Sure you could pour over every little detail. Read every single mail etc. And if your doing that then yes it's probably a waste of time. All that you really need though is a quick look, see if anything suspicious stands out. Regular or large deposits of money, frequent communications with a potentially hostile group, etc. Generally It takes less time to do than the interview itself. 5-10 minutes or so in most cases. And I've reviewed probably about 200 applications in my eve career.

So yeah, that can add up, but it's a small price to pay for the added security. And as I said can easily be worked directly into the interview process.

This was before my time at eve uni. Back when i ran my own corp And yeah over the 2-3 years the Corp was active, only had one case of "theft" and that was a newer player who had borrowed a barge from the fleet hangar. Logged off for the night and never logged back on.

33 hours over 3 years is less than an hour per month. I spend more time than that ship spinning. So it's a small price to pay for even the little bit of extra security when billions in assets are on the line.

This.

Although having said that, some progress was made with the citadel permissions system.

Ultimately, eve corps / alliances assets will continue to be "insecure" until CCP opens those functions up to writable API so we can write our own logic for who gets access to what.

I'd happily dump 100 fitted ships in a hanger that my corp could take... so long as I could write my own logic on top of it.

Click Button > Request Ship > Writable API is used to contract you one immediately.

Already requested a ship 5 minutes ago? No more ships for you for a while.

Vs Click > Drag > You now own 100 fitted ships.

Ccp is unlikely to ever do that though. Because theft and espionage are part of the game. It's what makes it unique. If you want perfect asset safety then there are plenty of other games you can go and play.

But they do have tools in place, the API being one of them, that can help with that safety. But only if you choose to use it.

You seem to think that the API is something completely separate from the game. When it is a tool developed for us to use by ccp.
There are many things you can do with it, or not. But that doesn't make it any less valid as a tool.

Is it because you need to use an outside browser to view it? Would you prefer if ccp implemented a way to view people's API information from inside the game? Because that is actually an idea I could get behind. Especially since the IG browser went away.

That's not how security works most of the time.

I could give you the keys to a warehouse and you might be able to go in there and take a few things, but security is going to stop you if you bring in 500 trucks and try to clear the place out in 5 minutes without any written authorisation to do it from the higher-ups.

Limits and triggers are an essential part of any modern security system, EVE has neither (in-game).

I wonder what's the rough percentage of the players who have skimmed the ELUA.



There. I always had the reason to suspect that the Big Brother is watching. Since handing my API to a looming malevolent presence, I -know- he does. Feels better already.

I just hope they slap on my wrist before I do something that warrants Room 101 treatment.

Why do you feel people should let you join a corp without provide some basic background info?

Sure a spy/thief can still get in if they really want but it requires more effort to maintain a clean api rather than corp hoping and stealing everything they can

In terms of how it helps:

1. As a measure of demonstrating commitment to the Corp/Alliance you are joining

Take Goons for example. They have just under 25,000 members based on Dotlan. Before the war last year, lots of people who started EVE, just wanted to join Goons to rat in null and make plenty of ISK. They weren't joining because they wanted to be a Goon. They wanted to get something, but not give much. If you are in the Leadership and completely committed to providing for your Alliance, wouldn't you also want people who join to show some commitment also. Effort should go both ways?

By requiring a full account API for every account, the receruits demonstrate a willingness to put some skin in the game so to speak. Without an API, all the commitment comes from the Alliance only, by accepting them. So the API is a kind of a way that both the Alliance and the members give something to each other.

2. As a measure of honesty

Particularly when it comes to climbing the ladder of the larger Alliances and getting into more key positions, the full API key lets issues be spotted relatively easily, because people often slip up.


3. As a deterrent

Spies, awoxers, etc. aren't always people that join for that specific purpose. People can be opportunistic too. Having your API already on record can be a deterrent to people who are normally honest, but who get tempted in a moment of weakness.

It also helps track who different contacts are and who might be getting contacted from outside by someone else, who does have ulterior motives.

4. As a way to know if people really can fly doctrines

Doctrines can be key in some Alliances, so being able to confirm what people can actually fly helps, because a lot of people say they can fly something, but then find that there's a skill they are missing, etc. Knowing what skills people have helps focus their training and/or see whether they really can be part of certain fleets

5. As a way to monitor/confirm alt abilities and activities

Take me, I have an industry/hauling alt that has almost every industrial ship available in the game. She isn't on this account and isn't in my Corp. She flies as a neutral, mostly NPC Corp alt. Knowing through an API check who she is, allows her to be more easily be set to blue status, to help with logistics without being killed. Additionally, having her API on record provides a good way to see how reliable I am when it comes to industry and logistics, because completed jobs and contracts are tracked.

In many Alliances, capital manufacture relies on alts too. Having access to the API for those alts (even if on the same account), helps monitor capital component manufacture, other industry work, POS related reaction work, etc. which are completed individually, but often using Corp/Alliance owned blueprints, resources, etc.

Also, key for Capital capable alts. They aren't always members of the Corp/Alliance.

______

Those are just some reasons I can think of, off the top of my head, but there are others too.

As to how the API is used, the easiest way to see if to go to API jackknife, create a temporary API for yourself and put it in (then delete it immediately after you finish - recognising that APIJackknife might already log your current info):

http://ridetheclown.com/eveapi/audit.php

There's lots that can be tracked, from your basic character information to full access to evemail history, contacts, jobs, ISK, etc.

For the major Alliances that really do have a reason to be paranoid, a lot of the work is automated, so the API goes into their system and it will automatically generate a report for recruitiers that identify anything to ask about (eg. character purchases and sales, ISK transfers to chacracters in and out, possible alts not reported, etc.).

On top of that, there are other measures that some Alliances use with their out of game services. Here's a good one from a while back on PL's security on their forums for example:

https://www.reddit.com/r/Eve/comments/1ftvub/pl_forum_watermarking_unmasked_and_explained/ (images are gone now)

IP tracking and voice analysis on comms have also been used in the past to identify spies. Anything that can be done in the IT field in terms of security, probably has been done at some point in EVE. There's some pretty smart people that play.


________

As a last point, in terms of why. Particularly for the larger Alliances, there is a point at which the intelligence available by having everyones APIs, becomes it's own asset.

For example, I have 8 accounts total now, with characters in a mix of different Corps. If I was to join Goons, they would get the intel across all of those potentially 24 characters, including all information sent in Corp/Alliance evemails, etc.

Multiple that by their near 25,000 members and the volume of intel available on other Corps and Alliances becomes it's own thing. The API becomes less about knowing about me, and a way to know about everyone.

So, if I had any characters in Goons and in some Alliance that was at war with them for example, my APIs become a way for them to monitor their enemies, without ever bothering me directly. They just monitor evemails for all characters they have on record in other Corps/Alliances and they can potentially see what is being planned, where operations might be occuring, etc. It can be a valuable tool once you scale it up.

Would you expect to get a job after going to the interview and saying "trust me" with nothing more?

The only large corp I know of that doesn't care about APIs is Horde, but they've nothing worth stealing nor do they care about spies.

Having api checks isn't a foolproof way of prevent people joining your corp for malicious reasons (if they want in they'll find a way) but it does add increased effort on their part. Maintaining a meticulously clean api to spy with requires a bit of effort and once burned it's useless. Useless as long as people are checking apis. It can still get into the more lax corps.

Having done recruitment stuff in the past you'd be surprised what you can learn from someone's apis. Personally I view it as a trust thing. If you've nothing to hide from the corp then you have no issue giving your api. If you don't want to show your api then you've a reason for doing so and shouldn't be trusted and should not get invited.