EVE Technology Lab

Stop using siggy, it is leaking your information

Terrorfrodo
Interbus Universal
#21 - 2014-04-09 23:20:23 UTC
Two step wrote:
as you are basically broadcasting your location to anyone who cares to find out.

That might be a slight exaggeration. I for one have no idea how to exploit this bug to hack Siggy and the same is true for probably 99.7% of the rest of the EVE population.

Also, that one guy developing a gaming tool for fun has not yet fixed his tool two days after the most severe vulnerability in the history of the real-life internet has been discovered, might maybe be forgiven. Even if it allowed poor Maes Trent to be exposed as a Cerberus pilot.

.

Daimian Mercer
Deep Core Mining Inc.
Caldari State
#22 - 2014-04-09 23:27:29 UTC
Terrorfrodo wrote:
Two step wrote:
as you are basically broadcasting your location to anyone who cares to find out.

That might be a slight exaggeration. I for one have no idea how to exploit this bug to hack Siggy and the same is true for probably 99.7% of the rest of the EVE population.

Also, that one guy developing a gaming tool for fun has not yet fixed his tool two days after the most severe vulnerability in the history of the real-life internet has been discovered, might maybe be forgiven. Even if it allowed poor Maes Trent to be exposed as a Cerberus pilot.


There is a Firefox plugin that can do all the "hacking" for you - though calling it hacking isn't accurate because there is nothing illegal about just listening to what a server is broadcasting to the world.

Also this did not require most secure servers to have to change or update anything, it was not a very big vulnerability... most tech news sites never even posted anything about it.

Lastly - Siggy has had major security issues for years... and I'm talking about JUST web server security, not the creator handing out personal data to friends.

Creator of Tripwire mapping tool - EVE-O thread

Twitter | daimian.mercer@gmail.com

Hidden Fremen
Lazerhawks
L A Z E R H A W K S
#23 - 2014-04-09 23:34:57 UTC
GRIM SOAR wrote:
Slander. Interesting.

I've used both. I prefer siggy.
Lolrip
Hidden Fremen
Lazerhawks
L A Z E R H A W K S
#24 - 2014-04-09 23:37:13 UTC
Double post...

Two step
Aperture Harmonics
#25 - 2014-04-10 01:16:53 UTC  |  Edited by: Two step
Terrorfrodo wrote:
Two step wrote:
as you are basically broadcasting your location to anyone who cares to find out.

That might be a slight exaggeration. I for one have no idea how to exploit this bug to hack Siggy and the same is true for probably 99.7% of the rest of the EVE population.

Also, that one guy developing a gaming tool for fun has not yet fixed his tool two days after the most severe vulnerability in the history of the real-life internet has been discovered, might maybe be forgiven. Even if it allowed poor Maes Trent to be exposed as a Cerberus pilot.


As was mentioned, it is quite easy to exploit it.

He isn't doing it "for fun", he is being paid by the corps and alliances that are using it.

CSM 7 Secretary CSM 6 Alternate Delegate @two_step_eve on Twitter My Blog

Rengas
AQUILA INC
#26 - 2014-04-10 01:24:37 UTC
I for one would like to thank Two Step Snowden for bravely exposing the creator of Siggy as a fiendish treacherous mastermind.

Too long have we suffered under the vindictive rule of Mess Who Shall Not Be Named.
Jack Miton
School of Applied Knowledge
Caldari State
#27 - 2014-04-10 02:12:26 UTC
Siggy's security has been lacking since it got released, it's nothing new.
That said, there are no alternatives to it that are anywhere close so people don't care.

There is no Bob.

Stuck In Here With Me:  http://sihwm.blogspot.com.au/

Down the Pipe:  http://feeds.feedburner.com/CloakyScout

Alundil
Rolled Out
#28 - 2014-04-10 02:31:33 UTC
Jack Miton wrote:
Siggy's security has been lacking since it got released, it's nothing new.
That said, there are no alternatives to it that are anywhere close so people don't care.

w-space is actually pretty decent imo. We had a private instance in our last corp.

I'm right behind you

Jack Tronic
borkedLabs
#29 - 2014-04-10 02:56:32 UTC  |  Edited by: ISD Ezwal
1. Give me the private key :P
2. The packages I needed to update the server were released late last night, they have been applied now.
3. I bought a new certificate so I don't have to wait for the old one to be revoked


Quote:

Also, that one guy developing a gaming tool for fun has not yet fixed his tool two days after the most severe vulnerability in the history of the real-life internet has been discovered, might maybe be forgiven. Even if it allowed poor Maes Trent to be exposed as a Cerberus pilot.


see #2

In other news I will be ditching openssl entirely from the server because I didn't realize the fudgeheads wrote their own malloc implementation which is beyond comprehension and idiotic.

In hindsight I should have disabled SSL earlier but meh, who knew a CSM member would actively spy on wormhole people beyond just reporting an exploit?


Quote:
First:
I tried to warn Siggy's creator about some of the security flaws months ago...

Second:
I'm sorry for the delay for all those who were requesting access to Tripwire - got kind of flooded with requests :) I am nearly caught up and will be available for further pummeling for the next 6 hours.

And for the record Tripwire is now used by over 150 corps/alliances. Some big names in that list are testing it.


Oh yes, you warned me of the fact someone could sniff HTTP traffic on YOUR OWN NETWORK. Geee, that's the risk of playing in Starbucks. I guess the NSA may also play EVE and want to gank you.

Yes I did end up implementing HTTPS for those that are so worried while sipping their coffee. It's funny because you only announced you had HTTPS a few hours after I convoed you in response to that sniffing allegation.

*Snip* Please refrain from posting private in game correspondence. ISD Ezwal.

I could also ding you for calling them PHP session id cookies when they aren't in any form, those cookies have the form of PHP_SESSID. Mine are called sessionID, they are verified with additional data such as your current IP address and user agent which, while it isn't much for protection, does add some limitations.

Honestly, I don't care who uses it as I want to remain as neutral as possible, in fact I don't know who uses it beyond the times when I'm asked for help. Never do I say who uses it in its history. You seem to be REALLY interested in bragging however.

If people give me feedback I take it and improve. I know I'm not that communicative as I do have a life and a job and multiple projects. The last month has been taken up submitting patches for the Atmel SAMA5 microprocessor to the Linux Kernel and also developing a patch set to implement per i2c device clock frequency in the i2c subsystem.

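The cookie check described in the post above (a session id verified against the client's current IP address and user agent), as an added example in Python; this is not Siggy's or Tripwire's code, and the cookie format, HMAC signing and in-memory session store are assumptions for illustration. It also shows why the post calls the binding a limitation rather than protection: a cookie replayed from the same address with the same browser still passes.

```python
import hashlib
import hmac
import secrets

# Server-side secret used to sign the session cookie (constructed for this example;
# a real deployment loads it from configuration rather than hard-coding it).
SERVER_KEY = b"example-server-key-do-not-reuse"

# In-memory session store: session id -> fingerprint of the client it was issued to.
_sessions = {}


def _fingerprint(client_ip, user_agent):
    """Hash of the client attributes the session is bound to."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def create_session(client_ip, user_agent):
    """Issue a cookie value 'sessionID.signature' and record who it was issued to."""
    session_id = secrets.token_hex(16)
    _sessions[session_id] = _fingerprint(client_ip, user_agent)
    sig = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{sig}"


def validate_session(cookie, client_ip, user_agent):
    """Accept the cookie only if it is unmodified, known, and presented from the
    same IP address and user agent it was issued to."""
    try:
        session_id, sig = cookie.split(".", 1)
    except ValueError:          # malformed cookie, no separator
        return False
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged cookie
        return False
    bound = _sessions.get(session_id)
    if bound is None:                             # unknown or expired session
        return False
    # Constant-time comparison of the stored and presented client fingerprints.
    return hmac.compare_digest(bound, _fingerprint(client_ip, user_agent))


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed example UA)"
    cookie = create_session("203.0.113.10", ua)
    print(validate_session(cookie, "203.0.113.10", ua))   # legitimate client: True
    print(validate_session(cookie, "198.51.100.7", ua))   # replayed from elsewhere: False
```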
Ayeson
State War Academy
Caldari State
#30 - 2014-04-10 03:57:21 UTC  |  Edited by: Ayeson
Daimian Mercer wrote:

Lastly - Siggy has had major security issues for years... and I'm talking about JUST web server security, not the creator handing out personal data to friends.


get off your high horse, there is no "Backdoor" into siggy for bros

While we're slandering, Tripwire makes me want to vomit, the UI is atrocious and its lack of customizability makes me want to abort it with a coathanger.

Yes I'm in a bad mood.
Jack Tronic
borkedLabs
#31 - 2014-04-10 04:08:17 UTC  |  Edited by: Jack Tronic
Ayeson wrote:
Daimian Mercer wrote:

Lastly - Siggy has had major security issues for years... and I'm talking about JUST web server security, not the creator handing out personal data to friends.


get off your high horse, there is no "Backdoor" into siggy for bros

While we're slandering, Tripwire makes me want to vomit, the UI is atrocious and its lack of customizability makes me want to abort it with a coathanger.

Yes I'm in a bad mood.


Well, got to slander people in order to get attention I suppose.
Tetsuo Tsukaya
Perkone
Caldari State
#32 - 2014-04-10 04:26:46 UTC
Woops. Siggy just updated, this is the wrong place for the badger CTA after all
Winthorp
#33 - 2014-04-10 05:05:49 UTC
I honestly don't know why Two Step would be a douche and post this on a public forum first? Did you even approach the siggy guy to tell them what is possible and ask that it be fixed before you spurged it over here for everyone to see?

Seems to me that you have some personal issue with this guy and you have done this spurge to ruin the in game business he has going for a lot of work invested by him regardless of people's views on siggy (personally I don't like siggy). It just seemed a douche way to go about this Two Step.
Sith1s Spectre
Imperial Academy
Amarr Empire
#34 - 2014-04-10 05:07:31 UTC
Wow,

Just looks like two step has a grudge against the operator of siggy.

Reality is the majority of large WH groups have their security compromised in some way and the apparent leaking of information is no worse than some dude in your corp being a spy.

You only have to look at eve skunk to see what I'm talking about.

Anyways, Siggy has been a great program over the years I have been using it and IMO none of the other mappers can match it in features or being user friendly.

Sith


Resident forum troll and fashion consultant

Jack Miton
School of Applied Knowledge
Caldari State
#35 - 2014-04-10 05:38:58 UTC
Winthorp wrote:
I honestly don't know why Two Step would be a douche and post this on a public forum first? Did you even approach the siggy guy to tell them what is possible and ask that it be fixed before you spurged it over here for everyone to see?

Seems to me that you have some personal issue with this guy and you have done this spurge to ruin the in game business he has going for a lot of work invested by him regardless of people's views on siggy (personally I don't like siggy). It just seemed a douche way to go about this Two Step.

Two Step has personal competitive issues with siggy since he wrote the AHARM mapper (no idea if they still use it), he's never been a fan.
His mapper was great in 2010 but it didn't keep up with siggy at all.

There is no Bob.

Stuck In Here With Me:  http://sihwm.blogspot.com.au/

Down the Pipe:  http://feeds.feedburner.com/CloakyScout

Jess Tanner
Bangworks Systems Inc.
#36 - 2014-04-10 05:58:32 UTC
Paikis
Vapour Holdings
#37 - 2014-04-10 07:32:46 UTC
Glyndi wrote:
In other traffic related news, I'm in Phoenix waiting on a corner for Proc to give me a handy.


Can confirm that the only use for the Phoenix is in waiting on corners.
Jack Miton
School of Applied Knowledge
Caldari State
#38 - 2014-04-10 07:49:27 UTC
well we used tripwire for about 3 hours before switching back to siggy, buggy or not.
tripwire... yeah... >_<

There is no Bob.

Stuck In Here With Me:  http://sihwm.blogspot.com.au/

Down the Pipe:  http://feeds.feedburner.com/CloakyScout

Terrorfrodo
Interbus Universal
#39 - 2014-04-10 08:04:20 UTC
Daimian Mercer wrote:


Also this did not require most secure servers to have to change or update anything, it was not a very big vulnerability... most tech news sites never even posted anything about it.

Are you kidding me? Hundreds of major sites including Googlemail, Adobe, many banks and even Verisign itself have been vulnerable and all data including access passwords for email and banking are now potentially in the hand of criminals. Also private keys could have been stolen so that any "secure" website that does not change its keys is potentially open to attack at any time, even if the site itself was not vulnerable to this bug.

And of course this is top news at every tech site I read. Also it was on the New York Times.

.

Tasiv Deka
Royal Amarr Institute
Amarr Empire
#40 - 2014-04-10 08:09:09 UTC
Jack Miton wrote:
well we used tripwire for about 3 hours before switching back to siggy, buggy or not.
tripwire... yeah... >_<


Literally they started toying with it while I was moving in... by the time I logged they had decided it was **** and we would just deal with siggy.

Oh, do go on... no seriously I've got nothing better to do than listen to all the petty arguments and feeble trolling attempts...

The sad thing is I'm not sure if I'm telling the truth.