Wormholes

Resolved topic:
"The day / timing of when you accessed our chain pretty much matches up with when peter moonlight reported problems. I am happy to admit that it looks like i am / we were probably wrong. I didn't look close enough to see the timings were similar, my bad.

I will update the original post accordingly, and feel free to bury this topic.

Keep up the good work o7"


Original Post for Reference:
Following the invasion of noho by QEX / BU / Hardknocks and Lazerhawks, I wanted to highlight something to the w-space community about the mapping tool we all know as siggy in case you are unaware.

When siggy is used in an out of game browser, you don't need password authentication (if that's how you have it set up). What this means is that anyone with a very limited api for a character in your corp or alliance can register an account and access your siggy without the need for a password or the need to log into eve.

Ok now that's out of the way, let me show you our suspicions as to why we have stopped using siggy.

The moment we suspected capitals were being seeded into Polaris, we were obviously trying to keep eyes open as much as possible, and from what we saw, it almost felt like the hostiles seemed to already know our chain sometimes. But that was all speculation until we noticed a character called Azbogah monitoring our siggy from out of game:

http://s12.postimg.org/oiwozao71/Screenshot.png

To my knowledge, Azbogah is an alt of the creator of siggy. Notice that his account ID is 1... And the corp Interstellar Alcohol Conglomerate has some relation to one of the entities involved in invading us (farming corp?). This means that either through a leaked API or abuse of siggy admin, the owner of siggy was peeking into our chain, and considering the timing of it... its kind of obvious why don't you think?

Some of this will likely be speculation to you, but I will leave you all to make your own minds up on your continued use of siggy, and whether you can trust the guy running it.

Cheers o7

messoroz is my dad he would never do something so underhanded

mess is a **** but im p sure he wouldn't do this

a counter thing to your post: it might be that his account has rights to all siggy maps/orgs and that the session list shows online users which can access your thing?

Look internally before you start blaming external sources.

Let me say this again.

The way people get access to your maps is when people NEVER DELETE THEIR OLD API KEYS.

You know how Hard Knocks gets your API keys? Various other eve sites have been breached over the years and theres literally API key dumps you can download.

I have no way of policing API keys. CCP has to implement requester url/ip lockdowns on keys. It is the only way to fix the current disaster everyone is ignoring with the keys.


Don't even get me started on how difficult it is to even get to the API key page. It should extremely visible in Account Management . It shouldn't be listed under "Support", it has nothing to do with Support. It should not be part of some obscure community portion of the website that nobody visits. API key access history should be a giant button of doom in account management if CCP gave two turds about security.


If you use tripwire you are just as vulnerable. Heck if you use any auth system that allows API keys, you are vulnerable. Yes, people get access to API protected teamspeak this way.



As soon as CCP fixes their oAuth implementation(renewal tokens actually work) and make it public for TQ, I will ditch the API system entirely because it's inherently insecure.





I had to add myself to your chainmap to verify the issue you were experiencing because it wasn't immediately obvious. As you can see if I ever do this, I don't hide it. I am fully visible to all users and am visible in the admin options as well.

http://i.imgur.com/4V6k1st.jpg

I did end up fixing all the memory leaks since then.

People still use API keys for verification?

My server and the siggy server live in the same rack and I can't even access it. This argument is invalid. Siggy is uber secure. (Unless the rack manager is mad at HK and decides he wants to just power down the box to make our lives miserable, but that's more of a problem with us being assholes than a security flaw)

Hi! So, IAC is actually an alliance. One with a long and prestigious history at that. We don't do any bearing whatsoever. At this point we have only a handful of people keeping the name alive as it's very much a shell of its former glory. Tyrrax isn't involved in its current operations.

Currently the few that are active reside with HK. Your invasion however was not aided in any way by us through handing out siggy data. HK/BU/etc did all the hard work on their own (read: spies). There are only two people that have access to siggy's raw data and only one that has physical access to the server (that would be me).

We have a vested interest in our product to keep our clients confidence. We think it will be unfortunate that we might lose you as a customer due to our relations with those who decided to invade you, but I can assure you that we provided them no assistance. They don't even bother asking us for data because they're aware of our position in all of this. It would be foolish to throw away years of work and money spent (servers aren't free) just for something like that.

If you have any further questions regarding siggy or my alliance, I'll be more than glad to explain.