evewho.com - Showing more than I want to show. No privacy !

Azitek
Serenity Labs
#21 - 2011-09-20 15:47:51 UTC
Othran wrote:

so unless you can tell the characters on an account which you don't have the limited API key for, it's leaked from one of them.


This is exactly what he's doing: creating a program that guesses massive amounts of API keys. When it happens on one that's in use, it records what it finds. No leaks needed, just some dedicated CPU power.
Othran
Route One
#22 - 2011-09-20 15:49:13 UTC
Azitek wrote:
Othran wrote:

so unless you can tell the characters on an account which you don't have the limited API key for, it's leaked from one of them.


This is exactly what he's doing: creating a program that guesses massive amounts of API keys. When it happens on one that's in use, it records what it finds. No leaks needed, just some dedicated CPU power.


Ta - I understand now. Shouldn't have expected anything else from CCP mmm?
Miilla
Hulkageddon Orphanage
#23 - 2011-09-20 15:49:53 UTC
Azitek wrote:
Othran wrote:

so unless you can tell the characters on an account which you don't have the limited API key for, it's leaked from one of them.


This is exactly what he's doing: creating a program that guesses massive amounts of API keys. When it happens on one that's in use, it records what it finds. No leaks needed, just some dedicated CPU power.



So if he is abusing the API, and attempting to scan it for API keys, then he should be banned according to the rules, no?

Adrenaline Reaper
The Scope
Gallente Federation
#24 - 2011-09-20 15:52:08 UTC
Azitek wrote:
Othran wrote:

so unless you can tell the characters on an account which you don't have the limited API key for, it's leaked from one of them.


This is exactly what he's doing: creating a program that guesses massive amounts of API keys. When it happens on one that's in use, it records what it finds. No leaks needed, just some dedicated CPU power.


He is not cracking the API keys, that would not be allowed as you have effectively hacked someone's account. But you are on the right lines, he is just guessing char ids and seeing if they work, it's not even that compute intensive.
Miilla
Hulkageddon Orphanage
#25 - 2011-09-20 15:56:52 UTC
Adrenaline Reaper wrote:
Azitek wrote:
Othran wrote:

so unless you can tell the characters on an account which you don't have the limited API key for, it's leaked from one of them.


This is exactly what he's doing: creating a program that guesses massive amounts of API keys. When it happens on one that's in use, it records what it finds. No leaks needed, just some dedicated CPU power.


He is not cracking the API keys, that would not be allowed as you have effectively hacked someone's account. But you are on the right lines, he is just guessing char ids and seeing if they work, it's not even that compute intensive.


Scanning the APIs by brute force SCRAPING DATA.

Reported for abuse and hacking :)

I wondered why the API was taking longer, it is probably him scanning it.

Othran
Route One
#26 - 2011-09-20 15:57:41 UTC  |  Edited by: Othran
I think this requires fixing. It's ludicrous that it's possible to datamine in this manner.

What on earth was the designer thinking?

Edit - change API such that a call without limited API key returns no data. Isn't that the logical default?
malaire
#27 - 2011-09-20 16:00:59 UTC  |  Edited by: malaire
Practical example of how this might be done:

1) get a few character names (e.g. malaire, Miilla, Adrenaline Reaper)
2) use API to get characterIDs of those characters (e.g. this link for those 3 characters)
*) malaire = 1628541932, Miilla = 1365934490, Adrenaline Reaper = 916738779
4) use those IDs to get character information (malaire info, Miilla info, Adrenaline Reaper info)
5) this step was removed since it is not allowed

New to EVE? Don't forget to read: The Manual * The Wiki * The Career Options * and everything else

malaire
#28 - 2011-09-20 16:02:20 UTC  |  Edited by: malaire
Othran wrote:
I think this requires fixing. It's ludicrous that if you can present a user ID and no key then you get the characters on that account returned.

It's beyond ludicrous in fact - it's incompetence.

It doesn't work like that, see my example above. You can just get information for a single character (not account) when you guess the characterID of that character.

Also, that characterID is NOT the same as the userID used with old API keys.

Othran
Route One
#29 - 2011-09-20 16:06:35 UTC  |  Edited by: Othran
malaire wrote:
Othran wrote:
I think this requires fixing. It's ludicrous that it's possible to datamine in this manner.

What on earth was the designer thinking?

It doesn't work like that, see my example above. You can just get information for a single character (not account) when you guess the characterID of that character.


Yeah and that's fine - from your example you are required to know the name of the char to get the charID, no problem with that at all.

Doing it the reverse way, randomly trying charID to get a result - no, I'm not at all happy with that. It's ****-poor design.
Tippia
Sunshine and Lollipops
#30 - 2011-09-20 16:25:03 UTC
…on the other hand, if he was just scraping characterIDs, there shouldn't be so many characters missing.
Othran
Route One
#31 - 2011-09-20 16:33:22 UTC
Tippia wrote:
…on the other hand, if he was just scraping characterIDs, there shouldn't be so many characters missing.


Doesn't matter whether he's scraping or guessing.

Any system which confirms or refutes the existence of a user (or character in this case) by providing a user id of some description but no key/pw is broken beyond belief.

What's more, the designer who thought that would be OK is quite clearly not competent.

It's absolutely ****-poor design, appallingly bad.

There's nothing else to be said Tippia - there's no good reason for this API behaviour. None.
Adrenaline Reaper
The Scope
Gallente Federation
#32 - 2011-09-20 16:38:55 UTC
Othran wrote:
Tippia wrote:
…on the other hand, if he was just scraping characterIDs, there shouldn't be so many characters missing.


Doesn't matter whether he's scraping or guessing.

Any system which confirms or refutes the existence of a user (or character in this case) by providing a user id of some description but no key/pw is broken beyond belief.

What's more, the designer who thought that would be OK is quite clearly not competent.

It's absolutely ****-poor design, appallingly bad.

There's nothing else to be said Tippia - there's no good reason for this API behaviour. None.


The whole point of the API is to provide the same data you can get ingame, but accessible to other applications. You can check the corp of each char manually ingame, so why should you not be able to do it on a website?
Othran
Route One
#33 - 2011-09-20 16:44:48 UTC  |  Edited by: Othran
Adrenaline Reaper wrote:
The whole point of the API is to provide the same data you can get ingame, but accessible to other applications. You can check the corp of each char manually ingame, so why should you not be able to do it on a website?


So he's doing it all manually?

Pull the other one, it has bells on it.

The point is that this ISN'T MANUALLY OBTAINED INFO. It's obtained through "guessing" (yeah right) charID keys and seeing whether you guess right - and with over 2 million characters on there (supposedly) there is no way it's not automated.

Needs fixing and I sadly agree with Miilla - ban is in order in this case.

Edit - let him guess the character names mmm? That'd be fair. Of course nobody in their right mind is going to do that.

Edit2 - he's scraping Tippia. Too many characters that I know of who have been inactive from 2003/2004 show up there for it to be anything else.
Tippia
Sunshine and Lollipops
#34 - 2011-09-20 16:49:17 UTC
Adrenaline Reaper wrote:
The whole point of the API is to provide the same data you can get ingame, but accessible to other applications. You can check the corp of each char manually ingame, so why should you not be able to do it on a website?
Not quite. The point is that this behaviour can provide data that isn't available otherwise.

For instance, if you do not know that a character exists, you cannot find it in-game nor can you discover who's in those "unknown" corp slots; using the charID and API calls, you can discover its existence and tie it back to the corp that way.

SLOPS has four members; three are easily divined by looking at the corp info. The fourth is not since he's been hiding fairly well (and he isn't even on evewho as far as I can tell), and there is no way to ferret him out by going on an Info-screen trek. However, guess his characterID, and he'll pop up, and information that is not otherwise available will be revealed.
Messoroz
AQUILA INC
Verge of Collapse
#35 - 2011-09-20 16:53:18 UTC
I'm surprised the site hasn't been blacklisted from the API for brute forcing the character IDs.
Othran
Route One
#36 - 2011-09-20 16:56:41 UTC  |  Edited by: Othran
Messoroz wrote:
I'm surprised the site hasn't been blacklisted from the API for brute forcing the character IDs.


I don't think he is - I think he's scraping a range +/- on each character found on other sites or obtained from local (I can see a macro working VERY well here).

Definitely deserves the banstick though - and this needs changing ASAP, as does the dev who thought this was OK
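
The two access patterns argued over in posts #35 and #36 (guessing IDs at random versus walking a range around known IDs) leave different traces in an API access log. The following is an added example, not part of the original thread and not CCP's code, showing how an API operator could tell them apart; the log format, path, addresses, IDs and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed (constructed) access-log format: "<client> GET <path>?characterID=<id> <status>"
LINE = re.compile(r"^(\S+) GET \S*characterID=(\d+) (\d{3})$")

def parse(lines):
    """Group (characterID, status) pairs by client address."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            per_client[m.group(1)].append((int(m.group(2)), int(m.group(3))))
    return per_client

def longest_run(ids, max_gap=1):
    """Longest chain of distinct IDs whose neighbours differ by at most max_gap."""
    ids = sorted(set(ids))
    best = cur = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        cur = cur + 1 if b - a <= max_gap else 1
        best = max(best, cur)
    return best

def classify(per_client, min_ids=20, miss_ratio=0.5, run_len=10):
    """Label each client: 'range-sweep', 'random-guessing' or 'normal'."""
    verdicts = {}
    for client, reqs in per_client.items():
        ids = [cid for cid, _ in reqs]
        distinct = len(set(ids))
        misses = sum(status == 404 for _, status in reqs) / len(reqs)
        if distinct >= min_ids and longest_run(ids) >= run_len:
            verdicts[client] = "range-sweep"       # dense +/- walk around a seed ID
        elif distinct >= min_ids and misses >= miss_ratio:
            verdicts[client] = "random-guessing"   # many IDs, mostly nonexistent
        else:
            verdicts[client] = "normal"
    return verdicts

def sample_log():
    """Constructed log lines; addresses, path and IDs are made up."""
    fmt = "{} GET /char/info?characterID={} {}"
    sweep = [fmt.format("10.0.0.1", 900000100 + d, 200 if d % 3 == 0 else 404)
             for d in range(-15, 16)]
    guess = [fmt.format("10.0.0.2", 900000000 + k * 7919, 200 if k % 10 == 0 else 404)
             for k in range(30)]
    normal = [fmt.format("10.0.0.3", cid, 200) for cid in (900000007, 900123456, 901000001)]
    return sweep + guess + normal

if __name__ == "__main__":
    print(classify(parse(sample_log())))
```

The miss ratio is only usable when the API answers differently for existing and nonexistent IDs, which is the behaviour the thread objects to; the range-sweep check works on the requested IDs alone.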
Nyio
Federal Navy Academy
Gallente Federation
#37 - 2011-09-20 16:59:13 UTC
This thread is now called: Geniuses Speculating ..
Miilla
Hulkageddon Orphanage
#38 - 2011-09-20 17:16:27 UTC
WIN for PRIVACY LEAKS!

Go CCP!
Zagam
Caldari Provisions
Caldari State
#39 - 2011-09-20 17:20:23 UTC
Shionoya Risa wrote:
Zagam wrote:

Why is it so important that the info is hidden?


Apart from the massive intel boost it gives?

To both sides.

Evewho can be used against you, or it can be used for you. I've been on both sides of it.
Miilla
Hulkageddon Orphanage
#40 - 2011-09-20 17:22:14 UTC
So what was the point of having API Keys controlled by the CUSTOMER if it is being leaked all over the API surface?