EVE General Discussion

evewho.com - Showing more than I want to show. No privacy !

malaire
#61 - 2011-09-20 17:59:29 UTC
Other site, EVE Central Intelligence, collected 3.9 million valid characterIDs without using characterID guessing.

New to EVE? Don't forget to read: The Manual * The Wiki * The Career Options * and everything else

CCP Stillman
C C P
C C P Alliance
#62 - 2011-09-20 18:00:30 UTC
Miilla wrote:


So it is allowed if we generate a low ratio of errors to success API calls.

Just to clarify.



That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.

Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls

Just a random dude in Team Security.
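
An added illustration (not CCP's code and not part of any post in this thread) of the counting rule CCP Stillman describes in the reply above: invalid lookups are counted per client on their own, so later valid calls do not dilute them. The class name, the limit of 3, the one-hour window and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

class InvalidLookupThrottle:
    """Per-client count of invalid-ID lookups in a sliding time window.

    Successful calls are deliberately ignored by the block decision, so
    padding traffic with valid lookups cannot lower the count.
    Limit and window are assumed values, not CCP's.
    """
    def __init__(self, max_invalid=3, window_s=3600):
        self.max_invalid = max_invalid
        self.window_s = window_s
        self._bad = defaultdict(deque)   # client -> timestamps of invalid lookups
        self._ok = defaultdict(int)      # kept only for the ratio comparison

    def record(self, client, ts, valid):
        if valid:
            self._ok[client] += 1
        else:
            self._bad[client].append(ts)

    def invalid_in_window(self, client, now):
        q = self._bad[client]
        while q and q[0] <= now - self.window_s:
            q.popleft()                  # only age removes an error
        return len(q)

    def is_blocked(self, client, now):
        return self.invalid_in_window(client, now) >= self.max_invalid

    def error_ratio(self, client, now):
        bad = self.invalid_in_window(client, now)
        total = bad + self._ok[client]
        return bad / total if total else 0.0

def replay(events, **kw):
    """Feed (client, timestamp, valid) tuples into a fresh throttle."""
    t = InvalidLookupThrottle(**kw)
    for client, ts, valid in events:
        t.record(client, ts, valid)
    return t

# Constructed sample traffic: (client, timestamp in seconds, lookup was valid)
PADDED = [("198.51.100.7", i, False) for i in range(3)] + \
         [("198.51.100.7", 10 + i, True) for i in range(97)]
FLAKY = [("203.0.113.9", 0, False), ("203.0.113.9", 5000, False)] + \
        [("203.0.113.9", 5001 + i, True) for i in range(5)]
```

A ratio-based rule would pass the first client at 3% errors; the absolute count still blocks it until the errors age out of the window.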

Zaraki Kenpachi
Doomheim
#63 - 2011-09-20 18:01:28 UTC
oh boy.. surprised to find some of my alt ... they never did **** but here they are

I'll just leave the disclaimer of evewho here :
Quote:

All numbers based on known characters and may differ from in game values. All characters found by scavenging killboards, eve-search, and finding holes in character id sequence data and filling them.


now what..?
Othran
Route One
#64 - 2011-09-20 18:02:10 UTC  |  Edited by: Othran
CCP Stillman wrote:
Miilla wrote:


So it is allowed if we generate a low ratio of errors to success API calls.

Just to clarify.



That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.

Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls


Do you consider it good design that the API confirms or refutes the existence of a character ID without a key?

Edit - and I could distribute requests all over the place, as could LOTS of Eve players. You going to check the error rate over what (for example) is the known PL IP addresses? No of course you're not. NB-not suggesting PL are involved, but I know you guys log all your IP addresses on comms/forums/etc hence the example.
Miilla
Hulkageddon Orphanage
#65 - 2011-09-20 18:02:34 UTC  |  Edited by: Miilla
CCP Stillman wrote:
Miilla wrote:


So it is allowed if we generate a low ratio of errors to success API calls.

Just to clarify.



That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.

Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls


So spread them over multiple proxies, API calls are lightweight on a proxy/VPN.

The API can be called from Amazon's Elastic Cloud VMs :)
Messoroz
AQUILA INC
Verge of Collapse
#66 - 2011-09-20 18:02:58 UTC
CCP Stillman wrote:
Miilla wrote:
CCP Navigator wrote:
I have spoken with the developers who manage and maintain the EVE API. They have assured me that evewho is not conducting any illegal or underhand method of obtaining API information. All information gathered has been posted publicly in one form or another. We maintain a very close eye on what is happening with the API and will continue to do so.




So it is ok to scan the API?

CONFIRMED, get those API scanners going people

I just want to clarify:

We have very clear policies about what's allowed and not. As you will know, we will throttle invalid calls, as we do not allow throwing 10 million random IDs at the API and hoping they return data.

Scraping through characterIDs hoping to hit a valid one is NOT allowed. Doing so will get your IP blocked from the API. But doing valid calls because you know it's a valid ID is fine. But generating excess errors will get your IP blocked.



But they had to scrape, they have npc corp alts never even logged into listed that should otherwise not exist. Unless they got access to a set of api keys from other sources they shouldn't have.
CCP Stillman
C C P
C C P Alliance
#67 - 2011-09-20 18:05:11 UTC
Othran wrote:
CCP Stillman wrote:
Miilla wrote:


So it is allowed if we generate a low ratio of errors to success API calls.

Just to clarify.



That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.

Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls


Do you consider it good design that the API confirms or refutes the existence of a character ID without a key?

The fact it doesn't require a key is an issue in the original design we wanted to change for the Incarna release, but wasn't done soon enough.

We're of course concerned with backwards compatibility, and doing such changes late in the development cycle would not be good.

But then again, a key is very easy to get hold of.

Just a random dude in Team Security.

Miilla
Hulkageddon Orphanage
#68 - 2011-09-20 18:06:57 UTC
Are you going to require that applications be "authorised" by some kind of unique APP certificate so you can tell which apps are putting what loading on the servers etc?

CCP Stillman
C C P
C C P Alliance
#69 - 2011-09-20 18:07:47 UTC
Miilla wrote:
CCP Stillman wrote:
Miilla wrote:


So it is allowed if we generate a low ratio of errors to success API calls.

Just to clarify.



That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.

Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls


So spread them over multiple proxies, API calls are lightweight on a proxy/VPN.

What you're pointing to is an inherent issue with the internet: Anonymity.

The developer license, as discussed at fanfest, was one aspect of ensuring that any traffic can always be tracked back to a developer. But of course, there were some fundamental issues with that system, as I'm sure we all remember. But we of course want to keep people responsible if they're abusing the API service. And we do so, on a regular basis. If people abuse the characterInfo/CharacterName calls, then they WILL feel the consequences.

Just a random dude in Team Security.

okst666
Federal Navy Academy
Gallente Federation
#70 - 2011-09-20 18:08:07 UTC
I think this service is perfect.

please make a button to extract the date and automagically paste it into eveclient, and set given corpmembers to -10 and check that little notification when they go on/offline.

It would also be quite useful to know where those people are at any moment.

[X] < Nail here for new monitor

Othran
Route One
#71 - 2011-09-20 18:08:42 UTC
CCP Stillman wrote:
Othran wrote:
CCP Stillman wrote:
Miilla wrote:


So it is allowed if we generate a low ratio of errors to success API calls.

Just to clarify.



That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.

Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls


Do you consider it good design that the API confirms or refutes the existence of a character ID without a key?

The fact it doesn't require a key is an issue in the original design we wanted to change for the Incarna release, but wasn't done soon enough.

We're of course concerned with backwards compatibility, and doing such changes late in the development cycle would not be good.

But then again, a key is very easy to get hold of.


Would you like to stop with weasel words?

It's appallingly bad design practice is it not? The fact you seem to consider it acceptable makes me wonder what else in your infrastructure you consider acceptable.

So when will it be fixed?
CCP Stillman
C C P
C C P Alliance
#72 - 2011-09-20 18:08:50 UTC
Miilla wrote:
Are you going to require that applications be "authorised" by some kind of unique APP certificate so you can tell which apps are putting what loading on the servers etc?


I can't speak in certain terms, as the plans aren't done at this point. But does it make sense to me? Yes.

Just a random dude in Team Security.

Miilla
Hulkageddon Orphanage
#73 - 2011-09-20 18:10:11 UTC
How about this for an idea, NO API INFO without a valid KEY. Period. NOTHING; absolutely ZERO output.

If they have a valid reason to query the API, they would have a key.

Miilla
Hulkageddon Orphanage
#74 - 2011-09-20 18:11:41 UTC  |  Edited by: Miilla
CCP Stillman wrote:
Miilla wrote:
Are you going to require that applications be "authorised" by some kind of unique APP certificate so you can tell which apps are putting what loading on the servers etc?


I can't speak in certain terms, as the plans aren't done at this point. But does it make sense to me? Yes.



Which would also allow the API to be load balanced based on app and also a SHARDED API by having a "Pro" level developer license with "enhanced APIs" and a "FREE" API license with minimal APIs

Which would also make App certificate/key hijacking a reality to deny authorised apps access by abusing a "lock out" mechanism.
Othran
Route One
#75 - 2011-09-20 18:11:45 UTC
Miilla wrote:
How about this for an idea, NO API INFO without a valid KEY. Period. NOTHING; absolutely ZERO output.

If they have a valid reason to query the API, they would have a key.




Agreed.

For any character-specific query a key should be mandatory.
Leona Elum
The Scope
Gallente Federation
#76 - 2011-09-20 18:12:07 UTC
CCP Stillman wrote:
generating excess errors will get your IP blocked.


I can confirm this to be true, and also say that it is VERY VERY hard to get it unblocked again.
In my case it was excessive updating of a "scammer list", in combination with bad settings in Excel that did the trick.
Miilla
Hulkageddon Orphanage
#77 - 2011-09-20 18:14:34 UTC  |  Edited by: Miilla
Leona Elum wrote:
CCP Stillman wrote:
generating excess errors will get your IP blocked.


I can confirm this to be true, and also say that it is VERY VERY hard to get it unblocked again.
In my case it was excessive updating of a "scammer list", in combination with bad settings in Excel that did the trick.



Which is a concern as I am on a mobile internet and many times the API calls fail or partially completed due to connection drop outs.

That wasn't for Save jita was it? lol at least put a picture of a hulk contract that I sold for lulz. PS: I'm never in jita.
Othran
Route One
#78 - 2011-09-20 18:19:32 UTC  |  Edited by: Othran
Leona Elum wrote:
CCP Stillman wrote:
generating excess errors will get your IP blocked.


I can confirm this to be true, and also say that it is VERY VERY hard to get it unblocked again.
In my case it was excessive updating of a "scammer list", in combination with bad settings in Excel that did the trick.


This is likely to become more of a problem soon(ish). Reason being it's quite likely that as IPv6 (finally) gets introduced in Europe/North America it's more likely that all the legacy IPv4 modem/routers consumers have will be proxied through a gateway.

For anyone in the UK, all your mobile phone stuff works like this - it's all proxied and logged due to rules about under 18s, more to do with contracts than morality IMHO ;)
CCP Stillman
C C P
C C P Alliance
#79 - 2011-09-20 18:19:49 UTC
Othran wrote:
CCP Stillman wrote:
Othran wrote:
CCP Stillman wrote:
Miilla wrote:


So it is allowed if we generate a low ratio of errors to success API calls.

Just to clarify.



That is easy to do. Just keep repeating SUCCESSFUL calls if you see 2 or 3 errors.

Nice try. But no. Just doing simple valid calls won't make us forget that you just did 3 bad calls


Do you consider it good design that the API confirms or refutes the existence of a character ID without a key?

The fact it doesn't require a key is an issue in the original design we wanted to change for the Incarna release, but wasn't done soon enough.

We're of course concerned with backwards compatibility, and doing such changes late in the development cycle would not be good.

But then again, a key is very easy to get hold of.


Would you like to stop with weasel words?

It's appallingly bad design practice is it not? The fact you seem to consider it acceptable makes me wonder what else in your infrastructure you consider acceptable.

So when will it be fixed?

I'm not saying it's acceptable. I'm saying that it's how the API was originally designed and that changing that shouldn't be done overnight, as we don't want to break applications from functioning. We want to give people a heads up and make sure they can adjust their applications in time before such a change hits. Doing so in the Incarna patch would be too many changes at once.

I can't confirm exactly when we'd deploy such a change. But I'll have a talk with Elerhino and see what we can do.

Just a random dude in Team Security.

malaire
#80 - 2011-09-20 18:19:58 UTC
Othran wrote:
Miilla wrote:
How about this for an idea, NO API INFO without a valid KEY. Period. NOTHING; absolutely ZERO output.

If they have a valid reason to query the API, they would have a key.




Agreed.

For any character-specific query a key should be mandatory.

What would it change? Just create any key and use it to obtain information about all the characters whose characterID you know.

New to EVE? Don't forget to read: The Manual * The Wiki * The Career Options * and everything else