
New dev blog: Responsible Disclosure - Reporting Security Issues

CCP Sreegs
CCP Retirement Home
#21 - 2011-09-21 19:03:08 UTC
Callic Veratar wrote:
I would like to see two new classes of petition created:

- A Bug Petition, so that I don't have to leave the game, figure out where to go, create the bug report and flip back and forth to capture it in full detail. (Even better would be the ability to capture user input that triggers the bug.)

- A Security Petition, so that there's no question as to where I go to report things. (Again, allowing me to log info through some form of capture mechanism would be great here too.)


Whether it's in the form of a petition or not this is something that we've been discussing internally and I know that removing the ambiguity is necessary. The other poster and yourself are right on in that reporting security incidents should be something that's more clear from an end-user perspective than being something that's just communicated in dev blogs and we do have some things in motion to rectify this. I'll be more comfortable speaking about what that will look like when it's finalized.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#22 - 2011-09-21 19:03:59 UTC
Orisa Medeem wrote:
I think one of the main problems is that a dev-blog only gets so much visibility, and only for so long.

If someone wants to report a security issue some six months from now there is some 95% chance he won't have read this blog (or any other blog from the security team for that matter), and even if he did it is quite possible he won't remember it.

That's probably why those four ways people try to raise security issues are so common.

The petition system is always there. You can create a petition from inside or outside the game.

I think promoting that "Exploits" sub-category to a category on its own would give it more visibility and, upon selecting it, the system could give the player better instructions on how to properly submit a security related issue. This would go a long way to ensure that the information reaches the right people.


Quoting the other person who was right for great justice.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#23 - 2011-09-21 19:09:52 UTC
Sentient Blade wrote:
This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.


Actually I think I'm pretty clear on that point, though it's not the point of the blog, and it brings me to a topic we didn't discuss mainly because I haven't confirmed that we can do it.

In essence, as I mentioned, we're not giving you license to hack our servers and any indication that this is being attempted will be treated as exactly that, you trying to hack our servers. There's not much I can do about that, as was stated in the blog. The logs are what the logs are and in a production environment it would be absolutely terrible practice to allow people to cause disruption or risk.

That being said, the point is 100% correct that part of the incentive should also be providing an atmosphere where you don't place yourself at risk via experimentation. What I'd like to facilitate is some form of environment where experimentation is possible without risk to the account. As it stands today if an exploit does occur the only thing that stands between yourself and administrative action is you letting us know that the exploit exists. If you discover something and you do not make us aware of it then our sole perspective both will and has to be that your intent was malicious.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Ammzi
Dreddit
Test Alliance Please Ignore
#24 - 2011-09-21 19:10:28 UTC
CCP Sreegs,

These security issues that you mention and hope to be able to identify a lot quicker now with the help of the player base, are they issues that you believe ordinary non-technical pilots can attempt to find/locate?
In my opinion this opportunity for reward and helping CCP is more oriented towards the technical playerbase. Software engineers and similar.

What do you think?

regards
Ammzi
lceman
The Scope
Gallente Federation
#25 - 2011-09-21 19:12:27 UTC
snitches get stitches

Grimpak
Aliastra
Gallente Federation
#26 - 2011-09-21 19:14:29 UTC
The Mittani wrote:
A reliable source informed me that since Soundwave likes anime and manga so much, when the CCP office began playing 40k, he insisted upon being the Tau player. He just can't get enough battlesuits!



if it's battlesuits then he needs gundams or macrosses

Quote:
The more I know about humans, the more I love animals.

ain't that right

CCP Sreegs
CCP Retirement Home
#27 - 2011-09-21 19:17:35 UTC
Aineko Macx wrote:
malaire wrote:
Sentient Blade wrote:
This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.


Permanent ban of all your accounts on first offense of client exploiting.

from Current Botting and Exploit/Client Modification Policies - 12/5/2011:
Quote:

One other thing to note is that at ALL levels all actions are levied against all of your accounts.

Client Modification or exploiting – First Offense – Permanent Ban

Unless this is changed people will be wary of reporting issues. It's not like people didn't learn from CCP's reactions... *cough*


Without getting into individual detail, as I've said before, never has there been a case where an exploit has been responsibly reported to us without abuse that anyone has ever been at risk or actioned against. I find it unfortunate that I can't wield godlike powers that prevent people from lying on the internet and I don't get a bonus for banning people and would prefer not to. I'd much rather have that creative energy channeled into making all of us a better product than investigating bad guys or playing he-said she-said with attention seeking criminals.

At the end of the day this is my initiative and if I didn't earnestly believe it was the best course of action I could have pumped out a pile of words about something else.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#28 - 2011-09-21 19:20:38 UTC
Ammzi wrote:
CCP Sreegs,

These security issues that you mention and hope to be able to identify a lot quicker now with the help of the player base, are they issues that you believe ordinary non-technical pilots can attempt to find/locate?
In my opinion this opportunity for reward and helping CCP is more oriented towards the technical playerbase. Software engineers and similar.

What do you think?

regards
Ammzi


That may be true in some respects but one of the great beauties of EVE is the social aspect and skullduggery, which may help explain the joking use of the word "snitches" in the blog. The fact is that if you give me an exploit and detail I'm going to reward you whether you discovered it or not. The reward is for the disclosure, not the discovery, if that spells it out any clearer. I'd like to encourage discovery as well in the long term, but at the end of the day my primary concern is fixing something that's broken.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Tork Norand
Perkone
Caldari State
#29 - 2011-09-21 19:42:57 UTC
CCP Sreegs wrote:

In essence, as I mentioned, we're not giving you license to hack our servers and any indication that this is being attempted will be treated as exactly that, you trying to hack our servers. There's not much I can do about that, as was stated in the blog. The logs are what the logs are and in a production environment it would be absolutely terrible practice to allow people to cause disruption or risk.

That being said, the point is 100% correct that part of the incentive should also be providing an atmosphere where you don't place yourself at risk via experimentation. What I'd like to facilitate is some form of environment where experimentation is possible without risk to the account. As it stands today if an exploit does occur the only thing that stands between yourself and administrative action is you letting us know that the exploit exists. If you discover something and you do not make us aware of it then our sole perspective both will and has to be that your intent was malicious.


Sreegs, a (larger) thought....

Open up a new set of servers for EXACTLY that purpose...to let people hack on them in any way they want. To do this right, the user database would need to be scrubbed (in case someone did get in) but point to it and say, "That....That is where you can try and hack into. You find a route, you report it. If we see it used anywhere else, everyone using it on any server is banned."

I would go a few steps further...place it on its own network with no access to the production or other test environments. Completely isolate it from anything else. To use it for any testing, the users need to reset their password on that cluster using a tool from outside that then updates their account on that cluster within the next 24 hours. Doing all of this would be a little time consuming, but not difficult. Updates of passwords could be performed by sending the hash in an email going from the registration page to the new cluster.....I could go on and on with this but that should be a good start for discussion.

--Tork. CEO and Herder of Cats.

CCP Sreegs
CCP Retirement Home
#30 - 2011-09-21 19:49:09 UTC
Tork Norand wrote:

Sreegs, a (larger) thought....

Open up a new set of servers for EXACTLY that purpose...to let people hack on them in any way they want. To do this right, the user database would need to be scrubbed (in case someone did get in) but point to it and say, "That....That is where you can try and hack into. You find a route, you report it. If we see it used anywhere else, everyone using it on any server is banned."

I would go a few steps further...place it on its own network with no access to the production or other test environments. Completely isolate it from anything else. To use it for any testing, the users need to reset their password on that cluster using a tool from outside that then updates their account on that cluster within the next 24 hours. Doing all of this would be a little time consuming, but not difficult. Updates of passwords could be performed by sending the hash in an email going from the registration page to the new cluster.....I could go on and on with this but that should be a good start for discussion.


That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Zhilia Mann
Tide Way Out Productions
#31 - 2011-09-21 20:38:15 UTC
Three positive dev blogs in a row and in under a week. Ok, I'm convinced this whole thing isn't dying just yet. So far so good.
Sered Woollahra
No Fixed Abode
Solyaris Chtonium
#32 - 2011-09-21 21:01:20 UTC  |  Edited by: Sered Woollahra
Tork Norand wrote:
A few reward options come to mind....

1) Skill Points for small things. Hell, this would work great for reporting bots (at 1,000 SP for each verified bot report, you may just introduce a new profession....) but for the "small things", I think SP would be appropriate.

2) PLEX, but in 1-week increments....not only the 30-day version.

3) For people who actually use AUR (meaning they ask for this reward type), a deposit into their AUR account. Since the items aren't game changing anyway, this would let those who want to use it to have a way to increase what they have now.

Just what comes to mind...


I like this suggestion, of different levels of rewards depending on the severity of the issue discovered. Other parties do this as well: Google for instance has a policy of paying between 500 and 1337 USD per Chrome bug found according to this blog entry: http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html
And Facebook, whose normal bounty is 500 USD per bug found, has paid up to 5000 USD for single bugs as they mention here https://www.facebook.com/notes/facebook-security/updates-to-the-bug-bounty-program/10150270651335766.

And although slightly OT, the idea of rewarding bot hunting with skill points or AUR sounds very interesting too. A new profession indeed..
darmwand
Repo.
#33 - 2011-09-21 22:39:16 UTC
Quote:
That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it.


Sounds interesting. Or at least allow people to easily get permissions to poke around a little, basically a mechanism where I could say "I'd like to do some weird things to your forums and, if I find anything, I'll report it back to you. In turn, you won't ban me for trying" would be cool.

That said, I'm glad you are trying to get the community involved. Nice devblog.

"The pen is mightier than the sword if the sword is very short, and the pen is very sharp."

Manfred Sideous
H A V O C
Test Alliance Please Ignore
#34 - 2011-09-21 23:33:41 UTC
Screegs


YOU BEEN HAZED!

@EveManny

https://twitter.com/EveManny

CCP Sreegs
CCP Retirement Home
#35 - 2011-09-21 23:44:18 UTC
Manfred Sideous wrote:
Screegs


YOU BEEN HAZED!


stop hazing me man

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#36 - 2011-09-21 23:49:40 UTC
darmwand wrote:
Quote:
That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it.


Sounds interesting. Or at least allow people to easily get permissions to poke around a little, basically a mechanism where I could say "I'd like to do some weird things to your forums and, if I find anything, I'll report it back to you. In turn, you won't ban me for trying" would be cool.

That said, I'm glad you are trying to get the community involved. Nice devblog.


The idea of whitelisting is certainly something I'd take into consideration, but I do have concerns about availability of services in that scenario. Something else I've considered to ease the burden is rotating services, which can be difficult due to interdependence, and running contests or something. Really this is exactly the type of feedback I'm hoping to obtain.

I really want to establish something that can harness the community, but I also want it to be interesting and worth everyone's while. I really don't just want to be like "Test crap is up" then a week later "ok I updated the list of guys here's your gold star". I want to facilitate engagement and a sense of ownership, but also give people a chance to contribute to something they enjoy and in some cases further their education. Our community has a ridiculous number of security professionals and security professional-to-be's.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Ubee Rubiks
Caldari Provisions
Caldari State
#37 - 2011-09-22 00:53:00 UTC
Sorry to derail this thread a little bit but it made me wonder, if reporting forum security in the petition system does not get sorted to the right people in a speedy manner then what happens when someone petitions for a stolen account? Does that get sorted and investigated in the same way?
Blazde
Sebiestor Tribe
Minmatar Republic
#38 - 2011-09-22 05:36:52 UTC
Great initiative that's very needed. I'll cover some of my worst experiences reporting bugs in EVE and why I became so disillusioned with it I wouldn't even report a serious security vulnerability because it's a clear waste of time. Not all of this is security related and it's not clear how much you consider ingame exploits 'security' stuff, but I did always prioritise security bugreports anyway, and just perhaps if you make a success of the security stuff you can use it to trigger fixing the wider bugreporting problem. Edit: And sorry it got really long, this is mostly my entire reason for becoming a bitter CCP-hating vet ^^ and you're the first dev I've seen even acknowledge the problem in 6 years so maybe my rant can help


Incentive wise I think the most important thing to begin with is convincing people submitting the bugreport has any effect at all and is worth their effort. This goes for most quality bugreports that take time to make which is probably why the bugreport system is flooded with low-quality no-effort, frustrated "You guys are idiots the whole thing is broken" type reports atm (and I can't help noticing you basically confirmed devs don't read bugreports because it's not worth their time)

So that means:

1) The report isn't rejected or important details edited out of it by a bughunter who doesn't understand it. [email protected] sounds promising but still if there is any kind of screening then feedback on that is needed. At least under the current system if a bughunter edits your report you get to see how and if they've royally screwed it up you can reedit and explain where they went wrong. Ideally I think a special security category in the existing bugreporting system that explicitly bypasses bughunters and goes straight to security-conscious devs (but otherwise functions the same for report feedback) would be best

2) The problem must be actually fixed reasonably quickly (not incorrectly filed under the 'UI related - ignore' category forever). There's a knock on effect here: not only is it disheartening to spend effort reporting a problem and it not be fixed but also if you know reported problems often aren't fixed then the chances are much higher the problem you're about to report has already been reported by someone else, potentially years ago - so why waste time reporting it again

Way back in 2004 I reported a whole clutch of security-related problems. Mostly it was a satisfying experience (the most serious server-crashing bugs were fixed very fast and I dodged a deserved perma-ban) but 5-6 years later I learnt two of those exploits (related to the directional-scanner) hadn't been fixed and were being used fairly widely in client hacks. I had my local CSM rep raise it and he got zero feedback. They may or may not be fixed now - I don't know - but after spending time investigating, writing-up and chasing-up obviously I stopped caring

3) Some reasonable feedback on whether the report was useful. Some people might like a quick mention in the patch notes which should be easy enough, but even a quick one-line private evemail/email saying 'thanks - your report helped' if that's actually the case, from the dev who fixed it would be awesome. If 100 people report an obvious bug then the current bugreport feedback is fine, but if 2 people's reports were absolutely instrumental in it getting fixed they deserve to know that so tell them that and give them the warm fuzzy feeling of knowing they made a difference, so they can do it again

Couple of years ago I set out to investigate the huge desyncing that was happening at the time. It was already a 12 month old problem that was becoming worse as capital fleets grew in size and was disrupting every op often causing lost capitals (that never got reimbursed even under the pre-Dominion policies, GMs often blamed client-lag). Pretty quickly I had a reproduction case but knew it would be a lot of effort to refine it and write it up properly - this is important btw: investigating bugs is fun (for some of us), writing them up is tedious. So I poked some devs and BHs in #eve-chaos to see if they already had a reproduction case, fairly sure they must because it was obvious. The only dev I got a response from said he couldn't talk about the current status of bugs in case what he said was spun by players as a promise - something like that, it was unhelpful anyway :) A helpful BH (these are rare!) lacked access to check. However another player said he had reported desync with a solid reproduction case so I dropped it for a few months. When it still wasn't fixed given it was a well-known bug with reproduction I figured CCP were just being lazy so pushed Vuk to raise it on the CSM, even helping write some of his campaign material specifically about desync. At the CSM summit they said they had no reproduction case and would I submit one, so I went to work writing up the case and motivated by the fact the devs had got nowhere in 18 months also reverse-engineered the heck out of the client and pin-pointed the most major cause of the bug. By now it was dozens of hours of effort, a lot of it was fun of course or I wouldn't have done it, but some tedious and I submitted the report happy that I'd worked to fix a serious bug in a game I loved. A couple of months and an expansion later it still wasn't fixed so I poked through the CSM again and got told it'd been deprioritised in the rush to expansion

...
Blazde
Sebiestor Tribe
Minmatar Republic
#39 - 2011-09-22 05:38:53 UTC  |  Edited by: Blazde
...

A long time later it was eventually fixed, however then a devblog appeared telling in excruciating detail how this long-running difficult bug had been squashed by the extreme determination of our awesome CCP devs. Apparently a former-bughunter (then dev) had discovered a reproduction case and they'd gone on a difficult journey over many weeks to discover exactly what I'd reported 6 months earlier (and then a little further and actually fix it and quite a bit further to fix related issues). I don't doubt the devs put a lot of effort into fixing it and I personally didn't want a public mention especially not in a devblog, but it was hugely insulting that there was zero reference to player bugreports (and I'm sure there were plenty on the issue besides mine). Either the devblog was fictional or my weeks spent on the bugreport were wasted because it was never read by the right people and they had to duplicate my effort (not just wasting my time but wasting valuable dev resources)

Either way it was a monumental disincentive to ever report a bug again, security or otherwise. The worst thing is desync still exists and with plenty of experience, leads and a custom tool I could have helped fix more of it with just a little technical feedback to avoid investigating dead-ends and some indication that the effort was worth spending at all


Other stuff that might help:

Reimbursement - There was a 'decloak-in-warp and gain mass to bump stuff violently' exploit a while back. Again I reported and 6 months later it was still unfixed when a corp-mate lost a titan over it. It was stolen rather than destroyed which made it a difficult/impossible reimbursement case but I think in similar cases where reimbursement is at least possible then a bugreport related to the issue that caused the loss should influence the reimbursement. I lost a nid to the desync and if a dev ever approached me about a 'reward' then reimbursement of it would have been very appropriate. Another non-security example that comes to mind is ships dying >15 minutes after log off which I could have gotten a token-Devoter reimbursement over. For me at least the ISK-value is irrelevant but the acknowledgement from CCP that bugs in EVE probably caused the loss and that instead of whining in a petition the player set out to solve the bugs and get them fixed is. Spending the bugreporting time making ISK instead would have covered the loss a lot quicker, so reward that choice. And players are already most motivated to report bugs that affect them directly in a negative way so reversing that effect where possible as a reward seems like a no-brainer

Assistance in investigating - In the past I've tried to get help from BHs to spawn items or move characters and been told they're not allowed to, even when it's very clear that it's for investigating bugs. Other players have had better experiences but at the least it could be improved. I even applied to the BHs to try to get the abilities myself while following up the desync, but got rejected because (apparently): Bughunters are primarily filing-secretaries for bugreports and saying you actually want to hunt bugs on your application will hurt it. If I could have just gotten an extra account or two on Sisi, or even just a couple more supercaps and some fast-anchoring test towers it would have been hugely time-saving

Game mechanic exploits - I've always been nervous of submitting exploits to the bugreporting system because they will get seen by unaccountable player-volunteers and as a result very possibly exploited by enemy alliances (especially when the problem isn't fixed for 6+ months). There is a perception that using exploits in EVE is intentionally part of the metagame and they don't get fixed until they're widely abused, allowing those that discover them to benefit from them. Back in the day the F11 deep-safespot bug was considered treasured knowledge and CCP didn't rush to fix it or ban its use. At the other end of the scale the ferrogel exploit was obviously considered much more serious. Somewhere in the middle is a grey area and if your exploit falls in that area you need to be able to contact a dev not a player-volunteer (devs might leak the info to their player-friends too of course but their job is on the line so it's less likely)

gl
Davelantor
Deep Core Mining Inc.
Caldari State
#40 - 2011-09-22 07:44:44 UTC
3 DEV blogs in 3 days ... I am so happy .... I think now I will stop killing for today ...