New dev blog: Responsible Disclosure - Reporting Security Issues

Florestan Bronstein
Ministry of War
Amarr Empire
#41 - 2011-09-22 10:04:37 UTC  |  Edited by: Florestan Bronstein
CCP Sreegs wrote:
Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums.

not like the system is already vulnerable to exploitation before the vulnerability is discovered & reported, amirite?

I don't have a set position on responsible vs immediate (full) disclosure but I think it needs to be acknowledged that while immediate disclosure may increase the probability of the vulnerability being actually exploited it also tends to minimize the time that the system is vulnerable (by applying maximum pressure to the developers) and gives users the ability to take precautions much faster/earlier than any company could issue them an advisory.

The vulnerability does not start to exist when it is reported for the first time - if anything it becomes much less threatening once it has been reported and is known about (as users can then start to take precautions/use workarounds).
Florestan Bronstein
Ministry of War
Amarr Empire
#42 - 2011-09-22 11:23:04 UTC  |  Edited by: Florestan Bronstein
CCP Sreegs wrote:
Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports.

Assume I experience a bug "visiting website xyz in the IGB does sometimes make the browser "hang" (have to restart client to fix this) and leads in rare cases to a BSoD".
I file a bug report describing this behavior and expressing mild annoyance at CCP for releasing such a shoddy product, the bug gets verified by volunteers or CCP staff, gets assigned to CCP's IGB team, gets prioritized ("only one website of over 9000 is known to cause this issue, telemetry says only three users experienced client crashes due to it in the last month") and some CCP dev will grab the bug report and look into it whenever he gets around to doing so.

My guess would be that many users experience glitchy behavior due to accidentally triggering vulnerabilities and (if you are lucky) report it as a bug without thinking of it as more than a harmless but annoying glitch.

Shouldn't there be some process of screening incoming bug reports for signs of potential vulnerabilities and fast-track those that might point towards a security issue?
CCP Sreegs
CCP Retirement Home
#43 - 2011-09-22 12:07:39 UTC  |  Edited by: CCP Sreegs
Florestan Bronstein wrote:
CCP Sreegs wrote:
Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums.

not like the system is already vulnerable to exploitation before the vulnerability is discovered & reported, amirite?

I don't have a set position on responsible vs immediate (full) disclosure but I think it needs to be acknowledged that while immediate disclosure may increase the probability of the vulnerability being actually exploited it also tends to minimize the time that the system is vulnerable (by applying maximum pressure to the developers) and gives users the ability to take precautions much faster/earlier than any company could issue them an advisory.

The vulnerability does not start to exist when it is reported for the first time - if anything it becomes much less threatening once it has been reported and is known about (as users can then start to take precautions/use workarounds).


I disagree with you completely. While you may personally have the capacity to react the average user may not.

If the developers respond responsibly then there's really no point to disclosing openly immediately. There are certainly many documented cases of developers of various applications not reacting to security notifications in time, what we're trying to enable is a framework to prevent that.

:edit: In the absence of the developer actively shirking their responsibility the claim that they may potentially do so is dubious. One can't simply go through life using assumptions about how people or companies may or may not react to a situation as the basis for their decisions, which seems to be the crutch the most extreme full disclosure advocates cling to.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#44 - 2011-09-22 12:09:28 UTC
Florestan Bronstein wrote:
CCP Sreegs wrote:
Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports.

Assume I experience a bug "visiting website xyz in the IGB does sometimes make the browser "hang" (have to restart client to fix this) and leads in rare cases to a BSoD".
I file a bug report describing this behavior and expressing mild annoyance at CCP for releasing such a shoddy product, the bug gets verified by volunteers or CCP staff, gets assigned to CCP's IGB team, gets prioritized ("only one website of over 9000 is known to cause this issue, telemetry says only three users experienced client crashes due to it in the last month") and some CCP dev will grab the bug report and look into it whenever he gets around to doing so.

My guess would be that many users experience glitchy behavior due to accidentally triggering vulnerabilities and (if you are lucky) report it as a bug without thinking of it as more than a harmless but annoying glitch.

Shouldn't there be some process of screening incoming bug reports for signs of potential vulnerabilities and fast-track those that might point towards a security issue?


In your example you directly state that the bug simply looks like glitchy behavior. In a world where a potential security (or not) vulnerability could mimic any behavior how would you propose this screening should work?

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Andski
GoonWaffe
Goonswarm Federation
#45 - 2011-09-22 13:15:36 UTC
hey cool now whoever manages to figure out the Ev0ke Cheetah gets a multibillion ISK bounty and a PLEX!!!

Twitter: @EVEAndski

"It's easy to speak for the silent majority. They rarely object to what you put into their mouths."    - Abrazzar

MailDeadDrop
Archon Industries
#46 - 2011-09-22 22:07:45 UTC
CCP Sreegs wrote:
All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published.

Given how things played out with the first release of the new forums, I can conclude one of several things:

1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur.
2. The procedures were in place but were not followed.
3. The "peers" and "reputable third parties" were incompetent.
4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing.

Care to tell us which it was?

MDD
CCP Sreegs
CCP Retirement Home
#47 - 2011-09-22 23:03:30 UTC
MailDeadDrop wrote:
CCP Sreegs wrote:
All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published.

Given how things played out with the first release of the new forums, I can conclude one of several things:

1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur.
2. The procedures were in place but were not followed.
3. The "peers" and "reputable third parties" were incompetent.
4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing.

Care to tell us which it was?

MDD


Yeah let me get right on that.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

MailDeadDrop
Archon Industries
#48 - 2011-09-22 23:14:07 UTC
CCP Sreegs wrote:
MailDeadDrop wrote:
CCP Sreegs wrote:
All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published.

*snip*
MDD


Yeah let me get right on that.


While I'm not exactly pleased with the tone of your reply, I'll have to say I am glad you did reply. Really.

So maybe my initial posting was more snide than it should have been. And perhaps this topic doesn't exactly follow the main thrust of the dev blog. Hopefully you'll agree that the initial rollout was rather calamitous, and that there are lessons to be learned from how it came to happen. I suppose the root of my question is: did you (as The Security Guy) determine how it came to happen? A simple "yes", "partially", or "no" response is all that I'm seeking. Well, that and the realization that if the answer is "no" that maybe you should go ask those questions.

On a completely tangential topic, I've seen recent discussions on the petition queues, and how the security-related (non-exploit) petitions take a substantially larger share of :effort: to disposition. I also recall that the 2010 FanFest goodie bag included an authenticator (a la RSA SecureId fob). It seems to me that allowing, perhaps even mandating, the use of those fobs for login would dramatically reduce the incidence of the "hacked account" security petitions. Would you please add "login security" to the list of topics for you to cover in the next dev blog you write (hopefully Soon™)?

Thanks for your time.

MDD
CCP Sreegs
CCP Retirement Home
#49 - 2011-09-22 23:21:20 UTC
Yeah sorry dude, but framing a question in such a way that there's no good, or even honest answer isn't really going to get you the rosiest of replies on my best day. :)

The answer is that yes we did determine how we could improve the process and the process today is different from what it was then. The process today is what I'm describing. I think I went over some of the changes as well during a presentation at EVE Vegas which I think is being hosted by EVE Radio somewhere if you're curious. We knew what the issue was within an hour or two of it occurring, figuring out what needed to change in order to prevent that didn't really require a great deal. My shoe is on backwards, how do I prevent? Put it on the right way.

Regarding the two factor tokens, let's just say I'm looking forward wholeheartedly to the day where I can say when they'll be deployed. :)

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

buck herrick
Brutor Tribe
Minmatar Republic
#50 - 2011-09-23 00:05:34 UTC
i am liking this sreegs more and more (although his singing is terrible and i don't believe that the recent hazing will help)

he posts and then actually reads responses to said post and then he even replies to said post.

this is a step forward, please ensure that we are able to have a new petition category where we can request all CCP'ers to act in this fashion. our security may depend on it.

T'Laar Bok
#51 - 2011-09-23 04:23:06 UTC
CCP Sreegs wrote:
incentivizing


I can't decide if you got that from The Buzzword Dictionary or The Dictionary of Corporate Bullsh!t.

Both available on Amazon if anyone is interested.

Amphetamines are your friend.

http://eveboard.com/pilot/T'Laar_Bok

T'Laar Bok
#52 - 2011-09-23 04:23:13 UTC  |  Edited by: T'Laar Bok
Double post

Amphetamines are your friend.

http://eveboard.com/pilot/T'Laar_Bok

CCP Sreegs
CCP Retirement Home
#53 - 2011-09-23 11:45:44 UTC
T'Laar Bok wrote:
CCP Sreegs wrote:
incentivizing


I can't decide if you got that from The Buzzword Dictionary or The Dictionary of Corporate Bullsh!t.

Both available on Amazon if anyone is interested.


It means to give incentive. Hope that helps.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

mazzilliu
Perkone
Caldari State
#54 - 2011-09-23 15:18:58 UTC  |  Edited by: mazzilliu
Although a $15 plex isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.

sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?

edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go?
Internet Knight
Deep Core Mining Inc.
Caldari State
#55 - 2011-09-24 01:15:28 UTC  |  Edited by: Internet Knight
Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up

Report multiple issues: offer them a job because clearly it's better to have them on NDA than not.
mazzilliu
Perkone
Caldari State
#56 - 2011-09-24 01:31:46 UTC  |  Edited by: mazzilliu
Internet Knight wrote:
Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up


this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than $15 (one plex) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one plex does not even factor in the amount of incentive there is.

the only real remaining incentives, are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that.

Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue.
Garia666
CyberShield Inc
HYDRA RELOADED
#57 - 2011-09-24 20:50:22 UTC
Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So if you have, change it asap.
Knalldari Testpilot
#58 - 2011-09-25 15:13:23 UTC
Asking the EVE community for help in fixing security issues after banning Helicity Bonson for doing exactly this could only be some kind of a hilarious troll.

You guys have some strange humor...

//off topic
The new forum is less useful/handy/effective than the old one.
CCP Sreegs
CCP Retirement Home
#59 - 2011-09-26 16:20:34 UTC
Knalldari Testpilot wrote:
Asking the EVE community for help in fixing security issues after banning Helicity Bonson for doing exactly this could only be some kind of a hilarious troll.

You guys have some strange humor...

//off topic
The new forum is less useful/handy/effective than the old one.


Can you please let me know what part of "We've never banned anyone for reporting a security issue" was unclear? I can't speak to the specifics of any user you might be referring to as we don't publicly discuss administrative actions as a matter of policy, but I can categorically define your post as patently false and ask you to refrain from spreading such falsehoods on this forum as it can be detrimental to what we're trying to do, which is encourage people to participate.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#60 - 2011-09-26 16:23:31 UTC
mazzilliu wrote:
Although a $15 plex isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.

sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?

edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go?


What's not sanctioned at this time is any active exploitation or testing in any CCP owned environments. This thread is merely for comment so that we can gauge how best to institute, perhaps, a testing environment. Attacking our infrastructure was and remains a crime.

What I'd like to hear are thoughts as to what type of environment you feel would be useful. In addition we do get reports of things discovered anecdotally and those we encourage and reward.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012