These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Information Portal

 
 

New dev blog: Responsible Disclosure - Reporting Security Issues

CCP Sreegs
CCP Retirement Home
#61 - 2011-09-26 16:26:00 UTC
Internet Knight wrote:
Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up

Report multiple issues: offer them a job because clearly it's better to have them on NDA than not.


The "hire the hacker" mentality simply has no real world application when you start to discover that you need to be able to trust the person you'd be hiring and they've already shown themselves to be willing to break laws. Where it starts to make more sense is when you can set up a controlled environment where they can operate ethically.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

CCP Sreegs
CCP Retirement Home
#62 - 2011-09-26 16:27:19 UTC
mazzilliu wrote:
Internet Knight wrote:
Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up


this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than $15 (one plex) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one plex does not even factor in the amount of incentive there is.

the only real remaining incentives are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that.

Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue.


CCP isn't going to be throwing you hundred dollar bills ever so we can go ahead and write that off for the time being. :)

CCP Sreegs
CCP Retirement Home
#63 - 2011-09-26 16:29:06 UTC
Garia666 wrote:
Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So when you have, change it asap


I'm pretty sure there are threads for conspiracy theories or trolling somewhere on this forum, but this one isn't it. Please refrain and stick to the topic.

mazzilliu
Perkone
Caldari State
#64 - 2011-09-27 02:24:46 UTC  |  Edited by: mazzilliu
CCP Sreegs wrote:
mazzilliu wrote:
Internet Knight wrote:
Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up


this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than $15 (one plex) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one plex does not even factor in the amount of incentive there is.

the only real remaining incentives are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that.

Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue.


CCP isn't going to be throwing you hundred dollar bills ever so we can go ahead and write that off for the time being. :)

not cash. plex. if you're talking about a monetary reward, and if you make it piddlingly small, you're really better off with no monetary reward at all.

of course there are some people for whom a $15 plex might be a big deal, especially in poorer countries, so whether this is enough really is something you'll only see over time.
mazzilliu
Perkone
Caldari State
#65 - 2011-09-27 02:25:56 UTC  |  Edited by: mazzilliu
CCP Sreegs wrote:
mazzilliu wrote:
Although a 15$ plex isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.

sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?

edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go?


What's not sanctioned at this time is any active exploitation or testing in any CCP owned environments. This thread is merely for comment so that we can gauge how best to institute, perhaps, a testing environment. Attacking our infrastructure was and remains a crime.

What I'd like to hear are thoughts as to what type of environment you feel would be useful. In addition we do get reports of things discovered anecdotally and those we encourage and reward.

finding some xss in your site or something like that is attacking your infrastructure and also a crime (and also has been rewarded by CCP in the past). needs more clarification.

edit: to clarify my own point, we need some clarification of what is and is not acceptable. the guy who got banned did so because he was reading secret forums, while being "logged in" as an employee, which clearly shows he didn't understand the situation as he would have either concealed his identity or else didn't try to find secret information if he did. i'm not asking ccp to "talk about administrative actions" but it's clear that there was misunderstanding going on and there need to be clearly laid out rules for people to report weaknesses and guarantee their own safety in doing so.

whether a javascript alert box is thought of as active malicious exploitation or agreeable proof of concept for vulnerability reporting, is entirely in the eye of the beholder, in this case CCP. other entities would wholly disagree with whatever definition you come up with, so you must be crystal clear in what you say.

you have a singularity test server, where AFAIK it's anything goes except taking down services, however most of your web resources do not have a publicly available backup, so any actual vuln testing has to be done on production machines. which could or could not be a big deal, depending on the vulnerability and your current stance. if you are asking people to test on production servers, if there is a denial of service or sql injection bug the question really becomes, how do we report this without being malicious or getting banned, and will ccp need to conduct an investigation to ensure the bug (now known by 3rd parties) was never maliciously exploited?

as i understand it this blog is basically an invitation for people to go around vuln scanning (be it manual or automated) on production servers and try to find vulnerabilities without taking down services or stealing secret information, etc. if this is a mistaken idea, then i apologize and you really need to clarify.

also a list of acceptable locations where rewards will be given for vulnerabilities would be appreciated. nobody likes their time being wasted, and i'm sure you don't like getting vuln reports for web resources you don't even manage.
CCP Sreegs
CCP Retirement Home
#66 - 2011-09-27 12:12:14 UTC  |  Edited by: CCP Sreegs
mazzilliu wrote:
CCP Sreegs wrote:
mazzilliu wrote:
Although a 15$ plex isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.

sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com?

edit: to clarify, we need a specific list of what is sanctioned and what is not. because currently any hacking involving the client itself is bannable at the same time as this rewards program for hacking web resources, even when the activity isn't malicious or used to generate illegitimate isk. can i attack client network traffic without injecting code into the running process itself? how far does this go?


What's not sanctioned at this time is any active exploitation or testing in any CCP owned environments. This thread is merely for comment so that we can gauge how best to institute, perhaps, a testing environment. Attacking our infrastructure was and remains a crime.

What I'd like to hear are thoughts as to what type of environment you feel would be useful. In addition we do get reports of things discovered anecdotally and those we encourage and reward.

finding some xss in your site or something like that is attacking your infrastructure and also a crime (and also has been rewarded by CCP in the past). needs more clarification.

edit: to clarify my own point, we need some clarification of what is and is not acceptable. the guy who got banned did so because he was reading secret forums, while being "logged in" as an employee, which clearly shows he didn't understand the situation as he would have either concealed his identity or else didn't try to find secret information if he did. i'm not asking ccp to "talk about administrative actions" but it's clear that there was misunderstanding going on and there need to be clearly laid out rules for people to report weaknesses and guarantee their own safety in doing so.

whether a javascript alert box is thought of as active malicious exploitation or agreeable proof of concept for vulnerability reporting, is entirely in the eye of the beholder, in this case CCP. other entities would wholly disagree with whatever definition you come up with, so you must be crystal clear in what you say.

you have a singularity test server, where AFAIK it's anything goes except taking down services, however most of your web resources do not have a publicly available backup, so any actual vuln testing has to be done on production machines. which could or could not be a big deal, depending on the vulnerability and your current stance. if you are asking people to test on production servers, if there is a denial of service or sql injection bug the question really becomes, how do we report this without being malicious or getting banned, and will ccp need to conduct an investigation to ensure the bug (now known by 3rd parties) was never maliciously exploited?

as i understand it this blog is basically an invitation for people to go around vuln scanning (be it manual or automated) on production servers and try to find vulnerabilities without taking down services or stealing secret information, etc. if this is a mistaken idea, then i apologize and you really need to clarify.

also a list of acceptable locations where rewards will be given for vulnerabilities would be appreciated. nobody likes their time being wasted, and i'm sure you don't like getting vuln reports for web resources you don't even manage.


I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.

The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog, logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)

The blog, as is stated, is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such.

mazzilliu
Perkone
Caldari State
#67 - 2011-09-27 12:55:00 UTC  |  Edited by: mazzilliu
CCP Sreegs wrote:


I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.

The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog, logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)

The blog, as is stated, is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such.

I think the issue is that we don't agree on the definition of attack or testing. for me, i have to operate under the assumption that an attack is a single 'or 1=1, or a single unauthorized failed login. based on my knowledge of past happenings with ccp, something seems to only be considered an attack when secret info is viewed, or there is a denial of service.

IMO, "testing" and "attacking" would be required to accomplish this:
Quote:
The Good Example - User sends an email to [email protected] which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"


People in different roles than either of us probably have an even different idea of what these words mean. Clearly some users at the release of this forum software had a vastly different idea of what malicious activity meant.

I propose the following rules to clarify for all parties regardless of their knowledge of how to handle security incidents:
-no taking down services
-no viewing secret information, as you can't undo your actions on the internet don't even try to get close
-if you must test if something can be used against another user, use it only on your alt and not even a consenting 3rd party, as knowledge of the exploit could spread
-no sharing knowledge of a live exploit with any other person
-no exploiting for personal gain
-no corrupting the integrity of information owned by other users.

i think this sort of thing needs to be crystal clear for the users out there.
Blazde
Sebiestor Tribe
Minmatar Republic
#68 - 2011-09-27 13:03:04 UTC
If you really want players to actively seek out security issues for rewards (as opposed to just responsibly turning in any info that might be 'in the community' anyway as a result of non-authorised 'testing') then absolutely the most effective option is to open-source the relevant bits of infrastructure you want tested in some limited way, and preferably also set up a test environment, and then also offer rewards.

It's not effective, never mind efficient, to blackbox pentest a big network for the token rewards you're likely to be able to offer. You just won't provoke the level of commitment needed, as mazz says, to systematically stress every single input with quotes and angle brackets and so on, guessing hidden variable names and inferring the backend logic from little clues, going on huge detours to provoke errors to get those clues. It all takes an immense amount of time, which ultimately means that if a hundred undermotivated testers mostly replicating each other's work can't find a vulnerability you really haven't achieved much confidence that one properly motivated individual won't.

Whereas the whole test could be conducted an order or two of magnitude more efficiently by simply auditing the code/config.
CCP Sreegs
CCP Retirement Home
#69 - 2011-09-27 14:27:53 UTC  |  Edited by: CCP Sreegs
mazzilliu wrote:
CCP Sreegs wrote:


I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.

The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog, logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)

The blog, as is stated, is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such.

I think the issue is that we don't agree on the definition of attack or testing. for me, i have to operate under the assumption that an attack is a single 'or 1=1, or a single unauthorized failed login. based on my knowledge of past happenings with ccp, something seems to only be considered an attack when secret info is viewed, or there is a denial of service.

IMO, "testing" and "attacking" would be required to accomplish this:
Quote:
The Good Example - User sends an email to [email protected] which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"


People in different roles than either of us probably have an even different idea of what these words mean. Clearly some users at the release of this forum software had a vastly different idea of what malicious activity meant.

I propose the following rules to clarify for all parties regardless of their knowledge of how to handle security incidents:
-no taking down services
-no viewing secret information, as you can't undo your actions on the internet don't even try to get close
-if you must test if something can be used against another user, use it only on your alt and not even a consenting 3rd party, as knowledge of the exploit could spread
-no sharing knowledge of a live exploit with any other person
-no exploiting for personal gain
-no corrupting the integrity of information owned by other users.

i think this sort of thing needs to be crystal clear for the users out there.


I'm telling you in no uncertain terms, again, that from the log's perspective there's no difference between a "test" and an "attack". If that's too difficult or nuanced to be clear then let's just say don't "test" either. I don't think it's clear what anyone thought at any time because I'm not psychic and I'm not going to ever be unless something awesome happens.

I propose the following:

Don't test, don't attack and don't in any way shape or form attempt to use systems for anything other than their intended purpose.

That is production systems. When it comes to a system specifically built for this purpose then the bulk of your proposed rules would make sense with some additions that I'll touch on when I have a free minute.

mazzilliu
Perkone
Caldari State
#70 - 2011-09-27 14:33:53 UTC
CCP Sreegs wrote:
mazzilliu wrote:
CCP Sreegs wrote:


I just did tell you what's acceptable. :) Don't attack our infrastructure. I understand that's not an optimal answer from a wanting to help perspective, and it's something I'm working to get around, but at the end of the day we can't have people wantonly attacking our systems. In the long term I'm looking into setting up an environment to be used for these purposes.

The only misunderstanding seems to stem from the fact that people want to believe that attacking systems is ok if they claim they were trying to help after the fact. I'm telling you in no uncertain terms, with no ambiguity whatsoever, that attacking our systems FOR ANY REASON is not allowed. Be that a website, the EVE servers or any other property belonging to CCP hf. As I said in the blog, logs don't tell me what your intent is. If you want to help I want to work with you on a framework to enable it. That's not open license to attack a company's systems and shouldn't be misinterpreted as such. Prior to this there was no conversation at all regarding such and no reason for ANYONE to believe they had any license to do so. License was never in the past and will never in the future be given to do ANY kind of testing on production systems. I don't see any way to misunderstand that but give it a shot! :)

The blog, as is stated, is a request for information about what you'd like to see in a system set up for this, and a statement about rewards for data collected anecdotally. I really don't see it as a license to attack our systems and it shouldn't be interpreted as such.

I think the issue is that we don't agree on the definition of attack or testing. for me, i have to operate under the assumption that an attack is a single 'or 1=1, or a single unauthorized failed login. based on my knowledge of past happenings with ccp, something seems to only be considered an attack when secret info is viewed, or there is a denial of service.

IMO, "testing" and "attacking" would be required to accomplish this:
Quote:
The Good Example - User sends an email to [email protected] which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"


People in different roles than either of us probably have an even different idea of what these words mean. Clearly some users at the release of this forum software had a vastly different idea of what malicious activity meant.

I propose the following rules to clarify for all parties regardless of their knowledge of how to handle security incidents:
-no taking down services
-no viewing secret information, as you can't undo your actions on the internet don't even try to get close
-if you must test if something can be used against another user, use it only on your alt and not even a consenting 3rd party, as knowledge of the exploit could spread
-no sharing knowledge of a live exploit with any other person
-no exploiting for personal gain
-no corrupting the integrity of information owned by other users.

i think this sort of thing needs to be crystal clear for the users out there.


I'm telling you in no uncertain terms, again, that from the log's perspective there's no difference between a "test" and an "attack". If that's too difficult or nuanced to be clear then let's just say don't "test" either. I don't think it's clear what anyone thought at any time because I'm not psychic and I'm not going to ever be unless something awesome happens.

I propose the following:

Don't test, don't attack and don't in any way shape or form attempt to use systems for anything other than their intended purpose.

That is production systems. When it comes to a system specifically built for this purpose then the bulk of your proposed rules would make sense with some additions that I'll touch on when I have a free minute.

so, we'll soon be getting a 'singularity' of eve's web resources?
CCP Sreegs
CCP Retirement Home
#71 - 2011-09-27 14:48:59 UTC
It's something I'm looking into. I haven't decided how to structure it yet though really, so sisi may not be the best example. For instance, does it make more sense to have a sisi up all the time or to hold a kind of contest? For the next x time, pound away at this, here's where it is, and rotate those things out with maybe larger prizes going to winners.

I'm curious whether you think that might be more impactful than just having it up and running 24/7, and also provide a lot more incentive to the individual.

T'Laar Bok
#72 - 2011-09-27 17:29:14 UTC
CCP Sreegs wrote:
I'm not psychic and I'm not going to ever be unless something awesome happens..


This thread shows you have the patience of a saint so you never know.

Amphetamines are your friend.

http://eveboard.com/pilot/T'Laar_Bok

Garia666
CyberShield Inc
HYDRA RELOADED
#73 - 2011-09-28 14:00:42 UTC
CCP Sreegs wrote:
Garia666 wrote:
Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So when you have, change it asap


I'm pretty sure there are threads for conspiracy theories or trolling somewhere on this forum, but this one isn't it. Please refrain and stick to the topic.



what are you smoking? this is no conspiracy, these are true facts. and we are talking about security, this is a very helpful tip for the people playing this game. Not something you might want to hear i am sure.
CCP Sreegs
CCP Retirement Home
#74 - 2011-09-29 11:22:04 UTC  |  Edited by: CCP Sreegs
Garia666 wrote:
CCP Sreegs wrote:
Garia666 wrote:
Here is a free tip: never have multiple accounts on 1 email. You can be banned for no apparent reason. So when you have, change it asap


I'm pretty sure there are threads for conspiracy theories or trolling somewhere on this forum, but this one isn't it. Please refrain and stick to the topic.



what are you smoking? this is no conspiracy, these are true facts. and we are talking about security, this is a very helpful tip for the people playing this game. Not something you might want to hear i am sure.


Yes, because clearly from an account security perspective it is a good idea for you to maintain 12 different email accounts, or use one you could lose access to, which would then leave you in the position of not being able to access your account. Never mind the fact that your insinuation that we randomly ban people is a flat-out falsehood. Not liking why you were banned or choosing not to recognize that you've violated the terms of an agreement don't mean there was no reason.

In short, I've asked you once not to mislead our customers, provide them with bad information or mischaracterize our actions with conspiracy theories about account actions. Your advice is simply terrible for the end user and has no place in this thread regardless.

If you have an opinion on disclosures or security testing I'd love to hear them. Otherwise take the less than subtle hint and refrain from posting unrelated FUD in the thread devoted to security testing and disclosures.

Chanina
ASGARD HEAVY INDUSTRIES
#75 - 2011-09-30 08:46:36 UTC
I don't know how your system for petitions and bug reports is working, but if there are plans to make changes to it you might consider a common database where all reports come together and are sorted by labels. Combine that with a tag system so a BH, GM or DEV can sign it with "Browser Crash" or "POS Exploit". To keep it clearly arranged, use several levels of tags.

Use-Case:
You are looking into some trouble concerning POS. Once you have melted down all the reports to POS-related ones only, you can see the lower-level POS tags like "POS Exploit" or even some more detailed ones with more information in the tag (e.g. "Hybrid weapon ammo exploit").

Why?
Everyone describing a problem or bug will name it differently. Also, one problem might be related to more than one scenario. The person who processes the issue might change too; with tags applied to the reports you can find related issues or reports that may provide the missing information.
Describing a problem is pretty hard. Most of the time you assume something is standard and don't mention it. The next person doesn't know your "standard" and fails to follow your description.


Bans: Is there a public list of characters/accounts which have been banned? If not, it might help to prevent reselling those accs/chars if it is clear that they were abused. Maybe even an entry in the employment history of the character? ("Was sent on vacation")
At least I would never buy a character which got banned for whatever cause.