[CSM] December Summit - Security

Trebor Daehdoow
The Scope
Gallente Federation
#1 - 2011-11-23 16:24:14 UTC
Please discuss issues related to this session in this thread. We look forward to your comments and suggestions.

Private Citizen • CSM in recovery

MNagy
Yo-Mama
#2 - 2011-11-23 17:07:33 UTC
In general, security needs to be overhauled totally.

If you look at the way security is now, it is MADE so someone has the option of thieving or stealing from you.
Currently you technically need to give too many rights to someone so they can 'do their job'.

Current rights are also unfair to an individual, as an individual must "TRUST" a corp with their own BPOs for research.
-Again - very easy for these to be stolen.

My first solution to the above is a simple change.... Any corp hangar (the div tabs) should be given 1 extra tab. A "PERSONAL" tab. Only you can access it if it's at an NPC station. If it's at an actual POS, then the items can be accessed by admin as there would be no way to offline the hangar.

By doing the above, an individual can go to the 'Corp Hangar' at an NPC pos, and put his/her BPOs in there safely 'cause nobody can touch them. From here you can do research at the POS remotely.
Your YEARS of investing into your OWN BPOs that YOU purchased with your OWN ISK is SAFE!

You ever wonder why you have so many 1 man corps or tiny corps around - it's so none of their YEARS' worth of investments get stolen.
Trebor Daehdoow
The Scope
Gallente Federation
#3 - 2011-11-24 11:31:03 UTC
The security session is more about external security -- protecting your account, fighting botters and RMT, etc.

Private Citizen • CSM in recovery

Eperor
Machiavellian Empire
Test Alliance Please Ignore
#4 - 2011-11-24 11:33:51 UTC
But we need in-game security too; that has already been waiting a very, very long time :(
Takara Mora
University of Caille
Gallente Federation
#5 - 2011-11-24 16:47:23 UTC  |  Edited by: Takara Mora
Trebor Daehdoow wrote:
The security session is more about external security -- protecting your account, fighting botters and RMT, etc.


Great area for improvement, and the technology is now RIPE to implement something low cost and easy for everyone, that could also provide a much higher degree of security.

The best idea I've seen lately is the new mobile phone account validation function that has recently appeared for competing MMOs ... yeah, it may be patented or whatever already, but maybe a different design or licensing agreement could be arranged:

- you install a "validator" app on your smartphone (iPhone, Windows Phone, Android)
- you set your account to require phone validation (let the account owner choose whether to require validation code upon any number of scenarios)
- when prompted at login for the phone validation code, you have to go run the phone app, and it generates a temporary validation key based on phone hardware, time function, and some parameter stored on the server side unique to your login account (a parameter passed to the phone app from the server at initial phone app setup), etc., that will only work with your account.
- input the phone validation code in addition to your normal userid and password

The scheme could include options for higher or lower security based on the desires of the user.
The app does not require an active phone connection each time it is run, but only upon initial setup.

This is similar to the old "login dongle" idea used by many high dollar or high security firewall validation systems, where, in addition to a userid and password, the server would present a temporary timebound encryption code to the user logging in, and the user would have to input the code into a small smart dongle device, and the device spits out a reply code that the user then inputs in reply to the server prompt .... but thanks to the prevalence of smartphones, dongles are no longer required!
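
Added example, not part of the original post and not code from CCP or any game vendor: the time-based code scheme post #5 describes, sketched with the standard TOTP construction (RFC 6238) as a stand-in. It assumes only a per-account secret shared once at setup plus the clock; the phone-hardware binding mentioned in the post is not modelled, and the `Account` class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds each code stays valid (RFC 6238 default)
DIGITS = 6     # length of the code the user types in

def provision_secret() -> bytes:
    """Server side, at initial app setup: random per-account secret sent once to the phone."""
    return secrets.token_bytes(20)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Phone side: derive the code offline from the stored secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Server-side record for one login account (hypothetical structure)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1    # highest time step already accepted

    def verify(self, code: str, unix_time: int, drift_steps: int = 1) -> bool:
        """Accept a code from the current step or +/- drift_steps, and only once."""
        now = unix_time // STEP
        for counter in range(now - drift_steps, now + drift_steps + 1):
            if counter <= self.last_counter:
                continue          # this step (or a newer one) was already used: replay
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False
```

The drift window tolerates a phone clock that is slightly off, and tracking the last accepted step means a code captured by a keylogger cannot be replayed inside its own validity window.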
Endovior
PFU Consortium
#6 - 2011-11-24 18:26:45 UTC
Uh... how does that help with anything? All it proves is that you have a smartphone, and not everyone does.

More useful would be code to check to see if any of the known botting programs are currently running on your computer. If so, then your client will automatically flag your account as a suspected bot, allowing easier investigations into botting. Or, of course, you could just automatically ban everyone who triggers that bot flag, but since it seems unlikely that you'd manage the feat without some false positives, it's better on the whole for there to be a bit of oversight.
StukaBee
Native Freshfood
Minmatar Republic
#7 - 2011-11-24 23:17:02 UTC  |  Edited by: StukaBee
The keychain account authenticator thingies that were given out at last Fanfest: what is happening with these?
Evei Shard
Shard Industries
#8 - 2011-11-25 05:35:59 UTC
Trebor Daehdoow wrote:
The security session is more about external security -- protecting your account, fighting botters and RMT, etc.


CCP's stance on botting goes back to Hilmar's infamous statement earlier this year. Players are watching what CCP does, not what they say. Judging by threads on this forum, CCP is saying a lot and doing nothing about bots. Thus it is a waste of CSM time to even bring it up (half of you stand accused of being mass botters yourselves if various comments are to be believed).

Profit favors the prepared

Abdiel Kavash
Deep Core Mining Inc.
Caldari State
#9 - 2011-11-25 14:10:16 UTC
Publishing the number of accounts banned temporarily and permanently for botting every, say, quarter would surely improve trust in CCP's measures. There's no need to publish any details about the accounts or the detection methods, just a pair of numbers.
Takara Mora
University of Caille
Gallente Federation
#10 - 2011-11-25 15:15:58 UTC
Endovior wrote:
Uh... how does that help with anything? All it proves is that you have a smartphone, and not everyone does.

More useful would be code to check to see if any of the known botting programs are currently running on your computer. If so, then your client will automatically flag your account as a suspected bot, allowing easier investigations into botting. Or, of course, you could just automatically ban everyone who triggers that bot flag, but since it seems unlikely that you'd manage the feat without some false positives, it's better on the whole for there to be a bit of oversight.



The smartphone authenticator is to improve security against account theft, nothing to do with the botting topic obviously.
Takara Mora
University of Caille
Gallente Federation
#11 - 2011-11-25 15:24:49 UTC
StukaBee wrote:
The keychain account authenticator thingies that were given out at last Fanfest: what is happening with these?


Keychain authenticators would be a good step in the right direction, tho a bit outdated and with the drawback of having to add yet another dangly bit to your keychain. Maybe still good if there are still a lot of ppl lacking smartphones ....

A smartphone authenticator app wouldn't take long to write .... heck, they could even charge money for it ... and even enhance the thing over time with some nice functions like displaying EVEMail & Alert notifications, or even some EVEMON type functionality.

Akrasjel Lanate
Immemorial Coalescence Administration
Immemorial Coalescence
#12 - 2011-11-25 17:35:08 UTC
For me it's simple: BAN bots and dudes that sell ISK for $, amnesty for those that buy ISK, but if they will be doing it: BAN

CEO of Lanate Industries

Citizen of Solitude

Khudin Hadashur
Doomheim
#13 - 2011-11-25 20:24:21 UTC
An update on the keychain authenticator devices would be very good, but I'm pretty sure this topic will come up.

While I realise there are a great deal of limitations on what can be discussed in terms of detection methods, measures taken etc. in regards to botting and RMT, some more snippets of information would really help. As it stands now, from the moment you press a 'report bot' button on Raven Navy Issue user Thuwgzkznw, who is in Thuwgzkznw Corp as its only member, it is unclear what happens next. Any feedback on this, however small, is good.


You may also log on to EVE during this session and land a brutix on a mackinaw.
Avila Cracko
#14 - 2011-11-27 11:56:34 UTC
What's with the anti-bot fight???
Was that only a PR thing???

And when will they change that 3-strike anti-bot mechanic that doesn't work to 1-strike and out...

truth, the whole truth and nothing but the truth.

Dutarro
Ghezer Aramih
#15 - 2011-11-27 21:20:52 UTC
Let a player flag some number of items as 'critical' ... If there is any attempt to transfer that item to another character, it triggers a security question. Account hackers would not be able to loot a character as easily.
Wolodymyr
Breaking Ambitions
#16 - 2011-11-28 02:06:38 UTC
Take a look at that "Punkbuster" program that is used to catch cheaters in FPS games. We could use something similar to catch botters.

Yeah it's kind of an invasion of privacy. What would you guys think if CCP came out with some sort of program that specifically looked for eve botting programs and didn't do any Origin style datamining?

I honestly think PoCo based sov is a good idea https://forums.eveonline.com/default.aspx?g=posts&m=1417544

Endovior
PFU Consortium
#17 - 2011-11-28 02:31:41 UTC
I would be in favour of Eve code that looked for the major botting programs and flagged the relevant account if they detected them. It wouldn't hurt anyone but bots, after all, and botters can die in a fire.

Also, not a fan of the RMT thing. Why would you give any amnesty to the buyers of ISK? Without them, there'd be no sellers, so both need to die.