#1 Re: Questions and Answers » help pls » Today 11:57:01

Nexus221 wrote:

can someone remove all worlds from my account which have no data (like untitled worlds that I bought but never entered them or edited them) because I can't launch EE properly

What do you mean by can't launch EE properly? Worlds that have never been entered should make almost no difference to loading times, as if there's no data in them, no data needs to be downloaded.

#2 Re: Game Business » Information on EE Offline & Happy Easter! » Today 11:54:39

Zumza wrote:

The world-downloading challenge has been proposed by the community a while ago, … p?id=40902
And the solution that was found not only produces far-shorter files, but also allows levels to be simply shared by text, and not exclusively by binary files.

This algorithm was solved in 72 hours' time, but it took Cercu1l 3 months to come out with a worse version, that is indeed an achievement!

The idea with EE Offline is that it should be a fairly simple conversion, as to not waste EEU development time, so the file format we ended on is just what was easiest to use (most of a compressed init message) so it can just be plugged into the current initialisation code without any major changes.

Processor's format is slightly more compact, but also much more difficult to use (for both us and any botters that may want to use the files), and when the whole of EE fits into something like 1-2GB, the size difference really doesn't matter.

#3 Re: Game Suggestions » global team gates / door » 2019-04-14 15:45:44

We usually try to keep things simple by only having blocks with basic features which you can use together to do more complicated things.

In this case, I would suggest toggling a global switch when someone gets the green team, then you can use that switch to allow access to the red team. This should work in pretty much all cases apart from when someone leaves the world, which we know is a limitation a lot of action blocks have. Unfortunately there's not an easy way to solve that currently without changing the behaviour of existing blocks or making things more complicated than we'd like, so we're planning on leaving it until EEU, when we'll try to make sure we provide a more versatile set of action blocks.

#4 Re: Bug Reports » It didn't load. Only in my account » 2019-04-11 15:40:55

Linked accounts have temporarily been disabled while we look into a potential security problem, we'll re-enable them when we've either fixed the problem, or confirmed that the linked account system isn't the cause of the problem.

#5 Re: Bug Reports » EE lags » 2019-04-08 01:37:28

we'll fix it for EEU

#6 Re: Game Discussion » hey did we get hacked again? » 2019-04-07 12:44:45

The failing to load the image is caused by a 'feature' of PlayerIO that allows anyone to change the credentials of the guest account (which is what is used to load things before you've logged in), which prevents normal players from being able to use it. Unfortunately we don't really have a way to fix this, so we'll have to tolerate it until EEU is released, when we'll be able to make sure we don't have any of these problems.

The reason you've been logged out is that yesterday we changed the way 'remember me' functions due to some potential security concerns, so you'll need to re-enter your credentials the first time you play since that update.

As for the email not registered, double check all the email addresses it could be, and if none of them work email [email protected] from the email you believe it to be, including your in-game username (but not your password) and a short summary of the issue just in case whoever reads the email hasn't seen this, and we'll see what we can do.

#7 Re: Forum Discussion » Remove the close feature. » 2019-04-02 20:30:10

I see why you would want to allow people to close their topics in most places, but in places where you're putting forward ideas/information (Feedback + Q&A) topics are being closed for bad reasons more often than not, so allowing people to close topics both prevents people from contributing and means more work for forum staff.

#8 Re: Bug Reports » Scrolling through EE client moves you down to the website page » 2019-04-02 16:53:46

Just checking I understood this correctly, the scrolling in game is working correctly, it just also scrolls the page too?
If so, is this all the time or just when there's nothing to scroll (or you've reached the end of a scroll bar) in game?

#9 Re: Forum Discussion » Former staff member closed the topic in past, and can't open it again? » 2019-04-02 15:48:15

There's a good reason not to allow unlocking topics after a staff member has locked them, it doesn't really matter how long has passed or whether whoever locked it is still a staff member or not.

If you flag the topic then it can probably be unlocked, which would give you back the lock topic privileges.

#10 Re: Bug Reports » Scrolling through EE client moves you down to the website page » 2019-04-02 15:45:30

Scrolling is a bit weird in flash, it acts differently for different browsers and sometimes even the same browser on different computers.

We're doing everything you're supposed to do to capture scrolling, so if it's still acting weirdly there's not much more we can do, I'd advise just using the minimal website or something

#11 Re: Game Business » The Data Security Breach - Please Update Your Passwords » 2019-03-29 22:41:16

Edilights wrote:

I'm confused about my EE account ... What am I supposed to do? Or maybe not...

If you can currently log in fine, and you're using a secure password, you don't need to do anything.

If you can no longer log in (because your password is 'incorrect'), that means that we temporarily disabled your account because you shared your password with someone through the in-game mail system, which was recently breached. To recover your account, use the 'change or recover password' feature in the login screen to set a new password.

#12 Re: Game Suggestions » Awards for returned player. » 2019-03-29 13:09:49

The invite thing is a good idea IMO (although it might be better just for new players), but I can't really think of a way you could prevent the abuse problems...

Giving away anything just encourages people to create alt accounts, which isn't something we want to do

The news summary is a good idea though (for EEU not EE), I'll suggest it to the rest of the staff

#13 Re: World Creation » Binary Calculation Tutorial v1.1 » 2019-03-29 12:55:05

ILikeTofuuJoe wrote:

^ Alright! I'll add some text for calculating negative numbers (as soon as I figure out how to do that).
So for binary numbers, value = (non sign bits' sum) - sign bit?

The most significant bit counts for negative what it used to, yes. So if it was an 8 bit number then the most significant bit would be -128 instead of 128, and the rest of the bits would stay the same.

The easiest way to negate a number that I know of is to flip all the bits then add one (effectively flipping all the bits after the first one from right to left):
34 = 00100010
   -> 11011101
     + 00000001
     = 11011110
= -128 + 64 + 16 + 8 + 4 + 2 = -34

#14 Re: Game Business » The Data Security Breach - Please Update Your Passwords » 2019-03-29 12:49:12

From my experience it's not that he doesn't want to address the problems, he just wants to have all the information ready before he does. The post was made within 24 hours of PlayerIO getting back to us on the rest of the issues, so it was pretty soon after we got all the information we needed.

If you do want the information as we get it then I generally reply to most questions on the forums about the issues (as I've been doing for the past week), and a couple other staff members and I are active on both the official and unofficial discord servers, and try to reply to most of the questions there too. Usually we do the informal conversations, and Xenonetix does the formal statement at the end.

#15 Re: Game Suggestions » Inbox Encryption » 2019-03-28 14:59:04

Processor wrote:

Use the salted hash of the password to encrypt an RSA private key. Publicize the public key.
Upload a new keypair when the account password changes.

In this case, that would be an incredibly unsafe thing to do...

Currently the person who had access to the database got a list of all messages, if we followed your procedure they would effectively get a list of 'hashes' of passwords. (Not hashes exactly, but things that could be used to crack a user's password in the same way as a hash could be)

If the level of security was the same for both the password system database and the mail system database then maybe, but the password system database is massively more secure than the rest of the game's database, so it's really not a good idea.
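
Why a password-wrapped private key behaves like a password hash, as an added example that is not part of the original post or of EE's code: a row holding the wrapped key confirms or rejects a password guess exactly as a stored hash row does. The function names, the PBKDF2 parameters and the SHA-256 keystream standing in for a real cipher are assumptions; the key and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 1000  # assumption: kept low so the demo runs fast
SAMPLE_PRIVATE_KEY = b"-----BEGIN PRIVATE KEY----- constructed placeholder"

def derive_key(password: str, salt: bytes) -> bytes:
    """The 'salted hash of the password', used as the key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode, standing in for AES-CTR (not in the stdlib).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_private_key(password: str, private_key: bytes) -> dict:
    """Build the row the mail database would hold for one user."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    ct = _xor(private_key, _keystream(key, nonce, len(private_key)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_private_key(password: str, row: dict) -> Optional[bytes]:
    """Return the private key, or None if the password is wrong."""
    key = derive_key(password, row["salt"])
    expected = hmac.new(key, row["nonce"] + row["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, row["tag"]):
        return None
    return _xor(row["ct"], _keystream(key, row["nonce"], len(row["ct"])))

def password_hash_row(password: str) -> dict:
    """What a password database row holds, for comparison."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive_key(password, salt)}

def hash_confirms(row: dict, candidate: str) -> bool:
    return hmac.compare_digest(derive_key(candidate, row["salt"]), row["hash"])

def wrapped_key_confirms(row: dict, candidate: str) -> bool:
    # Needs nothing from the password database: the mail row is enough.
    # Without the tag, the recognisable key header would still confirm a guess.
    return unwrap_private_key(candidate, row) is not None

if __name__ == "__main__":
    mail_row = wrap_private_key("constructed-password", SAMPLE_PRIVATE_KEY)
    hash_row = password_hash_row("constructed-password")
    for guess in ("wrong-guess", "constructed-password"):
        print(guess, hash_confirms(hash_row, guess),
              wrapped_key_confirms(mail_row, guess))
```
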

#16 Re: Game Suggestions » Inbox Encryption » 2019-03-28 13:00:25

The problem is that the key needs to be stored somewhere, and as EE is a web game that would have to also be in the database, so it wouldn't really be any safer than before.

Yes there are products that work around this, but there are massive limitations when it comes to viewing messages on a device other than the one you started on, and we can't really have this be the case for EE.

Edit: Found some background info if you're interested: … are-a-mess

#17 Re: Game Discussion » Regarding the data breach » 2019-03-27 18:12:15

Charlie59876EE wrote:

they haven't even added a way to change the password.

If you go to the login page, there's a button "Change or recover password":

#18 Re: Game Business » Recent Events & Accounts Restored! » 2019-03-25 20:08:51

Just clearing up some terms:

The "DB" (which they have access to) refers to the PlayerIO game BigDB, which is what stores in-game information like worlds, campaign progress, mail, reports, bans, last known IP addresses, etc. (although for the time being we've disabled mail and the collection of IP addresses)

The "backend console" (which we strongly believe has been secure since early January, when the export was made) is what is used to upload new versions of the client and server, and can be used to access account emails / FB names.

peace wrote:

passwords are not in the client I'm aware of (I think)

The idea is that if they managed to upload a modified version of the client, it could send them your account info when you type it in. We are very sure that they do not have the ability to do this though, which is why we've kept the game running.

#19 Re: Game Discussion » Regarding the data breach » 2019-03-25 15:56:04

TheSource85 wrote:
LukeM wrote:

How about forcing a strong random password on all accounts and sending reactivation links to all users?
Small, but significant..

1. Passwords are safe, this really won't change anything
2. A very large proportion of people use a fake email address, so if we did this we'd effectively be locking a huge number of players out of their account, which is really not something we want to do.

#20 Re: Game Discussion » Regarding the data breach » 2019-03-25 15:25:11

2B55B5G TNG wrote:

Okay. What if the hackers plan to attack again, what will you do?

We've made sure that in the meantime while we fix this no private information is being stored in the database, so all of the data they could extract is either public anyway, or internal data we don't really care about being accessed (the only time this is anywhere near important is leading up to an update or something)

#21 Re: Game Discussion » Regarding the data breach » 2019-03-25 14:52:53

2B55B5G TNG wrote:

“EEU will be better!”

You can’t even solve the current problem, how can you ensure EEU will be better? Tell me, do you devs really know about the problem?

We've identified an exploit that would allow the current attacks to be performed, we have shown this by recreating the attack on our development server, and we have found a solution to the problem that we just need PlayerIO to complete the last few steps of, so yes, we know about the problem

#22 Re: Game Discussion » Regarding the data breach » 2019-03-25 14:11:37

TheSource85 wrote:
LukeM wrote:

So.. You're not even sure it's fixed yet
Way to publicize the system is still vulnerable.. @Hackers: You just got the go-ahead! Well.. Not literally, but you could translate it that way

Dude! Just.. I need to be sure that my data in your system is safe.. Is it? Can you provide proof for that? Can you also tell me (under the rules of the new GDPR law) who has and had access to my personal data?
If not, I am allowed to claim you delete everything related to my personal data, in Every system you have, including backups, IP logs, you name it.. Luckily you don't have to prove it if we ever get to that point, but if my data somehow still leaked after that, you lied and that means good times for my wallet.. (hypothetically).
Oh right, and if I'm allowed: Everyone is!

Just a quick note.. Will you stop the science can't be proven stuff.. The more you say it, the more ridiculous it gets.. I know science, I know how it works, don't presume/assume I don't..
Science works on the principle of creating a theory and trying your best to disprove it, while others join in. If nobody is able to disprove it, the conclusion is (until a time it can be disproven) considered a proven fact. Yay science!

I'm not talking about science or logic: I'm talking about data. (no Star Trek vs. Star Wars jokes here.. that's just too easy)

Okay, so you think you've done enough to combat the issue.. Or at least you've done stuff so the issue can eventually be combatted.. Well, good for you.. Now disprove it, or let someone else do it! (@Hackers.. your cue)

We're as sure as we can be that the attacker does not have access to new account information, but we know that the attacker still has access to the database. We're currently in the process of getting PlayerIO to make the changes needed to fix this issue.

And at this point little more damage can be done to the database, we've disabled the collection of any private information at risk (in-game mail, IP addresses, etc), and we've made backups of everything that is at risk of being deleted.

As I've said several times, we strongly believe that all new account information is safe (emails and real names), but it is impossible to prove that. And yes, if anyone wants all their data deleted then we can do that, but we collect as little information as possible, so what has already been leaked is all we have (assuming your account was created before the 5th January, and excluding things like passwords because they are stored securely by PlayerIO entirely separately from the rest of the game).

As for the science stuff, as I said, we've been testing all the data we gather against our hypothesis, and so far everything we have points towards it being correct. Until PlayerIO make the changes we believe will fix the problem this is all we can do.

Gosha wrote:
LukeM wrote:

But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database.

Just because they haven't touched database in a while doesn't mean they don't have access to it, thus you can't claim that the flow of player data is under control (which is proc's main argument for shutting down the game)

That's what I said, it's not. What is safe is the game files and the account information. I was saying that the fact that they still have access shows that it physically cannot be what Atilla was suggesting it was.

XxAtillaxX wrote:

If they do have access to any of your developers' systems, then there is nothing that I can think of that would prevent them from performing the same series of attacks in the future.

What we are currently doing will fix the exploit that we've found and demonstrated on the development server.

#23 Re: Game Discussion » Regarding the data breach » 2019-03-25 13:24:49

TheSource85 wrote:

"the only logical conclusion"... I love those kind of statements.. It's in the same lane as assumptions and you all know well, assumptions are the mother of all f*ck-ups.. Please... Just.. You know.. DON'T!
If you're not able to prove your 'logic', it can never EVER apply, because its foundation is based on things like hopes, wishes, fairytales, magic, probably some Walt Disney Princesses, pure assumptions (which are based on the maximum capability of the people making those assumptions.. they're probably calling it experience or something) and other senseless stuff..

Perhaps instead of trying to keep all relevant data to yourselves and trying to get everyone off your back by stating wall-of-text-like nonsense, you could make public what you've found, what you've done, what your thought processes were and what is actually being done to prevent this.
And I'm not even talking about legal stuff.. Some people mentioned GDPR before. That's just 1 of the many legal documents present on the great big Internetz regarding the security of personal data.
If you're offering a 3rd party solution, you are still responsible to your clients.. That 3rd party is responsible to you and you need to be absolutely sure that your client data is secure..
If you're not sure, then the Only option is to not use that 3rd party thing and if you continue using it: YOU are legally at fault, no matter how much you point your finger to said 3rd party..

Firstly, we know about all the legal stuff, we're not trying to suggest that we don't need to follow the laws because it was PlayerIO that allowed the attack to happen, we will continue to take this seriously and will do everything we're required to do.

As for the proof stuff, logic can be proven, yes, but science can't be. The whole field of science is trying to find the conclusion that fits the data you have the best, which is what we've done. The hypothesis we have works; it explains perfectly what the attacker is able to do, and we've gone ahead and performed one of these attacks on our development server to show this. I may be taking the word 'prove' more seriously than some other people, and it's likely that others would have claimed that they had proven that this was how the attack was performed at this point, but that would technically be a false claim so we're not going to make it.

We want to reveal more information about the attack, but we really can't at this point. If we gave out more information before we've ensured that the vulnerability is fixed we'd be putting ourselves in even more danger of attack, and I think we can all agree that that's not a good idea

XxAtillaxX wrote:

I don't think you quite understand, Luke. If an attacker has remote access to one or more of your developers' workstations then changing passwords would be completely ineffectual in preventing future attacks.

But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database. Xenonetix has even been doing all management from a different computer as we can't remove his permissions, so you can trust us when we say that we've done all we can to narrow down the number of ways the attacks could have been performed.

#24 Re: Game Discussion » Regarding the data breach » 2019-03-25 13:04:55

XxAtillaxX wrote:

I would think Occam's razor would readily apply in this instance. You can audit yourselves whilst awaiting a response from Player.IO, rather than speculating and fiddling your thumbs, since that clearly isn't helping.

We did, and we made all the changes we are able to do ourselves (changing passwords, removing all permissions we could that would allow anyone with a developer's login credentials to perform an attack, etc) after the first time data was modified (which obviously didn't prevent their access).

As I said earlier, we're not suggesting that PlayerIO is completely to blame, our conclusion puts at least a small part of the fault on us, but it certainly wouldn't have been possible without significant security flaws on their side, and is not fixable without their help.

As for 'twiddling our thumbs', we're not just sitting by spectating, we're doing all we can to prevent further damage, and we're still collecting as much information about the attacks as possible (and trying to fill in the rest of the smaller details about who is involved with the attacks)

#25 Re: Game Discussion » Regarding the data breach » 2019-03-25 12:15:40

(Mostly in response to Atilla, but also TheSource):

We have done several investigations into how the attacks could have been performed, and the only logical conclusion is the one that we've made (that they are to blame for the things that we've blamed them for).

That said, we are not suggesting that the entirety of PlayerIO (or that Henrik) is compromised, and I'd strongly advise against extrapolating anything like this from the claims we've made until we release further information.

We may not have 100% proof that this is how the attacks were performed, but that's next to impossible without some miracle like the attacker actively giving us evidence to prove how they performed the attack, and even then it would be difficult to prove that it's not fabricated...

However, the scientific method is what you use in situations like this, and although it can't be used to prove things (nothing in science is, or can ever be, proven), it can be used as VERY good evidence that something is true. We first made our current hypothesis for how the attacks are performed very early on in the process, and we've shown that it does explain every single piece of evidence we've gathered so far, to the extent that we've even performed one of these attacks ourselves on one of our development servers, which is enough to convince all of us beyond any doubt that it is what the attacker is doing.

So sorry, we're not able to prove anything conclusively, but I hope that explaining what evidence we have and our method that brought us to these conclusions will help convince you that what we are saying is true.

