TheSource85 wrote:"the only logical conclusion"... I love those kinds of statements.. It's in the same lane as assumptions and you all know well, assumptions are the mother of all f*ck-ups.. Please... Just.. You know.. DON'T!
If you're not able to prove your 'logic', it can never EVER apply, because its foundation is based on things like hopes, wishes, fairytales, magic, probably some Walt Disney Princesses, pure assumptions (which are based on the maximum capability of the people making those assumptions.. they're probably calling it experience or something) and other senseless stuff.. Perhaps instead of trying to keep all relevant data to yourselves and trying to get everyone off your back by stating wall-of-text-like nonsense, you could make public what you've found, what you've done, what your thought processes were and what is actually being done to prevent this.
And I'm not even talking about legal stuff.. Some people mentioned GDPR before. That's just 1 of the many legal documents present on the great big Internetz regarding the security of personal data.
If you're offering a 3rd party solution, you are still responsible to your clients.. That 3rd party is responsible to you and you need to be absolutely sure that your client data is secure..
If you're not sure, then the Only option is to not use that 3rd party thing and if you continue using it: YOU are legally at fault, no matter how much you point your finger to said 3rd party..
Firstly, we know about all the legal stuff, we're not trying to suggest that we don't need to follow the laws because it was PlayerIO that allowed the attack to happen, we will continue to take this seriously and will do everything we're required to do.
As for the proof stuff, logic can be proven, yes, but science can't be. The whole field of science is trying to find the conclusion that fits the data you have the best, which is what we've done. The hypothesis we have works; it perfectly explains what the attacker is able to do, and we've gone ahead and performed one of these attacks on our development server to show this. I may be taking the word 'prove' more seriously than some other people, and it's likely that others would have claimed that they had proven that this was how the attack was performed at this point, but that would technically be a false claim so we're not going to make it.
We want to reveal more information about the attack, but we really can't at this point. If we gave out more information before we've ensured that the vulnerability is fixed we'd be putting ourselves in even more danger of attack, and I think we can all agree that that's not a good idea.
XxAtillaxX wrote:I don't think you quite understand, Luke. If an attacker has remote access to one or more of your developers' workstations then changing passwords would be completely ineffectual in preventing future attacks.
But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database. Xenonetix has even been doing all management from a different computer as we can't remove his permissions, so you can trust us when we say that we've done all we can to narrow down the number of ways the attacks could have been performed.
So.. You're not even sure it's fixed yet
Way to publicize the system is still vulnerable.. @Hackers: You just got the go-ahead! Well.. Not literally, but you could translate it that way
Dude! Just.. I need to be sure that my data in your system is safe.. Is it? Can you provide proof for that? Can you also tell me (under the rules of the new GDPR law) who has and had access to my personal data?
If not, I am allowed to claim you delete everything related to my personal data, in Every system you have, including backups, IP logs, you name it.. Luckily you don't have to prove it if we ever get to that point, but if my data somehow still leaked after that, you lied and that means good times for my wallet.. (hypothetically).
Oh right, and if I'm allowed: Everyone is!
Just a quick note.. Will you stop the science can't be proven stuff.. The more you say it, the more ridiculous it gets.. I know science, I know how it works, don't presume/assume I don't..
Science works on the principle of creating a theory and trying your best to disprove it, while others join in. If nobody is able to disprove it, the conclusion is (until a time it can be disproven) considered a proven fact. Yay science!
I'm not talking about science or logic: I'm talking about data. (no Star Trek vs. Star Wars jokes here.. that's just too easy)
Okay, so you think you've done enough to combat the issue.. Or at least you've done stuff so the issue can eventually be combatted.. Well, good for you.. Now disprove it, or let someone else do it! (@Hackers.. your cue)
But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database.
Just because they haven't touched the database in a while doesn't mean they don't have access to it, thus you can't claim that the flow of player data is under control (which is proc's main argument for shutting down the game).
A lack of evidence for an exploit isn't evidence of a lack of an exploit.
I think the majority of responsible companies would do all they can to limit the potential attack surface regardless of whether they have direct evidence that a particular attack was mechanized.
If they do have access to any of your developers' systems, then there is nothing that I can think of that would prevent them from performing the same series of attacks in the future.
In addition, you have zero evidence that they are unable to overwrite the flash client with a zero-day vulnerability and directly affect the security of the users.
You are playing dice with the security of yourselves and the people who play the game. I think it's very irresponsible to continue doing so.
TheSource85 wrote:So.. You're not even sure it's fixed yet
Way to publicize the system is still vulnerable.. @Hackers: You just got the go-ahead! Well.. Not literally, but you could translate it that way
Dude! Just.. I need to be sure that my data in your system is safe.. Is it? Can you provide proof for that? Can you also tell me (under the rules of the new GDPR law) who has and had access to my personal data?
If not, I am allowed to claim you delete everything related to my personal data, in Every system you have, including backups, IP logs, you name it.. Luckily you don't have to prove it if we ever get to that point, but if my data somehow still leaked after that, you lied and that means good times for my wallet.. (hypothetically).
Oh right, and if I'm allowed: Everyone is!
Just a quick note.. Will you stop the science can't be proven stuff.. The more you say it, the more ridiculous it gets.. I know science, I know how it works, don't presume/assume I don't..
Science works on the principle of creating a theory and trying your best to disprove it, while others join in. If nobody is able to disprove it, the conclusion is (until a time it can be disproven) considered a proven fact. Yay science!
I'm not talking about science or logic: I'm talking about data. (no Star Trek vs. Star Wars jokes here.. that's just too easy)
Okay, so you think you've done enough to combat the issue.. Or at least you've done stuff so the issue can eventually be combatted.. Well, good for you.. Now disprove it, or let someone else do it! (@Hackers.. your cue)
We're as sure as we can be that the attacker does not have access to new account information, but we know that the attacker still has access to the database. We're currently in the process of getting PlayerIO to make the changes needed to fix this issue.
And at this point little more damage can be done to the database, we've disabled the collection of any private information at risk (in-game mail, IP addresses, etc), and we've made backups of everything that is at risk of being deleted.
As I've said several times, we strongly believe that all new account information is safe (emails and real names), but it is impossible to prove that. And yes, if anyone wants all their data deleted then we can do that, but we collect as little information as possible, so what has already been leaked is all we have (assuming your account was created before the 5th January, and excluding things like passwords because they are stored securely by PlayerIO entirely separately from the rest of the game).
As for the science stuff, as I said, we've been testing all the data we gather against our hypothesis, and so far everything we have points towards it being correct. Until PlayerIO make the changes we believe will fix the problem this is all we can do.
LukeM wrote:But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database.
Just because they haven't touched database in a while doesn't mean they don't have access to it, thus you can't claim that the flow of player data is under control (which is proc's main argument for shutting down the game)
That's what I said, it's not. What is safe is the game files and the account information. I was saying that the fact that they still have access shows that it physically cannot be what Atilla was suggesting it was.
If they do have access to any of your developers' systems, then there is nothing that I can think of that would prevent them from performing the same series of attacks in the future.
What we are currently doing will fix the exploit that we've found and demonstrated on the development server.
It's a shame the owner of this game and the staff cannot handle responsibility. In cases like this it is important to send clear messages to the public and to not leave everyone in the dark. It is shameful that the owner has not yet made a statement, as it is clear that people should be notified as soon as he knew that there's a risk when logging in or making an account on Everybody Edits. It does not matter if this risk is small.
It is also shameful that he decided to block a person that was willing to help by giving information, no matter how this person might have hurt the owner's feelings. When a security breach happens, the owner must be able to sacrifice his own pride to minimize the damage.
My advice is that Xenotix reflects on what they are doing, and what it means to have the responsibility they have. Are they competent enough to hold this responsibility? And how will they change their way of handling this situation?
My respect they have lost. I believe this has greatly influenced the way I will look at this game in the future.
Just to remind you: people who don't use forums or discord still have no idea about the leak, because there is no information about it on ee.com or in game itself.
Pointing fingers at who is at fault for the holes in EE's security is pointless. What is more concerning to me is that staff has known for the last few weeks that there have been security problems and seemingly portrayed to the public that there is nothing to be concerned about. Even if it was all Player.io's fault you are still willingly using Player.io's services knowing that their security isn't good, and thus making people's accounts more at risk. This shows some form of negligence on your end and the fact that staff keeps saying "security will be better in EEU!" doesn't take away from the seriousness of the issue.
“EEU will be better!”
You can’t even solve the current problem, how can you ensure EEU will be better? Tell me, do you devs really know about the problem?
“EEU will be better!”
You can’t even solve the current problem, how can you ensure EEU will be better? Tell me, do you devs really know about the problem?
Ehm - how to ensure? If you trust the staff - they'll move from PIO
If you don't trust the staff - why do you ask? - They will answer you something, and you will not trust them.
E:
Pointing fingers at who is at fault for the holes in EE's security is pointless. What is more concerning to me is that staff has known for the last few weeks that there have been security problems and seemingly portrayed to the public that there is nothing to be concerned about. Even if it was all Player.io's fault you are still willingly using Player.io's services knowing that their security isn't good, and thus making people's accounts more at risk. This shows some form of negligence on your end and the fact that staff keeps saying "security will be better in EEU!" doesn't take away from the seriousness of the issue.
ur right now saying this only because you were demoted, trust me if you stayed a staff moderator you would not have said this.
“EEU will be better!”
You can’t even solve the current problem, how can you ensure EEU will be better? Tell me, do you devs really know about the problem?
We've identified an exploit that would allow the current attacks to be performed, we have shown this by recreating the attack on our development server, and we have found a solution to the problem that we just need PlayerIO to complete the last few steps of, so yes, we know about the problem.
Okay. What if the hackers plan to attack again, what will you do?
Okay. What if the hackers plan to attack again, what will you do?
We've made sure that in the meantime while we fix this no private information is being stored in the database, so all of the data they could extract is either public anyway, or internal data we don't really care about being accessed (the only time this is anywhere near important is leading up to an update or something)
2B55B5G TNG wrote:Okay. What if the hackers plan to attack again, what will you do?
We've made sure that in the meantime while we fix this no private information is being stored in the database, so all of the data they could extract is either public anyway, or internal data we don't really care about being accessed (the only time this is anywhere near important is leading up to an update or something)
How about forcing a strong random password on all accounts and sending reactivation links to all users?
Small, but significant..
can people stop wasting LukeM's time, he needs it to fix the servers
TheSource85 wrote:How about forcing a strong random password on all accounts and sending reactivation links to all users?
Small, but significant..
1. Passwords are safe, this really won't change anything
2. A very large proportion of people use a fake email address, so if we did this we'd effectively be locking a huge number of players out of their account, which is really not something we want to do.
Peace do you even know what’s going on? LukeM is NOT fixing the servers, he is waiting for Player.IO.
Can we just wait, instead of pointing our fingers? This thread is suddenly so popular and intriguing, but if we continue to argue this will get us nowhere.
I know that this situation is dire but at this point it feels like we're just panicking and attacking LukeM, a dev team. Even if he can't fix the issue without PlayerIO help, he's at least trying to control this situation and making sure that the damage is as low as possible. Can we please not?
Actually, I think this thread should be locked to only moderators and dev teams, since we're just wasting time by doing that to him.
One moment, please.
ONE MOMENT. GIVE THE FREAKING DEV TEAM ONE MOMENT.
Whatever, my EE account was made when I was like 11, it contains nothing but my email in there, and that's only because I recently changed it to my new email. My password and username literally aren't used anywhere else. (Also, it's not like I had friends to message for there to be messages to leak anyway.)
This is a meme checkpoint. Funposters beyond this point will be shot on sight.
Peace do you even know what’s going on? LukeM is NOT fixing the servers, he is waiting for Player.IO.
he doesn't get time if he needs to answer here and he can't do more things than he did, he can't change things in PIO itself
Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.
Again, xeno made the wrong decisions as always. Good job X.
Where did you find out all the information, did the staff tell it on the discord server?
I'll take that as a "yes"
Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.
Again, xeno made the wrong decisions as always. Good job X.
You're a member... how can you be this sure? Or is it this /r/woosh again?
Helvi wrote:Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.
Again, xeno made the wrong decisions as always. Good job X.
You're a member... how can you be this sure? Or is it this /r/woosh again?
He's talking about the lobby update which already happened.
Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.
Again, xeno made the wrong decisions as always. Good job X.
dude the staff has NOT chosen for this, it's a player or outside person who thought hey it's fun to attack this game which is not fun