Official Everybody Edits Forums



#101 2019-03-25 13:38:59

TheSource85
Member
From: Apeldoorn, Netherlands
Joined: 2015-06-07
Posts: 41

Re: Regarding the data breach

LukeM wrote:
TheSource85 wrote:

"the only logical conclusion"... I love those kind of statements.. It's in the same lane as assumptions and you all know well, assumptions are the mother of all f*ck-ups.. Please... Just.. You know.. DON'T!
If you're not able to prove your 'logic', it can never EVER apply, because its foundation is based on things like hopes, wishes, fairytales, magic, probably some Walt Disney Princesses, pure assumptions (which are based on the maximum capability of the people making those assumptions.. they're probably calling it experience or something) and other senseless stuff..

Perhaps instead of trying to keep all relevant data to yourselves and trying to get everyone off your back by stating wall-of-text-like nonsense, you could make public what you've found, what you've done, what your thought processes were and what is actually being done to prevent this.
And I'm not even talking about legal stuff.. Some people mentioned GDPR before. That's just 1 of the many legal documents present on the great big Internetz regarding the security of personal data.
If you're offering a 3rd party solution, you are still responsible to your clients.. That 3rd party is responsible to you and you need to be absolutely sure that your client data is secure..
If you're not sure, then the Only option is to not use that 3rd party thing and if you continue using it: YOU are legally at fault, no matter how much you point your finger to said 3rd party..

Firstly, we know about all the legal stuff, we're not trying to suggest that we don't need to follow the laws because it was PlayerIO that allowed the attack to happen, we will continue to take this seriously and will do everything we're required to do.

As for the proof stuff, logic can be proven, yes, but science can't be. The whole field of science is trying to find the conclusion that fits the data you have the best, which is what we've done. The hypothesis we have works; it perfectly explains what the attacker is able to do, and we've gone ahead and performed one of these attacks on our development server to show this. I may be taking the word 'prove' more seriously than some other people, and it's likely that others would have claimed that they had proven that this was how the attack was performed at this point, but that would technically be a false claim so we're not going to make it.

We want to reveal more information about the attack, but we really can't at this point. If we gave out more information before we've ensured that the vulnerability is fixed we'd be putting ourselves in even more danger of attack, and I think we can all agree that that's not a good idea :P

XxAtillaxX wrote:

I don't think you quite understand, Luke. If an attacker has remote access to one or more of your developers' workstations then changing passwords would be completely ineffectual in preventing future attacks.

But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database. Xenonetix has even been doing all management from a different computer as we can't remove his permissions, so you can trust us when we say that we've done all we can to narrow down the number of ways the attacks could have been performed.

So.. You're not even sure it's fixed yet :|
Way to publicize the system is still vulnerable.. @Hackers: You just got the go-ahead! Well.. Not literally, but you could translate it that way :P

Dude! Just.. I need to be sure that my data in your system is safe.. Is it? Can you provide proof for that? Can you also tell me (under the rules of the new GDPR law) who has and had access to my personal data?
If not, I am allowed to claim you delete everything related to my personal data, in Every system you have, including backups, IP logs, you name it.. Luckily you don't have to prove it if we ever get to that point, but if my data somehow still leaked after that, you lied and that means good times for my wallet.. (hypothetically).
Oh right, and if I'm allowed: Everyone is!

Just a quick note.. Will you stop the science can't be proven stuff.. The more you say it, the more ridiculous it gets.. I know science, I know how it works, don't presume/assume I don't..
Science works on the principle of creating a theory and trying your best to disprove it, while others join in. If nobody is able to disprove it, the conclusion is (until a time it can be disproven) considered a proven fact. Yay science!

I'm not talking about science or logic: I'm talking about data. (no Star Trek vs. Star Wars jokes here.. that's just too easy)

Okay, so you think you've done enough to combat the issue.. Or at least you've done stuff so the issue can eventually be combatted.. Well, good for you.. Now disprove it, or let someone else do it! (@Hackers.. your cue :P)


Any kind of management not willing to listen is no management at all..

Offline

Wooted by: (2)

#102 2019-03-25 13:47:14

Gosha
Member
From: Russia
Joined: 2015-03-15
Posts: 5,860

Re: Regarding the data breach

LukeM wrote:

But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database.

Just because they haven't touched database in a while doesn't mean they don't have access to it, thus you can't claim that the flow of player data is under control (which is proc's main argument for shutting down the game)

Offline

Wooted by: (4)

#103 2019-03-25 13:55:27, last edited by XxAtillaxX (2019-03-25 13:56:33)

XxAtillaxX
Member
From: Canada
Joined: 2015-11-28
Posts: 3,974

Re: Regarding the data breach

A lack of evidence for an exploit isn't evidence of a lack of an exploit.

I think the majority of responsible companies would do all they can to limit the potential attack surface regardless of whether they have direct evidence that a particular attack was mechanized.
If they do have access to any of your developers' systems, then there is nothing that I can think of that would prevent them from performing the same series of attacks in the future.

In addition, you have zero evidence that they are unable to overwrite the flash client with a zero-day vulnerability and directly affect the security of the users.
You are playing dice with the security of yourselves and the people who play the game. I think it's very irresponsible to continue doing so.



Offline

Wooted by: (3)

#104 2019-03-25 14:11:37, last edited by LukeM (2019-03-25 14:15:37)

LukeM
Dev Team
From: England
Joined: 2016-06-03
Posts: 2,839
Website

Re: Regarding the data breach

TheSource85 wrote:
LukeM wrote:

So.. You're not even sure it's fixed yet :|
Way to publicize the system is still vulnerable.. @Hackers: You just got the go-ahead! Well.. Not literally, but you could translate it that way :P

Dude! Just.. I need to be sure that my data in your system is safe.. Is it? Can you provide proof for that? Can you also tell me (under the rules of the new GDPR law) who has and had access to my personal data?
If not, I am allowed to claim you delete everything related to my personal data, in Every system you have, including backups, IP logs, you name it.. Luckily you don't have to prove it if we ever get to that point, but if my data somehow still leaked after that, you lied and that means good times for my wallet.. (hypothetically).
Oh right, and if I'm allowed: Everyone is!

Just a quick note.. Will you stop the science can't be proven stuff.. The more you say it, the more ridiculous it gets.. I know science, I know how it works, don't presume/assume I don't..
Science works on the principle of creating a theory and trying your best to disprove it, while others join in. If nobody is able to disprove it, the conclusion is (until a time it can be disproven) considered a proven fact. Yay science!

I'm not talking about science or logic: I'm talking about data. (no Star Trek vs. Star Wars jokes here.. that's just too easy)

Okay, so you think you've done enough to combat the issue.. Or at least you've done stuff so the issue can eventually be combatted.. Well, good for you.. Now disprove it, or let someone else do it! (@Hackers.. your cue :P)

We're as sure as we can be that the attacker does not have access to new account information, but we know that the attacker still has access to the database. We're currently in the process of getting PlayerIO to make the changes needed to fix this issue.

And at this point little more damage can be done to the database, we've disabled the collection of any private information at risk (in-game mail, IP addresses, etc), and we've made backups of everything that is at risk of being deleted.

As I've said several times, we strongly believe that all new account information is safe (emails and real names), but it is impossible to prove that. And yes, if anyone wants all their data deleted then we can do that, but we collect as little information as possible, so what has already been leaked is all we have (assuming your account was created before the 5th January, and excluding things like passwords because they are stored securely by PlayerIO entirely separately from the rest of the game).

As for the science stuff, as I said, we've been testing all the data we gather against our hypothesis, and so far everything we have points towards it being correct. Until PlayerIO make the changes we believe will fix the problem this is all we can do.

Gosha wrote:
LukeM wrote:

But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database.

Just because they haven't touched database in a while doesn't mean they don't have access to it, thus you can't claim that the flow of player data is under control (which is proc's main argument for shutting down the game)

That's what I said, it's not. What is safe is the game files and the account information. I was saying that the fact that they still have access shows that it physically cannot be what Atilla was suggesting it was.

XxAtillaxX wrote:

If they do have access to any of your developers' systems, then there is nothing that I can think of that would prevent them from performing the same series of attacks in the future.

What we are currently doing will fix the exploit that we've found and demonstrated on the development server.

Online

#105 2019-03-25 14:14:49

Emma333
Member
From: The Netherlands
Joined: 2015-04-16
Posts: 572

Re: Regarding the data breach

It’s a shame the owner of this game and the staff can not handle responsibility. In cases like this it is important to send clear messages to the public and to not leave everyone in the dark. It is shameful that the owner has not yet made a statement, as it is clear that people should be notified as soon as he knew that there’s a risk when logging in or making an account on everybody edits. It does not matter if this risk is small.
It is also shameful that he decided to block a person that was willing to help by giving information, no matter how this person might have hurt the owner's feelings. When a security breach happens, the owner must be able to sacrifice his own pride to minimize the damage.

My advice is that Xenotix reflects on what they are doing, and what it means to have the responsibility they have. Are they competent enough to hold this responsibility? And how will they change their way of handling this situation?

My respect they have lost. I believe this has greatly influenced the way I will look at this game in the future.



Offline

#106 2019-03-25 14:26:39

Gosha
Member
From: Russia
Joined: 2015-03-15
Posts: 5,860

Re: Regarding the data breach

Just to remind you: people who don't use forums or discord still have no idea about the leak, because there is no information about it on ee.com or in game itself.

Offline

#107 2019-03-25 14:27:02

phinarose
Member
From: Dizzy Land
Joined: 2015-12-31
Posts: 85

Re: Regarding the data breach

Pointing fingers at who is at fault for the holes in EE's security is pointless. What is more concerning to me is that staff has known for the last few weeks that there have been security problems and seemingly portrayed to the public that there is nothing to be concerned about. Even if it was all Player.io's fault you are still willingly using Player.io's services knowing that their security isn't good, and thus making people's accounts more at risk. This shows some form of negligence on your end and the fact that staff keeps saying "security will be better in EEU!" doesn't take away from the seriousness of the issue.



Offline

#108 2019-03-25 14:34:36

2B55B5G TNG
Member
From: Levitation Planet
Joined: 2016-08-27
Posts: 1,487

Re: Regarding the data breach

“EEU will be better!”

You can’t even solve the current problem, how can you ensure EEU will be better? Tell me, do you devs really know about the problem?

Offline

Wooted by:

#109 2019-03-25 14:50:17, last edited by Anatoly (2019-03-25 14:51:36)

Anatoly
Member
From: Germany, Bavaria, Munich
Joined: 2015-07-31
Posts: 6,341

Re: Regarding the data breach

2B55B5G TNG wrote:

“EEU will be better!”

You can’t even solve the current problem, how can you ensure EEU will be better? Tell me, do you devs really know about the problem?

Ehm - how to ensure? If you trust the staff - they'll move from PIO

If you don't trust the staff - why do you ask? - They will answer you something, and you will not trust them.

E:

phinarose wrote:

Pointing fingers at who is at fault for the holes in EE's security is pointless. What is more concerning to me is that staff has known for the last few weeks that there have been security problems and seemingly portrayed to the public that there is nothing to be concerned about. Even if it was all Player.io's fault you are still willingly using Player.io's services knowing that their security isn't good, and thus making people's accounts more at risk. This shows some form of negligence on your end and the fact that staff keeps saying "security will be better in EEU!" doesn't take away from the seriousness of the issue.

ur right now saying this only because you were demoted, trust me if you stayed a staff moderator you would not have said this.


Best regards,
Anatoly.

Offline

#110 2019-03-25 14:52:53

LukeM
Dev Team
From: England
Joined: 2016-06-03
Posts: 2,839
Website

Re: Regarding the data breach

2B55B5G TNG wrote:

“EEU will be better!”

You can’t even solve the current problem, how can you ensure EEU will be better? Tell me, do you devs really know about the problem?

We've identified an exploit that would allow the current attacks to be performed, we have shown this by recreating the attack on our development server, and we have found a solution to the problem that we just need PlayerIO to complete the last few steps of, so yes, we know about the problem :P

Online

Wooted by:

#111 2019-03-25 15:00:08

2B55B5G TNG
Member
From: Levitation Planet
Joined: 2016-08-27
Posts: 1,487

Re: Regarding the data breach

Okay. What if the hackers plan to attack again, what will you do?

Offline

#112 2019-03-25 15:25:11

LukeM
Dev Team
From: England
Joined: 2016-06-03
Posts: 2,839
Website

Re: Regarding the data breach

2B55B5G TNG wrote:

Okay. What if the hackers plan to attack again, what will you do?

We've made sure that in the meantime while we fix this no private information is being stored in the database, so all of the data they could extract is either public anyway, or internal data we don't really care about being accessed (the only time this is anywhere near important is leading up to an update or something)

Online

#113 2019-03-25 15:29:24

TheSource85
Member
From: Apeldoorn, Netherlands
Joined: 2015-06-07
Posts: 41

Re: Regarding the data breach

LukeM wrote:
2B55B5G TNG wrote:

Okay. What if the hackers plan to attack again, what will you do?

We've made sure that in the meantime while we fix this no private information is being stored in the database, so all of the data they could extract is either public anyway, or internal data we don't really care about being accessed (the only time this is anywhere near important is leading up to an update or something)

How about forcing a strong random password on all accounts and sending reactivation links to all users?
Small, but significant..


Any kind of management not willing to listen is no management at all..

Offline

#114 2019-03-25 15:39:08

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 5,993

Re: Regarding the data breach

can people stop wasting LukeM's time, he needs it to fix the servers


ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign

Offline

#115 2019-03-25 15:56:04

LukeM
Dev Team
From: England
Joined: 2016-06-03
Posts: 2,839
Website

Re: Regarding the data breach

TheSource85 wrote:
LukeM wrote:

How about forcing a strong random password on all accounts and sending reactivation links to all users?
Small, but significant..

1. Passwords are safe, this really won't change anything :P
2. A very large proportion of people use a fake email address, so if we did this we'd effectively be locking a huge number of players out of their account, which is really not something we want to do.

Online

#116 2019-03-25 15:58:40

2B55B5G TNG
Member
From: Levitation Planet
Joined: 2016-08-27
Posts: 1,487

Re: Regarding the data breach

Peace do you even know what’s going on? LukeM is NOT fixing the servers, he is waiting for Player.IO.

Offline

Wooted by: (2)

#117 2019-03-25 16:17:34, last edited by Michele (2019-03-25 16:19:14)

Michele
Formerly AntonioS300
From: EE world
Joined: 2015-02-15
Posts: 1,337

Re: Regarding the data breach

Can we just wait, instead of pointing our fingers? This thread is suddenly so popular and intriguing, but if we continue to argue this will get us nowhere.

I know that this situation is dire but at this point it feels like we're just panicking and attacking LukeM, a dev team. Even if he can't fix the issue without PlayerIO help, he's at least trying to control this situation and making sure that the damage is as low as possible. Can we please not?

Actually, I think this thread should be locked to only moderators and dev teams, since we're just wasting time by doing that to him.

One moment, please.

ONE MOMENT. GIVE THE FREAKING DEV TEAM ONE MOMENT.



Offline

Wooted by:

#118 2019-03-25 18:10:01

272
Member
From: Everywhere
Joined: 2015-08-26
Posts: 330

Re: Regarding the data breach

Whatever, my EE account was made when I was like 11, it contains nothing but my email in there, and that's only because I recently changed it to my new email. My password, and username literally isn't used anywhere else. (Also, it's not like I had friends to message for there to be messages to leak anyway.)


Despite what people say, Different55 is the best mod.

Offline

#119 2019-03-25 18:10:04, last edited by Tomahawk (2019-03-25 18:18:20)

Tomahawk
Forum Mod
From: BiH
Joined: 2015-02-18
Posts: 2,134

Re: Regarding the data breach

This is a meme checkpoint. Funposters beyond this point will be shot on sight.


One bot to rule them all, one bot to find them. One bot to bring them all... and with this cliché blind them.

Offline

#120 2019-03-25 20:09:55

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 5,993

Re: Regarding the data breach

2B55B5G TNG wrote:

Peace do you even know what’s going on? LukeM is NOT fixing the servers, he is waiting for Player.IO.

he doesn't get time if he needs to answer here and he can't do more things than he did, he can't change things in PIO itself


ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign

Offline

#121 2019-03-25 22:33:51

Helvi
Member
Joined: 2015-04-06
Posts: 1,127

Re: Regarding the data breach

Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.

Again, xeno made the wrong decisions as always. Good job X.


Hi.

Offline

Wooted by:

#122 2019-03-25 22:46:54

MWstudios
Member
From: World 4-2
Joined: 2018-04-06
Posts: 1,330

Re: Regarding the data breach

MWstudios wrote:

Where did you find out all the information, did the staff tell it on the discord server?

I'll take that as a "yes"


Time before becoming a Member - Leaderboard
1. Whirl - 9 months
2. KirbyKareem - 8 months
3. pwnzor - 2.4 months
4. MWstudios - 2 months
5. ILikeTofuuJoe - 1.5 months
Piskel is the best GIF maker I've seen

Offline

#123 2019-03-25 23:03:24

Michele
Formerly AntonioS300
From: EE world
Joined: 2015-02-15
Posts: 1,337

Re: Regarding the data breach

Helvi wrote:

Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.

Again, xeno made the wrong decisions as always. Good job X.

You're a member... how can you be this sure? Or is it this /r/woosh again?



Offline

#124 2019-03-26 00:48:25

Crybaby
Formerly minimania
From: Wilted
Joined: 2015-02-22
Posts: 4,280

Re: Regarding the data breach

Michele wrote:
Helvi wrote:

Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.

Again, xeno made the wrong decisions as always. Good job X.

You're a member... how can you be this sure? Or is it this /r/woosh again?

He's talking about the lobby update which already happened.



Offline

#125 2019-03-26 07:42:01

peace
Member
From: admin land
Joined: 2015-08-10
Posts: 5,993

Re: Regarding the data breach

Helvi wrote:

Xeno forced the team to work on the ridiculous UI update for an outdated game instead of pushing EEU forward. With EEU heavily delayed we also got these problems.

Again, xeno made the wrong decisions as always. Good job X.

dude the staff has NOT chosen for this, it's a player or outside person who thought hey it's fun to attack this game, which is not fun


ty anatoly and nikko99 for a golden sig and blueclued for avatar and daneeko for pixelating my sign

Offline
