Hexxx
Minmatar
|
Posted - 2007.11.20 15:34:00 -
[1]
Edited by: Hexxx on 20/11/2007 15:33:53
G'day folks...
EBANK ANNOUNCEMENT http://www.eve-bank.net/
New Dev
First of all, please give a big big welcome to Mr. Horizontal. He's joined the EBANK Dev Team (there's 3 of us now) and he's been able to really push our development schedule forward in a lot of ways. He's helped provide a secure test environment (to protect our live site) and he's worked like crazy to make progress on our features. He's also been helping out a lot on our drawing board items...stuff that's pretty far in the future. He has a deep background and expertise in C# and SQL Server as well and works as a contractor in developing web applications.
New Features
This is taken straight from Mr. Horizontal himself:
Quote:
1. Restructured the MasterPage to be a bit smarter, and dynamically create the new navigation which dumps the Atlas crap that Microsoft think is passable for AJAX, and make it compatible for the IGB. Downside is it takes a bit more screenspace, but that's not too troublesome.
2. Updated all the HTML throughout the whole site to be based on <h1>, <h2>, <h3> and <p> tags. This makes the content viewable in the IGB. Similarly updated the CSS. EBANK looks slightly different now, but it's not completely different. The CSS can handle any cosmetic changes centrally now, so it's easier to maintain.
3. Restructured the transfer accounts page to not use the autopostback feature of ASP.NET, instead make it a 4-step 'wizard'. Again done to work in the IGB to cut reliance on JavaScript.
4. Admin section includes the old 'View Accounts' and 'Pending Withdrawals' pages, but also now includes 'Statistics' and 'View Users'. Statistics shows you a breakdown of EBANK's vital statistics, and View Users allows Admins to create and revoke other admins, as well as convert any user to 'full', ie give them a checking and savings account. The Admin section isn't supported in the IGB.
5. Took out the responsibility of security and checking the logged in status of users from high level pages and put the logic in the class that all pages inherit. So security is now inherited, which is pretty good stuff.
6. While passwords are currently saved as they are in the database, the new site now 'hashes' (using MD5) passwords, and saves the hash in the database. When you login, it computes the hash and then compares it with the hash in the db. This isn't encryption per se (there are other complications with that, primarily due to running code on different machines encrypts stuff differently), but means devs like me, even when we poke our noses in the DB, don't actually see your passwords but just a string of nonsense.
The problem is how to convert all existing passwords to the hashed ones? Answer: we don't. Whenever you do anything on the site, it will convert your password to the hashed version. Update your password, you get hashed. Create an account by sending to EBANK Ricdic, you're hashed. If you login with an unhashed password, it logs you in with your plaintext password then promptly hashes your ass. So it'll be an organic changeover.
As you can see...he's been busy! EBANK now works in IGB for all customers.
New WIN!
1. Horizontal is working with Ricdic very closely on developing an automated loan system which is about half way done.
2. All Directors are in full brain-storming mode to get our affiliates system hashed out ASAP. This is a big big priority right now. So is user to user transfers!
3. I've been talking crazy again about some of my ideas about where the market needs to go. Not sure if I'm going to get shot down or not but we've got a ton of ideas in the pipeline and already on our plate.
Anyway, that's it for now.
Consulting, IPO Template, and Stock/Bond definitions.
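The 'organic changeover' from item 6 of the feature list above, as an added illustration (this is not EBANK's code, which the post says is C#/ASP.NET on SQL Server): a login routine that still accepts a legacy plaintext row and, on a successful login or a password change, rewrites that row as a hashed credential. It deliberately uses a random per-user salt with PBKDF2-SHA256 instead of the unsalted MD5 described in the post; the users table is a constructed in-memory dict with made-up rows.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the users table: username -> stored credential.
# Legacy rows still hold the plaintext password, exactly as the old site stored it;
# migrated rows hold "pbkdf2$<iterations>$<salt hex>$<digest hex>".
LEGACY_USERS: Dict[str, str] = {
    "hexxx": "correct horse battery",   # constructed sample row
    "ricdic": "tr0ub4dor&3",            # constructed sample row
}

SCHEME = "pbkdf2"
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted PBKDF2-SHA256 record for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def is_hashed(stored: str) -> bool:
    """Distinguish a migrated record from a legacy plaintext row by its prefix and shape."""
    return stored.startswith(SCHEME + "$") and stored.count("$") == 3


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate the user; a successful login against a legacy row upgrades it in place."""
    stored = users.get(username)
    if stored is None:
        return False
    if is_hashed(stored):
        return verify_hashed(password, stored)
    # Legacy plaintext row: constant-time compare, then hash and overwrite on success.
    # A failed attempt must leave the row untouched so a wrong guess cannot alter it.
    if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        users[username] = hash_password(password)
        return True
    return False


def change_password(users: Dict[str, str], username: str, new_password: str) -> None:
    """Password updates always write the hashed form: the other migration path."""
    users[username] = hash_password(new_password)


if __name__ == "__main__":
    table = dict(LEGACY_USERS)
    print("before:", table["hexxx"])
    print("login ok:", login(table, "hexxx", "correct horse battery"))
    print("after: ", table["hexxx"])
```

Because each record carries its own salt, two users with the same password get different stored digests, and the stored record itself is not accepted as a password.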
|
EBANK Ricdic
Eve-Tech Savings n Loans
|
Posted - 2007.11.20 15:39:00 -
[2]
Yes WIN is the EBANK word of the month.
Just as a quick note, whilst it says Automated Loan System up there, it means you will be able to automatically request one, and I can automatically accept it and have it work within your EBANK account (ie interest etc being charged automatically etc). However there still is a manual element which is my discussing terms/conditions, securities etc etc with our applicants.
It won't just be a "request eleventy billion isk" and be accepted deal.
Otherwise, EBANK is all 4tehWIN
WWW.EVE-BANK.NET
|
Treelox
Amarr Market Jihadist Revolutionary Party
|
Posted - 2007.11.20 16:11:00 -
[3]
Gratz ebank devs and board members, and thank you for continued transparency and communications.
Originally by: Hexxx EBANK now works in IGB for all customers.
The accounts section only, or the forums too?
Sorry to ask instead of check myself, but I don't see myself being able to get into eve for the next few weeks still.
--
|
Hexxx
Minmatar
|
Posted - 2007.11.20 16:15:00 -
[4]
Originally by: Treelox Gratz ebank devs and board members, and thank you for continued transparency and communications.
Originally by: Hexxx EBANK now works in IGB for all customers.
The accounts section only, or the forums too?
Sorry to ask instead of check myself, but I don't see myself being able to get into eve for the next few weeks still.
No....EBANK forums are still out-of-game.
Consulting, IPO Template, and Stock/Bond definitions.
|
Treelox
Amarr Market Jihadist Revolutionary Party
|
Posted - 2007.11.20 16:25:00 -
[5]
Originally by: Hexxx No....EBANK forums are still out-of-game.
Nothing to be ashamed of, Hexxx, I have been pleasantly surprised with the leaps and bounds with which the technological backbone of Ebank grows.
On a side note, I know that there exist skins for php based boards that work within the IGB. I know this because the first player corp I belonged to had such for a while. I wish I could point it out to you, but alas my memory fails me atm. Not that I consider such forum integration of Ebank with the IGB in any way a priority. --
|
Ambo
2nd Outcasters
|
Posted - 2007.11.20 16:29:00 -
[6]
Sounds great, good work all!
|
John Newport
Caldari Newport Family Trust Fund
|
Posted - 2007.11.20 16:56:00 -
[7]
Very nice! Keep up the good work, team!
John Newport Small Time Investor
|
Mr Horizontal
Gallente Brotherhood of Wolves
|
Posted - 2007.11.20 16:58:00 -
[8]
Thanks everyone too, glad you appreciate the work!
--- meh.
Molari Gracie
ironwood ink
|
Posted - 2007.11.20 17:01:00 -
[9]
I'd like to request eleventy billion isk please.
Good work guys - it's been fun watching EBank evolve!
|
Minerva Vulcan
Caldari The Nexus Foundation
|
Posted - 2007.11.20 17:51:00 -
[10]
Great work being put into this whole thing. That is indeed a lot of win.
Btw, I'd signed up for the forums a couple days ago, but I still don't have access. Does it usually take a few days to get approved?
_______________________________ I need new voices in my head, To speak my secret evils with. I need new lovers in my bed, To be my friends and special pets.
|
Femintaki
Gallente Tech 1 Holdings Limited Tech Holdings Limited
|
Posted - 2007.11.20 23:29:00 -
[11]
Originally by: EBANK Ricdic It won't just be a "request eleventy billion isk" and be accepted deal.
awwww - was hoping it would be
Quote: Do or do not - there is no try!
|
Astorothe
Aperture Science Industries
|
Posted - 2007.11.21 04:59:00 -
[12]
Edited by: Astorothe on 21/11/2007 04:58:57
Originally by: Minerva Vulcan Great work being put into this whole thing. That is indeed a lot of win.
Btw, I'd signed up for the forums a couple days ago, but I still don't have access. Does it usually take a few days to get approved?
Jump into the ingame channel EBank - someone should be able to register you (happened to me too).
Eve Web Design | PerthChat | Learning to Trade
|
Taikun
Gallente Serenity Prime Praesidium Libertatis
|
Posted - 2007.11.21 06:12:00 -
[13]
Originally by: "Mr Horizontal"
6. While passwords are currently saved as they are in the database, the new site now 'hashes' (using MD5) passwords, and saves the hash in the database. When you login, it computes the hash and then compares the hash in the db. This isn't encryption per se (there are other complications with that, primarily due to running code on different machines encrypts stuff differently), but means devs like me, even when we poke our noses in the DB, don't actually see your passwords but just a string of nonsense.
Of course most people know that MD5 encrypted passwords can be easily reverse engineered via Cain. Although encrypting is 1000x better than raw state as it was. (Who set THAT up??)
For everyone else out there... this is why it is critically important to ensure ANY passwords you use on applications and or sites (including teamspeak) are not duplicated. EVER.
In other words, if you use your EvE online password for accessing this stuff, or anything like it... well, you truly are lazy and deserve to have your stuff stolen.
Taikun -----------------------------------
For lack of a better word ladies and gentlemen... Greed is good.
Johnathan Roark
Caldari Quantum Industries Interstellar Alcohol Conglomerate
|
Posted - 2007.11.21 06:33:00 -
[14]
Originally by: Taikun Edited by: Taikun on 21/11/2007 06:25:12
Originally by: "Mr Horizontal"
6. While passwords are currently saved as they are in the database, the new site now 'hashes' (using MD5) passwords, and saves the hash in the database. When you login, it computes the hash and then compares the hash in the db. This isn't encryption per se (there are other complications with that, primarily due to running code on different machines encrypts stuff differently), but means devs like me, even when we poke our noses in the DB, don't actually see your passwords but just a string of nonsense.
Of course most people know that MD5 encrypted passwords can be easily reverse engineered. Although encrypting is 1000x better than raw state as it was. (Who set THAT up??)
For everyone else out there... this is why it is critically important to ensure ANY passwords you use on applications and or sites (including teamspeak) are not duplicated. EVER.
In other words, if you use your EvE online password for accessing this stuff, or anything like it... well, you truly are lazy and deserve to have your stuff stolen.
Taikun
I'm hoping those passwords will be salted on a per-user basis? Also I suggest looking at some other hashing algorithms.
Corporation Management Improvement
LaVista Vista
Corporate Research And Production Pty Ltd Zzz
|
Posted - 2007.11.21 06:45:00 -
[15]
Edited by: LaVista Vista on 21/11/2007 06:50:18
Edited by: LaVista Vista on 21/11/2007 06:47:14
Originally by: Taikun Although encrypting is 1000x better than raw state as it was. (Who set THAT up??)
Blame Hexxx and I. It was always on our to-do list to actually hash it at some point. But we (I?) made the call that it wasn't a priority, as the only real problem would be if we had a place where people can SQL inject (Won't happen) or if someone got access to the actual database. At present this is only Hexxx and I. And at least I have had no need to even look in that table. Only reason I actually logged into the database was to test SQL queries for some statistics.
So blame me for the lack of anything in the past. But really, it's no big deal. As far as I remember, we log all IPs (I could be mistaken, but we were CERTAINLY discussing this, and having some implementations of it), so if either Hexxx or I took the passwords and logged into accounts, it could be seen. And no, nothing keeps us from just changing stuff in there. But we would just roll back the server 24 hours, and everything would be fine :)
Hashing or encrypting won't stop anything but SQL injection. SQL Injection as it is, is already very unlikely, as Hexxx has tried real hard to hack it already. Only weak link is us who have access to the database. In which case we also have access to the source code, and we can just unhash it. Doesn't take too long.
So that's why encryption wasn't priority. SQL Injection was no threat and we can't save the database from ourselves.
|
Astorothe
Aperture Science Industries
|
Posted - 2007.11.21 06:50:00 -
[16]
I'm pretty confident you guys are on top of this - all this security stuff goes over my head - but I know the best thing I can always do is use a unique password on every different site/app.
Eve Web Design | PerthChat | Learning to Trade
|
LaVista Vista
Corporate Research And Production Pty Ltd Zzz
|
Posted - 2007.11.21 06:52:00 -
[17]
Originally by: Astorothe I'm pretty confident you guys are on top of this - all this security stuff goes over my head - but I know the best thing I can always do is use a unique password on every different site/app.
On the site, and several times on the forums, we have stated that people shouldn't use the same password for eve-bank as they do for eve, or anything else for that matter. So it shouldn't be a problem in the first place.
|
Astorothe
Aperture Science Industries
|
Posted - 2007.11.21 06:59:00 -
[18]
Edited by: Astorothe on 21/11/2007 06:59:38
Absolutely, I saw your warnings and give kudos that you are looking after your investors welfare.
These days it should almost be common sense to never reuse passwords - ever. I would hazard a guess that anyone playing eve is at least somewhat Tech savvy, and knows that they should never reuse passwords.
But then again, maybe not :)
Edit: typo
Eve Web Design | PerthChat | Learning to Trade
|
Taikun
Gallente Serenity Prime Praesidium Libertatis
|
Posted - 2007.11.21 07:09:00 -
[19]
Edited by: Taikun on 21/11/2007 07:10:36
Originally by: Astorothe Edited by: Astorothe on 21/11/2007 06:59:38
Absolutely, I saw your warnings and give kudos that you are looking after your investors welfare.
These days it should almost be common sense to never reuse passwords - ever. I would hazard a guess that anyone playing eve is at least somewhat Tech savvy, and knows that they should never reuse passwords.
But then again, maybe not :)
Edit: typo
2BH I have never actually visited the site, but if they have a warning about not using the same passwords, I agree kudos to them. Tis more than most eve online related setups.
As for common sense... the only thing common about it is that so few of us actually have it at all times. Taikun -----------------------------------
For lack of a better word ladies and gentlemen... Greed is good.
Mr Horizontal
Gallente Brotherhood of Wolves
|
Posted - 2007.11.21 08:10:00 -
[20]
Password hashing was done for the simple reason that we (the 3 devs: Hexxx, LV and myself) have been doing quite a lot of work in the database to get everything engineered properly. It's only supposed to make passwords unmemorable gibberish to 3 trusted individuals who have to have access to the data anyway to build the site, not anyone else.
The other reason for this is we have to maintain 2 copies of the database on our development and live servers simultaneously, and the seeds of a lot of encryption algorithms are often based on machine keys. Because of this portability issue we needed a simple hash that would be computed the same on any machine. Hence MD5.
Please understand that I did consider full on encryption (I generally use 256-bit Rijndael for this) instead of just a hash, but rejected it on the basis of the above reasons, plus a whole rat's nest of new issues come up like who'll look after the private keys.
Yes, we do suggest that you don't use your game password, and we couldn't be clearer about changing your password the first time you login. It is really critical that you do.
Please rest assured however, that security within EBANK is not taken lightly. In fact there's quite the healthy dose of paranoia in the governance, decision making and technical architecture within EBANK.
--- meh.
|
LaVista Vista
Corporate Research And Production Pty Ltd Zzz
|
Posted - 2007.11.21 08:39:00 -
[21]
Originally by: Mr Horizontal Please rest assured however, that security within EBANK is not taken lightly. In fact there's quite the healthy dose of paranoia in the governance, decision making and technical architecture within EBANK.
I have personally been told by Ricdic that if I ever touch and note down user passwords, he'll take the next plane to Denmark. He knows where I live.
|
Ricdic
Caldari Corporate Research And Production Pty Ltd Zzz
|
Posted - 2007.11.21 09:08:00 -
[22]
Originally by: LaVista Vista
Originally by: Mr Horizontal Please rest assured however, that security within EBANK is not taken lightly. In fact there's quite the healthy dose of paranoia in the governance, decision making and technical architecture within EBANK.
I have personally been told by Ricdic that if I ever touch and note down user passwords, he'll take the next plane to Denmark. He knows where I live.
Well yeh, but not Denmark as we know LV is a CCP dev in disguise. So it would be a trip to Iceland.
Need Empire Research Slots. Click here
Hexxx
Minmatar
|
Posted - 2007.11.21 13:42:00 -
[23]
Originally by: Ricdic
Originally by: LaVista Vista
Originally by: Mr Horizontal Please rest assured however, that security within EBANK is not taken lightly. In fact there's quite the healthy dose of paranoia in the governance, decision making and technical architecture within EBANK.
I have personally been told by Ricdic that if I ever touch and note down user passwords, he'll take the next plane to Denmark. He knows where I live.
Well yeh, but not Denmark as we know LV is a CCP dev in disguise. So it would be a trip to Iceland.
Yah! Fieldtrip! Wahoo!!!
Consulting, IPO Template, and Stock/Bond definitions.
|
Liisa
Absolutely No Retreat
|
Posted - 2007.11.21 14:13:00 -
[24]
Originally by: Hexxx
Originally by: Ricdic
Originally by: LaVista Vista
Originally by: Mr Horizontal Please rest assured however, that security within EBANK is not taken lightly. In fact there's quite the healthy dose of paranoia in the governance, decision making and technical architecture within EBANK.
I have personally been told by Ricdic that if I ever touch and note down user passwords, he'll take the next plane to Denmark. He knows where I live.
Well yeh, but not Denmark as we know LV is a CCP dev in disguise. So it would be a trip to Iceland.
Yah! Fieldtrip! Wahoo!!!
You call yourselves businessmen?
Real businessmen subcontract. Remember: A criminal beats up those who cross him, a businessman pays somebody to beat up those who cross him.
Your signature exceeds the 24000 byte limit allowed on the forums. -Darth Patches
Marie deMedici
|
Posted - 2007.11.21 16:29:00 -
[25]
Actually hashing is better than encrypting.
The main reason to use hashing is that nobody can steal the password database and use the passwords without anybody noticing. This is because the hashes cannot be used as passwords by themselves. They have to be broken one by one (if salted properly) to come up with compatible passwords.
If however encryption is used, this implies that the passwords _are_ stored on the server and can be decrypted if a key is found. But if the server needs to check the passwords it must have the keys, right? So this is almost as insecure as plaintext passwords. The only advantage is that the devs don't see them by accident.
Btw. Encryption algorithms based on machine keys suck, are wrong and are Microsoft. You should use something real and separately keyed if you use encryption. The key should be random and not dependent on machine properties or machine keys.
|
Hexxx
Minmatar
|
Posted - 2007.11.21 16:41:00 -
[26]
Originally by: Marie deMedici Actually hashing is better than encrypting.
The main reason to use hashing is that nobody can steal the password database and use the passwords without anybody noticing. This is because the hashes cannot be used as passwords by themselves. They have to be broken one by one (if salted properly) to come up with compatible passwords.
If however encryption is used, this implies that the passwords _are_ stored on the server and can be decrypted if a key is found. But if the server needs to check the passwords it must have the keys, right? So this is almost as insecure as plaintext passwords. The only advantage is that the devs don't see them by accident.
Btw. Encryption algorithms based on machine keys suck, are wrong and are Microsoft. You should use something real and separately keyed if you use encryption. The key should be random and not dependent on machine properties or machine keys.
Which is why I love Rainbow Tables. Pop an MS box in 15 minutes after you dump the SAM file. Easy as pie.
Consulting, IPO Template, and Stock/Bond definitions.
|
Marie deMedici
|
Posted - 2007.11.21 16:50:00 -
[27]
yeah well. with unix boxen the problem usually is clueless users who select clueless passwords.
stuff like: username hexxx password h3xxx
... =)
|
EBANK Ricdic
Eve-Tech Savings n Loans
|
Posted - 2007.11.21 17:00:00 -
[28]
The 2 posters above are commonly known as geeks.
WWW.EVE-BANK.NET
|
Hexxx
Minmatar
|
Posted - 2007.11.21 17:40:00 -
[29]
Originally by: Marie deMedici yeah well. with unix boxen the problem usually is clueless users who select clueless passwords.
stuff like: username hexxx password h3xxx
... =)
select * from users where clue < 0;
Heh.
Consulting, IPO Template, and Stock/Bond definitions.
|
Calgorac
The Arrow Project Morsus Mihi
|
Posted - 2007.11.24 03:30:00 -
[30]
ttt