EU API

wizzszz

Banned
Joined
Dec 31, 2006
Posts
5,202
Location
Germany
Society
Jurai Blood
Avatar Name
Nicholas wizzszz Wolf
I think it is about time to implement an application programming interface (API) into EU, just like the way Twitter lets 3rd party software access their users' accounts.
(OAuth authorization via https)

Facebook, Google, Twitter, yes even YouTube and MSN offer their own API, to enable controlled third party software access to their service features.


This would allow users to grant access to the numerous EU tools; that access can be revoked by the user unilaterally at any time and doesn't require gold card codes and stuff like that.

Including source samples, e.g. for PHP, that can be openly downloaded, so even programming newbs can make use of the API without having to go through all the OAuth and curl coding.


Access level should be determined by the user, and include e.g. these:

  • Access to the user's storage list
  • Access to the user's skills
  • Access to the user's shops/shopkeeper inventory/sales list
  • Access to the user's auctions (info about pending/completed sales)
  • Access to the user's PED accounts (e.g. CLD payouts/LA payouts)
  • Access to the user's land area data, like fertilizer amount left and such
  • Maybe access to the numerous bank control panels (not so important, only 6 players would benefit from that)

This does NOT involve spending of PEDs (not necessarily), but merely provides an interface for maintaining and managing your avatar and assets in EU.


I am sure there are more good ideas, feel free to post them here.



I'd happily help to implement it (not for free though, a mod merc would be a good start) - so, MA, can we get it, please?
 

mastermesh

Mutated
Joined
Apr 21, 2007
Posts
15,904
Location
FOMA SHOP # 22
Society
Silly Underground Family
Avatar Name
Maria Mesh
They already have some info going in to twitter and facebook, so it would make sense...
 

ermik

Elite
Joined
Dec 4, 2006
Posts
4,940
Location
oil rig
Society
The Unit
Avatar Name
ermik ermik ermik
mastermesh said:
They already have some info going in to twitter and facebook, so it would make sense...

Well, that's just a function where you tell EU to feed Twitter and Facebook; what he is asking for is technically a whole different thing.

I'm not sure what the benefits would be, except that I could write a cool app for iPhone and Android and make a few bucks off people who are desperate to spend all of their non-playable time at least getting fed with data about their EU life.

As I said, cool thing, but I'm not sure it's really needed; MA should focus on other things, like maybe keeping the players ingame.
 

wizzszz
ermik said:
Well, that's just a function where you tell EU to feed Twitter and Facebook; what he is asking for is technically a whole different thing.

Yes, although this proves that they do know how the authorization process works and that they are, in general, not unwilling to share client data if the player concurs.

ermik said:
I'm not sure what the benefits would be, except that I could write a cool app for iPhone and Android and make a few bucks off people who are desperate to spend all of their non-playable time at least getting fed with data about their EU life.

E.g. the inventory calculator(s) and Jdegre's chipping optimizer could benefit from it.

And there is room for many more ideas.

The last thing I thought about is an iPhone app; really, more like web services that can offer additional functionality based on your player data.

If players want more than read-only access, you could, e.g., restock your shops without logging in.

I haven't said a single word about "making money from it", dunno why you think someone will try to "make a few bucks off desperate people" - Inventory calculator and Chipping optimizer are free tools as well - they just require a substantial amount of hand-made data mining from the user, which is pointless when the data are already available in a digital (machine-readable) format.

ermik said:
As I said, cool thing, but I'm not sure it's really needed; MA should focus on other things, like maybe keeping the players ingame.

Probably, yes - but this is an issue my posts didn't intend to address.
 

ermik
wizzszz said:
If players want more than read-only access, you could, e.g., restock your shops without logging in.

Do you think it would be a good idea to have a potential API be anything but read-only?

The security issues are endless; with a read-only API the only thing you really risk is data leakage and possible denial of service. With write access ... well, I don't even want to go there :)

Sorry if I may seem boring, but I just think there are too many design considerations to be made with such an implementation that the risks and cost far outweigh the benefits.
 

dr3w

Elite
Joined
Mar 3, 2011
Posts
3,244
Location
Latvia
Society
Mine To Extract
Avatar Name
Eve Damsel Online
wizzszz said:
  • Access to the user's auctions (info about pending/completed sales)

Thanks. Enough AH-zombies already, now you want to give them nice offline notifier.

Everything except AH, MU and other sensitive economic stuff.
 

wizzszz
ermik said:
Do you think it would be a good idea to have a potential API be anything but read-only?

Sure, why not, when it's done properly...

ermik said:
The security issues are endless; with a read-only API the only thing you really risk is data leakage and possible denial of service. With write access ... well, I don't even want to go there :)

What security issues?
Google has obviously no security concerns, nor has PayPal or Twitter - the method I have suggested (OAuth via https, per application access token) is state of the art, and when not even PayPal has security concerns, why should we?

And why should anyone run a DDoS attack on this service?

I am sorry, but it sounds like you are not making a real point, more like you are just repeating what you read in the yellow press.

And, I think I know enough about computer security to claim that this is uncritical when done right.

ermik said:
Sorry if I may seem boring, but I just think there are too many design considerations to be made with such an implementation that the risks and cost far outweigh the benefits.

What design considerations?

Basically I was asking them to copy the concept PayPal, Twitter, Facebook and others have been using successfully for quite a while now. It's not even complicated.

And, MA already HAS an interface that provides e.g. your storage data; all I am asking for is to provide an interface that is accessible from 3rd party apps, in a format that is suited to be processed by another computer.
They already give away that info (albeit in a format that targets human readers, not machines), so, following your logic, the harm (according to you, I don't deem it harmful) is already done... ;)


Oh, something else would be nice to have, too - auction data, in XML format, including a unique auction ID. This one doesn't even require access control, and is probably a better solution than the 10+ auction clients polling the data every 30 seconds.
 

forgo

Elite
Joined
Apr 13, 2006
Posts
3,419
Location
US
Society
Freelancer
Avatar Name
Forgo Forgorth Lundain
I agree with this idea. It would be great to have an API for accessing values for non-sensitive data like storage contents and skill/profession levels, perhaps even mission counters. Read only, of course.

To add more fun and enticement for people to complete things, you could add leader-boards as well for anything they track, like the RT achievements (10,000 BLP rounds, 500 logins, etc.).

This would also bring some sense of competition among the player base, and an opportunity to see the most active players on a weekly or monthly basis. Anything to keep any kind of people in game is good.

I will say that the games aside from this that I played most had leader-boards, either generated from the game company onto a site, or given through API keys. And the leader-boards were the primary reason I stayed longer. 20 years ago, one of my first MMOs ever (DAOC) had such leader-boards on their website; it baffles me to this day why this has not become standard... like 15 years ago.

Eve Online has used APIs for years, without much issue (aside from user carelessness). The tools and programs that people made using these API keys were/are very beneficial.
 

JohnCapital

Slayer
Joined
Jul 19, 2006
Posts
9,671
Location
Colorado
Society
Freelancer
Avatar Name
John Teacher Capital
There is an ingame issue to be considered to these types of "login via website to do minor things" ideas as well. I'll see if I can explain it properly.

In essence ingame, you can't access the auction/TT/repair/etc. unless you're within a few meters of them.

So imagine the ease of the game when you are out in a field hunting/mining away, and on your other screen, you have your web logins running. Repair, auction stuff and reload without having to return at all. Getting heavy? Auction your mining loot and buy a new amp immediately. Or, if they don't let us access the web APIs while logged in then simply log out, use APIs, and log back in again. It would completely alter the game and not for the better.

I know you didn't mention TT's etc. in your list of possible APIs, but just giving worst case examples. Hopefully you understand.

As for access to inventory, we have it. Skill counts, not sure why they try to hide that part so much. etc. etc.
 

Danton

Alpha
Joined
Jul 21, 2009
Posts
527
Location
Germany
Society
Dark Knights Squires
Avatar Name
Ron Danton Thetin
That would mean giving access to the database from outside. I hope that never will happen. There's a difference between allowing a connection to Twitter/Facebook with their own MA code and giving away an API to the wild where everyone will have access to it with his own, uncontrolled code.

It is impossible to code such stuff in a 100% secure way. So I hope they will never do so.
 

wizzszz
JohnCapital said:
So imagine the ease of the game when you are out in a field hunting/mining away, and on your other screen, you have your web logins running. Repair, auction stuff and reload without having to return at all. Getting heavy? Auction your mining loot and buy a new amp immediately. Or, if they don't let us access the web APIs while logged in then simply log out, use APIs, and log back in again. It would completely alter the game and not for the better.

Well, access to auctions was only one example - but what would be so bad about being able to access the auction from everywhere? Not being able to sell stuff (as that would require transfer of items), but checking who's bidding how much on your auctions and maybe even bidding on items would be nice. (Electronic funds transfer is not exactly a new technology.)

This could be done with the help of a small, transportable and futuristic device connected to a planet-wide data network...
I know, having something like a smart phone where we can use a service like eBay from everywhere on a planet where we have all kinds of other SciFi stuff is probably a totally weird idea... :silly2:

And, after all, there are things like a personal storage terminal and even a personal CRAFTING terminal - and none of those made EU disintegrate.

JohnCapital said:
As for access to inventory, we have it. Skill counts, not sure why they try to hide that part so much. etc. etc.

The whole point about the API is that the access can be automated - as it is now, you either have to COPY & PASTE data from their website, or (theoretical other scenario) share your login credentials (plus one gold card code every time you use it) with your 3rd party service provider.




Danton said:
That would mean giving access to the database from outside. I hope that never will happen. There's a difference between allowing a connection to Twitter/Facebook with their own MA code and giving away an API to the wild where everyone will have access to it with his own, uncontrolled code.

And what's so bad about "giving away an API to the wild" - that is EXACTLY what Google, Facebook, Twitter, yes even PAYPAL and other web services are doing.

Are you saying that they are all completely unaware of the risks?
Are you saying that MA has a higher need of security than PayPal??
Or even higher than your bank (homebanking via internet is exactly the same)???

And "access to the database" - you appear to be unaware of something vital here:

We DO already have access to their database - what do you think you are doing when you check your avatar inventory on their website?
Exactly, you are reading stuff from their database...
 

aridash

Slayer
Joined
Nov 29, 2005
Posts
9,289
Location
England
Society
Skillin' Villains
I see little benefit and more downsides, as JohnCapital highlights. It's a game and they want people to log in, not remotely manage commercial accounts. Far more useful, and I believe it would be a far more achievable aim, if we simply asked for an easily exportable skills and inventory function from the web portal.
 

Wollongong

Elite
Joined
Mar 7, 2006
Posts
4,665
Location
Calypso
Society
Odysseus Unbound
Avatar Name
Jerry "Wollo" Wollongong
While I would applaud the opportunity to easily implement certain datamining tools into other sites (I'd love to know how to make a good market overview, based on auction data, for instance), I am terrified by the idea that third-party-users would be able to gain access to avatar information.

The range of scams and thefts we would witness would be sheer endless!
 

OZtwo

Stalker
Joined
Jun 4, 2011
Posts
1,991
Location
USA
Society
Vikings Of Entropia
Avatar Name
Kent OZtwo OpaloMan
Well, an API isn't needed. Just more info on the main website other than just the Items list - which I use a lot. APIs (Application Program Interface) are used for programming, where one could then create a bot to monitor the game while away from the computer, which in turn wouldn't be liked by many players.
 

wizzszz
Wollongong said:
While I would applaud the opportunity to easily implement certain datamining tools into other sites (I'd love to know how to make a good market overview, based on auction data, for instance), I am terrified by the idea that third-party users would be able to gain access to avatar information.

The range of scams and thefts we would witness would be sheer endless!

Scam and theft? How??

You can grant a 3rd party tool READ-ONLY access. Not much harm can be done with that.
And, of course, you grant access only to tools you deem trustworthy.

If you, for instance, copy & paste your inventory into one of the inventory calculators, you do the same thing manually and give away exactly the same information.



The other scenario would be a tool that you run on your computer, where you use the access token to enable the application to i.e. bid on an item - this would not require that you give away anything.



It's funny how easily people grant every kind of 3rd party software access to their MSN account, to their Facebook account, to their Twitter account or use 3rd party software for electronic fund transfers from their bank account, yes even buy things over the internet with credit card - but when it comes to EU, everyone's being paranoid.


Many of you have already used these APIs, very likely use it even daily, without knowing it.

You would cry havoc if you realized how unsafe the email system is - yes, your emails, too...
Compared to emails, the Twitter API (for instance) is Fort Knox.
 

dr3w
wizzszz said:
what would be so bad about being able to access the auction from everywhere? Not being able to sell stuff (as that would require transfer of items), but checking who's bidding how much on your auctions and maybe even bidding on items would be nice. (electronic funds transfer is not exactly a new technology)

Well, I'll try again, please?

Advantage to re-sellers. Also, you basically want to implement MU-rate "live sticker". Also, it's a dream for management of "wife's", "brother's", "hamster's" accounts.

Dude, it's not rocket science, mkay?
 

ermik
Ok, will try to tackle this in a reasonable way, not sure if it will work since you've already made up your mind regarding this idea.

To implement such an API would require massive security measures, I hope we can agree on that.

You mention PayPal as an example of how things can be done.

PayPal has a security staff of over 2000 people worldwide working with security issues related to the PayPal system.

Of course I understand that what you ask for can be made, I'm not dumb, however I'm concerned about the cost it would bring in order to be implemented securely.

I don't see technical problems, I see financial and security problems. The tech part is simple, the others have more vectors to consider though.

So bottom line is, it can be done, yes, but it will cost more money to secure and maintain than it will bring in functionality.

Note, I don't read yellow press.... nor do I trust email...
 

Wollongong
wizzszz said:
It's funny how easily people grant every kind of 3rd party software access to their MSN account, to their Facebook account, to their Twitter account or use 3rd party software for electronic fund transfers from their bank account, yes even buy things over the internet with credit card - but when it comes to EU, everyone's being paranoid.

Well... I don't... I don't grant very much access to Facebook (which is quite empty itself). I don't give anything access to Twitter, to avoid becoming one of those spammers. I definitely do not grant ANYONE access to my bank info, and I sure as hell don't throw my credit card details (if I had one) into the world wide web.

So my "paranoid" is not EU related. (Whoever was the guy who said "Just because I am paranoid doesn't mean they aren't after me?"). Anyhow, I sure wouldn't want anyone getting access to the Entropia Databases, because this would give hackers a new way to figure out security leaks. And they WILL find leaks. They always do.

It could even be possible that YOU use an application granting access to your data, but a hacker using it to gain access to the full dataset, putting all userdata (and "possessions") at risk.

So... no thanks.

I'll stick with tools where I have to manually get my own data from the PlanetCalypso site and put it into the tool manually.

An API would also destroy the whole GoldCard benefits...
 

wizzszz
ermik said:
Ok, will try to tackle this in a reasonable way, not sure if it will work since you've already made up your mind regarding this idea.

Reasonable is good :)

ermik said:
To implement such an API would require massive security measures, I hope we can agree on that.

You mention PayPal as an example of how things can be done.

PayPal has a security staff of over 2000 people worldwide working with security issues related to the PayPal system.

Look, it doesn't matter how many people a company has; once the algorithms are coded and implemented, there's nothing to do for those 2000 people - it's not like a computer security guy (let alone 100s or 2000 of them) is sitting and watching the access logs in real time.

MA already runs an HTTPS server and OAuth is an open standard - it's not like they have to reinvent the wheel.


ermik said:
Of course I understand that what you ask for can be made, I'm not dumb, however I'm concerned about the cost it would bring in order to be implemented securely.

Estimated time to implement this would be one week for a gifted coder, maybe for MA's inept team it's 4 weeks.


Wollongong said:
Well... I don't... I don't grant very much access to Facebook (which is quite empty itself). I don't give anything access to Twitter, to avoid becoming one of those spammers. I definitely do not grant ANYONE access to my bank info, and I sure as hell don't throw my credit card details (if I had one) into the world wide web.

You do have a bank account? You have checked your balance online already, I guess?
Or even initiated a money transfer?

That's even LESS safe than using OAuth, because you actually send your access credentials (read: password - over https, but still).

You have NEVER checked your avatar inventory on the EU website?

Oh, c'mon...

Wollongong said:
So my "paranoid" is not EU related. (Whoever was the guy who said "Just because I am paranoid doesn't mean they aren't after me"?) Anyhow, I sure wouldn't want anyone getting access to the Entropia databases, because this would give hackers a new way to figure out security leaks. And they WILL find leaks. They always do.

That's hackers in the movies - reality is quite different, most hacks are like this:
They try 100s of servers until they find one they can hack.

Targeting one specific server is something entirely different - just because it is done within minutes in the movies doesn't mean that it works like that IRL.

How many times has your bank been hacked? Or any bank?

Wollongong said:
It could even be possible that YOU use an application granting access to your data, but a hacker using it to gain access to the full dataset, putting all user data (and "possessions") at risk.

Tell me how exactly READ-ONLY access would put your "possessions" at risk?




What you do not understand is that EU already allows access to their data - all I want them to do is set up an interface that is not targeting HUMANS (with a nice eye-candy interface) but MACHINES. There is NO difference whatsoever in security so far.

Then, it would require replacing the gold card code (6 digits only) with an access token.

This access token will grant access to a SINGLE USER account ONLY.
The access token technique used is MORE SECURE than the gold card codes.
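The token model the opening post proposes and this post defends (OAuth-style bearer tokens issued per user and per application, scoped to read-only resources, revocable by the user at any time, standing in for the 6-digit gold card code), as an added illustration that is not part of the thread and not MindArk's code; the scope names, classes and sample avatar data are assumptions constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Scopes modelled on the access levels listed in the opening post (assumed names).
READ_SCOPES = {"storage:read", "skills:read", "shops:read",
               "auction:read", "ped:read", "landarea:read"}
WRITE_SCOPES = {"auction:bid", "shops:restock"}


@dataclass
class TokenRecord:
    user: str
    app_id: str
    scopes: frozenset
    revoked: bool = False


class AuthServer:
    """Issues and checks bearer tokens; each token binds ONE user to ONE app."""

    def __init__(self):
        self._records = {}                     # HMAC(token) -> TokenRecord
        self._key = secrets.token_bytes(32)    # server-side key (constructed)

    def _fingerprint(self, token):
        # Store only a keyed hash, so a leaked token table does not leak usable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, app_id, scopes):
        scopes = frozenset(scopes)
        unknown = scopes - READ_SCOPES - WRITE_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)      # 32 random bytes = 256 bits
        self._records[self._fingerprint(token)] = TokenRecord(user, app_id, scopes)
        return token

    def revoke(self, user, app_id):
        """User unilaterally cuts off one app; tokens held by other apps stay valid."""
        hit = 0
        for rec in self._records.values():
            if rec.user == user and rec.app_id == app_id and not rec.revoked:
                rec.revoked = True
                hit += 1
        return hit

    def authorize(self, token, required_scope):
        """Return the user the token belongs to, or None if the call must be refused."""
        rec = self._records.get(self._fingerprint(token))
        if rec is None or rec.revoked or required_scope not in rec.scopes:
            return None
        return rec.user


class ResourceServer:
    """The data side: every endpoint names the single scope it needs."""

    def __init__(self, auth, data):
        self.auth = auth
        self.data = data                       # user -> dict (constructed sample)

    def get_storage(self, token):
        user = self.auth.authorize(token, "storage:read")
        return ("403", None) if user is None else ("200", list(self.data[user]["storage"]))

    def place_bid(self, token, auction_id, amount):
        user = self.auth.authorize(token, "auction:bid")
        if user is None:
            return ("403", None)
        self.data[user]["bids"].append((auction_id, amount))
        return ("200", auction_id)


def entropy_bits(alphabet_size, length):
    """Guessing space of a random secret, e.g. a 6-digit code vs a 256-bit token."""
    return length * math.log2(alphabet_size)


def demo():
    """Walk through issue, read, refused write, revoke; returns status codes for checking."""
    auth = AuthServer()
    data = {"Nicholas": {"storage": ["Fertilizer x5", "Shrapnel x1000"], "bids": []}}
    rs = ResourceServer(auth, data)
    # Two apps, two tokens, both bound to the same user but with different scopes.
    calc = auth.issue("Nicholas", "inventory-calculator", {"storage:read"})
    bidder = auth.issue("Nicholas", "auction-app", {"auction:read", "auction:bid"})
    out = {}
    out["calc_read"] = rs.get_storage(calc)[0]                  # 200: scope granted
    out["calc_bid"] = rs.place_bid(calc, "auc-1", 10.0)[0]      # 403: read-only token
    out["bidder_bid"] = rs.place_bid(bidder, "auc-1", 10.0)[0]  # 200: bid scope granted
    out["revoked"] = auth.revoke("Nicholas", "auction-app")     # 1 token revoked
    out["bidder_after"] = rs.place_bid(bidder, "auc-2", 5.0)[0] # 403: revoked
    out["calc_after"] = rs.get_storage(calc)[0]                 # 200: other app unaffected
    out["bids"] = len(data["Nicholas"]["bids"])                 # exactly one bid recorded
    return out


if __name__ == "__main__":
    print(demo())
    print(f"6-digit code: {entropy_bits(10, 6):.1f} bits, token: {entropy_bits(2, 256):.0f} bits")
```

Running it shows the read-only token refused at the bid endpoint and the revoked app cut off while the other app keeps working; the last line contrasts the roughly 20-bit guessing space of a 6-digit code with the 256-bit token.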
 

wizzszz
And, to comment on the "resellers" - resellers will either stand around in the auction house all the time or use the API - what's the difference?
They will do it, even if you make it more complicated (instead of more convenient) - they will still resell.


And, resellers are actually providing a service; amongst other benefits they stabilize market prices. But this thread is not the right place for economy lessons, so either you understand it or you don't - I won't elaborate further on "resellers".

The whole reseller debate is pointless, anyway - EVERYTHING you consume IRL, everything you buy, your car, your food, your clothes, your computer, ...
all that has been "resold" at least once, food very likely even way more than twice - but have you ever pointed at your supermarket and screamed "burn the reseller scum!!!!!"?

I doubt it.
 

wizzszz
And, in general, no system is 100% secure, not as long as it is connected to the internet.

MA even lets you do ALL the things I have outlined above, you just need to use their client.

All the security concerns posted here are a mere joke - a hacker would very likely target EU's client. The UDP packets are very likely less strongly encrypted than https. Plus, the FULL ALGORITHM is available through reverse engineering: from the client source code!

:wise:

What, nobody has ever posted concerns that the client or its UDP communication could be hacked? Nobody???

Just proves my point, you are all panicking over the API, but the real "weak spot" is ignored.

:laugh:
 

narfi

Elite
Joined
Jul 14, 2008
Posts
4,874
Location
Alaska
Society
Lost Renegades
Avatar Name
Narfi Hungry Willem
Read only with a secondary username/password provided by MA for use with these 3rd party programs. (so that I am not endangering my in game login info)

No bidding, listing, tting, repairing, etc... I don't want to see that become possible unless directly provided by MA. (not a 3rd party)



scared/pissed off customer said:
Dear Support, I logged in this morning and my UL mining amp was missing from inventory and my ped card has 0.00ped on it. When I logged off last night it had 12,xxx ped on it.

Please return these missing items to my inventory as fast as possible so I can keep playing.

support said:
Dear Pissed off,
Our records indicate that you auctioned your UL amp for tt+10ped at 0100 MA time, and that you then purchased a pixie harness for tt+12,235ped at 0128 MA time.
Check your inventory again, the harness should be there.

Case Closed.

While it would likely never happen, the fear is there. And the motivation is there for someone to try it.

But you're right, it would be really helpful to be able to access skills, inventory, auction, auction history, etc... from offline in an easily readable manner (displayed by 3rd party or by MA, I don't care).

narfi
 

FallenAngel

Stalker
Joined
Dec 9, 2006
Posts
1,968
Society
Free!
Avatar Name
Fallen Yours Angel
wizzszz said:
And, in general, no system is 100% secure, not as long as it is connected to the internet.

MA even lets you do ALL the things I have outlined above, you just need to use their client.

All the security concerns posted here are a mere joke - a hacker would very likely target EU's client. The UDP packets are very likely less strongly encrypted than https. Plus, the FULL ALGORITHM is available through reverse engineering: from the client source code!

:wise:

What, nobody has ever posted concerns that the client or its UDP communication could be hacked? Nobody???

Just proves my point, you are all panicking over the API, but the real "weak spot" is ignored.

:laugh:

It's a great idea and most of the fears people have seem to come from misconceptions :)
While we are on the subject, they should also have in-game TV; players could broadcast their activities in game instead of the substandard video you get on the streaming sites.
 

wizzszz
narfi said:
Read only with a secondary username/password provided by MA for use with these 3rd party programs. (so that I am not endangering my in game login info)

No bidding, listing, tting, repairing, etc... I don't want to see that become possible unless directly provided by MA. (not a 3rd party)

The write options are just a possibility, to show what an API would be capable of.

TTing and repairing via external API would make no sense anyway.

Bidding on items, well, is merely just like eBay, I'd say "why not", and it has been requested a couple of times in the past, but hey, MA will not give it to us anyway.

The "secondary username/password" is basically what the API access token is - it is generated for access to one user's account, from one specific application.

But, mind you, all the things you don't like (i.e. bidding) can already be done by a fake client. Faking one is not as hard as people would think. And I am quite sure that some people have already considered that option.


narfi said:
While it would likely never happen, the fear is there. And the motivation is there for someone to try it.

You seem to mix up something there - e.g. for bidding (write access), you can set up a Windows app to have access to the API. There's just the app and MA, no one else who could possibly abuse it.


And, on a sidenote:
Of course nobody would give away an access token to someone he doesn't trust - what if I wrote such a bidding client, what if starfinder wrote one?

Many people trust starfinder enough to run his tracker client, and you, narfi, trusted me enough to run mine (at least back then).

It takes ~30 minutes to code a custom keylogger, and the tracker had access to the internet anyway - a custom keylogger is hardly found by any virus scanner...


So, if you trust the ET client, you would trust an auction app made by starfinder, too!?!
 

FallenAngel
faking clients, custom key loggers, exploits via unencrypted UDP, could you not just explain without giving people bright ideas?!?! :p
 

wizzszz
FallenAngel said:
faking clients, custom key loggers, exploits via unencrypted UDP, could you not just explain without giving people bright ideas?!?! :p

I have already skipped most of the details! :laugh:

However, if you know how to do these things, you very likely don't need any ideas from me.
 

Wody

Stalker
Joined
Aug 12, 2007
Posts
2,259
Location
TI City Copper 13G (and F)
Society
Freelancer
Avatar Name
Joshua Jot Avarius
wizzszz said:
Tell me how exactly READ-ONLY access would put your "possessions" at risk?

For example, a virus on your computer that checks regularly what you looted, and locks you out as soon as you loot something valuable, or your account reaches a certain amount, after which the controller of the virus takes over your computer to get access.
 

wizzszz
Wody said:
For example, a virus on your computer that checks regularly what you looted, and locks you out as soon as you loot something valuable, or your account reaches a certain amount, after which the controller of the virus takes over your computer to get access.

And how would you "lock out" a player with READ-ONLY access?
How do you want to "take control" over someone's computer when the API is accessed from, e.g., Jdegre's server? Your computer is not even involved, all you do is browsing an internet page.


The API access token is exactly the way to control how much access a third party app has to your data - unlike giving away your password and goldcard code (which would be the only way as the system works now). The API access token would NOT enable an app to take over full control over your account.


And btw - the ET client is (well, could be made) capable of doing what you describe - yet a lot of people run it, and i have yet to see a debate about security concerns with the ET client.
 

Wody
wizzszz said:
And how would you "lock out" a player with READ-ONLY access?
How do you want to "take control" over someone's computer when the API is accessed from, e.g., Jdegre's server? Your computer is not even involved, all you do is browsing an internet page.

You were talking about an API to EU, which means to the client; if you meant just an API to other software, you should post it in the relevant thread/forum for that software.
You also missed the part where I said 'a virus on your computer'. When you have a virus or other malware on your computer, it is no longer your computer, it is the computer of whoever controls the virus/malware, until you get rid of the virus/malware. The only reason why such malware just hides and lets you use the computer is because it is in their best interest to do so, because otherwise you would detect and remove it.
So, in the case of EU, there would be a point where it would no longer make sense to let you use your computer, after which it is easy to lock it, so the keyboard won't work anymore, the screen won't update etc., so you can't use it anymore (until you turn it off and remove the malware).
For passwords and such, it would have them already because you typed them and the virus grabbed them from that, or since it would take over the computer, disallow access to you, and open up remote access to somewhere else, it wouldn't need them.

As to using the tracker, there's usually about 100 people or so using it, and yeah, you could write a virus to use that, but for so few people it doesn't make sense. And even then, you only get globals/hofs, but no listings of items looted etc., which can be much more profitable because of the markup. With a read-only API to the client, it would be easy to check the inventory once every 5-10 seconds and compare what somebody just got, and check for items of interest.
I'm sure that everybody who does run the tracker-client has worried about security, and I think I can remember debates about such software, like no resources found, maybe not specifically about ET, but it doesn't have to be because it's all the same discussion. At least jdegre's software is Java, which you can easily decompile and check, and the tracker is .NET, which has the same possibilities.
 

wizzszz

Banned
Joined
Dec 31, 2006
Posts
5,202
Location
Germany
Society
Jurai Blood
Avatar Name
Nicholas wizzszz Wolf
You were talking about an API to EU, which means to the client, if you meant just an API to other software, you should post it in the relevant thread/forum for that software.

Other software??

"to the client"??

Sorry, I don't understand a single word of the line above.

Of course I am talking about an EU API - just look at the thread title... however, the API enables access to the SERVER, not the CLIENT.

You also missed the part where I said 'A virus on your computer'. When you have a virus or other malware on your computer, it is no longer your computer, it is the computer of whoever controls the virus/malware, until you get rid of the virus/malware. The only reason why such malware just hides and lets you use the computer, is because it is in their best interest to do so, because otherwise you would detect and remove it.

A virus just replicates itself, and maybe tries to damage your system after infecting enough other resources. A virus will never spy on anything.

What you mean is very likely a trojan/keylogger.

But, you missed the point - if you grant company XYZ access to your avatar account via the (fictional) EU API, there is nothing stored on your computer.

So, in the case of EU, there would be a point where it would no longer make sense to let you use your computer, after which it is easy to lock it, so the keyboard won't work anymore, the screen won't update etc, so you can't use it anymore (until you turn it off, and remove the malware).
For passwords and such, it would have them already cause you typed them and the virus grabbed it from that, or since it would take over the computer, and disallow access to you, and open up remote access to somewhere else, it wouldn't need them.

I got your example in the last post, no need to repeat it - however, this scenario is absolutely irrelevant. Either you give access to some 3rd party app - that means there is NOTHING your "virus" can find on your system.

If you use an app on your computer, the app is in charge of storing the API access token in a secure way (read: encrypted). Again, nothing a "virus" can do with that.

Read my last reply to you, I have already outlined why your scenario doesn't make sense (instead of repeating your point).

As to using the tracker, there's usually about 100 people or so using it, and yeah, you could write a virus to use that, but for so few people it doesn't make sense. And even then, you only get globals/hofs, but no listings of items looted etc, which can be much more profitable because of the markup. With a read-only API to the client, it would be easy to check the inventory once every 5-10 seconds and compare what somebody just got, and check for items of interest.

"Too few people are using it" is not even a valid argument - hacking deathifier should be enough.

Then, you came up with the "when you loot something valuable", which could even be read from the chat log when in team...

/Edit:
If you loot some new cool modified XYZ, it is even available to the public, even outside of EU - you just need to read the latest discoveries.

It was, however, not MY point, so you are basically arguing with yourself about an invalid scenario here...

I'm sure that everybody who does run the tracker-client has worried about security, and I think I can remember debates about such software, like no resources found, maybe not specifically about ET, but it doesn't have to be cause it's all the same discussion. At least jdegre's software is java, which you can easily decompile and check, and the tracker is .net, which has the same possibilities.

What a bunch of (wrong) assumptions, really - my tracker (yes, I wrote one, too) was run by 64 people during the test phase. Not a single one asked about security.

Every software can be decompiled, including your OS and the EU client - I just doubt there are more than 3 people playing EU who are capable of making some meaningful statements about undocumented source code they didn't write on their own.
And even those HAVE TO DO it before you use i.e. the tracker.

Did this happen? NO.
Nobody checked the ET client, and frankly, nobody can be arsed to do that on EVERY SINGLE UPDATE. You choose either to trust the guy who wrote it or you don't. That's all there is to it.



My tracker was a native .exe btw - checking disassembled source codes (Assembler) is something you do often? Nobody ever asked if he could have a glance at the sources (which were even written in two different programming languages), and frankly, I doubt you would have detected any malicious code in there if I'd have hidden it from you - I will not go into details though, but what you claim is simply wrong.


Worries about security before running an .exe on your system?
One should think so, yes, reality is entirely different.
That you CAN decompile and check a program doesn't mean that someone actually DID it.
 