Comments on Greedy goblin: Watch out with API keys!

nekomancer (2013-08-21T19:45:26.436+02:00):

As far as I know, wallet keeps history only for 1 month. So if you want to join corp, send enough ISK to your alt account, wait for 1 month and then join with full API access.

Rlid Wka (2013-08-20T13:41:22.938+02:00):

@Lucas

> Any sensible corp will need at least wallet journal, assets and mail ticked

Wrong. Corporation that wants to read private mails isn't sensible.

> Nothing you can receive from an API is really that critical.

It doesn't justify digging up other people's private information.

> Why would I want to join a corp, and put my assets on the line when half the corp could be awoxers and spies?

API check doesn't guarantee that you won't have spies in your corp. In fact, API doesn't give any information more than 1 month old. So it is useless for anyone who wants to screen out spies.

But it gives a false sense of security which is extremely dangerous.

> you need to to ensure this is not a spy you would need to see HighSecGuy's API

You can't ensure that. All you can do with api keys is to show a new player that you don't trust him, that's all.

> Even with a full key on all of your accounts, there's really not that much damage anyone could do.

Wrong. There is a lot they can do with this information. For example, if you haul things between trade hubs in your blockade runner, full API information could easily mean end of game.

> But you'll miss out a massive portion of the game by just going it alone because you refuse to properly analyse the risk of someone seeing your assets.

RvB and brave newbies don't require ANY api keys. TEST requirements are sensible. You don't miss out anything.

PS: I won't join any corporation that requires full api keys, and suggest everyone to do the same.
Just saying.

Anonymous (2013-08-20T02:24:29.326+02:00):

https://forums.eveonline.com/default.aspx?g=posts&t=257268

Possibly also something you should be concerned about when giving out your API key

Anonymous (2013-08-19T18:33:23.112+02:00):

Just goes to show you TEST is rotten to the core. Who would bother joining them where backstabbing is the norm?

Lucas Kell (2013-08-19T18:11:40.594+02:00):

@"If your API is known, you can practically only mine or do trivial missions for 30M/hour."
That is utterly ridiculous. You'd probably be able to count the times someone has used an API key to track down where someone is going to be in high sec then kill them on a single hand. There's no way it's a big enough issue to warrant any amount of worry.
And while they wouldn't suicide gank every tengu, but I'm sure they'd passive scan them if they see them coming through a lot. Then when they see your guy they are like "wow, he carries a lot of implants..." then they'd suicide you next time.

Gevlon (2013-08-19T16:36:12.465+02:00):

@Lucas: all kinds of high ISK/hour moneymaking activity involve taking some risky moves. For example I transport 10-30B worth of implants between trade hubs. Sure, I do it in a cloaky, 400K EHP Tengu.
But if someone knows the names and routes, he can gank them. Their safety lies in their secrecy: No one will suicide gank EVERY Tengu on Niarja to catch mine.

Similarly the pro mission runner who has a paper thin 3B Machariel in some system no one would check is hidden by the fact that no one will sweep every system one by one and probe down every Machariel.

The most vulnerable is probably the speculator who puts multi-billions into for example Caldari Ice having a good tip. See that and the speculation is ruined.

If your API is known, you can practically only mine or do trivial missions for 30M/hour.

Anonymous (2013-08-19T14:55:05.573+02:00):

Man that whole thing pissed me off. I've had my keys deleted since, and still haven't received any reassurance that it's worthwhile to add another one.

The best I've heard was that it was taken down. BY is still a mod, playing the sympathy card for all the hate he got, and I got shit on because one of the mods was ignored (on account of following posts and crapping all over them, Dys0n)

But yeah, until there's some reassurances, no reason to have anything up there. Either it gets fixed, or I get purged, we will see

Anonymous (2013-08-19T14:23:52.609+02:00):

Gevlon, you are right - if you are that paranoid, you need to hide your money maker well.

Your suggestion that you use a zero skill alt as a go-between won't work - a full audit of that alt will lead back to your money maker.

It is exceptionally difficult to hide from good recruiters.
Much of the "red flagging" of pilots can be done automatically and quickly.

Your only real option is to keep your money maker completely separate from your pvp pilot, and potentially launder money through a 3rd party - or not join. I don't think flipping the recruiter the bird and refusing to give up your secrets is the way to go. Your secrets are found by that point and the recruiter was only doing his job.

It is commonplace for us to reject people as spies if we find other toons, even if the applicant is willing to give up the API keys for the undisclosed - if you are going to hide something you need to hide it well.

Lucas Kell (2013-08-19T13:44:15.603+02:00):

I think that's a bit of an extreme. There's nothing that important they can get from your full API. The API system was made with that in mind. Who really cares if they know which high sec station you store your ships in? Or the names of your other characters? Even with a full key on all of your accounts, there's really not that much damage anyone could do.

At the end of the day, yes the choice is give them the key and join, or don't join. But you'll miss out a massive portion of the game by just going it alone because you refuse to properly analyse the risk of someone seeing your assets.

Gevlon (2013-08-19T12:44:48.028+02:00):

Then you have two options: hide your highsec account well enough that they don't find it (actually be a spy), or don't join.

Giving them full API to your moneymaker is being a suicidal retard.

Lucas Kell (2013-08-19T12:39:48.008+02:00):

"I did not tell you shouldn't give out your key to the joining pilots but not to your highsec ones."
Any corp with half a clue about security would ask for your high sec API. If you have a character called NullSecGuy, and he's going to join the corp, but NullSecGuy is being funded by another character called HighSecGuy, then to see what you need to to ensure this is not a spy you would need to see HighSecGuy's API to ensure he's not also funding a guy called EnemyNullSecGuy.

When a corp recruits, they are vetting the player, not the character, so if they let you in based on the character applying alone, there's a good chance they will be used as an in point for a spy. Once a spy is in your corp, moving internally in the alliance is considerably easier.

Gevlon (2013-08-19T12:30:46.048+02:00):

@Lucas: I did not tell you shouldn't give out your key to the joining pilots but not to your highsec ones.

The PL comment was not about APIs but generally trusting corpmates.

@Stabs: what people want on forum is very different from what leaders do in TEST. I left and didn't look back.

Stabs (2013-08-19T12:06:24.246+02:00):

I'm really sorry that this happened Gevlon.
The person who leaked your information received a lot of heat on the forums for this, it's seen by almost all of our community as lame, as very poor conduct in a leader.

They didn't sack him though which perhaps they should have. Perhaps the feeling is some people are too big to sack.

Anonymous (2013-08-19T11:09:16.516+02:00):

Your thoughts about keeping some things secret are wise, however not foolproof. A good recruiter will be looking for wallet transactions (specifically regular transactions) to undisclosed toons as well as leave/join history on previous corporations to determine patterns (same toon leaves on the same date every time your disclosed toons leave etc).

So it isn't normally as straightforward as having an account set aside for your money making. Transferring that money to your PvP account could give you away at some point. If you are going to hide stuff you need to be creative about it

Lucas Kell (2013-08-19T10:33:48.110+02:00):

Oh and just to add:
"Just think of the PL supercapital pilots who were ganked by their own FC."
This was done as part of an official op. Their assets were lost because they were part of the op, not because they gave out api keys. It's very unlikely that after leaving a corp they'll come running to high sec to blap all of your assets, and if they wanted to, it would take no more than a few locator agents and a couple of npc corp alts to find everything they need to know.

Lucas Kell (2013-08-19T10:30:59.999+02:00):

Most of the time when people request full API keys it's for security checks prior to joining a corp. Any sensible corp will need at least wallet journal, assets and mail ticked, as from those they can see if there are any common characters you give money to or receive money from, or people you have contacted or have contacted you. They can also check if you have assets in strange places or assets that seem to have appeared, rather than being part of a trade or market entry.

Since spies are such a big part of this game, and alliance assets are lost to spies, it's a major part of joining a corp. Nothing you can receive from an API is really that critical. If you wanted to find out where someone's biggest assets are you can usually find out just by asking them.

Most people will want to join a corp, and most corps will require a full api key. Hell if a corp DOESN'T require one, I'd think twice about joining them. Why would I want to join a corp, and put my assets on the line when half the corp could be awoxers and spies?

By the way, I do notice your half trillion not listed on here.