Greedy Goblin

Monday, August 19, 2013

Watch out with API keys!

Why do I get so many blog hits from a Reddit page? Because it has this very interesting leak:
This screenshot was taken by someone with higher access rights from the TEST API system, which pulls submitted API keys from the CCP server. It stores the last info it could pull down before I quit TEST. I posted a summary of my accounts several times, and this leak contains the 3 accounts that had TEST API keys submitted:
  • Gevlon Goblin is my highsec main, I never kept that secret. He only undocks for baiting gankers. He was training Ice Harvesting at the time of the API pull, because I'm going to mine White Glaze in the upcoming weeks. You'll hear about my mining stories tomorrow.
  • The second is my Hek trader and I'm pretty sad that her name got out. There is a lvl2 research agent in Hek who gives courier missions that can be completed in a shuttle for corp standings. One mission a day, I've been doing them every time I log in. I guess I won't get to 9.8 Boundless Creation standings, because my fans will surely pop that little shuttle.
  • Cindy Sasen is my well-known scout/cyno pilot who started my nullsec career as an AFK cloaker in -A- space.
  • Avat Goblin is my dreadnought pilot, who was in TEST (somehow the API updated after I quit).
  • Botmuncher Goblin was started when I was ganking in highsec, to have a secondary ganker so I don't have to wait out GCC. His training has stopped. Now I have a new plan for him, so I activated dual character training. Hopefully you'll hear about his exploits.
  • Titania Goblin is my logi pilot who was flying with TEST the most and now gets her carriers.
  • Okami Kusoni is just sitting in a trade hub to PLEX this nullsec account.
  • Botslayer Goblin is the famous ganker who killed 52B worth of miners in a month.
Well, nothing really interesting is here, so why the post? The interesting thing is the lack of a leak. Except for Helga's name, you couldn't learn anything from this screenshot you did not know already, because I wasn't stupid with APIs. TEST demands a very limited API key: Account Status, Character Info, Skill Queue, Skill in Training, Character Sheet, Character Info, Standings, Kill Log. This is information you'd share with anyone. Which is the most important rule in API key management: only give out an API key for info that you wouldn't mind sharing with anyone. Consider the info covered by your API key public information. Be careful: a full API key gives out practically everything about your account, including mails, locations, assets, wallet journal, everything. If there is a piece of information you wouldn't share with anyone, don't share it with anyone! If the guy asking for your API says "Only I will see it and very trustable guys" and you believe him, well, I know of a very reliable ISK doubling service in Jita you might be interested in.

Of course this doesn't mean you shouldn't give your API key, even your full API key, to anyone. Since you need two accounts to play EVE unless you are very casual, have separate moneymaking account(s) and make sure that your personal pilots are there. Have different public nullsec/PvP account(s). Your nullsec pilots cannot have secrets anyway; I can tell without keys that your combat pilot flies alliance doctrine ships, trains for them, and has doctrine ships and jump clones in the staging and deployment systems outlined in your SotA. The only interesting thing they can get from even a full API key is the name of the moneymaking pilot who sent ISK or assets to the combat pilot. The solution is having a zero-skill alt in the private account(s); only this pilot should receive or send anything to your nullsec pilot(s), so the only thing they learn is the name of a zero-skill pilot. If they ask for the API key of that pilot, give them the finger. Never, ever give out the API key of your personal account(s) to anyone! Being kicked from your alliance is much better than losing all your assets.

If they know the locations and assets of your moneymaking pilots, they can gank them. If they can, they will. Just think of the PL supercapital pilots who were ganked by their own FC. I'm not saying you shouldn't trust your alliance mates, just that you shouldn't trust them with everything you have. Your nullsec assets should be enough for them. Combat ships are considered lost on fitting anyway. But if you keep your moneymaking assets safe, you can always rebuild after a loss.
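The scoping rule above (hand out only a key whose scopes you would be happy to make public), as an added example that is not code from the blog or from CCP: the scope names follow the post's two lists, but the bit values are constructed placeholders, not the real EVE access-mask numbers.

```python
"""Least-privilege check for a scoped API key request.

Added example; the bit values are constructed, not CCP's real access mask.
"""
from enum import IntFlag


class Scope(IntFlag):
    # Scopes the post says TEST asks for ("info that you'd share with anyone")
    ACCOUNT_STATUS = 1 << 0
    CHARACTER_INFO = 1 << 1
    SKILL_QUEUE = 1 << 2
    SKILL_IN_TRAINING = 1 << 3
    CHARACTER_SHEET = 1 << 4
    STANDINGS = 1 << 5
    KILL_LOG = 1 << 6
    # Scopes the post warns a full key exposes
    MAIL = 1 << 7
    LOCATIONS = 1 << 8
    ASSETS = 1 << 9
    WALLET_JOURNAL = 1 << 10


PUBLIC_OK = (Scope.ACCOUNT_STATUS | Scope.CHARACTER_INFO | Scope.SKILL_QUEUE
             | Scope.SKILL_IN_TRAINING | Scope.CHARACTER_SHEET
             | Scope.STANDINGS | Scope.KILL_LOG)
FULL_KEY = Scope((1 << len(Scope)) - 1)  # every scope ticked


def parse_request(text: str) -> Scope:
    """Turn a comma-separated request like the one quoted in the post into a mask."""
    mask = Scope(0)
    for item in text.split(","):
        name = item.strip().upper().replace(" ", "_")
        if name not in Scope.__members__:
            raise ValueError(f"unknown scope: {item.strip()}")
        mask |= Scope[name]
    return mask


def excess_scopes(requested: Scope, allowed: Scope = PUBLIC_OK) -> list:
    """Names of requested scopes that fall outside what you'd share with anyone."""
    extra = requested & ~allowed
    return [s.name for s in Scope if s in extra]


def safe_to_issue(requested: Scope, allowed: Scope = PUBLIC_OK) -> bool:
    """True only when the request asks for nothing beyond the allowed set."""
    return not excess_scopes(requested, allowed)
```

A recruiter's request is accepted only when `excess_scopes` comes back empty; anything it lists is exactly what the post says to refuse.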

16 comments:

Lucas Kell said...

Most of the time when people request full API keys it's for security checks prior to joining a corp. Any sensible corp will need at least wallet journal, assets and mail ticked, as from those they can see if there are any common characters you give money to or receive money from, or people you have contacted or have contacted you. They can also check if you have assets in strange places or assets that seem to have appeared, rather than being part of a trade or market entry.

Since spies are such a big part of this game, and alliance assets are lost to spies, it's a major part of joining a corp. Nothing you can receive from an API is really that critical. If you wanted to find out where someone's biggest assets are you can usually find out just by asking them.

Most people will want to join a corp, and most corps will require a full api key. Hell if a corp DOESN'T require one, I'd think twice about joining them. Why would I want to join a corp, and put my assets on the line when half the corp could be awoxers and spies?

By the way, I do notice your half trillion not listed on here.

Lucas Kell said...

Oh and just to add:
"Just think of the PL supercapital pilots who were ganked by their own FC."
This was done as part of an official op. Their assets were lost because they were part of the op, not because they gave out API keys. It's very unlikely that after leaving a corp they'll come running to high sec to blap all of your assets, and if they wanted to, it would take no more than a few locator agents and a couple of NPC corp alts to find everything they need to know.

Anonymous said...

Your thoughts about keeping some things secret are wise, however not foolproof. A good recruiter will be looking for wallet transactions (specifically regular transactions) to undisclosed toons as well as leave/join history on previous corporations to determine patterns (same toon leaves on the same date every time your disclosed toons leave etc).

So it isn't normally as straightforward as having an account set aside for your money making. Transferring that money to your PvP account could give you away at some point. If you are going to hide stuff you need to be creative about it.

Stabs said...

I'm really sorry that this happened Gevlon. The person who leaked your information received a lot of heat on the forums for this, it's seen by almost all of our community as lame, as very poor conduct in a leader.

They didn't sack him though which perhaps they should have. Perhaps the feeling is some people are too big to sack.

Gevlon said...

@Lucas: I did not tell you shouldn't give out your key to the joining pilots but not to your highsec ones.

The PL comment was not about APIs but generally trusting corpmates.

@Stabs: what people want on the forum is very different from what leaders do in TEST. I left and didn't look back.

Lucas Kell said...

"I did not tell you shouldn't give out your key to the joining pilots but not to your highsec ones."
Any corp with half a clue about security would ask for your high sec API. If you have a character called NullSecGuy, and he's going to join the corp, but NullSecGuy is being funded by another character called HighSecGuy, then to see what you need to ensure this is not a spy you would need to see HighSecGuy's API to ensure he's not also funding a guy called EnemyNullSecGuy.

When a corp recruits, they are vetting the player, not the character, so if they let you in based on the character applying alone, there's a good chance they will be used as an in point for a spy. Once a spy is in your corp, moving internally in the alliance is considerably easier.

Gevlon said...

Then you have two options: hide your highsec account well enough that they don't find it (actually be a spy), or don't join.

Giving them full API to your moneymaker is being a suicidal retard.

Lucas Kell said...

I think that's a bit of an extreme. There's nothing that important they can get from your full API. The API system was made with that in mind. Who really cares if they know which high sec station you store your ships in? Or the names of your other characters? Even with a full key on all of your accounts, there's really not that much damage anyone could do.

At the end of the day, yes, the choice is give them the key and join, or don't join. But you'll miss out on a massive portion of the game by just going it alone because you refuse to properly analyse the risk of someone seeing your assets.

Anonymous said...

Gevlon, you are right - if you are that paranoid, you need to hide your money maker well.

Your suggestion that you use a zero skill alt as a go-between won't work - a full audit of that alt will lead back to your money maker.

It is exceptionally difficult to hide from good recruiters. Much of the "red flagging" of pilots can be done automatically and quickly.

Your only real option is to keep your money maker completely separate from your pvp pilot, and potentially launder money through a 3rd party - or not join. I don't think flipping the recruiter the bird and refusing to give up your secrets is the way to go. Your secrets are found by that point and the recruiter was only doing his job.

It is commonplace for us to reject people as spies if we find other toons, even if the applicant is willing to give up the API keys for the undisclosed ones - if you are going to hide something you need to hide it well.

Anonymous said...

Man, that whole thing pissed me off. I've had my keys deleted since, and still haven't received any reassurance that it's worthwhile to add another one.

The best I've heard was that it was taken down. BY is still a mod, playing the sympathy card for all the hate he got, and I got shit on because one of the mods was ignored (on account of following posts and crapping all over them, Dys0n).

But yeah, until there's some reassurances, no reason to have anything up there. Either it gets fixed, or I get purged, we will see.

Gevlon said...

@Lucas: all kind of high ISK/hour moneymaking activity involves taking some risky moves. For example I transport 10-30B worth of implants between trade hubs. Sure, I do it in a cloaky, 400K EHP Tengu. But if someone knows the names and routes, he can gank them. Their safety lies in their secrecy: No one will suicide gank EVERY Tengu on Niarja to catch mine.

Similarly the pro mission runner who has a paper thin 3B Machariel in some system no one would check is hidden by the fact that no one will sweep every system one by one and probe down every Machariel.

The most vulnerable is probably the speculator who puts multi-billions into, for example, Caldari Ice on a good tip. See that and the speculation is ruined.

If your API is known, you can practically only mine or do trivial missions for 30M/hour.

Lucas Kell said...

@"If your API is known, you can practically only mine or do trivial missions for 30M/hour."
That is utterly ridiculous. You'd probably be able to count the times someone has used an API key to track down where someone is going to be in high sec then kill them on a single hand. There's no way it's a big enough issue to warrant any amount of worry.
And while they wouldn't suicide gank every Tengu, I'm sure they'd passive scan them if they see them coming through a lot. Then when they see your guy they are like "wow, he carries a lot of implants..." then they'd suicide you next time.

Anonymous said...

Just goes to show you TEST is rotten to the core. Who would bother joining them where backstabbing is the norm?

Anonymous said...

https://forums.eveonline.com/default.aspx?g=posts&t=257268

Possibly also something you should be concerned about when giving out your API key.

Rlid Wka said...

@Lucas

> Any sensible corp will need at least wallet journal, assets and mail ticked

Wrong. A corporation that wants to read private mails isn't sensible.

> Nothing you can receive from an API is really that critical.

It doesn't justify digging up other people's private information.

> Why would I want to join a corp, and put my assets on the line when half the corp could be awoxers and spies?

API check doesn't guarantee that you won't have spies in your corp. In fact, API doesn't give any information more than 1 month old. So it is useless for anyone who wants to screen out spies.

But it gives a false sense of security which is extremely dangerous.

> you need to to ensure this is not a spy you would need to see HighSecGuy's API

You can't ensure that. All you can do with api keys is to show a new player that you don't trust him, that's all.

> Even with a full key on all of your accounts, there's really not that much damage anyone could do.

Wrong. There is a lot they can do with this information. For example, if you haul things between trade hubs in your blockade runner, full API information could easily mean the end of the game.

> But you'll miss out a massive portion of the game by just going it alone because you refuse to properly analyse the risk of someone seeing your assets.

RvB and brave newbies don't require ANY api keys. TEST requirements are sensible. You don't miss out anything.

PS: I won't join any corporation that requires full API keys, and I suggest everyone do the same. Just saying.

nekomancer said...

As far as I know, the wallet keeps history only for 1 month. So if you want to join a corp, send enough ISK to your alt account, wait for 1 month and then join with full API access.