Wallet Manager Security Issues
Posted: 2011-08-26 Filed under: industry | Tags: database, injection, security, sql 8 Comments
If you have been following this blog for a while, you know that my corpmate James and I have been working on a Wallet Manager site to help manage our Eve ventures. Over time it has grown into our all-encompassing-project-management-thing which now has trading, manufacturing, invention, and cost analysis sections.
I wanted to disclose why this darn thing is not open to the public as the majority of the feedback that I have been hearing has been, “awesome, now when can I use it!?”
We have not made the site public because of security issues, specifically due to the numerous SQL injection abilities in our code.
Here is a common function that we use that takes the typeID of an item and returns its name. We use this so when we display a Cap Recharger II for example, you can see the name of the item and not just the ‘2032’ number identifier that is easier to work with from a programmability standpoint.
This PHP function retrieves the item name from an input of its typeID.
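public function getName($typeID)
{
    // The caller-supplied $typeID is concatenated straight into the SQL text (unsanitized)
    $sql = 'SELECT typeName FROM invTypes WHERE typeID = '.$typeID.'';
    $connection = Yii::app()->db;
    $command = $connection->createCommand($sql);
    // Run the query
    $results = $command->query();
    // Read the first result row and return its typeName column
    $itemName = $results->read();
    return $itemName['typeName'];
}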
The database query is highlighted in green and the terrible part has been highlighted in red.
What you are seeing is a database query that is fed a non-sanitized input. Good programmers will take the $typeID variable and sanitize it before putting it into the SQL query. A common check is to limit the variable to only have characters such as A-Z and 1-3 characters. This check keeps special characters such as : ; ' " $, which are used for SQL operations, out of the query.
With our current function and its unsanitized input variable, you can plug all sorts of things into the query. You could inject code in place of the variable to read, drop, and modify the database, something we obviously don’t want happening.
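The concatenated query next to a validated, bound version, as an added example that is not the Wallet Manager's own code. It uses plain PDO with an in-memory SQLite database instead of Yii so it runs stand-alone; the table rows, the input string and the function names getNameConcat and getNameBound are constructed for illustration.

```php
<?php
// Added example: constructed in-memory data, not the Wallet Manager's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invTypes (typeID INTEGER PRIMARY KEY, typeName TEXT)');
$db->exec("INSERT INTO invTypes VALUES (2032, 'Cap Recharger II'), (34, 'Tritanium')");

// Same pattern as getName() in the post: input concatenated into the SQL text.
function getNameConcat(PDO $db, $typeID)
{
    $sql = 'SELECT typeName FROM invTypes WHERE typeID = ' . $typeID;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['typeName'] : null;
}

// Hardened: accept only a positive integer, then pass it as a bound parameter
// so the value can never become part of the SQL grammar.
function getNameBound(PDO $db, $typeID)
{
    $id = filter_var($typeID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('typeID must be a positive integer');
    }
    $stmt = $db->prepare('SELECT typeName FROM invTypes WHERE typeID = :typeID');
    $stmt->bindValue(':typeID', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed input: no item has typeID 0, but the text changes the WHERE clause.
$altered = '0 OR 1=1';

var_dump(getNameConcat($db, 2032));      // normal lookup
var_dump(getNameConcat($db, $altered));  // still returns a row: the condition now matches everything
var_dump(getNameBound($db, '2032'));     // normal lookup through the bound query

try {
    getNameBound($db, $altered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";  // non-integer input never reaches the database
}
```

In Yii 1.x the same binding is available on the command object, for example createCommand($sql)->bindValue(':typeID', $typeID, PDO::PARAM_INT) followed by queryScalar().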
Sadly around half of our functions were written in this fashion in order to get the pages up and working. Because it has been an internal project, the focus has been on the aesthetic result and not the security of the code behind it. If we were to release it to the public we would have to go over each function and check to make sure that it is secure.
Let me quote CCP and say Soon(tm) for the release.
Empire Research and POS Attack
Posted: 2011-08-25 Filed under: industry, pos | Tags: lowsec, me, pirate, pos, research 11 Comments
In Empire space open Material Research slots are notoriously hard to find. To view Public slots in your area, go to your Science & Industry section, Installations tab, filter by Material Research / Any / Current Region / Public. This will show you just how full the slots are.
The saturation of slots in Empire is true for Material Research and Copy job activities while Time Efficiency and Invention slots are generally easy to find.
Why are Time Efficiency (PE) and Invention slots generally open in empire?
Adding PE to a BPO reduces a small amount of time off of the construction job. For example here are the build times for a Noctis at differing PE levels (doesn’t account for character skill bonuses):
PE 5: 2 hours, 46 minutes
PE 10: 2 hours, 43 minutes
PE 20: 2 hours, 41 minutes
via games.chruker.dk
If getting it to PE 20 only saves 5 minutes off of the build time, why even bother? A lot of small industrialists consider PE on a blueprint a bonus. The amount of time does scale with the job length so for long jobs such as capitals, PE can save a few hours and might be worth the investment. Also if you are planning on making 1,000 Noctii (?), then you will want to spend some research time adding PE to the BPO.
For invention, the jobs are quick. To invent a Cap Recharger II the job takes 2 hours and 30 minutes. I find that it is easier to run a batch of invention jobs and then spend a few weeks working on the invented T2 BPCs.
So what is the budding industrialist supposed to do when he or she wants access to a lot of ME and Copy slots? Why set up a POS of course! How exciting — hours of anchoring, fueling, and defense management! Can you tell I don’t like POS management?
I stupidly set up my research POS in a lowsec dead-end system that has a lot of cyno traffic. I picked this system due to my Highsec proximity. Not to my surprise, a local pirate group had targeted the tower within two weeks.
One weeknight while I was out to dinner, I started to get frantic emails and text messages from corpmates who were seeing the in-game ‘Under Attack’ messages. When I got home I was able to cancel the research jobs, unanchor all of the labs, pull out the majority of the fuel, and online a bunch of hardeners just to make the job of taking the tower down more tedious; the amount of smack in local informed me that they were there to stay and finish what they had started.
Note to you pirates out there that think killing a POS with labs will get you billions of BPOs: you can run the jobs remotely. This means that the BPO is sitting in a Station in the corporation hangar. The research is done from the POS while the shiny BPO is locked up in the Station corporation hangar.
Second note to pirates: If you find a research tower in a system with NO station, then you have found something quite precious.
After the last hardener was set up, I logged off, watched some Netflix, and went to bed. After waking up and reviewing the Eve in-game alerts, it turns out that they did put the tower into Reinforced mode after 7 hours. I’m glad that the only POS bashing I have participated in was with Supercarriers and Titans; subcapital POS bashing seems like a boring, boring task.
The lowsec pirates did camp the lowsec station that I was using as a base and stalked me into Empire while the tower was in Reinforced. I believe that they were gathering intel to see if I was going to mount a defense effort or possibly unanchor and save the tower. Having written off the costs of the POS project from the beginning, I wasn’t interested in either. Saving the 700 M worth of labs was all I really cared about.
Two weeks later the POS still stands anchored, offline, and with damaged guns that need repair in order to unanchor and save the tower. For now I have no interest in saving it and I need to find a different method or location for getting ME and Copy slots.
Building a Jump Freighter
Posted: 2011-08-24 Filed under: industry | Tags: anshar, freighter, invention, obelisk, t2 24 Comments
*Warning* Eve Industry Speak Ahead!
I have always been a builder. Even as a young child I would construct elaborate towers of falling water in the kitchen sink with dirty dishes and cups. My parents told me that I would entertain myself for hours with a small stream of running water and some dirty dishes.
There is something satisfying about taking smaller components and arranging them in a way to serve a higher purpose and I have definitely channeled this passion into Eve. Though the T2 production chain is complicated, there is a beauty to it.
I spend a lot of time on the Sell Forum section of the Eve website. Some deals are in your favor, but you have to do your research. One evening I found a person selling some invented Jump Freighter Blueprints and that really interested me. For a while now, I have been looking to put my Capital BPOs to good use as they have been sitting idle in station for over a month now.
The contract was for 6x ME-1 Anshar BPCs for 700 M, so 116.67 M each. I looked at Jita contracts for ME-1 BPCs and they were selling for around 180-200 M.
Perhaps I stumbled upon a weary industrialist looking to sell his inventory? The offer seemed like a legitimate deal so I accepted it. He even threw in two Obelisk T1 BPCs for free which run about 35 M each. Nice.
Channel Name: Private Chat (Seller)
Listener: Blake
Session started: 2011.08.15 19:19:54
—————————————————————
[ 2011.08.15 19:19:56 ] Blake > hi
[ 2011.08.15 19:20:00 ] Seller > hey bud
[ 2011.08.15 19:20:04 ] Seller > you into those bpc?
[ 2011.08.15 19:20:17 ] Blake > nice price
[ 2011.08.15 19:20:19 ] Blake > I’ll take em
[ 2011.08.15 19:20:24 ] Seller > i’ll do all 6 for 700m
[ 2011.08.15 19:20:30 ] Seller > ok, contract to you? now?
[ 2011.08.15 19:20:36 ] Blake > yep
[ 2011.08.15 19:20:59 ] Seller > need those obelisk bpc as well?
[ 2011.08.15 19:21:21 ] Blake > not right now
[ 2011.08.15 19:21:35 ] Seller > foc
[ 2011.08.15 19:21:37 ] Seller > you can have them
[ 2011.08.15 19:22:33 ] Blake > foc?
[ 2011.08.15 19:22:39 ] Blake > oh oh free of charge?
[ 2011.08.15 19:22:40 ] Seller > free of charge
[ 2011.08.15 19:24:17 ] Blake > thanks man
[ 2011.08.15 19:24:24 ] Seller > my pleasure
[ 2011.08.15 19:24:26 ] Seller > enjoy :))
[ 2011.08.15 19:24:31 ] Blake > fly safe
Well now what do I do? I also needed to purchase the Gallente based Advanced Capital Ship Components which run 13.5 M each at NPC prices and get them to at least ME 10.
Right, now to build the things! Our T2 production page of the wallet manager is still taking shape, so I had to resort to using Excel to calculate the build costs.
Now before you rush out to get into Jump Freighter production, consider the large amount of time and capital involved.
First you need the T1 item for the T2 production job and building an Obelisk from BPCs kills the profits. If you build them from BPOs, there is about a 110 M profit at Jita mineral prices. Also, in order to timely produce a freighter, you need multiple copies of the BPOs. I found that you need 1:1:3:2 in order to build a freighter every 15 days.
Second, you need a freighter BPC for Invention, which takes around a month to copy, or you can buy one on the market for around 35 M. Datacores for the Invention job cost about 18.4 M and are consumed during the job. For a ship of this cost level, you are going to also use a decryptor to affect ME output of the T2 BPC, which costs about 6 M and is also consumed.
Now stack up the odds of the Invention success chance with a 41.58 % theoretical max success rate, which means that a successful invention job costs around 61.7 M and takes 5 days for the result and you can see why this isn’t a common industry production chain.
Whew, now to put all the items together to make a fancy Jump Freighter!
If you like this type of Industry post, let me know. I’m not sure if I should continue to write them or file them under ‘nobody cares’ like Eve Fail (a site which I personally enjoy).
Nullsec Industrialization
Posted: 2011-08-01 Filed under: industry, market | Tags: dominion, industry, jita, nullsec 4 Comments
In Eve we talk a lot about vision. With Dominion, we were going to be brought into a new era of Nullsec gameplay. Small alliances were going to gain a foothold in space, industrial powers were going to rise, and major conflicts were going to arise over these resources.
Here we are almost two years later and not much has changed in Nullsec. There are major powerblocks controlling the majority of space and conflicts are over a few precious moon types.
I don’t think the vision of Dominion came to be fully actualized. Some major steps were taken, such as removing the POS bowling that had to occur to gain sovereignty and the addition of upgrades with the Infrastructure Hub, but overall the gameplay hasn’t moved forward as far as the vision promised.
People have been talking about the “Independence from Jita” that Nullsec needs and I haven’t seen a concrete plan to reduce the dependence on goods from Highsec.
Here’s a graphical overview of how I see the current flow of Industry:
Industrialists are supposed to be producing all of the goods you PVP types want locally with no reliance on anything from empire. This statement could not be farther from the truth.
Let’s use me as a case study. I’m an industrialist that owns many ship, module, and capital blueprints. I have the ability to produce anything from Cap Rechargers, a Heavy Interdictor, or even a Carrier. All of my production occurs in Highsec/Lowsec. I have three characters that work night and day to produce goods that get shipped off to Nullsec.
Why should I move my operation into Nullsec?
Right now there is a low amount of risk for getting my Highsec/Lowsec goods into Nullsec due to proper scouting and intel combined with a high reward because everything in Nullsec is marked up. Why move?!
Yes there is the topic of nerfing Jump Bridges, Cynosural Generator Array, and Jump Freighters but that will do nothing but drive industry out of Nullsec. Making it more difficult to move items around is not the answer. The main problem is the availability of materials and the lack of industrial infrastructure that Nullsec currently provides.
Moon Source Dependence
In order for me to make a Tech 2 Drone, I need a few moon materials that come from many regions. There is no way that I could get all of the materials from one Nullsec region. What’s the simplest answer? Eve people always go for the simplest answer — get the items from Jita of course! Why would I spend hours getting wild trade routes set up in Nullsec when I can take a freighter to Jita and buy everything that I need en masse?
There will be a huge amount of player uproar if the current distribution of moons is altered. Instead there should be a new method for obtaining moon materials other than POS moon harvesting. Perhaps we can see scannable comets emerge? Perhaps a Tech 2 moon harvesting Noctis hull?
Outposts
I can understand moving research (ME/PE/Copy/Invention) slots to a POS structure, but having manufacturing slots so few and hard to come by in Nullsec impedes industrialists from starting operations.
New players that want to get into manufacturing should be able to spend a few days polishing off skills and have access to slots in Outposts. This reduces the barrier of entry and keeps POS permissions and corp politics out of the arena.
Why would I fight with other people in an Outpost for use of the 10 available slots when in empire I can have access to 50+ in one system? When I do a Carrier build, I get all three characters on the job and I have 30 capital parts building at once. Adding a 3x or more time multiplier on my overall job doesn’t encourage me to move my operations to Nullsec.
Players should have access to cheaper, more robust upgrades for Outposts and be able to have multiple Outposts in systems. If you truly want to make a home capital system in the sky, then we should be able to have the ability to construct facilities that rival Empire systems. This is how Dominion could have created some really valuable territory that people would like to own. Imagine how encouraging it would be to solicit to an Industrial corp to join your Alliance if you controlled a system with six outposts dedicated to manufacturing. Imagine how attractive it would be for a foreign power to take that away from you!
Lowend Ores
The amount of Lowend minerals (Tritanium, Pyerite, Mexallon) is very unbalanced. Making Capital ships requires a huge amount of lowends and the small sized in the belts is not enough to meet the demand. The current method for building a large amount of ships or Capitals is to mine the Highends, compress and ship them off to Jita, buy high compression ratio items/minerals, bring back to your production area and manufacture.
Industry Index
Currently it is too difficult to keep the Industry Index at 4 or 5 compared to the Military Index. Make it easier to maintain and spawn better sites at high levels.
Time-based Disruptions
Increasing the amount of HP on a structure rather than going with the time-based model of taking structures will only encourage more blobbing. Any new method for taking sov or disabling station services should be timer based.
Nerf the Logistics!
Nullsec logistics is already hard enough if you are far away from Empire. Jump bridges and Cynosural Generators perform well. If any change to Logistics is to be made, increase the consumption of Isotopes or Liquid Oxygen.
Capital vs Subcapital ME Levels
Posted: 2011-07-23 Filed under: industry, ships | Tags: maelstrom, obelisk
While working on some profit numbers for various items, I found that ME levels affect the build costs a little differently for Capital ships than other items such as Battleships or Modules.
A simple example is a battleship like the Maelstrom. For every additional ME level, the material requirements level off. Less Tritanium, Pyerite, Isogen, etc. are required for each additional ME level.
There is a diminishing return with each ME level as it is a logarithmic trend. For a Maelstrom the ‘optimal’ ME is around 15, which is about 2 months worth of research.

Capitals however, are made from Capital Components which are made from minerals.
The material requirements for the Obelisk only change at ME 1, 2, 3, 5, 10, 16, and so on. You don’t get any benefit by researching an Obelisk BPO to ME4. You might as well get it to 5 to remove another Capital Component from the requirements.
I have found the ME charts on games.chruker.dk to be invaluable for this type of information.












