Friday, 14 March 2014

API Security - A blessing and a curse

One of the key parts of corporation recruitment is background checking your members.  A lot of people ask for API keys to vet their members, and it's most commonly thought about as the number one thing to do when recruiting.  I disagree.  API checking is BAD!

What is API checking?
API checking is the act of taking a new recruit's API key, running through their information and working out if they are likely to be a spy.  It often goes hand in hand with an interview-type process so questions can be raised about portions of the provided data to clarify whether they are something to worry about.

API checking is good for catching obvious spies and awoxers, but you will never prevent all spies and you will never stop every awox. If someone with experience in intel wants to get a spy or an awoxer in, they will, and there's nothing you can do to stop them.  A lot of people like to encourage API checking and point out all of the positives, but they overlook a problem that API checking introduces.  The false sense of security.

False sense of security
Checking API keys gives a leader a sense of security: they have done their background checks, so they feel safer. But spies can still infiltrate a corp, and awoxers can still get in too; all it takes is a clean enough account to pass the target corporation's level of scrutiny.

Since awoxers and spies will get in anyway, the corporation is in fact no more secure than it was before.  Any one or more of the members could be in the corporation for illegitimate purposes.  But that sense of security provided by the API checking will often make CEOs more comfortable, and make further security measures more relaxed.  People are more comfortable granting access to roles and titles with API checking having been done, even though the member could still be a spy.

From experience, corporations that have API checks in place are on the whole harder to get into (though not substantially harder, only a minor inconvenience), but considerably easier to maneuver into a good position once on the inside.  Corporations that have no API security tend to be incredibly tight on role security, making it more difficult for a spy to get into a position where they can cause any real damage.

The solution
The solution is pretty straightforward: Assume all of your members are spies.  If you simply assume your members are all in the corporation as spies and awoxers, you'll put more effort into ensuring they can't do anything bad.  You won't hand out roles so swiftly, and you'll ensure secure information is kept restricted to only the people who need it.

You can still use API keys to vet your members, but don't let yourself fall into a false sense of security.  If people want to move up the ranks you'll need to vet them, and API keys should be part of that, but again, passing a check should never be taken as evidence that they are fine to hand masses of roles to.  Take API verification with a pinch of salt. Never let the rest of your security lapse.


  1. Nothing can replace well thought out titles in corp management, as broken as the system is. It is your only line of defense against wholesale theft. But it still leaves you vulnerable to spies, who can report on fleet movements and ops.
    Mandatory comms is possibly the best defense against spies. As crazy as it sounds, the guy who never gets on comms and speaks is probably really gaming elsewhere, and possibly plotting your demise. API is a good filter, but it's only the first step.

    1. Very true. Comms can be off-putting for a spy. A dedicated infiltrator though will be nice and friendly even through that. Generally people that escalate up to the large scale awoxes, director level and such will always be on comms. The absolute best defence in my opinion is strictly controlled permissions and good auditing, and at the very least you can minimize damage. Nothing is 100% safe. There's always someone willing to go that extra mile for the payoff.

  2. How do you use the API to check anyway? Just to make sure they didn't get ISK from outside the account?

    1. That's part of it yeah. You're basically looking for anything out of place to start with. So 0 values station trades showing in the journal, funds from other characters, mails and notifications, contact list, things like that.

      You also need to take on board general information which you can ask them about to see if you can catch them in a lie. So for example, if someone says they have tried out T3 manufacture or something, see if they have the required skills to do it. I've seen an example where someone stated they'd strictly played solo since they started, but they got quizzed because mission income looked divided. Turns out they'd been teamed up with an alt. Essentially you want to match their recorded information against their word, and look out for any signs of deceit or third-party intervention.

      But like I say, finding nothing isn't proof of innocence, so never fall into the trap of thinking a thorough API check is all that is needed.
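The kind of cross-check described in the reply above, as an added example that is not the author's own tooling: it walks constructed journal and skill records (not the real EVE API format) for the red flags named, zero-ISK station trades, ISK received from other characters, and claims that the recruit's skills don't back up, and returns them as interview questions rather than a verdict. The required-skill table is a placeholder assumption, not the game's real requirements.

```python
from dataclasses import dataclass, field

# Constructed record shapes for illustration; not the real EVE API schema.
@dataclass
class JournalEntry:
    ref_type: str       # "market_transaction", "player_donation", "mission_reward"
    amount: float       # ISK credited (+) or debited (-)
    counterparty: str   # character on the other side of the entry

@dataclass
class Recruit:
    name: str
    journal: list
    skills: dict                        # skill name -> trained level
    claims: dict = field(default_factory=dict)

# Hypothetical claim -> required skills table (placeholder values, not the game's).
REQUIRED_SKILLS = {"t3_manufacturing": {"Industry": 5}}

def red_flags(recruit):
    """Return things worth asking about in the interview.
    An empty list means nothing stood out, not that the recruit is clean."""
    flags = []
    donors = set()
    for e in recruit.journal:
        if e.ref_type == "market_transaction" and e.amount == 0:
            flags.append(f"zero-ISK station trade with {e.counterparty}")
        if e.ref_type == "player_donation" and e.amount > 0:
            donors.add(e.counterparty)
    if donors:
        flags.append("funds received from other characters: " + ", ".join(sorted(donors)))
    if recruit.claims.get("solo_only") and donors:
        flags.append("claims to play solo but has received ISK from other characters")
    # Match what they say they have done against what their skills allow.
    for claim, needed in REQUIRED_SKILLS.items():
        if recruit.claims.get(claim):
            missing = [s for s, lvl in needed.items() if recruit.skills.get(s, 0) < lvl]
            if missing:
                flags.append(f"claims {claim} but lacks skills: {', '.join(missing)}")
    return flags

# Constructed sample applicant.
SAMPLE = Recruit(
    name="Applicant A",
    journal=[JournalEntry("market_transaction", 0.0, "Unknown Alt"),
             JournalEntry("player_donation", 50_000_000.0, "Unknown Alt"),
             JournalEntry("mission_reward", 1_200_000.0, "Agent")],
    skills={"Industry": 3},
    claims={"solo_only": True, "t3_manufacturing": True},
)

if __name__ == "__main__":
    for f in red_flags(SAMPLE):
        print("-", f)
```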

  3. An API check weeds out the laziest of the griefers, the impatient ones, the usual suspects (because we all know how bloody easy it is for griefers to do damage amidst an unsuspecting corp, so why should they bother to evolve?).

    I'm sure long ago APIs were a powerful anti-spy tool, but I'm sure it didn't take long for the griefers to adapt to this long-known line of defense (purging evemails, making sure any gank ships are on another account, keeping the ISK/free trade activity off the books, not having griefers on their +10 list). Thing is, APIs will definitely find the awoxers and the thieves who've been at it for a while. If one is n00b friendly it's more difficult to get a good feel for someone who has barely any paper trail.

    Thing is, red flags come up even with the best candidate. It is the stories the person tells, the queries and lack thereof, that 'out' most of the griefers.

    The consolation is that there is no way in hell a rinky dink operation is going to get preyed upon by the best spies/thieves/awoxers since there's null sec alliances with much tastier treats.
    So one has to deal with the amateurs and assume the very experienced (and after a decade I'm sure there are some griefer-playstyle players who could run circles around any one of us) will target juicier targets.

    APIs are great not only for helping build a backstory about one's recruits, but also for suggesting ship fits and what items really don't need to be hauled to their new 'home'. It's a great tool, for the first month, and I always get someone to supply their full API with a month's expiry.

    Point is, if you depend on mechanics instead of intuition to flush griefers out you're playing a losing game. These people, if they've got any experience at infiltration at all, know way more about the tricks of the trade than we ever will. But you see, there are only so many tricks, and the griefers invariably think they're unique and believe they're not falling into easily recognizable patterns.

    Whether or not we see patterns that aren't there is what separates the wheat from the chaff.