Topic: Hackers and their hackering hacks (Read 36493 times)
Pages: 1 [2] 3
Thrawn (Terracotta Army, Posts: 3089)

A lot of this thread is starting to feel like I'm reading the official forums.

-- "Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Salamok (Terracotta Army, Posts: 2803)

You know what? I'm just not prepared to accept the 'we didn't know it would be popular' line.
It's bullshit.

I wonder if their game servers are EC2 instances. IIRC EA just spins up more instances on the fly to meet demand during peak times; if Diablo does the same then there really isn't an excuse for not being able to satisfy the masses.
Mrbloodworth (Terracotta Army, Posts: 15148)

This does not happen on my LAN. Just saying.
Ironwood (Terracotta Army, Posts: 28240)

What a fuckup.

-- "Mr Soft Owl has Seen Some Shit." - Sun Tzu
Shatter (Terracotta Army, Posts: 1407)

Didn't someone say they brought servers down today to possibly correct this? Has there been any information from them today whether this was the case? I'm blocked at work so I can't check.
Thrawn (Terracotta Army, Posts: 3089)

> Didn't someone say they brought servers down today to possibly correct this? Has there been any information from them today whether this was the case? I'm blocked at work so I can't check.

As far as I know Blizzard hasn't even said a problem actually exists on their end yet in regards to the supposed hacking. The blue post that everyone links to just says "Yes, we see a lot of people are complaining about this, we are looking at it." Not much solid info yet, just a TON of speculation and guesses unless I'm missing something.

-- "Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
waffel (Terracotta Army, Posts: 711)

Seems way too widespread and random to be a simple issue of people having poor security. Blizzard of course will deny anything on their end because why wouldn't they? I'm not trying to stir up a controversy or anything, but for a publicly traded company like Activision/Blizzard to admit their new lovechild game has security flaws is just silly. Best course of action for them is to carry on, deny a breach, and do everything in their powers to correct it. Newest 'rumor' is that the maintenance today was done to correct the flaw.

edit: On a related note, I haven't seen the public forums for a Blizzard game in many years. Just checked out the General D3 forum and my god, what the fuck is wrong with gamers/people these days?

« Last Edit: May 22, 2012, 08:52:30 AM by waffel »
Thrawn (Terracotta Army, Posts: 3089)

> Seems way too widespread and random to be a simple issue of people having poor security. Blizzard of course will deny anything on their end because why wouldn't they? I'm not trying to stir up a controversy or anything, but for a publicly traded company like Activision/Blizzard to admit their new lovechild game has security flaws is just silly. Best course of action for them is to carry on, deny a breach, and do everything in their powers to correct it. Newest 'rumor' is that the maintenance today was done to correct the flaw.
>
> edit: On a related note, I haven't seen the public forums for a Blizzard game in many years. Just checked out the General D3 forum and my god, what the fuck is wrong with gamers/people these days?

Yeah, the official forums are really, really bad. I know they always are, but D3 forums were even worse than I expected.

I wasn't at all saying it's not possible it's something at Blizzard's end (although I am one of those people who stand firmly in the "it's usually the user's fault" camp, but that's just personal opinion). It's just annoying to me to see so many posts/news/blogs whatever being thrown around that are treating posts from random idiots on the D3 forums as facts and guessing what is actually going on when no one knows for sure yet.

-- "Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Paelos (Contributor, Posts: 27075, "Error 404: Title not found.")

You can basically ignore general forums as a rule, but you should certainly ignore them until a month after launch.

-- CPA, CFO, Sports Fan, Game when I have the time
Quinton (Terracotta Army, Posts: 3332, "is saving up his raid points for a fancy board title")

You're not going to get any details about a security issue while it's still unresolved. That just does not happen very often. It tends to favor the bad guys more than the good guys.

I suspect the bulk of account compromise issues (even if there's an exploit around capturing some kind of session tokens, etc.) are going to be lousy credentials. The trend of using email addresses as account identifiers combined with the fact that people very commonly use the same password everywhere makes credential farming pretty trivial. Especially when you factor in the number of issues with various forum software (remote exploits, passwords in the clear, questionable "management" or hosting companies, etc.).
Ginaz (Terracotta Army, Posts: 3534)

I still don't know WHY THE FUCK we're forced to use email addresses as our account name instead of choosing one ourselves, not just with Blizzard but with almost all online games. Fuck. That. Shit.
Quinton (Terracotta Army, Posts: 3332, "is saving up his raid points for a fancy board title")

Oh, obnoxious. I figure, what the hell, might as well turn on their "SMS Protect" thing.

"Voice-Over-IP (VOIP) numbers cannot be used for this service. Please enter a different mobile telephone number and try again."

Thanks, Blizzard. No problem receiving text messages from anybody else through Google Voice...
Merusk (Terracotta Army, Posts: 27449, "Badge Whore")

>> so... if I haven't joined any public games should I be safe (for now?)
> Nope, I haven't joined any public games and got hit this weekend

Out of curiosity, did you have an authenticator?

> Seems way too widespread and random to be a simple issue of people having poor security.

Never, ever doubt the capacity for a person to act like an idiot when they think "Meh, it's just a game." We've pointed out lots of the security vulnerabilities of Blizzard's system in the WoW forum previously but the #1 problem continues to be the bit between the chair and the computer.

Ways you can be "hacked" that people will swear they don't do but study after study has shown people do:
1) Using the same e-mail at multiple forums
1a) Using the same password WITH that email, everyplace. (One way they were stealing WoW accounts is hacking guild/fan sites which had much less robust security and then using those emails and passwords together.)
2) Using a simple one-word password
3) Using something stupid as that simple password (Ever read the info that came out of the Gawker hack? Link here. Be amazed!)
4) Never changing passwords, even after having one account compromised.

That's just a quick list of what *I* know and I'm not an IT professional. Now the question is, how many D3 players have never had a game login before this so they just weren't careful?

Not that Blizzard isn't complicit in this. They've got some really fucked-up security holes that are begging for a lawsuit when real money gets involved in the game.
* You can still brute force passwords - it just sits back and lets you try forever with no time out or account lock
* Account logins should NEVER BE EMAILS
* Last I checked you only had to have 8 characters and one had to be a letter. No combination of upper, lower and number is mandated. It could be all numbers.

« Last Edit: May 22, 2012, 09:36:29 AM by Merusk »

-- The past cannot be changed. The future is yet within your power.
Quinton (Terracotta Army, Posts: 3332, "is saving up his raid points for a fancy board title")

Also never ever underestimate how willing people are to lie to avoid looking like idiots.

Saw one interaction where somebody claimed they were hacked but they used an authenticator, and the Blizzard rep replied that their data indicates the authenticator was added to the account after the reported hacking incident.

Again, that's not to say there couldn't be some actual exploit out there (and if there is, Blizzard almost certainly is keeping a lid on it while they sort out what's going on), but given the number of people involved, and the amazingly terrible password hygiene most people practice, it's not surprising that plenty of people are running into hacking issues.
kildorn (Terracotta Army, Posts: 5014)

Given the release, I consider it just as likely that a few banner ad networks have malware in them again to try and snag D3 account information compared to BNet being completely compromised.

That said, it's still a non-zero chance of BNet getting mauled. If auth'd accounts are getting actually hacked (not just social engineering on the help desk techs), it means either there is a shitty token system going on or their master cert was stolen.
Shatter (Terracotta Army, Posts: 1407)

Nope, hadn't used my Battle.net account for 6 years since I quit WoW. Ordered one Sunday though.

« Last Edit: May 22, 2012, 10:18:59 AM by Shatter »
Lakov_Sanite (Terracotta Army, Posts: 7590)

I've had the sinking suspicion a lot of these may be from old hacked WoW accounts that were long ago abandoned.

-- ~a horrific, dark simulacrum that glares balefully at us, with evil intent.
Hoax (Terracotta Army, Posts: 8110, "l33t kiddie")

> I've had the sinking suspicion a lot of these may be from old hacked WoW accounts that were long ago abandoned.

This is my guess as well. Or someone ran some smart phishing schemes during the beta and sent out fake invites that got people to "sign in" using their bnet account. I def saw some.

-- A nation consists of its laws. A nation does not consist of its situation at a given time. If an individual's morals are situational, then that individual is without morals. If a nation's laws are situational, that nation has no laws, and soon isn't a nation. - William Gibson
Rokal (Terracotta Army, Posts: 1652)

> I've had the sinking suspicion a lot of these may be from old hacked WoW accounts that were long ago abandoned.

Wasn't this part of the problem with the hacking Rift experienced? Lots of people having their WoW account hacked and then reusing the same username/password for the next game they played. If your WoW account got hacked and you didn't care or never noticed, it's not a stretch to think that a few years later D3 hackers would try the same username/password.
kildorn (Terracotta Army, Posts: 5014)

>> I've had the sinking suspicion a lot of these may be from old hacked WoW accounts that were long ago abandoned.
> Wasn't this part of the problem with the hacking Rift experienced? Lots of people having their WoW account hacked and then reusing the same username/password for the next game they played. If your WoW account got hacked and you didn't care or never noticed, it's not a stretch to think that a few years later D3 hackers would try the same username/password.

I should google this, but I thought Rift's bullshit was essentially that their forums used your game login information, and for the first week or so didn't use SSL.
Zetor (Terracotta Army, Posts: 3269)

The main RIFT bullshit involved being able to forge auth tokens and essentially log in as anyone else once you were past the login process (by using a trial account f'rex... though I'm not sure they had trials back then), iirc. It was rather .
Lantyssa (Terracotta Army, Posts: 20848)

Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.

Case-insensitive passwords.

-- Hahahaha! I'm really good at this!
Thrawn (Terracotta Army, Posts: 3089)

> Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
>
> Case-insensitive passwords.

Hah, just tried it, it's true. Not that big of a deal but certainly comes across badly. Still guessing the wave of "hacking" is user fault until I read otherwise though.

« Last Edit: May 22, 2012, 01:15:20 PM by Thrawn »

-- "Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Quinton (Terracotta Army, Posts: 3332, "is saving up his raid points for a fancy board title")

Next you're going to tell me all punctuation maps to 'a' or something.

EDIT: I wonder if case insensitivity is the result of too many customer support tickets due to people not understanding CAPSLOCK or something...
Ingmar (Terracotta Army, Posts: 19280, "Auto Assault Affectionado")

> Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
>
> Case-insensitive passwords.

Which has nothing to do with what I said?

-- The Transcendent One: AH... THE ROGUE CONSTRUCT.
-- Nordom: Sense of closure: imminent.
waffel (Terracotta Army, Posts: 711)

> Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
>
> Case-insensitive passwords.

Reminds me of Chase's website. You can set your password to be case-sensitive, but logging into their website doesn't take that into effect. I can set my password to have two capital letters, but I can log into their website with them being lower case. And to this day it's still like that. Bonkers for a BANKING website...
Lantyssa (Terracotta Army, Posts: 20848)

>> Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
>>
>> Case-insensitive passwords.
> Which has nothing to do with what I said?

I consider that incompetence. YMMV

-- Hahahaha! I'm really good at this!
Ingmar (Terracotta Army, Posts: 19280, "Auto Assault Affectionado")

I was talking specifically in the context of investigating this issue.

-- The Transcendent One: AH... THE ROGUE CONSTRUCT.
-- Nordom: Sense of closure: imminent.
Daeven (Terracotta Army, Posts: 1210)

Hell. Battle.net *still* doesn't allow 'special' characters like _ in passwords.

What is this? 1995? Are they not escaping their SQL sequences?

Games are so amateur hour it's pathetic.

-- "There is a technical term for someone who confuses the opinions of a character in a book with those of the author. That term is idiot." -SMStirling
-- It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shakes, the shakes become a warning. It is by caffeine alone I set my mind in motion
Ingmar (Terracotta Army, Posts: 19280, "Auto Assault Affectionado")

Along with my bank, my company's payroll provider, my admin portal for Verizon Business, etc., etc., etc. It isn't really a games industry specific problem.

And they do allow *some* special characters, I'm using them.

-- The Transcendent One: AH... THE ROGUE CONSTRUCT.
-- Nordom: Sense of closure: imminent.
Maledict (Terracotta Army, Posts: 1047)

Um, it's probably changed since I was at uni, but we were taught that case sensitive passwords were a bad idea because people are atrociously bad at remembering the capitalisations, which results in a ton of recovered password issues and ultimately everyone using one password, which is the bane of proper security.

Certainly when I worked in IT support that was the case. There's got to be a reason so many, many companies don't use case sensitive passwords if it provided any realistic extra security, especially given the ridiculous lengths you go to to access banking services. (3 separate passwords plus an authenticator if I want to transfer money somewhere).
Lantyssa (Terracotta Army, Posts: 20848)

People are bad about remembering passwords in general. Any forced requirement is going to have its set of people who cannot remember to use it, whether it's case, special characters, one number, etc. That doesn't mean we should throw out 26 characters because a few people can't remember how they capitalized an arbitrary word and the help desk is a bit inconvenienced. I'm an advocate of not having crazy password requirements because it increases the chance people will put their password on a sticky next to their monitor, but using toupper() or tolower() to normalize a password is a bit much for me to accept as good practice.

Snarky follow up: Should we next make symbols and numbers interchangeable because some people can't remember to hit shift? Maybe start truncating passwords because they can't remember anything over eight characters. Hell, why don't we just substitute 'a' for all characters and call it a day?

-- Hahahaha! I'm really good at this!
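The two complaints running through this page, Merusk's (passwords can be guessed forever with no lockout, and are effectively case-insensitive) and Lantyssa's (a tolower() before hashing is not acceptable practice), are illustrated by the following added Python example, which is not part of the thread. It measures how many bits a case fold discards from an alphanumeric password and contrasts a verifier that lowercases before hashing with one that checks the exact bytes in constant time and locks the account after repeated failures; the account name, password and PBKDF2 work factor are constructed for the example.

```python
import hashlib
import hmac
import math
import os
import time

ITERATIONS = 100_000                  # PBKDF2 work factor, illustrative only
SAMPLE_USER = "player@example.com"    # constructed placeholder account
SAMPLE_PASSWORD = "Sanctuary2012"     # constructed mixed-case password

def keyspace_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)

def casefold_loss_bits(length):
    """Bits thrown away when case is folded before hashing: an alphanumeric
    alphabet shrinks from 62 symbols to 36 (the behaviour the thread observed)."""
    return keyspace_bits(length, 62) - keyspace_bits(length, 36)

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class WeakAuth:
    """The policy criticised in the thread: tolower() before hashing and no
    limit on failed attempts, so any casing of the password is accepted."""
    def __init__(self):
        self.users = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _derive(password.lower(), salt))

    def login(self, user, password):
        salt, digest = self.users[user]
        return digest == _derive(password.lower(), salt)

class HardenedAuth:
    """Exact-case check, constant-time digest compare, and a lockout after
    max_failures wrong guesses inside a window of lockout_seconds."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.users = {}
        self.failures = {}            # user -> (failed count, window start)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests can advance time

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _derive(password, salt))

    def login(self, user, password):
        now = self.clock()
        count, since = self.failures.get(user, (0, now))
        if count >= self.max_failures and now - since < self.lockout_seconds:
            return False              # locked out: the guess is not even evaluated
        if now - since >= self.lockout_seconds:
            count, since = 0, now     # window expired: start counting afresh
        salt, digest = self.users[user]
        if hmac.compare_digest(digest, _derive(password, salt)):
            self.failures.pop(user, None)
            return True
        self.failures[user] = (count + 1, since)
        return False
```

For an 8-character alphanumeric password the fold costs about 6.3 of roughly 47.6 bits, i.e. around 74 times fewer guesses, which is a small loss next to the unlimited-attempts problem but one the hardened verifier avoids at no cost.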
Ingmar (Terracotta Army, Posts: 19280, "Auto Assault Affectionado")

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

-- The Transcendent One: AH... THE ROGUE CONSTRUCT.
-- Nordom: Sense of closure: imminent.
naum (Terracotta Army, Posts: 4263)

Back in ancient computing times, there was a reason for limiting the password size.

But now, users should be encouraged to use phrases/sentences that are easy to remember but difficult to brute force or dictionary attack. Special requirements (example being my bank) like having passwords no greater than 8 characters, but requiring presence of a digit, capital letter and special character (non-letter and non-digit) just deliver grief to a user.

-- "Should the batman kill Joker because it would save more lives?" is a fundamentally different question from "should the batman have a bunch of machineguns that go BATBATBATBATBAT because its totally cool?". ~Goumindong
kildorn (Terracotta Army, Posts: 5014)

> I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

It's really common. But a game company doing it is no more offensive than, say, Symantec's Enterprise Manager not allowing ANY special characters in its password, or RSA's customer website not allowing special characters (both true!) since if a security company can't handle escaping SQL well...

Honestly, I consider the constant pushing of Authenticators to put MMOs a step above banks for basic security concerns. "Please pick your favorite picture or color" is not two factor authentication. Nor is constantly demanding case sensitive answers to random fucking questions (Wait, two years ago did I capitalize the name of my first high school or not..?)

Anyways, leaving this here because any discussion about passwords shouldn't be without it: http://xkcd.com/936/