Welcome, Guest. Please login or register.
March 28, 2024, 06:58:50 AM

Login with username, password and session length

Search:     Advanced search
we're back, baby
*
Home Help Search Login Register
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  Diablo 3  |  Topic: Hackers and their hackering hacks 0 Members and 1 Guest are viewing this topic.
Pages: 1 [2] 3 Go Down Print
Author Topic: Hackers and their hackering hacks  (Read 24846 times)
Thrawn
Terracotta Army
Posts: 3089


Reply #35 on: May 22, 2012, 05:48:07 AM

A lot of this thread is starting to feel like I'm reading the official forums.  ACK!

"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Salamok
Terracotta Army
Posts: 2803


Reply #36 on: May 22, 2012, 06:27:38 AM

You know what ?  I'm just not prepared to accept the 'we didn't know it would be popular' line.

It's bullshit.


I wonder if their game servers are EC2 instances.   IIRC EA just spins up more instances on the fly to meet demand during peak times, if Diablo does the same then there really isn't an excuse for not being able to satisfy the masses.
Mrbloodworth
Terracotta Army
Posts: 15148


Reply #37 on: May 22, 2012, 06:29:51 AM

This does not happen on my lan. Just saying.

Today's How-To: Scrambling a Thread to the Point of Incoherence in Only One Post with MrBloodworth . - schild
www.mrbloodworthproductions.com  www.amuletsbymerlin.com
Ironwood
Terracotta Army
Posts: 28240


Reply #38 on: May 22, 2012, 06:40:21 AM

What a fuckup.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Shatter
Terracotta Army
Posts: 1407


Reply #39 on: May 22, 2012, 08:16:54 AM

Didnt someone say they brought servers down today to possibly correct this?  Has there been any information from them today whether this was the case?  Im blocked at work so I cant check.
Thrawn
Terracotta Army
Posts: 3089


Reply #40 on: May 22, 2012, 08:47:31 AM

Didnt someone say they brought servers down today to possibly correct this?  Has there been any information from them today whether this was the case?  Im blocked at work so I cant check.

As far as I know Blizzard hasn't even said a problem actually exists on their end yet in regards to the supposed hacking.  The blue post that everyone links to just says "Yes, we see a lot of people are complaining about this, we are looking at it."

Not much solid info yet, just a TON of speculation and guesses unless I'm missing something.

"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
waffel
Terracotta Army
Posts: 711


Reply #41 on: May 22, 2012, 08:50:27 AM

Seems way too wide spread and random to be a simple issue of people having poor security. Blizzard of course will deny anything on their end because why wouldn't they? I'm not trying to stir up a controversy or anything, but for a publicly traded company like Activision/Blizzard to admit their new lovechild game has security flaws is just silly. Best course of action for them is to carry on, deny a breach, and do everything in their powers to correct it.

Newest 'rumor' is that the maintenance today was done to correct the flaw.  rolleyes

edit: On a related note, I haven't seen the public forums for a Blizzard game in many years. Just checked out the General D3 forum and my god, what the fuck is wrong with gamers/people these days?
« Last Edit: May 22, 2012, 08:52:30 AM by waffel »
Thrawn
Terracotta Army
Posts: 3089


Reply #42 on: May 22, 2012, 08:57:32 AM

Seems way too wide spread and random to be a simple issue of people having poor security. Blizzard of course will deny anything on their end because why wouldn't they? I'm not trying to stir up a controversy or anything, but for a publicly traded company like Activision/Blizzard to admit their new lovechild game has security flaws is just silly. Best course of action for them is to carry on, deny a breach, and do everything in their powers to correct it.

Newest 'rumor' is that the maintenance today was done to correct the flaw.  rolleyes

edit: On a related note, I haven't seen the public forums for a Blizzard game in many years. Just checked out the General D3 forum and my god, what the fuck is wrong with gamers/people these days?

Yeah, the official forums are really, really bad.  I know they always are, but D3 forums were even worse than I expected.

I wasn't at all saying it's not possible it's something at Blizzards end (although I am one of those people who stand firmly in the "it's usually the users" fault camp, but that's just personal opinion).  It's just annoying to me to see so many posts/news/blogs whatever being thrown around that are treating posts from random idiots on the D3 forums as facts and guessing what is actually going on when no one knows for sure yet.

"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Paelos
Contributor
Posts: 27075

Error 404: Title not found.


Reply #43 on: May 22, 2012, 09:01:30 AM

You can basically ignore general forums as a rule, but you should certainly ignore them until a month after launch.

CPA, CFO, Sports Fan, Game when I have the time
Quinton
Terracotta Army
Posts: 3332

is saving up his raid points for a fancy board title


Reply #44 on: May 22, 2012, 09:25:55 AM

You're not going to get any details about a security issue while it's still unresolved.  That just does not happen very often.  It tends to favor the bad guys more than the good guys.

I suspect the bulk of account compromise issues (even if there's an exploit around capturing some kind of session tokens, etc) are going to be lousy credentials.  The trend of using email addresses as account identifiers combined with the fact that people very commonly use the same password everywhere makes credential farming pretty trivial.  Especially when you factor in the number of issues with various forum software (remote exploits, passwords in the clear, questionable "management" or hosting companies, etc).
Ginaz
Terracotta Army
Posts: 3534


Reply #45 on: May 22, 2012, 09:31:40 AM

I still don't know WHY THE FUCK we're forced to use email addresses as our account name instead of choosing one ourselves, not just with Blizzard but with almost all online games.  Fuck.  That.  Shit. Mob
Quinton
Terracotta Army
Posts: 3332

is saving up his raid points for a fancy board title


Reply #46 on: May 22, 2012, 09:33:32 AM

Oh, obnoxious.  I figure, what the hell, might as well turn on their "SMS Protect" thing.

"Voice-Over-IP (VOIP) numbers cannot be used for this service. Please enter a different mobile telephone number and try again."

Thanks, Blizzard.   No problem receiving text messages from anybody else through Google Voice...

Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #47 on: May 22, 2012, 09:34:40 AM

so... if I haven't joined any public games should I be safe (for now?)

Nope, I havent joined any public games and got hit this weekend

Out of curiosity, did you have an authenticator?

Seems way too wide spread and random to be a simple issue of people having poor security.

Never, ever doubt the capacity for a person to act like an idiot when they think "Meh, it's just a game."  We've pointed out lots of the security vulnerabilities of Blizzard's system in the WOW forum previously but the #1 problem continues to be the bit between the chair and the computer.  

Ways you can be "hacked" that people will swear they don't do but study after study has shown people do:

1) Using the same e-mail at multiple forums  
1a) using the same password WITH that email, everyplace.
      (One way they were stealing WOW accounts is hacking guild/ fan sites which had much less robust security and then using those email and passwords together.)
2) Using a simple one-word password
3) Using something stupid as that simple password (Ever read the info that came out of the Gawker hack? Link here Be amazed!
4) Never changing passwords, even after having one account compromised.

That's just a quick list of what *I* know and I'm not an IT professional.  Now the question is, how many D3 players have never had a game login before this so they just weren't careful?

Not that Blizzard isn't complicit in this.  They've got some really fucked-up security holes that are begging for a lawsuit when real money gets involved in the game.

* You can still brute force passwords - it just sits back and lets you try forever with no time out or account lock
* Account logins should NEVER BE EMAILS ( Mob )
* Last I checked you only had to have 8 characters and one had to be a letter. No combination of Upper, lower and number is mandated.  It could be all numbers.
 
« Last Edit: May 22, 2012, 09:36:29 AM by Merusk »

The past cannot be changed. The future is yet within your power.
Quinton
Terracotta Army
Posts: 3332

is saving up his raid points for a fancy board title


Reply #48 on: May 22, 2012, 09:57:44 AM

Also never ever underestimate how willing people are to lie to avoid looking like idiots.

Saw one interaction where somebody claimed they were hacked but they used authenticator and the blizzard rep replied that their data indicates the authenticator was added to the account after the reported hacking incident.

Again, that's not to say there couldn't be some actual exploit out there (and if there is Blizzard almost certainly is keeping a lid on it while they sort out what's going on), but given the number of people involved, and the amazingly terrible password hygiene most people practice, it's not surprising that plenty of people are running into hacking issues.
kildorn
Terracotta Army
Posts: 5014


Reply #49 on: May 22, 2012, 10:04:51 AM

Given the release, I consider it just as likely that a few banner ad networks have malware in them again to try and snag D3 account information compared to BNet being completely compromised.

That said, it's still a non zero chance of BNet getting mauled. If auth'd accounts are getting actually hacked(not just social engineering on the help desk techs), it means either there is a shitty token system going on or their master cert was stolen.
Shatter
Terracotta Army
Posts: 1407


Reply #50 on: May 22, 2012, 10:16:44 AM

Nope, hadnt used my Battlenet account for 6 years since I quit WOW.  Ordered one Sunday though.  
« Last Edit: May 22, 2012, 10:18:59 AM by Shatter »
Lakov_Sanite
Terracotta Army
Posts: 7590


Reply #51 on: May 22, 2012, 10:17:54 AM

I've had the sinking suspicion a lot of these may be from old hacked wow accounts that were long ago abandoned.

~a horrific, dark simulacrum that glares balefully at us, with evil intent.
Hoax
Terracotta Army
Posts: 8110

l33t kiddie


Reply #52 on: May 22, 2012, 10:32:19 AM

I've had the sinking suspicion a lot of these may be from old hacked wow accounts that were long ago abandoned.

This is my guess as well. Or someone ran some smart fishing schemes during the beta and sent out fake invites that got people to "sign in" using their bnet account. I def saw some.

A nation consists of its laws. A nation does not consist of its situation at a given time. If an individual's morals are situational, then that individual is without morals. If a nation's laws are situational, that nation has no laws, and soon isn't a nation.
-William Gibson
Rokal
Terracotta Army
Posts: 1652


Reply #53 on: May 22, 2012, 11:10:35 AM

I've had the sinking suspicion a lot of these may be from old hacked wow accounts that were long ago abandoned.

Wasn't this part of the problem with the hacking Rift experienced? Lot's of people having their WoW account hacked and then reusing the same username/password for the next game they played. If your WoW account got hacked and you didn't care or never noticed, it's not a stretch to think that a few years later D3 hackers would try the same username/password.
kildorn
Terracotta Army
Posts: 5014


Reply #54 on: May 22, 2012, 11:14:11 AM

I've had the sinking suspicion a lot of these may be from old hacked wow accounts that were long ago abandoned.

Wasn't this part of the problem with the hacking Rift experienced? Lot's of people having their WoW account hacked and then reusing the same username/password for the next game they played. If your WoW account got hacked and you didn't care or never noticed, it's not a stretch to think that a few years later D3 hackers would try the same username/password.

I should google this, but I thought Rift's bullshit was essentially that their forums used your game login information, and for the first week or so didn't use SSL.
Zetor
Terracotta Army
Posts: 3269


WWW
Reply #55 on: May 22, 2012, 11:32:24 AM

The main RIFT bullshit involved being able to forge auth tokens and essentially log in as anyone else once you were past the login process (by using a trial account f'rex... though I'm not sure they had trials back then), iirc. It was rather  why so serious?.

Lantyssa
Terracotta Army
Posts: 20848


Reply #56 on: May 22, 2012, 12:39:52 PM

Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
Case-insensitive passwords.

Hahahaha!  I'm really good at this!
Thrawn
Terracotta Army
Posts: 3089


Reply #57 on: May 22, 2012, 01:07:27 PM

Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
Case-insensitive passwords.

Hah, just tried it, it's true.  Not that big of a deal but certainly comes across badly.

Still guessing the wave of "hacking" is user fault until I read otherwise though.
« Last Edit: May 22, 2012, 01:15:20 PM by Thrawn »

"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Quinton
Terracotta Army
Posts: 3332

is saving up his raid points for a fancy board title


Reply #58 on: May 22, 2012, 01:19:32 PM

Next you're going to tell me all punctuation maps to 'a' or something.

EDIT: I wonder if case insensitivity is the result of too many customer support tickets due to people not understanding CAPSLOCK or something...
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #59 on: May 22, 2012, 01:20:40 PM

Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
Case-insensitive passwords.

Which has nothing to do with what I said?

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
waffel
Terracotta Army
Posts: 711


Reply #60 on: May 22, 2012, 01:36:38 PM

Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
Case-insensitive passwords.

Reminds me of Chase's website. You can set your password to be case-sensitive, but logging into their website doesn't take that in effect. I can set my password to have two capital letters, but I can log into their website with them being lower case. And to this day it's still like that. Bonkers for a BANKING website...
Lantyssa
Terracotta Army
Posts: 20848


Reply #61 on: May 22, 2012, 02:51:29 PM

Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.
Case-insensitive passwords.
Which has nothing to do with what I said?
I consider that incompetence.  YMMV

Hahahaha!  I'm really good at this!
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #62 on: May 22, 2012, 02:52:43 PM

I was talking specifically in the context of investigating this issue.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Daeven
Terracotta Army
Posts: 1210


Reply #63 on: May 22, 2012, 03:48:21 PM

Hell. Battle.net *still* doesn't allow 'special' characters like _ in passwords.

What is this? 1995? Are they not escaping their sql sequences?

Games are so amateur hour its pathetic.

"There is a technical term for someone who confuses the opinions of a character in a book with those of the author. That term is idiot." -SMStirling

It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shakes, the shakes become a warning. It is by caffeine alone I set my mind in motion
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #64 on: May 22, 2012, 03:51:51 PM

Along with my bank, my company's payroll provider, my admin portal for Verizon Business, etc., etc., etc. It isn't really a games industry specific problem.

And they do allow *some* special characters, I'm using them.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Maledict
Terracotta Army
Posts: 1047


Reply #65 on: May 22, 2012, 04:03:56 PM

Um, it's probably changed since I was at uni but we were taught that case sensitive passwords were a bad idea because people are atrociously bad at remembering the capitalisations, which results in a ton of recovered password issues and ultimately everyone using one password which is the bane of proper security.

Certainly when I worked in IT support that was the case. Theres got to be a reason so many, many companies don't use case sensitive passwords if it provided any realistic extra security, especially given the ridiculous lengths you go to acces banking services. (3 separate passwords plus an authenticator if I want to transfer money somewhere).
Lantyssa
Terracotta Army
Posts: 20848


Reply #66 on: May 22, 2012, 04:31:03 PM

People are bad about remembering passwords in general.  Any forced requirement is going to have its set of people who cannot remember to use it, whether it's case, special characters, one number, etc.  That doesn't mean we should throw out 26 characters because a few people can't remember how they capitalized an arbitrary word and the help desk is a bit inconvenienced.  I'm an advocate of not having crazy password requirements because it increases the chance people will put their password on a sticky next to their monitor, but using toupper() or tolower() to normalize a password is a bit much for me to accept as good practice.

Snarky follow up:  Should we next make symbols and numbers interchangeable because some people can't remember to hit shift?  Maybe start truncating passwords because they can't remember anything over eight characters.  Hell, why don't we just substitute 'a' for all characters and call it a day?

Hahahaha!  I'm really good at this!
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #67 on: May 22, 2012, 04:32:48 PM

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
naum
Terracotta Army
Posts: 4262


WWW
Reply #68 on: May 22, 2012, 04:36:16 PM

Back in ancient computing times, there was a reason for limiting the password size.

But now, users should be encouraged to use phrases/sentences that are easy to remember but difficult to brute force dictionary attack. Special requirements (example being my bank) like having passwords no greater than 8 characters, but requiring presence of a digit, capital letter and special character (non-letter and non-digit) just delivers grief to a user.

"Should the batman kill Joker because it would save more lives?" is a fundamentally different question from "should the batman have a bunch of machineguns that go BATBATBATBATBAT because its totally cool?". ~Goumindong
kildorn
Terracotta Army
Posts: 5014


Reply #69 on: May 22, 2012, 04:56:51 PM

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

It's really common. But a game company doing it is no more offensive than say, Symantec's Enterprise Manager not allowing ANY special characters in it's password, or RSA's customer website not allowing special characters (both true!) since if a security company can't handle escaping SQL well..

Honestly, I consider the constant pushing of Authenticators to put MMOs a step above banks for basic security concerns. "Please pick your favorite picture or color" is not two factor authentication. Nor is constantly demanding case sensitive answers to random fucking questions (Wait, two years ago did I capitalize the name of my first highschool or not..?)

Anyways, leaving this here because any discussion about passwords shouldn't be without it: http://xkcd.com/936/
Pages: 1 [2] 3 Go Up Print 
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  Diablo 3  |  Topic: Hackers and their hackering hacks  
Jump to:  

Powered by SMF 1.1.10 | SMF © 2006-2009, Simple Machines LLC