"
crazypyro wrote:
Do you realize how unfeasible brute forcing say an 8 character password is with even a delay of 2 seconds or are you still a moron?
Considering that you are posting from a layman glasses, I'd doubt you even know on what length hackers could go in cracking just one user password.
Haven't I already mentioned that this wasn't a one-man job? look back at recent pages, you'll find it.
Oh, and also, calling me a moron wouldn't fixes anything. You, in the other hand, are not even contributing to this issue while only questions users feedback and calling them "morons".
I wonder what internet has done to online games fanbases today.
|
Posted bydarkro90#1163on Feb 20, 2013, 10:39:52 PM
|
"
darkro90 wrote:
Are you on crack, son? Users like me and Heff actually trying to make the game better by pointing out GGG mistakes, it's called giving FEEDBACKS. Get off your High Councilor of GGG Hardfanboys horse and start contributing to the game like testing their security system and reports bugs you found instead of flaming actual feedbacks while thinking "omg im so swaggy lel ggg rulez wheres muh pizza". People like you that only defends the game while not giving actual feedback is the real cancer that kills the game, aside from the hackers.
Sounds like you're the one on crack, son lol. I don't give a fuck what kind of grand, awesome nut jacking supporters of GGG you are - you like to throw the fanboy accusation at me because I don't agree with your attitude but, "supporters" or not, calling any group of people "liars" just because you've found a problem - and without any fucken logic to explain how that translates to them LYING - is a sucker bitch move.
You want to give feedback to make the game better? What part of telling a developer they are resorting to public lies - without any credible information to back it up - is useful FEEDBACK??
Crack, son - it's what you're smoking right now! Fucken genius.
IGN: ScrubcoreRulezBitch
Alt: HardcorePwnsScrubcore Last edited by mkmaddage#1774 on Feb 20, 2013, 10:42:37 PM
|
Posted bymkmaddage#1774on Feb 20, 2013, 10:41:44 PM
|
"
$10 says if Kripps account was hit, it would be restored in a heartbeat.
If GGG ever decided to restore items, streamer will be the last on their list.
but it will be amusing to see Kripp gets hacked, and see how he react to it
|
Posted byMuleMule#1193on Feb 20, 2013, 10:42:26 PM
|
"
mkmaddage wrote:
Sounds like you're the one on crack, son lol. I don't give a fuck what kind of grand, awesome nut jacking supporters of GGG you are - you like to throw the fanboy accusation at me because I don't agree with your attitude but, "supporters" or not, calling any group of people "liars" just because you've found a problem - and without any fucken logic to explain how that translates to them LYING - is a sucker bitch move.
You want to give feedback to make the game better? What part of telling a developer they are resorting to public lies - without any credible information to back it up - is useful FEEDBACK??
Crack, son - it's what you're smoking right now! Fucken genius.
It's called giving them feedbacks to not gives out statement they didn't really sure before to avoid public backlashes like this.
Sounds like your cracks are now giving you the advice of using ad hominem against a user that actually gives feedback. Heh. I'll stop with this charade of stupidity and spare you further arguments of your state that could results in massive tantrums on your side.
|
Posted bydarkro90#1163on Feb 20, 2013, 10:47:52 PM
|
"
TheHeffNerr wrote:
"
Chris wrote:
We do lock out accounts for multiple incorrect password attempts! The threshold is higher than 3 though, because users often legitimately take quite a few attempts to get their password right. There's no way they can effectively brute-force passwords in an online manner, and we'd be able to see that in our access logs.
This is just flat out a lie. I've just entered 10 incorrect passwords in less then a minute and then able to log in... This is why I'm also pissed because GGG lies out their ass. Any one can try this.
http://www.twitch.tv/theheffnerr/b/369580932
I can't wait for GGG nut swingers to answer this one.
"
darkro90 wrote:
I've also tried this for not only 10 times, 20 times, with reasonable delay in each password input since if you're entered it repeatedly, you will get warning message of "trying to login too much in a short time period". And guess what, when I tried my own password after the 20 tries, it still get me logged in.
Looks like PR disaster is imminent.
Get your shit together, GGG. When you resort to public lies like this, your credibility just shrunk more.
There are NO lies in Chris's post. Everything he said is true, and he specifically went and tested that the system still worked before posting. As he said in the post you quoted, the threshold is high, because users reasonably often do take a few attempts to get their passwords correct. The video you linked looks like it misread Chris's post and expected 3 attempts to be the maximum possible number, which is specifically what Chris said it wasn't.
Chris already responded to that post in this thread, but for anyone who doesn't want to bother clicking the link:
"
Chris wrote:
It does work, I tried it on Beta today before posting about it. The threshold is quite high (approximately 30 logins before you get slowed down, followed by about one login per 10 seconds after that). You can try this yourself to see.
In tomorrow's patch, we're reducing it so there are far less attempts before you get banned. This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.
|
Posted byMark_GGGon Feb 20, 2013, 11:06:59 PMGrinding Gear Games
|
"
mkmaddage wrote:
"
MacantSaoir wrote:
Rage much child? I wasnt hacked, I'm simply stating this whole mess was preventable if actions were taken when they were told it would happen. Also, welcome to 2013 where government officials and security experts get hacked. SO you think the common gamer at the end of the day is going to be able to combat this on their own? This is why authentication is crucial. You can blame the security guy? easily? its 2013 where probably the majority of gamers play on compromised systems and authentication heavily combats this problem. In times of peace prepare for war. Whoever was on their security issues was not preparing for war, and it's clearly obvious now.
However the failure to listen to the CBTs on this hacking issue has been a huge blunder, and until it is properly addressed with authentication I wont sink another cent, or bring another oldschool gamer here. That's just the reality.
The point, my soft-headed little friend, is that the fact that you and your cronies of all-knowing wisdom made your wise (utterly obvious) prediction has no bearing on GGG's handling of the situation. You're like a TV Faith Healer lol - here, I'll have a go: "Soon, Oh Father Chris of the Wilsonian Persuasion, you will have an update that fails and ends up with more server downtime than anticipated. All Hail My Nuts."
Want a medal for stating the obvious?
Blame the security guy? What I'm saying is: what do WE know about the internal structure of GGG and how the issue was handled? Love how all you "experts" can spout your wisdom from OUTSIDE the group of people you're accusing. No matter how much you might know about a field from the inside you still don't know how a group of people from another culture (perhaps) are handling it!
Yes, I'm a petulant child - it's my natural response to the pompous, superior tone of your post.
You've not challenged a single point of anything I've said? They were told it would happen, there was a simple preemptive solution to prevent it happening which EVERYONE knows about (authentication) and it was not taken. It's on GGG not the userbase. It's common knowledge at this point in gaming that a majority of people play on compromised machines or fail at account security. This is why we have Authentication so you can play even with all the compromised bullshit going on and not get dinged.
So common knowledge: Majority of people can be compromised, authentication prevents the compromise from happening, why not authenticate?
Complacency that's why. The only answer to it. So now they get to feel the rage of *insert number* gamers because of pure complacency. As I stated prior, I refuse to further support the game with more players or currency until this severe oversight is addressed.
|
Posted byMacantSaoir#5557on Feb 20, 2013, 11:10:35 PM
|
"
Mark_GGG wrote:
This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.
Thanks Mark. I fully agree that it's clear brute force attacks aren't the cause of the recent issues.
Just for a bit of extra peace of mind, would it be possible to get some sort of clarification regarding the possibility of session hijacking? More specifically, whether under the current setup a hacker would even need a password to impersonate an account if they were able to intercept the session ID.
|
Posted byMonstaMunch#6519on Feb 20, 2013, 11:21:29 PMAlpha Member
|
Tested it and there is a limit to the amount of passwords you can try.
Implement /players x already
|
|
"
darkro90 wrote:
"
crazypyro wrote:
Do you realize how unfeasible brute forcing say an 8 character password is with even a delay of 2 seconds or are you still a moron?
Considering that you are posting from a layman glasses, I'd doubt you even know on what length hackers could go in cracking just one user password.
Haven't I already mentioned that this wasn't a one-man job? look back at recent pages, you'll find it.
Oh, and also, calling me a moron wouldn't fixes anything. You, in the other hand, are not even contributing to this issue while only questions users feedback and calling them "morons".
I wonder what internet has done to online games fanbases today.
I really want to know how you can boldly state one's opinion without taking 1 minute of your time to actually see what effort it takes to brute force one's password.
As previous posts have stated, there is eventually a limit to how many times you can try a password anyways.
|
Posted byKontossis#2697on Feb 20, 2013, 11:32:24 PM
|
"
MonstaMunch wrote:
"
Mark_GGG wrote:
This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.
Thanks Mark. I fully agree that it's clear brute force attacks aren't the cause of the recent issues.
Just for a bit of extra peace of mind, would it be possible to get some sort of clarification regarding the possibility of session hijacking? More specifically, whether under the current setup a hacker would even need a password to impersonate an account if they were able to intercept the session ID.
To be clear - you don't need a user's password to log in as that user. You can do that with their password hash itself by copy/pasting it in to your own ini file and treating it as a saved password. In that respect GGG may as well be storing the password in the clear locally.
Additionally, it appears that the password hash is stored in memory throughout the execution of the program and not just during the challenge/login process. As such, you'd need only an exploit to gather information about the process in-memory (easier than a rootkit or general remote code execution). With such an exploit, a hacker would effectively only need to paste in the user's hash into his/her own client with the account name for access.
It's not hard to believe in a beta client such exploits exist as bugs and have been overlooked. Hopefully GGG will either directly address these, if they exist, soon, or come out with authenticators or a similar rotating key-based auth mechanism.
ign: SeriouslySRSLY
|
Posted byThrombo#7609on Feb 20, 2013, 11:39:32 PM
|