"
Elynole wrote:
"
MacantSaoir wrote:
You guys were warned in CBT that hackers would come Chris, you guys were warned. I warned you, as did many other users. Once the economy mattered, they would attack in full force and you didnt listen to us. We told you to authenticate, you didnt listen to us. Now behold the shit storm of CS issues that will take you forever to sort out and respond to. Not only that but you have infuriated many gamers with you response on not restoring items, all from something easily preventable if you guys just took the time to do it before launching. You guys were warned, you didnt listen feel the rage.
Not restoring items I feel is a pathetic response to the issue at hand. Telling the person they're out on their ass. Especially over something you were warned, and you acknowledged to us in CBT. It's not like you didnt see it coming, dont lie because we talked about it during CBT. You cannot claim ignorance on this issue. 'Tis impossibru.
Everyone seems to be a certified security penetration specialist here, hind-sight is 20/20 btw.
Maybe you're right, but his point is that the hindsight argument is difficult to make here, since there was a lot of talk about these sorts of things before Open.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
Posted byVideoGeemer#0418on Feb 21, 2013, 2:10:18 PM
|
I can see it now...
"Yeah guys, so we found out our system actually had been hacked and that is how they got your passwords. Still not restoring your accounts, sorry"
Customer 'support'
IGN Dopplewalk
|
Posted byBladesong#2285on Feb 21, 2013, 2:10:59 PM
|
"
Charan wrote:
"
Moeses wrote:
$10 says if Kripps account was hit, it would be restored in a heartbeat.
I'd take that bet and raise it a grand. Hell, it's Thursday. Two grand.
In fact, I'd pay a grand right now just to see it happen. Because if one of the prominent, in-the-spotlight players got hit, it would prove a lot of things.
And I like seeing proof. Not enough of it lately, from either side.
Indeed. It would be nice to really see the proof here. Perhaps it's just a matter of time before a bot hits Kripp, or perhaps he has some sort of specific added security that we don't know we should have as well.
At this point, who knows? :\
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
Posted byVideoGeemer#0418on Feb 21, 2013, 2:22:01 PM
|
"
altaccount wrote:
"
FrodoFraggins wrote:
"
Ruefl2x wrote:
PS: the real problem are people who actualy buy the currency for real money. without them none of this would even happen!
So what? People keep talking about that like it's some great revelation.
Probably 95% of hacks could be prevented by:
1) Not reusing your password ANYWHERE else - prevents a majority of stolen accounts
2) Using a strong password - prevents brute force
2) Don't download maphacks/bots - prevents most trojans/keyloggers
We already know where most hacks come from. It's very very very rare that a games entire account-name/password database gets compromised.
Nice guessing. Let me join you. What about the other probable 5%? Users with unique login/pw, clean systems and proper security habits?
I've already spent countless workhours on my free time reviewing my home network's firewall logs, file access logs (a nightmare on windows server) for the PC I play POE on, searching through password hash databases that could somehow contain my POE pw hash (I don't even use the same login/password anywhere else) and looking for any obscure vulnerabilities I might've missed. I'm actually worried for my security here, but I can't find any problems whatsoever.
All the while support replies are in the vein of "sorry, your fault, we also won't tell you anything" when they're not just a copypasted stock reply. Extremely frustrating.
bingo
|
Posted byMoeses#7657on Feb 21, 2013, 2:30:34 PM
|
"
altaccount wrote:
"
FrodoFraggins wrote:
"
Ruefl2x wrote:
PS: the real problem are people who actualy buy the currency for real money. without them none of this would even happen!
So what? People keep talking about that like it's some great revelation.
Probably 95% of hacks could be prevented by:
1) Not reusing your password ANYWHERE else - prevents a majority of stolen accounts
2) Using a strong password - prevents brute force
2) Don't download maphacks/bots - prevents most trojans/keyloggers
We already know where most hacks come from. It's very very very rare that a games entire account-name/password database gets compromised.
Nice guessing. Let me join you. What about the other probable 5%? Users with unique login/pw, clean systems and proper security habits?
I've already spent countless workhours on my free time reviewing my home network's firewall logs, file access logs (a nightmare on windows server) for the PC I play POE on, searching through password hash databases that could somehow contain my POE pw hash (I don't even use the same login/password anywhere else) and looking for any obscure vulnerabilities I might've missed. I'm actually worried for my security here, but I can't find any problems whatsoever.
All the while support replies are in the vein of "sorry, your fault, we also won't tell you anything" when they're not just a copypasted stock reply. Extremely frustrating.
it could very well be that that 5% may have been punished for simply being human, that is, being careless. Do you recall clicking on any pathofexile link that you've received via pms or what not and then being led to the poe site or poe skilltree and having to log in again even though you're pretty sure you've logged in before?
would be nice if you could check your browser history and see if you've visited any sites that looked suspiciously like POE but were not the actual POE url. Would be helpful if you managed to uncover something like that.
Build of the Week 14
The first Righteous Fire/Non-Shavronne's/Shavronne's HC
Shameless self-proclaimed theory-crafting extraordinaire and forum crusader
|
Posted byInvalesco#7360on Feb 21, 2013, 2:37:04 PMAlpha Member
|
"
crazypyro wrote:
"
darkro90 wrote:
I've also tried this for not only 10 times, 20 times, with reasonable delay in each password input since if you're entered it repeatedly, you will get warning message of "trying to login too much in a short time period". And guess what, when I tried my own password after the 20 tries, it still get me logged in.
This is exactly how you counter brute force attacks you moron.
Is it possible that hackers would program their little bots to deliberately wait a certain period of time before trying another password?
Probably...
But if what GGG says is correct, then some of the other suppositions here that it's not password hacking but session hijacking, that's a completely different issue and perhaps much more serious.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
Posted byVideoGeemer#0418on Feb 21, 2013, 2:40:01 PM
|
Damn...
I have many accounts in many games. Never got hacked in my life until... They hacked my poe account today or yesterday.
At least I do know that this is on my end. POE was the only game that I used my "e-mail for everything" and password which I also use on some other websites like a true noob. No clue why I did that. Also I never used map hacks or something like that
They took most of my currency (valuable ones), and some good gems.
I "woke up" in act 1 normal in Lioneye's watch (I'm lvl 76 ranger). No gear or maps were stolen
|
Posted byTingol#0584on Feb 21, 2013, 2:41:47 PM
|
"
MacantSaoir wrote:
They were told it would happen, there was a simple preemptive solution to prevent it happening which EVERYONE knows about (authentication) and it was not taken. It's on GGG not the userbase. It's common knowledge at this point in gaming that a majority of people play on compromised machines or fail at account security. This is why we have Authentication so you can play even with all the compromised bullshit going on and not get dinged.
So common knowledge: Majority of people can be compromised, authentication prevents the compromise from happening, why not authenticate?
I know that some people are quick to jump on this guy, but you can't deny that he has a valid point here.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
Posted byVideoGeemer#0418on Feb 21, 2013, 2:47:37 PM
|
"
VideoGeemer wrote:
Hackers will likely take WHATEVER they can get. What if their system doesn't let them target just rich players? Besides, if all they did was target those individuals, it would be more obvious that this was the work of a hacking group and not just some users that didn't know what they were doing.
Then ask yourself why they can't target the rich players but it's so easy for them to target noob accounts... answer is pretty obvious.
How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934
IGN: TheHammer
|
Posted byTehHammer#0539on Feb 21, 2013, 2:57:57 PMBanned
|
"
MonstaMunch wrote:
"
Thrombo wrote:
To be clear - you don't need a user's password to log in as that user. You can do that with their password hash itself by copy/pasting it in to your own ini file and treating it as a saved password. In that respect GGG may as well be storing the password in the clear locally.
Additionally, it appears that the password hash is stored in memory throughout the execution of the program and not just during the challenge/login process. As such, you'd need only an exploit to gather information about the process in-memory (easier than a rootkit or general remote code execution). With such an exploit, a hacker would effectively only need to paste in the user's hash into his/her own client with the account name for access.
It's not hard to believe in a beta client such exploits exist as bugs and have been overlooked. Hopefully GGG will either directly address these, if they exist, soon, or come out with authenticators or a similar rotating key-based auth mechanism.
My point was that while your information is entirely correct, if sessions can be hijacked simply by intercepting the session ID, there is no reason to believe that passwords have been stolen (hashed or not), or that end user PC's have been infected with anything, kind of like you're describing in your second paragraph.
That's why I'd like some confirmation as to why we're so sure that all these issues are the fault of the players and that nothing is being intercepted before it even gets to them.
These sections are quoted because they're important. Things like this, or something similar which hasn't been speculated or discovered yet, is probably the reason behind many of these security breaches. Sure, infected machines and phishing sites may account for some of it as well, but these examples should really not be possible in any public game.
"
Edit: I just saw the post above mine. Dear lawd, this is going to get ugly. What happened to "we don't have the functionality to restore characters. We never restore items, no exceptions"? This is just messed up.
No, that's completely different. they never said they *couldn't* restore a single character, but that they couldn't do it en masse when they had no immediate proof that it was the direct doing of GGG.
I'm sure that if they could tell for certain that a GGG staff member personally took one of our items, they'd be able to track them down and restore them too.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
Posted byVideoGeemer#0418on Feb 21, 2013, 3:00:36 PM
|