
promoting account hacking


43 replies to this topic

#21 DamienJnr

    Rookie

  • 2 posts
  • Location: Slightly behind the back of beyond

Posted 12 August 2012 - 09:49 AM

Is Piranha's server security greater than Blizzard's? Good passwords are not very useful if the hackers steal whole account details. Take a look at what's happened to Diablo/BattleNet.

#22 Thorn Hallis

    Member

  • 5,902 posts
  • Location: United States of Paranoia

Posted 12 August 2012 - 09:53 AM

DamienJnr, on 12 August 2012 - 09:49 AM, said:

Is Piranha's server security greater than Blizzard's? Good passwords are not very useful if the hackers steal whole account details. Take a look at what's happened to Diablo/BattleNet.


There is no reason to do something like this, other than some mischief.

#23 Hoytmandoo

    Rookie

  • 3 posts

Posted 12 August 2012 - 10:02 AM

Tsunamisan, on 18 June 2012 - 02:14 PM, said:

Well if they are worried about hacking I say that what they do is make Key authenticators and sell those like blizzard does for WOW. Then if the player cares enough to secure their account they can buy one for like $15

This not only splits the pressure between the player and the developer but also gives the developer an incentive to secure it because they will also make money on each authenticator sold.

Oh yah and another thing. Games that have no economy often fail because you can't trade or sell items. This game I can see that you probably wouldn't have anything but c-bills on hand since you don't gain salvage, But trading money is integral to battletech. IE: how would you pay your merc if you couldn't trade?

There's obviously going to be an economy, the question posed is whether or not players can trade with other players. Which I think will not be allowed, you'll still be able to sell and buy stuff from the in game store, but you could only get stuff from them. Anyway, that's what will probably happen

#24 IceSerpent

    Member

  • 3,044 posts

Posted 12 August 2012 - 10:44 AM

DamienJnr, on 12 August 2012 - 09:49 AM, said:

Is Piranha's server security greater than Blizzard's? Good passwords are not very useful if the hackers steal whole account details. Take a look at what's happened to Diablo/BattleNet.


It's not about server security per se, but more about how authentication is implemented. For example, if the server only stores the hash of the password, stealing that from the server won't be extremely useful for a hacker.

#25 Dreadnought13

    Member

  • Elite Founder
  • 173 posts
  • Location: Terra

Posted 12 August 2012 - 06:31 PM

http://howsecureismypassword.net/

I have yet to hear of a single case of account hacking in ten years of MMOing that wasn't also accompanied by RMTing, browsing keylogger infected sites, or simple idiocy. Use a strong password, don't do anything foolish, and the only way you'll get 'hacked' is if PGI gets hacked, Blizz-style.

#26 Draco Argentum

    Member

  • 1,222 posts

Posted 12 August 2012 - 10:33 PM

IceSerpent, on 18 June 2012 - 01:33 PM, said:

Hacking becomes a non-issue as soon as one uses a reasonably strong password. I agree that not having a trade system removes gold farmers from the game though, which is a good thing.

P.S. I wouldn't bring up pay-to-win games like WoT as a model for anything, but that's just me.


False, key loggers completely circumvent strong passwords.


Authenticators, also false. Modern banking malware circumvents passwords and authenticators. It's a clever hack and doesn't exactly work in games as is. But given motivation it could be done.


IceSerpent, on 12 August 2012 - 10:44 AM, said:


It's not about server security per se, but more about how authentication is implemented. For example, if the server only stores the hash of the password, stealing that from the server won't be extremely useful for a hacker.



Very false. If the password is merely hashed it will be cracked quite quickly if it consists of modified dictionary words. Fri3ndlyG!ant scores really well according to most security advice. You can see the pattern though and hash cracking software is designed to be able to try for common patterns.



The best defense against account hacking is making the accounts worthless when hacked. No interplayer trading does that perfectly, MWO should be a lot safer than Diablo 3 just for this reason.
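The pattern point made in this post can also be applied defensively at sign-up. The following is an added example, not code from the thread or from any game operator: a policy check that undoes common character substitutions and tests whether what remains is just dictionary words. The word list, substitution table and function names are constructed for illustration.

```python
from itertools import product

# Constructed mini word list; a real check would load a large dictionary.
WORDS = {"friendly", "giant", "dragon", "password", "mech", "warrior"}

# Common substitutions. "1" is ambiguous, so both readings are tried.
LEET = {"3": "e", "!": "i", "1": "il", "0": "o", "@": "a",
        "4": "a", "$": "s", "5": "s", "7": "t"}


def readings(password, limit=256):
    """Yield lower-case readings of the password with substitutions undone."""
    options = [LEET.get(ch, ch) for ch in password.lower()]
    for count, combo in enumerate(product(*options)):
        if count >= limit:  # cap the work on long, highly ambiguous input
            return
        yield "".join(combo)


def split_into_words(text, words=WORDS):
    """Word-break DP: list of dictionary words covering text exactly, else None."""
    best = {0: []}
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))


def mangled_dictionary_words(password, words=WORDS):
    """Return the dictionary words hiding behind a password, or None.

    Tries the password as typed and again with a trailing run of digits
    and punctuation removed (the usual "word + year" suffix).
    """
    stripped = password.rstrip("0123456789!?.#*")
    for candidate in (password, stripped):
        for reading in readings(candidate):
            found = split_into_words(reading, words)
            if found:
                return found
    return None


if __name__ == "__main__":
    for pw in ("Fri3ndlyG!ant", "Dr@g0n2012", "q7#Lw9vRz2pX"):
        print(pw, "->", mangled_dictionary_words(pw))
```

A registration form can reject or warn on any password for which this returns a word list, regardless of how many character classes it contains.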

#27 Eiodalin

    Rookie

  • 2 posts

Posted 13 August 2012 - 05:44 AM

I think if you have a possibility of hacking in accounts on any game set up in game password systems as well.

And if they were to do that have the player make a pass code to their account that is kept on their local machine.

That pass code would be the only code allowing you to trade so if a hacker does get in to an account the only thing they can do is play your account :D

Edited by Eiodalin, 13 August 2012 - 05:49 AM.


#28 IceSerpent

    Member

  • 3,044 posts

Posted 13 August 2012 - 10:34 AM

Draco Argentum, on 12 August 2012 - 10:33 PM, said:

False, key loggers completely circumvent strong passwords.


If somebody manages to install a key logger on your box, you have much bigger problems than loss of a game account.

Quote

Very false. If the password is merely hashed it will be cracked quite quickly if it consists of modified dictionary words. Fri3ndlyG!ant scores really well according to most security advice. You can see the pattern though and hash cracking software is designed to be able to try for common patterns.


Try it. I mean seriously, get whatever "hash cracking software" you think is the best and use it to crack a hash of "Fri3ndlyG!ant". After you are done, think of how important the target protected by that password has to be in order for a hacker to actually go through all the trouble.

Quote

The best defense against account hacking is making the accounts worthless when hacked. No interplayer trading does that perfectly, MWO should be a lot safer than Diablo 3 just for this reason.


That's true of course, no arguments here ;)

#29 JFlash49

    Member

  • 547 posts
  • Location: Kingston

Posted 13 August 2012 - 11:55 AM

No. just no. no trading in mech warrior.

#30 Python46

    Member

  • Survivor
  • 92 posts

Posted 13 August 2012 - 12:17 PM

i do like the idea that blizz hacks accounts just to sell authenticators. apparently, communications from blizz should never have any advertising in them, as footers or sigs. i get stuff from blizz all the time and there's an ad for an authenticator in everything. but i already have one. so, i guess either their software didn't realize i have one, or they simply advertise them in all their stuff. btw, unless they changed the price, they were like $7 when i got one. it's a simple token, such as used for network access to work systems. i used one, more than a decade ago, to access work via dialup, using a laptop they provided me. just another layer of authentication, which can make things better, but can't possibly prevent all hacking. if it's on a computer, connected to the net, it can be hacked, and if it's a business network, linked to the net, it WILL be hacked sooner or later. that's just reality. everyone in the business world gets hit sooner or later. the more they have to offer, the sooner they get hit.

the key thing to know about MWO, though, is what has been said repeatedly. there's no community trade happening, so there's no value in hacking your account, other than to irritate the account owner and just to prove you can. makes no sense for real hackers to bother with it, unless they put something in the system to hold your credit card info, or some such. hackers could, possibly, steal info to steal your money, create bogus credit applications, etc, if you have too much info in your account profile. otherwise, this game isn't really worth hacking, at this point.

#31 Raalic

    Member

  • Knight Errant
  • 483 posts
  • Location: Illinois

Posted 13 August 2012 - 12:37 PM

Sell an authenticator for $8 and have it come with a little armored car that follows you around.

#32 Draco Argentum

    Member

  • 1,222 posts

Posted 13 August 2012 - 07:49 PM

IceSerpent, on 13 August 2012 - 10:34 AM, said:

Try it. I mean seriously, get whatever "hash cracking software" you think is the best and use it to crack a hash of "Fri3ndlyG!ant". After you are done, think of how important the target protected by that password has to be in order for a hacker to actually go through all the trouble.


http://blog.spiderla...kov-chains.html

That's the sort of thing IT security is up against. Take a list of known common password formats. Feed it in and see what cracks. Then use rules to mutate the successes, like i changes to !, and feed those in. Iterate on that and you will get a lot of hits. Not the entire set but a goodly chunk. It's getting easier with powerful GPUs available for cheap these days.

At the minimum passwords must be salted before being hashed with a specialised password hashing algorithm. Using a normal hashing algorithm no longer works well because compute power is so easy to get for cheap.

#33 deadeye6

    Rookie

  • 2 posts
  • Location: breman

Posted 14 August 2012 - 04:59 AM

a Authenticator app and be problem solved thats one way another way is to use your email four questions and answers or more thats how i change stuff on my online banking and how they know its me answers have no relationship to questions like your first pets name? answer=762x25 or a 10-16 character alpha numeric case sensitive pass will stop all but the most dedicated thief and it doesn't cost you or the provider anything but some time and and thought yea i know thinking is a dying art common sense needs to be renamed to uncommon i blame the education system for this and the fact that the kids that were born with a game-boy in there hand think all they should do is push a button and puff instant gratification i have spent 2 days reading the forums and for the most part i can tell the the older from the younger generation by quit your winning and lets see how it works out in the end give the development staff and beta time for the older and now for the younger group the iiiiiiiiis the memememememes the i want it nows i don't know where to put the english professors grading every post for spelling grammar and punctuation other than to say its childish so more likely than not your of the me me me generation

#34 empath

    Member

  • Survivor
  • 228 posts
  • Location: UTC - 3:30

Posted 14 August 2012 - 08:00 AM

NOTHING is impregnable.

A lot of security methods become VERY secure, but there are ALWAYS ways and means.

One relatively secure strategy to take (which again, isn't infallible) is to simply make the hack more work than it's worth, and there are two basic means of accomplishing this situation:
1) increase the difficulty of the hack (which the majority of people obsess over),

and/or

2) make what is being protected as meaningless/undesirable/insignificant as possible. (You don't need a car alarm or The Club™ if all you're driving is a rusted-out 1976 Dodge Dart. :P )

But again, this is not a perfect plan, as there's invariably a couple of groups that ignore the 'get through the door to get the l00t' paradigm. Firstly, those individuals which look upon accomplishing the hack as reward enough in and of itself; for them increasing the difficulty actually BACKFIRES upon yourself, and attracts more of the 'because it's there' crowd. Secondly, the meta grudge-holder. This could be someone you dissed on some forums somewhere, or downvoted his vid on YouTube, or dominated him in a game of CoD, or heck, even just didn't hold the door open for him IRL. Or maybe you profess an opinion, or support a political party that the individual doesn't like. It might even be as simple as you work for 'an evil money-grubbing corporation'. SOME people are petty and vindictive for any number of reasons, and will exert disproportionate effort into attaining an intangible satisfaction in breaching your security and doing ANY amount of mischief, no matter how trivial.

Never expect to be completely hack-free; with seven BILLION people on the planet, there's invariably someone out there with the wherewithal, inclination and most of all PATIENCE to get through to you.

Just enjoy whatever peace and quiet you do get; shrug when the incursion happens, take different security measures and repeat...and keep repeating the cycle until you die. :|


Oh, and deadeye6? I *really* don't wanna throw out "pot calling the kettle black" but a seven-line, punctuation-less run on sentence isn't really the best way to try to put forward your argument. Oh, and in my experience, it's absurd to generalize by age; I've seen plenty of circumspect, earnest and LITERATE teenagers online, just like I've gone on to discover that some of the laziest, dim-witted, inerudite and unlettered offenders turn out to be middle-aged...

#35 IceSerpent

    Member

  • 3,044 posts

Posted 14 August 2012 - 11:55 AM

Draco Argentum, on 13 August 2012 - 07:49 PM, said:


http://blog.spiderla...kov-chains.html

That's the sort of thing IT security is up against. Take a list of known common password formats. Feed it in and see what cracks. Then use rules to mutate the successes, like i changes to !, and feed those in. Iterate on that and you will get a lot of hits. Not the entire set but a goodly chunk. It's getting easier with powerful GPUs available for cheap these days.

At the minimum passwords must be salted before being hashed with a specialised password hashing algorithm. Using a normal hashing algorithm no longer works well because compute power is so easy to get for cheap.


Very interesting read, but ultimately my point remains - how about I give you a SHA1 hash of a password made along those lines (based on dictionary, with some common letter - other character replacements, like e = 3, etc.), you crack it and see if you'd be willing to invest that much time and processing power just to crack a game account?

#36 Fezzwig

    Member

  • 76 posts
  • Location: Nagelring, Tharkad

Posted 14 August 2012 - 12:59 PM

Accounts are only as secure as the company holding them. Authenticators aren't foolproof. Just look at 4 days ago.

http://www.forbes.co...rmation-stolen/

#37 Draco Argentum

    Member

  • 1,222 posts

Posted 14 August 2012 - 02:46 PM

IceSerpent, on 14 August 2012 - 11:55 AM, said:


Very interesting read, but ultimately my point remains - how about I give you a SHA1 hash of a password made along those lines (based on dictionary, with some common letter - other character replacements, like e = 3, etc.), you crack it and see if you'd be willing to invest that much time and processing power just to crack a game account?



I don't have the knowledge to operate hashcat at that level, you'd need to talk to a hacker/actual security researcher. Would someone go to the trouble for a dump of the MWO password hashes? Security researchers, Anonymous and some others would for the fun. If it was an MMO with virtual currency that could be sold? There are plenty of criminal hackers who stand to make a fortune from cracking those hashes, you'd better believe they'd make the effort just to crack a game account.

#38 Kaelin

    Member

  • Elite Founder
  • 193 posts
  • Location: Scotland.

Posted 14 August 2012 - 03:12 PM

For Every Lock There is a Key.

Let's explain the most prevalent methods using real-world metaphor:

Keylogging - letting the burglar into your house and leaving them to it. easily prevented with a little common-sense.

Phishing - handing your keys to the first person that knocks at your door. if you get an email instructing you to verify your account details/ there may have been an attempt to break in etc. NEVER click the link in the email; go to the service/website in question and log-in directly, if it's your bank etc. phone them.

Brute-force - burglar tries to unlock your door using a box full of different keys. most servers have measures in place that automagically detect and actively block brute-force programs; making your password long/obscure helps in most instances anyway.

There are certainly more drastic methods in use for obtaining account details such as hacking forums/website etc. but what you have to understand is this; the responsibility shifts from you, the user, to the perpetrator and service that had its security undermined. Yes the community suffers as a result and the provider even more so.

<EDIT> Personally I treat every unsolicited email/communication with extreme suspicion given the prevalence of phishing scams.

Edited by Kaelin, 14 August 2012 - 03:22 PM.


#39 IceSerpent

    Member

  • 3,044 posts

Posted 14 August 2012 - 04:07 PM

Draco Argentum, on 14 August 2012 - 02:46 PM, said:



I don't have the knowledge to operate hashcat at that level, you'd need to talk to a hacker/actual security researcher. Would someone go to the trouble for a dump of the MWO password hashes? Security researchers, Anonymous and some others would for the fun. If it was an MMO with virtual currency that could be sold? There are plenty of criminal hackers who stand to make a fortune from cracking those hashes, you'd better believe they'd make the effort just to crack a game account.


The point you keep missing is that people don't go through too much trouble unless they expect an appropriately large reward. Granted, if you are trying to protect blueprints for a nuke, a simple hash is not going to cut it, but then this sort of information tends to have very different security measures. On the other hand, hacking an MMO account would give you what - a few hundred bucks in the best case? Investing lots of time/effort/money into a hacking operation "for the fun" is unlikely to happen, so for a company it makes more sense not to build a virtual Fort Knox just to protect game accounts.
Basically, if I am trying to protect $1, I only need to make it cost $2 to steal it and my security system is good enough.

Edited by IceSerpent, 14 August 2012 - 04:08 PM.


#40 Draco Argentum

    Member

  • 1,222 posts

Posted 14 August 2012 - 09:17 PM

IceSerpent, on 14 August 2012 - 04:07 PM, said:


The point you keep missing is that people don't go through too much trouble unless they expect an appropriately large reward.


Nope, not missing anything. Like I said, this game is secured by having worthless accounts. But that is the only thing that will stop hackers. Blizzard got done, RSA got done and they're a security firm. The only thing MWO has on its side is lack of financial gain. Any other security talk I bring up is for general informational purposes. I see lots of people in and outside this thread who think they're secure because their password isn't pass1234.




