Hacked Accounts

"

crazypyro wrote:

Do you realize how unfeasible brute forcing say an 8 character password is with even a delay of 2 seconds or are you still a moron?

Considering that you are posting from a layman glasses, I'd doubt you even know on what length hackers could go in cracking just one user password.

Haven't I already mentioned that this wasn't a one-man job? look back at recent pages, you'll find it.

Oh, and also, calling me a moron wouldn't fixes anything. You, in the other hand, are not even contributing to this issue while only questions users feedback and calling them "morons".

I wonder what internet has done to online games fanbases today.

"

darkro90 wrote:

Are you on crack, son? Users like me and Heff actually trying to make the game better by pointing out GGG mistakes, it's called giving FEEDBACKS. Get off your High Councilor of GGG Hardfanboys horse and start contributing to the game like testing their security system and reports bugs you found instead of flaming actual feedbacks while thinking "omg im so swaggy lel ggg rulez wheres muh pizza". People like you that only defends the game while not giving actual feedback is the real cancer that kills the game, aside from the hackers.

Sounds like you're the one on crack, son lol. I don't give a fuck what kind of grand, awesome nut jacking supporters of GGG you are - you like to throw the fanboy accusation at me because I don't agree with your attitude but, "supporters" or not, calling any group of people "liars" just because you've found a problem - and without any fucken logic to explain how that translates to them LYING - is a sucker bitch move.

You want to give feedback to make the game better? What part of telling a developer they are resorting to public lies - without any credible information to back it up - is useful FEEDBACK??

Crack, son - it's what you're smoking right now! Fucken genius.

"

$10 says if Kripps account was hit, it would be restored in a heartbeat.

If GGG ever decided to restore items, streamer will be the last on their list.

but it will be amusing to see Kripp gets hacked, and see how he react to it

"

mkmaddage wrote:

Sounds like you're the one on crack, son lol. I don't give a fuck what kind of grand, awesome nut jacking supporters of GGG you are - you like to throw the fanboy accusation at me because I don't agree with your attitude but, "supporters" or not, calling any group of people "liars" just because you've found a problem - and without any fucken logic to explain how that translates to them LYING - is a sucker bitch move.

You want to give feedback to make the game better? What part of telling a developer they are resorting to public lies - without any credible information to back it up - is useful FEEDBACK??

Crack, son - it's what you're smoking right now! Fucken genius.

It's called giving them feedbacks to not gives out statement they didn't really sure before to avoid public backlashes like this.

Sounds like your cracks are now giving you the advice of using ad hominem against a user that actually gives feedback. Heh. I'll stop with this charade of stupidity and spare you further arguments of your state that could results in massive tantrums on your side.

"

mkmaddage wrote:

"

MacantSaoir wrote:

Rage much child? I wasnt hacked, I'm simply stating this whole mess was preventable if actions were taken when they were told it would happen. Also, welcome to 2013 where government officials and security experts get hacked. SO you think the common gamer at the end of the day is going to be able to combat this on their own? This is why authentication is crucial. You can blame the security guy? easily? its 2013 where probably the majority of gamers play on compromised systems and authentication heavily combats this problem. In times of peace prepare for war. Whoever was on their security issues was not preparing for war, and it's clearly obvious now.

However the failure to listen to the CBTs on this hacking issue has been a huge blunder, and until it is properly addressed with authentication I wont sink another cent, or bring another oldschool gamer here. That's just the reality.

The point, my soft-headed little friend, is that the fact that you and your cronies of all-knowing wisdom made your wise (utterly obvious) prediction has no bearing on GGG's handling of the situation. You're like a TV Faith Healer lol - here, I'll have a go: "Soon, Oh Father Chris of the Wilsonian Persuasion, you will have an update that fails and ends up with more server downtime than anticipated. All Hail My Nuts."

Want a medal for stating the obvious?

Blame the security guy? What I'm saying is: what do WE know about the internal structure of GGG and how the issue was handled? Love how all you "experts" can spout your wisdom from OUTSIDE the group of people you're accusing. No matter how much you might know about a field from the inside you still don't know how a group of people from another culture (perhaps) are handling it!

Yes, I'm a petulant child - it's my natural response to the pompous, superior tone of your post.

You've not challenged a single point of anything I've said? They were told it would happen, there was a simple preemptive solution to prevent it happening which EVERYONE knows about (authentication) and it was not taken. It's on GGG not the userbase. It's common knowledge at this point in gaming that a majority of people play on compromised machines or fail at account security. This is why we have Authentication so you can play even with all the compromised bullshit going on and not get dinged.

So common knowledge: Majority of people can be compromised, authentication prevents the compromise from happening, why not authenticate?

Complacency that's why. The only answer to it. So now they get to feel the rage of *insert number* gamers because of pure complacency. As I stated prior, I refuse to further support the game with more players or currency until this severe oversight is addressed.

"

Mark_GGG wrote:

This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.

Thanks Mark. I fully agree that it's clear brute force attacks aren't the cause of the recent issues.

Just for a bit of extra peace of mind, would it be possible to get some sort of clarification regarding the possibility of session hijacking? More specifically, whether under the current setup a hacker would even need a password to impersonate an account if they were able to intercept the session ID.

Tested it and there is a limit to the amount of passwords you can try.

"

darkro90 wrote:

"

crazypyro wrote:

Do you realize how unfeasible brute forcing say an 8 character password is with even a delay of 2 seconds or are you still a moron?

Considering that you are posting from a layman glasses, I'd doubt you even know on what length hackers could go in cracking just one user password.

Haven't I already mentioned that this wasn't a one-man job? look back at recent pages, you'll find it.

Oh, and also, calling me a moron wouldn't fixes anything. You, in the other hand, are not even contributing to this issue while only questions users feedback and calling them "morons".

I wonder what internet has done to online games fanbases today.

I really want to know how you can boldly state one's opinion without taking 1 minute of your time to actually see what effort it takes to brute force one's password.

As previous posts have stated, there is eventually a limit to how many times you can try a password anyways.

"

MonstaMunch wrote:

"

Mark_GGG wrote:

This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.

Thanks Mark. I fully agree that it's clear brute force attacks aren't the cause of the recent issues.

Just for a bit of extra peace of mind, would it be possible to get some sort of clarification regarding the possibility of session hijacking? More specifically, whether under the current setup a hacker would even need a password to impersonate an account if they were able to intercept the session ID.

To be clear - you don't need a user's password to log in as that user. You can do that with their password hash itself by copy/pasting it in to your own ini file and treating it as a saved password. In that respect GGG may as well be storing the password in the clear locally.

Additionally, it appears that the password hash is stored in memory throughout the execution of the program and not just during the challenge/login process. As such, you'd need only an exploit to gather information about the process in-memory (easier than a rootkit or general remote code execution). With such an exploit, a hacker would effectively only need to paste in the user's hash into his/her own client with the account name for access.

It's not hard to believe in a beta client such exploits exist as bugs and have been overlooked. Hopefully GGG will either directly address these, if they exist, soon, or come out with authenticators or a similar rotating key-based auth mechanism.