"
GGG don't seem to stand up against all these people accusing them of ruining their gaming experience where it's 99% of the time the player's fault and they're just whining like little kids.
Just got hacked too, and didn't type my pass since like 3-4 weeks (which is unique to this game), still all my fault?
Complaining about some hundred hours spent for nothing is whining like a kid? Let's see when they will hack your account who is the kid then.
IGN: AtomicDantou
|
Posted by Dantounet#3271 on Feb 21, 2013, 6:34:23 AM
|
"
bluelightningflik wrote:
Just adding to the flood. My username and password combination are entirely unique to this game. And, like most players, I haven't typed the username and password in anywhere since initial install weeks ago. This is on GGG's end, in that somewhere they are storing credentials is not secure. Will not be playing until GGG has an acceptable solution in place, including recompense for those of us who are victim to their shoddy security. Very disappointed with their current handling of the situation.
http://news.cnet.com/8301-1009_3-57563337-83/java-flaw-draws-web-attacks-reports-say/
Have you bothered disabling java for your browser...that's like a month old and still no one seems to know about it.
Your PC is never truly secure...why do you think anti viruses update practically daily?
Ancestral Bond. It's a thing that does stuff. -Vipermagi
He who controls the pants controls the galaxy. - Rick & Morty S3E1
|
Posted by lagwin1980#2224 on Feb 21, 2013, 6:34:53 AM
|
"
lagwin1980 wrote:
"
bluelightningflik wrote:
Just adding to the flood. My username and password combination are entirely unique to this game. And, like most players, I haven't typed the username and password in anywhere since initial install weeks ago. This is on GGG's end, in that somewhere they are storing credentials is not secure. Will not be playing until GGG has an acceptable solution in place, including recompense for those of us who are victim to their shoddy security. Very disappointed with their current handling of the situation.
http://news.cnet.com/8301-1009_3-57563337-83/java-flaw-draws-web-attacks-reports-say/
Have you bothered disabling java for your browser...that's like a month old and still no one seems to know about it.
Your PC is never truly secure...why do you think anti viruses update practically daily?
If GGG is storing cached password on the client machine in a way that can be both scraped and deobfuscated (as some posts in this forum have posited) by any program including a java hack, that's absolutely GGG's problem to fix. Either way, this requires the player to have visited a site that ran this exploit. This is something that I can say has not happened to me, and also something that the community would likely have noted by now and be able to point people towards directly.
|
|
I actually have worked in IT, and I know a few things about Internet security.
Saying GGG was "hacked" is just complete nonsense.
All of the hacked accounts are on the client end, and GGG has even stated that every thorough investigation into this has proven so.
Although it is true that certain ways GGG has built their game allow for easy "hacking" of clients. The password being clearly saved in the config file being one of them.
There are new key loggers and vulnerabilities being discovered and patched every day. To be confident that you weren't exposed to one, is to be ignorant.
The only way to be mostly safe, would be to run your gaming computer and gaming account on a separate computer, and have a different account for logging into the forums and browsing the Internet.
So, just have some maturity, and take responsibility for the fact that SOMETHING got you. Whether or not you know what it was, or if you like it.
|
Posted by Asonex#6804 on Feb 21, 2013, 8:31:19 AM
|
Yeah. Personally I can rule out exploits and buy sites and the likes, but I can't rule out that my stupid re-used password got lifted off some other service long ago, as I tend to use the same 2-3 passwords everywhere.
It would be very interesting to see if all the compromised accounts have anything in common, though.
|
Posted by Zegasu#3430 on Feb 21, 2013, 8:36:39 AM
|
"
bluelightningflik wrote:
"
lagwin1980 wrote:
"
bluelightningflik wrote:
Just adding to the flood. My username and password combination are entirely unique to this game. And, like most players, I haven't typed the username and password in anywhere since initial install weeks ago. This is on GGG's end, in that somewhere they are storing credentials is not secure. Will not be playing until GGG has an acceptable solution in place, including recompense for those of us who are victim to their shoddy security. Very disappointed with their current handling of the situation.
http://news.cnet.com/8301-1009_3-57563337-83/java-flaw-draws-web-attacks-reports-say/
Have you bothered disabling java for your browser...that's like a month old and still no one seems to know about it.
Your PC is never truly secure...why do you think anti viruses update practically daily?
If GGG is storing cached password on the client machine in a way that can be both scraped and deobfuscated (as some posts in this forum have posited) by any program including a java hack, that's absolutely GGG's problem to fix. Either way, this requires the player to have visited a site that ran this exploit. This is something that I can say has not happened to me, and also something that the community would likely have noted by now and be able to point people towards directly.
The only thing you got right was that storing the hash in a config file was poor planning on GGG's part. It still requires the user to compromise their computer, but they should have assumed users will do that. They need a clever way to salt the hash, or change how the passwords are stored.
|
Posted by Lask001#4507 on Feb 21, 2013, 8:44:56 AM
|
"
Asonex wrote:
I actually have worked in IT, and I know a few things about Internet security.
Saying GGG was "hacked" is just complete nonsense.
All of the hacked accounts are on the client end, and GGG has even stated that every thorough investigation into this has proven so.
Although it is true that certain ways GGG has built their game allow for easy "hacking" of clients. The password being clearly saved in the config file being one of them.
There are new key loggers and vulnerabilities being discovered and patched every day. To be confident that you weren't exposed to one, is to be ignorant.
The only way to be mostly safe, would be to run your gaming computer and gaming account on a separate computer, and have a different account for logging into the forums and browsing the Internet.
So, just have some maturity, and take responsibility for the fact that SOMETHING got you. Whether or not you know what it was, or if you like it.
You use quote marks incorrectly. I never said with complete certainty that GGG was "hacked". Just that they have something that needs fixing on their end, that they store credentials in an unsecure fashion.
I don't just "work in IT"... I'm a professional web/client dev that has worked for years on products used by many times more users and targeted by many times more hackers than PoE (statistically speaking) even could be, let alone by any other metric. This is wholly unimportant, except for the fact that it means you can be pretty certain that when I say that my machine is as secure as any machine used for such purposes can be reasonably expected to be, I know what I'm talking about. For you to assume otherwise is what's ignorant, and counterproductive.
The only possible ways for my hack to have occurred are either:
1) GGG caches passwords in an unsecure fashion on the client, allowing for a (very doubtful in my case) java client scrape hack from sites not directly related to PoE, OR
2) GGG has security issues not related to the client
And, to be honest, it really doesn't matter to me whether or not you can understand this, it matters that GGG understands and addresses this.
And I'm an exceptional case. GGG cannot make the assumption they can make with me with 99% of their users. Their current approach for this issue is untenable.
So, just have some maturity, and take responsibility for the fact that this is indeed an issue and one that is currently not being handled acceptably.
Last edited by bluelightningflik#5007 on Feb 21, 2013, 9:11:42 AM
|
|
"
bluelightningflik wrote:
"
Asonex wrote:
I actually have worked in IT, and I know a few things about Internet security.
Saying GGG was "hacked" is just complete nonsense.
All of the hacked accounts are on the client end, and GGG has even stated that every thorough investigation into this has proven so.
Although it is true that certain ways GGG has built their game allow for easy "hacking" of clients. The password being clearly saved in the config file being one of them.
There are new key loggers and vulnerabilities being discovered and patched every day. To be confident that you weren't exposed to one, is to be ignorant.
The only way to be mostly safe, would be to run your gaming computer and gaming account on a separate computer, and have a different account for logging into the forums and browsing the Internet.
So, just have some maturity, and take responsibility for the fact that SOMETHING got you. Whether or not you know what it was, or if you like it.
You use quote marks incorrectly. I never said with complete certainty that GGG was "hacked". Just that they have something that needs fixing on their end, that they store credentials in an unsecure fashion.
I don't just "work in IT"... I'm a professional web/client dev that has worked for years on products used by many times more users and targeted by many times more hackers than PoE (statistically speaking) even could be, let alone by any other metric. This is wholly unimportant, except for the fact that it means you can be pretty certain that when I say that my machine is as secure as any machine used for such purposes can be reasonably expected to be, I know what I'm talking about. For you to assume otherwise is what's ignorant, and counterproductive.
The only possible ways for my hack to have occurred are either:
1) GGG caches passwords in an unsecure fashion on the client, allowing for a (very doubtful in my case) java client scrape hack from sites not directly related to PoE, OR
2) GGG has security issues not related to the client
And, to be honest, it really doesn't matter to me whether or not you can understand this, it matters that GGG understands and addresses this.
And I'm an exceptional case. GGG cannot make the assumption they can make with me with 99% of their users. Their current approach for this issue is untenable.
So, just have some maturity, and take responsibility for the fact that this is indeed an issue and one that is currently not being handled acceptably.
Let's assume you really do know what you are talking about with IT. You have to keep in mind that a very large percentage of the player base that has been hacked claims to be some sort of IT god, with 10 to 20 years of amazing programming and hacking experience, and that they build their own OS from the ground up (Yes, I've heard every one of those things from someone on these forums in the last two weeks). It makes it very hard to trust the one or two people that might actually be that.
I do find it hard to believe though, as someone who also works in IT, for you to be 100% sure your machine is secure. We are people, we make mistakes, and are always the weak point in the system. There is a lot more human interaction with our personal PCs than GGG's servers.
|
Posted by Lask001#4507 on Feb 21, 2013, 9:22:54 AM
|
Lask001, you are actively disregarding and denying each and every thread people create about this hack wave. Do you have this much more information on the behind-the-scenes of GGG than we have? Because you could share it with us....
All people are saying, whether you believe it or not that they know what they are talking about, is that the usual motives and excuses used by every single company online when hack claims are made, do not fit every user, and it is too much of a coincidence that those users got hacked at the same time that the users they claim to have been using hacks or infected.
Are you that narrow-minded that you can't think that GGG is at fault at all? Why exactly are you so sure that there is no exploitable feature on the site or game that could allow someone to get account info?
Whether it is done by a java exploit, by keyloggers, rootkits or whatever, if it is able to grab a password that hasn't been typed for weeks, I don't believe the public is at fault here. As you so wisely put it over and over again, not everyone is a security expert, and because of that, shouldn't be expected to patch or disable JAVA because of exploits or whatever, shouldn't be able to detect rootkits from ads or suspicious scripts. This goes to GGG pile too.
Last edited by buttseckz#3921 on Feb 21, 2013, 12:02:57 PM
|
Posted by buttseckz#3921 on Feb 21, 2013, 12:00:17 PM
|