0.9.13m Patch Notes

Still, adding encryption in a small patch will only give hackers the advantage of getting the functions they need, without having to invest much time to find the correct function.


And usually account thefts in online games start with infecting users, SQL injection or an easily accessible database.

It would be better to use hardware identifiers or a unique verification code sent from the server to protect against unauthorized access.





Chris, will we be getting a preview of the OB patch notes beforehand to prepare for it?
My Supporter Pack list compensates for my small penis.
"
Hilbert wrote:
Still, adding encryption in a small patch will only give hackers the advantage of getting the functions they need, without having to invest much time to find the correct function.


And usually account thefts in online games start with infecting users, SQL injection or an easily accessible database.

It would be better to use hardware identifiers or a unique verification code sent from the server to protect against unauthorized access.



I don't know about anyone else, but since I reported this bug a week or two ago, and found it fixed today, I'm inclined to believe my bug report had something to do with it.

Anyway.

When hackers have access to your local machine the battle is already lost. They can sniff passwords via the keyboard, read them from files or at decryption time. That attack is not something you prevent by encrypting game traffic.

What you prevent when you encrypt traffic is letting people who can listen in on your connection figure out what your password hash is. That means when you play Path of Exile on a wifi connection at Starbucks, the patron next to you can't steal your account. That's what this patch was made to prevent.
Last edited by PeculiarBias on Jan 8, 2013, 9:50:44 PM
"
Hilbert wrote:
Still, adding encryption in a small patch will only give hackers the advantage of getting the functions they need, without having to invest much time to find the correct function.

And usually account thefts in online games start with infecting users, SQL injection or an easily accessible database.

It would be better to use hardware identifiers or a unique verification code sent from the server to protect against unauthorized access.


Knowing how encryption works does not necessarily help you to defeat it. In fact, if GGG has been smart about this, the encryption routines themselves should all be completely standard stuff -- there's never any good reason to reinvent crypto for yourself, as it only introduces a further opportunity to mess things up and have something with unforeseen mathematical weaknesses in it.

I'm assuming that what they mean when they say that they've added crypto to the protocol is that the game will now do some form of Diffie-Hellman key exchange with the server to prevent eavesdropping while transmitting the password hash. Probably they'd do this by pulling in some existing TLS or SSL library.

If someone has your machine compromised with a trojan, there's not much that GGG could reasonably do to prevent someone getting access to your account at that point -- at least if the game is storing the password hash used to log in locally.
GIBE OB PLZ

GIBE OB

;_;

Only 2 weeks to go and I still want to join OB so badly. Keep up the good work GGG.
1337 21gn17ur3
"
GIBE OB PLZ

GIBE OB

;_;

Only 2 weeks to go and I still want to join OB so badly. Keep up the good work GGG.

Kinda off-topic but you have the same name as one of my characters ._.
Was nice seeing you here.
"
I don't know about anyone else, but since I reported this bug a week or two ago, and found it fixed today, I'm inclined to believe my bug report had something to do with it.

One Dev stated that the protocol wasn't encrypted long before that.


"
When hackers have access to your local machine the battle is already lost. They can sniff passwords via the keyboard, read them from files or at decryption time. That attack is not something you prevent by encrypting game traffic.

You can't prevent somebody hosting a clean site for most of the time that infects users for 2,4h.
It would be easy for somebody to write an external ladder monitor for races and infect them.

Just look at Diablo3: how many accounts were compromised because the authenticators were an identification tool on the client and there were just too many fan pages that could easily infect you if you had JavaScript turned on.


That's why I said to add something to give hackers a harder time to access accounts.


"
If someone has your machine compromised with a trojan, there's not much that GGG could reasonably do to prevent someone getting access to your account at that point -- at least if the game is storing the password hash used to log in locally.

Or now take the following example:
The PW hash includes a dynamic identifier code.
You send the PW hash.
The server sends you a unique code that rehashes your id code, so your old local login will be invalid and you have stored a new one.

Meaning each local hash works only once and if somebody accesses your account with the most recent hash then you won't be able to log in via the stored hash and it will throw an error and warn you that your PC is possibly infected.

The only remaining problem would be recording keystrokes and the user can give hackers a hard time because those loggers log like this:
ABC{Space}{Enter}
They don't record your cursor position and can't tell what you are doing by clicking, you could create incredibly long logs and piss them off.

While passwords like: AlphaBetaGammaDeltaEpsilon are easy to remember they can easily be guessed by that method.

Now let's say your password is qwert, should be a longer random combination (not related to keys that are next to each other like qay, qwe etc. will do).
Now this is how you enter the password: qt --> move the mouse to the 2nd spot, hit e, move to the 2nd spot again, hit w, move to the fourth spot and hit r.

The record will show qtewr and a hacker has to add far more functions or even inject code into PoE (if somebody has got hookshark he easily finds modified code) to get the correct password, or he creates all permutations of the letters he got to find real words.
A password like AlphaBetaGammaDeltaEpsilon wouldn't need many login attempts to find the correct combination; random gibberish wouldn't create many real words.
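
The single-use stored-login scheme described in the post above, seen from the server's side, as an added example (not part of the original post and not GGG's code). The class, method and account names are hypothetical, and a random token stands in for the post's "dynamic identifier code".

```python
import hashlib
import hmac
import secrets


class LoginTokenServer:
    """Server side of a single-use stored-login token (hypothetical names)."""

    def __init__(self):
        self._current = {}    # account -> SHA-256 of the one token valid now
        self._spent = {}      # account -> hashes of tokens already used
        self.flagged = set()  # accounts where a spent token was replayed

    def _issue(self, account):
        token = secrets.token_urlsafe(32)  # random, not derived from the password
        self._current[account] = hashlib.sha256(token.encode()).digest()
        return token

    def enroll(self, account):
        """Called after a full password login; returns the first stored token."""
        self._spent[account] = set()
        self.flagged.discard(account)
        return self._issue(account)

    def login(self, account, token):
        """Return (ok, new_token, warning); each token is accepted exactly once."""
        digest = hashlib.sha256(token.encode()).digest()
        current = self._current.get(account)
        if current is not None and hmac.compare_digest(digest, current):
            self._spent[account].add(digest)
            return True, self._issue(account), None
        if digest in self._spent.get(account, ()):
            # A used token came back: two parties held the same stored secret.
            self._current.pop(account, None)  # revoke the live token as well
            self.flagged.add(account)
            return False, None, "stored login already used; sign in with password"
        return False, None, "unknown token"


def demo():
    server = LoginTokenServer()
    stored = server.enroll("exile")   # constructed account name
    copied = stored                   # a second copy of the locally stored token
    first_ok, first_next, _ = server.login("exile", copied)
    owner_ok, _, warning = server.login("exile", stored)
    later_ok, _, _ = server.login("exile", first_next)
    return first_ok, owner_ok, warning, later_ok, "exile" in server.flagged
```

Whichever copy of the token arrives second triggers the warning and revokes the token issued to the first, so both parties are pushed back to a full password login.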







"
Chris wrote:
"
Dreggon wrote:
Encryption?

Can you tell us just what sort of underhanded hackery we're allowed to get up to in Closed/Open beta?


We're preparing the banhammer for people who engage in underhanded hackery in OB :P


Is overhanded hackery okay? Like, if I think I can exploit something, can I tell you I'm going to try it and let you know if it worked?
My Keystone Ideas: http://www.pathofexile.com/forum/view-thread/744282
"

And usually account thefts in online games start with dumb fucks giving out account information


fixed
"
anubite wrote:

Is overhanded hackery okay? Like, if I think I can exploit something, can I tell you I'm going to try it and let you know if it worked?


This has always been the case in beta, let them know and as long as permission is granted and you don't stream it to the public there will be no problem.
RIP Bolto
