No need to blame Goa for all

erol

Guest
Errr... how can the problems have nothing to do with Goa?

They are in charge of the servers, it is their responsibility to make sure they are secure. Games / companies / Websites with this much public access will always get hacked. It is up to them to stay one step ahead.

And frankly the way they handle passwords and giving them to end-users etc is laughable, no wonder so many accounts get hacked.

I'm angry that we can't get in to the game, but maybe this will kick them into improving the whole security / passwords setup, it would be about bloody time!
 
herjulf

Guest
Originally posted by DeaD GuRu
well, i'm not acting as a lawyer.. i'm telling my pov


comparison:

ok, let's talk in a couple (5/10) years when you have a business of some sort. In which you give your heart and soul to make the best of it.
Then someone feels so free to steal half your work and runs away with it. or destroys/undermines your work with his mentally ill brain..

how would you feel as owner..


last note...; internet is a LOT more than playing games

let's put it this way then, a company runs a business with thousands of customers. These customers spend a lot of time and potentially money.
And by spending a lot of time utilizing that product, they create something priceless, something that to some is only replaced by many many active hours of product use, and personal sacrifices.
However this company is aware of a great and severe weakness that renders the product wide open and causes widespread discomfort for its customers.

Potentially very serious discomfort as months and months of work for these customers can be lost in seconds.

The company knows of this but lets it pass, leaving its customers exposed.
A "caring" customer decides to do something, he can see where things are heading and decides to open the eyes of the company that put him and thousands of other customers at risk.

Therefore he utilises these well known issues, and makes a relatively harmless event, in the product.
causing no damage to the customers' creations, and makes a great impact on the company, who realise they must do something to secure its customers' expensive creations.

The customer does this knowing he will lose his right to take part in further exploration and creation within this product.

He does this, partly for his own sake, but also in large parts for his fellow man.

Who is the bad guy here?

The person who opened the company's eyes, or the company who glued them shut?
 
DeaD GuRu

Guest
Originally posted by herjulf
let's put it this way then, a company runs a business with thousands of customers. These customers spend a lot of time and potentially money.
And by spending a lot of time utilizing that product, they create something priceless, something that to some is only replaced by many many active hours of product use, and personal sacrifices.
However this company is aware of a great and severe weakness that renders the product wide open and causes widespread discomfort for its customers.

Potentially very serious discomfort as months and months of work for these customers can be lost in seconds.

The company knows of this but lets it pass, leaving its customers exposed.
A "caring" customer decides to do something, he can see where things are heading and decides to open the eyes of the company that put him and thousands of other customers at risk.

Therefore he utilises these well known issues, and makes a relatively harmless event, in the product.
causing no damage to the customers' creations, and makes a great impact on the company, who realise they must do something to secure its customers' expensive creations.

The customer does this knowing he will lose his right to take part in further exploration and creation within this product.

He does this, partly for his own sake, but also in large parts for his fellow man.

Who is the bad guy here?

The person who opened the company's eyes, or the company who glued them shut?


i was expecting a post like this....

if IT were a caring customer he would have sent a friendly email and told em that port nr blablabla was open and that he could enter doing blablabla then they (goa) could have adjusted it in a rational, silent way. A hacker does this for a hobby not to point out that there is a problem in there, just to fool around or act out of frustration because -he got banned for using illegal software- had a fight over an account or something- whatever-.
As Sibanac said in a post here... do you know all about networking, servers etc??? Do they know all?? Nope, they think that all is ok. And hackers will create holes in newly created security systems... that is what they do.. whatever their reasons may be, no one knows....
I don't care even.... they should be lobotomized ( not the white-hackers as they call themselves in that environment, the black-hackers ( has nothing to do with race nor colour, ok))


But no ... IT had to hack and demonstrate his utter power... now the firm panics because it could have been they were unaware of the problem. Things have to be adjusted asap... not all means are available at that time... panic causes faulty installations etc....


anyway.. defending this hacker is not wise... ppl would not "suffer" and be unhappy if it weren't for those sick minded hackers, jealous, etc...
 
old_saxo

Guest
The hack on prydwen was kinda fun to see all the badguy m0bs at apk hehe . But not to reset my password to something else :( and my sub , i know em in my hands 100% and now i gotta learn something new ( sobbing )
 
braxxus

Guest
I agree. I don't care who or why or what is at fault, I would just like to have this all sorted out so I can log back into the game! It's been 8 days now with no DaoC.....
 
Bleri McThrust

Guest
Originally posted by Draylor
Wrong - GOA's lack of proper security is entirely to blame for this.

Absolutely right
 
medowind

Guest
If a prisoner escapes from prison it’s the prisoner’s fault not the prison’s!
 
cleeve

Guest
'Lo all

Security is always a reactive thing. All you can do is make the best efforts you can to deny easy access. Tbh people who know enough about the way computers talk and services run will always be able to innovate faster than security experts can protect.

Having said that, my thoughts are that the game servers weren't hacked, the subscription servers were. Why bother trying to hack servers when it's far far easier to hack web servers. Most web servers have the nice vulnerable ports already open to provide access to services and it can be shockingly easy to access server side databases IF they are incorrectly secured or if someone has simply left the wrong line of code in the wrong place.

Once the hacker had the subby db - they had EVERYONE's accounts for the game - then it's simply a case of figuring out the level of access from the db and voilà - instant Prydwen 'event'

To prevent further access and damage - it was probably easier to shut the server down than leave it up - and hope that the hacker hasn't saved any tables to local drive. hence - new subby passwords and game passwords for everyone and no game access.

It's easy to jump on Goa over this. My only criticism is that they waited so long to do what they have done. There is no telling how many people have suffered from having their accounts 'stolen'.

That is all Supposition - I could and probably am wrong on a number of instances - but it fits with the actions taken by the company to date and tbh - gave me something to do whilst waiting for my fix to come back online :)

Try not to get too stressed, remember the chances are this is being done to protect YOUR characters.

Cheers

C
 
Gesp

Guest
If a prisoner escapes and wounds someone on the way, it's the prisoner's (that hacker-ish) crime and the prison guards' (teh uber goa) fault, and we're the one wounded in this case. Sounds better imo.
 
vandar

Guest
Originally posted by cleeve
'Lo all

Security is always a reactive thing. All you can do is make the best efforts you can to deny easy access. Tbh people who know enough about the way computers talk and services run will always be able to innovate faster than security experts can protect.

Having said that, my thoughts are that the game servers weren't hacked, the subscription servers were. Why bother trying to hack servers when it's far far easier to hack web servers. Most web servers have the nice vulnerable ports already open to provide access to services and it can be shockingly easy to access server side databases IF they are incorrectly secured or if someone has simply left the wrong line of code in the wrong place.

Once the hacker had the subby db - they had EVERYONE's accounts for the game - then it's simply a case of figuring out the level of access from the db and voilà - instant Prydwen 'event'

To prevent further access and damage - it was probably easier to shut the server down than leave it up - and hope that the hacker hasn't saved any tables to local drive. hence - new subby passwords and game passwords for everyone and no game access.

It's easy to jump on Goa over this. My only criticism is that they waited so long to do what they have done. There is no telling how many people have suffered from having their accounts 'stolen'.

That is all Supposition - I could and probably am wrong on a number of instances - but it fits with the actions taken by the company to date and tbh - gave me something to do whilst waiting for my fix to come back online :)

Try not to get too stressed, remember the chances are this is being done to protect YOUR characters.

Cheers

C

My understanding from reading the grab bag and the additional info Bleri got was that there is an admin/development tool/client which looks to have reached some1 out in the ether, possibly from simply an annoyed/sacked GOA employee or something. But basically this admin tool/client was used to create the event from outside of the GOA offices.
Read the text from Mythic, they have seen this as a possible threat to the security of the game and resolved it by tight rules on their firewall and more mundane security restrictions such as physical ones.

I suspect the client gives you access to change a user's password etc, hence the change of everyone's password.

I'd love to see how GOA handled this admin tool/client.
 
vandar

Guest
Oh, and while I'm at it, how long can it possibly take to write and test a script to update a record in a database and mail the info out to an email address in a field in the same database?

Minutes?...longer.......an hour?...more....several hours.....sounds reasonable to me......12 hours.........:eek:......a day.....:eek2:

And 18th August, that's a hell of a long time to have known about a problem to take a day's down time to fix.

Here's something to chew on........

4 * French servers = approx 16,000 players signed up?
5 * German servers = approx 20,000 players signed up?
2 * English servers = approx 8,000 players signed up?

Based on £10 a month we are talking:

£444,000 :eek6:

Now that's not pocket money.. Should pay for a few security consultants.
 
jetsetminer

Guest
Originally posted by Draylor
Wrong - GOA's lack of proper security is entirely to blame for this.

Agreed, GOA run an on-line server system, it's their job to employ people to keep the systems secure.

Not doing so is like leaving your front door wide open and then blaming the people who come in and steal your stuff, yes they shouldn't steal it but you are hardly blameless.
 
Ravenbourne

Guest
Originally posted by svartmetall
What really disturbed me was seeing GOA say something had been going on since August 18th...what the fuck have they been doing for the last 8 days?
But I agree, whoever did the hack is a tiny-dicked waste of DNA...once again I find myself wishing my keyboard had a "reach through the Internet and give someone a good slap" button.

They were probably streamlining this or improving that, then laughing at us all for putting up with their half arsed attempt at anything resembling customer service. I have to deal with French companies in my work, they are all the same, fucking useless at everything they do.
 
NetNifty

Guest
Originally posted by DeaD GuRu
if IT were a caring customer he would have sent a friendly email and told em that port nr blablabla was open and that he could enter doing blablabla then they (goa) could have adjusted it in a rational, silent way.

agreed but judging by RightNowOrMaybeNever's reputation, it's possible they just ignored it and the hacker had to do this to get their attention. more than likely a griefer tho imo.
 
deadkid

Guest
Originally posted by DeaD GuRu
nope, as you should know, nothing is perfect.......

is it our job to point to someone's weaknesses?
if it would be your job, no problem, otherwise why bother?

like GOA cares if we get hacked accounts etc.. they say "well keep your password away from people's eyes..."
Total Goa fault for wasting our time we expected to spend in-game...
maybe "hacker" if there was one.. is one of the offended by their service guys.. who wanted a payback on GOA and no he/she 's not the one to blame.. GOA shut things down not the hacker...
coz they lack the competence in fixing problems without affecting people.. French suck at serious jobs ( blame me for being nationalist if u want)

my 2 cents
 
rg-zorena

Guest
Well just another thought ... of all those who said they lost items chars being hacked maybe it's been truth in that all along or maybe it's ppl who have shared their account information on kazaa, who knows.
 
amuse

Guest
This ain't GOA's fault.. it's that little SOAB that hacked em (maybe)...
i mean... even the freaking Pentagon and NASA have been hacked!!

there is ALWAYS a way for a seriously good hacker to get in to a system.. no matter what u do, u can't stop this... the only thing u can do, is make ur service/system unattractive to hackers, have advanced security...

maybe this little sod stumbled upon a backdoor or smt while trying to have some fun...

there is always a way in to everything
 
old.Laryssa

Guest
be happy that the hacker didn't DESTROY anything - cheer him that he "helped" GOA with fixing their security holes ;)

well that GOA is not able to quick reset pwds is sad imho - it's just an update statement in a database with a mail send routine :D

2h work imho for a programmer :D
 
dapprman

Guest
Originally posted by vandar
Oh, and while I'm at it, how long can it possibly take to write and test a script to update a record in a database and mail the info out to an email address in field in the same database?

Minutes?...longer.......an hour?...more....several hours.....sounds reasonable to me......12 hours.........:eek:......a day.....:eek2:
If you know the database structure, 30 seconds to a couple of minutes for the script.
 
old.Laryssa

Guest
Originally posted by dapprman
If you know the database structure, 30 seconds to a couple of minutes for the script.

as I said - but GOA is not a dev company ... just publisher ;)
 
herjulf

Guest
Originally posted by DeaD GuRu
i was expecting a post like this....

if IT were a caring customer he would have sent a friendly email and told em that port nr blablabla was open and that he could enter doing blablabla then they (goa) could have adjusted it in a rational, silent way. A hacker does this for a hobby not to point out that there is a problem in there, just to fool around or act out of frustration because -he got banned for using illegal software- had a fight over an account or something- whatever-.
As Sibanac said in a post here... do you know all about networking, servers etc??? Do they know all?? Nope, they think that all is ok. And hackers will create holes in newly created security systems... that is what they do.. whatever their reasons may be, no one knows....
I don't care even.... they should be lobotomized ( not the white-hackers as they call themselves in that environment, the black-hackers ( has nothing to do with race nor colour, ok))


But no ... IT had to hack and demonstrate his utter power... now the firm panics because it could have been they were unaware of the problem. Things have to be adjusted asap... not all means are available at that time... panic causes faulty installations etc....


anyway.. defending this hacker is not wise... ppl would not "suffer" and be unhappy if it weren't for those sick minded hackers, jealous, etc...

first of all it was not a matter of some "advanced" net hack or something like that it was a matter of passing commands to the server, from the client/or a frontend to the client.
A scary weakness.

A weakness any of us can exploit if we have the right tool, in fact i don't know exactly how. i know the basic theory on how it was done etc.

Another weakness of the service causes us to be the target of measly cheating bastards, who use radar programs or macro/trigger programs.
Due to the fact that the client-server communication is NON encrypted, i have looked at this and i could reveal my own username/password from my laptop by sniffing the network traffic.
A lot more information spammed out of the and from the server, i could see names of players and numbers, i don't know what all numbers etc represent, but some1 who does can surely interpret them to something usuall.

This is also a potential security risk, even at this time, a lot of people are on "hubbed" networks.
Like cable lans, LANs and older ISPs.
And even switched networks aren't 100% safe, switches can be forced to leak packets.

What you fail to realise is that something far far worse very well could have happened.
why is that you may ask yourself. Well if some1 more malicious had taken control.... brrrr.

I see it this way, surely he has broken the law, and if/when caught he will get punishment for his action.
He will however have done us all an invaluable favour, he made sure at least GOA did what they could to secure their service.

My guess is that mythic will change the client-server communication someday, mainly due to those cheat programs that are around.

I suggest you read the hackers post after/meanwhile his event.
And taste his words a tad. Perhaps you will see something in it.
 
old.Laryssa

Guest
lol i got 2 pwds of my 3 accounts without naming the game account .... happy matching :p
 
erol

Guest
Originally posted by old.Laryssa
be happy that the hacker didn't DESTROY anything - cheer him that he "helped" GOA with fixing their security holes ;)

well that GOA is not able to quick reset pwds is sad imho - it's just an update statement in a database with a mail send routine :D

2h work imho for a programmer :D

Yeah totally agree. If the so called hacker had been malicious, then accounts would have been deleted, plats would have gone walkabouts etc... instead he just put a large number of mobs around a keep... to me that says, "hey guys, look what I can do, now please sort out your security!"

And yes, the passwords and email would be a 2 hour job, but I guess Goa are reviewing all the security now.... well I hope they are anyway, and who knows how long that will take.

Imo, they still have a lot to sort out with security, both in terms of policy and actual technology.

LOL, and knowing the French (I have also worked with them a lot before), they probably did hire security experts, but have not acted upon any of the advice that was given. :doh:
 
kaod

Guest
I have no real sympathy for Mythic or GOA, and feel people are fully justified for blaming them for this.

After all - they set the standard:
http://www.camelotherald.com/more/1021.shtml

Originally posted by Frisky Friday Grab Bag
from Sanya Thomas



Every case of "account hacking" has been people not keeping their passwords secure. If you share your password with others, if you email your password to strangers, and if you say, boot up a third party program and then type your password, your password is not secure. We feel bad for people who get taken advantage of, but we can't restore their accounts or their treasures. So never give out your password, and change it frequently.
 
Athanas

Guest
If the hacker had evil intentions, he could have all our credit cards in no time, like they did in Ragnarok Online.
GOA should make small self-security tests to their servers imho if they want problems like that to disappear for a long time.
And yes, it would be very thoughtful of them to have a script that recreates random passwords to the database and e-mails them but they are just publishers, like someone else already pointed out in this forum.
Happy waiting :(
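
The mass reset several posts in this thread describe ("an update statement in a database with a mail send routine"), as an added example that is not part of any post and is not GOA's or Mythic's code. It goes one step beyond the posts: instead of mailing new passwords it invalidates every stored hash and mails a single-use, expiring reset token, keeping only the token's hash. The `accounts` schema, the addresses and all function names are assumptions.

```python
import hashlib, secrets, sqlite3, time
from email.message import EmailMessage

TOKEN_TTL = 24 * 3600  # assumed validity window for a reset token, in seconds

def hash_password(password, salt):
    # Salted, slow hash; the database never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample data in a hypothetical accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, email TEXT,"
               " pw_hash BLOB, pw_salt BLOB, reset_hash BLOB, reset_expires INTEGER)")
    for login in ("alice", "bob"):
        salt = secrets.token_bytes(16)
        db.execute("INSERT INTO accounts VALUES (?,?,?,?,NULL,NULL)",
                   (login, login + "@example.test",
                    hash_password("old-" + login, salt), salt))
    return db

def force_reset_all(db, now=None):
    """Invalidate every password in one transaction; return the mails to send."""
    now = int(time.time()) if now is None else now
    mails = []
    with db:  # commit everything or nothing
        rows = db.execute("SELECT login, email FROM accounts").fetchall()
        for login, email in rows:
            token = secrets.token_urlsafe(32)
            db.execute("UPDATE accounts SET pw_hash=NULL, pw_salt=NULL,"
                       " reset_hash=?, reset_expires=? WHERE login=?",
                       (hashlib.sha256(token.encode()).digest(),
                        now + TOKEN_TTL, login))
            msg = EmailMessage()
            msg["To"] = email
            msg["Subject"] = "Password reset required"
            msg.set_content(f"Reset token for {login}: {token}")
            mails.append(msg)  # hand these to the real mail system
    return mails

def redeem(db, login, token, new_password, now=None):
    """Accept a token once, before expiry, then store the new password hash."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT reset_hash, reset_expires FROM accounts"
                     " WHERE login=?", (login,)).fetchone()
    if row is None or row[0] is None or now > row[1]:
        return False
    if not secrets.compare_digest(row[0], hashlib.sha256(token.encode()).digest()):
        return False
    salt = secrets.token_bytes(16)
    with db:
        db.execute("UPDATE accounts SET pw_hash=?, pw_salt=?, reset_hash=NULL,"
                   " reset_expires=NULL WHERE login=?",
                   (hash_password(new_password, salt), salt, login))
    return True

def check_login(db, login, password):
    row = db.execute("SELECT pw_hash, pw_salt FROM accounts WHERE login=?",
                     (login,)).fetchone()
    if row is None or row[0] is None:  # reset pending: nothing can match
        return False
    return secrets.compare_digest(row[0], hash_password(password, row[1]))
```
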
 
carky

Guest
yer- has he been banned from playing daoc coz i heard he was a player on 1 of the german servers
 
