Diablo2: Apocalypse Now! 235
Weyoun writes "All those who play Diablo2 know that their characters on the battle.net 'Realms' servers are supposedly secure and unhackable. This has been the case up until a few days ago, when a group of crackers discovered a method whereby they could log on as any character. Since then, they have reigned over a virtual apocalypse as hundreds of the top ladder players have seen their items stolen (including that of one well-known Blizzard employee). Even worse, beginning last night one of the hackers began systematically murdering the top hardcore ladder players, by logging in as them and getting them killed (death is PERMANENT for them). As of yet there has been no official reaction from Blizzard, but the entire community is in a state of shock over this situation." Update: 01/02 04:30 AM by T : It appears that Blizzard has now corrected the problem. See below for more.
Gaile - DiabloII.Net sent this update: "Blizzard has posted their response to the Diablo II Realm Character losses on their Realm Status Forum. The losses have been stopped (as of this morning), and characters are secure once more on the Realms. In addition, dead Hardcore Characters will be restored automatically, on January 8th, as outlined here:
[On] Monday, January 8, we will be reviving all hardcore characters who died between December 19th and January 1st. The restored hardcore characters will be revived with the experience, skills and items possessed as of Tuesday, December 19th. This restore will be automatic and players do not need to contact Blizzard to request that their character be restored. Note: Only dead hardcore characters that died between December 19th and January 1st will be revived.
In addition, a mechanism is in place for the retrieval of items, as well. The Blizzard post is on the Blizzard Site. We'll have more soon in the DiabloII.Net Bug Bytes section, which is an overview of the current game build."
Re:Another reason to develop for consoles? (Score:1)
Why? That won't solve anything. You can steal hack and cheat on console games. "Game Genie", etc.
Maybe... (Score:1)
.
Re:The general flaw: server side data (Score:2)
For the server(s) to authorize character changes to a signed, client-stored character, they would have to perform an expensive public-key-encryption step for every change. Hardware crypto coprocessors notwithstanding, this is infeasible.
Naah, no need. Just set up a session key and use fast conventional cryptography for one gaming session. I mean, heck, it works swimmingly well for SSH, so why not for a game?
-Rob
Security through Obscurity (Score:2)
Battle.net uses *obscurity* to implement its security. It seems to trust the client too much. Worse yet it seems that a simple logic flaw has cost Blizzard its reputation. Ack.
Another thing this proves is that the more obscure something is, the more complicated the system is, etc. It lends into being more of a challenge for 'hackers' and 'crackers' to break, which only fuels the fire. Though, if the system was open and exploits available and commonly known, you get the scr1pt k1ddies coming. Sheesh.
Or maybe it's just me..
Maybe it's a good thing... (Score:1)
Re:not just you (Score:1)
Obviously this would only be a short-term 'deal' to get back to the pre-disaster state.
Re:Yeah, imagine how horrible it would be (Score:1)
Teaches them a lesson (Score:2)
sympathy? (Score:1)
Re:The general flaw: server side data (Score:2)
You can't store anything client side, because you cannot trust the clients. It doesn't matter how much encryption or checksums you have on the client - the bad guys have all the code on the client, and can reverse engineer it down to the metal if they have to. They can write proxies that pretend to be properly checksummed, and behind the scenes are doing whatever they want.
You have all of the code to PGP (or GPG). You can reverse engineer it all you want. Are you able to easily change a digitally signed message and still have the digital signature check out? No. Hence, if done right, why would a game client be able to change a character and have a decently implemented checksum come out right the next time you try to use the character on the server?
I'm certainly not advocating storing things client side and relying on security through obscurity! I'm advocating reasonable authentication, but not putting all the eggs in one basket, storing all the characters out there on a single server where anybody can get to it.
I'm also not saying that the client code is the code that should authorize any changes to the character. That should be done from the server side, yes. What I'm saying is that the character *data* should be stored on the client side, not in a central server location, but it should be done in such a way that the server can authenticate the data and verify that it is in fact a character it had approved before.
-Rob
Why don't they use a PKI? (Score:1)
It's a game, non? (Score:1)
Mind you, I can understand the anger of people that have "worked" hard on their characters to achieve those levels. I am not nearly patient enough to do these things.
--
Re:call me silly... (Score:1)
from what i've read that seems to be what they did. they said hey i'm user "x" and the server said ok.. have fun "x".
Re:ouch (Score:1)
[sarcasm]I mean, when was the last time anybody was able to break into Microsoft...
Re:prosecute for what? (Score:1)
Seriously though, the US computer crime laws, most of which are in 18 USC 1030, do make it a crime to cause more than $5,000 of "damage" to a system, and "damage" includes money paid to system administrators and investigators to figure out what happened.
Blizzard. (Score:1)
Blizzard needs to do something, IN FACT because of this they should send everyone that has a registered copy of Diablo 2 some form of coupon or something to solace the people that have spent hours building up characters.
If Starcraft wasn't so old I'd demand my money back if I knew that I was going to play and that I'd be cheated against. It's not fair, it's no longer fun to play and I sincerely hope that Blizzard plans to do something about it. If they don't this will not be the last time we hear about this.
Servers suck! (Score:1)
Hmmm ... I wonder if that's why USEAST has been so friggin' laggy for the past couple of weeks now? All the "crackers" are trying to break in. I am completely fed up with it and would like for Blizzard to ask me what they can do with battle.net-- I dare them!
I will definitely NOT miss people begging for SOJ, FROSTBURN, or all the other UNIQUE/RARE's i can never get ahold of.
"This completely sucks... I'm going back to inventing that damn lickable wallpaper wonka teased me with when I was a kid ..." -- Me
Re:It is dark. (Score:1)
Anonymous (Score:1)
Karma security through obfuscation?
What are you smoking? That's how D1 was (Score:3)
And Diablo 1 was notorious for cheating! The correct answer is to centralize the important things on the server, because otherwise clients are free to modify them. Checksums are just obfuscation, unless you do crypto things to make a private key necessary to log in to your account... which, IMO, is overkill for a game. Of course, you also have to avoid bugs in your database system that completely circumvent the usual login procedure :)
Your post shows a complete lack of awareness of the history here--I think you are trolling.
Re:Partial rollback??? (Score:1)
Re:Uh (Score:1)
* 2000-09-29 07:28:04 Foresight Institute Using Slash for Nanotech Weblog (articles,science) (rejected)
* 2000-11-26 22:16:58 PCR with your G4 (articles,science) (rejected)
* 2000-11-28 03:54:25 Canada Reelects Liberal Party (articles,news) (rejected)
*/
Try those stories on kuro5hin. Duh.
Re:I agree. But blizzard should get sued as well. (Score:1)
Your post is bullshit. Like so many people replying to this story and others, no matter how secure your system is, someone will be able to crack it, through finesse (breaking into the bank's computer system with bugs in the system, finding an old password that hasn't been deleted yet) or brute force (driving a truck through the wall of the vault, walking up to the teller with a gun and making them give you money).
Re:Maybe it's a good thing... (Score:2)
Now Taco can get rid of Windows (Score:1)
His two stated reasons for having Windows are Diablo II and playing DVDs...
"Once the audio and video sync right I'm blowin away the Windows partition on my hard disk" to be quickly reminded of Diablo II located on same....
Well now all Taco has to do is focus on that DVD player for Linux... Because his character's been Hax0red... to death...
Re:good.. (Score:1)
Here's the deal - I'm uber-competitive and hate to lose at anything. I don't play games where luck is a greater component than skill. When not playing with others, I cheat. My wife doesn't understand why I'm so competitive and take losing so seriously.
One day, I finally had my answer: I care because my gameplay is a reflection on my abilities and/or intelligence. Simple as that. Some 12-year-old punk wastes me at Tekken Tag or the Grid, well I must be a moron and back to practice.
Also, what about the emotional involvement? Pride? Ambition? Power? Have you never felt anything for a character you've played? I can't speak for PC MMORPGs but on console, I very much give a damn about the characters I've spent weeks building up.
It's no substitute for life, but gaming can be a healthy complement to a real life! Don't like games, go do something else!
GTRacer
--Hopefully going online to kick ass with GT3
Re:Good thing (Score:1)
Re:Pay closer attention (Score:1)
Re:You wouldn't have to trust the clients (Score:2)
Let me say this as simply as I can: If you don't trust the client, that means you never ask the client for anything... except what key strokes and mouse movements the user is making. And you don't let that go by unchecked either.
As I alluded to in my first post: The bad guys could write a proxy that stored both the "correct" data, that would generate the correct check sum, but really used different data. In your scenario, the server tells the client: "Compute the checksum on your character data and send it to me". The client does something and then says: "OK, here it is". The server checks it and it looks good. So you let the client play. And then the client can use whatever data they want.
The easy way to make a game "unhackable" is to treat the client sort of like an X terminal. Raw keyboard and mouse input goes down the wire to the server. The server sends back a stream of jpg's and they get displayed on the screen.
With that design, the only way someone can do any "hacking" is to break into the server. The problem with that design, and the reason no one does it, is that it is too slow. So compromises have to be made. The client is used to cache data and do local computation. But as soon as you make that compromise, then the client can be modified to use different data (transparent walls, turn off fog of war, whatever) and to do computation differently (make my aim perfect).
You can attempt to prevent this by checksumming and other tricks, but if the bad guys are determined enough, they can always fake out the server.
Torrey Hoffman (Azog)
Re:prosecute for what? (Score:1)
Re:Gimme a Break (Score:1)
During the spring and summer months, I work with an auto racing team. We're by no means a multi-million dollar operation. On the contrary, our division is low-end professional racers and high-end amateurs. We're the amateurs.
At any rate, we work hard building and perfecting our race cars. Making sure that everything is just right, that the paint job is perfect, that it's clean and is in prime working condition. We don't get paid for our efforts. All the race winnings go back into parts for the cars. But during racing season I'm usually working at the shop 3 nights a week and out of town racing all weekend. And it's really a lot of fun. It's not a career, it's a hobby. It's a very involved game.
But every once in a while something happens. It's what we refer to as a "racing incident." Someone is driving in a way that they shouldn't be, or there is a mechanical failure somewhere and there is a wreck. And on more than one occasion our $60,000 race car has come home in the trailer a pile of twisted metal and fiberglass. It doesn't cost me anything. I don't have to pay to have it fixed. But it absolutely kills me to see something that I've worked so hard on destroyed.
Sure, the race car is a tangible object. It exists in the real world. But it's no different than the Hardcore Diablo II characters when you look at the effort that has been put into them. People don't mourn the loss of the characters as much as they mourn the loss of their effort and their creativity, and the product of the two of them coming together.
Emotionally, psychologically, it's no different. Even though one is just bits and the other is metal. That's why it's a big deal.
Re:More proof of why on-line gaming sucks. (Score:1)
It's true, there are too many losers in online games. I stopped playing EQ partially for that reason. The other reason is that the game is boring hack-n-slash.
I play Diablo II, but I only play with people I know. I have several friends who play, and my wife plays. I have never played a game with Joe Blow, and I never will, because Joe is usually an idiot or a cheater.
I still play Q3 and UT online sometimes, but I have probably deluded myself into thinking that no one is cheating.
Re:Doesn't Play In Linux (Score:1)
It is dark. (Score:5)
You appear to be in a cave. It is dark.
north
You go north.
You appear to be in a cave. It is dark.
You are likely to be eaten by a grue.
west
Sorry, you can't go that way.
north
You appear to be in a cave. It is dark.
cast create light
You fumble over the somatic gestures for create light
look
You appear to be in a cave. It is dark.
Someone says "0wn3d j00 d00d!"
cast detect in
Your eyes tingle.
3l33t d00d says "0xDEAD 0xFFFF 0xBEEF"
3l33t d00d casts Buffer Overflow
You have been killed!
Play again? (Y/n)?
N
Re:not just you (Score:1)
eudas
Re:Can these folks move on?? (Score:1)
eudas, ex-mudder
Response from Blizzard!! (Score:1)
Re:prosecute for what? (Score:1)
Re:Something kind of Ironic (Score:1)
Re:You wouldn't have to trust the clients (Score:2)
rknop: Except for saving disk space (reducing the amount of server-side data that must be stored while the client is disconnected), what problems would storing a hash of the character data instead of the whole data solve? If someone hasn't hacked your server, they can't change the server-side character data. If someone has read/write access to your server, then they can read your hash function, calculate a hash of their own altered character data, then write that new hash. It would make altering a character more tedious, but not more difficult.
Use public key cryptography, and encrypt things both ways, with your client's key and the server's key. In fact, you don't even need to store *anything* server side, which means that there's nothing server-side for crackers to modify in order to steal your character. (That was my mistake the first time around, thinking that any hash would need to be stored server side.) If the server has imprinted a digital signature on your character with its private key, and you're using crypto where faking that signature is hard (much as faking a digital signature with somebody else's private key in PGP is hard), then when you come back with a character, and the server sees that its private key checks out the digital signature, it knows that it's a legitimate character. If the server only signs characters it has approved, and only accepts characters with its digital signature, then you can keep control of your character data, *and* the server can be sure that only legitimate characters are coming back into the game.
Yes, there are ways around this too. Hack the server, steal its private key, and set up a man-in-the-middle sort of thing to modify incoming character data as people connect thereafter. This is more involved than just getting read/write access to the server, however. Without getting that server's private key, you can't change or replace other people's character data the way you can now, because that data isn't there on the server.
-Rob
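The scheme discussed in this sub-thread, as an added example that is not from any poster or from Blizzard: a hypothetical `CharacterServer` seals each approved character state and later accepts only states it sealed. Because the same server both issues and checks, HMAC-SHA256 under a server-held key stands in here for the digital signature, and a per-character version counter (the only server-side state) is added to show why authenticity alone does not stop an older approved state from being replayed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key for this demo; a real server would load it from protected storage.
SERVER_KEY = secrets.token_bytes(32)


class CharacterServer:
    """Hypothetical realm server that keeps only a version counter per character."""

    def __init__(self, key: bytes):
        self._key = key
        self._latest = {}  # character name -> highest version issued so far

    def _tag(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, character: dict) -> dict:
        """Approve a character state and return the sealed copy the client stores."""
        name = character["name"]
        version = self._latest.get(name, 0) + 1
        self._latest[name] = version
        body = dict(character, version=version)
        # Canonical encoding so the same state always produces the same bytes.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return {"payload": payload.decode(), "tag": self._tag(payload)}

    def accept(self, blob: dict, check_version: bool = True) -> dict:
        """Verify a sealed copy presented by a client before loading it."""
        payload = blob["payload"].encode()
        if not hmac.compare_digest(self._tag(payload), blob["tag"]):
            raise ValueError("bad tag: not a state this server approved")
        body = json.loads(payload)
        if check_version and body["version"] != self._latest.get(body["name"]):
            raise ValueError("stale version: an older approved state was presented")
        return body


def outcome(server, blob, **kwargs) -> str:
    try:
        server.accept(blob, **kwargs)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    server = CharacterServer(SERVER_KEY)
    # Constructed sample states: the same hardcore character before and after dying.
    alive = server.issue({"name": "Bob", "level": 90, "hardcore": True, "dead": False})
    dead = server.issue({"name": "Bob", "level": 90, "hardcore": True, "dead": True})

    # The client edits its stored copy: the tag no longer matches.
    edited = dict(alive, payload=alive["payload"].replace('"level":90', '"level":99'))

    return {
        "edited": outcome(server, edited),
        # Tag check alone: the pre-death copy is genuine, so it loads again.
        "old_copy_tag_only": outcome(server, alive, check_version=False),
        # Tag check plus counter: the pre-death copy is recognised as stale.
        "old_copy_with_counter": outcome(server, alive),
        "current": outcome(server, dead),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
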
Wow! (Score:2)
Feeding Frenzy (Score:5)
From reading the comments posted so far, there's a long stream of "So what? Get a life!" posts. To see that sort of thing coming from slashdot readers has got to be the biggest case of "Pot. Kettle. Black" that I've seen in a long while. It seems that even amongst geeks, there continues to be the constant need to place yourself on the next social rung up from the person beside you - to take something that someone else enjoys, and say "Hey, you're just a nerd. You should be doing something cool instead."
I don't play Diablo myself. I didn't even particularly like nethack. But being the sort of person who can happily spend an entire weekend coding, I can understand people who give their spare time away to something they enjoy, and in which they find some kind of challenge and fulfilment. And to have some fuckwits come along and callously erase all that hard work is going to hurt a hell of a lot of people.
Human nature depresses me. I say we take off and nuke the site from orbit, it's the only way to be sure.
Charles Miller
--
Re:prosecute for what? (Score:2)
As a caveat, though, in order to show that you committed a crime, the state would have to show the mens rea, the guilty mind, or the desire to commit a criminal act. If you put a quarter in a payphone and it explodes, you are not guilty of a crime. If you are trying to pry the coin box open and it explodes, well, then you were trying to commit a criminal act and can be charged with a crime. The state would have to prove, beyond a reasonable doubt, that you intended to cause damage to /. (At least for criminal charges. For a civil matter, they just have to show a preponderance of the evidence.)
IANAL, but I play one on TV.
Re:Something kind of Ironic (Score:2)
No, EverQuest's character stealing bugs (which have been fixed for almost two years now) relied on extremely unusual situations and were hardly exploitable because of the rarity of their occurrence.
From what I've been reading, the Diablo2 bug can be easily reproduced. The competition ladders in Hardcore are a graveyard now. These are characters with hundreds of hours of play into them. I hope Blizzard kept backups.
Re: (Score:2)
Re:The general flaw: server side data (Score:5)
You can't store anything client side, because you cannot trust the clients. It doesn't matter how much encryption or checksums you have on the client - the bad guys have all the code on the client, and can reverse engineer it down to the metal if they have to. They can write proxies that pretend to be properly checksummed, and behind the scenes are doing whatever they want.
The real solution to problems like this is to store everything server side, have really comprehensive backups, and really good log files.
The server must only send the clients what they should be seeing, according to the game rules.
When someone breaks something, fix the bug, and then roll back the game state to where it was when the bugs were first exploited. With sufficient backups, even if the bad guys completely take over each server, recovery is possible.
Take down the servers, rebuild their software from scratch, fix the bugs, restore the data from backup, and you are back where you started before the exploit. Then use the log files to track the crackers and sue their asses.
Slashdot had a big discussion on this subject back when the GPL'ed version of Quake led to some people creating hacked clients that gave them more capabilities than they should have had (like being able to see through walls, etc.)
You can't trust the client. End of story.
Torrey Hoffman (Azog)
Re:Feeding Frenzy (Score:2)
Right, Rob?
There are backup tapes, r-r-right?
--
Re:Problem fixed, items and characters restored! (Score:2)
In essence, having your characters deleted and wiped is not the big deal that you originally think it is at the time. If you're really any good at the game, it's only a minor setback. Plus, on the positive side, maybe it's a good chance to say "well, that's enough of that for now. i think i'll go do something else instead."
oh, and just for the record: Fuck You, Talen.
that is all.
eudas
call me silly... (Score:3)
My question - Will there be an official response? (Score:5)
What, if anything, will Blizzard do in the form of an 'official response' that acknowledges the cheats and lets the online community know how it will be dealt with?
As fellow slashdotters probably remember, I wrote an article on online cheating last june that was printed in Game Developer and posted to gamasutra.com [gamasutra.com]
I asked people at several companies if they would talk about exploits that had occurred in their games. One of those requests went to Blizzard, asking if I could talk about what happened to Diablo 1. Now at that point in time (last spring), the cheats and exploits on Diablo 1 were well known and old news. Yet the response I got back from Blizzard was (this obviously is not the exact quote) "No - we can't talk about anything regarding any cheating on any of our games and if you did say something too specific we'd strongly discourage you as we might get mad". For the record, in the article, I discussed the various cheats in my own games (Age of Empires series) most of all.
Now, this was actually about par for the course - for every developer willing to talk, there were ten that were in public denial mode. And as you might have guessed, it's a peeve of mine. Wishful thinking won't make anything go away and it only can further hurt the honest players.
I do think the climate is shifting, and that users are becoming less tolerant of 'head in the sand' tactics by developers and publishers.
I'm waiting to see what happens next.
I'd ramble on, but I have to leave.
-Matt Pritchard
How to catch the Bad Guys (Score:2)
-Jason-
The crackers have no sympathy ... (Score:3)
-----
Ladder reset (Score:2)
http://www.diabloii.net [diabloii.net]
We have received email after email from people reporting that their characters have been stripped of all their equipment, and many have been killed as well, costing experience, or in the case of Hardcore characters, permanent death. The USEast HC ladder is now a graveyard, with the top 15 or so dead, and we've heard from several of them, they were all alive, even sitting in chat when their chars suddenly turned to ghosts. There is no known way to prevent this, and if you want advice, I took every item off of my highest lvl HC char last night, and if she's dead next time I get on, I won't be surprised.
As for the ladder reset, it appears to have been undone on East, as there are numerous characters in the 90's. West already has characters in the 60's, and there are a bunch in the 50's on Europe, so either bugs are letting older chars on the ladder, or else a lot of people did some impossibly fast levelling in the past 9 hours. Happy New Year.
Re:Wow, who didn't see this coming... (Score:2)
Along the lines of yesthatman's comment... Mark Fabi recently wrote a fairly good cyberpunkish SF novel called Wyrm that takes place in the days leading up to 01/01/00. Though it has some pretty far-fetched stuff about what computers can do, there was one very intriguing idea: a virus planted all over the place, especially in pornography, in the hope that some gov't employee would download the stuff and transfer it to a "secure" missile-command computer not connected to the internet. The virus would then analyze the system and prepare a "report" that was transmitted back the next time something went from the secure computer to a net-connected computer. Then another virus would be prepared, to carry out more instructions, and so forth. Kinda time consuming, but the whole thing was being orchestrated by an "AI."
As I said, far-fetched. But it came to mind upon reading your post.
-J
Re:The general flaw: server side data (Score:2)
Your computer at home or at your office is certainly less secure than any server at, say, Microsoft, Red Hat, or Sun -- you depend on security through obscurity to hope that it doesn't get attacked. They don't.
The fact that computers at home depend on security through obscurity is a flaw in how home computers are configured nowadays. This is particularly a problem with Linux, where many distributions come out of the box running mail servers, web servers, at servers, etc. They should come running *no* servers. Somebody who needs that stuff will know how to turn it on. Most home computers should run few or no servers. At that point, you aren't just depending on security through obscurity; there's no way in to the computer! Obviously, this isn't exactly true, since you can use something trojan-like, such as the spate of E-mail viruses out there, but that's yet another flaw in how home computers are configured.
However, for sake of argument, I will accept your assertion that the Microsoft, RedHat, Sun, etc. servers are safer than your home computer, for the simple reason that the companies have paid security people watching the network, and your computer is running a stupidly open distribution of your OS that leaves lots of holes. In this case, yes, it probably is more secure to have your data on the central server than at home-- for *one user*. But we aren't talking one user. We're talking lots and lots of users. If Microsoft has thousands or hundreds of thousands of users' data online on the server, it becomes a very tempting target. A cracker who gets in there and wreaks havoc can destroy or meddle with the files of huge numbers of users at once. He's unlikely to do that to all of the client machines one by one. (On the other hand, he might be likely to write an E-mail virus that will take the drudgery out of going from client to client for him.)
For some people, who would be targets of disgruntled crackers, it might be worth it to hire security people to watch your computer-- and maybe that means putting your data on a Microsoft/Sun/RedHat server. But what this means to the rest of us, whom the crackers don't give a flyer about, is that now we've got our data sitting on the same place where the target has their data sitting. The analogy isn't to driving a car versus riding a plane, but is to driving a car and minding your own business versus trying to cut off a couple of people who are having a gun battle on the freeway.
All of this aside, for the common user, it may well be more secure to have his data on a central server. Not just from hackers, but from your own goofs (disk crashes, accidental deletions-- the server may well have backups that can rescue you). But for somebody who knows how to back up his data, and actually does it regularly, you can have more peace of mind knowing that you did your backups right rather than having to trust that the people who run the server did.
-Rob
Re:Security through Obscurity (Score:2)
This doesn't prove that at all. What this proves is that your servers need to make damn sure that no one can create an account with the same name as an existing account.
There's no trust in the client here that's being exploited, it's a bug in their server software.
What's happening is this:
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Okay. Here you go.
Re:Pay closer attention (Score:2)
Note that the server has to "muck" with the character in order for one to play the game. So, while you make perfect sense, if your server goes untrusted on you, you are still screwed, no matter where the character data is stored. (For example you could log in, do the authentication dance, and then have character killed by a hacker and downloaded back to the client.)
Yes, you're right. There's not much you can do about that. However, in that case, they have to hack the server and set up a hacked server in its place. Right now, all they have to do is convince the properly running server that you are the one who gets to access this juicy character data that's sitting there on the server. That's almost certainly an easier hack than setting up a "false" server, especially if the authentication is done both ways.
(Recent discussions about flaws in the security model of SSH probably become relevant at this point.)
-Rob
Re:prosecute for what? (Score:2)
I'm a most co-operative. Come here with a court order and I'll release the username.
We had a case where someone had used someone else's CC card number to sub to a porn site.
Cops came down, we did the investigation and sat there and said "well we know which account was used to log in, we know which phone number the call came from. We can't tell you until you've got a warrant. And when you've got that information that's all you've got. You can't prove who was on the other end of the phone, just that it was that phone - unless they can forge CLI."
So for all intents and purposes it was plain who the perp was but the cops never came back with a warrant for the information and the perp never got any comeback.
Blizzard may be taking action (Score:3)
Re:Feeding Frenzy (Score:2)
Can you imagine the riots of geeks if the first 50K slashdot accounts were erased by some punkass cracker?
Man, what a heyday the media would have with that one.
Rami
--
Re:Interesting... (Score:3)
Re:The general flaw: server side data (Score:2)
Let's look at the argument in favor of security through obscurity -- "There's only one of me; there are lots of us; why would anybody attack me?" That's a sound argument, and it is the argument that gets all of us through every facet of our lives in each and every day. I don't have a food taster, I don't have people check on my kids' friends, etc. My bet is that you don't, either. After all, any rational person would ask "Why would anybody target me? I'm not worth it!"
But that same argument applies if there are thousands of files on a single server! If somebody breaks into my employer's corporate network, they're not going to steal code from me, since there are just too many "mes" there. The same thing is true of your data if it's up on some great big server in the sky. If your data is physically safe in your home or office, then it's logically safe on some big company's server. The very same argument applies.
And, contrapositively, if your data is NOT logically safe on some big company's server, then it is NOT physically safe if you're trying to protect it yourself. Hey, you keep good backups? Good for you -- I'll hire a PI to come "reclaim" them for me. Lots of 'em won't worry too much about whether you really stole them from me or not. And what about the possibility of a fire in your office? If your office burned down tomorrow...where are your backups? Are they under your desk? How much good will they do for you if they're reduced to carbonized dust? Did the cleaning staff pick them up while vacuuming, placing them on top of your monitor? A monitor is a great degaussing device, you know...
The truth is that if what you've got is worth securing, then you will do well to get a pro to secure it, paying him or her to figure out how to put the layers of protection in place for each different item. One of those layers will entail offsite backup of at least some of your most critical data, and that will mean putting it in a site with other valuable data. That site will be subject to attack. If you've picked your security geek well, your data will still be more secure in that bank safe deposit box than it is in your own home.
You may feel more secure taking care of your own data, but you will *be* more secure asking somebody else to do it for you.
Guess I was Wrong Resurrections on Next Monday! (Score:2)
More resurrections than you can shake a stick at...
From Diabloii.net
Guess this was important enough to make a real exception. So much for "Blizzard will not, and does not have the capability to restore any deceased Hardcore characters."
More proof of why on-line gaming sucks. (Score:2)
I want to play a co-op dungeon crawl. People on battle.net don't. They want to max their characters out, so they join your game to solo and kill monsters, making it harder for you, and taking up a space an honest co-op player could be in. The usual response when you ask them to go to an experience building game? "Fuck you." And this isn't even a tech problem, it's a person problem. For some reason, I get called a whiner for bitching about this. I want to play the game's main feature, playing with other people to explore the dungeons, but it's simply impossible nowadays, because nobody has the courtesy to stick in games made for what they want to do, and it's whining to be upset?
On top of all this, Blizzard's attention to security has been atrocious. The game shipped with full online functionality, but NO change password function. Got your password stolen by a keystroke logger trojan advertised as a simple text color changer? Too bad, better start downloading that Starcraft Shareware over your modem to get password changing before somebody strips your account. Has password theft become an epidemic? Let's wait six months to add one of the most necessary parts of account management to a game.
That was bad enough. Now there's a sure-fire method to access anybody's characters, with no way for people to defend themselves, and Blizzard leaves the servers up. What? Although naturally not as serious, it's akin to a credit card company leaving a server up that has compromisable CC#'s, even after numerous incidents. WTF kind of logic is that? And it's not just hard-core nerds who stay in their basements all day, playing the game 24/7, unlike the snide posts on here would have you believe. It's people who play the game a few times a week, building up their characters slowly, only to have it all ruined through the maliciousness of another person, and no fault of their own. Yeah, that's real funny.
Re:The general flaw: server side data (Score:3)
I don't think that would go over too well at all. Players invest huge amounts of time on these games building up their characters. Imagine if an exploit existed for a week or more in EverQuest, and they rolled everybody back to their previous status, including the 250,000 players that just had an honest experience and item gain during that time. We wouldn't let Verant hear the end of it, and many of us (me included) would cancel our account.
I don't think any MMORPG maker would implement this if they wanted to stay in business.
--
SecretAsianMan (54.5% Slashdot pure)
illegal? (Score:5)
Re:Oh please (Score:2)
Re:ouch (Score:5)
And I guess lasting half a year without any cheating incidents is pretty good, compared to most other online games.
But there were other "cheating" incidents. Two major ones come to mind. In the first, characters were able to go "hostile" on another character from anywhere in the game. Normally you can only go hostile on another character if you are in town (where you can't attack) thus preventing a quick hostility + attack to surprise kill players.
The second hack increased running/walking speed tremendously by exploiting a feature in the game's frame rate code. This in general was not a major problem until people used it to go hostile in town and then run and kill someone.
The problem with the new hack is that it's not done in-game. The "hack" is just a bug in the server code that lets a player jump into another player's character, then join games and play as that character without ever typing in a password. At first all that happened was that characters were losing all their items (read a few threads at the lurker lounge or in the forums of www.diabloii.net [diabloii.net]) but then characters started dying. That's when the REAL uproar happened.
Frankly this disgusts me. It's one thing to use legitimate, in game features to attack, kill and steal, it's quite another to exploit a bug to do it covertly. And don't expect Blizzard to do anything about it, there have been lots of scamming and other Bad Things (tm) going on for awhile now, and even though they *could* disable specific CD keys from Battle.net, they apparently refuse to do so.
Stronger encryption isn't the answer either, incidentally, since it's a bug in the server code (or, so says the forums).
Backups on battle.net (Score:2)
This is largely because they are a small company, and if every half-brained lamer on bnet went whining to them every time they lost something, they would never have time to do anything else.
Log files are all very well and good, but there are problems. There are two pieces of information that the servers receive which could be used to identify a person. These are the CD key and the IP address. Dynamic IP addresses make the latter pretty useless, and CD keys can be stolen/faked, and they may not even be logged like that (I've heard it suggested that they aren't, for security reasons, which I consider to be a really bad idea)
The worst part is, it's a really stupid bug, and it's INCREDIBLY easy to exploit it - you can use the regular D2 client. (No, I won't explain how it works) Suffice it to say that somebody must have made a really gross mistake in one of the recent server patches.
(I am in no way affiliated with Blizzard, I won't give you free stuff, and if you're Korean and loud and run into me in the game, you're toast)
Re:You wouldn't have to trust the clients (Score:2)
Yes, his argument was that you can *not* trust the client too. In both his and your scheme, you store something on the server-- either the data, or the hash. Or the private key, with another method proposed below.
Of these three options, I would most rather store all data on the server. Character data does not take much space, and allows the operator to make backups. The incident reported in this article is an example of when backups become very useful. Indeed, Blizzard just announced that they would be resurrecting all hard-core characters which died after December 19th.
~
Re:The general flaw: server side data (Score:4)
And keep in mind that an attack can consist of something as crude as stealing a whole computer, lock, stock, and barrel. That's a lot more efficient than working across the network, believe it or not. I can't speak for all corporations, but most majors have their key servers in rooms with alarms and/or armed guards. I'll bet that your backups aren't stored in such safe conditions.
This is the same fallacy that leads people to be scared while the plane is landing, and then be blase when they pull out onto the freeway. Guess which of those is more dangerous?
Clarification to prior comments (Score:2)
When I said I had a big question, I meant just that - it is a Question that interests me.
Blizzard can fix this particular problem independent from having to acknowledge publicly that it was hacked and players were damaged. So the question remains: Will they say something they don't have to?
I find it interesting because of all the factors involved (installed base of game, popularity, striking at top (most time invested) players, etc) and am curious as to how it will play out.
Personally, most of the guys at Blizzard I've met in person are pretty cool, and some of them wanted to talk about specific things that happened to D1. (BTW: What I asked them was to discuss the technicals on a problem they had already fixed so both the problem and a solution could be presented - Thus educating other developers while not putting the current D1 player base in any possible harm - The guys in the trenches were cool with it, but when they ran it up the chain of command is when it hit the snag)
I do stand up for my personal belief that failure to disclose successful cheats is not the best thing to do. The developers and publishers do not have exclusive control of the flow of information about their games (/shudders at the thought) and therefore run a considerable risk of being cast in a bad light and upsetting the people who are, after all, their paying customers when an exploit becomes well known (or posted to
I regret any confusion my prior comments may have caused.
-Matt Pritchard
Screw online, just play alone or w/ friends. (Score:4)
As if there wasn't enough about b-net to be pissed over already.
This is just UO-"Death of Lord British" all over again. Yet another blow to online gaming. How many more companies are gonna step up and offer this for free if this keeps up? And, boy, wasn't UO a colossal rip-off anyway? You pretty much HAD to treat it like a job to get your damn money's worth out of that dog. I'm glad that no one else has attempted to put out a purely ol game since.
We now have one more example of why parents should just buy their snotty little brats consoles instead of P5s. Better yet, just buy them a pack of playing cards and watch them crow about their superiority through cheating at solitaire.
My real point is that I don't play with anyone online anymore. It's ALWAYS a fucking mistake and a bad return on the investment(time/money/stress). It's been proven on every ol game that unless you have someone supporting you so you can play 16 hours a day, you might as well forget having fun with anyone you don't personally know. Unless you can track someone down and kick their ass physically as a means of enforcement, there is nothing preventing them from using any number of means to thumb the scales.
Actually, I've found that even hacks don't need to be employed. All you really need is Google and the time and seediness to want to learn the bunny-strafe or the x-unit rush or the gold-multiplier exploit or the mystery-vertex-glitch camping spot. And if your opponent is just up for casual play, well, he wanted to be meat. If he was serious, he'd be scouring the web as well. Since when did I need to be serious about a fucking game?
And ol guilds as a response/defense is specious at best, due to its status as more of a symptom of the disease rather than anything close to a cure. I bet T-cells in an AIDS victim have similar conversation threads as the PKK-guilds and whatnot.
Realms was a puss-ass attempt at a gated community, anyway. Well, freaks can still ride in through the front gate if they are in the parent's back seat. Or if they're employed by the residents. Or if they just plain have the time/energy/malicious boredom.
Of course Blizzard hasn't said anything. This activity negates one of the promises that made me even buy their software. They can't respond until they can close the hole. And they won't be able to close the hole for a good while (the next 12 hours would qualify as that). Anyone want to lay money on the security of their CD-key system now? Anyone want to lay money on whether the crackers were using valid CDs?
In any case, this is one more reason why I don't factor online play into any of my game purchases anymore.
ol != fun^sum(players)
How to prevent, blizzard response, etc (Score:2)
What's insane is that Blizzard took the Realms down last night for 'emergency maintenance'. After a couple hours, they came back up, with no mention of the reason they were down or mention of a fix. A lot of people mistakenly thought things were repaired -- and paid the penalty. What we can't figure out: why haven't they said ANYTHING? Why not just shut the realms off? Or say ahead of time: all characters will be rolled back until as of now, so you can play, but it will be rolled back, along with all the thefts. Only Blizzard knows what's going through their heads, and they aren't saying.
I have one friend who makes $2500-$3000 systematically acquiring, trading, and selling on ebay the best items you can get in the game. He anticipates his income will be devastated by this incident, because people used to trust that their stuff would remain their stuff -- and now, who could trust the realms?
Re:Maybe it's a good thing... (Score:2)
Re:Clarification to prior comments (Score:2)
Quick question. Do you know if AoE is coming over to the Xbox? Man, I'd love to play a souped-up version on the Xbox.
Keep it real !
The problem with backups (Score:2)
- Most likely this has been widespread for a few days, as it usually takes a day or two for something like this to bubble up to Blizzard admins, let alone Slashdot.
- Most likely 99% of the Blizzard players are unaffected. This sounds like a hack somebody used from the regular game client, not somebody who r3wted a battle.net realm server. Therefore, they could only do damage one player at a time, and the vast majority of players aren't worth messing with even as an exercise in vandalism.
- Most likely this has been going on in SOME form for more than a few days, as the person who discovered the exploit wouldn't be likely to tell the world immediately. One person messing around in this fashion would be unlikely to be noticed - even if someone reported the problem immediately they would get jerked around by admins who thought they were lying to get their stuff back. It's easy to believe that Blizzard admins get lots and lots and lots of spurious "fix my character!" requests every day.
This leaves them with a gaping question: which backups do they restore? (Assuming they even have an option.)
- The entire player database back to the point where the hack was first reported? That's screwing 99% of players out of a week's work to help the 1%. Even doing a full restore back a day or two would be a PR disaster. Can't do that.
- Hand-selected characters who reported the hack? How do they differentiate from the people who actually got toasted and the sea of voices claiming they lost stuff illegally when in fact they got killed/lost gear legitimately? This is at least a good move PR-wise, because they'll only have to put up with minor bitching from the people who decided not to jump on the bandwagon. But it becomes completely unfeasible if they make an effort to investigate every claim. The less investigating they do, the more freeloading that will occur.
Any way Blizzard handles this, the hackers have done their damage. Sorry Blizzard, should have spent more time debugging your code and less time trying to pack 2 million players into a space built for 100k...
--
Re:Every computer can be hacked? (Score:2)
What happened with DiabloII was probably some mixup of case-sensitive and case-insensitive distinguishing of characters (like when they check your new character name against existing ones it's done case sensitive, but when you access a char it's case-insensitive, so you can create a char with the same name as one existing, only different case and such access the existing one (that's what I guess from characters appearing twice in Highscore lists prior to the mischief being done) there's probably a little more to it, I would guess some client side hacking to prevent the client from sending the charname in all lowercase or somesuch). Things like this will happen anywhere if more than one programmer is working on a project and apply slightly different rules how a certain thing should be done. There's numerous other things I can imagine, if you find a possibility to crash the serverside of a game before characters are saved, you get (for example with a buffer overflow) a cheap way of duplicating things
To say that Linux, FreeBSD and Solaris are unhackable means complete ignorance of their past bug histories (and I don't believe that bug history will stop on 1/1/01) especially sendmail (which runs on many of those machines) showed numerous vulnerabilities. Discussion of bugs in open forums may lead to a short lifetime of those bugs once they become public, but every once in a while something is uncovered which was overlooked for a year or more, and not every admin installs all security patches the moment they are announced.
So instead of "every computer can be hacked" it'd be more correct to say like "99% of all computers on the internet can be hacked." or "The probability that (specific configuration) can be hacked is (something in the high nineties)%", but it sure has more credibility than saying "server xy is unhackable".
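The mismatch guessed at in the comment above (uniqueness checked case-sensitively, lookup done case-insensitively) is an instance of a general canonicalization bug. The sketch below is an added example, not Blizzard's code and not part of the original comment; the class names, account names and storage layout are assumptions, and the second store plus the audit function show the usual fix and check.

```python
import unicodedata
from collections import defaultdict


def canonical(name: str) -> str:
    """Single canonical form, to be used for BOTH uniqueness and lookup."""
    return unicodedata.normalize("NFKC", name).casefold()


class MismatchedStore:
    """Hypothetical store with the guessed flaw: two different comparison rules."""

    def __init__(self):
        self._owned = set()       # (account, raw name) pairs
        self._characters = {}     # lowercased name -> character record

    def create(self, account, name):
        # Uniqueness check compares raw strings, so "pokedin" != "Pokedin".
        if any(raw == name for _, raw in self._owned):
            raise ValueError("name taken")
        self._owned.add((account, name))
        # Storage is keyed case-insensitively; the first record wins.
        self._characters.setdefault(name.lower(), {"owner": account, "name": name})

    def load(self, account, name):
        # Ownership is checked on the raw name, data is fetched by lowercased name.
        if (account, name) not in self._owned:
            raise PermissionError("not your character")
        return self._characters[name.lower()]


class ConsistentStore:
    """Same interface, one canonical key everywhere, owner checked on the record."""

    def __init__(self):
        self._characters = {}     # canonical name -> character record

    def create(self, account, name):
        key = canonical(name)
        if key in self._characters:
            raise ValueError("name taken")
        self._characters[key] = {"owner": account, "name": name}

    def load(self, account, name):
        record = self._characters.get(canonical(name))
        if record is None or record["owner"] != account:
            raise PermissionError("not your character")
        return record


def find_collisions(names):
    """Audit an existing name list for entries that differ only by case or form."""
    groups = defaultdict(list)
    for raw in names:
        groups[canonical(raw)].append(raw)
    return {key: raws for key, raws in groups.items() if len(raws) > 1}


if __name__ == "__main__":
    # Constructed sample data: the kind of duplicate ladder entry the comment mentions.
    print(find_collisions(["Pokedin", "pokedin", "Azog"]))
```

Running `find_collisions` over the existing name table before deploying the canonical key shows which records already collide and need manual resolution.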
Wow, who didn't see this coming... (Score:5)
The only computer that can't be hacked over the internet is a computer that can't be accessed over the internet.
Dark Nexus
Re:prosecute for what? (Score:2)
Re:Security through Obscurity (Score:2)
I disagree here. Have you played the game? You can't do anything in the game without the client asking the server to make sure it's ok. It's probably the single biggest reason lag is a problem in the game. You can't even pick up an object from your inventory without asking the server if it's ok (and you can't drop it either, making for problems if you're holding an item and need to run away quickly).
As far as how they implement their security... what, by having it closed source? There are other closed-source forms of security, would you call those "obscurity"? This is a bug in the battlenet servers. It could be corrected client-side by making a check, although that could probably be hacked to change it back. It *should* be correctable on the server side, but they haven't done it yet.
How will this affect other MMP games? (Score:2)
prosecute for what? (Score:5)
I'll admit I don't know what you have to agree to when you play on battle.Net, but I can just see the case:
Prosecutor:
Your honor, the defendant killed off a top 10 hardcore character after stealing a Bow of Major Virtue from him. He created a character by the name of Pokedin, who he obviously should have known was a high-level character's name, and tried to connect with this character name until he got in. After he connected, he then allowed this character to be killed. Since our client was playing a hardcore realm character, he could then not reconnect as his character. We are suing for lost time my client spent building this character up, damages in the amount of 834,342 gold pieces, one pair of Plate Boots with +40 to mana, and three dates he passed on to play the game.
Yeah...it sucks, but I doubt it'd fly.
Re:ouch (Score:2)
And year after year the release of their games shows how that is utter BS.
The incidents of bugs and imbalances in their games has become more and more apparent. The Diablo series, while a masterpiece of story telling, is a shoddy example of programming. Diablo 1 was AWFUL. It appeared to be very ahead of its time, but it was easily hacked and quickly became very unfun as the guy next door hacked his character to have every advantage under the sun while you tried to work your way up "honestly". Diablo 1 quickly became a $50 chat program.
Diablo 2 solved a lot of design problems, and while there are still some balance problems (gee, 48 of 50 top ladder players are barbarians? go figure) it's a far more fun game no matter what character you play. They had a lot of good ideas, which outweigh most of the bad ones, which aren't too common.
However, the quality has suffered severely. With every patch that fixes something they break something else.
First they find out that one skill's range is broken. Then they fix this by redesigning the way the game calculates range. They release a patch, and end up breaking 3 other skills' ranges, plus 1 more skill in a way that has nothing to do with range!!! What kind of QA is this?
Someone open source this puppy because obviously Blizzard can't do it themselves.
We know when this started, right? (Score:2)
You get what you pay for. (Score:2)
No I'm not referring to Camelot, I'm referring to The Total Entertainment Network. It was a subscription service ($20.00 a month) for playing games online. It was run in a 1 million dollar fail-safe machine room by people who were experts on the net. It had a security system that was tested and approved by Dan Farmer (the author of Satan) and during its three year history, though there were many, many runs, NO ONE ever broke into it.
Alas, the public decided that free and half-assed was a better deal and TEN died from the market pressure as you could not run a system of that sophistication and quality on the dribble of money advertising brings in.
So, as I started out by saying. The Diablo players got what they wanted and what they paid for. They'll get no sympathy from me.
Re:ouch (Score:2)
Re:Teaches them a lesson (Score:3)
Not like that classic car you spent years and thousands of dollars restoring. That could Never get totalled in an accident after all.
Or that house that you planned for half your life and had to have wood shipped halfway across the country from the mission church it used to be in. That could Never burn down.
Or that friend of yours you've known for a decade. He could never be in an accident or get a disease or be mugged or fall off a building or have a piano dropped on him..
Get a clue, everything in life is transient. How you choose to spend your time is Your choice. If you have more fun with games than with any of the other hobbies humans find to fill our meaningless little lives, then play on. If you don't, then go out and get wasted at a club or go to church or whatever other pointless activity you feel gives your existence a purpose. But if all that makes you feel worthy of living is telling people how pitiful they are for getting upset at having something they labored to create destroyed, go do it elsewhere.
Interesting... (Score:2)
You would think Blizzard would have some sort of database backup that they could recover for this type of event. They have so much riding on the information, it would seem silly to only have one copy.
Re:good.. (Score:2)
that's what I was thinking...I can understand being upset and pissed for about 5 minutes. After that, get a fucking life.
So, you are the arbitrator of how people should spend their time, and you've decided that playing Diablo 2 isn't an approved activity?
I agree that some people go way overboard with some games, but that's their right.
Clearly, everyone should be playing Unreal Tournament.
The general flaw: server side data (Score:2)
I think that calling this Apocalypse for loss of game characters may be a bit alarmist.... However, there are lessons to be learned here for people doing actual *work* on the internet.
The basic flaw here is that the characters are all stored on the server. I don't care how good your crypto is, one day somebody will find a bug and figure out how to exploit it.
The damage may be mitigated if Blizzard had good backups. One can only hope.
However, the hack would have been made a lot harder in the first place if the characters were *not* stored server side. Store them client side, with a checksum stored server side to prevent client side cheating. Yeah, somebody may still figure out how to delete your server-side checksum, but they won't be able to muck with your data as much that way. And, if you use public key crypto, the "checksum" stored server side may be something that never needs to get sent anywhere but the server, making the thing intrinsically harder to hack.
There is a serious lesson here for systems like .NET. No matter how good the people running the server assert that their security is, you're asking for trouble by storing your data on a centralized server rather than on your own machine. I for one plan never fully to go to what is being touted as "the next platform". Some stuff I'll keep on servers, but I'm going to keep local backups on my *own* machine (and my own tapes), and I'm going to keep the documents I care more about on my own machine. Then I only have to worry about the security of just my machine, not some central server that's designed to be accessed by many people from many places.
-Rob
You wouldn't have to trust the clients (Score:2)
Azog: If you have a proper one way hash function doing the server-side checksum, you don't *have* to trust the client. You have the client send you all its character data, and if the checksum of the client data doesn't match the stored checksum, you don't allow that character to play. Perhaps rknop was misleading in his use of the word "checksum" (since a real checksum would make it easy to generate an upgraded character profile with the same checksum), but his mention of public key crypto should have made it clear that he was talking about a 1-way hash function, which would make client cheating as difficult as faking a PGP signature.
rknop: Except for saving disk space (reducing the amount of server-side data that must be stored while the client is disconnected), what problems would storing a hash of the character data instead of the whole data solve? If someone hasn't hacked your server, they can't change the server-side character data. If someone has read/write access to your server, then they can read your hash function, calculate a hash of their own altered character data, then write that new hash. It would make altering a character more tedious, but not more difficult.
The Craven (Score:5)
Once upon a millennium dreary, while I pk'd, weak and weary,
Over many a faint and furious game of DiabloII,
While I killed 'em, eliciting yapping, suddenly there came a hacking,
As of some one gently a-hacking, hacking at my character's door.
"'Tis some rapist," I muttered, "hacking at my character's door-
Blizzard: "Only a ladder quirk, and nothing more."
Ah, distinctly I remember it was in the bleak December,
And each separate dying hardcore wrought its ghost upon the floor.
Eagerly I chugged a bull;- vainly I had sought to mule
From my PC internet of lust- all my items turned to dust-
For the rare and radiant things with my Amazon bonded-
All were quickly by evil absconded!
And the anguished cries of all those that died & lost sweet things
Saddened me- maddened me with fantastic terrors never felt before;
So that now, to still the beating of my heart, I stood repeating,
"'Tis some hacker entreating entrance at my character's door-
Some late hacker entreating entrance at my character's door;-
Blizzard: "Only a ladder quirk, and nothing more."
Presently my soul grew stronger; fervently I sought of Schlonglor,
"Boy," said I, "or Madam, truly your assistance I implore;
But the fact is I was napping, and so gently it came a-hacking,
And so faintly it came a-hacking, hacking at my character's door,
That I scarce was sure I heard you"- here you (Blizzard) opened wide the door;-
Schlonglor replied, "Deal with it!".
Deep into that toilet peeing, long I stood there wondering, fearing,
Doubting, dreaming dreams no heroes ever dared to dream before;
But the silence was unbroken, and from Blizzard came no token,
And no word there spoken, all my characters lay dead & broken
Blizzard: "Only a ladder quirk, and nothing more."
Back into Bnet a-turning, all my soul within me burning,
Soon again I heard a hacking somewhat louder than before.
"Surely," said I, "surely that is something at my windows 98 Reg?:
Let me see, then, what the threat is, and this mystery explore-
Let my heart be still a moment and this mystery explore;-
Blizzard: "Only a ladder quirk, and nothing more."
Open here I flung the shutter, when, with many a flirt and flutter,
In there stepped a stately Craven of the saintly days of yore;
Not the least obeisance made he; not a minute stopped or stayed he;
But, with mien of lord or lady, perched above my character's door-
Perched upon a bust of Diablo just above my character's door-
Perched, and sat, and nothing more.
Then this ebony turd beguiling my sad fancy into smiling,
By the grave and stern decorum of the countenance it wore.
"Though my character be shorn and shaven",
Thou I said, "art surely a Craven,
Ghastly grim and ancient craven wandering from the Nightly shore-
Tell me what thy lordly name is on the Night's Millennium shore!"
Quoth the Craven, "You've been jacked, w h o r e."
Pay closer attention (Score:2)
Your post shows a complete lack of awareness of the history here--I think you are trolling.
I'm not trolling at all. And, yes, I'm unaware of the history. And, no, you didn't understand what I said. Obviously, the client-side character in D1 was implemented poorly, from what you say. Obviously the D2 server-side character was implemented poorly, from the original news story. From just that alone, it's not obvious that one or the other is better. But I still believe that a client-stored character is safer.
Obviously, yes, it's really easy to have data stored on the clients in a manner that makes it too easy to cheat. Think it through; what I was in fact proposing was a checksum which uses public key cryptography to authenticate itself. It's not that big a deal to make a private/public key; it can be an internal part of the program, and the user never has to know it is happening. All the keys can be stored internally to the client data. I don't see why this is overkill for a game, any more than getting the fastest CPU out there is overkill for a game. It's just using technology to help enhance the gameplay.
Basically, the server could authenticate the character exactly the same way that you authenticate digitally signed PGP messages. Digitally signed PGP messages store a checksum. The message can go anywhere, but people can check that the message fits the checksum. This isn't just obfuscation at all.
Changes to the character have to be approved by the server, but the characters then don't need to be *stored* on the server. The server just needs information to be sure that when a character comes back, it's an approved character. Digital signatures with decent public key cryptography serve this need to a T.
If the character data is on the server, then people who hack the server can muck with it. It probably could be done better, again using some sort of public-key cryptography. However, if the character data is on the client side, then somebody has to hack your client to screw with your character. Yes, it can happen, but it's less likely that we'll see the kind of wholesale hacking we're seeing here. If the server has decent authentication of the client's character, then that prevents you from cheating by modifying your character offline and coming in with an upgraded character.
-Rob
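The scheme argued over in this comment and in the earlier "The general flaw: server side data" and "You wouldn't have to trust the clients" comments (character kept on the client, server keeps only enough to authenticate it) can be sketched as follows. This is an added example, not from the thread or from any game's code: it swaps the proposed public-key signature for an HMAC under a server-only key, which is enough when the server is the only verifier, and it adds a version counter, an assumption of this sketch, so that an older validly signed save cannot be replayed.

```python
import hashlib
import hmac
import json
import secrets


class CharacterAuthority:
    """Server side: approves changes, signs the result, keeps only a counter."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key, never sent to clients
        self._latest = {}                     # character name -> last issued version

    def _tag(self, blob: bytes) -> bytes:
        return hmac.new(self._key, blob, hashlib.sha256).digest()

    def issue(self, name: str, state: dict):
        """Sign a server-approved state; the client stores (blob, tag)."""
        version = self._latest.get(name, 0) + 1
        self._latest[name] = version
        record = {"name": name, "version": version, "state": state}
        blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return blob, self._tag(blob)

    def verify(self, blob: bytes, tag: bytes):
        """Return (record, "ok") or (None, reason) for a save the client presents."""
        if not hmac.compare_digest(self._tag(blob), tag):
            return None, "bad tag"            # edited offline, or tag made up
        record = json.loads(blob)
        if record["version"] != self._latest.get(record["name"]):
            return None, "stale version"      # genuine but superseded save
        return record, "ok"


def demo():
    """Constructed walk-through: valid save, offline edit, replay of an old save."""
    server = CharacterAuthority()
    alive = {"level": 90, "gold": 834342, "alive": True}
    blob1, tag1 = server.issue("Pokedin", alive)
    results = {"fresh": server.verify(blob1, tag1)[1]}

    # Client edits the stored blob offline and keeps the old tag.
    edited = blob1.replace(b'"level":90', b'"level":99')
    results["edited"] = server.verify(edited, tag1)[1]

    # Server approves a later change (the hardcore character dies).
    blob2, tag2 = server.issue("Pokedin", dict(alive, alive=False))
    results["current"] = server.verify(blob2, tag2)[1]

    # Client presents the earlier, correctly signed save to undo the death.
    results["replayed"] = server.verify(blob1, tag1)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The counter is the only per-character state left on the server; it authenticates what the client presents but restores nothing, so the backup question raised elsewhere in the thread is unchanged.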
Preach on brother (Score:2)
I haven't factored online gaming into my game purchases since Starcraft, and probably won't unless I win the lotto and have 5 hours a day to play them.
Re:The general flaw: server side data (Score:2)
A lot of good it does you, because the server is never going to trust that data again. You lose. (This is not the only flaw in your proposal.)
Something kind of Ironic (Score:5)
Re:Every computer can be hacked? (Score:2)
Your statement is wrong for two reasons:
Re:We know when this started, right? (Score:2)
good.. (Score:3)