"Some kid says "I found a security hole, here's how and a list of what I touched" and they send the FBI after him?"
I'm hardly concerned about the FBI statement. It's not uncommon to hear, and I have nothing to be worried about.
"Agreed. If he told you how he got in and didn't appear to break anything, you should just give him a pat on the back and fix it, not ban him and report him to the FBI. That said, it is kind of scary that someone got in like that..."
Well, there was no "getting in", just "look what he left open". I don't want to post exactly what they are in public, that's rather antithetical. Also, a pat on the back isn't necessary.
I do this kind of stuff for fun. I mean, it exercises my knowledge, plus it helps other people out as well. Win-win, usually.
"Thanks to most of your responses to feedback and this little bit, I'm not even going to touch your game. "
Aaaaand shoot. Now this has turned into a drama.
"I think this is all a bit hasty... It's perfectly understandable that someone would panic after having their game hacked."
That's my theory, at the moment.
http://www.bay12games.com/forum/index.php?topic=27168.msg410273#msg410273
Blah. That's not an objective of mine. However, I will state I am disappointed in the way Lumin stores passwords in the database; I can confirm that the passwords are either encrypted with a two-way encryption, or are stored as plaintext, as opposed to storing them as a hash.
"The guy who hacked it should have first asked the developer if he could test the security.
Besides, he could only be pretending to have been helping and copied all of the passwords anyway. "
I did ask, and he said it was a "good thing that you found these glitches before anyone else did".
I never found any database injection points, though (I never checked, to be honest); the database itself has not been compromised (at least, not by me).
"Even hired hackers most likely don't actually hack into the system and leave a message. They search and discover vulnerabilities and report on those, they don't actually go in and mess around."
This is very true.
http://www.bay12games.com/forum/index.php?topic=27168.msg410554#msg410554
"There are 2 types of hackers: white hat hackers and black hat hackers."
I consider myself a greyhat (yes, this is a semi-official term as well). I prefer to say the white-hats are the anti-blackhats. I do what I do as exercise, for learning, etc. I wouldn't think of taking money for a job, or using my skills for harm. On the contrary, I've found the security of my code has increased greatly, and I'm glad about this.
"All respect for trying to find these things but really, ask first hack after. The lockpicking analogy works well. You wouldn't go to Lumin's house, pick the locks, and then tell him 'Hey your locks kinda suck'. Because by that point you've already taken what is considered a hostile action."
I introduced myself as a hacker and told him I wanted permission before I tried anything. I asked twice. His first answer was really fuzzy (probably surprised), his second was essentially a yes.
Cheers
- Natso