Bay 12 Games Forum

Author Topic: Faery Tale Online  (Read 33062 times)

Hamel

  • Bay Watcher
Re: Faery Tale Online
« Reply #165 on: January 31, 2009, 04:15:59 pm »

Yeah that is true... It is like breaking into someone's home because they didn't lock the door... walking up to their room... waking them up... and saying "You should have locked the door"

Actually, it's more like picking the lock on the door, walking up to their room and telling them they should have had a better lock. :P

There was a lot at stake there, the passwords of all the players for instance, no one knows if the offender was trustworthy or not. I think Lumin did what was best.

It is also important for Lumin to stick by his rules, and show his player base that he isn't pulling any punches.
Logged

Natso

  • Bay Watcher
  • Latent Apocalypse
    • DarkNova Games
Re: Faery Tale Online
« Reply #166 on: January 31, 2009, 04:40:16 pm »

Hello.  I'm Natso from FTO.  Some people correctly predicted that I was the one Lumin was talking about. (I am the "hacker" that Lumin banned)

I've got a headache about the situation now...  I don't want to give any more long explanations, but if any of y'all have any questions about it / me / my involvement in it / etc, ask me here (or through PM, etc) I don't mind.  I am sad that I am accused of being dangerous.  I'm a greyhat, finding vulnerabilities is my forte.  If I go to a site, find some bugs (really really big bugs), report them to the admin, and get banned, what am I supposed to think?

Anyways, icky icky icky.

 - Natso

edit: Oh yes, thanks for linking to this topic from the FTO forum.  I'm respecting Lumin's ban, and will not login until the situation cleans itself up.
« Last Edit: January 31, 2009, 05:38:40 pm by Natso »
Logged
Meh~

Tilla

  • Bay Watcher
  • Slam with the best or jam with the rest
Re: Faery Tale Online
« Reply #167 on: January 31, 2009, 04:53:43 pm »

All respect for trying to find these things but really, ask first hack after. The lockpicking analogy works well. You wouldn't go to Lumin's house, pick the locks, and then tell him 'Hey your locks kinda suck'. Because by that point you've already taken what is considered a hostile action.
Logged

Natso

  • Bay Watcher
  • Latent Apocalypse
    • DarkNova Games
Re: Faery Tale Online
« Reply #168 on: January 31, 2009, 04:58:39 pm »

Quote
"Some kid says "I found a security hole, here's how and a list of what I touched" and they send the FBI after him?"

I'm hardly concerned about the FBI statement.  It's not uncommon to hear, and I have nothing to be worried about.



Quote
"Agreed. If he told you how he got in and didn't appear to break anything, you should just give him a pat on the back and fix it, not ban him and report him to the FBI. That said, it is kind of scary that someone got in like that..."

Well, there was no "getting in", just "look what he left open".  I don't want to post exactly what they are in public, that's rather antithetical.  Also, pat on the back isn't necessary :D  I do this kind of stuff for fun.  I mean, it exercises my knowledge, plus it helps other people out as well.  Win-win, usually.



Quote
"Thanks to most of your responses to feedback and this little bit, I'm not even going to touch your game. "

Aaaaand shoot.  Now this has turned into a drama.



Quote
"I think this is all a bit hasty... It's perfectly understandable that someone would panic after having their game hacked."

That's my theory, at the moment.



http://www.bay12games.com/forum/index.php?topic=27168.msg410273#msg410273

Blah.  That's not an objective of mine.  However, I will state I am disappointed in the way Lumin stores passwords in the database, I can confirm that the passwords are either encrypted with a two-way encryption, or are stored as plaintext, as opposed to storing it as a hash.


Quote
"The guy who hacked it should have first asked the developer if he could test the security.

Besides, he could only be pretending to have been helping and copied all of the passwords anyway. "

I did ask, and he said it was a "good thing that you found these glitches before anyone else did".
I never found any database injection points, though (I never checked, to be honest), the database itself has not been compromised (at least, not by me)



Quote
"Even hired hackers most likely don't actually hack into the system and leave a message.  They search and discover vulnerabilities and report on those, they don't actually go in and mess around."

This is very true.



http://www.bay12games.com/forum/index.php?topic=27168.msg410554#msg410554
Quote
"There are 2 types of hackers: white hat hackers and black hat hackers."
I consider myself a greyhat (yes, this is a semi-official term as well).  I prefer to say the white-hats are the anti-blackhats.  I do what I do as exercise, for learning, etc.  I wouldn't think of taking money for a job, or using my skills for harm.  On the contrary, I've found the security of my code has increased greatly, and I'm glad about this.



Quote
"All respect for trying to find these things but really, ask first hack after. The lockpicking analogy works well. You wouldn't go to Lumin's house, pick the locks, and then tell him 'Hey your locks kinda suck'. Because by that point you've already taken what is considered a hostile action."

I introduced myself as a hacker and told him I wanted permission before I tried anything.  I asked twice.  His first answer was really fuzzy (probably surprised), his second was essentially a yes.

Cheers
 - Natso
Logged
Meh~

Soulwynd

  • Bay Watcher
  • -_-
Re: Faery Tale Online
« Reply #169 on: January 31, 2009, 05:07:20 pm »

You know, these analogies suck. They don't work out. It's not the same thing. The environments they take place in are completely different. You're not there, it's not your house, they can't poke you. They can't rape your daughter. It's just not like that.

I don't have an opinion on Lumin's actions, at least not a judgmental one. I don't know the extent of what the guy did and how he gave the information to Lumin. All I know was that he seemed to want to alert Lumin about it as soon as possible. With what I know so far, I would have acted differently, but none of us know exactly what went on.

Except for Natso over there, nice to see you talking about it here.

And storing passwords in plain text? Yuck. I'm glad I have a random 2-3 words password for each place. Not the safest method, but at least I don't keep a global pass.
Logged

Natso

  • Bay Watcher
  • Latent Apocalypse
    • DarkNova Games
Re: Faery Tale Online
« Reply #170 on: January 31, 2009, 05:10:59 pm »

Ummm, Soulwynd... I AM that guy that Lumin banned... which is why I know so much about the topic :D

Also, I agree, the analogies are pretty poor, but I can hardly blame people for defaulting to stereotypes.

Also, I don't think Lumin's situation is entirely irreversible, I could probably do it, and I'm sure he can get a nearly/complete recovery too.

 - Natso
Logged
Meh~

Sowelu

  • Bay Watcher
  • I am offishially a penguin.
Re: Faery Tale Online
« Reply #171 on: January 31, 2009, 05:19:55 pm »

*prods the drama with a ten-foot stick*
Logged
Some things were made for one thing, for me / that one thing is the sea~
His servers are going to be powered by goat blood and moonlight.
Oh, a biomass/24 hour solar facility. How green!

Soulwynd

  • Bay Watcher
  • -_-
Re: Faery Tale Online
« Reply #172 on: January 31, 2009, 05:41:07 pm »

Quote
Ummm, Soulwynd... I AM that guy that Lumin banned... which is why I know so much about the topic :D

Oh, I know that. I just wasn't about to tell people before you did it yourself. I was writing while you posted, so I kept the original post.
Logged

Natso

  • Bay Watcher
  • Latent Apocalypse
    • DarkNova Games
Re: Faery Tale Online
« Reply #173 on: January 31, 2009, 05:44:23 pm »

Quote
Ummm, Soulwynd... I AM that guy that Lumin banned... which is why I know so much about the topic :D
Oh, I know that. I just wasn't about to tell people before you did it yourself. I was writing while you posted, so I kept the original post.

Aah, that's fine.  The reason I came here though was so that whoever needed to talk with me still could, as I'm not available on FTO.

Cheers
 - Natso
Logged
Meh~

beorn080

  • Bay Watcher
Re: Faery Tale Online
« Reply #174 on: January 31, 2009, 05:45:08 pm »

I think the best way to describe this is:

Closing a door a neighbor left open and leaving a note for the neighbor to be more careful.

Natso, I would say you have done nothing wrong but certainly questionable. Lumin also did nothing wrong. The problem lies in the fact that any "authority" ranging from a webmaster to the FBI has to take all attacks seriously. I watched a show where a person dropped a backpack bomb in an airport that was packed with confetti and a note saying exactly what he did. Naturally the FBI and the airport didn't like that he did that but it did prove a point.
Logged
Ustxu Iceraped the Frigid Crystal of Slaughter was a glacier titan. It was the only one of its kind. A gigantic feathered carp composed of crystal glass. It has five mouths full of treacherous teeth, enormous clear wings, and ferocious blue eyes. Beware its icy breath! Ustxu was associated with oceans, glaciers, boats, and murder.

Rhodan

  • Bay Watcher
Re: Faery Tale Online
« Reply #175 on: January 31, 2009, 05:46:35 pm »

Umm, analogies aren't supposed to be literal; it's the concept that's behind them that matters.

House = Website = Personal property.  People can look at it, but aren't supposed to enter the parts you don't want them to enter.
Lock = Security Code = Protection of your property.  To protect your property from people that ignore the above.  The protection itself is also not supposed to be fiddled with without permission.
Raping your daughter = Stealing data/breaking stuff = Abusing property.  This hasn't happened in this case, but it's just to complete the analogy from below.

Yes, the severity of each case is different, but the basic concept of property still stands.  "Don't touch other people's stuff without permission or a really good reason."

People should stop seeing the internet as some magical fairyland where no one can get hurt and nothing ever has an impact on the real world.  People trade, communicate and socialize via the web almost as much as they do offline, often at a much greater speed.  Anything you do on here has an effect on people in the real world, any website you visit is owned by someone who pays money to keep it online, so breaking into a website is very comparable to breaking into someone's house or shop.
The main difference is of course physical damage to people and the cost of the damage done, but when you break into a house and don't stab anyone, it's still illegal.  There's people that break into houses just for kicks and to keep their skills up as well.  They'd never want to hurt anyone or steal anything, is that acceptable, or only if they send the owners of the house an essay on their security system afterwards?

"Dear Madam,
I broke into your house last night and noticed your terrier didn't even wake up.  I suggest you acquire a better watchdog. 
Yours truly, Fred
PS: I didn't steal anything, but check the lock on your jewelry box."

"Dear Sir,
I hacked your website last night and noticed your safety protocols have a loophole.  I suggest you upgrade to version 2.4.
Yours truly, Fr3dz0rs
PS: I didn't copy the passwords from the database, but you really shouldn't store them in plain."

Anyways, I doubt Natso actually took any passwords or had any bad intentions, but I can't really agree with the grey-hat hacker philosophy.  Why not get together with other hackers and make a big test-server playground with hacking contests or something?
I also can't comment on the bit where Lumin apparently gave permission, seems like there have been misunderstandings.
Few people want their stuff hacked, even with good intentions.  Always ask first.  If Natso did indeed ask first, then he did nothing wrong.
Logged

Natso

  • Bay Watcher
  • Latent Apocalypse
    • DarkNova Games
Re: Faery Tale Online
« Reply #176 on: January 31, 2009, 05:54:47 pm »

Quote
"Dear Sir,
I hacked your website last night and noticed your safety protocols have a loophole.  I suggest you upgrade to version 2.4.
Yours truly, Fr3dz0rs
PS: I didn't copy the passwords from the database, but you really shouldn't store them in plain."

Anyways, I doubt Natso actually took any passwords or had any bad intentions, but I can't really agree with the grey-hat hacker philosophy.  Why not get together with other hackers and make a big test-server playground with hacking contests or something?
I also can't comment on the bit where Lumin apparently gave permission, seems like there have been misunderstandings.
Few people want their stuff hacked, even with good intentions.  Always ask first.  If Natso did indeed ask first, then he did nothing wrong.

::)
All I pointed out was what I observed over the course of no more than 15 minutes, common security flaws that most any entry-level PHP coder is unaware of.  (even applied to me, a good time ago)

Quote
I don't mind if you check some things out for me. Let's just make sure we are careful not to break something while testing.
(I took this as a yes.  I don't break crap, so that's hardly an issue)

After sending him info that his site was insecure, he sends...
Quote
Well I'm just glad you're finding these things out before someone, you know, causes a glitch in the system.

So what do you suggest I do to secure things up?
And then, I reply with details about the four important points, and... here we are.


Also, I still think the break-into-the-house analogy is poor.  I have not tampered with the game's code at all, so it's stretching the facts to even call it hacking in the first place  ::)

 - Natso
Logged
Meh~

Hamel

  • Bay Watcher
Re: Faery Tale Online
« Reply #177 on: January 31, 2009, 06:03:29 pm »

Having heard some more from Natso, it seems to me that this may just be a huge misunderstanding. And before any more judgment is passed out, we should wait until some more word on this matter is heard from Lumin.
Logged

Natso

  • Bay Watcher
  • Latent Apocalypse
    • DarkNova Games
Re: Faery Tale Online
« Reply #178 on: January 31, 2009, 07:51:15 pm »

Meh.  A lot of stuff I have said has been taken out of context.

In regard to knowing family and relatives - I found this info while trying to find Lumin's usernames so that I could speak with him through a chat client.  PM correspondence is terrible and slow.  During this process, I found plenty of other details related to Lumin's RL, which I have little use of.  End of story.

 - Natso
Logged
Meh~

Neonivek

  • Bay Watcher
Re: Faery Tale Online
« Reply #179 on: January 31, 2009, 08:30:59 pm »

I think the house analogy is perfect and you're splitting hairs...

But I guess if you want something a bit closer to your version of the events...

It is as if you walked around the guy's house peering through windows... climbed onto his roof and yelled through his window "I think you should get a better keypad"

Anyhow, point being... Let's get over this and try to enjoy the game.
« Last Edit: January 31, 2009, 08:36:10 pm by Neonivek »
Logged