0.9.13m Patch Notes

Still adding encryption in a small patch will only giving hackers the advantage to get the functions they need, without having invest much time to find the correct function.


And usually account thefts in Onlinegames start with infecting users,sql injection or an easily accessable database.

It would be better to use hardwareidentifiers or unique verficationcode from send from the server to protect unauthorized access.





Chris, will we be getting a preview of the OB patch notes before hand to prepare for it?
My Supporter Pack list compensates for my small penis.
"
Hilbert wrote:
Still adding encryption in a small patch will only giving hackers the advantage to get the functions they need, without having invest much time to find the correct function.


And usually account thefts in Onlinegames start with infecting users,sql injection or an easily accessable database.

It would be better to use hardwareidentifiers or unique verficationcode from send from the server to protect unauthorized access.



I don't know about anyone else, but since I reported this bug a week or two ago, and found it fixed today, I'm inclined to believe my bug report had something to do with it.

Anyway.

When hackers have access to your local machine the battle is already lost. They can sniff password in via the keyboard, read them from files or at decryption time. That attack is not something you prevent by encrypting game traffic.

What you prevent when you encrypt traffic is letting people who can listen in on your connection figure out what your password hash is. That means when you play Path of Exile on a wifi connection at Starbucks, the patron next to you can't steal your account. That's what this patch was made to prevent.
Last edited by PeculiarBias#5297 on Jan 8, 2013, 9:50:44 PM
"
Hilbert wrote:
Still adding encryption in a small patch will only giving hackers the advantage to get the functions they need, without having invest much time to find the correct function.

And usually account thefts in Onlinegames start with infecting users,sql injection or an easily accessable database.

It would be better to use hardwareidentifiers or unique verficationcode from send from the server to protect unauthorized access.


Knowing how encryption works does not necessarily help you to defeat it. In fact, if GGG has been smart about this, the encryption routines themselves should all be completely standard stuff -- there's never any good reason to reinvent crypto for yourself, as it only introduces a further opportunity to mess things up and have something with unforeseen mathematical weaknesses in it.

I'm assuming that what they mean when they say that they've added crypto to the protocol is that the game will now do some form of Diffie-Hellman key exchange with the server to prevent eavesdropping while transmitting the password hash. Probably they'd do this by pulling in some existing TLS or SSL library.

If someone has your machine compromised with a trojan, there's not much that GGG could reasonably do to prevent someone getting access to your account at that point -- at least if the game is storing the password hash used to log in locally.
GIBE OB PLZ

GIBE OB

;_;

Only 2 weeks to go and I still want to join OB so badly. Keep up the good work GGG.
1337 21gn17ur3
"
ExiledToWraeclast wrote:
GIBE OB PLZ

GIBE OB

;_;

Only 2 weeks to go and I still want to join OB so badly. Keep up the good work GGG.

Kinda off-topic but you have the same name as one of my characters ._.
Was nice seeing you here.
"
I don't know about anyone else, but since I reported this bug a week or two ago, and found it fixed today, I'm inclined to believe my bug report had something to do with it.

One Dev stated that the protocol wasn't encrypted long before that.


"
When hackers have access to your local machine the battle is already lost. They can sniff password in via the keyboard, read them from files or at decryption time. That attack is not something you prevent by encrypting game traffic.

You can't prevent somebody hosting a clean site for most of the time that infects users for 2,4h.
It would be easy to for somebody to write an external ladder monitor for races and infect them.

Just look at Diablo3 how many accounts were compromised because the authenticators were an identification tool on the client and there were just too many fanpages that could easily infect you if you had Javascript turned on.


That's why I said to add something to give hackers a harder time to access accounts.


"
If someone has your machine compromised with a trojan, there's not much that GGG could reasonably do to prevent someone getting access to your account at that point -- at least if the game is storing the password hash used to log in locally.

Or now take following example:
The PW hash includes a dynamic identifier code.
You send the PW hash.
The server sends you an unique code that rehashes your id code, so your old local login will be invalid and you have stored a new one.

Meaning each local hash works only once and if somebody accesses your account with the most recent hash then you won't be able to login via stored hash and it will throw an error and warn you that your PC is possibly infected.

The only remaining problem would be recording keystrokes and the user can give hackers a hard time because those loggers log like this:
ABC{Space}{Enter}
They don't record your cursor position and can't tell what you are doing by clicking, you could create incredbly long logs and piss them off.

While passwords like: AlphaBetaGammaDeltaEpsilon are easy to remember they can easily be guessed by that method.

Now let's say your password is qwert should be a longer random combination(not related to keys that are next to each other like qay qwe etc will do)
Now this is how you enter the password. qt-->Move mouse to 2nd spot hit e move to 2nd spot again hit w move to the forth spot and hit r.

The record will show qtewr and a hacker has to add far more functions or even inject code into PoE(If somebody got hookshark he easily finds modified code) to get the correct password or he creates all permutations of the letters he got to find real words.
A password like AlphaBetaGammaDeltaEpsilon wouldn't need many login attempts to find the correct combination random gibberish wouldn't create many real words.







"
Chris wrote:
"
Dreggon wrote:
Encryption?

Can you tell us just what sort of underhanded hackery we're allowed to get up to in Closed/Open beta?


We're preparing the banhammer for people who engage in underhanded hackery in OB :P


Is overhanded hackery okay? Like, if I think I can exploit something, can I tell you I'm going to try it and let you know if it worked?
My Keystone Ideas: http://www.pathofexile.com/forum/view-thread/744282
"

And usually account thefts in Onlinegames start with dmub fucks giving out account information


fixed
"
anubite wrote:

Is overhanded hackery okay? Like, if I think I can exploit something, can I tell you I'm going to try it and let you know if it worked?


This has always been the case in beta, let them know and as long as permission is granted and you don't stream it to the public there will be no problem.
RIP Bolto

Report Forum Post

Report Account:

Report Type

Additional Info