 |
|
Mar 24, 2011, 06:03 PM // 18:03
|
#101 | |
|
Frost Gate Guardian
Join Date: Aug 2010
Guild: Dragons Den
Profession: E/
|
Quote:
SBE also takes a snapshot of the system at various times and reconciles that with on file information both local and remote. The ongoing snapshots are so close to impossible to duplicate that it can even mess the signature up on the exact same system if that system becomes compromised. A zombie system trying to duplicate that sig will be seen as a foreign system even if they get everything right. Yes, it also uses serial numbered USB devices that look and act like a standard USB drive. That is why I said such was used in the first post. It is a combined effort to take as much authentication out of the hands of the user as possible. Again, it is THE method of various agencies around the world of preventing log on compromise. So far not a single successful attack has been made against such a system. Well, credential attack  There have been many well publicized breaches of some of these systems but they all came from OS exploits, browser exploits or firewall breaks and such. Basically the people got in after the person was already logged on and took partial control of the system. I say partial because after the system was logged out it could not be logged back in. The log in and credentials remained safe even though parts of them were known.With massive amounts of super computing / distributed computing you might be able to get past such a system but there are far easier ways than that. Now, if we had quantum state based encryption through quantum entanglement we could have unbreakable encryption. Any attempt to decrypt such an encryption would fail every single time even on the very machine that created the key. That is still science fiction but may not be for much longer. Oh, and even with everything I am talking about it still only comes down to this on the user end; Plug in USB device Input username and password play game Last edited by LordDragon; Mar 24, 2011 at 06:49 PM // 18:49.. |
|
|
|
|
Mar 24, 2011, 08:57 PM // 20:57
|
#102 |
|
Academy Page
Join Date: Mar 2011
|
Urcsumug, I think you've got half of what I'm proposing but not the other half -- the signature changes every log-in. It's not that your IP is now authenticated (in fact, IP wouldn't figure anywhere into it) -- it's that when you log out and log back in you need to authenticate again.
I think I'm going to sit down and actually make said device in the upcoming month, just so I can tell people "it's not hard, they should be doing it yesterday." Last edited by Surgo; Mar 24, 2011 at 09:01 PM // 21:01.. |
|
|
|
|
Mar 24, 2011, 10:18 PM // 22:18
|
#103 | |
|
Krytan Explorer
Join Date: Jan 2011
Guild: UNO
Profession: W/
|
@LordDragon: what you describe (examining the system, taking snapshots) can only be done by running software on the computer. Any software or data on the computer is under malware control => fail.
You're either not explaining it right or not making sense. Quote:
Problem 1: You say it's not about the IP; but how will the server know which client is the "good" client? How will the device describe the GW client that should be allowed to login, out of the millions of clients installed in the world? Problem 2: If you want to only do this for login, what I said stands. After a successful login, if the malware is on your computer it can strip your toons naked and that's it. So login is not enough (it would put a damper on botting, if required across the board; but not on account hijacking). You have to authenticate each potentially harmful operation (trades, merch buy/sale, collector exchange, quest taking/handing/abandon, item drops, map jumps, item destroy, salvage etc.) How does your device handle that? How will the device know if your client does things because you told it or because the malware told it? Banking websites do it by giving out a challenge code and asking you to enter it into a device and come back with the proper response code. If you do this for every operation above it will be secure, but it's gonna get really old really fast. |
|
|
|
|
|
Mar 24, 2011, 10:24 PM // 22:24
|
#104 |
|
Academy Page
Join Date: Mar 2011
|
I was under the assumption that an account could only be logged in once at a time -- is this not the case? Otherwise, the challenge-response could (of course) only happen when the USB device was plugged in. When you're not actually playing the game, you should unplug it from your computer.
|
|
|
|
|
Mar 25, 2011, 12:16 AM // 00:16
|
#105 |
|
Frost Gate Guardian
Join Date: Aug 2010
Guild: Dragons Den
Profession: E/
|
I am explaining it correctly, I just think you are refusing to understand. I work with clients who use such a system (but also add biometrics) every day. It works beautifully and has not been hacked even after systems have gotten infected with specific key loggers/malware to their industry.
Every log on has to be logged in a physical book, every written down log in has to be cross checked with the log in server every day. That is how I know they have not been compromised via credentials. What Surgo is proposing is actually part of the system I am describing. Yes, Surgo, it already exists. Again, this is about CREDENTIALS log on not other hacks. The malware you talk about in your Problem 2 is easy enough to stop. Just kill the game! Hell, if my character starts running places that I am not running him I would kill the game client in seconds. Already have done that when the keyboard locked up once. He wouldn't stop running in circles. For malware to stealth sell off your stuff and compromise your game account they would need to break the database/client/server interface on the game server itself. If they could do that I think we would be seeing posts about items vanishing while people are playing. Have you seen any? I haven't. Oh, and the snap shots in SBE are both on the client computer and FROM the log on server. It is a combination of so many different areas that no malware in the world is going to get them all and get them all right. The fact is the log on sever only uses some of the information each time and even THAT changes. The very act of intercepting the particular client with malware or changing the client itself causes the log on to fail. Read that bold part over and over and over again until you get it. that is the basis for the whole thing. Yes, that means that you would have to re-authenticate yourself if you put on a macro keyboard, logged in from another system, changed out your G15 for another identical G15, changed out your mouse, and more. Last edited by LordDragon; Mar 25, 2011 at 12:22 AM // 00:22.. |
|
|
|
|
Mar 25, 2011, 04:02 PM // 16:02
|
#106 | ||||||
|
Krytan Explorer
Join Date: Jan 2011
Guild: UNO
Profession: W/
|
Quote:
Still, the device would reduce botting by orders of magnitude (if it becomes mandatory) and it would prevent account hijacking, so there's value in the idea. Quote:
Not to mention that computer reaction time is about a million times better than yours.Come on, give the hackers some credit, from what I've seen they tend to be rather smart. Quote:
Quote:
Quote:
Quote:
The problem I had is that you seemed to be describing a device that is at the same time isolated from the computer and interacting with it. As long as I assumed that the device has to have a regular software presence on the system, I couldn't imagine what would prevent the malware from taking over that presence. I think I may have figured out. You're talking about a hardware chip connected directly to the motherboard and/or the CPU, or even replacing the CPU, which means complete low level access and control to everything. Which is in fact an even more powerful form of mind-control than the malware. To make an analogy, the malware is like using telepathy to influence and control you; the chip is like cutting you open and sticking wires directly into your brain. The problem is that this is not a trivial device to make or use. I don't doubt that the military or corporations use such a thing, but you can't expect ordinary users to use it. First of all, it would cost a bomb to design and manufacture such a device (even assuming you stop at a single special motherboard, not attempting to make mass-market models for any CPU slot). This is not something that can be plugged into USB on any computer and just work. There's nothing inside a regular PC that allows a regular USB device to do this. And even assuming for the sake of argument it was possible; would you plug into your personal computer a device that has complete control and reports privately to a private company? Wouldn't you be replacing the malware with an even bigger evil? |
||||||
|
|
|
|
Apr 13, 2011, 11:52 PM // 23:52
|
#107 |
|
Pre-Searing Cadet
Join Date: Apr 2011
|
A Cautionary Tale
A Cautionary Tale
My wife and myself have played Guild Wars just short of six years. The game has provided us with thousands of hours of entertainment. I have made friends from all over the world whom I never would have without this game. We have shared the triumphs of struggle and the agonies of defeat. For that I am grateful. Through our guild and various alliances we have held Cavalon and HzH. Slain Urgoz countless times. Dominated the Challenge Ladder for years. We won the Hall of Heroes on occassion as well. As a guild we accomplished all aspects of the game with the exception of GvG. As individuals we attained GWAMM status and filled our Hall of Monuments. I personally have achieved five GWAMM's and was on course for the sixth. However .................. Last Sunday, my wife was unable to log into her account. She followed the login instructions to reset her password, and waited the twenty-four hours for a response. No response was made. She contacted support via email and was provided assistance to log into her NCSoft master account and change her password. She followed the instructions this morning, and found that her account had been stripped of her virtual worldly goods. During the course of looking over her raped account, we noticed that my account was online. I immediately attempted to login, and was denied. I have contacted support for assistance regaining my account, which is most likely in the same pillaged state that my wife’s account was in. I am awaiting a reponse beyond the automated one. The moral of this story is this ...... I have followed all the rules and taken all the precautions advised by Arena Net and NCSoft. No third party programs. Unique passwords that are not used anywhere else. No real money trades. Our computers are virus and trojan free. My wife doesnt even know my account password. Based upon what i have read on the forums over the years, i can draw no other conclusion than the one that has been voiced by others. The NCSoft Master account is the only common element I have with those that have had their accout stolen. Do not think it will not happen to you. Unfortunately, this latest experience has left me somewhat jaded as to the future. I will not be an active player in Guild Wars anymore. As far as Guild Wars 2, I am undecided as of yet. However, should the NCSoft Master Account be needed to access my Hall of Monuments and bring forward my Guild Wars achievements, I dont believe I will be a participant. Good Night and Good Luck All W I C K E D |
|
|
|
 |
|
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT. The time now is 08:28 PM // 20:28.
jQuery(document).ready(checkAds()); function checkAds(){if (document.getElementById('adsense')!=undefined){document.write("_gaq.push(['_trackEvent', 'Adblock', 'Unblocked', 'false',,true]);");}else{document.write("