Guild Wars Forums - GW Guru
 
 

Old Jun 28, 2008, 11:54 PM // 23:54   #21
Forge Runner
 
Darkobra's Avatar
 
Join Date: Aug 2006
Location: Scotland
Guild: Type like an idiot, I'll treat you like an idiot
Profession: E/Me
Default

Well this is a predicament. Pay them MORE money, or use common sense? Hm...
Darkobra is offline   Reply With Quote
Old Jun 29, 2008, 12:08 AM // 00:08   #22
Frost Gate Guardian
 
Join Date: Oct 2006
Location: Ohio
Profession: R/
Default

Yeah, this isn't anything special. This is just another scheme by Blizzard to bum even MORE money off of their endless legion of nerds.
GoodApollo1234 is offline   Reply With Quote
Old Jun 29, 2008, 12:12 AM // 00:12   #23
Frost Gate Guardian
 
Silent Coyote's Avatar
 
Join Date: Nov 2005
Location: UK
Profession: E/N
Default

Interesting, though generally 2FA methods like this aren't all that useful for remote login.

http://catless.ncl.ac.uk/Risks/25.18.html#subj3
http://www.schneier.com/blog/archive...ailure_of.html
Silent Coyote is offline   Reply With Quote
Old Jun 29, 2008, 12:21 AM // 00:21   #24
Likes naked dance offs
 
cellardweller's Avatar
 
Join Date: Aug 2005
Guild: The Older Gamers [TOG]
Default

I'd happily pay for the comfort of 2fa
cellardweller is offline   Reply With Quote
Old Jun 29, 2008, 12:29 AM // 00:29   #25
Forge Runner
 
-Loki-'s Avatar
 
Join Date: Oct 2005
Default

Quote:
Originally Posted by Masseur
The Blizzard Authenticator will be available at the Blizzard Store for $6.50. No release date has been announced.
Good idea, poor implementation. Security upgrades should be offered for free. But hey, most of the WoW community is too dumb to realise this.
-Loki- is offline   Reply With Quote
Old Jun 29, 2008, 12:39 AM // 00:39   #26
Frost Gate Guardian
 
Join Date: Mar 2008
Default

Quote:
Originally Posted by Silent Coyote
Interesting, though generally 2FA methods like this aren't all that useful for remote login.

http://catless.ncl.ac.uk/Risks/25.18.html#subj3
http://www.schneier.com/blog/archive...ailure_of.html
um ya... except instead of a trivial key logger (using which 99.99% of all account "hacks" are made) you would have to do some real hacking involving figuring out the game's communication protocol, intercepting packets and modifying them. That's not a trivial task at all. Doing that to some silly game is just not cost effective.
Robbert Monga is offline   Reply With Quote
Old Jun 29, 2008, 01:44 AM // 01:44   #27
Wilds Pathfinder
 
BLOODGOAT's Avatar
 
Join Date: Jun 2007
Location: long a
Profession: Mo/
Default

Quote:
Originally Posted by Chthon
The numbers aren't truly random. It's just a pseudo-random number generator. It produces a fixed, repeating, but very long, sequence of seemingly-unrelated numbers with an even distribution across a range, with the starting point in the sequence determined by an input, often called the "seed." The seed is hardcoded into the keyfob and also known to the server. The keyfob advances to the next number in the sequence every X sec, which you have to enter before it advances again. The server runs the same pseudo-random number generator to determine which number in the sequence that seed should have produced at the time you submitted your code. If they match, you get access; if they don't, you don't.

Weaknesses:
1. You can lose or break the keyfob. Then you're SOL unless you can get support to help you.
2. Social engineers can steal accounts by tricking the support staff who deals with "I lost/broke my keyfob."
3. Cheaply made keyfobs (or keyfob batteries) may run their clock faster or slower than the server, which means it gives you the wrong code.
4. Although they are tamper resistant, the pseudo-random number generation algorithm can be extracted by (destructively) examining the keyfob hardware. With the algorithm in hand, an attacker knows the sequence of valid codes. If they can learn what your seed is or learn what your code was at a given time, then they can compute which codes will be valid when for your account. Although extracting the algorithm requires expensive hardware and numerous sacrificial keyfobs, the value of stolen WoW accounts is high enough that someone's sure to do it.
And in my personal opinion, it would take a lot less time for me to actually accumulate the wealth myself than learn how to do the aforementioned activities, thus reducing the likelihood I would so much as think of attempting it.

JUST ME THOUGH
BLOODGOAT is offline   Reply With Quote
Old Jun 29, 2008, 01:51 AM // 01:51   #28
~ Retired ~
 
Yang Whirlwind's Avatar
 
Join Date: Nov 2005
Location: Copenhagen, Denmark (GMT +1)
Profession: E/
Default

Quote:
Originally Posted by Carinae Dragonblood
"My husband left me for a Bone Horror!"
Sorry to hear that!
Yang Whirlwind is offline   Reply With Quote
Old Jun 29, 2008, 06:54 AM // 06:54   #29
Ascalonian Squire
 
Javeron's Avatar
 
Join Date: Apr 2007
Location: California
Guild: [OAK]
Profession: E/Mo
Default

I already have this for work. It's already become a corporate tool for traveling accountants and consultants.

The only problem is that it's VERY expensive to implement, and you are ****ed if you lose it.
Javeron is offline   Reply With Quote
Old Jun 29, 2008, 08:53 AM // 08:53   #30
Frost Gate Guardian
 
captain_carter's Avatar
 
Join Date: Jul 2007
Location: England
Guild: The X Viles [TXV]
Profession: R/
Default

ok, so it is not a random number generator.
From what I see the server expects the next code in the sequence, not a previous one. What happens if you accidentally activate the authenticator several times on your way home from work as it bangs against your steering column? Will the server accept any subsequent code?
captain_carter is offline   Reply With Quote
Old Jun 29, 2008, 09:10 AM // 09:10   #31
Insane & Inhumane
 
Brianna's Avatar
 
Join Date: Feb 2006
Default

Sounds neat, it might be something I'd pay for.

My mom uses this exact thing to log into her work computer, she can't get on without the key generator - that's why she gets so pissed off when she loses it.

Personally I don't see it as a scheme, but rather a good thing, some people value their accounts and possessions highly - in a sentimental and materialistic way. It is a good option for paranoid people who want to be extra sure that they won't get hacked, even if you are the most "Secure" person - and while common sense can prevent a lot of bad things, no one is 100% secure, so don't get your hopes too high.

And, since it isn't forced on anyone to buy it, it is all the better. I don't think they need any more money, so I doubt if anything it would be another gold mine for them.

In regards to people losing the key-generator, I am sure support would straighten that out pretty quickly, naturally there has to be good support for something like this to work out, and of course to keep rocks out of your office windows.

Oh and to add, even though everything is presumably "hackable" it would take a lot of effort on the hacker's side to get past this, and any hacker who is smart enough and/or capable enough to do this would not be wasting their time on stupid video game accounts, they would be going for much larger greater bonuses such as bank accounts or other significant information.

Last edited by Brianna; Jun 29, 2008 at 09:19 AM // 09:19..
Brianna is offline   Reply With Quote
Old Jun 29, 2008, 10:10 AM // 10:10   #32
Krytan Explorer
 
Divinitys Creature's Avatar
 
Join Date: Apr 2005
Location: Somewhere between the Real World and Tyria ;P
Guild: The Gothic Embrace [Goth]
Default

LOL! Even banks don't go to these lengths AFAIK, at least not retail banks and they are doing it for an MMO! LOL Well if gaming can make something like this widespread I'm for it. I just don't play WoW. If I did I'd probably get one for the geek factor.
Divinitys Creature is offline   Reply With Quote
Old Jun 29, 2008, 01:10 PM // 13:10   #33
Desert Nomad
 
Join Date: Jul 2006
Profession: W/R
Default

Wow... if Blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
Dante the Warlord is offline   Reply With Quote
Old Jun 29, 2008, 01:16 PM // 13:16   #34
So Serious...
 
Fril Estelin's Avatar
 
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
Default

An important comment, in particular to those that see this as a feature for "paranoid" people:

it's already a feature used by certain companies and a lot of big banks in Europe (you actually get a card reader in addition to seeding); security is always proportional to the risk, so Blizzard want to protect their business as banks do.

Now, we can't have a discussion on the principle or the idea of an authenticator token. Everyone'll have to wait until its implementation is tested by being released (people will try to crack it very quickly), to see whether or not it's the right way to fix security problems in WoW.
Fril Estelin is offline   Reply With Quote
Old Jun 29, 2008, 04:07 PM // 16:07   #35
/retired
 
jackie's Avatar
 
Join Date: Dec 2005
Location: On the Beach
Default

Quote:
Originally Posted by Dante the Warlord
Wow... if Blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
Yeah I bet if Anet or any other company produces a similar physical object to minimize hacking to nil they'll send it to you in a silky paper box for free?

Countering stupid trolls aside, seen similar devices used in many industries and not heard much negative about them except if you lose the actual device.. then it's a phone call to customer support.
jackie is offline   Reply With Quote
Old Jun 29, 2008, 04:12 PM // 16:12   #36
Frost Gate Guardian
 
Join Date: Mar 2008
Default

Quote:
Originally Posted by Dante the Warlord
Wow... if Blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
Actually, the token itself probably costs more than 6.50
Robbert Monga is offline   Reply With Quote
Old Jun 29, 2008, 04:28 PM // 16:28   #37
Jungle Guide
 
Anarkii's Avatar
 
Join Date: May 2005
Guild: -None-
Profession: R/Me
Default

Quote:
Originally Posted by Chthon
Weaknesses:
1. You can lose or break the keyfob. Then you're SOL unless you can get support to help you.
They'll send replacements.

Quote:
Originally Posted by Chthon
2. Social engineers can steal accounts by tricking the support staff who deals with "I lost/broke my keyfob."
This is Blizzard, not Walmart. They ask for photo-id, secret question to your account, your original cd-key, middle 8 digits of your credit card.

Quote:
3. Cheaply made keyfobs (or keyfob batteries) may run their clock faster or slower than the server, which means it gives you the wrong code.
4. Although they are tamper resistant, the pseudo-random number generation algorithm can be extracted by (destructively) examining the keyfob hardware. With the algorithm in hand, an attacker knows the sequence of valid codes. If they can learn what your seed is or learn what your code was at a given time, then they can compute which codes will be valid when for your account. Although extracting the algorithm requires expensive hardware and numerous sacrificial keyfobs, the value of stolen WoW accounts is high enough that someone's sure to do it.
Both of these points are absurd. RSA tokens are used by many high-security installations. You might as well try brute-forcing the password if you're doing this.



The token itself is extremely secure. That is not a problem. The concern should be over your computer itself. If a trojan is present in your PC, you're losing your account no matter what. The token will only prevent account theft from cyber cafes and such kiddie scripters.
Anarkii is offline   Reply With Quote
Old Jun 29, 2008, 09:06 PM // 21:06   #38
Grotto Attendant
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by captain_carter
ok, so it is not a random number generator.
From what I see the server expects the next code in the sequence, not a previous one. What happens if you accidentally activate the authenticator several times on your way home from work as it bangs against your steering column? Will the server accept any subsequent code?
Both the keyfob and the server advance to the next code based on time, not whether the previous code has been used. So that's not a problem.

Quote:
Originally Posted by BLOODGOAT
And in my personal opinion, it would take a lot less time for me to actually accumulate the wealth myself than learn how to do the aforementioned activities, thus reducing the likelihood I would so much as think of attempting it.

JUST ME THOUGH
To be clear, I'm not talking about individual users like you and me. I'm talking about criminal organizations that resell what they steal as RMT. After all, there is a LOT of money to be made in RMT. (See: Source, Source, Source, Source, Source.) In fact, some say that the value-to-risk ratio of stealing WoW accounts is now better than that of stealing bank accounts.

Quote:
Originally Posted by Anarkii
Both of these points are absurd. RSA tokens are used by many high-security installations. You might as well try brute-forcing the password if you're doing this.
1. High-security installations pay top-dollar for their keyfobs; WoW players pay $6.50. I'd bet dollars to doughnuts (mmmmhhh doughnuts....) that a small-but-non-trivial proportion of WoW's keyfobs are going to have bad clocks/batteries.

2. Tamper-resistant hardware is not really that secure. (See: Source, Source, Source. These articles focus on compromising tamper-resistant banking smartcards, but the same attack methods apply to keyfob hardware.) The equipment for the invasive attacks is too expensive for most individuals, but organized account theft rings will almost certainly be willing to make that investment.

You have to remember: brute forcing steals one account, but extracting the algorithm that generates all valid codes gets you a significant distance towards stealing every account. Think of it as AoE damage.

Quote:
The concern should be over your computer itself. If a trojan is present in your PC, you're losing your account no matter what. The token will only prevent account theft from cyber cafes and such kiddie scripters.
With this, I agree. The user's computer is usually the weakest link, and these keyfobs do nothing to address that.
Chthon is offline   Reply With Quote
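
Added example, not part of any post in this thread and not the Authenticator's actual algorithm (the thread does not identify it): a sketch of time-based code checking using the public RFC 6238 TOTP construction as a stand-in, showing how a server can tolerate the keyfob clock drift raised above, and why extra button presses do not desynchronise anything. The 30-second step, 6-digit length, window size and the `Verifier` class are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed; the thread only says "every X sec")
DIGITS = 6   # code length (assumed)

def code_at(seed: bytes, counter: int) -> str:
    """Code for one time step (RFC 4226 truncation of HMAC-SHA1).

    Depends only on the seed and the step number, so pressing the
    button many times within a step always shows the same code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: same seed, its own clock, a small acceptance window."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window     # steps of clock skew tolerated each way
        self.drift = 0           # learned offset of the fob's clock, in steps
        self.last_counter = -1   # highest step already accepted

    def verify(self, code: str, server_time: int) -> bool:
        centre = server_time // STEP + self.drift
        for delta in range(-self.window, self.window + 1):
            counter = centre + delta
            if counter <= self.last_counter:
                continue         # reject replay of a used or older code
            if hmac.compare_digest(code_at(self.seed, counter), code):
                self.drift += delta          # follow a slow or fast fob clock
                self.last_counter = counter
                return True
        return False

if __name__ == "__main__":
    seed = b"12345678901234567890"           # constructed sample (RFC test seed)
    server = Verifier(seed)
    print(server.verify(code_at(seed, 1), 59))    # clocks agree
    print(server.verify(code_at(seed, 1), 59))    # same code replayed
    print(server.verify(code_at(seed, 5), 120))   # fob one step fast
    print(server.verify(code_at(seed, 9), 180))   # fob far outside the window
```

A wider `window` forgives worse clocks but gives a captured code a longer useful life, which is the trade-off behind the cheap-clock concern in the thread.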
Old Jun 29, 2008, 09:46 PM // 21:46   #39
Frost Gate Guardian
 
captain_carter's Avatar
 
Join Date: Jul 2007
Location: England
Guild: The X Viles [TXV]
Profession: R/
Default

Quote:
Originally Posted by Chthon
Both the keyfob and the server advance to the next code based on time, not whether the previous code has been used. So that's not a problem.
I guess you can't take it on too many high speed flights then, let's hope technological advancement of transportation systems doesn't occur.

Good place to move this to, Off-Topic and the Absurd

Last edited by captain_carter; Jun 29, 2008 at 09:49 PM // 21:49..
captain_carter is offline   Reply With Quote
Old Jun 30, 2008, 08:14 AM // 08:14   #40
The Greatest
 
Arkantos's Avatar
 
Join Date: Feb 2006
Profession: W/
Default

Quote:
Originally Posted by Darkobra
Well this is a predicament. Pay them MORE money, or let the person you have to share your account with download a trojan without you knowing, leading to your account getting hacked? Hm...
Fixed for people who have to share a computer. Besides, it's not like paying $6.50 for additional security is in any way a negative thing.

Quote:
Wow... if Blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
Blizzard releasing this shows they care about their players. If they didn't, they wouldn't have made it.

It also seems that you're forgetting Blizzard is a company. Of course they're going to charge you for additional stuff, they want more money. It's $6.50. If you're playing WoW (which means you're paying a monthly fee), $6.50 is nothing.
Arkantos is offline   Reply With Quote
All times are GMT. The time now is 08:12 AM // 08:12.

