I mean seriously? "They should know" is not the same as "They would know".Originally Posted by KhainiWest
A thief shouldn't kick in my door and rob my house blind but no force on earth will instantly warn me when it happens unless I specifically set up an alarm on my house for it and arm it on the specific door they use. Sheesh.
You of all people should know that a major company like Nexon has logs that monitor this kind of activity. You can't go around telling me that if someone was accesssing your SQL Database through unconventional means you wouldn't know about it.
Logs.
Would you like me to start releasing programs that look fine, and then release the list of accounts that were stolen from them?
Edit: Just as an addition, I'm using "keyloggers" as a very broad term here. There is more than one way to steal user input, it doesn't have to be just hooking the keyboard.
You just said that if someone hacked a database there would be no way for the company to know about it. How then, did Sony shut down all of their servers while trying to remedy it? Stop contradicting yourself and using hackers as a scapegoat for end user stupidity. Monitor your damn forums and stop letting executables that have no proof of legitimacy run wild. Not so much as a virus scan has been posted for EITHER of them.
Just because they aren't playing Maplestory doesn't mean they're not visiting Maplestory related websites, or downloading programs. As for the common sense thing: People never admit to downloading keyloggers. Every person who's been hacked is a saint and has never touched any "bad websites" or malicious programs in their lives. The truth is that is a load of bullpomegranate and everyone knows it.
Logs are only useful if
A) It logs relevant information
B) It gets read.
C) The reader is capable of recognizing something wrong is occurring.
Next point; Even if all of the above occur, the violations have already happened (Case in point; http://www.southperry.net/showthread.php?t=48014). None of those prevented the breach. At best they get forwarded to someone else to fix on some time line and Nexon in particular never admits it happened, just like they haven't touched the tickets from my entire guild from last year that still send follow up notices every week.
Also, again, the only reason I caught on that an intrusion occurred is because it triggered errors in the log, had it not specifically created errors that raised flags and been perfectly executed I would likely have never known because it ran under the context of the forum itself doing normal operations. If Nexon's database thinks the client is doing what the clients designed to do, it's not going to flag it as anything. In many cases you have to know exactly what you're designing a system to look for in order to catch it.
I don't think you honestly grasp the concept of a vulnerability.
As one of the people who had it happen last year, I do in fact know what I did and I was every bit as skeptical as you until someone logged into my account and changed my costume just to prove they could (all my possessions are perma locked because I have never had any trust in Nexon's security, and rightly so by all accounts).
Skepticism is healthy. Denial is not. Believe what you will, if it happens to you you can try to rationalize how. Until then, insisting it's not possible and everyone who's had it happen is entirely to blame and there could be no possible way it's the companies fault is just insulting the intelligence of every single person who's been victimized. It benefits nothing but your own sense of superiority so if you don't believe this is really happening, ignore it and go about your businesses, you have no contribution to this thread if you're just here to insult everyone.
I'm sorry but if you believe the only hacking outbreaks are related to keyloggers then* well, ignorance is bliss ey?
Case in point.
If it happens to me, I will accept that perhaps I mis-stepped and ran something I shouldn't have. However, I am in the habit of disassembling/decompiling any programs that have to do with Maplestory that I download, and it has saved me numerous times in the past. I am seriously wondering why you are not sceptical about the programs I have referenced in my other posts, and just continue to let them sit there scot-free.
Just one more thing: If Nexon has such a big problem with their security Database, why are people not getting hacked in mass numbers in other games they host? All accounts are tied to the same Database.
People hacked in 2009 were not keylogged, and saying someone like eos was keylogged is ridiculous. For example, the hack outbreak I was victum too had nothing to do about obtaining your info, simply sending you a bowling invite on MSN. Why did I add a hacker you ask? I didn't, he hacked a friend of mine, and spider webbed it to other people, including me. All he did was sending me a bowling invite and logged out. He then used a 3rd party program that was able to catch my IP address, then did a MSN recovery to gain access to my email, using my IP information as data to prove he was the owner. MSN happily gave him access to my account. My ms account wasn't hooked up with msn, but he was able to find out my gmail account, and used the recently aquired information to break into that, same method.
Point is you're extremely dumb if you think keylogg is the culprit. Like extremely.
I don't run crap, period.
If I want something I generally write it myself.
Anyone who accuses me otherwise clearly knows not a damn thing about me.
None of my info is reused, there is literally zero way I was keylogged in any capacity.
The fact they'd need a PIC bypass to do any of this proves right away the entire basis of your theory is flawed; If they can bypass the pic, which can not be keylogged in the first place so has to be bypassed somehow, clearly they have a security gap already that they're unaware of, which then points to the possibility of other holes and the obvious inability to see them.
As for why Maple - It's their flagship, their largest most well known game. Most of these hackings are economy based for mesos, which again, being the largest game has the largest market. Why waste time on a half dozen smaller games when you can go right for the biggest and juiciest. Also maple is the only game with MTS, therefore the only game you can drain NX cash from someone regardless of what other Nexon game they're playing as long as you make a maple character for them. For all we know people in other games *are* having their NX siphoned and they just don't realize how and don't come to Maple forums to complain about it since they're not Maplers.
The login bypass is most likely not related to intrusion of their database at all. Most probably it'd be something akin to adding an email variable to the end of the password reset URL and get the email sent to any account. Some vulnerability on the website would not show up on logs unless you already know what to look for.
Personally I think it's more a matter of just sending the right packets to the server at the right time to make it think the login server approved you, or like the switch hack, to make it think person x is actually person y.
The number of people entered without any changes to the login info is too high for a password reset manipulation to be the only thing out there.
I've already stated that I'm using keylogging as a very broad term meaning anything that the client executes that sends data to the "hacker." In your example, you were at fault for accepting the "bowling invitation" without first ensuring that it was your friend who was sending it to you. People who fall for MSN Worms are just as bad as people who fall for actual keyloggers.
I have personal proof that says that is complete bullpomegranate, but I'll just leave it at that.
Sigh, I really thought you were smarter than that. It is not hard *AT ALL* to get the PIC from the maplestory client.
Each of the games also have their own respective black market where they could get monetary "rewards" for hacking the accounts. If they truely are hacking the database, then there would be no reason at all not to cash in on those games aswell.
And yet it's clearly impossible to break through the rest of their 'security'? Do you see the circle you keep going in? For someone with such a superiority complex I'd think you would be able to see 2+2=4 without having to be led to it.
RavenSCA's PIC was bypassed fairly quickly when he accidentally posted his user/pass. Security is not Nexon's strong point.
It has nothing to do with the server side security that you are talking about. FYI: The PIN is stored in memory as you type it, all you have to do is read the value.
There was a PIN bypass a long time ago, but that has been fixed quite efficiently.
I'd say that's a good guess. Much more likely than someone somehow getting ahold of people's packets as they route between their client and Nexon's server. Or reading off the value of people's computer memory.
You know whats even more retarded is when people don't know how to read. Where does it say I accepted it? He sent an invitation, that's it. The only way to stop that is to turn it off manually, which was not on the top of my mind as I did use the service.
Checkmate.
Grats, you found a flaw in MSN and the Microsoft Support System. If you would have read the Security Notices that Microsoft releases, you would have known about the exploit and would've been able to turn off the gaming service. I know about the exploit you're talking about, and it was no big secret when it was going on. It is entirely your fault for falling for it. Not to mention the fact that it has nothing at all to do with Maplestory.
However, I am very sceptical about the "then did a MSN recovery to gain access to my email, using my IP information as data to prove he was the owner. MSN happily gave him access to my account." part of your story. I think it's more likely that he phished the required information from you while pretending to be your friend. Simply emailing Microsoft telling them what your IP address would not be enough for them to give access to the account, no matter how stupid the support staff was.
This tears it, you're clearly only here to antagonize and troll. Good bye.
And yet you reveal further development of your inability to keep on track with your thought process. First off, this was the beginning of january, 2 months after said notice was released. Considering they didn't change their security system until about late june.
Also like to mention how stupid you sound by saying "you should have not fallen for it". Fallen for what? An invite that I can't retroactively stop without disabling a service during the exposure of it's release? No. You make all these assumptions like your a computer guru but truth be told you're just another smart ass that pretends he knows how things work. C++ for dummies does not constitute as "every possibility".
You say you're aware of the exploit yet couldn't correctly identify it with such obvious details? Only bull sh`it to be called in is your opinion.
Nevermind
Just a small sidenote on the logging; I've worked with my dad on one of the root servers he had access to of his old company (no he didn't get fired for it, they were bought by DOW chemical a few years back and all the IT jobs went to IBM contractors; it was much larger than NEXON, but still, relevant), and you aren't even aware of the sheer size those logs are. They literally have TB upon TB of backup logs, all text. This text I am typing right now won't break 1KB, for reference. So, you have untold millions of lines of logdata in among untold millions of seperate logfiles. A nightmare even if you had an incredibly advanced Find function. I can understand why they are taking so long finding these exploits, I just don't like their way of handling the people effected.
He's banned from the thread I see, but perhaps someone else is interested!
Welp, count me among those hit as well. Though at least it does seem to be for the profit only as all they took was my Mesos, my 3rd unwelcome belt, my first 17 day ring, my first year maple flag, and my chairs. True my equipment by today's standards are crap, but I'm glad it wasn't an ass who would delete all the years of quest items I had. I also still have another 17th day ring sitting around, so not a do or die loss like some people should I ever come back.
No notice of password change or any other alterations on the email in question tied to the account. 900 NX I had left alone. Still aggravates me of course and the loss of my favorite chair hurts; and former plans to mount all my characters are gone; but meh, I want to quit for good anyway.
EDIT: Adding to this, this was on my primary account only. I was hit by the former mass incident as well, but that was on an alternate account that only had a total value of 100k within it. (As a comparison, I just lost 1+ Bil). Both of these incidents seem to imply that the guilty party does not have the information for all accounts on my computer (aka IP affiliation), and leads me to believe something else is the cause. Also, it was not the most recent account logged into in both situation, ie the remembered account name was not the one hacked.
Both my accounts are missing a lot of mesos, all my 17 day rings, 3rd guest belts, my Drk is missing a 137 atk pinaka.. Earrings, other rings, all the general crap. Oddly left all my other chars alone, just the main one, so I can salvage some, but this is rather dissapointing. I haven't played in several months and just logged on for Ascention to find this. Considering I have been playing since 2006 and haven't ever been hacked before, I'm rather saddened by all that. All well, thank goodness for other games.
Posting Permissions
|
|
Reply With Quote
Bookmarks