Diablo® III

Session Spoofing

06/05/2012 01:09 PMPosted by Mashi
It's always funny when these "IT professionals" just know session spoofing is happening even when we KNOW for a fact that NO account with a physical or mobile authenticator has been compromised. The authenticator is another part of the authentication process and has NOTHING do with the session itself, so if session spoofing like the OP describes is happening an authenticator wouldn't provide any protection at all. Doh!

Got proof? Of course not. And authenticators are indeed part of the session. You can't create a session without passing an authenticator check.

Otherwise, how would you be able to ah...login?


LOL. Keep digging that hole. Once you authenticate the session is created. You don't keep authenticating over and over. If you could session spoof the fact that an authenticator was used during the authentication process is now irrelevant because you'd be stealing the session and bypassing the authentication process altogether. It's funny when people don't even understand basic security principles try to talk like they do.
100 Human Paladin
15960
Posts: 3,388


A number out of context is meaningless.


you think there's no difference between 1 and 10,000? unless theres some "context" to it? lol


1 out of 2 people will get cancer and die.
10,000 out of 100,000,000 will develop a slight limp.

There is a huge difference between 1 and 10,000 with context...
Fact: Sony got hacked
Fact: Sony covered it up
Fact: People found out anyway and got really mad at Sony.
Fact: Sony gave away free stuff and the general population said "Oh look, a squirrel!"

Everyone knows about this. Blizzard included. If it was on their side and they are lying about it, once it out (not if, but when) every one will be pissed and only trying to dissuade the public will help them.

Or they could be telling the truth and there is no hack.

I believe point 2, since they have never given me reason to believe that they are lying to us.


Fact: Sony got hacked by people who wanted to steal credit cards and to get fame.
Fact: No user accounts were compromised except for those that some idiot somewhere stored in plain text file.
Fact: If someone had hacked blizzard, and blizzard was denying it (like sony did at first), someone would have come forth to claim otherwise and show proof (just like with Sony).

Fact: Stealing account passwords is nearly impossible. In fact, if done correctly, it would be impossible.
06/05/2012 01:13 PMPosted by Applesoup
well I have 3.14 reasons why that's not true

3.14 is meaningless without context...


you think there's no difference between 1 and 10,000? unless theres some "context" to it? lol


1 out of 2 people will get cancer and die.
10,000 out of 100,000,000 will develop a slight limp.

There is a huge difference between 1 and 10,000 with context...


Well...1 out of 2 people = 3.5 billion. not 1. 10,00 out of 100,000,000 still = 10,000. All youre doing is skewing the numbers.
Posts: 1,305
View profile


I made it very clear that is what I was doing simply to make a point. When you see a phrase like "lets say" that should be pretty clear.

As to your assertion that 15-25% of the complaints here are about this, how exactly did you come to that conclusion? While I do see various topics made about the subject, very few of the people participating in those topics are reporting the same issue.



A number out of context is meaningless.


well I have 3.14 reasons why that's not true


And to what are we applying PI to? See what I am getting at? Your argument is a circular one.


A number out of context is meaningless.


you think there's no difference between 1 and 10,000? unless theres some "context" to it? lol
If one is trying to argue that the "proof" there is "something else going on" is based upon the number of players hacked, the only number that matters is the % of players who have been compromised. Period.
06/05/2012 01:09 PMPosted by shmoo


Just pulling numbers out of the air there, huh?

Fact remains that 80% of the posts on the forums are complaints, and 15%-25% of those are people complaining about being hacked. These are called statistics, and are representative of the entire player base of the game.

I am sure if 80% of the posts on the forums were positive, you would be the first to say that 80% of players love the game, rather than saying they are a vocal minority.


More likely referral bias at play.

I'm not sure it's wholly correct to call posts on the forums "representative of the entire player base". More accurate to call them representative of the players on the forums.

You leave out the very real possibility that players who are not posting on the forums may have very different opinions and experiences.

Qualifying your sampling shouldn't be seen as weakening the results. If anything, it helps to properly scope your results and note potential bias. 8)

love,
shmoo


You are assuming that only only people with a negative opinion post here, and every other player does not. Fact is, most people who dislike the game with put it on the shelf and be done with it, never visiting a forum at all. Same goes for those who like the game. They will play it, and never visit a forum.

Forum percentages are still representative of over all player base. It may not be a 1:1 ratio, but it is pretty close. Close enough that if you have the majority of a forum posting a certain way, you can be sure the majority of people not posting feel the same way.
session spoofing

While many users feel this can happen we can go into reasons why in fact it would be almost imposable for it to happen.

FIrst off the Hackers would have to have a secondary authication server which they could in fact install to a remote server and authicate against bnet server with a valid id to feel it was just a user logging on.

How this is not viable would be the fact they would need a way to have you join there game that does not reside on a battle net server clone or take all your gear and gold put you back into the blizzard offical server and disconnect you.

In extreme cases this in theory could happen 99.9 percent of the time its impossable do to time constraints.

Why do i say its imposable as im sure blizzard as well as many other companies have detection systems to detect rogue servers on there network.

It would be very time intensive to inject a rogue game into the server then bypass the ingames anti cheat so they could run client side hex code into it to strip you of your items and inject you back into there servers without blizzard knowing about it as the hash and id info would not match the last origin info.

Sence the info and injection would have to be ran in unsercured un encryped info and then re encryped to match the id that blizzard gave the info the ammount of time would be astrinomical.

so we can rule out session jacking.

Dude, what?

Just stop posting.
06/05/2012 01:15 PMPosted by Applesoup
you think there's no difference between 1 and 10,000? unless theres some "context" to it? lol


you don't think there is? lol context is always important when it comes to numbers. it's all relative. the number of accounts compromised is most likely statistically insignificant.

...
Yes Im sure blizzard has a redundant backup copy thats made so they have a failsafe but normally backups are not instant. Backup or mirror image to the backup server are done at x intervals and or x time of day normally when the servers are not over x load.

...

What happens here is after awhile the transaction load gets expanitally larger and larger where the server is under such stress that it in fact locks up crashes.

...

When the server crashed this transaciton didnt happen or is extreamly delayed.

2 possible outcomes The item is returned to the original database entry for future putting up back into the database aka the ah its still in your stash it will look like your gold is missing itso nly because you did part of the transaction but it never was completed do to the fact it never finished though queing and saving.

...


Backups on any production system are instant. Some of this makes sense if we're using a laptop as a server but not a distributed file system in a modern server farm.
06/05/2012 01:16 PMPosted by Khagan

Got proof? Of course not. And authenticators are indeed part of the session. You can't create a session without passing an authenticator check.

Otherwise, how would you be able to ah...login?


LOL. Keep digging that hole. Once you authenticate the session is created. You don't keep authenticating over and over. If you could session spoof the fact that an authenticator was used during the authentication process is now irrelevant because you'd be stealing the session and bypassing the authentication process altogether. It's funny when people don't even understand basic security principles try to talk like they do.
It is shocking the number of people who think that an authenticator would prevent session spoofing/hijacking. lol
When will people realize..

These are hackers, their goal is to get your best items, get out before you change password.

So, they use bots which can move quicker than a human.

These bots are programmed using small scripts to avoid detection.

These scripts only focus on your last logged in character.

Think about it, when you logged out and got hacked, was it your last logged in character that was hacked?

Also, I've been doing public games from Day 1, I've yet to be hacked (Also gots an authenticator, but that is un-related if its "Spoofing")

Also, its impossible for such a thing to happen because of the way that D3 was created. I'm not a ITT techy guy, but I've been told a rough version of how it works.

Also, if they did do session spoofing, it would be on your end because the spoofer would be going through your Computer's IP adress or w/e which would require a hacker to be on your PC.

In the end, it would still be your fault.


I am an IT guy, and I applaud you. Finally someone that understand. You are not going to fix your problem by blaming bliz. It's not their fault you screwed up. Kudos to this poster.


Most people who are compromsed use the same password everywhere. Coinlock is effectively useless in this case.

Steam guard is the exact same and so far the reports of compromised accounts hasnt really slowed at all.

You cant protect people from themselves.

They already do something like this for WoW. When I went to alberta my account was locked until I unlocked it, and again when I went to japan, my account was locked and I had to unlock it. And again when I came back to my home in Ontario. Again my account was locked and I had to unlock it.

Though why it doesn't trigger in every case? That's the only thing I can't guess at. And I haven't had a chance to see about my D3 account, I don't do anymore traveling until August.


Because vpn and proxy.

Next time, route all of your traffice through a home vpn or proxy. You will not be locked out.

The people dont compromise accounts from their home land. They organize their lists to regions and hit different regions at different times according to where each log in comes from. This prevents setting off any region locks that might be happening.
100 Night Elf Hunter
11875
Posts: 9,102


If you believe that the forums are representative of the entire player base, I have a piece of land on the moon I want to sell you.


And yet is most posts were positive, you would be adamant that the player base feels the same way. Double standard much?


Dang, way to put words in someone's mouth.
and i'm sorry, when does a number not have context to it? is that possible? you instantly applied pi to 3.14. Can i have a number that has no context? you dont relate something to the number 1? or 20?
What blizzard is essentially saying is that people who claimed they were hacked via session spoofing, or those with an authenticator who were hacked, are essentially all lying. I find this hard to believe.
This topic has reached its post limit. You may no longer post or reply to posts for this topic.

Please report any Code of Conduct violations, including:

Threats of violence. We take these seriously and will alert the proper authorities.

Posts containing personal information about other players. This includes physical addresses, e-mail addresses, phone numbers, and inappropriate photos and/or videos.

Harassing or discriminatory language. This will not be tolerated.

Forums Code of Conduct

Report Post # written by

Reason
Explain (256 characters max)
Submit Cancel

Reported!

[Close]