Session Spoofing

06/05/2012 01:25 PM Posted by kweagle


You don't think there is? lol, context is always important when it comes to numbers. It's all relative. The number of accounts compromised is most likely statistically insignificant.


So you are suggesting that 10,000 people are insignificant, and don't matter?

Do you think if the game had only sold 1 million copies, that the ratio of hacked accounts would change proportionally? I would be willing to bet the number of hacked accounts would be exactly the same. Overall volume has nothing to do with the number of compromises.

10,000 of 7.7 million is statistically insignificant, yes.


2,000,000

Do you have any idea what I am referring to with the above number?


Yes, a large number.


Wow, let's go a little slower here.

When I say 2,000,000, am I referring to the number of blood cells in a certain amount of blood, the number of gallons in a body of water, the number of planets in a section of space, the number of characters on any given page on the internet or the number of people in a given city?

You do not know if 2,000,000 is a large or small number until you know what it is being compared against.
Edited by MutantMonkey#1724 on 6/5/2012 1:34 PM PDT
Lylirra,

Are there any plans in the works to have the Authenticator Advertised Up In Your Face on either the Launch or Log In screens?

Picture of the phone with app and/or the physical keybob maybe floating next to your characters on the select screen?

Many of the player base who did not play WoW have never heard of the Authenticator.
Many people who have yet to have their account compromised don't come to the forums, so also may not know about it.
Many people rush right to the game and don't care about the info on the way in.

I know it is not Blizzard's/Battle.net's responsibility to get up in our face to ensure our own personal security habits, but I feel it would go a long way in getting people to stand up and take notice of the Authenticator.

Edit: did I really spell feel with an a?


This is actually a good idea. One of my buddies got hacked a week or two ago and I had him change his password, run some malware scans, and told him to attach an authenticator. He had no idea what it was or what it did, but after I explained it to him, he goes "Wow, had I known about that, I'd have done it sooner." He has an iPhone so obviously he was able to do it right away for free and did not have to wait for shipping or anything. He wasn't even aware that it was common for people to try to steal your stuff, I told him, "Welcome to online RPGs."

He's never played WoW, the only Blizzard game he's ever played is Starcraft, so he wasn't familiar with authenticators. It may be a good idea to just throw up a little link under the login screen saying something like, "Want a more secure way to protect your account? Try our free mobile authenticator app. Or for those without a data plan, a keychain authenticator for the low cost of $6."

People love downloading free !@#$ on their phones. If they know about this, they will definitely download it. You'll at least get a large portion of the smart phone users with it being free for them.
I attempted to tell your support staff in my ticket, as well as multiple posts here.

I was hacked without evidence of keyloggers, trojans, or having given my account (intentionally or unintentionally)

My information has fallen on deaf ears and has been met with harsh criticism from this community.

I actually AM a computer technician and will be more than willing to speak of this further with you.

My hacker's account is still in use, as I can see it logged in from my "recently played" list, and it has still not been banned despite numerous reports from within the system.

Please contact me at the e-mail address associated with this account and I am willing to help.
There are many ways you can be compromised. Here are just a few:

http://us.battle.net/d3/en/forum/topic/5575469543
06/05/2012 01:21 PM Posted by Flamberge
Backups on any production system are instant. Some of this makes sense if we're using a laptop as a server but not a distributed file system in a modern server farm.


Not true. I have Tlog backups that can take hours to complete on some of the fastest storage devices you can buy. It's all about the IOPS...
You need help; seek a professional.

You are just mad because 89% of the player base says you are full of crap, and how did I get those numbers? I made it up, just like those of you who made up the spoofing crap.

Yes! Because, session spoofing is such a "boogeyman" that doesn't really exist in the IT space. We just made it up via monkeys with typewriters.

http://en.wikipedia.org/wiki/Session_hijacking
He was referring to the existence of session hijacking in diablo, not the existence of session hijacking altogether.
06/05/2012 01:33 PM Posted by Khagan
Backups on any production system are instant. Some of this makes sense if we're using a laptop as a server but not a distributed file system in a modern server farm.


Not true. I have Tlog backups that can take hours to complete on some of the fastest storage devices you can buy. It's all about the IOPS...


Yeah, I work for a mid-size company that manufactures storage equipment (~1.5 Billion in revenue) and our production systems don't have "instant" backups.
So you are suggesting that 10,000 people are insignificant, and don't matter?

Do you think if the game had only sold 1 million copies, that the ratio of hacked accounts would change proportionally? I would be willing to bet the number of hacked accounts would be exactly the same. Overall volume has nothing to do with the number of compromises.


Wow. Just, wow.

Of course the total number is relevant. There is a vast difference between "50% of those exposed died" and "1% of those exposed died". It doesn't matter if that 1% consisted of 100,000 dead people, odds are the exposure didn't kill them.


You think that? If 1 person dies from exposure, okay, maybe he doesn't have an immune system. If 100,000 people die, crap, we better do something about this.
Yes! Because, session spoofing is such a "boogeyman" that doesn't really exist in the IT space. We just made it up via monkeys with typewriters.

http://en.wikipedia.org/wiki/Session_hijacking
I like how you linked an article that shows it's only relevant to websites. HTTP and cookies, eh?

People haven't even been able to prove that Diablo 3 uses sessions, never mind if it can be hijacked or not. What people have found is that Diablo 3 uses persistent TCP connections, which doesn't use sessions.
06/05/2012 01:33 PM Posted by Raphael
People lie. Especially when they do not want to admit something occurred on their end because it's embarrassing or maddening, and they are upset and feel violated. This is human nature.

Or merely fail to recall events accurately. The mind isn't really all that great at recalling moments in history, especially during highly emotional states similar to how you would feel if you logged into your account to see your 250+ hour character with millions of gold and phat lewts gone. This is a drawback of biology rather than intentional maleficence.
I would say that's another possibility yes. You put it very eloquently.
So you are suggesting that 10,000 people are insignificant, and don't matter?

Do you think if the game had only sold 1 million copies, that the ratio of hacked accounts would change proportionally? I would be willing to bet the number of hacked accounts would be exactly the same. Overall volume has nothing to do with the number of compromises.


That's not what I said at all. Every person matters, and I'm sure Blizz is doing all they can to recover the account for anyone whose account was stolen/compromised. 10,000 accounts out of 6.5 million is statistically insignificant though.


Yes, a large number.


whether it's 2 mil out of 5 billion. it's still a lot of 1's.
So you are suggesting that 10,000 people are insignificant, and don't matter?

Do you think if the game had only sold 1 million copies, that the ratio of hacked accounts would change proportionally? I would be willing to bet the number of hacked accounts would be exactly the same. Overall volume has nothing to do with the number of compromises.


Wow. Just, wow.

Of course the total number is relevant. There is a vast difference between "50% of those exposed died" and "1% of those exposed died". It doesn't matter if that 1% consisted of 100,000 dead people, odds are the exposure didn't kill them.


You missed the point completely.

Let's say 10,000 people have been hacked out of 7 million that bought the game. The only thing that is limiting the number of hacks is the speed at which the hackers can work.

If only 1 million people bought the game, it does not change the speed the hackers can work, and therefore the number stays the same, and the percentage goes up. This is why the actual number of hacks is relevant. Doesn't matter if it is 1% or 20%. It is still a problem, and it is certainly not all the fault of the end user.


Wow. Just, wow.

Of course the total number is relevant. There is a vast difference between "50% of those exposed died" and "1% of those exposed died". It doesn't matter if that 1% consisted of 100,000 dead people, odds are the exposure didn't kill them.


You think that? If 1 person dies from exposure, okay, maybe he doesn't have an immune system. If 100,000 people die, crap, we better do something about this.


Tell me how the % is relevant.
Edited by Applesoup#1860 on 6/5/2012 1:39 PM PDT
Yes! Because, session spoofing is such a "boogeyman" that doesn't really exist in the IT space. We just made it up via monkeys with typewriters.

http://en.wikipedia.org/wiki/Session_hijacking
I like how you linked an article that shows it's only relevant to websites. HTTP and cookies, eh?

People haven't even been able to prove that Diablo 3 uses sessions, never mind if it can be hijacked or not. What people have found is that Diablo 3 uses persistent TCP connections, which doesn't use sessions.
I don't think you're using that term correctly... Persistent connection means it leaves the connection open to receive/send multiple request/response, rather than send a new connection request for every single request. A session can be an example of a persistent connection.
Edited by moojerk#1213 on 6/5/2012 1:40 PM PDT
I doubt the number is that high either, but it is certainly higher than the 1% people here would have you believe.
1% of 7 million people is 70,000. That's a lot of people.

At the same time, an older study from Trusteer put the effectiveness of phishing attempts at 40%, and a more recent study (http://lorrie.cranor.org/pubs/pap1162-sheng.pdf) found a success rate of 28% even after training against phishing. A Trusteer study says 73% reuse passwords, 65% reuse usernames, and 47% reuse both, and PandaLabs report that approximately 40% of computers are infected with malware, of which the majority are trojans.
Persistent connections has nothing to do with whether or not sessions exist. Persistent connection means it leaves the connection open to receive/send multiple request/response, rather than send a new connection request for every single request.


Mea culpa, were the two findings independent, then?