Cancel Auctions Anytime

[Bolty]

Blizzard is banning these threads left and right on the official forums.



If you're having trouble reading what he zooms in on, it's this: "Change the date on your computer to a few days ago (while the AH Auctions tab is open in D3). Now, click a different tab, then click back on the Auctions tab. Wa-lah! You can now cancel your auctions!"

[MMAgCh]

A nefarious individual might well wonder what other mechanisms they decided to tie to one's system clock.

I mean, really, Blizzard?

[Nystul]

A nefarious individual might well wonder what other mechanisms they decided to tie to one's system clock.

I mean, really, Blizzard?

To make up for the lack of offline single player they are implementing the offline auction house.

[ViralSpiral]

I thought people learned better than to tie functions to system clocks in the late 90's.

[MongoJerry]

My theory from the moment I saw it was that D3's auction house was designed by an undergraduate CS major doing it as a project for an unpaid summer internship. "Oh, goodie! I just learned how to use databases and create SQL commnads. Let's throw some tables together and use some default database GUI widgets to make an auction house for millions of people to use all at one!"

[Archon_Wing]

That's just sad. And their servers are secure right? :3 With such genius programmers, clearly it's not exploitable. People make mistakes, people make oversights... that's fine. But this is just incredible.

[Quark]

My theory from the moment I saw it was that D3's auction house was designed by an undergraduate CS major doing it as a project for an unpaid summer internship. "Oh, goodie! I just learned how to use databases and create SQL commnads. Let's throw some tables together and use some default database GUI widgets to make an auction house for millions of people to use all at one!"

Okay, weaknesses of the AH aside, don't be an armchair programmer. You saying this makes it clear you've never really messed with a database that has tables with over 100k rows.

[Ashock]

That's just sad. And their servers are secure right? :3 With such genius programmers, clearly it's not exploitable. People make mistakes, people make oversights... that's fine. But this is just incredible.

I got hacked on Friday, for the first time EVER. And that's with playing WOW for 6 years. Also, since their retarded Bnet for all games requirement, not only did I get hacked on my D3 account, but also on the WOW account, that my wife sometimes uses.

Only thing that I did late last week that I did not do before, is I posted a couple of times in the Barb forum on Thursday. More than a coincidence?

So yeah... this game is full of good news.

[LavCat]

I got hacked on Friday, for the first time EVER. And that's with playing WOW for 6 years. Also, since their retarded Bnet for all games requirement, not only did I get hacked on my D3 account, but also on the WOW account, that my wife sometimes uses.

Only thing that I did late last week that I did not do before, is I posted a couple of times in the Barb forum on Thursday. More than a coincidence?

So yeah... this game is full of good news.

Do you use an authenticator?

[Quark]

I got hacked on Friday, for the first time EVER. And that's with playing WOW for 6 years. Also, since their retarded Bnet for all games requirement, not only did I get hacked on my D3 account, but also on the WOW account, that my wife sometimes uses.

Only thing that I did late last week that I did not do before, is I posted a couple of times in the Barb forum on Thursday. More than a coincidence?

So yeah... this game is full of good news.

No, not more than a coincidence. One of these guys supposedly had a live stream showing how he was doing it and commenting on things. They were saving passwords from basically every actual hack (gawker, PSN, you name it, they've seen the list) from the past few years. They've got millions of emails and passwords to try - it only takes a few thousand hits to be worth it.

They sat on these, waiting for D3 to hit. And now that it has, they're working in full force to find every single person who's password hash has been previously compromised and doesn't have an authenticator. There was an Ars Technica article with the author bemoaning his hacked account, going on and on about the state of things, and my god how did he get hacked between Wed when he played and Fri when he added an authenticator? Oh, damn, he never changed his battle.net password from the PSN hack. (Note: as the two examples given, the gawker and PSN hacks were hashed+salt passwords. Hash without salt and plaintext are significantly worse, and had happened to others).

They'll start with the easiest - pure email and password, with no changes. Once that's through, you add in slight mutations to the password to find people who only minorly change passwords from previous known hacks. Everything after that is fairly simple to implement, but gets significantly more brute force in effort/reward ratio.

And while you're at it, if you get a hit, try it in WoW.

[Ashock]

I got hacked on Friday, for the first time EVER. And that's with playing WOW for 6 years. Also, since their retarded Bnet for all games requirement, not only did I get hacked on my D3 account, but also on the WOW account, that my wife sometimes uses.

Only thing that I did late last week that I did not do before, is I posted a couple of times in the Barb forum on Thursday. More than a coincidence?

So yeah... this game is full of good news.

Do you use an authenticator?

No. However, there's been several threads in general about ppl getting hacked while using it. Either way, I'm not about to start using one.

[Chesspiece_face]

No. However, there's been several threads in general about ppl getting hacked while using it. Either way, I'm not about to start using one.

oO

Major problem with a simple solution. Solution refused.

I hope you have a recliner, home theater system, and hot buttery popcorn in that hole you've got your head in.

[Treesh]

Do you use an authenticator?

No. However, there's been several threads in general about ppl getting hacked while using it. Either way, I'm not about to start using one.

And did you notice Blizzard saying they've looked into it and NO accounts that had authenticators attached (not just the cell phone warning) BEFORE the hacking occurred were actually hacked? You can find people claiming all sorts of things that just aren't true because they just simply don't want to accept the fact that it's THEIR fault that they didn't take enough security measures to keep themselves safe. Just like you're doing by refusing to get an authenticator. They have free apps for smartphones and if you don't have a smartphone, you only have to pay for shipping to get a keyfob. It's your choice of course, but don't come crying to us when you get hacked again.

[Mavfin]

I got hacked on Friday, for the first time EVER. And that's with playing WOW for 6 years. Also, since their retarded Bnet for all games requirement, not only did I get hacked on my D3 account, but also on the WOW account, that my wife sometimes uses.

Only thing that I did late last week that I did not do before, is I posted a couple of times in the Barb forum on Thursday. More than a coincidence?

So yeah... this game is full of good news.

Do you use an authenticator?

No. However, there's been several threads in general about ppl getting hacked while using it. Either way, I'm not about to start using one.

Ah, yes. The "It's Blizzard's fault. Couldn't possibly be me!" defense. Have fun with that.

Blizzard has categorically stated that no D3 users have been compromised with an authenticator attached before the compromise. A few have been called out in public for claiming they were hacked with an authenticator, and Blizzard has checked, and found they attached one after the fact. You can, of course, say that Blizzard lied about it if you like. I actually expect you to do so next.

[Kylearan]

Hi,

Blizzard has categorically stated that no D3 users have been compromised with an authenticator attached before the compromise. A few have been called out in public for claiming they were hacked with an authenticator, and Blizzard has checked, and found they attached one after the fact. You can, of course, say that Blizzard lied about it if you like. I actually expect you to do so next.

Disclaimer: I've been hacked, but I'm pretty sure it wasn't Blizzard's fault - it happened because my password has been a minor variation of a password I had also used on another forum where hackers had stolen the database two years ago.

And yet, I have to play devil's advocate here.

You can, of course, say that Blizzard lied about it if you like. I actually expect you to do so next.

Is it really so implausible that Blizzard would lie about something like that? They sell the game, and they sell the authenticator (at least I think they do?), so they have to lose a lot here. Many other companies that got hacked in the past tried to cover up the event, and only admitted it after proof became undeniable.

So while I haven't seen any credible source where someone with an authenticator got hacked, and thus right now think that simple brute-forcing of weak and stolen passwords like in my case are the more likely cause of the hacks, I also wouldn't lightly dismiss a problem on Blizzard's side only because Blizzard "categorically stated" so.

-Kylearan

[Elric of Grans]

Authenticator is free software. Since it is essentially a second password that changes every time you log in, it would be improbable someone would bother dealing with it just to harass some gamers. Seriously, if you have that kind of time and ability, break into the FBI or something! Situations like Sony and Steam involved real money and credit cards, not gold and armour; there is a huge difference in motivations here.

[MongoJerry]

My theory from the moment I saw it was that D3's auction house was designed by an undergraduate CS major doing it as a project for an unpaid summer internship. "Oh, goodie! I just learned how to use databases and create SQL commnads. Let's throw some tables together and use some default database GUI widgets to make an auction house for millions of people to use all at one!"

Okay, weaknesses of the AH aside, don't be an armchair programmer. You saying this makes it clear you've never really messed with a database that has tables with over 100k rows.

My point was, Quark, that the programmer who designed the AH didn't know much about designing databases with over 100k rows, either. It seemed like a very slap-dash job for something that was supposed to be a central feature in the game.

[Mavfin]

Authenticator is free software. Since it is essentially a second password that changes every time you log in, it would be improbable someone would bother dealing with it just to harass some gamers. Seriously, if you have that kind of time and ability, break into the FBI or something! Situations like Sony and Steam involved real money and credit cards, not gold and armour; there is a huge difference in motivations here.

Yeah, some man-in-the-middle attacks were used to get around the authenticator on WoW accounts a couple years ago, and that's the only known B.net hacks involving authenticators. Blizzard has put in some countermeasures of some kind (no details) and we haven't seen even man-in-the-middle be used against them for some time. Keep in mind man-in-the-middle still requires the client computer to be compromised so the network traffic at login can be redirected to where the hackers want it. The only other way around the authenticators would basically involve someone compromising the authenticator's algorithm that it uses to arrive at the realtime code using it's base key and someone finding out said key attached to the account; i.e. reverse-engineering the authenticator process itself. If they get that info, then, well, they'll have everything else, anyway. And, no one's going to put out that kind of effort for some profit in virtual gold. That kind of thing was done at Lockheed for defense stuff.

With all the people out there w/o authenticators and that huge bunch of passwords and emails to try, the hackers aren't going to bother with going around authenticators. They can't 'keep' the account, they can only trade stuff off the account for one session.

Is it really so implausible that Blizzard would lie about something like that? They sell the game, and they sell the authenticator (at least I think they do?), so they have to lose a lot here. Many other companies that got hacked in the past tried to cover up the event, and only admitted it after proof became undeniable.

I think it's very implausible. It's simply not something Blizzard would want to risk their reputation on. When the authenticators were gotten around with a man-in-the-middle attack a few years ago, they disclosed it. In 2001, when B.net got hacked, they disclosed it. They also sell the authenticators, if you get a physical one, for the shipping cost. They lose money on them, but they make it back on customer service costs in accounts they don't have to restore. They're definitely not using authenticator sales as a money-making thing.

It's one thing to have a breach. If you have one and disclose it as soon as you know, many users will accept that and continue to be customers. Trion and Steam have gone through this recently. Try to cover it up, and disclose it only when found out, and you have Sony. They're still dealing with that because they handled it badly.

With their history on dealing with B.net hacks in the last five years, I'll give them the benefit of the doubt on this. I've done forensics on a few people's machines after they got hacked that, according to the user, 'had to be' Blizzard's fault. In every case, they either had a compromised machine, or after asking some questions, it was the same password as another previously compromised account, as is being used for D3.

As well, I haven't had any issues myself. If Blizzard had ways for the hackers to get info out of their databases, the small numbers getting hacked now would become a huge flood. I know they look like a big number now, but as a percentage of accounts, it's very small. And you're talking not just D3. You're talking SC2, WoW and D3 all use the same authentication database. If Blizzard was hacked, I'd expect 5-10% of all those accounts to be taken, not 0.01% or 0.1% of new no-authenticator B.net accounts. There'd be no way to hide a breach of that size.

I work in IT security for a local college, and know how (in)secure the average user is with passwords and the like, and how gullible people are to phishing emails. It's absolutely amazing how otherwise smart people, with degrees even, totally lose their minds when presented with an email telling them to enter their credentials or get their accounts closed.

[Quark]

My point was, Quark, that the programmer who designed the AH didn't know much about designing databases with over 100k rows, either. It seemed like a very slap-dash job for something that was supposed to be a central feature in the game.

The fact that it's functional at all with over 6 million players says you don't know what you're talking about. The UI is cruddy, but with the commodities now live again I haven't seen any true issue with the backbone of the AH. Trust me, if someone without extensive experience in databases (say, all those people who cleaned up WoW's item lag that used to exist?) had developed this, the AH wouldn't have been up at all. The sheer amount of data it has to process is staggering. Remember, they don't have the benefit of splitting all these players across 100 servers (3 regions?) - something is centralized, and that something has to handle all this in a timely fashion.

Armchair posts about how easy a fix to an issue will be, or how a company didn't understand the server needs, will almost always be a giant pet peeve.

[RiotInferno]

Authenticator is free software. Since it is essentially a second password that changes every time you log in, it would be improbable someone would bother dealing with it just to harass some gamers. Seriously, if you have that kind of time and ability, break into the FBI or something! Situations like Sony and Steam involved real money and credit cards, not gold and armour; there is a huge difference in motivations here.

The Authenticator, IIRC, uses AES Encryption. If you're going to break that, then you're wasting your time on Diablo, and should be collecting huge checks from the security industry.

I have an authenticator, and I'm torn on it, really. I appreciate that there's another layer of security protecting my account. At the same time, though, I can't help but feel like the only reason it exists is because Blizzard doesn't trust their own basic security. To my knowledge, they're the only company that does this.