
Thread: PST - Episode 34

  1. #1

    PST - Episode 34



    This week:
    0:20 - What do you think of the new Authenticator system?
    4:14 - Can introductory content be too easy?
    6:50 - Is it okay that the lion mount costs $25?
    13:02 - How do I deal with raiders changing mains?
    17:29 - What does Heals per Second actually tell me?
    20:28 - How do I earn Avengers of Hyjal rep?
    22:36 - Why is Blizzard so slow to react to hackers?
    27:31 - Could Blizzard do a legendary the same way they did Quel'delar?

  2. #2
    Join Date
    Jun 2011
    Posts
    1
    If I had a nickel for every time Lore mentioned that he has Invincible I could buy a disco lion.

  3. #3
    Join Date
    Jun 2011
    Posts
    1
    That pun was beautiful.

  4. #4
    Join Date
    May 2011
    Posts
    5
    You know where that stick went...

  5. #5
    Join Date
    Dec 2010
    Location
    i don't know but it's dark and i hear laughing about black ops scores, help me
    Posts
    7

    Thought on legendary tanking weapon

    Like, I've been having this thought for a while: why don't you have a legendary tanking weapon that transforms based on your needs, somewhat like Benediction and Anathema back in classic? Such as its model is a very stylized shield which is the sheath for a huge sword, and you can switch it into either a shield/sword combo, or a two-hander for DKs, or a resulting polearm for druids. It could still go by the same prefix or name, and have all those special shiny pixels and the epic stats and, say, an absorption/AoE threat truck like proc based on how much dmg is absorbed. It seems like an elegant solution if the model for the different variations of the weapon would be designed well. Maybe even throw in a cool animation for transforming the legendary into its different variations. Any thoughts?

  6. #6
    Join Date
    Jul 2010
    Posts
    3
    yay for smolderfail! i mean smolderthorn! haha

  7. #7
    Join Date
    May 2008
    Location
    Ottawa, ON, Canada
    Posts
    7,442
    Haha, props to Smolderthorn, my first server ever. Fun times!

    Tankspot Moderator
    Twitter: Follow me on Twitter! @Krenian

    "Damnit!" - Jack Bauer, 24


  8. #8
    Join Date
    Jun 2010
    Posts
    31
    I laugh every time he says deathwing sweat

  9. #9
    You mention that WoW should be implementing a Coin Lock feature in the course of this PST. What exactly would be the differentiating feature between Coin Lock and the new Authenticator functionality? In the Coin Lock system Rift has, the servers whitelist the IP/computer you are playing the game on and use an email code in order to authenticate that computer. This allows you to actually log in to the game and then you use your email application in order to whitelist your computer, whereas the current Authenticator system now does this before you are actually able to log in to the game.

    The only difference in the functionality is that with the Rift CL system you do not need the phone app or token, whereas the new WoW system prevents your character from even being online and doing the few things you can do while being Coin Locked. To me, the only benefit of adding a Coin Lock system to WoW would be to give 100% access to the system instead of forcing players to have another piece of hardware. To me that's a moot point. They both do virtually the same thing now, no need for Blizzard to write a CL system for its games. If they want to "borrow" ideas from Trion, why not AoE Looting?

  10. #10
    Join Date
    Jan 2010
    Location
    Belle Chasse, Louisiana
    Posts
    7
    I rofl'd at Primordial Deathwing Sweat and Slivers.
    I named him Waggleton P. Tallylicker...*sniffle*...and I never got a chance to tell him...*sniffle*...He will be...remembered.

  11. #11
    Join Date
    Oct 2007
    Location
    Illinois
    Posts
    1,632
    In regards to the Authenticator.

    The simple action of entering the code each and every time is what provides its true security and as such the security has been voided under these new procedures.

    If the code is not being entered it is being "bypassed" and bypassing a security measure is voiding it. At that rate why have it at all? I would like to purchase something that works part of the time? The authenticator was not advertised as a second level of security "only when not on your own computer".

    Bottom line, adding an option to enter your code each and every time solves this issue outright, it should be implemented without delay.
    There is something so appealing about backhanding someone across the face with a shield.

  12. #12
    Join Date
    Jan 2009
    Location
    Karlsruhe/Germany
    Posts
    4,020
    They would not introduce this system without being damn sure it would not compromise security. All the scenarios people are thinking of would result in an account compromise regardless of whether there is an authenticator attached to the account or not (man in the middle attacks).

    In fact, this now could prevent a MitM attack, because your authenticator code is not transmitted every time, so even if they intercepted the account details they couldn't log on to the account (would trigger an authentication request).

  13. #13
    Quote: Originally posted by Pyrea
    In fact, this now could prevent a MitM attack, because your authenticator code is not transmitted every time, so even if they intercepted the account details they couldn't log on to the account (would trigger an authentication request).
    ^ this. The system is actually safer by not requiring you to put in a code every time.

    I also think the fact that Google does the exact same thing with their two-factor authentication system should probably indicate that it's not the major security vulnerability that the armchair security experts seem to think it is.

  14. #14
    Join Date
    Jun 2011
    Posts
    9
    Quote: Originally posted by Lore
    The system is actually safer by not requiring you to put in a code every time.
    Since when did a MitM attack become easier than faking IP addresses and computer IDs? I haven't hacked in a long, long time but those things used to be entry level stuff.

    Quote: Originally posted by Lore
    I also think the fact that Google does the exact same thing with their two-factor authentication system should probably indicate that it's not the major security vulnerability that the armchair security experts seem to think it is.
    Yeah, because Google hasn't been the subject of any recent breach-in-security news...

    Bodasafa had it right. An internal bypass has been created. Once the bypass is there, it's simply finding a way to exploit that bypass. There may be a degree of difficulty in finding and using that exploit that makes it essentially not worth an account hacker's time, but an MitM attack is far less reaching than if a flaw in the general system is exploited.

  15. #15
    Join Date
    Jan 2009
    Location
    Karlsruhe/Germany
    Posts
    4,020
    And you have no idea how the computer ID is generated, you have no idea what kind of protocols are used at Blizzard's end and you don't know how the system in general works. In fact, the only people that actually know how the system is put together are the ones who built it.

    The more pressing issue is the millions of users that still refuse to use an authenticator and whose account contents are free for the taking. Or those that insist on clicking on every link that gets sent to their email inbox or whispered to them ingame by [Blízzärd] - level 1 Orc Warrior in Durotar.

  16. #16
    Join Date
    Nov 2009
    Location
    WI, USA
    Posts
    2,614
    Quote: Originally posted by Trelocke
    Since when did a MitM attack become easier than faking IP addresses and computer IDs? I haven't hacked in a long, long time but those things used to be entry level stuff.
    That statement alone says you have no idea how the internet works.

    Here's a little real world example from the corporate workplace. A user at a remote location calls in because they are unable to log into one of our systems to enter their expenses. The reason they were unable to? Because the IP address assigned to the server they were attempting to access via a virtual private network was identical to the IP address assigned to them at their current location for accessing the internet. As a result they couldn't communicate with that machine. This was an IP conflict between two separate networks being bridged with a virtual private network.

    In order for you to actually have legitimate traffic which was being routed down a different path, to joe user's computer, you actually need to change the routing in a manner that when that traffic is sent it goes a different path. You aren't simply spoofing an IP address, you're hacking DNS servers and changing the routing of traffic. Good luck with that.
    "In anything, if you want to go from just a beginner to a pro, you need a montage." /w TankSpot WTB Montage for Raiders.

  17. #17
    Here is one thing to keep in mind. We do not know if Blizzard is doing a deep inspection of the route the packet took to get to them and back to you. Even if you spoof the IP you cannot spoof the routers it has to hop through to get back to you and if you are outside the country trying to hack someone it could very well throw an immediate flag.

  18. #18
    Join Date
    Jun 2011
    Posts
    9
    Quote: Originally posted by Pyrea
    And you have no idea how the computer ID is generated, you have no idea what kind of protocols are used at Blizzard's end and you don't know how the system in general works. In fact, the only people that actually know how the system is put together are the ones who built it.
    This is a moot point since *I'm* not trying to hack the system. Learning these things when you don't have easily available access to the information required is a fundamental part of hacking. And a lot of people do it for fun, just to see if they can. It doesn't mean it isn't less secure (which it is, it's just a matter of degree) than inputting the authenticator code upon each login. For those who still think this is as secure or even more secure than the "old" way ask yourself this: Why do they still require you to input the code every time you log into your battle.net account?

    Quote: Originally posted by Pyrea
    The more pressing issue is the millions of users that still refuse to use an authenticator and whose account contents are free for the taking. Or those that insist on clicking on every link that gets sent to their email inbox or whispered to them ingame by [Blízzärd] - level 1 Orc Warrior in Durotar.
    To me this is very telling in how serious Blizzard takes security and one of the reasons this New! Improved! authenticator log-in system has me uneasy. There are literally dozens of secure log-in methods that could be easily implemented but aren't. It doesn't really inspire confidence in Blizzard's "security".

  19. #19
    I highly doubt that their new system just consists of, "Hey, is that your IP address? Ok, C'mon in."

  20. #20
    Join Date
    Jun 2011
    Posts
    9
    Quote: Originally posted by Quinafoi
    That statement alone says you have no idea how the internet works.

    "some stuff"
    I could say the same thing about your knowledge of how hacking works but I'm not trying to get into a debate about who knows more about what. What I will say is that you are thinking linearly. Hacking isn't necessarily about controlling the points where the information originates, it's more about fooling the system looking for the information into thinking it's found it.

    Authenticators are notorious for being extremely difficult to hack due to the real-time application required to hack them. This new way of authenticating absolutely is less secure than requiring an input upon each log-in. The authenticator is being bypassed so long as the security system finds the X information that is required. It's a hole in the system. A designed hole, but a hole nonetheless. These are the holes that allow hackers to do what they do.

    I don't claim to be an expert hacker and I don't claim to know how hard it would be to exploit this hole. The hacking game passed me by a good 10 years ago and even when I was more current I was nothing more than a novice. However, the basics of hacking haven't changed. Find the holes, figure out how to spoof the information required or force your way past.

    The reality of the matter may be that the old system was 99.999% secure whereas this new system is only 99.997% secure. It's a matter of Blizzard believing the added convenience outweighs the added risk. But if I want that extra .002% I should be able to opt out of their convenience mode. If Blizzard really believed this was as secure or more secure, they would have also applied it to logging into your battle.net account where much more valuable information resides than some easily replaced in-game pixels.
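
The trade-off argued in posts #9 through #20, as an added example that is not part of any post and not Blizzard's or Trion's actual design: a sketch of a login server that skips the authenticator code only for a device it has previously enrolled. It assumes the device is recognized by a random server-issued token (stored hashed) rather than by IP address; `LoginService`, `demo` and all sample values are hypothetical.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1) for Unix timestamp `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    """Hypothetical server: password always checked, code only for unknown devices."""
    def __init__(self):
        self.accounts = {}

    def register(self, name: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = {"salt": salt, "pw": _pw_hash(password, salt),
                               "secret": totp_secret, "devices": set()}

    def login(self, name, password, now, device_token=None, code=None, ip=None):
        """Return (status, new_device_token). `ip` is logged at most, never trusted."""
        acct = self.accounts.get(name)
        if acct is None or not hmac.compare_digest(
                acct["pw"], _pw_hash(password, acct["salt"])):
            return "denied", None
        if device_token is not None:
            digest = hashlib.sha256(device_token.encode()).hexdigest()
            if digest in acct["devices"]:
                return "ok", None              # remembered device: code skipped
        if code is None:
            return "code_required", None       # unknown device: step up
        if not hmac.compare_digest(code.encode(), totp(acct["secret"], now).encode()):
            return "denied", None
        token = secrets.token_urlsafe(32)      # random, server-issued, unguessable
        acct["devices"].add(hashlib.sha256(token.encode()).hexdigest())
        return "ok", token

def demo():
    """Constructed scenario: owner enrolls a device, attacker holds only the password."""
    svc, secret, now = LoginService(), b"constructed-secret", 1_300_000_000
    svc.register("player", "hunter2", secret)
    first, token = svc.login("player", "hunter2", now, code=totp(secret, now))
    again, _ = svc.login("player", "hunter2", now + 3600, device_token=token)
    thief, _ = svc.login("player", "hunter2", now + 3600, ip="same-ip-as-owner")
    return first, again, thief   # ("ok", "ok", "code_required")
```

In this design a matching IP address alone never skips the code; the residual risk is a device token stolen from the enrolled machine together with the password, which is the "designed hole" the thread argues about.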
