43 posts found
|
11/01/06 5:05:54 AM#21
well... at least something is being done...
|
|
|
11/01/06 5:38:55 AM#22
I just find it odd that someone who played since beta3, and obviously takes a great deal of interest in the game he plays, had no idea that any of this was happening. Although other players were bringing it up on the forums, in irc, and here. As well, I'm sure, it was spoken of ingame as well. Guess you were lucky enough to only play at times it wasn't mentioned, avoided the forums, didn't go in irc, and didn't come here. Maybe you weren't as interested in the game as you appear to be. Oh, well. My bad. And this isn't a flame. I am going off what is shown.
|
|
11/01/06 6:29:06 AM#23
Lepidus' post got my attention (the info part), but posting the sample hack codes was definitely a no-no in my book. And indeed it's the first time I got the full "SOAP API" bit, and I admit I don't go to IRC (best way to get worms and hacks to your system) and I don't support paying forums. I agree that posting the actual hack coding was irresponsible, in the sense that a "script junky" and the "wanna be a hacker" have tools they should not mess around with. For the fairness and relative freedom of those still playing, this is not helping them. This post, like many, is strictly a vendetta-style attack from a disgruntled ex-employee or player that wants revenge for x reason. If you're not happy with the skill set of the game owner/employee and/or they're not listening to your screaming, just go away. What benefit do you get from trying to get the game shut down (by re-distributing the hack code this is what you're trying)? The only benefit I see is a competing game for the base population. But even this reason does not sound true, as most actual HZ game players have played the other games and returned to HZ because this game offers what they want and the HZ player has not found what he was seeking elsewhere. Nope, definitely all this rings vendetta to my ears, or someone trying to go to their site for more details and get information from your system. Personally I will not try to get to those "console.cc" links (I have too much of a bad feeling about it).
|
|
11/01/06 6:49:01 AM#24
Just keep in mind, folks, that we have a couple of EI moles on this thread doing damage control... they are easily spotted; they are the ones that get pissed off when you dis David Bowman and outright lie about the fact that this hasn't been going on since Beta. If anyone doubts that this hasn't been a problem that has been ignored since beta, just ask any of the members of the Order of The Sacred Sword; they broke this story in 2003 and got banned for it. The entire guild was banned because of David Bowman's inability to fix his broken product, the same product that is ripping off what few members are left. I don't have an agenda against David Bowman, just a strong desire to see him prosecuted for fraud and racketeering, and every day that is becoming more of a possibility.
|
|
|
11/01/06 7:06:56 AM#25
*sigh* So now MMORPG.com is trying to shut down Horizons? Gimme a break. Keep your conspiracy theories where they belong... you know, that place where the sun don't shine. I just don't understand why you people aren't attacking the *real* problem here, which is Tulga/EII's negligence. Here are your options:

1) No one outs the exploit. EII continues to deny it (lying). Problems continue throughout the lifespan of Horizons... people who know about the hack continue to use it against other players without any kind of punishment... because after all the hack doesn't exist, right?

2) It is brought to public, forcing EII to fix the problem. Players are inconvenienced for a bit while EII does what they should have done a long time ago. Hell, what Tulga should have done a long time ago. The hack is fixed and players can continue to play in relative safety.

Which option sounds better to you? Sounds like some of you would rather be ignorant and let EII continue to ignore this problem and continue to let people exploit it. What a nice little naive world you must live in... I also don't understand how you can try to pin this on MMORPG.com, who are only:

a) Reporting valid, breaking news.
b) Showing valid proof of the accusation.
c) Making the current and future players aware of the problem.

And you complain about MMORPG.com not caring about Horizons' players? LOL. Basically, y'all just need to get over it. There's a huge problem with the Horizons client right now. EII wasn't going to fix it without their hand being forced. Guess what? Their hand has been forced. This all could have been avoided if Tulga or EII had fixed it when it should have been... a long, long time ago. In summary, stop complaining about the honest people at MMORPG.com who were doing their job, and start complaining about the people at Tulga/EII who were NOT doing their job.
|
|
11/01/06 7:09:23 AM#26
I, too, find it highly irresponsible to republish a step-by-step roadmap of how to hack into Horizons, or any other MMORPG. As has been observed previously in this thread, the purpose of warning the player base of a security vulnerability is served well enough by simply stating that the vulnerability exists, and the kind of damage that can result from the vulnerability. Take the all-too frequent Windows security vulnerabilities as an illustration. Those are often reported by CNN and other mainstream news sites, but you will never see them print a roadmap on how to take advantage of the vulnerabilities. Well beyond the fact that the mainstream news networks' legal departments would undoubtedly prohibit the publishing of such a "report" as this one for all the legal woes printing it would entail, there is the plain old common sense issue of responsibility in journalism. While publishing this "report" does indeed embarrass EI (and I should imagine DB and the former dev team), it simultaneously places the subscribers to the game in serious jeopardy. Just as our troops should never be considered "collateral damage" in favor of printing some article adverse to the present administration's policies, so too should the security of the players of any MMO be lightly discarded in favor of publishing something derogatory to its past or present developers or owners. In closing, I would mention how intriguing it is that the genesis of this report is a "source within the original development team," and its publication follows hard on the heels of an attempt by a former Tulga "source" to disrupt the game and its community by doling out god-like items in game . . . . |
|
|
11/01/06 7:32:07 AM#27
Jesus people, you really don't get it do you? Maybe I need to use all caps or leetspeak to get the point across...
- MMORPG.COM DID NOT PUBLISH THIS REPORT FIRST.
- THE PLAYERS WERE ALREADY IN JEOPARDY.
- THIS REPORT FORCED EII TO FIX THE PROBLEM.
- WHEN PROBLEM IS FIXED, PLAYERS NO LONGER IN JEOPARDY.
- CELEBRATION.

Any better? There were already people who knew about this exploit. There were people who were already using it. By making the community at large intimately aware of the details, EII was forced to bring down the server and fix it. Just telling them about the problem was obviously not enough... because people have been talking about it for years. Also... please don't compare this incident to troop casualties in Iraq. I have family there, and if you think those are equal problems, then you need to see a shrink. Immediately.
|
|
11/01/06 8:01:51 AM#28
Hate to say it but anyone who plays the game and didn't know about it lives in a cave. I never played the thing and have heard all about this game and knew about the report before it was linked here.
Point is the people who "could" use this code already were (actually slightly different) long before, and I know this for fact and have never played the game. How do I know this for fact? I used to be really big into finding security holes without getting caught back in yesteryear, so to speak. I long since quit that activity to find more productive things to do with my life. However I stay current on latest issues and frequent a lot of old sites that are still up. That being said, this was already well known and talked about on some sites even before that report's release, much less the link here. And ya, people were taking advantage of the issue. You can believe me or not, I don't really care, but this just places it in the "authorities' spotlight" so someone actually fixes the problem instead of denying it ever existed in the first place or sweeping it under the rug by just making general statements that ya it can be done.
|
|
11/01/06 8:12:20 AM#29
silly fools
60 days after the fact. Some idiot hacker already discovered this a long time ago and already got what they needed from the security hole. Don't be a tool and know what you are talking about before posting such crap on what is and is not responsible. If it took EII 60 days to fix such a major hole then MMORPG.com is not the one you should be angry at. I feel sorry for anyone foolish enough to have an active account with Horizons at this time.
|
|
11/01/06 10:46:56 AM#30
As much disdain as I have for Hadesprime's past flames/trolling of the Horizons boards, he and the other posters with similar opinions are absolutely right. Not only is MMORPG.com not at fault for posting this, but I believe it was their DUTY as an industry news source to do so. I am surprised you can still log into the game at this point. I can only hope that someone is taking legal action to shut the servers down and secure or erase all of the compromised personal data before any more opportunity is created for massive identity theft. Keep in mind, Horizons may have a small current player-base, but there are likely 1000 times more accounts that are no longer in use that still remain on those servers.
|
|
11/01/06 12:17:52 PM#31
"We reported this hole in beta and got banned to shut us up..." Yeah, riiiight.... Without analyzing previous versions of the launcher code, nobody can say for sure how long this specific weakness has existed. The web launcher was tweaked & updated several times after launch; the beta version didn't even use .NET, for example. If this specific hole DID exist in beta, anyone who knew about it should have reported it. "This software has a bunch of security holes and everyone knows it!" isn't a valid bug report. A valid bug report is specific, detailed, and has all the information available to the submitter so that the programming team can reproduce the issue. I don't believe anyone who says they reported this and were banned or ignored, because other serious security issues were reported and were addressed. It's in the best interests of the company and the game to address issues like this as soon as possible, so punishing people for reporting them makes no sense whatsoever.

The vulnerability in question doesn't endanger players unless their password has been compromised. Even then, most of the things this vulnerability allows someone to do are related to playing for free - which anyone can do now anyway, thanks to EI's billing system issues. The threat is to EI, but only from someone who has the server password. It's still a critical issue, but it's not a situation where the player base as a whole is threatened.

Without knowing when the vulnerability was introduced, without actual proof that a legitimate bug report about this specific issue was submitted prior to the report in question, the only facts available right now are that EI was advised of the issue in August and that the issue was still not addressed 60 days later. Tulga couldn't do anything about it; everyone who could have fixed it had already been fired by Chris Baker and all the game assets had been turned over to EI at that point. EI did not fix the issue and there is no evidence that they would have ever done so on their own. That failure is totally on EI. Good luck getting it fixed; I doubt anyone who knows the code will be willing to take a contract with a company that has already bounced paychecks for two other contractors.

Guildleader, Mithril Council, Chaos
|
|
11/01/06 1:04:15 PM#32
From a security standpoint, KNOWING how a breach is done, is step one in fixing it.
For this reason I laud MMORPG for reporting this. Perhaps some feel this should not have been openly revealed, but such people don't want this known, since it might upset the game they love. They fear the game will end, and don't want to believe that it really could. Such a view is a denial of reality. All things end, including games. Some posters are incorrect in thinking this hurts the players. If anything, it forces Eii to actually learn to do their job. I say learn, because it's very obvious that they have little clue what they are doing. I cancelled my accounts last month. The happy little website said it was cancelled. But just to be safe, I checked with PBT and, you guessed it, the change in status was never uploaded to PBT to update their records, so it was never really cancelled. So, I ask PBT to cancel the accounts, and they were very happy to help. Next, I check to see if my accounts are actually non functional, and lo and behold, I can STILL login. The short of it is, without even being able to successfully stop a player that has cancelled their accounts from logging in, do ANY of you actually believe that they have the needed skills to fix the security hole reported on by MMORPG? If your answer is yes, then it is obvious to all that you are over-medicated.
|
|
11/01/06 2:30:10 PM#33
|
|
|
11/01/06 3:41:53 PM#34
Klaus is correct. You cannot damage another person's account. It's been stated repeatedly that this only affects accounts with KNOWN passwords - so it hurts EII. But it can affect the players in that it allows the hacker to give themselves GM/WM powers - as indicated in the report. Somehow, I think if this hole were known and being abused for years, this particular abuse would have been seen previously. People do so like their shinies!
|
|
11/01/06 3:55:47 PM#35
you mean something similar to the Blackstaff controversy a while back? |
|
|
11/01/06 4:13:35 PM#36
Sort of. That was a case of a player with a ton of money being given WM powers and allowed to play developer, though. It wasn't a hack, just one of the worst decisions in the history of the game. The items recently discovered on Order were (as far as has been divulged by Amadan) created by someone who was given WM abilities but who was not a Tulga employee. This person abused the trust that was placed in them, and has been dealt with. In both cases, the persons involved had been set up with a WM account by AE/Tulga. No hacks were involved.

Guildleader, Mithril Council, Chaos
|
|
11/01/06 4:22:44 PM#37
THANK YOU MMORPG.COM! *big hug* Really. Information like this needs to be out in the public. Game companies give consumers the run around all the time and only through efforts like this are we going to see them begin to change. I can only think of one other business that can treat its customer base so badly but still get the business and that is drug dealers. Maybe less of a difference in the 2 than we think. (people do get addicted to games) Again, thank you. Thank you for keeping the thread going. Thank you for not removing the link. Thank you for helping us, the players, have a voice.
|
|
|
11/01/06 7:28:19 PM#38
I would just like to say thank you to the staff here for posting this.
The writer of this report gave EI 60 days to resolve this issue before making it public. EI either ignored it, or was incapable of fixing it. Sometimes people need a smack on the head to get things done, and guess what, the smack seems to have worked. People can bash AE/Tulga/Bowman, etc until they're blue in the face. But they're all gone now, and this is EI's game now. This was published under their watch and they did nothing about it. |
|
|
11/01/06 9:16:41 PM#39
naaah good on em for posting it. Otherwise people would ask "Where is the document" |
|
|
11/07/06 6:22:02 PM#40
A big "thank you" to the staff of mmorpg.com for some excellent reporting on the *huge* problems in this sorry piece of gaming, i.e., "Horizons". The replies by the EI staff said it all.
And may I say that the few fanbois that posted here in Horizons' defense gave us all a good insight into the mind of people in deep, deep denial. Man, those were some feeble attempts at justifying their weak positions! *snicker*
|