Diablo2: Apocalypse Now!

Hemos posted more than 13 years ago | from the bad-news-for-blizzard dept.

Games 235

Weyoun writes "All those who play Diablo2 know that their characters on the battle.net 'Realms' servers are supposedly secure and unhackable. This has been the case up until a few days ago, when a group of crackers discovered a method whereby they could log on as any character. Since then, they have reigned over a virtual apocalypse as hundreds of the top ladder players have seen their items stolen (including that of one well-known Blizzard employee). Even worse, beginning last night one of the hackers began systematically murdering the top hardcore ladder players, by logging in as them and getting them killed (death is PERMANENT for them). As of yet there has been no official reaction from Blizzard, but the entire community is in a state of shock over this situation." Update: 01/02 04:30 AM by T : It appears that Blizzard has now corrected the problem. See below for more.

Gaile - DiabloII.Net sent this update: "Blizzard has posted their response to the Diablo II Realm Character losses on their Realm Status Forum. The losses have been stopped (as of this morning), and characters are secure once more on the Realms. In addition, dead Hardcore Characters will be restored automatically, on January 8th, as outlined here:

[On] Monday, January 8, we will be reviving all hardcore characters who died between December 19th and January 1st. The restored hardcore characters will be revived with the experience, skills and items possessed as of Tuesday, December 19th. This restore will be automatic and players do not need to contact Blizzard to request that their character be restored. Note: Only dead hardcore characters that died between December 19th and January 1st will be revived.
In addition, a mechanism is in place for the retrieval of items, as well. The Blizzard post is on the Blizzard Site. We'll have more soon in the DiabloII.Net Bug Bytes section, which is an overview of the current game build."

235 comments

Maybe... (1)

okmar (266773) | more than 13 years ago | (#537960)

they thought they were playing UT??



Security through Obscurity (2)

verbatim (18390) | more than 13 years ago | (#537962)

I guess this proves one thing: Obscurity is not a form of Security.

Battle.net uses *obscurity* to implement its security. It seems to trust the client too much. Worse yet it seems that a simple logic flaw has cost Blizzard its reputation. Ack.

Another thing this proves is that the more obscure something is, the more complicated the system is, etc. It lends into being more of a challenge for 'hackers' and 'crackers' to break, which only fuels the fire. Though, if the system was open and exploits available and commonly known, you get the scr1pt k1ddies coming. Sheesh.

Or maybe it's just me..

Maybe it's a good thing... (1)

kidlinux (2550) | more than 13 years ago | (#537963)

Now all those players can get back to reality and get a real life, maybe even a job. Maybe even do something productive.

Re:Yeah, imagine how horrible it would be (1)

Daemien (268095) | more than 13 years ago | (#537965)

Someone hacking Everquest or UO, wow, that would be 'some' bad.

Teaches them a lesson (2)

LostScorp88 (249884) | more than 13 years ago | (#537966)

This is very true. It shows how silly the people that work and work for these characters are. They spend insane amounts of time developing their characters, when something as simple as this can just throw it away. Maybe all of these obsessive players will learn a lesson (but probably not) - games are for fun. In the end, they are just GAMES. Hopefully, some of them can see that their work has led to nothing other than being victimized by some asshole hackers. Perhaps they should work on something more permanent, such as their relationships with friends and family, instead of playing a silly game 24/7. Look how easy it was thrown away.

sympathy? (1)

CroyDax (211988) | more than 13 years ago | (#537967)

it's interesting to note how the people on those forums in general have noooo sympathy whatsoever for those affected... i can imagine that adds to the frustration... so what does one do? start over? or is it a message to stop playing d2 and go outside? that's actually how i think when i lose some huge piece of work. croydax

Re:The general flaw: server side data (2)

rknop (240417) | more than 13 years ago | (#537968)

You can't store anything client side, because you cannot trust the clients. It doesn't matter how much encryption or checksums you have on the client - the bad guys have all the code on the client, and can reverse engineer it down to the metal if they have to. They can write proxies that pretend to be properly checksummed, and behind the scenes are doing whatever they want.

You have all of the code to PGP (or GPG). You can reverse engineer it all you want. Are you able to easily change a digitally signed message and still have the digital signature check out? No. Hence, if done right, why would a game client be able to change a character and have a decently implemented checksum come out right the next time you try to use the character on the server?

I'm certainly not advocating storing things client side and relying on security through obscurity! I'm advocating reasonable authentication, but not putting all the eggs in one basket, storing all the characters out there on a single server where anybody can get to it.

I'm also not saying that the client code is the code that should authorize any changes to the character. That should be done from the server side, yes. What I'm saying is that the character *data* should be stored on the client side, not in a central server location, but it should be done in such a way that the server can authenticate the data and verify that it is in fact a character it had approved before.

-Rob

Why don't they use a PKI? (1)

Halo- (175936) | more than 13 years ago | (#537969)

I should start by saying I am employed by a company designing PKI's, so I am a bit biased. :) I also don't play much in the way of OL games. Anyway, doesn't this seem like the perfect application for a smartcard based PKI (Public Key Infrastructure)? Think of the problems which could be solved:

1) No more lame password based authentication
2) Copy protection. (I know, I know... it's not something I like to admit, especially in these days and times of the CCA/MPAA...)
3) A nice toy/gimmick for the game.

I dunno, just a thought. -T.

It's a game, non? (1)

SirFlakey (237855) | more than 13 years ago | (#537970)

This will probably be marked as redundant =). But as so many have pointed out it's a game not real life hence isn't "the shock of the community" a little strong. I mean when 300 people get killed at a chinese x-mas party we should be shocked - let's not lose focus on meatspace.

Mind you, I can understand the anger of people that have "worked" hard on their characters to achieve those levels. I am not nearly patient enough to do these things.
--

Re:call me silly... (1)

gimpboy (34912) | more than 13 years ago | (#537971)

if i walk up to an NT box and login as Administrator with no password would you say i "cracked" their computer?

from what i've read that seems to be what they did. they said hey i'm user "x" and the server said ok.. have fun "x".



use LaTeX? want an online reference manager that

Re:ouch (1)

agentZ (210674) | more than 13 years ago | (#537972)

Yes, but the MS marketing engine will be good enough to convince a lot of sheeple that they are far more secure than a bunch of silly computer gamers, pardon my french.

[sarcasm]I mean, when was the last time anybody was able to break into Microsoft...

Re:prosecute for what? (1)

agentZ (210674) | more than 13 years ago | (#537973)

Ha!

Seriously though, the US computer crime laws, most of which are in 18 USC 1030, do make it a crime to cause more than $5,000 of "damage" to a system, and "damage" includes money paid to system administrators and investigators to figure out what happened.

Blizzard. (1)

I_redwolf (51890) | more than 13 years ago | (#537974)

This is not surprising to me. Blizzard makes very good multiplayer games at least they are king of the hill; for now. However this same thing took place with Starcraft. People cheating, and showing the whole map while playing etc. I stopped playing starcraft because of it. I haven't bought a Blizzard game since. Not because I don't like diablo 2 but the games reach a peak and then the hacks and cheats don't make the game worth playing anymore. Why would I waste my money to have my character ripped of all glory to a mere peasant?

Blizzard needs to do something, IN FACT because of this they should send everyone that has a registered copy of Diablo 2 some form of coupon or something to solace the people that have spent hours building up characters.

If Starcraft wasn't so old I'd demand my money back if I knew that I was going to play and that I'd be cheated against. It's not fair, it's no longer fun to play and I sincerely hope that Blizzard plans to do something about it. If they don't this will not be the last time we hear about this.

Servers suck! (1)

Palverone (166646) | more than 13 years ago | (#537975)

Hmmm ... I wonder if that's why USEAST has been so friggin' laggy for the past couple of weeks now? All the "crackers" are trying to break in. I am completely fed up with it and would like for Blizzard to ask me what they can do with battle.net-- I dare them!

I will definitely NOT miss people begging for SOJ, FROSTBURN, or all the other UNIQUE/RARE's I can never get ahold of.

"This completely sucks... I'm going back to inventing that damn lickable wallpaper wonka teased me with when I was a kid ..." -- Me

Re:It is dark. (1)

Dynedain (141758) | more than 13 years ago | (#537976)

bhwahahahaaa!!!! that's brilliant!!!! Zork meets script kiddies! I love it!

What are you smoking? That's how D1 was (3)

zatz (37585) | more than 13 years ago | (#537978)

And Diablo 1 was notorious for cheating! The correct answer is to centralize the important things on the server, because otherwise clients are free to modify them. Checksums are just obfuscation, unless you do crypto things to make a private key necessary to log in to your account... which, IMO, is overkill for a game. Of course, you also have to avoid bugs in your database system that completely circumvent the usual login procedure :)

Your post shows a complete lack of awareness of the history here--I think you are trolling.

Re:Uh (1)

Enahs (1606) | more than 13 years ago | (#537980)

/*
* 2000-09-29 07:28:04 Foresight Institute Using Slash for Nanotech Weblog (articles,science) (rejected)
* 2000-11-26 22:16:58 PCR with your G4 (articles,science) (rejected)
* 2000-11-28 03:54:25 Canada Reelects Liberal Party (articles,news) (rejected)
*/

Try those stories on kuro5hin. Duh.

It is dark. (5)

mwalker (66677) | more than 13 years ago | (#537992)


You appear to be in a cave. It is dark.
north
You go north.
You appear to be in a cave. It is dark.
You are likely to be eaten by a grue.

west
Sorry, you can't go that way.
north
You appear to be in a cave. It is dark.
cast create light
You fumble over the somatic gestures for create light
look
You appear to be in a cave. It is dark.
Someone says "0wn3d j00 d00d!"

cast detect in
Your eyes tingle.
3l33t d00d says "0xDEAD 0xFFFF 0xBEEF"
3l33t d00d casts Buffer Overflow
You have been killed!
Play again? (Y/n)?
N

Re:prosecute for what? (1)

gimpboy (34912) | more than 13 years ago | (#537996)

so let's say i put a double quote in a comment, and /. isn't equipped to handle it. next let's say it crashes their db server. and it takes them a day to fix it. in the process they lose $5000 in banner ads plus taco doesn't get to work on his arcade game. then they figure out it was me that put in the double quote. can they successfully sue me for damages?

use LaTeX? want an online reference manager that

Wow! (2)

taniwha (70410) | more than 13 years ago | (#537999)

The first online mass murders! (or is it mudderers?)

Feeding Frenzy (5)

carlfish (7229) | more than 13 years ago | (#538001)

From reading the comments posted so far, there's a long stream of "So what? Get a life!" posts. To see that sort of thing coming from slashdot readers has got to be the biggest case of "Pot. Kettle. Black" that I've seen in a long while. It seems that even amongst geeks, there continues to be the constant need to place yourself on the next social rung up from the person beside you - to take something that someone else enjoys, and say "Hey, you're just a nerd. You should be doing something cool instead."

I don't play Diablo myself. I didn't even particularly like nethack. But being the sort of person who can happily spend an entire weekend coding, I can understand people who give their spare time away to something they enjoy, and in which they find some kind of challenge and fulfilment. And to have some fuckwits come along and callously erase all that hard work is going to hurt a hell of a lot of people.

Human nature depresses me. I say we take off and nuke the site from orbit, it's the only way to be sure.

Charles Miller
--

Nelson said it best. (1)

expunged (30314) | more than 13 years ago | (#538002)

ha-ha! [cartoonsounds.com] .

Re:Something kind of Ironic (2)

Chester K (145560) | more than 13 years ago | (#538005)

From what I've read, the bug (Creating a character with the name of the one you want to hack, and retrying till the server barfs and accepts it) existed in EverQuest as well

No, EverQuest's character stealing bugs (which have been fixed for almost two years now) relied on extremely unusual situations and were hardly exploitable because of the rarity of their occurrence.

From what I've been reading, the Diablo2 bug can be easily reproduced. The competition ladders in Hardcore are a graveyard now. These are characters with hundreds of hours of play into them. I hope Blizzard kept backups. ;)

I don't mind (1)

piking (157151) | more than 13 years ago | (#538006)

Hopefully, I'm already dead.

ouch (2)

syrinx (106469) | more than 13 years ago | (#538008)

Certainly the idea of server-side characters is a good one. And I guess lasting half a year without any cheating incidents is pretty good, compared to most other online games.

But this really sucks. I know people who played solo Realm characters, despite the added lag (well, back when it came out anyway), just so they would not be accused of cheating if sometime they might want to play them multiplayer.

Obviously this needs to be addressed. How, though? Stronger encryption maybe?

(Hm, maybe it was a Y2K+1 bug.)

Re:The general flaw: server side data (5)

Azog (20907) | more than 13 years ago | (#538010)

No. No. No.

You can't store anything client side, because you cannot trust the clients. It doesn't matter how much encryption or checksums you have on the client - the bad guys have all the code on the client, and can reverse engineer it down to the metal if they have to. They can write proxies that pretend to be properly checksummed, and behind the scenes are doing whatever they want.

The real solution to problems like this is to store everything server side, have really comprehensive backups, and really good log files.
The server must only send the clients what they should be seeing, according to the game rules.

When someone breaks something, fix the bug, and then roll back the game state to where it was when the bugs were first exploited. With sufficient backups, even if the bad guys completely take over each server, recovery is possible.

Take down the servers, rebuild their software from scratch, fix the bugs, restore the data from backup, and you are back where you started before the exploit. Then use the log files to track the crackers and sue their asses.

Slashdot had a big discussion on this subject back when the GPL'ed version of Quake led to some people creating hacked clients that gave them more capabilities than they should have had (like being able to see through walls, etc.)

You can't trust the client. End of story.

Torrey Hoffman (Azog)

... or maybe not (1)

Len (89493) | more than 13 years ago | (#538013)

DiabloII.Net [diabloii.net] says that the "normal", not "hardcore", ladder was reset, which wouldn't help those permanently killed characters, and it didn't stop the problem anyway.
--

call me silly... (3)

gtx (204552) | more than 13 years ago | (#538019)

but maybe we're taking video games a bit too seriously...

My question - Will there be an official response? (5)

The Optimizer (14168) | more than 13 years ago | (#538020)

Setting aside my comments about not being too surprised (give enough users/hackers enough time and a juicy enough target/challenge) - my big question is this:

What, if anything, will Blizzard do in the form of an 'official response' that acknowledges the cheats and lets the online community know how it will be dealt with?

As fellow slashdotters probably remember, I wrote an article on online cheating last june that was printed in Game Developer and posted to gamasutra.com [gamasutra.com]

I asked people at several companies if they would talk about exploits that had occurred in their games. One of those requests went to Blizzard, asking if I could talk about what happened to Diablo 1. Now at that point in time (last spring), the cheats and exploits on Diablo 1 were well known and old news. Yet the response I got back from Blizzard was (this obviously is not the exact quote) "No - we can't talk about anything regarding any cheating on any of our games and if you did say something too specific we'd strongly discourage you as we might get mad". For the record, in the article, I discussed the various cheats in my own games (Age of Empires series) most of all.

Now, this was actually about par for the course - for every developer willing to talk, there were ten that were in public denial mode. And as you might have guessed, it's a peeve of mine. Wishful thinking won't make anything go away and it only can further hurt the honest players.

I do think the climate is shifting, and that users are becoming less tolerant of 'head in the sand' tactics by developers and publishers.

I'm waiting to see what happens next.

I'd ramble on, but I have to leave.

-Matt Pritchard

Re:My stuff got stolen too (1)

Caine (784) | more than 13 years ago | (#538022)

And maybe you should let people do what they want.

How to catch the Bad Guys (2)

shannara256 (262093) | more than 13 years ago | (#538024)

Are they going to start tracing IPs or something now? They got in trouble for collecting data from computers with bad CD-keys a while ago, and I doubt that they are eager to repeat that.

-Jason-

The crackers have no sympathy ... (3)

hoss10 (108367) | more than 13 years ago | (#538025)

Must have been like what John Malkovich felt like

-----

Ladder reset (2)

Anonymous Coward | more than 13 years ago | (#538026)

Ladder was reset :(

http://www.diabloii.net [diabloii.net]

We have received email after email from people reporting that their characters have been stripped of all their equipment, and many have been killed as well, costing experience, or in the case of Hardcore characters, permanent death. The USEast HC ladder is now a graveyard, with the top 15 or so dead, and we've heard from several of them, they were all alive, even sitting in chat when their chars suddenly turned to ghosts. There is no known way to prevent this, and if you want advice, I took every item off of my highest lvl HC char last night, and if she's dead next time I get on, I won't be surprised.

As for the ladder reset, it appears to have been undone on East, as there are numerous characters in the 90's. West already has characters in the 60's, and there are a bunch in the 50's on Europe, so either bugs are letting older chars on the ladder, or else a lot of people did some impossibly fast levelling in the past 9 hours. Happy New Year.

Re:not just you (1)

Enahs (1606) | more than 13 years ago | (#538036)

>2. Re-read my post. Note the title. Realise I was agreeing with you.

Perhaps, but it's hard to tell, as you expend most of your effort toward insulting the original poster.

Go away, troll.

Re:Security through Obscurity (2)

Chester K (145560) | more than 13 years ago | (#538039)

I guess this proves one thing: Obscurity is not a form of Security. Battle.net uses *obscurity* to implement its security. It seems to trust the client too much.

This doesn't prove that at all. What this proves is that your servers need to make damn sure that no one can create an account with the same name as an existing account.

There's no trust in the client here that's being exploited, it's a bug in their server software.

What's happening is this:

Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Uh, no.
Client: I want to make a character named 'Bob'.
Server: Okay. Here you go.
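
An added example, not from the thread or from Blizzard: the posts do not say why the server eventually answered "Okay", so this sketch assumes one common cause, a name check that treats a failed lookup as "name is free". It contrasts that fail-open handler with one that denies on any error and lets the database's uniqueness constraint decide; the table, account names and failure schedule are constructed.

```python
import sqlite3


class BackendError(Exception):
    """Constructed stand-in for a timeout or error from the character store."""


class FlakyStore:
    """In-memory character table whose lookups fail on a scripted schedule."""

    def __init__(self, fail_on_lookups=()):
        self.db = sqlite3.connect(":memory:")
        # PRIMARY KEY makes the database itself refuse a second row per name.
        self.db.execute(
            "CREATE TABLE characters (name TEXT PRIMARY KEY, owner TEXT NOT NULL)"
        )
        self.fail_on = set(fail_on_lookups)
        self.lookups = 0

    def owner_of(self, name):
        """Return the owning account, or None; raises on scheduled failures."""
        self.lookups += 1
        if self.lookups in self.fail_on:
            raise BackendError("lookup timed out")
        row = self.db.execute(
            "SELECT owner FROM characters WHERE name = ?", (name,)
        ).fetchone()
        return row[0] if row else None


def create_fail_open(store, account, name):
    """Assumed bug: check-then-write that reads a failed lookup as 'free'."""
    try:
        taken = store.owner_of(name) is not None
    except BackendError:
        taken = False  # an error is silently treated as "no such character"
    if taken:
        return "denied"
    # The write is an upsert, so it replaces the existing owner.
    store.db.execute(
        "INSERT OR REPLACE INTO characters VALUES (?, ?)", (name, account)
    )
    store.db.commit()
    return "created"


def create_fail_closed(store, account, name):
    """Deny on any error; the plain INSERT cannot overwrite an existing name."""
    try:
        if store.owner_of(name) is not None:
            return "denied"
        with store.db:  # commits on success, rolls back on error
            store.db.execute(
                "INSERT INTO characters VALUES (?, ?)", (name, account)
            )
    except (BackendError, sqlite3.IntegrityError):
        return "denied"
    return "created"


def run(create, attempts=6, fail_on_lookups=(6,)):
    """Replay the six-request exchange against a store where 'Bob' exists."""
    store = FlakyStore(fail_on_lookups)
    store.db.execute("INSERT INTO characters VALUES ('Bob', 'alice')")
    store.db.commit()
    answers = [create(store, "mallory", "Bob") for _ in range(attempts)]
    owner = store.db.execute(
        "SELECT owner FROM characters WHERE name = 'Bob'"
    ).fetchone()[0]
    return answers, owner


if __name__ == "__main__":
    for handler in (create_fail_open, create_fail_closed):
        print(handler.__name__, run(handler))
```

With the fail-open handler the sixth request succeeds and the character changes owner; with the fail-closed handler every request is denied and the owner is unchanged.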

Re:yeah, this is gonna get modded down, but... (1)

Sancho (17056) | more than 13 years ago | (#538040)

There's a distinct difference between q3a and Diablo2. In the former, you don't build up your character over time, and in the latter you do. Thus if you are killed in q3a, you may get another death on your record, but nothing else. In Diablo 2 (hardcore) if you die, you start over from the beginning, potentially losing hundreds of hours spent creating and building your character. I won't try to claim that the game is an RPG, in fact I hate it when it is called such. But there is a true loss of time and abilities when the character is killed off, so I think your comparison to q3a/ut is slightly off-kilter.

Re:good.. (1)

Zebbers (134389) | more than 13 years ago | (#538043)

that's what I was thinking...I can understand being upset and pissed for about 5 minutes. After that, get a fucking life.

I like muds and it always amazes me the amount of people who freak out over stuff...but...ITS A GAME. It's like the people that freak at sporting events, especially when the event is some littleass rec league or something...I mean..in the end, where's your life? You are spending it bitching at 2am because you lost a sword and your mudwife is leaving you for a troll? Wow.

And I like the people who try to write it off as roleplay. When you are spending more time roleplaying, than living a real life....what then is your life? And it's very easy to tell when people aren't rping characters and are just being crybabies in their basement.

Games are fun. And if you want to choose to spend your life playing them, then go for it. But in the end, they are still games. That next experience level might be what you worry about for a week, but it's all in your head ;)

Just like anything, it's all about moderation.

Diablo... (1)

AFCArchvile (221494) | more than 13 years ago | (#538044)

No forehead can contain him...

...but he can be hacked!

Can these folks move on?? (1)

httpoet (231453) | more than 13 years ago | (#538047)

Now that some guys' Diablo characters are dead, maybe they can go out and enjoy sunlight, talk to humans (who are not also playing Diablo), and generally help out the world...I dunno

Andy

I can't... (1)

SomeOtherGuy (179082) | more than 13 years ago | (#538049)

think of anything funny enough that would be a worthy response...However -- I bet we can keep our eyes on satire wire, bbspot, and segfault over the next few days for a few good laughs over this one.

not just you (1)

Anonymous Coward | more than 13 years ago | (#538053)

A verbatim quote from the GNUtard handbook.
Good job.

Security through Obscurity is a form of security, just not a reliable one. Zealots like you fail to understand that Opening code is not a magical security cure all. Repeating 'Security through Obscurity' like some sort of mantra does not protect you.

The real problem here is that Blizzard have been slow in fixing the issue. I hope they have backups and can simply 'roll-back' a few weeks, or however long is necessary, otherwise they'll have _zero_ credibility left. I certainly won't risk wasting my time playing their games online.

Re:Beware the closed source (1)

quantum pixie (266938) | more than 13 years ago | (#538059)

Good open source games are unhackable.

Unfortunately, it's because they don't exist. :(

Re:Blizzard may be taking action (1)

mayonaise (29272) | more than 13 years ago | (#538061)

That also shows that I don't know how to properly close anchors. =)

Re:Interesting... (3)

Gerad (86818) | more than 13 years ago | (#538062)

The bug (Which is unconfirmed, but 3-4 hours after GFrazier (Blizzard Staff Member) forwarded the bug to the dev team, the realms went down for maintenance, which is all the confirmation I need), operates off realm names, and has absolutely nothing to do with standard account names. So no, Starcraft, WC2BNE, and CD should be safe.

Not likely (1)

TheWhiteOtaku (266508) | more than 13 years ago | (#538077)

Blizzard? Keep backups? HAHAHAHAHA!

No seriously, they should, but I am skeptical of them having actually had the time to implement a backup system, since they spent so much time getting battle.net up AT ALL (am I the only one who remembers the five weeks shortly after release when it was nearly impossible to log onto battle.net?)

Unfortunately, Blizzard has little incentive to remedy the situation. Unlike a game like Everquest, where fraud is usually detected early and punished (emphasis on usually) Blizzard does not charge a monthly fee, so they have little to gain from their most loyal players leaving.

Sure, they lose $30 for each of these attacks they do nothing about, since it's one less expansion pack they sell, but unless the attack is of massive proportions (and it causes players to leave as well) Blizzard doesn't really care.

hmm... (1)

enrico_suave (179651) | more than 13 years ago | (#538078)

Isn't a person's D2 character kinda like their intellectual property (in a way)? I realise that supposed IP is created within Blizzard's universe and probably EULA'd away... but if you spent hundreds of hours developing a character, do you have any rights to it? Does it get protected as a pseudo property in any sense...?

More of a rambling than a coherent thought.

YMMV,

e.

Re:The general flaw: server side data (1)

Cuthalion (65550) | more than 13 years ago | (#538079)

You can't store anything client side, because you cannot trust the clients. It doesn't matter how much encryption or checksums you have on the client - the bad guys have all the code on the client, and can reverse engineer it down to the metal if they have to. They can write proxies that pretend to be properly checksummed, and behind the scenes are doing whatever they want.

That is false. Store the character on the client, and a checksum on the server. When you connect, send the character to the server (it has to know it anyways). If they don't match, you lose. If they do match, well it doesn't matter what you do from there since that's the character you're using, and now that you're playing the server can make sure it doesn't do anything funky!

A more appealing alternative is to keep an encrypted checksum on the client side rather than the server side. If you want to play on a different computer instead of moving the character file you need to move a checksum, which at least is smaller. If your desktop box gets hacked, then your diablo 2 character is compromised (assuming that there is not password authentication also), but that's doable anyways with keyboard sniffers and so on.
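
An added example, not part of any post in this thread, for the scheme rknop and Cuthalion describe: the character file lives on the client and the server authenticates it at login. It swaps the PGP-style signature for an HMAC under a server-held key (the server is the only verifier), and the key, account names and field names are constructed. It goes one step past the posts by showing that a valid tag alone does not stop an old save from being presented again after a hardcore death.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real server would load its key from a key store.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


class CharacterAuthority:
    """Server side: seals character files and tracks each one's latest version."""

    def __init__(self, key: bytes):
        self._key = key
        self._latest = {}  # (account, character name) -> last version issued

    def _tag(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def seal(self, account: str, character: dict) -> dict:
        """Issue a save: bump the version, bind it to the account, and MAC it."""
        ident = (account, character["name"])
        version = self._latest.get(ident, 0) + 1
        self._latest[ident] = version
        body = dict(character, account=account, version=version)
        # Canonical encoding so the same fields always produce the same bytes.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return {"payload": payload.decode(), "tag": self._tag(payload)}

    def verify(self, account: str, save: dict) -> str:
        """Check a save file presented by a client at login."""
        payload = save["payload"].encode()
        # Authenticate first; only parse bytes the server itself produced.
        if not hmac.compare_digest(self._tag(payload), save["tag"]):
            return "rejected: bad tag"
        body = json.loads(payload)
        if body["account"] != account:
            return "rejected: wrong account"
        # The tag proves the server once issued this save, not that it is
        # the newest one. Only server-side state can tell the two apart.
        if body["version"] != self._latest.get((account, body["name"])):
            return "rejected: stale version"
        return "accepted"


def demo() -> dict:
    """Walk one constructed hardcore character through four login attempts."""
    server = CharacterAuthority(SERVER_KEY)
    alive = server.seal(
        "alice", {"name": "Bob", "level": 12, "hardcore": True, "dead": False}
    )
    results = {"fresh": server.verify("alice", alive)}

    # Client edits the file without being able to recompute the tag.
    edited = dict(alive, payload=alive["payload"].replace('"level":12', '"level":99'))
    results["edited"] = server.verify("alice", edited)

    # A different account presents a copy of the unmodified file.
    results["other_account"] = server.verify("mallory", alive)

    # The character dies and the server issues a new save recording it.
    dead = server.seal(
        "alice", {"name": "Bob", "level": 12, "hardcore": True, "dead": True}
    )
    results["after_death"] = server.verify("alice", dead)

    # The owner presents the earlier, correctly tagged save again.
    results["replayed_old"] = server.verify("alice", alive)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14} {verdict}")
```

The per-character version the server keeps is the small piece of server-side state that the tag cannot replace.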

isn't it interesting.. (1)

theeds (300421) | more than 13 years ago | (#538083)

that people honestly thought that bnet's servers would remain "unhacked" throughout their existence. Give me a break.

illegal? (5)

hugg (22953) | more than 13 years ago | (#538084)

So is this an example of a prosecutable hacking offense? Or is it just a different way of playing the game? Be kinda weird if Quake bot authors started disappearing under vague circumstances...

Re:Oh please (2)

quantum pixie (266938) | more than 13 years ago | (#538086)

Hush you. I'm in tears over this, and I've never even played Diablo 2.

Re:My stuff got stolen too (1)

Maurice (114520) | more than 13 years ago | (#538088)

Amazing, given that Diablo 2 has been out for less than 9 months. You working 30 hours/day or something?

Re:ouch (5)

Sancho (17056) | more than 13 years ago | (#538089)

Hmm... didn't MEAN to post anonymously...

And I guess lasting half a year without any cheating incidents is pretty good, compared to most other online games.

But there were other "cheating" incidents. Two major ones come to mind. In the first, characters were able to go "hostile" on another character from anywhere in the game. Normally you can only go hostile on another character if you are in town (where you can't attack) thus preventing a quick hostility + attack to surprise kill players.

The second hack increased running/walking speed tremendously by exploiting a feature in the game's frame rate code. This in general was not a major problem until people used it to go hostile in town and then run and kill someone.

The problem with the new hack is that it's not done in-game. The "hack" is just a bug in the server code that lets a player jump into another player's character, then join games and play as that character without ever typing in a password. At first all that happened was that characters were losing all their items (read a few threads at the lurker lounge or in the forums of www.diabloii.net [diabloii.net] ) but then characters started dying. That's when the REAL uproar happened.

Frankly this disgusts me. It's one thing to use legitimate, in game features to attack, kill and steal, it's quite another to exploit a bug to do it covertly. And don't expect Blizzard to do anything about it, there have been lots of scamming and other Bad Things (tm) going on for awhile now, and even though they *could* disable specific CD keys from Battle.net, they apparently refuse to do so.

Stronger encryption isn't the answer either, incidentally, since it's a bug in the server code (or, so says the forums).

Re:not just you (1)

gimpboy (34912) | more than 13 years ago | (#538090)

depending on the system a roll back might not be that difficult/expensive. this whole situation is going to be expensive for them regardless-i'm sure the users that were killed off are pretty pissed right now.

as for people who bought items for real money. come on it's a game-these people have more money than sense. they will probably get pissed and go buy the stuff again on ebay. don't waste your money on the shielded schlong of power-donate it to the march of dimes or some other worthy charity.

use LaTeX? want an online reference manager that

Re:ouch (1)

Sancho (17056) | more than 13 years ago | (#538091)

I wasn't logged in. *shrug*

I'd gladly have retracted my version of the AC post if it was possible.

Re:Beware the closed source (1)

hammock (247755) | more than 13 years ago | (#538092)

http://quakeforge.net [quakeforge.net]

QuakeForge is a 3D graphics game engine based on id Software's legendary Quake and QuakeWorld game engine. Our purpose? To improve the state of the game by improving the engine and making it accessible to the largest number of players we can.

Quake 1 was GPL'd by Carmack himself.

Dumb Game Anyway (1)

TheWhiteOtaku (266508) | more than 13 years ago | (#538098)

In a way isn't this sort of better for the poor nerds who had previously spent thousands of hours away from society building up their characters? I mean, some fresh air and real social interaction could do them good.

Re:The general flaw: server side data (4)

YU Nicks NE Way (129084) | more than 13 years ago | (#538100)

Actually, server side data is probably a good deal more secure than any data you can store on your machine. As SuiteSisterMary [slashdot.org] pointed out [slashdot.org] last week, in a discussion of the recent Microsoft hack, ease of use is inversely proportional to functional security. It's not easy to secure a server, of course, but it is a great deal easier to secure a server than it is to secure a device that has to give users face time. Your computer at home or at your office is certainly less secure than any server at, say, Microsoft, Red Hat, or Sun -- you depend on security through obscurity to hope that it doesn't get attacked. They don't.

And keep in mind that an attack can consist of something as crude as stealing a whole computer, lock, stock, and barrel. That's a lot more efficient than working across the network, believe it or not. I can't speak for all corporations, but most majors have their key servers in rooms with alarms and/or armed guards. I'll bet that your backups aren't stored in such safe conditions.

This is the same fallacy that leads people to be scared while the plane is landing, and then be blase when they pull out onto the freeway. Guess which of those is more dangerous?

Clarification to prior comments (2)

The Optimizer (14168) | more than 13 years ago | (#538103)

A couple of people have taken my prior post to mean that I actively dislike Blizzard, and that just isn't true.

When I said I had a big question, I meant just that - it is a Question that interests me.

Blizzard can fix this particular problem independent from having to acknowledge publicly that it was hacked and players were damaged. So the question remains: Will they say something they don't have to?

I find it interesting because of all the factors involved (installed base of game, popularity, striking at top (most time invested) players, etc) and am curious as to how it will play out.

Personally, most of the guys at Blizzard I've met in person are pretty cool, and some of them wanted to talk about specific things that happened to D1. (BTW: What I asked them was to discuss the technicals on a problem they had already fixed so both the problem and a solution could be presented - Thus educating other developers while not putting the current D1 player base in any possible harm - The guys in the trenches were cool with it, but when they ran it up the chain of command is when it hit the snag)

I do stand up for my personal belief that failure to disclose successful cheats is not the best thing to do. The developers and publishers do not have exclusive control of the flow of information about their games (/shudders at the thought) and therefore run a considerable risk of being cast in a bad light and upsetting the people who are, after all, their paying customers when an exploit becomes well known (or posted to /. ;-) I do believe that acknowledging problems and telling people what is being done to fix them is a better way to service your online community, and has fewer downsides.

I regret any confusion my prior comments may have caused.

-Matt Pritchard

Stupid (1)

whodi (254745) | more than 13 years ago | (#538104)

A community in a state of shock because some characters have been hacked! Oh my God! That's worse than the president being assassinated.

Nerds, seriously, get a life, there's more important things than that crap.

Screw online, just play alone or w/ friends. (4)

Lurking_Saint (239626) | more than 13 years ago | (#538105)

As if there wasn't enough about b-net to be pissed over already.

This is just UO-"Death of Lord British" all over again. Yet another blow to online gaming. How many more companies are gonna step up and offer this for free if this keeps up? And, boy, wasn't UO a colossal rip-off anyway? You pretty much HAD to treat it like a job to get your damn money's worth out of that dog. I'm glad that no one else has attempted to put out a purely ol game since.

We now have one more example of why parents should just buy their snotty little brats consoles instead of P5s. Better yet, just buy them a pack of playing cards and watch them crow about their superiority through cheating at solitaire.

My real point is that I don't play with anyone online anymore. It's ALWAYS a fucking mistake and a bad return on the investment(time/money/stress). It's been proven on every ol game that unless you have someone supporting you so you can play 16 hours a day, you might as well forget having fun with anyone you don't personally know. Unless you can track someone down and kick their ass physically as a means of enforcement, there is nothing preventing them from using any number of means to thumb the scales.

Actually, I've found that even hacks don't need to be employed. All you really need is Google and the time and seediness to want to learn the bunny-strafe or the x-unit rush or the gold-multiplier exploit or the mystery-vertex-glitch camping spot. And if your opponent is just up for casual play, well, he wanted to be meat. If he was serious, he'd be scouring the web as well. Since when did I need to be serious about a fucking game?

And ol guilds as a response/defense is specious at best, due to its status as more of a symptom of the disease rather than anything close to a cure. I bet T-cells in an AIDS victim have similar conversation threads as the PKK-guilds and whatnot.

Realms was a puss-ass attempt at a gated community, anyway. Well, freaks can still ride in through the front gate if they are in the parent's back seat. Or if they're employed by the residents. Or if they just plain have the time/energy/malicious boredom.

Of course Blizzard hasn't said anything. This activity negates one of the promises that made me even buy their software. They can't respond until they can close the hole. And they won't be able to close the hole for a good while(the next 12 hours would qualify as that). Anyone want to lay money on the security of their CD-key system now? Anyone want to lay money on whether the crackers were using valid CDs?

In any case, this is one more reason why I don't factor online play into any of my game purchases anymore.
ol != fun^sum(players)

Re:not just you (1)

Sancho (17056) | more than 13 years ago | (#538106)

Oh don't get me wrong, buying stuff like this is kinda crazy. But if they have the money and nothing else to spend it on, they should be able to, and they shouldn't have to worry about Blizzard rolling back the clock and causing problems like this.

A lot more people were not affected by this than were, there's no reason to cause them problems just to "make it right."

As for doing it character by character... There was a bug awhile back that was considerably less widespread than this one that caused characters to be deleted completely. Blizzard would restore them for you if you email the account name, realm and character name. Unfortunately you were in for about a 2-3 week wait per character.

How to prevent, blizzard response, etc (2)

MattW (97290) | more than 13 years ago | (#538107)

First, for those who play and haven't heard: your best defense is to make a new mule character, with a non-guessable but not obvious name. (don't use the name jwiefiasjda, because ppl can see you entering and leaving chat, and that name is a giveaway). Mule your equipment over to that character.

What's insane is that blizzard took the Realms down last night for 'emergency maintenance'. After a couple hours, they came back up, with no mention of the reason they were down or mention of a fix. A lot of people mistakenly thought things were repaired -- and paid the penalty. What we can't figure out: why haven't they said ANYTHING? Why not just shut the realms off? Or say ahead of time: all characters will be rolled back until as of now, so you can play, but it will be rolled back, along with all the thefts. Only Blizzard knows what's going through their heads, and they aren't saying.

I have one friend who makes $2500-$3000 systematically acquiring, trading, and selling on ebay the best items you can get in the game. He anticipates his income will be devastated by this incident, because people used to trust that their stuff would remain their stuff -- and now, who could trust the realms?

Re:not just you (1)

verbatim (18390) | more than 13 years ago | (#538108)

I see why you remained anonymous.

I said: when it's closed you attract hackers and crackers and when it's open you attract script kiddies. Either way we, the end users, get fsck'd.

Never did I say "If Blizzard went open source, this never would have happened."

Grow a brain.

Re:not just you (1)

gimpboy (34912) | more than 13 years ago | (#538109)

Oh don't get me wrong, buying stuff like this is kinda crazy. But if they have the money and nothing else to spend it on, they should be able to, and they shouldn't have to worry about Blizzard rolling back the clock and causing problems like this.

i don't play this but i have friends who do. i believe they told me blizzard didn't approve of selling your stuff in the real world.

until the cure for cancer is found and starvation is nipped in the butt there will always be better things to spend your money on. i'm not one of those tree hugging hippies, but i'm pretty realistic. if someone wants to spend their money on a 3 nippled midget to follow them around in a video game then more power to them. i just find it depressing.

use LaTeX? want an online reference manager that

Re:Screw online, just play alone or w/ friends. (1)

Loligo (12021) | more than 13 years ago | (#538110)

>This is just UO-"Death of Lord British" all over again.

To be fair, the Death of Lord British at the town meeting was caused by a UO employee not resetting his invulnerability flag - hardly a hack.

-LjM

Re:Maybe it's a good thing... (2)

SuiteSisterMary (123932) | more than 13 years ago | (#538113)

Maybe even do something productive.
Childish snipes on a message board being an example of something productive?

As we all knew... (1)

loren (2875) | more than 13 years ago | (#538118)

..."Security by obscurity" wins again...
NOT!

Re:Dumb Game Anyway (1)

dangermouse (2242) | more than 13 years ago | (#538127)

This from a guy named "Otaku"? Get real.

Wow, who didn't see this coming... (5)

Dark Nexus (172808) | more than 13 years ago | (#538128)

I can't remember how many months I spent before the release of Diablo II trying to tell people that the realms didn't make it hack-proof, just harder to hack. Saying it was hack-proof was inviting trouble.

The only computer that can't be hacked over the internet is a computer that can't be accessed over the internet.

Dark Nexus

Re:Beware the closed source (1)

Schnedt Microne (264752) | more than 13 years ago | (#538130)

Right. If it were Open Source, it would have been destroyed the way online play in Quake I was destroyed, after it was Open Sourced.

Re:cool (1)

Anonymous Coward | more than 13 years ago | (#538132)

Yes. I wasn't kissing or fucking anyone, but at least I was getting drunk and not just sitting on my computer.

Re:The general flaw: server side data (1)

n2143666 (266255) | more than 13 years ago | (#538134)

Yes, I think a client-side checksum, preferably digitally signed by the server, would be a good idea. Without knowing the flaw the crackers used, I couldn't say that this would have stopped them. However assuming that there were no backdoors in the protocol/implementation or glaring flaws, this would be a good way to check that the person logging in is really the person that owns the character. If a similar idea is good enough for most banks, then it should be plenty good for a gaming server.

Re:not just you (1)

Asgard (60200) | more than 13 years ago | (#538137)

It seems that they could create a webpage where one enters those three datums and have your character restored, which balances the needs of the people who don't want to be restored and the people who do.

NOOOOOOOOOOOOOOOOOOO (1)

dashmaul (108555) | more than 13 years ago | (#538139)

Ever hear of open battle.net? The info is stored client side. Guess what: the level of hacking is unbelievable.

Re:prosecute for what? (2)

mattmcp (81328) | more than 13 years ago | (#538140)

There were dates to pass up?

Re:not just you (1)

Sancho (17056) | more than 13 years ago | (#538141)

You're kidding, right? Roll back a few weeks? If they try to do this on a character by character basis, they're going to take forever to do it and waste tons of man-hours and money. If they do it overall, they're going to have a LOT of pissed off users who advanced their characters over the past few weeks. Not to mention people who bought items for real money having problems....

Re:Security through Obscurity (2)

Sancho (17056) | more than 13 years ago | (#538142)

Battle.net uses *obscurity* to implement its security. It seems to trust the client too much. Worse yet it seems that a simple logic flaw has cost Blizzard its reputation.

I disagree here. Have you played the game? You can't do anything in the game without the client asking the server to make sure it's ok. It's probably the single biggest reason lag is a problem in the game. You can't even pick up an object from your inventory without asking the server if it's ok (and you can't drop it either, making for problems if you're holding an item and need to run away quickly).

As far as how they implement their security... what, by having it closed source? There are other closed-source forms of security, would you call those "obscurity"? This is a bug in the battlenet servers. It could be corrected client-side by making a check, although that could probably be hacked to change it back. It *should* be correctable on the server side, but they haven't done it yet.

Re:Uh (1)

Rickboy (300434) | more than 13 years ago | (#538143)

Gee, let me take a "stab in the dark"....I think that someone who spent hours upon hours of their spare time getting their character to such a level would care that the character was killed off. Why even bother to reply if you don't care?

How will this affect other MMP games? (2)

Doomsdaisy (90430) | more than 13 years ago | (#538144)

Since the net-enabled multiplayer games seem to be becoming the norm for most RPG and strategy types of games, do you think that there will ever be a way to make a game completely safe? For example: Neverwinter Nights will be using two methods of character storage: one will be to store characters locally on the 'DMs' computer (i.e. the computer that is hosting the game, since in NWN anybody can set up a server), the other will be the official 'character vault' where people check out their characters and take them to whatever server they're playing before checking them back in. It would seem that between these two storage methods, the kind of abuse that is plaguing Diablo II would have a much reduced effect since people's characters would be distributed over the entire net. If you haven't been keeping up with NWN and their character vault concept, check out http://www.planetneverwinter.com

Re:call me silly... (1)

stixman (119688) | more than 13 years ago | (#538145)

If I understand what actually happened correctly, then these guys did not do anything illegal. I'm sorry if Diablo II is your life and you've spent hours/day to get where you were, only to have your precious things 'stolen' and your characters 'murdered'.

Maybe now you'll do something better with your time.
===================

Re:Stupid (1)

dgris (454) | more than 13 years ago | (#538146)

Imagine it this way--how would you feel if someone guessed your slashdot password, logged in as you, and posted a whole bunch of insightful comments. You'd be pissed, especially when none of your troll friends would talk to your karma-whoring self anymore and you were left to a life of loneliness and misery.

daniel

prosecute for what? (5)

Sabalon (1684) | more than 13 years ago | (#538147)

criminally prosecute the perpetrators.

I'll admit I don't know what you have to agree to when you play on battle.Net, but I can just see the case:

Prosecutor:
Your honor, the defendant killed off a top 10 hardcore character after stealing a Bow of Major Virtue from him. He created a character by the name of Pokedin, who he obviously should have known was a high-level character's name, and tried to connect with this character name until he got in. After he connected, he then allowed this character to be killed. Since our client was playing a hardcore realm character, he could then not reconnect as his character. We are suing for lost time my client spent building this character up, damages in the amount of 834,342 gold pieces, one pair of Plate Boots with +40 to mana, and three dates he passed on to play the game.

Yeah...it sucks, but I doubt it'd fly.

Re:ouch (1)

rknop (240417) | more than 13 years ago | (#538148)

Actually, I'm not so sure that the idea of server side characters is a good one. What would be better is client-side characters, with server side checksums (using a strong checksum like md5) to prevent client-side cheating. That model would have prevented the sort of meddling we're seeing here.

I hope that the world also makes the connection between what happened here and the prospects for systems like .NET. Store all my documents on a central server, however well it claims to be protected? No thank you!

-Rob

Re:How will this affect other MMP games? (1)

piku (161975) | more than 13 years ago | (#538149)

That checking in thing probably won't work. Any second your character isn't controlled by their servers is a second it could be hacked.

You check out a level 1 character and check in a level 50...

We know when this started, right? (2)

evanbd (210358) | more than 13 years ago | (#538154)

So doesn't Blizzard keep backups? it seems to me they should fix the hole, restore the backups, and criminally prosecute the perpetrators. I can't imagine they aren't guilty of unauthorized computer access or whatever its called. I also can't imagine that Blizzard doesn't have good log files.

CmdrTaco/blackmail (1)

Krakus Irus (149295) | more than 13 years ago | (#538158)

Let me post a story or I kill your perso :-). New kind of blackmail !

Interesting... (2)

hunnr (157273) | more than 13 years ago | (#538165)

Does this bug have any relevance to other Blizzard games? (could it be used to hack starcraft, etc, accounts too?)

You would think blizzard would have some sort of database backup that they could recover for this type of event. They have so much riding on the information, it would seems silly to only have one copy.

Re:good.. (2)

Sandor at the Zoo (98013) | more than 13 years ago | (#538169)

that's what I was thinking...I can understand being upset and pissed for about 5 minutes. After that, get a fucking life.

So, you are the arbitrator of how people should spend their time, and you've decided that playing Diablo 2 isn't an approved activity?

I agree that some people go way overboard with some games, but that's their right.

Clearly, everyone should be playing Unreal Tournament.

Re:How will this affect other MMP games? (1)

Cirvam (216911) | more than 13 years ago | (#538170)

They check for reasonable gains, i.e. if you check out at level 1 and check back in at 50 in an hour then they will know something is up

Re:The general flaw: server side data (1)

n2143666 (266255) | more than 13 years ago | (#538171)

"I can't speak for all corporations, but most majors have their key servers in rooms with alarms and/or armed guards. I'll bet that your backups aren't stored in such safe conditions."

Yes but a corporation is a much more juicy target, since it is a collection of many individuals' information. It is still more likely statistically speaking for a corporation to lose data than for an individual. Remember the bigger the data store, the juicier the target. So what if they can't get past network or physical security, in a company of large size, there's always someone over-worked, under-paid and under-appreciated who has access to that data, and who might be encouraged to divulge that information to a third party if the correct cash incentive is used.

The general flaw: server side data (2)

rknop (240417) | more than 13 years ago | (#538172)

I think that calling this Apocalypse for loss of game characters may be a bit alarmist.... However, there are lessons to be learned here for people doing actual *work* on the internet.

The basic flaw here is that the characters are all stored on the server. I don't care how good your crypto is, one day somebody will find a bug and figure out how to exploit it.

The damage may be mitigated if Blizzard had good backups. One can only hope.

However, the hack would have been made a lot harder in the first place if the characters were *not* stored server side. Store them client side, with a checksum stored server side to prevent client side cheating. Yeah, somebody may still figure out how to delete your server-side checksum, but they won't be able to muck with your data as much that way. And, if you use public key crypto, the "checksum" stored server side may be something that never needs to get sent anywhere but the server, making the thing intrinsically harder to hack.

There is a serious lesson here for systems like .NET. No matter how good the people running the server assert that their security is, you're asking for trouble by storing your data on a centralized server rather than on your own machine. I for one plan never fully to go to what is being touted as "the next platform". Some stuff I'll keep on servers, but I'm going to keep local backups on my *own* machine (and my own tapes), and I'm going to keep the documents I care more about on my own machine. Then I only have to worry about the security of just my machine, not some central server that's designed to be accessed by many people from many places.

-Rob

You wouldn't have to trust the clients (2)

roystgnr (4015) | more than 13 years ago | (#538173)

Wow... Two score:4 posts in a row with fundamental misunderstandings. There's the main problem with Slashdot moderation: it's easier to sound correct than to be correct.

Azog: If you have a proper one way hash function doing the server-side checksum, you don't *have* to trust the client. You have the client send you all its character data, and if the checksum of the client data doesn't match the stored checksum, you don't allow that character to play. Perhaps rknop was misleading in his use of the word "checksum" (since a real checksum would make it easy to generate an upgraded character profile with the same checksum), but his mention of public key crypto should have made it clear that he was talking about a 1-way hash function, which would make client cheating as difficult as faking a PGP signature.

rknop: Except for saving disk space (reducing the amount of server-side data that must be stored while the client is disconnected), what problems would storing a hash of the character data instead of the whole data solve? If someone hasn't hacked your server, they can't change the server-side character data. If someone has read/write access to your server, then they can read your hash function, calculate a hash of their own altered character data, then write that new hash. It would make altering a character more tedious, but not more difficult.

The Craven (5)

Psibolt (300435) | more than 13 years ago | (#538174)

(with Apologies to Edgar Allan Poe)

Once upon a millennium dreary, while I pk'd, weak and weary,
Over many a faint and furious game of DiabloII,
While I killed 'em, eliciting yapping, suddenly there came a hacking,
As of some one gently a-hacking, hacking at my character's door.
"'Tis some rapist," I muttered, "hacking at my character's door-
Blizzard: "Only a ladder quirk, and nothing more."

Ah, distinctly I remember it was in the bleak December,
And each separate dying hardcore wrought its ghost upon the floor.
Eagerly I chugged a bull;- vainly I had sought to mule
From my PC internet of lust- all my items turned to dust-
For the rare and radiant things with my Amazon bonded-
All were quickly by evil absconded!

And the anguished cries of all those that died & lost sweet things
Saddened me- maddened me with fantastic terrors never felt before;
So that now, to still the beating of my heart, I stood repeating,
"'Tis some hacker entreating entrance at my character's door-
Some late hacker entreating entrance at my character's door;-
Blizzard: "Only a ladder quirk, and nothing more."

Presently my soul grew stronger; fervently I sought of Schlonglor,
"Boy," said I, "or Madam, truly your assistance I implore;
But the fact is I was napping, and so gently it came a-hacking,
And so faintly it came a-hacking, hacking at my character's door,
That I scarce was sure I heard you"- here you (Blizzard) opened wide the door;-
Schlonglor replied, "Deal with it!".

Deep into that toilet peeing, long I stood there wondering, fearing,
Doubting, dreaming dreams no heroes ever dared to dream before;
But the silence was unbroken, and from Blizzard came no token,
And no word there spoken, all my characters lay dead & broken
Blizzard: "Only a ladder quirk, and nothing more."

Back into Bnet a-turning, all my soul within me burning,
Soon again I heard a hacking somewhat louder than before.
"Surely," said I, "surely that is something at my windows 98 Reg?:

Let me see, then, what the threat is, and this mystery explore-
Let my heart be still a moment and this mystery explore;-
Blizzard: "Only a ladder quirk, and nothing more."

Open here I flung the shutter, when, with many a flirt and flutter,
In there stepped a stately Craven of the saintly days of yore;
Not the least obeisance made he; not a minute stopped or stayed he;
But, with mien of lord or lady, perched above my character's door-
Perched upon a bust of Diablo just above my character's door-
Perched, and sat, and nothing more.

Then this ebony turd beguiling my sad fancy into smiling,
By the grave and stern decorum of the countenance it wore.
"Though my character be shorn and shaven",
Thou I said, "art surely a Craven,
Ghastly grim and ancient craven wandering from the Nightly shore-
Tell me what thy lordly name is on the Night's Millennium shore!"

Quoth the Craven, "You've been jacked, w h o r e."

Pay closer attention (2)

rknop (240417) | more than 13 years ago | (#538175)

Your post shows a complete lack of awareness of the history here--I think you are trolling.

I'm not trolling at all. And, yes, I'm unaware of the history. And, no, you didn't understand what I said. Obviously, the client-side character in D1 was implemented poorly, from what you say. Obviously the D2 server-side character was implemented poorly, from the original news story. From just that alone, it's not obvious that one or the other is better. But I still believe that a client-stored character is safer.

Obviously, yes, it's really easy to have data stored on the clients in a manner that makes it too easy to cheat. Think it through; what I was in fact proposing was a checksum which uses public key cryptography to authenticate itself. It's not that big a deal to make a private/public key; it can be an internal part of the program, and the user never has to know it is happening. All the keys can be stored internally to the client data. I don't see why this is overkill for a game, any more than getting the fastest CPU out there is overkill for a game. It's just using technology to help enhance the gameplay.

Basically, the server could authenticate the character exactly the same way that you authenticate digitally signed PGP messages. Digitally signed PGP messages store a checksum. The message can go anywhere, but people can check that the message fits the checksum. This isn't just obfuscation at all.

Changes to the character have to be approved by the server, but the characters then don't need to be *stored* on the server. The server just needs information to be sure that when a character comes back, it's an approved character. Digital signatures with decent public key cryptography serve this need to a T.

If the character data is on the server, then people who hack the server can muck with it. It probably could be done better, again using some sort of public-key cryptography. However, if the character data is on the client side, then somebody has to hack your client to screw with your character. Yes, it can happen, but it's less likely that we'll see the kind of wholesale hacking we're seeing here. If the server has decent authentication of the client's character, then that prevents you from cheating by modifying your character offline and coming in with an upgraded character.

-Rob
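The client-stored character with a server-side check, as debated in roystgnr's and rknop's comments above, sketched as an added example that is not part of either post or of any Blizzard code. It assumes a hypothetical `RealmServer`, a constructed key and character, and uses an HMAC in place of the public-key signature rknop describes, since here the server both issues and verifies the tag; it also goes one step beyond the thread by showing that a valid tag alone still accepts an old save, which the server-stored hash of the latest state catches.

```python
import hashlib
import hmac
import json

# Constructed demo key; in this sketch it exists only on the server.
SERVER_KEY = b"constructed-demo-key"


def canonical(character):
    """Serialize a character deterministically so equal data gives equal bytes."""
    return json.dumps(character, sort_keys=True, separators=(",", ":")).encode()


def additive_checksum(blob):
    """A plain checksum: an order-insensitive byte sum, easy to preserve."""
    return sum(blob) % 65536


class RealmServer:
    """Hypothetical server that approves character states without storing them."""

    def __init__(self, key):
        self._key = key
        self._latest = {}  # character name -> SHA-256 of the last approved state

    def _tag(self, blob):
        # Keyed one-way function: cannot be recomputed without the server key.
        return hmac.new(self._key, blob, hashlib.sha256).hexdigest()

    def approve(self, character):
        """Record the approved state and hand the client a save file to keep."""
        blob = canonical(character)
        self._latest[character["name"]] = hashlib.sha256(blob).hexdigest()
        return {"blob": blob.decode(), "tag": self._tag(blob)}

    def verify_tag_only(self, save):
        """Stateless check: was this exact blob ever approved by the server?"""
        return hmac.compare_digest(self._tag(save["blob"].encode()), save["tag"])

    def verify_latest(self, save):
        """Stateful check: is this blob the most recently approved state?"""
        if not self.verify_tag_only(save):
            return False
        blob = save["blob"].encode()
        name = json.loads(blob)["name"]
        expected = self._latest.get(name, "")
        return hmac.compare_digest(expected, hashlib.sha256(blob).hexdigest())


def demo():
    server = RealmServer(SERVER_KEY)
    # Constructed character: approved alive, then approved again after dying.
    old_save = server.approve({"name": "Constructed", "level": 19, "dead": False})
    new_save = server.approve({"name": "Constructed", "level": 19, "dead": True})

    # Offline edit of the client copy: level 19 -> 91 reuses the same bytes,
    # so the additive checksum does not change, but the keyed tag does.
    forged_blob = old_save["blob"].replace('"level":19', '"level":91')
    forged = {"blob": forged_blob, "tag": old_save["tag"]}

    return {
        "weak_checksum_fooled": additive_checksum(forged_blob.encode())
        == additive_checksum(old_save["blob"].encode()),
        "forged_tag_ok": server.verify_tag_only(forged),
        "stale_tag_ok": server.verify_tag_only(old_save),
        "stale_latest_ok": server.verify_latest(old_save),
        "current_latest_ok": server.verify_latest(new_save),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Neither check helps against someone who can write to the server, which is roystgnr's objection: with that access the key and the stored hashes can be replaced along with the data.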

Re:call me silly... (1)

anderman (242958) | more than 13 years ago | (#538178)

Umm bobo, Hacking into people's system is a crime. Maybe now you'll do something better with your time, like use your brain?

Something kind of Ironic (5)

Gerad (86818) | more than 13 years ago | (#538186)

From what I've read, the bug (Creating a character with the name of the one you want to hack, and retrying till the server barfs and accepts it) existed in EverQuest as well, and caused some pretty severe problems till it was fixed. The difference is the bug in EQ was identified and closed in a matter of days (hours? I can't remember) after it began, not weeks like the D2 stuff's been going on for. You would think with all their commitment to hack-proofing the realms, as they have said, Blizzard would at least have checked how other MMORPGs were exploited in the past and made sure they weren't vulnerable to similar bugs.

Re:We know when this started, right? (2)

Wire Tap (61370) | more than 13 years ago | (#538190)

Maybe in their hubris of thinking that their servers were unhackable they lacked the foresight to have backups of the characters and *really* good log files. Talk about putting one's foot in one's mouth. It happens to so many people/companies..... get really good in one area, and let all the others wane. Shame.

good.. (3)

AlbanySux (248858) | more than 13 years ago | (#538192)

now these top players can leave their basements and return to reality a bit more often. maybe, go to work, see their families and "live" friends.. hell maybe they could even go outside.. but that's not going to happen, they will chain themselves to their boxes and play 24/7 until they regain their position...

This brings up another issue (1)

Kancer (61362) | more than 13 years ago | (#538193)

I'm not going to rant about what I think about this other than I saw it coming a mile away. But I am going to say this. This brings up the issue when items are actually being sold in meat space for real currency these companies, in this case Blizzard, have to take action on these issues and beef up security. Do the prices on certain auction sites drop for specialty items now? -Kris