Hell is not frozen yet! (Diablo 3)

Yeah right, because editors from gaming sites that suffered from this item-loss are all lying. Not that they say they have been hacked ... but it is rather obvious that something is smelling fishy here. As said. It could be a hard to fix/find loophole. And it would not be the first time in gaming history where a gaming site/software developer had to deal with such loopholes that are hard to find and fix.

Makagulfazel said:
Next, you guys should go bitch on MMO forums about the "always-online DRM" requirement. Have fun asserting your hearsay-derived hacking theories in the meantime, though.
Maka I like you, but stop ... posting that. It does not really show any intellect.

We are not bitching here about an "MMO" the last time I heard Diablo 3 was some kind of Singleplayer game with Coop mode/multiplayer. If you think to be online all the time and expose some part of your player base to the risk (even if it is just assumption) is right, so be it. But some of us think that you should at least always have the option to play offline if you want so because then there is NO risk of losing any items. Be it your fault or not. And I doubt it would have been any problem to make single play and online play SEPARATE worlds.

I think one of the argument for this always-online crap was that Diablo would be "more secure". More secure? My ass.

You want the reality? People still get equipment which they don't own rightfully (just like in Diablo 2) whatever because of stupid users or loopholes in the system which they now can even sell to players thx to the auction house. And now Blizzard can even earn money on that. Is this the future? Screw them all then. This kind of gaming is really lost for me then. If this is the alternative to how it worked in Diablo 2 then they can keep it for all I care.
 
Makagulfazel said:
Next, you guys should go bitch on MMO forums about the "always-online DRM" requirement.

MMOs aren't single-player games.

This is exactly what I was afraid of happening. Valve, by being so cuddly and heroes of PC, managed to normalize online-validation DRM in the form of Steam. Now Blizzard is making the big push to normalize always-only DRM and the fanboys are just jumping to their defense. EA, Ubisoft, etc, they're all overjoyed to see this.

The consumer is losing, and what's worse is that they're losing to the consumer.
 
*sigh*

I'm sure they're not lying. But what they are doing is putting the blame squarely on Blizzard's shoulders without a speck of proof because...
The percentage affected is minuscule. People that have claimed they had had authenticators have been caught in a lie. Blizzard has responded saying that acquiring session IDs should be impossible. Yet.. YET, more people are still relying on hearsay. And the snowball keeps rolling.
Did Sony fuck up big time? Yes, proving corporations might be lax enough to not encrypt user data. Do we have anything other than assumptions right now? No. I know you're all butthurt about the DRM scheme, but that doesn't prove a single.fucking.thing. Dig it?

EDIT:
Just to throw this in here, but I agree on the DRM. They should've added a single player option out of consumer courtesy, that didn't have ANY access to online features (auction house, friends, etc.) That way, people could play by themselves without any worry of anyone wanting to steal their items. Also, people that find cheating enjoyable could've gotten their fix. BUT, I still am giving the benefit of the doubt to Blizzard on the hacked/phished accounts.

Edited again due to crappy sentence flow.
 
Makagulfazel said:
I'm sure they're not lying. But what they are doing is putting the blame squarely on Blizzard's shoulders without a speck of proof because...

...What? Yeah, if you're working on a clean computer with a unique password and you still lose access, the simplest answer is "there's a security problem".

We don't *know* anything, but the most likely answer is there's some kind of security issue. A lot of evidence points to it. Why deny it? Security issues happen, it's a likely explanation here, what's your rationale for refusing to acknowledge that?
 
Makagulfazel said:
*sigh*

I'm sure they're not lying. But what they are doing is putting the blame squarely on Blizzard's shoulders without a speck of proof because...
The percentage affected is minuscule. People that have claimed they had had authenticators have been caught in a lie. Blizzard has responded saying that acquiring session IDs should be impossible. Yet.. YET, more people are still relying on hearsay. And the snowball keeps rolling.
Did Sony fuck up big time? Yes, proving corporations might be lax enough to not encrypt user data. Do we have anything other than assumptions right now? No. I know you're all butthurt about the DRM scheme, but that doesn't prove a single.fucking.thing. Dig it?
Yip. It still looks like people were, quite simply, 'hacked'. Perhaps in various ways, non-obvious exploits - but that doesn't mean any of this is Blizzard's fault. If there was a consistent problem on Blizzard's side that could be exploited, then you'd see a lot more accounts stolen.


As for the always online thing, it's an interesting strategy. There's no real reason for Blizzard to remove the offline single player part of it other than to maximize their profits, and that's what they're doing. Using Diablo 3 to push this strategy is relatively safe, because there was really no way that game would not be a major success.

I wonder how long it will take before we see subscriptions for single-player games.


EDIT:
Brother None said:
My boss over at GameBanshee was hacked. He's never had an (online gaming) account hacked before, he's a professional who keeps his PC clean, he uses unique passwords for every account. But please, no, keep blaming the end-user. Totally realistic.
Wait, he was hacked?

Okay, never mind, I revise my opinion.
 
It's more about the way how the whole situation is played out by the "fans" you know. I want to avoid the term "drone" here ... but think about it if we would be talking here about EA, Ubisoft or Sony for a moment.

It's not important if it would be an accident or loophole. It would be the company which people would blame.

Thing is. It's Blizzard. And everyone knows. Blizzard is the reincarnation of Jesus. Hence. People which say they lost their equipment are noobs or watching too much porn over stream on their PC.

I don't think that the people with the articles "directly" blamed Blizzard simply because they say as well ... no one knows what is going on. And THAT is the worst part here if you consider how close we are to the release of the real-money-auction-house and that Blizzard is so secretive about the subject. At least that is how it seems to me.
 
http://us.battle.net/d3/en/forum/topic/5592454673?page=9#176

We've investigated several reported claims of "session spoofing," as discussed both in these forums and elsewhere on the Web. We treat these kinds of reports very seriously -- however, to date, we have yet to identify a single case of compromise that was the result of a player joining or participating in a public game.

Additionally, as we mentioned before:

Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technically impossible.

For clarity, when we say "technically impossible" it means we determined (after many, many days of research) that session spoofing, as described in the claims we've seen, cannot occur within Diablo III. To avoid confusion, read "technically impossible" as "technologically impossible."

Even so, we're continuing to investigate related reports. If you believe you possess solid evidence of some sort of "hack," then please relay that information to our support representatives as soon as possible, or email hacks@blizzard.com. In the meantime, if you don't possess such evidence, we ask that you please refrain from spreading hearsay.

The claims of "session spoofing" have no supporting evidence, other than armchair experts claiming it can be done. There's a thread here people reference:

http://www.cinemablend.com/games/Diablo-3-Session-Spoofing-Real-Do-Join-Public-Games-43162.html

But even this doesn't include anything of relevance... like a copy of the trace file from the supposedly revealing packet sniffing session. Screenshots, logs or any kind of documentation. These things aren't particularly difficult to acquire.
 
Brother None said:
Why deny it? Security issues happen, it's a likely explanation here, what's your rationale for refusing to acknowledge that?

Korindabar is expressing my same thoughts more politely and effectively. It's a bummer that your boss got hacked, and it sounds like he knows what he's doing, but out of all of these IT experts no one has been able to come forward yet and show an example of sessionID acquisition. It's all just speculation, without any data files or logs for analysis. I would have expected a white-hat hacker to come forward by now, laying down the hurt on Blizzard for just the matter of pride (much like people post gameplay exploits to get them fixed), but all that is circulating is a bunch of hearsay.
A new computer does not guarantee that you will not get hacked; it can probably go unmentioned, but you don't get all new user accounts for every website you log in to when you purchase a new computer. NMA had user data acquired even with some very bright individuals in control; how is the personnel at GameBanshee different?
I agree, in your boss' case, it's very strange he was able to log in directly after being forced out by another login to his account. This would signify that his password was not yet changed, ruling out an acquisition of his email login information followed by a password reset of his battle.net account. It seems damning, but as an adult, I understand the memory of humans can be fallible, especially with minute details. I have tied a mobile authenticator to my account because I do not have absolute faith in Blizzard's security, but I don't think it's appropriate to jump the gun without any solid proof.
 
This is what your Diablo 3 data looks like in transit, if anyone is curious. It is all encrypted:

[Image: diablodata.png]

Of the theories floating around regarding how someone might steal a session, this rules out someone sniffing it, as they wouldn't be able to decrypt the information. Claims that public games or strangers in your recently played list are somehow related would need to have some reliance on your session information being transmitted to other client PCs where it would be available in the client memory for "spoofing", which would also have a reliance on sessions not being IP bound. Anyway, from a technical standpoint it just sounds silly when you really get into it.

Make no mistake, there's all kinds of interesting data in client memory. I just don't see anything that would tie particular players to a session that could be grabbed. Here's a shot of one of my friends and some information surrounding his "party ID", which is what the quick join is:

[Image: diablodata2.png]
 
Brother None said:
We don't *know* anything, but the most likely answer is there's some kind of security issue. A lot of evidence points to it.
We don't know anything, but somehow the most likely explanation is a security exploit with Blizzard's online service? I'm not following your logic.
korindabar said:
The claims of "session spoofing" have no supporting evidence, other than armchair experts claiming it can be done.
This. If the purported security exploits were happening, somebody somewhere would be able to provide tangible proof of it. There is none. Until somebody provides such, the most reasonable explanations are the usual suspects (keylogging, phishing, etc.), not some magical "sessionID hax" or whatever.
 
How did they manage to get the information from BN's boss? Considering the fact that the only account which was compromised was with Diablo 3 and nothing else. And considering the fact that he is probably a long time gamer and not a rookie.

I mean hackers always find holes in a system. Why not here? Sony was breached. Hell even the Pentagon a few times.
 
Makagulfazel said:
Korindabar is expressing my same thoughts more politely and effectively. It's a bummer that your boss got hacked, and it sounds like he knows what he's doing, but out of all of these IT experts no one has been able to come forward yet and show an example of sessionID acquisition.

I never said I think the security issue is sessionID acquisition. I said it is quite likely there is a security issue, based on the accounts we have. I have no idea why you guys are suddenly pretending as if the sessionID acquisition theory is the only valid explanation, and that by having it dismissed the entire problem of a possible security leak is dismissed.

Makagulfazel said:
NMA had user data acquired even with some very bright individuals in control; how is the personnel at GameBanshee different?

NMA hadn't been updated/security checked in eons. I don't understand the comparison.
 
It's pretty fucking hilarious when you consider that WoW accounts are hijacked EVERY SINGLE DAY, yet there isn't a peep about it in the media because we all know that keyloggers are a fact of life. We accept it and move on, "Better luck next time" "Should have used a better antivirus" "Shouldn't have downloaded so much porn lololol" yadda yadda yadda. Meanwhile, a few D3 accounts are stolen and the lolgamingpress whips up a shitstorm of epic proportions. SQL INJECTIONS!!!11, SESSION SPOOFING!!1 ONLINE ONLY DRM!!! FUCK YOU BLIZZARD HNGGG!!!!!!!!!

If someone gets your Battle.net login/password, they have EVERYTHING. They have access to your WoW, your SC2, your D3, and every legacy cd key you registered. It has nothing to do with D3 in particular. Anyway, here's a little story.



I consider myself rather computer savvy and security conscious, and I was convinced that I was virus free. Authenticator? Hah those are just for people who don't take care of their system. Well, it turns out that AVG doesn't catch everything.

-One morning I'm dicking around on WoW with my Shaman, and decide to take a quick break to whip up some breakfast. I come back not 10 minutes later, and... that's weird, why does my character list look so weird? Moreover, why is my mage selected as my last played character?

-Booted to login. The fuck?

-Logged back in, and now I see why my character list looks weird. My shaman is straight up gone, and ALL OF MY CHARACTERS ARE NAKED.

-Booted to login.

This all happened in the space of 20 or so seconds, and then I realized what was happening. I go to the blizzard account site aaaannnnd... invalid password. Lovely.

Turns out, they cleaned out my 200k gold, my private guild bank with another couple hundred thousand in mats, sold everything on my alts, and server transferred my shaman. After getting my shit restored, I bought an authenticator, because $6.50 was looking awfully cheap after going through all that bullshit. Oh, and Comodo found a rootkit that AVG never picked up on.



Moral of the story, it doesn't matter how security conscious you consider yourself to be. No antivirus is perfect, so just spend the fucking $6.50 and never worry about that shit again.
 
Yay, I died moments ago due to a massive lag spike as I was in the middle of the Soul Jar event. No, it wasn't me, there's a thread in the Blizzard forums about this right now.

Was so frustrated that my single-player experience is so tainted by that online-only BS I quit and probably won't play for a few days. I can deal with moronic general chat and AH to a degree, but this is just plain ridiculous. Imagine I was rolling a Hardcore character. Poof, he just died because of a 10 second lag spike. Capital.
 
Oh boohoo, someone dies on softcore. Big deal. Lots of the really big names have died on hardcore due to lagspikes, which, funnily enough, was on their side of the connections. ;DDDddd!!3421
 
Brother None said:
I have no idea why you guys are suddenly pretending as if the sessionID acquisition theory is the only valid explanation, and that by having it dismissed the entire problem of a possible security leak is dismissed.

I'm not dismissing anything, hence why I installed the free mobile authenticator and tied it to my account. What I am not willing to do is blame Blizzard with speculation as my evidence.
 
all this talk about hacking aside, what I'm more worried about is bots and exploits to get gold. people are using bots. some get banned, others get away with it. these are mainly bots that farm gold, and these people are stinking rich already. add to that several AH exploits which can make you rich rather quickly. when the real money AH is launched, the economy in this game is gonna be royally fucked. and probably will be in the near future any way.
 
Forget the account hacking issues, I'd be thrilled if that was the only problem. The game itself sucks ass. I was far from a fanatic but I did enjoy the previous games. The stories were fun, there was at least a little character building, and the chance of finding a better bit of loot kept me playing.

With this game, all pretenses at being anything other than fantasy pacman have been dropped. The story is utterly ho-hum, the world is more lifeless than ever, and it takes maybe 6 hours to finish.

But more than anything the auction house and the approach to gear in general really makes this game a bad joke. Multiplayer is ruined when your friends are 4 times as good as you because of the gear they buy in the auction house. Single player is ruined because of the aforementioned brevity and general lameness.

Yeah you can avoid the auction house altogether but have fun playing far into hell difficulty with the crap you find.
 
HerrMike said:
Yeah you can avoid the auction house altogether but have fun playing far into hell difficulty with the crap you find.

I'm on act 1 inferno and haven't bought one single item on the auction house. hell was easier than nightmare for me, except for some lame elites and bosses. guess I was lucky with drops.
 