Author Topic: NwN Server and security update  (Read 7943 times)

Legacy_Squatting Monk

« Reply #195 on: August 31, 2012, 10:07:32 pm »


               

Lazarus Magni wrote...

> Well the master server for player authentication in multiplayer play and the website are 2 separate issues. Related, yes, but distinct.
>
> If they turned back on the master server, but not the website, there would be no danger of having the thieves log into the website and wreak havoc. But this would re-instate the first line of defense for PWs, and the online community as a whole.

But the website wasn't the only issue, remember. The Master Server authenticates the username and password the user enters when they go to Multiplayer mode. If those passwords were obtained by hackers, they could use those to log into the game as that player, the Master Server would give the OK, and the server would still be vulnerable.

Getting the Master Server back would be a difficult undertaking. You couldn't just go back to the old database, because that was compromised. You'd have to have every user set up a new password, but you'd have to be sure it was them doing it. If you just started over with a fresh database, you'd have to worry that people creating accounts were not actually the owner (e.g., I'd be worried that someone would create the Squatting Monk username, enabling them to access all my old haunts and keeping me from being able to log in). I'm not sure what the best way to go about fixing this would be.

> But what is equally as bad with the master server being off is the ability for people to key gen, and not only log in as whoever, but completely avoid server bans. A ban meant a lot more when it was actually a CD key the person bought. Now it’s a total joke.

Don't forget that you can also ban people by IP address. That also doesn't stop them, of course, but it can slow them down and make it less fun. The system I set up uses a combination of CDKey, IP address, and player name bans. It associates them all together to more easily detect when someone is trying to get back in after a ban. If that turns out not to be enough, I may link player accounts to accounts on my forums.

Remember, regardless of whether there is a Master Server or not, all security is just a temporary barrier. Given enough time and dedication, people can get around any security system. Your goal is not to find a system that magically stops the bad guys; it's to slow them down and make it too much of a hassle for it to be worth it to them. This is the principle behind fences, locking doors, or burglar alarms. Yes, a thief can get around them. But each barrier you add can screen out more and more criminals.
               
               

               


Edited by Squatting Monk, 31 August 2012 - 09:13.
                     
                  


            

Legacy_Lazarus Magni

« Reply #196 on: August 31, 2012, 10:56:23 pm »


This is one of my points. Right now anyone can log in as anyone (unless the server is using Funky's system or something similar, which isn't retroactive. It only applies to accounts that log into the server since it was installed.)

If the master server were back up, using the old DB, only those hackers would be able to do this. In other words... You would be able to find out who this was.

Furthermore, as you mentioned the Master Server is only the first line of defense. Turning it back on would not disable the PW security systems they have put in during its absence. So turning it back on would do no harm, and only good.

And as far as bans... it's easy to use a proxy. The guy who visited us last night for example. By the time I banned his/her player name, public cd key, and IP, and then restarted the server, he was the first one back on with all new ones of all of those. It didn't slow him down in the least. It was a total joke. Now if he actually paid for those CD keys, a ban would have a lot more teeth to it. And if he was still able to pull them out of thin air, this might be a good indication he is one of the individuals responsible for the hack, or if not, is downstream from them.
               
               

               
            

Legacy_Squatting Monk

« Reply #197 on: August 31, 2012, 11:45:15 pm »


               

Lazarus Magni wrote...

> If the master server were back up, using the old DB, only those hackers would be able to do this. In other words... You would be able to find out who this was.

No. Typically, hackers don't keep data only for themselves. A data drop on Pastebin a la Anonymous and everyone has your passwords. That said, I do wonder about the likelihood that the hacker or the stolen data is still around at all.

> Furthermore, as you mentioned the Master Server is only the first line of defense. Turning it back on would not disable the PW security systems they have put in during its absence. So turning it back on would do no harm, and only good.

Assuming that everyone has put those security systems in place (some servers may still be requiring Master Server authentication, but these would largely be servers whose admins have been inactive over a year), this would be true... to the extent that everyone remembers they need multiple lines of security, and not just to rely on the Master Server. Getting a gate around your community doesn't mean you can leave the doors unlocked.

> And as far as bans... it's easy to use a proxy.

Hence why I said "That also doesn't stop them, of course." There are ways around every security system.

> Now if he actually paid for those CD keys, a ban would have a lot more teeth to it. And if he was still able to pull them out of thin air, this might be a good indication he is one of the individuals responsible for the hack, or if not, is downstream from them.

Unlikely. You don't need to steal CDKeys. There's this really obscure website called Google that can hook you up with additional keys.
               
               

               
            

Legacy_Lazarus Magni

« Reply #198 on: September 01, 2012, 03:03:20 am »


               

Squatting Monk wrote...

> Lazarus Magni wrote...
>
> > If the master server were back up, using the old DB, only those hackers would be able to do this. In other words... You would be able to find out who this was.
>
> No. Typically, hackers don't keep data only for themselves. A data drop on Pastebin a la Anonymous and everyone has your passwords. That said, I do wonder about the likelihood that the hacker or the stolen data is still around at all.

Well exactly, and if they drop that somewhere they are caught. Nothing is truly anonymous on the net. I am pretty sure a warrant would reveal the source.

And again what on earth could possibly have been the point of this? Why isn't anyone asking that? We are talking about a website for a 10 year old game being hacked, that didn't store any financial data. It just doesn't add up...

Squatting Monk wrote...

> > Furthermore, as you mentioned the Master Server is only the first line of defense. Turning it back on would not disable the PW security systems they have put in during its absence. So turning it back on would do no harm, and only good.
>
> Assuming that everyone has put those security systems in place (some servers may still be requiring Master Server authentication, but these would largely be servers whose admins have been inactive over a year), this would be true... to the extent that everyone remembers they need multiple lines of security, and not just to rely on the Master Server. Getting a gate around your community doesn't mean you can leave the doors unlocked.

Right, assuming every active server has this. Those that don't have already been screwed... But as I mentioned the community security systems aren't a fix all. Without the first line of defense they merely stop the bleeding, they don't cure the wound.

Squatting Monk wrote...

> > Now if he actually paid for those CD keys, a ban would have a lot more teeth to it. And if he was still able to pull them out of thin air, this might be a good indication he is one of the individuals responsible for the hack, or if not, is downstream from them.
>
> Unlikely. You don't need to steal CDKeys. There's this really obscure website called Google that can hook you up with additional keys.

Umm... your sarcasm aside, correct me if I am wrong here, but isn't one of the functions of the master server to authenticate a CD key with a registered user? You can CD key gen (or torrent) til you are blue in the face but if you don't register those keys (opening yourself up to being caught) you won't be authenticated.

P.S. I am pretty sure torrenting is actually considered stealing... If that is what you are referring to as googling...
               
               

               


Edited by Lazarus Magni, 01 September 2012 - 02:08.
                     
                  


            

Legacy_Lazarus Magni

« Reply #199 on: September 01, 2012, 03:07:11 am »


Double post removed.
               
               

               


Edited by Lazarus Magni, 01 September 2012 - 02:08.
                     
                  


            

Legacy_Squatting Monk

« Reply #200 on: September 01, 2012, 04:05:08 am »


               

Lazarus Magni wrote...

> Well exactly, and if they drop that somewhere they are caught. Nothing is truly anonymous on the net. I am pretty sure a warrant would reveal the source.

If BioWare/Atari is not willing to put in the time or effort to get the Master Server up and running, do you think they're going to spend much time trying to get a criminal investigation going?

> And again what on earth could possibly have been the point of this? Why isn't anyone asking that? We are talking about a website for a 10 year old game being hacked, that didn't store any financial data. It just doesn't add up...

To steal passwords and have access to any account you want, maybe? It's also possible they didn't steal anything, but they just got in to see if they could. People don't only hack for financial gain.

> Umm... your sarcasm aside, correct me if I am wrong here, but isn't one of the functions of the master server to authenticate a CD key with a registered user? You can CD key gen (or torrent) til you are blue in the face but if you don't register those keys (opening yourself up to being caught) you won't be authenticated.
>
> P.S. I am pretty sure torrenting is actually considered stealing... If that is what you are referring to as googling...

No, the Master Server ensured that the same CDKey cannot be logged in from two places at the same time (and may have done the same thing for player names, too; not sure), but it did not force the player to use the key they registered. Remember, you didn't even have to register CDKeys in order to play. Registering your CDKeys online was just a handy way to keep them accessible in case you lost the manual. No, the primary function of the Master Server was to associate the player's name with a password (the same one used to log in to nwn.bioware.com).

And no, I don't mean torrent. I mean literally Google. It's easy to find lists of gen-ed keys for any software.
               
               

               


Edited by Squatting Monk, 01 September 2012 - 03:27.
                     
                  


            

Legacy_Lazarus Magni

« Reply #201 on: September 01, 2012, 05:30:30 am »


               

Squatting Monk wrote...

> If BioWare/Atari is not willing to put in the time or effort to get the Master Server up and running, do you think they're going to spend much time trying to get a criminal investigation going?

If they actually cared, do you think they wouldn't? I guess the answer to that question answers many other things...

Squatting Monk wrote...

> > And again what on earth could possibly have been the point of this? Why isn't anyone asking that? We are talking about a website for a 10 year old game being hacked, that didn't store any financial data. It just doesn't add up...
>
> To steal passwords and have access to any account you want, maybe? It's also possible they didn't steal anything, but they just got in to see if they could. People don't only hack for financial gain.

Again, we have a major hack (oh and if this was not the case, then what is the justification for shutting down the master server?), for what purpose? It doesn't seem logical to me by any means... Some nwn 1 player gets jealous of another player and perpetrates a major online criminal hack just to log in as that other player? I don't think so...

Squatting Monk wrote...

> > Umm... your sarcasm aside, correct me if I am wrong here, but isn't one of the functions of the master server to authenticate a CD key with a registered user? You can CD key gen (or torrent) til you are blue in the face but if you don't register those keys (opening yourself up to being caught) you won't be authenticated.
> >
> > P.S. I am pretty sure torrenting is actually considered stealing... If that is what you are referring to as googling...
>
> No, the Master Server ensured that the same CDKey cannot be logged in from two places at the same time (and may have done the same thing for player names, too; not sure), but it did not force the player to use the key they registered. Remember, you didn't even have to register CDKeys in order to play. Registering your CDKeys online was just a handy way to keep them accessible in case you lost the manual. No, the primary function of the Master Server was to associate the player's name with a password (the same one used to log in to nwn.bioware.com).
>
> And no, I don't mean torrent. I mean literally Google. It's easy to find lists of gen-ed keys for any software.

Actually I don't remember that, I pretty distinctly remember registering my CD keys. But regardless, the end result of bringing the master server back on line would be the same. You're saying this is worthless because the hackers could still log in as anyone? I am saying no it isn't because, currently anyone can log in as anyone. And in either case the community submitted security systems prevent this (to a certain extent, not retroactively but moving forward.) So leaving the master server off, basically means anyone can log in as anyone. Turning it back on means only the hackers can do this, which might result in actually finding them, and putting a stop to it.

Oh and as far as google... I tried it, I found one YouTube video with a pseudo key gen... I am pretty sure that would not be hard to stop if anyone actually cared.
               
               

               
            

Legacy_Squatting Monk

« Reply #202 on: September 01, 2012, 06:13:45 am »


               

Lazarus Magni wrote...

> Again, we have a major hack (oh and if this was not the case, then what is the justification for shutting down the master server?), for what purpose? It doesn't seem logical to me by any means... Some nwn 1 player gets jealous of another player and perpetrates a major online criminal hack just to log in as that other player? I don't think so...

Major? I doubt it. Likely the reason the server was shut down is because it was the easiest solution to the problem. Why did it not end up coming back up? With the trickle of money NWN is bringing now, it was probably just not worth it to them to put significant time or effort into it.

> Actually I don't remember that, I pretty distinctly remember registering my CD keys.

This was always done on the nwn.bioware.com website. It had nothing to do with the Master Server.

> But regardless, the end result of bringing the master server back on line would be the same. You're saying this is worthless because the hackers could still log in as anyone? I am saying no it isn't because, currently anyone can log in as anyone. And in either case the community submitted security systems prevent this (to a certain extent, not retroactively but moving forward.) So leaving the master server off, basically means anyone can log in as anyone. Turning it back on means only the hackers can do this, which might result in actually finding them, and putting a stop to it.

Did I say it was worthless? Lemme re-read my posts here...

Squatting Monk wrote...

> All things being equal, I'd prefer to have the Master server and have server admins implement tight security practices, but we're stuck with just the latter. People need to get used to it.

> Oh and as far as google... I tried it, I found one YouTube video with a pseudo key gen... I am pretty sure that would not be hard to stop if anyone actually cared.

If that's all you turned up, your Google-fu is pretty weak.
               
               

               
            

Legacy_Failed.Bard

« Reply #203 on: September 01, 2012, 07:30:03 am »


CD-Keys weren't automatically registered, but player names were automatically linked to the CD-Key when you made up a new log in, assuming it wasn't one already registered to somebody. That was the only real function of the master server, linking player names to CD-Keys, as far as security goes.

Since it was possible (and easy) to circumvent the master server check, server side linking of CD-Key to player name is actually more secure than the master server ever was.
               
               

               
            

Legacy_Lazarus Magni

« Reply #204 on: September 01, 2012, 08:24:20 am »


Ok, so basically what you all are saying is the master server did nothing, and we are better off without it (or no worse off at least)?

I guess I should withdraw my petition, and just let this go?

NWN 1's legacy... a hacker's paradise...

Wow, that's awesome.


13k+ views on this thread but no one seems to care anymore... I wonder why that might be? I didn't happen to mention something about the intentional death of the bulk online NWN 1 community, and the complacency of the survivors did I?
 
               
               

               


Edited by Lazarus Magni, 01 September 2012 - 07:30.
                     
                  


            

Legacy_Squatting Monk

« Reply #205 on: September 01, 2012, 08:31:58 am »


               

Lazarus Magni wrote...

> Ok, so basically what you all are saying is the master server did nothing, and we are better off without it?
>
> I guess I should withdraw my petition, and just let this go?
>
> NWN 1's legacy... a hacker's paradise...
>
> Wow, that's awesome.

We said the Master Server didn't do what you think it did. How do you conclude that therefore it did nothing?

> 13k+ views on this thread but no one seems to care anymore... I wonder why that might be? I didn't happen to mention something about the intentional death of the bulk online NWN 1 community, and the complacency of the survivors did I?

You're really reaching here.
               
               

               


Edited by Squatting Monk, 01 September 2012 - 07:34.
                     
                  


            

Legacy_Lazarus Magni

« Reply #206 on: September 01, 2012, 08:48:09 am »


Ok, and so why am I the only one asking for it to be re-instated? Please explain to me the merits of having it remain off line?

And reaching... umm... I didn't pull that number out of thin air. It's the number of views shown here:
http://social.biowar...egory/199/index

Oh yeah and as far as my "google-fu" I pretty much self taught myself a Masters degree level of education in the ability to identify Listeria monocytogenes, or Salmonella, or E. coli O157:H7, or a myriad of other pathogens, using a variety of different methods (USDA, FDA, EP, AOAC, etc...) and applied it in the work place mostly from google. But I guess my google fu is weak.

Or how bout this, more relevantly to us all (aside from everyone's need to eat). Set up an online petition to Bioware via google in less than 5 minutes. Something that should have been done a year ago, but apparently no one else thought of? Kinda sad I had to be the one to do this. I am far from an upstanding or well respected member of this community. I am what I am, and this whole f-3d up situation is what it is too. I think I may have also mentioned something about how the future is bleak...

The saddest thing to me in all this is that people are resisting this because it is me that presented the idea. Not because of the idea itself. It's almost as if you all can't put aside your own personal hatred for me personally to look past the presenter to the actual idea, and concepts presented. Kinda like here:

http://social.biowar...ndex/13633358/8
               
               

               


Edited by Lazarus Magni, 01 September 2012 - 08:00.
                     
                  


            

Legacy_Squatting Monk

« Reply #207 on: September 01, 2012, 09:31:37 am »


               

Lazarus Magni wrote...

> Ok, and so why am I the only one asking for it to be re-instated?

You're not. This thread is filled with requests — nay, demands — from people wanting it to be restored. But it's been over a year and people have figured out it's not going to happen. But it's not the end of the world. Funky and others have developed fixes that mitigate the gravest harms. Virusman even modded the game files so it never even bothers to check with the Master Server, so we don't have to deal with the annoying messages all the time.

> And reaching... umm... I didn't pull that number out of thin air. It's the number of views shown here:
> http://social.biowar...egory/199/index

No, I was referring to this silliness:

> I wonder why that might be? I didn't happen to mention something about the intentional death of the bulk online NWN 1 community

> Oh yeah and as far as my "google-fu" I pretty much self taught myself a Masters degree level of education in the ability to identify Listeria monocytogenes, or Salmonella, or E. coli O157:H7, or a myriad of other pathogens, using a variety of different methods (USDA, FDA, EP, AOAC, etc...) and applied it in the work place mostly from google. But I guess my google fu is weak.

I'm so proud of you.

> Set up an online petition to Bioware via google in less than 5 minutes. Something that should have been done a year ago, but apparently no one else thought of? Kinda sad I had to be the one to do this.

The community was quite loud on the forums. You'll note that this thread was started by a BioWare employee. They knew we wanted the master server back. A petition is a nice gesture, but it isn't going to do much at this point.

> I think I may have also mentioned something about how the future is bleak...

Yes, you've said that multiple times. The problem is that you're incorrect. Yes, things are slowing down around here, but that's largely to do with the fact that this is an aging game and people are moving on to other pursuits. That's life. The loss of the Master Server didn't cause this, and getting it back won't change it, either. So in the meantime, make the best of the tools at your disposal. Keep creating, keep playing, and keep having fun. That's what the game is here for.

> The saddest thing to me in all this is that people are resisting this because it is me that presented the idea. Not because of the idea itself. It's almost as if you all can't put aside your own personal hatred for me personally to look past the presenter to the actual idea, and concepts presented. Kinda like here:
>
> http://social.biowar...ndex/13633358/8

No, most folks that remain in this community are fairly mature. If we disagree with each other, it's typically because we disagree, not because we have vendettas against each other. Yes, occasionally someone says something insulting and we chafe. But that doesn't mean we therefore have to disagree with everything that person says ever again. That would be silly.
               
               

               


Edited by Squatting Monk, 01 September 2012 - 08:52.
                     
                  


            

Legacy_Lazarus Magni

« Reply #208 on: September 01, 2012, 09:46:45 am »


^^

*that's me raising my eyebrows btw...*
               
               

               
            

Legacy_PlasmaJohn

« Reply #209 on: September 02, 2012, 04:49:50 am »


Ultimately Atari/Infogrames was responsible for the operation of the Master Server. For whatever reason, Bioware performed that function. Prior to the Master Server being taken down, Infogrames had some significant financial troubles. In that time frame Bioware got acquired by EA. So now you have a division that's operating a service for a bitter rival.

Some of us connected those dots early on.  It's not coming back no matter how hard anybody wishes.

I'm sorry you're having issues with a problem player.  I'm guessing that FS's scripts auto-approve new players.  If there's an option to make that approve only, turn that on.  At the very least they have to wait until somebody approves their app.
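
The server-side measures discussed in this thread (binding a player name to the first CD key that uses it, associating CD key, IP address and player name for bans, and approve-only admission of new players) can be modelled as follows. This is an added example, not part of any post and not Funky's or Squatting Monk's actual scripts; it is written in Python rather than NWScript, and the `Login` and `Gatekeeper` names, the sample keys and the addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Login:
    player: str  # account name typed by the client (unauthenticated)
    cdkey: str   # public CD key reported by the client
    ip: str      # source address of the connection

    def ids(self):
        return {("player", self.player.lower()), ("cdkey", self.cdkey), ("ip", self.ip)}


@dataclass
class Gatekeeper:
    approve_only: bool = False                    # hold new names for an admin
    bindings: dict = field(default_factory=dict)  # player name -> allowed CD keys
    pending: dict = field(default_factory=dict)   # player name -> key awaiting approval
    seen: list = field(default_factory=list)      # identifier sets of accepted logins
    banned: set = field(default_factory=set)

    def ban(self, login):
        """Ban a login's identifiers and everything ever seen alongside them."""
        cluster = login.ids()
        grew = True
        while grew:  # transitive closure over the accepted-login history
            grew = False
            for ids in self.seen:
                if ids & cluster and not ids <= cluster:
                    cluster |= ids
                    grew = True
        self.banned |= cluster
        return cluster

    def approve(self, player):
        """Admin action: accept the pending name/key binding."""
        name = player.lower()
        self.bindings[name] = {self.pending.pop(name)}

    def check(self, login):
        """Return (decision, reason) for one login attempt."""
        name = login.player.lower()
        hits = login.ids() & self.banned
        if hits:
            # At least one identifier was reused. Extend the ban to the key and
            # address, but not to the typed name: it may belong to someone else.
            # Caveat: shared or proxy addresses make IP bans over-broad.
            self.banned |= {("cdkey", login.cdkey), ("ip", login.ip)}
            return "deny", "ban-link:" + "+".join(sorted(kind for kind, _ in hits))
        keys = self.bindings.get(name)
        if keys is None:
            if self.approve_only:
                self.pending.setdefault(name, login.cdkey)
                return "deny", "pending-approval"
            self.bindings[name] = {login.cdkey}  # first key to use a name owns it
        elif login.cdkey not in keys:
            return "deny", "cdkey-mismatch"
        self.seen.append(login.ids())
        return "allow", "ok"


def demo():
    """Replay constructed logins (made-up names, keys, documentation IPs)."""
    g = Gatekeeper()
    out = [g.check(Login("Squire", "KEY-VVVV", "192.0.2.10")),      # owner binds name
           g.check(Login("squire", "KEY-XXXX", "192.0.2.77")),      # impersonation
           g.check(Login("Griefer", "KEY-AAAA", "203.0.113.5")),
           g.check(Login("Griefer2", "KEY-AAAA", "203.0.113.9"))]   # same key, new name
    g.ban(Login("Griefer2", "KEY-AAAA", "203.0.113.9"))             # bans all five ids
    out += [g.check(Login("NewName", "KEY-BBBB", "203.0.113.5")),   # old address reused
            g.check(Login("Other", "KEY-BBBB", "198.51.100.7")),    # key now banned too
            g.check(Login("Fresh", "KEY-CCCC", "192.0.2.44"))]      # everything new
    return out
```

The last login in `demo()` is allowed because name, key and address are all new, which is the limit of linked bans raised in the thread; constructing `Gatekeeper(approve_only=True)` holds such a login until an admin calls `approve()`.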