Author Topic: NwN Server and security update  (Read 7944 times)

Legacy_ultima03

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
NwN Server and security update
« Reply #75 on: January 04, 2012, 03:05:29 pm »


               It's not a priority for Bioware to not look bad?
               
               

               
            

Legacy_NWN DM

  • Hero Member
  • *****
  • Posts: 661
  • Karma: +0/-0
NwN Server and security update
« Reply #76 on: January 04, 2012, 03:27:17 pm »


               

ultima03 wrote...

It's not a priority for Bioware to not look bad?

A 10 year old game made for a different publisher is probably a ways down the list.
               
               

               
            

Legacy_ultima03

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
NwN Server and security update
« Reply #77 on: January 04, 2012, 03:28:54 pm »


               

NWN DM wrote...

ultima03 wrote...

It's not a priority for Bioware to not look bad?

A 10 year old game made for a different publisher is probably a ways down the list.


10 years or not, as long as the service is running, the security must be top priority. I think
               
               

               
            

Legacy_NWN DM

  • Hero Member
  • *****
  • Posts: 661
  • Karma: +0/-0
NwN Server and security update
« Reply #78 on: January 04, 2012, 03:36:48 pm »


               Personally I agree with the essence of your statement.

However, in practical terms, the game is 10 years old and the revenue stream isn't going to the current owner of BioWare, so I think we need to be realistic.

Whatever is being worked on is likely a side project or a personal interest in "spare time" type of endeavour for one person.

That we're still getting any support/acknowledgement at all is amazing frankly.

Anyone who is so worried that they create an account here to complain about it should probably stop playing until it's fixed (there is a Community solution posted btw).
               
               

               
            

Legacy_ultima03

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
NwN Server and security update
« Reply #79 on: January 04, 2012, 03:43:46 pm »


Not only should we all stop playing, but when Master Server Authentication is down, everything should be down. Until now ignorance was the only thing that protected against 9 years of potential hacks, vault wipes and the other troubles stated previously, because MSA was down from time to time back then too. The fixes provided by funkyswerve and other people are just weak workarounds that will never replace MSA. And I'm being realistic when I say that the Bioware name is engaged when the security of its old or newer community is compromised, and that's really worth a time and cash investment. Not sure how much effort that would require, but it's necessary, or else close the entire NWN traffic: no more problems (but even old Diablo online is still running). Also, I know 2-3 well-known servers that got partially wiped just because a guy decided to write down players' accounts and log into them, and they are waiting for good protection before launching the server again.
               
               

               


Edited by ultima03, 04 January 2012 - 04:05.
                     
                  


            

Legacy_ehye_khandee

  • Hero Member
  • *****
  • Posts: 1415
  • Karma: +0/-0
NwN Server and security update
« Reply #80 on: January 04, 2012, 05:30:03 pm »


               

ultima03 wrote...

I'm not sure for how long this thing is down but there is a security breach for all servers

1 - Anyone can enter any account without knowing the password
2 - Inside the account they can delete the character if the server offers the option
3 - They can delevel - relevel if the server offers the option
4 - They can impersonate
5 - They can mess with the purchased items (sell them) and also mess with quickslots

Some servers offer the option to protect their character with an in-game password, and that's another security problem:

1 - We don't know if they encrypt passwords
2 - No notice to prevent people from using a password that's used for an email or other important things.

Putting a password in-game only protects against server options (delete/relevel) if coded properly; it won't protect from selling all items, impersonating, etc.

It is therefore critical that the master server authentication comes back as fast as possible. It has been away too long and that caused a lot of trouble, character wipes, and vault wipes.

Please take this into serious consideration


Obviously, this is all new for you. For the rest of us and certainly for most of the server operators out there, we are and have been aware for some time (months and months and months). Some server operators have taken action to tighten security and prevent these very things (again months and months ago), some with the offered code, others with custom systems. While some few server operators have not done so, the risk is all theirs and their players'.

In later portions of this thread you suggest NWN should be 'disabled'; this is an utterly foolish kneejerk response. Those of us who understand the situation have taken suitable action. It is as it has been ALL UP TO THE SERVER HOST to secure their systems as they see fit. There are still many of us who play this game; how would angering all of the remaining players help Bioware's image? Your logic is lacking here.

If you are fearful of playing, do not play.

If you are fearful of hosting, do not host.

Insisting that the rest of us stop playing because you are afraid is a total non-starter.

Be well. Game on.
GM_ODA

24x7 we bring the game. 66.232.100.90  cep2.1 +
http://playnwn.com
               
               

               
            

Legacy_ultima03

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
NwN Server and security update
« Reply #81 on: January 04, 2012, 06:36:13 pm »


               

ehye_khandee wrote...

ultima03 wrote...

I'm not sure for how long this thing is down but there is a security breach for all servers

1 - Anyone can enter any account without knowing the password
2 - Inside the account they can delete the character if the server offers the option
3 - They can delevel - relevel if the server offers the option
4 - They can impersonate
5 - They can mess with the purchased items (sell them) and also mess with quickslots

Some servers offer the option to protect their character with an in-game password, and that's another security problem:

1 - We don't know if they encrypt passwords
2 - No notice to prevent people from using a password that's used for an email or other important things.

Putting a password in-game only protects against server options (delete/relevel) if coded properly; it won't protect from selling all items, impersonating, etc.

It is therefore critical that the master server authentication comes back as fast as possible. It has been away too long and that caused a lot of trouble, character wipes, and vault wipes.

Please take this into serious consideration


Obviously, this is all new for you. For the rest of us and certainly for most of the server operators out there, we are and have been aware for some time (months and months and months). Some server operators have taken action to tighten security and prevent these very things (again months and months ago), some with the offered code, others with custom systems. While some few server operators have not done so, the risk is all theirs and their players'.

In later portions of this thread you suggest NWN should be 'disabled'; this is an utterly foolish kneejerk response. Those of us who understand the situation have taken suitable action. It is as it has been ALL UP TO THE SERVER HOST to secure their systems as they see fit. There are still many of us who play this game; how would angering all of the remaining players help Bioware's image? Your logic is lacking here.

If you are fearful of playing, do not play.

If you are fearful of hosting, do not host.

Insisting that the rest of us stop playing because you are afraid is a total non-starter.

Be well. Game on.
GM_ODA

24x7 we bring the game. 66.232.100.90  cep2.1 +
http://playnwn.com




Your workaround, and funkyswerve's workaround, and other workarounds, are nothing but workarounds. And the way you see things is not very professional nor responsible. Master Server Authentication is the responsibility of Bioware; if it's down, all consequences are their fault.

What's going on now? Passwords (what a joke) simply don't work.
Let's tell another company, maybe it will make their day.
               
               

               


Edited by ultima03, 04 January 2012 - 06:46.
                     
                  


            

Legacy_NWN_baba yaga

  • Hero Member
  • *****
  • Posts: 1944
  • Karma: +0/-0
NwN Server and security update
« Reply #82 on: January 04, 2012, 07:18:52 pm »


               I love nwn!
               
               

               
            

Legacy_wyldhunt1

  • Sr. Member
  • ****
  • Posts: 443
  • Karma: +0/-0
NwN Server and security update
« Reply #83 on: January 04, 2012, 07:45:31 pm »


Consequences?
I wonder what consequences you've endured which make shutting down all of NWN the best option.
Did someone manage to steal any of the following from you by bypassing MSA?
Real Name?
Credit Card Info?
Home Address?
Imaginary Pixel Sword +3?

For starters, it is possible to make a server secure without MSA. If a server is not completely secure, then their programmer needs to fix it. You can prevent hackers from deleting your character or dropping your items from the event scripts and/or the code they use to delete characters. Just set a var on login that tags the character as potentially hacked and don't allow them to do anything until that var is cleared.

Second, the worst info that they could steal would be your IP. That could only happen if the server admins were very inefficient, and it'd be much easier to grab your IP from anywhere else on the internet anyway...
If you're afraid that hackers will somehow grab your personal info, they can't. Servers don't keep it. Even if they did, it would usually be easier to just Google people's screen names to grab a load of info on them.

If you're saying that you'd rather shut down NWN rather than take a chance on someone stealing your Imaginary Pixel Sword +3, I disagree. Your sword is not worth that much.
And, it'll only happen if the server admin can't figure out how to

if (GetLocalInt(oPC, "HACKED")) return;
               
               

               


Edited by wyldhunt1, 04 January 2012 - 07:46.
                     
                  


            

Legacy_Himmelweiss

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
NwN Server and security update
« Reply #84 on: January 04, 2012, 09:30:08 pm »


               It is not the job of the people who host the servers to secure any bioware accounts!

NWN1 Diamond edition is still being sold on Amazon and several other shops.
People who buy it today will notice that the game currently is broken due to no Master Server.

I do not care about any workarounds; the current lack of a Master Server is a high risk for any consumer who buys the product and plays the game online.
Not everyone is going to read these forums; they will just install and play the game, only to figure out sooner or later that someone logged in with their toons.

It is amazing how long it takes to set up a new Master Server.
Nobody would be pissed if the speed was a bit better at Bioware. I seriously do not know what takes Bioware so long to set up a new simple Master Server. And yes, it is very simple to set one up. Takes you at MAX 1 week. And even 1 week would be a slow rate.

We have been waiting since what... how many months? This is a joke and shows zero respect to the consumers.
               
               

               
            

Legacy_WhiZard

  • Hero Member
  • *****
  • Posts: 2149
  • Karma: +0/-0
NwN Server and security update
« Reply #85 on: January 04, 2012, 09:51:03 pm »


               

Himmelweiss wrote...
We have been waiting since what... how many months? This is a joke and shows zero respect to the consumers.


BioWare has many games, and this one is not priority.  Also due to the BioWare account hack, there may be several legal constraints needed to be met to allow MS authentication hosting to continue.

As for work-arounds, one simple one is to only allow a character to login to the IP address from which it was created.  Doesn't block other people impersonating the account or viewing the account's characters, nor does it help you login from many different computers, but it would block in-game control and impersonation of the character.
               
               

               
            

Legacy_wyldhunt1

  • Sr. Member
  • ****
  • Posts: 443
  • Karma: +0/-0
NwN Server and security update
« Reply #86 on: January 04, 2012, 10:21:21 pm »


               @WhiZard
Using IPs seems like a good way of doing it until one of your players has a power outage or has to reboot their modem for some reason. Their IP will change and they'll be locked out.
The easiest way is actually very similar to the one stickied on these boards. Compare the Player Name with the CD key and make sure that they match (the sticky allows a player to register multiple CD keys). Mark them as HACKED to make sure that they can't take any actions at all and either boot/ban them by IP/CD Key as you see fit if they don't match.

@Himmelweiss 
We don't have to secure any of Bioware's accounts. We don't even have access to your Bioware accounts. We can't protect them or create any vulnerabilities.
All we have access to, and can protect for you, are your server side NWN characters. My server is not a Bioware account. Neither are the toons in my server vault.
You keep acting like there is some risk of something important being stolen if a server admin fails to protect your toon for you.
Is there something I'm missing here?
               
               

               


Edited by wyldhunt1, 04 January 2012 - 10:30.
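
The login check described in replies #83 and #86 (compare player name with CD key, set a HACKED variable on mismatch), sketched as an OnClientEnter script. This is an added example, not code from any poster or from the stickied script; the database name, the variable prefix and the one-key-per-account policy are assumptions (the sticky is said to allow several keys per player).

```nwscript
// Added example: bind each player name to the first public CD key seen
// for it, and flag any later login that presents a different key.
// Assumed names: campaign database "ACCOUNT_KEYS", variable prefix "KEY_".
// Assumes "KEY_" + player name fits the campaign database's limit on
// variable-name length; very long names need a different store.

const string KEY_DB = "ACCOUNT_KEYS";

// Returns TRUE when the entering player's key matches the stored one.
// A name that has never been seen is registered (trust on first use).
int CheckKeyBinding(object oPC)
{
    string sVar   = "KEY_" + GetPCPlayerName(oPC);
    string sKey   = GetPCPublicCDKey(oPC);
    string sKnown = GetCampaignString(KEY_DB, sVar);

    if (sKnown == "")
    {
        SetCampaignString(KEY_DB, sVar, sKey);
        return TRUE;
    }
    return sKnown == sKey;
}

void main()
{
    object oPC = GetEnteringObject();
    if (!GetIsPC(oPC)) return;

    if (CheckKeyBinding(oPC))
    {
        // Known name with its registered key: clear any stale flag.
        DeleteLocalInt(oPC, "HACKED");
        return;
    }

    // Mismatch: set the flag first so every other script that starts with
    //   if (GetLocalInt(oPC, "HACKED")) return;
    // refuses to act for this login, then log the event and boot.
    SetLocalInt(oPC, "HACKED", TRUE);
    WriteTimestampedLogEntry("CD key mismatch: player '" +
        GetPCPlayerName(oPC) + "' from " + GetPCIPAddress(oPC));
    DelayCommand(3.0, BootPC(oPC));
}
```

Trust on first use protects only names registered before an impostor uses them, and a player who changes CD keys needs an admin to reset the stored entry.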
                     
                  


            

Legacy_henesua

  • Hero Member
  • *****
  • Posts: 6519
  • Karma: +0/-0
NwN Server and security update
« Reply #87 on: January 04, 2012, 10:42:26 pm »


There is nothing that you are missing, wyldhunt1. It's merely hysteria about something that isn't all that important. People are being slaughtered in Syria for demanding basic democratic processes in their country. And yet this is what upsets someone? Absurd.
               
               

               
            

Legacy_Himmelweiss

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
NwN Server and security update
« Reply #88 on: January 04, 2012, 10:50:44 pm »


               

WhiZard wrote...

Himmelweiss wrote...
We have been waiting since what... how many months? This is a joke and shows zero respect to the consumers.


BioWare has many games, and this one is not priority.  Also due to the BioWare account hack, there may be several legal constraints needed to be met to allow MS authentication hosting to continue.

As for work-arounds, one simple one is to only allow a character to login to the IP address from which it was created.  Doesn't block other people impersonating the account or viewing the account's characters, nor does it help you login from many different computers, but it would block in-game control and impersonation of the character.


That is not a reason why it takes several months to set up a simple, secure server with a simple database that takes care of the simple Bioware NWN accounts.
I've been a developer for 17 years and in our office we have several pros that can set up a super secure server in 1 or 2 days.

Many games is for sure not a reason why a company can't set up a server. You just need 1 dude to accomplish this.

Also, the IP workaround is absolutely stupid; what do you do with players who do not have a static IP?
A good example here is Germany's telecom: it reconnects every 24 hours, and every 24 hours you have a new dynamic IP!
               
               

               
            

Legacy_Himmelweiss

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
NwN Server and security update
« Reply #89 on: January 04, 2012, 10:58:43 pm »


               

@Himmelweiss 
We don't have to secure any of Bioware's accounts. We don't even have access to your Bioware accounts. We can't protect them or create any vulnerabilities.
All we have access to, and can protect for you, are your server side NWN characters. My server is not a Bioware account. Neither are the toons in my server vault.
You keep acting like there is some risk of something important being stolen if a server admin fails to protect your toon for you.
Is there something I'm missing here?


Yes, you are missing something.
I know that a NWN server only stores the char name, account name and a simple version of the CD-KEYs; of course server admins can set this up however they want.

I was talking about newer players, and not mainly about NWN veterans who know how every backend works.
You can't expect a new player to know which servers are secure or not secure. The new player most likely will think that all servers that are listed are secure.
What happens is that the new player, or even some veteran players, simply get their chars, levels, items etc. stolen. This might not be important to you, but it is a big hit in security for the entire online mode of NWN1.

You simply can't argue that this isn't a security issue; everyone, you and me, everyone here in this thread who posted could just simply type in any username and just play with it.
A lot of people use the same username as they did on the forums here. Some seriously bored people will make use of this simple method to get on different characters!

This needs a fix now, not 1, 2, or 5 months or even years later!