<big>Secure your Accounts!</big>

• 1) Never give out your account name OR password to anyone ever!
  2) Use a <a href="http://netsecurity.about.com/cs/general ... tm">secure password</a> (New accounts have secure passwords)
  3) Change your password often!
  4) Make sure the email your account is linked to is secure!
  5) Never give out your account name OR password to anyone ever!

It has come to my attention that a few prominent people have been the targets of a malicious attack resulting in the loss or characters, items or both. Much panic hit the forums as people suddenly feel all their accounts are at risk.

First off I would like to put to rest the notion that somehow Obsidian has been hacked or account information has somehow been leaked. At present moment there is absolutely no possible way for someone to obtain account passwords unless they own the email address an account is linked to. When you request a lost password lookup, an email is sent to the linked account and only that account. The only staff member with the ability to view passwords is myself and only a select few staff have the ability to change passwords.

What has been the cause of similar problems in the past is the players desire to share their accounts. While it may be nice to have a friend check up on your houses or mine with your alt, revealing your account information is a huge risk, even to those you trust. We have blatantly gone about making things secure by creating extremely secure passwords on account creation, not allowing the client to save your password and urging players to NEVER share their account info.

You need to realize that someone wanting to log into your account is going to need both the account name AND the password. If you never share either of these with anyone then you have made it nearly impossible for anyone to get into your account. The only other fault is if you link your account to an email address that you share or is not secure.

While I would love to magically make items and characters reappear for players who were "hacked" it's not feasible. The only way to put everything back to the way it was is through a timewarp which would result in many hundreds of hours of cumulative playtime lost by all players who were in-game. To make things even more difficult I rarely know the account name, character names, house locations, etc of a hacked player and by the time I get it an even greater rollback is necessary.

While I can't do much to go back in time, I have informed the staff that they are to help out Barney and Ashes as best they can. It'll be up to them if they want to stay, but I would like to say we're doing everything we can to help them in this situation.

rollback wont change anything i can agree to it but from that what bb has wrote looks like its ashes fault if he shared his account pass/name. if not dont mind what i wrote ^

_________________
http://brutalos-maximis.mybrute.com

Wait a sec BB///

Lets get something straight.. One of two things are true..

#1 Something other than them sharing their passwords happend here.. in which case something other than telling them to change their pass is warranted..

Or #2 They do not deserve to have anything recreated?? Will the same be done for me? Cause it wasnt.. And all i did was accidently delete a char long ago and was told oh well.. Too bad.. (its not as big a deal i know but it was a almost GM miner which was alot of work, and it was after i had already had an account stolen which i didnt even bother to ask for back because i had shared the password and knew it would never happen).

Lets get some consistancy.. But i do personally believe something else happend here.. I dont see ashes and barney giving their passes to the same person who would totally F them over..

_________________
Philostetes
truth-<>-
MaxCarnage
Lysol-former
Maximus-former
Dracula-former
Kuka
Bl8dinc4K3

Let's look at this from a logical viewpoint:

To login to an account, you must know the account name, and the password.

Let's assume that somehow, you know the account name.
You still lack the password. To bruteforce a password that is 5 characters long would take hours, not to mention raise several red flags in the server logs, so let's rule out that possibility.

To bruteforce an accountname that is 5 characters long would do the exact same thing w/ the same time requirements.

Also, both would require specialized programs tailored to breaking ultima online accounts in general.

So let's rule out the theory that the accounts were "hacked" by someone who knew neither the account nor password.

Let's assume someone has hacked into the server that hosts obsidian instead.
Well there they could find a list of account names, but the passwords are stored encrypted, so they have a bunch of useless hashes. They can't change data without resetting the server which would alert the admins. So then they'd have to bruteforce the hashes, which would take less time, but is more imporbable as hacking into a fully updated server is something of myths and people bigger then smalltime hackers we'd worry about in this game.

So, you have three remaining fesible options:
1. a corrupt staffmember, of DEV level or higher, is changing people's account info. Please note that to my knowledge, the staff at this level are broadband, blinkers, cybervic. Also, this would be logged and show up when the logs are gone over, so whoever did it would be found out immediatly.
2. They have easily guessable passwords/account names, or have shared part of thier information out in the past.
3. They didnt' share their account information, but the email that the account is linked to, and got hte password requested that way.


"Hacking" accounts in obsidian is near impossible, social engineering is usually the culprit.

_________________
Ano hi chikatta makenai koto.
"Give me an inch, and you've given me too much of a head start. "

lets assume im not a nerd or a little kid so i cant understand what duo or drac either one are saying.

im guessing what duo said is brilliant though and of course what drac typed probably makes no sense i dunno, cant read little kid language.

but what Broadband said pretty much clears it up. i do feel awful for ashes and barn though.

_________________
LOV FOR LIFE

Everyone pm me your account info so I can check to see if its safe enough!

isn't it possiable to create programs to generate the passwords for you? yes this would take time but there was what a week? between barney loosing his account and Ashes loosing his....sounds like enough time for a program to generate a password to me.


If Im just being a dumb broad again ignore this

_________________
[email protected]

Ankhesenamun
Dedo Serenity
Fisherwmn
Ruby Estella
Enchantress

Yeah, there are tons of programs that could do it, in general, but what Duo was saying was that even if someone were to use a program like that, it would be "brute forcing" its way into your account, generating hundreds and thousands of access attempts that would, I assume, show up on the server logs, sending up red flags because I don't think any human would be making several thousand login attempts per minute

_________________
Hating geeks is totally pointless because everyone depends on geeks -- you might as well hate air...

Boog Dunsward[Brown Coats] -- PvM Warrior
Grinlar Helmsire[GWAR] -- Smithy/GM Miner
Endar Seaspire -- Fisher (maybe alchy?)
Ogden Wile[TLC] -- Tamer/ GM Tracker

In absentia luci tenebrae vincu

To generate a password, the program would have to contact the obsidian servers, send the account/password, and wait for a reply whether it's valid, it would try this for every combination.
a-z = 26
aa-zz = 26*26
aaa-zzz = 26*26*26.
Note: this is only alphabet characters, if we add numbers (0-9, 10 total) or other characters like !@#$, around 56 total. the number shoots from 26 to something near 100, at which point a password with 3 characters would take 100*100*100, or 1,000,000 attempts.

Now, the connection to obsidian is not instantaneous, most people probably notice it takes around a half second to login. Let's assume it processess at that speed, or 2 logins a second.
That's 120 logins a minute, 7200 logins an hour, and 172,800 logins per day. That is assuming around the clock, with one computer doing it.
At that rate even in a week it wouldn't guess a password longer then 3 characters.

Now let's assume we're not using a bruteforce attack, but instead a dictionary based attack, I.E. instead of trying every combination, it just tried basic words, like mom, dad, accountname, password, hello, hello1, 121212, and the like. If you have a weak password like mydog or hollie or mikejones, then it would probably be found with a dictionary attack in a couple million tries.
This would still raise flags in the server logs.




SUMMARY: For a password to be hacked in a reasonable amount of time would require a specialized program and a LOT of computers constantly working on it, and would leave millions of logs in the server that the admins could notice. basically, it can't happen.

_________________
Ano hi chikatta makenai koto.
"Give me an inch, and you've given me too much of a head start. "

The admin would have to be looking at the server or the logs to notice though Duo..

Anyways, I thank Broadband for taking notice and giving his blessings, now I just need to get ahold of Blinkers to help me out.

_________________
R.I.P Will A.K.A Affliction/Bush-Fire/Decayed-Stone - "Stoners live and stoners die. f*** it all, let's go get high"
You should either love me with a passion, or hate me to death..

my first pass i set was ''qwerty'' hehehe that was like 2 years ago when i was new here

_________________
http://brutalos-maximis.mybrute.com

Did you not read the entire post I made?
If you need that rephrased It means: I can't do a rollback but I've told the other staff to help these two out the best they can by helping to recreate the most important things that they lost.

Thanks very much for the support.

_________________
R.I.P Will A.K.A Affliction/Bush-Fire/Decayed-Stone - "Stoners live and stoners die. f*** it all, let's go get high"
You should either love me with a passion, or hate me to death..

i remember i lost my vamp warrior and no one helped me but i just remade some chaters and restarted




psst any news on the patch?

_________________

sucks that it happens, but i don't think they should be helped with items due to there carelessness, same ting happened to me, did i get helped when i asked for it? nope I got laughed at by just about everyone. and a few others got the same treatment, but it's not like one of our current victims wouldn't do the same thing and hasn't done the same thing to others, remeber mexican? lol I DO!

but i'm sorry barney lost his account

_________________
sub zero- The SnowMan
interceptor- frost warrior
DK- pvm in training
chips- Lord of the Sea