Electronic Arts, owner of BioWare, is asking users of the Neverwinter Nights forums to re-register on the site after hackers stole several thousand accounts. An email from BioWare GM and Electronic Arts veep Aaryn Flynn said no credit card or social security numbers had been pinched: "However, hackers …
somebody shoot these f**kers in the head! and then b*tch slap the companies for have such lax security.
This article failed to mention Sony.
liquidphantom, let me get this straight.
On the one hand, you're saying 'b*tch slap' the companies for such lax security and on the other you're saying 'shoot the f**kers' who are 'b*tch slapping' the companies for such lax security?
Seems like a reasonable policy to me
Kill everyone involved in this sordid affair and start from the ground up.
... Starting with the users.
They either chose bad passwords or accepted lax security.
I really hope they didn't mistake me legitimately logging into my account a few days ago (trying to download the latest patch to NWN which I was having trouble finding on my machine) with the idea of someone hacking the system.
I just followed the link in an email from when I bought stuff from the old BioWare store (which unfortunately isn't there anymore, so I can't redownload the add-on modules I had bought some years ago. Oh well, hopefully I can find them somewhere on one of my disks). Plenty of broken links on the old forum server, unfortunately.
Sure would be nice if they would keep all the patches around on their new support server, but apparently they don't care about older games they released anymore.
Please tell me they were using at least salted hashes.
Why is it every one of these large companies is apparently hiring complete idiots? I just don't understand, this is such basic stuff. Is there something I'm missing?
The thing you are missing, in this case, is that the NWN forums are 10-year-old legacy systems - probably some really old version of vBulletin or something that hasn't been patched in almost a decade (though to be fair, I can't be arsed to look).
What about the end users?
What do we the end users need to do to secure our data, passwords, credentials etc?
I can relate to both liquidphantom's and b166er's comments. I also had to laugh at b166er, because he's right. Which do you want?
Nonetheless, what do we do? We can point fingers all day, but one of the weakest points in security is ourselves and our crappy security. Studies find most people use the same password for both serious web use like banking and for recreational web use. If you do, all it takes is one of these breaches to gain the keys needed to access all your accounts.
Use complex pass phrases - Try the techniques near the end of this article for easy ways to create unique and strong pass phrases you can remember. http://wp.me/p1rE6R-4O
I also recommend using LastPass for multiple reasons. First off, it's free! One of the other big advantages is its ability to help you easily create and manage strong, unique passwords for as many web accounts and services as you may need. You can see a review here http://wp.me/p1rE6R-dO
Mr Natural sez. . .
encryption don' mean shit . . . when the issue is man-in-the-BROWSER attacks. They even say in their own forums -- when forced to admit it -- that you should not use LastPass on an infected PC, that LastPass is not a security product, and that security is best left to the big players in that business.
It is a convenience, and that has long proven to be inversely proportional to security. You are insane to trust your passwords to such a --- ah, screw it. Convenience trumps all.
Storing passwords in the clear
How long before we get some laws to make the storing of passwords in the clear (or encoded in such a way that they can be trivially recovered) illegal?
They need to start assuming that any perimeter security is going to be breached, so make sure there's nothing valuable to steal.
Storing passwords in the clear
Ok, I agree with you on clear text passwords, but for passwords that can be trivially recovered?
What is securely encrypted today is tomorrow's trivially encrypted stuff. All it takes is time and power, and they are both growing exponentially for the home user.
And who would decide how securely encrypted something is....MPs? Don't make me laugh.
Re: Storing passwords in the clear
Trevor 3, "What is securely encrypted today, is tomorrows trivially encrypted stuff"
But it was you that assumed I said "encrypted".
ENcrypted implies they can be DEcrypted, which would be bad. That's why (properly salted etc) hashes are a much better strategy for password comparison. Please read what I write before going off on one.
And if there's no way to 'draw the line' at what's 'good enough', simply add transparency, so mandate that beside every password box there's a link to info about how it's stored - and let the market decide.
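The distinction the comment above draws (a reversible encrypted or encoded password versus a salted, slow hash that is only ever compared, never decrypted) is easiest to see in code. The following is an added example, not code from any commenter, from BioWare or from EA, and it assumes nothing about how the NWN forums actually stored passwords. It uses Python's standard library only: PBKDF2-HMAC-SHA256 with a random per-user salt for the good scheme, and a single unsalted MD5 for the weak one. The user names, passwords and the wordlist are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# PBKDF2-HMAC-SHA256 with a random per-user salt. The iteration count is a
# deliberate slow-down for guessers; raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64).

    Nothing in the record lets anyone recover the password; the only supported
    operation is recomputing the digest from a candidate and comparing.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# --- The weak scheme the thread complains about, and why it is "trivially recovered" ---

def unsalted_md5(password: str) -> str:
    """One fast, unsalted hash: identical passwords give identical records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for the attacker's real one.
COMMON_PASSWORDS: List[str] = ["password", "123456", "neverwinter", "letmein"]


def precomputed_md5_table() -> Dict[str, str]:
    """A tiny 'rainbow table': hash the wordlist once, reuse it against every account."""
    return {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stored_hashes: List[str]) -> Dict[str, str]:
    """One dictionary lookup per account; the work was done before the breach."""
    table = precomputed_md5_table()
    return {h: table[h] for h in stored_hashes if h in table}


def crack_salted(records: List[str]) -> Dict[str, str]:
    """Per-user salts mean the full KDF must be rerun for every (account, guess)
    pair; nothing precomputed carries over from one account to the next."""
    found: Dict[str, str] = {}
    for rec in records:
        for guess in COMMON_PASSWORDS:
            if verify_password(guess, rec):
                found[rec] = guess
                break
    return found


if __name__ == "__main__":
    # Constructed accounts; alice and bob deliberately share a password.
    users = {"alice": "password", "bob": "password", "carol": "correct horse battery"}
    salted = {u: hash_password(p) for u, p in users.items()}
    unsalted = {u: unsalted_md5(p) for u, p in users.items()}
    print("unsalted records for alice and bob identical:", unsalted["alice"] == unsalted["bob"])
    print("salted records for alice and bob identical:", salted["alice"] == salted["bob"])
    print("cracked from the precomputed table:", crack_unsalted(list(unsalted.values())))
    print("cracked with per-account KDF work:", crack_salted(list(salted.values())))
```

Run stand-alone, the script shows the two properties the comment is arguing for: with salts, two users with the same password get different records, and the attacker cannot amortise a precomputed table across the whole user base but must pay the iteration cost per account per guess. The salt is not a secret and is stored beside the digest; its job is to make precomputation useless, while the iteration count is what makes each guess expensive.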
You said ENcoded. Which also suggests they can be DEcoded. Pedant.
Also wasn't getting at you directly (you are anon after all how could I?) I was just making the point that anything man can code, encrypt and lock, man can decode, decrypt and unlock. It's just a matter of time, no matter how salty you make it.
As for your mandate idea...are you suggesting that there are no rules? Just customer feedback?
Don't you think that users will go for shiny and usability instead of security?
I've got you a beer. This story is old anyway... :-)
Another day, another significant hack.....
I don't know whether to get depressed or start buying IT security company stocks.....
Since it's Bioware..
"GO FOR THE IIS, BOO!"
Since Bioware is now owned by EA
"A den of stinking evil, cover your nose Boo"
But I plan to leave their crevices untouched.
Well, even though I had an account with the old NWN site, I can be fairly sure I'm safe as when they setup the new stuff my account was supposed to be migrated but got thoroughly trashed.
Of course, knowing my luck it would work perfectly for hackers.....mutter mutter mutter
Make any site requiring registration, clearly state how they store your details. Then you can either decline to register or sue the bastards when you find out they lied. Simples
If you read my post on LulzSec's attack on EVE Online
This is what I posted last night:
What gaming company will be LulzSec's next target?
A - Blizzard/Activision
B - Valve
D - Bungie
Make your selections at any time!
So it was C!...
If you read my post...
Having EA as a choice is a bit of a cop-out, considering they own a good 20 or so game companies, many of which are the size of Bungie.
And this *was* an old legacy forum thing rather than EA as a whole.
no, not credit card details, but...
they WILL have got the serial numbers for games we registered there - at Bioware's demand.
So now our serial numbers are out in the wild on warez sites as valid serials, we get banned from online servers, we paid for their games, now we can't use or install them. Thanks.
Hey Bioware.... I vowed to never buy Sony again after their cockup, guess who just joined the list?