Blizzard intentionally makes passwords non-case sensitive by oteren in netsec
[–]chrismsnz 2 points 1 day ago
Bingo.
And for those who want maximum security: Use the OTP authenticator.
[–]chrismsnz 17 points 1 day ago
They have an authenticator FOB or a free smartphone app that will give you a OTP for 2-factor login. Secure enough for you?
When you have that enabled, your password can be 1234 and you're still more secure from brute force than 90% of other services.
Is there any expiring encryption algorithms? by mycall in netsec
[–]chrismsnz 3 points 1 day ago
I think your problem is likely to be finding a source of time that you can trust.
PSR-1 and PSR-2 to be Approved as Standards by harikt in PHP
[–]chrismsnz 1 point 2 days ago
Until you try and align a line continuation, then everything goes to shit.
Suck it up and conform.
Ask any Python developer worth their salt what PEP8 has done for their ecosystem. EVERYTHING is written in the same style.
[–]chrismsnz 2 points 2 days ago
Yes - and it was Zend's coding standard before this also.
People should just turn on smart tabs in their editor.
Editing and navigating freedom of tabs, writes spaces to the file, everything aligns perfectly. At this stage, I don't care whether they had picked spaces OR tabs - I'm glad that they picked one.
Hopefully the PSR-* can be like PEP8 from the Python world and bring in standardised code.
Then you're trying to align a continued line with spaces against an indented line with tabs that could be anywhere from 2-8 characters wide.
Diablo 3 accounts hacked, gold and items stolen by xmido in Games
[–]chrismsnz 1 point 3 days ago
In that case, I think you may be disappointed here.
If that's the case I wouldn't worry about it, there's literally nothing you can do to not be hacked in-game.
Would really, really like to see some proof or at least some actual information around this apart from Chinese whispers and conjecture. Would be tempted to fire up Wireshark myself if the servers were running :)
Yeah, nothing's perfect of course but in the case of malware/keylogger - the authenticator token reduces the attack surface by such a huge factor it would almost be impractical to exploit.
[–]chrismsnz 8 points 3 days ago*
Ok, well that's not MitM but session hijacking. Same thing if I took your reddit cookie.
If D3 client is disclosing a trusted secret then that allows access to the game, yes, this is srsbsns.
But I'm seriously skeptical that the "session ID" grants access to the account management. Even the D3 client kicks you out to a web browser to change your password etc...
IMO, it's way more likely that some D3-related site got owned and the attackers sucked down a list of user/passwords that line up with battle.net logins. Guess we won't know until we see some evidence or at least some more data on who's getting hacked here.
EDIT: Oh you edited, my comment doesn't line up to yours now but I'll leave it here.
Yeah - anything is possible, for sure.
I'm just saying that most of Blizzard's infrastructure is relatively mature and the majority of it (e.g. authentication) has been battle tested for years by Starcraft and WoW, the latter already being a juicy target for attackers, with very little to show for it.
The D3 specific part is relatively new and untested but with D3 and WoW Blizzard has been absolutely obsessed with stopping hackers and cheaters - I would be thoroughly surprised if it turned out to be something so simple it was exploitable within the first few days of launch.
A much more likely story is that some lamers site got hacked and the attackers are relying on the axiom that most internet dwellers will happily use the same user/pass/email across everything and hate security options that are inconvenient.
[–]chrismsnz 4 points 3 days ago
It's not MitM. Let's just take a moment to reflect on the EPIC amount of effort and infrastructure one would have to leverage to be able to MitM communication between a random game client and Blizzard's game servers.
Given:
You're pretty much left with attacking ISPs (DNS or route poisoning) between the two and I'm sure Blizzard would have correlated that by now.
[–]chrismsnz 2 points 3 days ago
I seriously, seriously doubt it was SQL injection on Blizzard's side. I would say that their game and authentication infrastructure is far too advanced and convoluted for such a simple exploit.
However, if any site that caters to D3 players were to have such a vulnerability, then, that would be an excellent source of very likely credentials.
The forum system likely won't have access to the username and especially password as battle.net authentication is centralised (e.g. not part of the forums).
That being said, all it takes is for one semi-popular Diablo 3-related site to have a vulnerability like you describe and suddenly you have a pile of very likely logins.
[–]chrismsnz 6 points 3 days ago
Yeah, the current theory is a session hijack - you don't need MitM to do that. The victim's session ID may have been sniffed from network traffic or dug out of the client's memory.
Could you please elaborate? I would have thought any obvious weakness in the authenticator system would have been borne out in WoW.
It certainly makes it harder.
Apparently some of the attacks have been characterised by the victim being disconnected and then password being reset to lock the victim out, presumably to prevent a session reset when the victim logs straight back in again. Account changes are not possible without a code from the associated authenticator.
Doesn't stop them from hijacking your session but definitely narrows the attack surface.
How do I condition an if statement based off a function's return value? by redelman431 in PHP
The fact that the string "0" == false is the one that bakes my noodle.
Pretty clear signal that: maybe types are pretty important and perhaps we shouldn't carelessly shift them around.
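An added example (not code from the thread) showing the loose-comparison rule the comment refers to and how it bites when an `if` is conditioned directly on a function's return value. `lookup_setting` and its sample data are hypothetical and constructed for the illustration:

```php
<?php
// Added example: PHP loose vs strict comparison when branching on a return value.

// Hypothetical lookup that returns the stored value as a string, or null when
// the key is missing. A stored value of "0" is legitimate data, not "absent".
function lookup_setting(string $key): ?string
{
    $settings = ['max_retries' => '0', 'theme' => 'dark'];   // constructed sample data
    return $settings[$key] ?? null;
}

// Loose check: "0" is falsy under ==, so a present setting whose value is "0"
// takes the same branch as a missing one.
function has_setting_loose(string $key): bool
{
    $value = lookup_setting($key);
    if ($value) {
        return true;
    }
    return false;
}

// Strict check: only null means "missing"; the string "0" stays a string.
function has_setting_strict(string $key): bool
{
    return lookup_setting($key) !== null;
}

// The comparison from the comment, loose and strict.
var_dump("0" == false);
var_dump("0" === false);

// Same key, two different answers depending on which comparison the if uses.
var_dump(has_setting_loose('max_retries'));
var_dump(has_setting_strict('max_retries'));
var_dump(has_setting_strict('missing'));
```

The strict version is the one to keep: any function that can legitimately return `0`, `"0"`, `""` or an empty array must be compared with `===`/`!==` against the sentinel it actually uses for "no result", otherwise the branch silently treats real data as absent.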
PHP DateTime. tl;dr: lol by ImpactEventFan in PHP
[–]chrismsnz 2 points 8 days ago
Zend_Date is even worse with its horrible locale issues :\
What was this SQL injection attacker after? by revets in PHP
[–]chrismsnz 7 points 15 days ago
The script seems to be for retrieving a page given the ID - you definitely want to use GET for that.
If it was /change.php?id=123&action=delete then, yes, POST is a lot more appropriate.
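An added example (not the script from the thread) that puts the two halves of the comment side by side: a read-only page lookup served over GET with the `id` bound as a parameter, and a delete that changes state and is therefore only accepted over POST with a session-bound CSRF token. The SQLite table, the sample rows, the function names and the token handling are all constructed for the illustration:

```php
<?php
// Added example: GET for idempotent retrieval, POST (plus CSRF token) for a delete.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages (id, title) VALUES (123, 'Hello'), (124, 'World')");  // constructed rows

// /page.php?id=123 : reading a page is idempotent, so GET is the right verb.
// The id is validated and bound, never concatenated, so a crafted value cannot
// alter the query; it simply fails validation.
function fetch_page(PDO $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// /change.php?id=123&action=delete from the comment: a delete changes state, so
// it must arrive in a POST body and carry the token issued to this session.
// Otherwise a plain link or image tag on another site could trigger it (CSRF).
function delete_page(PDO $db, string $method, array $post, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (!hash_equals($sessionToken, (string)($post['csrf_token'] ?? ''))) {
        return false;
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1;
}

// In a real application this token would live in $_SESSION and be embedded in the form.
$token = bin2hex(random_bytes(16));

// Lookup by a valid id, then by an injection-shaped value that fails integer validation.
var_dump(fetch_page($db, ['id' => '123']));
var_dump(fetch_page($db, ['id' => '123 OR 1=1']));

// Delete attempts: refused over GET, refused without the token, accepted with both.
var_dump(delete_page($db, 'GET',  ['id' => '124', 'csrf_token' => $token], $token));
var_dump(delete_page($db, 'POST', ['id' => '124'], $token));
var_dump(delete_page($db, 'POST', ['id' => '124', 'csrf_token' => $token], $token));
```

The verb check and the token check are independent defences: restricting the delete to POST stops a GET link from doing damage, and the token stops a cross-site form post from doing it, while the bound parameter keeps the original injection concern out of both handlers.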
The 10 commandments of Diablo 3 by Bumblebeebakery in diablo3
[–]chrismsnz 1 point 15 days ago
Yeah... What exactly is wrong with the SC2 community? It's been the most friendly and mannered gaming community I've ever been involved in...
Any tips on developing enterprise level software? by nickhelix in PHP
God no!
Start by using automated testing to test your code. You'll find that the properties of code that is easy to test are much the same as code that is decoupled and modular. e.g. Code only does one thing, is deterministic, does not keep state it doesn't need, has very few dependencies and those it needs are injected, has a structured interface etc...
It's hard - it's usually something you learn with experience but I'll take a look around to see if there's some easy resources to get started and I'll get back to you.
VPN's in New Zealand? by fraseyboy in newzealand
[–]chrismsnz 2 points 16 days ago
Actually, when I was playing Aion I found that I had much better ping tunneling over an SSH connection to an American server than connecting directly.
I approached the issue with Orcon, provided the ports etc... they basically confirmed they were deprioritising the traffic but refused to make any changes.