General

Yeah. Well, this thread has about played itself out. SSL is not a factor in the current situation. Thanks for posting.

[quote=BobR]You completely missed the point. You (and possibly the whoever brought up that old thread) are the only ones talking about SSL.
Yes it has nothing to do with the current situation. Say that and move on to the real problem.

Also, reread what I said about apologizing. Again it has nothing at all to do with SSL. I'm wondering when you plan to apologize for calling the current exploit situation a "lie" (in the "OFFICIAL Confirmed MTS Hack" thread. I can quote you if you'd like), virtually moments before Nexon admitted there IS an actual exploit.

I normally wouldn't say anything about it, but your rhetoric has been bordering on being abusive of the victims in your zeal to defend Nexon's world class programming and security. That's not helpful in any way.

We can agree failure to use SSL logins has nothing to do with the current situation. Now it would be nice to stop blaming the victims and continue helping everyone improve their security.[/quote]

If you're talking about that other thread, then sure, that certainly helps clear up a lot of the confusion. I'll be glad to take it there. (I was as surprised as anyone to see this thread get resurrected after weeks of SSL not being an issue, and still not being an issue).

However, I firmly and unequivocally stand by the fact that there it is a disgraceful, panic-inducing, hyperbolic LIE to be claiming that there was anything approaching a significant security breech.

IDs are absolutely worthless with a strong password. No one that has followed anything approaching Nexon's tips and security suggestions is in any remotely significant increased risk of being hacked.

It is a bald-faced lie to claim that anyone on some magical list, or who used MTS is going to be hacked if they had anything approaching a secure password.

Here's an ID for you: bill at microsoft.com. Go log into the microsoft network as bill now. That's the ID! Wait- that's not going to happen? And why is that? Because the password is what counts.

The same thing goes for your yahoo account (or gmail, or hotmail, or whatever you prefer). Everyone knows your ID every time you send an email. But no one accesses your account since the ID is meaningless- it's the password that counts.

Yes, Nexon never intended the IDs to get out. They made a mistake. But it's an inconsequential one for anyone that has followed the most rudimentary of internet security principles.

Does that mean victims deserve it? Of course not, foolishness doesn't make one deserving of theft (which is what hacking is). But a handful of people having terribly insecure passwords does not a massive security glitch make.

[quote=myrdrex]Calm down there- I was responding to a very specific individual who demanded an apology (for this ===3 WEEK OLD THREAD that is completely unrelated to MTS===), claiming that the recent hacking prove I was wrong.

I was simply responding that this thread from ===3 WEEKS AGO=== has absolutely nothing to do with the current hackings! HTTPS is in no way, shape, or form responsible for these hackings.

The current issue is with MTS and people having insecure passwords.

If you have some sort of evidence that the use of SSL is somehow related to poor passwords, I would love to hear it.

In the meantime, I think demanding apologies for a technical thread that is 100% accurate is absolutely out of line. I would expect far better from a moderator.

Take the time to read through the technical details before demanding an apology. If you find any technical fault, I will gladly appoligize. Until then my description of SSL, wireless networks, and all the other things I discussed are quite accurate.[/quote]
You completely missed the point. You (and possibly the whoever brought up that old thread) are the only ones talking about SSL.
Yes it has nothing to do with the current situation. Say that and move on to the real problem.

Also, reread what I said about apologizing. Again it has nothing at all to do with SSL. I'm wondering when you plan to apologize for calling the current exploit situation a "lie" (in the "OFFICIAL Confirmed MTS Hack" thread. I can quote you if you'd like), virtually moments before Nexon admitted there IS an actual exploit.

I normally wouldn't say anything about it, but your rhetoric has been bordering on being abusive of the victims in your zeal to defend Nexon's world class programming and security. That's not helpful in any way.

We can agree failure to use SSL logins has nothing to do with the current situation. Now it would be nice to stop blaming the victims and continue helping everyone improve their security.

For the first time I actually read a wall of text on basil xD I feel a lot better now haha and now stuff makes sense for me

Definitely something everyone here should know.

[quote=BobR]Yes, and it had absolutely nothing to do with woolly mammoths roaming across the northern plains attacking servers, or space aliens abducting people and using mind rays on them to get their passwords either.

Your treatise about HTTPs and ARP poisoning had absolutely nothing to do with the current situation, and NO ONE HAS SAID THAT IT DID.

You've been deftly ignoring the fact that Nexon has ADMITTED that it's their sloppy, BAD programming which has exposed users needlessly to security risk, and instead have been running around blaming the victims instead of trying to help very much.

I still haven't seen any retraction or apology from you for calling the current situation a lie just before Nexon admitted it was real.
When can we expect to see that..?[/quote]

Calm down there- I was responding to a very specific individual who demanded an apology (for this ===3 WEEK OLD THREAD that is completely unrelated to MTS===), claiming that the recent hacking prove I was wrong.

I was simply responding that this thread from ===3 WEEKS AGO=== has absolutely nothing to do with the current hackings! HTTPS is in no way, shape, or form responsible for these hackings.

The current issue is with MTS and people having insecure passwords.

If you have some sort of evidence that the use of SSL is somehow related to poor passwords, I would love to hear it.

In the meantime, I think demanding apologies for a technical thread that is 100% accurate is absolutely out of line. I would expect far better from a moderator.

Take the time to read through the technical details before demanding an apology. If you find any technical fault, I will gladly appoligize. Until then my description of SSL, wireless networks, and all the other things I discussed are quite accurate.

[quote=myrdrex]Nothing of the technical information I posted was in any way wrong. You are simply showing a profound ignorance by claiming so.

But that, in no way, shape, or form, is a fault of Nexon. And it has absolutely nothing to do with HTTPS.[/quote]
Yes, and it had absolutely nothing to do with woolly mammoths roaming across the northern plains attacking servers, or space aliens abducting people and using mind rays on them to get their passwords either.

Your treatise about HTTPs and ARP poisoning had absolutely nothing to do with the current situation, and NO ONE HAS SAID THAT IT DID.

You've been deftly ignoring the fact that Nexon has ADMITTED that it's their sloppy, BAD programming which has exposed users needlessly to security risk, and instead have been running around blaming the victims instead of trying to help very much.

I still haven't seen any retraction or apology from you for calling the current situation a lie just before Nexon admitted it was real.
When can we expect to see that..?

[quote=pantburken]The threadstarter was dead wrong about this situation. They were able to get the login data from a pack3t from the MTS. Period. That's a fact.

Many of the passwords to those accounts were figured out because the passwords on sites like BasilMarket matched. This hash info was stolen from BasilMarket during a server attack and used to crack accounts they could match the data to on the list.

The people hacked either had easy PICs to crack, like 111111, or the person doing it has the ability to disable hackshield and inject script into the client to make the PIC que not pop up.

Either way, accounts were hacked, and not due to the negligence of the account holders. Their info was safe, as far as they were aware. You can critize these people all day long, and it doesn't change that fact. They didn't tell anyone their info, they didn't get keylogged, and they didn't try to download hacks or put their info into a phishing site or program. They were simply compromised [b]due to crappy security practices.[/b]

I watched the threadstarter run all around this site during the last few weeks, trying to blame any and everyone that got hacked as it being their own fault, and their fault alone. Simply put, the threadstarter was [b]WRONG.[/b]

You owe a lot of people an apology, myrdrex.[/quote]

Nothing of the technical information I posted was in any way wrong. You are simply showing a profound ignorance by claiming so.

A lack of HTTPS was in no way responsible for any of the recent hackings.

You were right about 1 thing- people were hacked due to having incredibly weak passwords and pics. But that, in no way, shape, or form, is a fault of Nexon. And it has absolutely nothing to do with HTTPS.

Nexon has a variety of tips/in game messages, dev posts, etc related to proper password techniques. Following them will ensure no one can guess your password.

Not following them in no way, shape, or form has ANYTHING to do with HTTPS.

So, before you demand an apology, I would LOVE to hear your explanation of how HTTPS is in any way, shape, or form related to someone choosing to have a password of "12345" or something absurd like that.

If anyone owes the community an apology it's people like you who, for some sick reason, enjoy panicking people and spreading false information. Your previous posts in other threads were filled with such classic unfounded conspiracy theory statements like "I know people who have been hacked even though they had strong passwords", etc... Sure, we all "know someone" who has proof of bigfoot, and whose cousin's roomate's girlfriend's sister saw a UFO. Focus on facts, not spreading hysteria. Although it's fun to get all worked up over stuff, it doesn't help the situation.

[quote=BobR]Excellent information. I've been wondering exactly that, since Nexon uses a separate "Passport" login server for it's game logins.

I don't know enough about html to slog through the source on the site and be able to determine exactly where the logins are taking place, nor whether or not there's any indication if they truly do use SSL just for the login function.

Good to know..!

(This leaves us with the question of why, in the face of all the controversy and outcry over the Maple site itself not displaying an https URL, Nexon doesn't just announce this fact to its users to reassure them that at least the logins are secure. But then again, it's Nexon.)[/quote]It's very easy to spot if you use a tool like Firebug which let's you browse through a webpages source easily. You'll see that the URL of the login form points to https://www.nexon.net/api/v001/account/login

And yeah if I were Nexon I'd have advertised it to make users feel more safe. Plus they could've just served the whole site through SSL so it shows the https+lock icon in the address bar...every webuser that get's educated about security is pointed to these to indicate if they're safe or not.

[quote=thomas1985]False, Nexon does use SSL for logins on their webpage. Fire up your Wireshark or w/e traffic sniffer you use and log in on the Maplestory website. You'll notice that no clear text info (password/ID) is sent from the form, but there IS encrypted TLSv1 traffic (SSL).

Lesson: The whole site doesn't have to be served as "HTTPS" just to secure one request.[/quote]
Excellent information. I've been wondering exactly that, since Nexon uses a separate "Passport" login server for it's game logins.

I don't know enough about html to slog through the source on the site and be able to determine exactly where the logins are taking place, nor whether or not there's any indication if they truly do use SSL just for the login function.

Good to know..!

(This leaves us with the question of why, in the face of all the controversy and outcry over the Maple site itself not displaying an https URL, Nexon doesn't just announce this fact to its users to reassure them that at least the logins are secure. But then again, it's Nexon.)

(Long rambling response withdrawn due to the info posted by thomas1985)

False, Nexon does use SSL for logins on their webpage. Fire up your Wireshark or w/e traffic sniffer you use and log in on the Maplestory website. You'll notice that no clear text info (password/ID) is sent from the form, but there IS encrypted TLSv1 traffic (SSL).

Lesson: The whole site doesn't have to be served as "HTTPS" just to secure one request.

First thumbs up I've ever done on basil. Interesting read, very informative. Thank you. Now I just hope the RIGHT people read it...

I actually read it. (Kinda falling asleep now though.)
Thank you!

[quote=doid]yay finally now people can shut the banana peel up.[/quote]

Don't start that,its already on southperry basil doesent need it to.

When I was hacked last year, it was because of 1: a data breech (There was a MASSIVE data breech that had happened at the time), and 2: Nexon itself. The person who hacked into my account did a PIC reset. He was able to change my PIC without logging into my email (email was never hacked into at all) and clicking on the link. I only found out about this issue when I saw the PIC reset email in my inbox.

At the time, I had no one in my household that played Maple, and none of my RL friends played Maple. No one had any of my info because it wasn't useful to them at all. Nexon apologized to me, but still has not rectified the situation. I still have an ongoing ticket with them, since I lost NX cash as well as items I will never get back. I know they will not replace the items, but the NX was real money that was stolen from me.

[quote=Frasier]http://www.youtube.com/watch?v=olm7xC-gBMY[/quote]

http://www.youtube.com/watch?v=vjt1iuwPCBg

I guess it's for both games

[quote=NoCookieforYou]@Frasier: Haven't you played Halo before? O:[/quote]

http://www.youtube.com/watch?v=olm7xC-gBMY

@Frasier: Haven't you played Halo before? O:

@myrdrex: That's also why I try and log on soon after each server check and afk instead of log out. They can't get on if I'm on. Unfortunately d/c hacks are way too common.

[quote=SlovakHocky]@myrdrex: Yeah, I'm pretty dumb on the stuff actually. I just know math so I understand encriptions lol. What would be a good course of action for the average player if there was another data breech? Honestly with how nexon's security has been getting tested more often and how thier apathy is continuing, I wouldn't be surprised if this were to happen again.[/quote]

That's why data breeches scare me so much- there really is no foolproof course of action for the average player. Assuming Nexon patches it shortly after it's detected, your only hope is to change your password/pin. That way the information the hackers pulled from the DB is invalid.

If it goes unpatched, or if you're one of the unlucky few who are targeted before Nexon takes corrective action (informs us and forces us to change our passwords), then there's little you can do. That's what makes a data breech truly frightening.

Diversification also helps. Keeping valuables spread across multiple mule accounts means that even if 1 is wiped out before Nexon can announce the breech and force us to change our credentials, you'll still have some of your valuables.

However, understand this- if such a thing occured, you're hosed, regardless of how much you worry about it ahead of time. So, it ultimately becomes like worry about 2012- either we all die during next December's doomsday, or we don't. No point in worrying about what happens between now and then!

Here's another example- It's possible someone could, through DNS spoofing, route ALL traffic from Nexon.net to their own computer. However, such an attack is so devastating (it would impact everyone that played that time), and so unbelievably unlikely, that it's simply not worth considering. So, focus on the stuff accounting for 99.99% of all hackings- keeping your password private, and not visiting websites with malware on them.

@myrdrex: Yeah, I'm pretty dumb on the stuff actually. I just know math so I understand encriptions lol. What would be a good course of action for the average player if there was another data breech? Honestly with how nexon's security has been getting tested more often and how thier apathy is continuing, I wouldn't be surprised if this were to happen again.

[quote=SlovakHocky]@myrdrex: Ahh okay. My appologies then! [/quote]

Not a problem, I appreciate the questions. I'm simply trying to clear up a few misconceptions here, so all those types of questions and comments are more than welcome!

Next time there's a suspected data breech, I look forward to writing a little post about how that could theoretically work. (Those actually do scare me a bit more than this SSL stuff. Fortunately they require quite a bit more sophistication than what most people consider 'hackers' possess).

@myrdrex: Ahh okay. My appologies then!

thanks, I actually knew none of that until you posted it. I really appreciate that you put the time and effort into it.

[quote=athos28]There's a few hackers who actually find the username of any person and the password gets e-mailed to them. I'm pretty sure they hacked the Nexon database in order to do this though.[/quote]

If they have to have the password mailed to them, it's likely they simply used social engineering or other techniques to get the victim;'s email, and then did a password reset.

In that case it's not SSL or any other type of realistically preventable 'hack', it's carelessness on the user's part.

FYI, social engineering would be using human behavioral knowledge to gain access to unauthorized data/locations. For example, you could call a company and speak to a random person and claim to be from IT and be amazed at how much information they will give you. Or, in the case of hacking MS accounts, pretend to be a GM.

Or, my favorite, simply gain access to someone's email by correctly answering their password reset questions. Given someone's name, once you find the wealth of personal information they've shared about themselves on Facebook, it can be disturbingly easy to reset their password to their email. (It's how Sarah Palin's email was compromised).

Once you have that email, you're golden- reset their Nexon account and you have what you need.

Of course perhaps there's some critical flaw in Nexon's system that allows an intruder access to their databases. But I find that fairly implausible in the overwhelming majority of 'hacking' cases when compared to the much more logical and realistic explanations of breaking the TOS by sharing your account info or downloading malware (albeit accidentally)

There's a few hackers who actually find the username of any person and the password gets e-mailed to them. I'm pretty sure they hacked the Nexon database in order to do this though.

[quote=PallyCookie]Y'all people think ONE page is too long to read?

Lol. Just wow. Don't even comment if you have the attention span of a millipede.[/quote]

Even if the majority of Basilers are 12 years old (Which I'm assuming is true), by that age, they should have read several novels by then...
This is child's play compared to what you have to do in high school.

[quote=SlovakHocky]There have only been 2 times in which I think an encription could have protected several people's accounts. There have been a couple of cases (strangely, both times during server upgrades) in which data has slipped out of nexon's grasps and led to hacked accounts. I have known multiple victoms in both cases.

These cases are very isolated and have a very low chance of happening.[/quote]

Those sound more like data breeches, not SSL-related hacking. Likely a SQL injection attack.

In that case, yes, encrypting the database could thwart some hacking attempts. However, that's a different topic. I was simply trying to address the current trend of "OMG! NO https! We're all going to be hacked!"

There have only been 2 times in which I think an encription could have protected several people's accounts. There have been a couple of cases (strangely, both times during server upgrades) in which data has slipped out of nexon's grasps and led to hacked accounts. I have known multiple victoms in both cases.

These cases are very isolated and have a very low chance of happening.

You shoulda linked my thread.
@mrtouchngo Pat, I thought you were in China. Rawr.
But anyways, this is nice. Now my corrupt methods are above suspicion.

[quote=NoCookieforYou]If this was Halo I'd be all like BOOM HEADSHOT.

Off topic: China called. They said they want there wall back [/quote]

Pretty sure you're speaking of CounterStrike..

Yeah, there's nothing to fear of. Seriously. People that say that they were "Hacked" 99.9% of the time is them going onto some website & putting in their info. Lately my friend got keylogged from one of his friends because he had sent him a file with a keylogger on it a while back. Pretty sad.. Friends > Items.

Helped me understand how that stuff happens. Thanks.

[quote=MrTouchnGo]If you're talking about the thread that GazimoEnthra made, his thread advised against playing on [b]unsecured public wi-fi[/b].
If you're not, then thanks for trying to calm everyone down xD[/quote]

If GazimoEnthra advised against using unsecured public wifis, then I'm in 100% agreement with them.

As I mentioned, that is very much 1 area in which SSL could help. Though, as I pointed out, anyone willing to take the time to stalk out public wifis is probably not going for Mesos. And even if such a dedicated, fictional, mesos-obsessed hacker existed who forsakes all real money to be made for mesos, they would certianly be knowledgeable enough to SSL spoof. In which case, SSL hardly offers any protection to the average player anyways.

This shows the "monkey see monkey do" personality of a Basiler.

"OH MY GOD THERE'S NO S IN THE HTTP OF NEXON.NET YOU'RE GONNA GET HACKED"
"OH MY GOD NEXON FAILS"
"YEAH YEAH NEXON FAILS"
"I HATE NEXON!"

>The reaction of the first thread that posted that

Heres something: SSL Certs doesn't do much besides giving the client confidence in the website.

@Roboskill got owned by the original poster on the thread ahahah

[quote=myrdrex][header]What about wireless networks?[/header]
Yes, an unsecured wireless network does pose a much greater problem. All those bits and bytes floating around can easily be sniffed out of the air with simple tools (such as wireshark). This is one area where SSL could help, as they'd be less likely to be caught and read by hackers.

However, we're still talking a hacker has to be sniffing YOUR unsecured network. So although the risk is there, it's pretty much non-existent for the overwhelming majority of players. And don't even get me started about the possibility of them brute-forcing their way past wireless security. Yes, it's doable in hours, but come on, we're talking some serious effort here- for mesos?

So certainly use common sense with wireless networks- don't do anything important (be it banking or playing MS) on an unsecured wireless network.[/quote]

If you're talking about the thread that GazimoEnthra made, his thread advised against playing on [b]unsecured public wi-fi[/b].
If you're not, then thanks for trying to calm everyone down xD

[quote=Viet2010]Wow, you must be pretty good at computers and networks. ^_^ This wall of text proved to be very interesting to me. I'll just keep playing my other games despite not playing MS anymore.

I have one question though. What is SSL? You went and explained everything, but what is SSL?[/quote]

Doh! Good point- I'll add that!

It's encryption used on websites- it's when you see https instead of http

Everyone that has gotten hacked has probably:
1. Entrusted others with personal information
2. Downloaded hacks with keyloggers

Hmm the TS pretty much summed up what I spammed at basilers who complained about PvP.

[quote=ikillerbarney]This is implied if the hacker lives in the same campus as you, which makes me wonder that why would someone go through all this effort just to hack a Maplestory account while they could do this to steal your banking information that you stated in your context.[/quote]

For one thing the lack of SSL does mean the hacker can skip the step of SSL spoofing. That means the user won't have to ignore the "Accept this new certificate" message that we've all seen and likely clicked through without a second thoughts.

I'm also imagining the penalties for hacking a bank are a bit more severe than Nexon.

However, yeah, the point does remain that if you're that knowledgeable you can simply write your own trainer and charge $30 a month for it- you don't need to resort to petty theft.

[quote=Greenlee]i'm not worried lol just curious on what all that ssl talk is about[/quote]

Ha! Sorry, I guess I simplified it too much! =)

It simply explains how hackers can see what others are doing on a network. However, it's a bit tricky and VERY easy for the dudes running the network to detect.

Anyone willing to attack an entire network (like on a college campus) and risk getting expelled/arrested will probably not be going after your mesos. They'll probably be looking for Citibank logins!

Therefore- relax and enjoy the game. =)

Oh snap, someone actually knows what they're talking about.
Was a good read, hopefully SOME people will pay attention to what you've written up. Kudos.

[quote=Greenlee]Too many ''big'' words. someone dumb this down for me in a sentence or two ploxy poo [/quote]

Don't worry. Play the game and have fun.

"A lack of SSL hardly makes the game any less secure. Relax and play the game. If you're going to get hacked, it's because you gave your info away or downloaded malware from a non-Nexon.net MS related site."

That's all that's needed to be said.

[quote=myrdrex]I wrote it on the Nexon forums. =)

@xxrikku360xx I'm sorry reading is such a challenge. I hope things improve. There seems to be a lot of people who suffer from that fear of words on these forums, so rest assured you're not alone my friend.[/quote]
I read all of it. It was fun. I love reading passages and explanations. From my knowledge and common sense, it [i]seems[/i] right.

[quote=DualBlades]He never said reading was a challenge. He clearly stated it was too long and that he obviously wasn't going to read it.[/quote]

That sounds like a challenge to me? LOL

Anyway, this is quite interesting to know~ Thanks.

I read gone with the wind,Dracula,Frankestein, And more long pointless books (even twilight)
yet i cant even read This without taking a break and re reading
OT Well They do u have secruity mesures and such
Most people just showed a 1 sided Veiw of it
Gj showing the other side

[quote=myrdrex]I wrote it on the Nexon forums. =)

@xxrikku360xx I'm sorry reading is such a challenge. I hope things improve. There seems to be a lot of people who suffer from that fear of words on these forums, so rest assured you're not alone my friend.[/quote]

If this was Halo I'd be all like BOOM HEADSHOT.

Off topic: China called. They said they want there wall back