CORE Connect Bug Report Thread

My character avatar is missing
http://img822.imageshack.us/img822/242/charactere.png

I am NOT the leader of amazon. I'm the leader of DARKnes.b:sad
http://img718.imageshack.us/img718/5974/guildkn.png

Most of the members of DARKnes profiles are showing that they are members of amazon.

looks like there is a glitch in the achievements database - went to look at mine which was populated and it seems to have cleared the achievements. it has done the same on the couple of my friends that i looked at. hopefully it is just a display issue and will not require a reload of all that data again.

ChaoticShelly wrote: »

I wonder if anyone else is having this issue as I am; When I click any username on the PWI forums it directs me to their old PWI forum profile (URL example) and not to their Core profile, and the following message appears:



Please let me know if you're experiencing this issue as well.

I just clicked your name and the link you provided and it shows your Core profile.

to X_Trinity_x Where did you get the FF theme I want it?

Alphae - Lost City wrote: »

+1, seriously. Why did it have to go? .-.

+2 n_n

Shulkie - Dreamweaver wrote: »

think you need to clear your internet cache shelly..

Been there done that b:surrender This seems to be the only forum this issue occurs in so I'm quite surprised to see no one is experiencing it. Weird...

You know what, I haven't thought of that. I'll try and see if it happens on my normal account. Thanks for the tip...

EDIT: Yes, must be a glitch caused by my MOD account/privileges.

IMHO having the users account name displayable is a huge security hole since it gives 50% of the info needed to do bruteforce hacking, and unfortunately its the 50% thats hardest to get, so, i.e. you just made it really simple for hackers to get access to everyones accounts.

What do you mean by brute-force hacking?

You mean, if they have access to the database? If they have access to the encrypted passwords they already know your username... so cracking the passwords via bruteforce means they kinda need access to database anyway and the encrypted passwords.

Bearleeable - Lost City wrote: »

IMHO having the users account name displayable is a huge security hole since it gives 50% of the info needed to do bruteforce hacking, and unfortunately its the 50% thats hardest to get, so, i.e. you just made it really simple for hackers to get access to everyones accounts.

thats not the account name on core profile as far as i remember when making an account you could make 2 names one for forum and one for logging in which of course i maded them different.

Tremblewith - Heavens Tear wrote: »

Basically a brute-force **** is where the system checks all possibilities starting from the easiest ones (Occasionally the user can actually take a guess at what they "Sorta" think it would be, then the program will check all possibilities around your guess), and working to the hardest ones.

That is completely impractical, if you mean the program is sending requests to the server everytime to verify the random password and username? It would take ages doing this once per second or so... you need to verify hundreds of thousands of passwords per second to expect it in a lifetime.

The server would just stop incoming connections from that IP if it's a single one. If you have a large network all working together to "crack" this you'll just get the server down. Too many requests, it's called Distributed Denial of Service attack. (DDoS).

When people say you crack passwords what they mean is, retrieve the encrypted password from the database (which means they have access to the database, so usernames too), then try combinations, encrypt them, and see if they match.

The thing with encryption is that it is easy to encrypt one way (i.e encrypt "mypassword" into some byte sequence) but not the other way (from the byte sequence you can't 'extract' "mypassword").

Once you have the encrypted form of the password, you can't "login", since you have to send the password as a request to the server along with username, then server encrypts that, and checks if it matches with the stored encrypted value. Due to the fact that you can't "extract" the plain password from the encrypted value, you need to brute-forcefully try all password combinations, encrypt them, and see if they match. Once they match you know the password.

Example: We have the encrypted form "encryptedpass" from the database. Let's try to encrypt "somepassword". It encrypts to "someotherpassword", so it's not it. Let's try "mypassword". It encrypts to "encryptedpass". Woot we found it via bruteforce. (obviously it's not silly like this but you get the point).

Sorry for detailed explanation.

Let's see now, even thought it says 2 characters my alt doesn't show up. It says i'm in a guild i never heard of. Approximately 30% if my accomplishments are missing. It doesn't affect the game so will not worry much about it. The sad thing is they will probably fix this, while never fixing the bugs in the game.

Borsuc - Raging Tide wrote: »

That is completely impractical, if you mean the program is sending requests to the server everytime to verify the random password and username? It would take ages doing this once per second or so... you need to verify hundreds of thousands of passwords per second to expect it in a lifetime.

once per second? why would an automated brute-force attack go that slowly? a hundred times per second is quite doable, unless the server places limits on things (which, honestly, it really should --- but does it?); even then, you might be able to distribute the attack sources to generate aggregate volumes at or above that rate.

plus, your modern day "brute force" attack usually starts with a dictionary of likely and/or common passwords and elaborates on that. when people insist we use strong passwords, ones that aren't words or variations on words --- there's a reason for that; even a dictionary of the english language doesn't take long to go through at a hundred tries a second.

When people say you crack passwords what they mean is, retrieve the encrypted password from the database (which means they have access to the database, so usernames too), then try combinations, encrypt them, and see if they match.

such encrypted-password databases, stolen from relatively major websites, have escaped into public knowledge in the past. statistical analysis of the most common passwords people use makes for depressing reading, and the dictionaries one can compile for future brute-force attacks... well, they're already long since compiled; use strong passwords that aren't actual words, everybody.

The thing with encryption is that it is easy to encrypt one way (i.e encrypt "mypassword" into some byte sequence) but not the other way (from the byte sequence you can't 'extract' "mypassword").

ideally, yes. unless somebody decided to use a collision-prone hash function, thinking it wouldn't matter since the password database was unlikely to get stolen.

no reason you have to send requests to the server one at a time, in sequence; open several different connections and do it in parallel. unless server-side DoS countermeasures block that, of course --- as they should, among a number of other things i can think of that i'd be doing if i were helping write the server; you're quite right about that. i've no idea what anti-hacking countermeasures are actually in place, though, and i'm not about to try black-box testing to find out. an IP ban might be the least of the worries for whoever did anything that foolish, as IIRC there are actual laws in place that might be brought in to cope with severe DoS situations.

Other then all my characters not showing up and me lists as in no Faction/Guilds.. I think its doing ok x.x


!~ Me

now showing pvp kills but still not showing my Lost city server guild , but showing a guild on heaven tear which i didnt log in ages.