
Entire cities dead on some World of Warcraft realms - rpledge
http://wow.joystiq.com/2012/10/07/reports-entire-cities-dead-on-certain-realms/#continued
======
patio11
Admin consoles: the soft underbelly of billion dollar software operations
since...

Seriously, though: you almost certainly have one if you run a software
business. Client side SSH certificates are your friend. If you're not able to
do that, because it is _really_ annoying, separate it from the main app and
lock it down as much as possible. (Separate authentication from the main
site/app's authentication scheme. Lock down access, ideally at the network
level. Strongly consider two-factor auth.)

~~~
klodolph
There are a few scenarios in which client-side certificates just aren't good
enough by themselves.

So you have folks administering the servers. A certain percentage of them
_need_ root access. One of them gets his certificate revoked and then laid off
-- in that order -- but he already installed a back door account. Okay, so
you're a good admin and you check the logs and make everyone use "sudo" for
everything.

* But maybe it won't even show up in the logs. Maybe he was editing a file in sudo with vi and ran ":! bash". Okay, so you're a good admin and disabled that.

* Maybe he was editing crontab one day and added a one-shot script to create a nefarious account. Okay, you are a good admin and you have tripwires.

* Maybe he knows where your tripwires are. Do you honestly think you know every possible attack vector someone with legitimate sudo access could use?

It's really hard to stop an inside job. The principle of least privilege is a
nice maxim, but there's a cost to figuring out exactly what the least
privilege is, and there's a cost to giving someone too little privilege --
downtime when they can't fix something they're supposed to fix.
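
An added example, not part of the comment above: an audit pass over sudo log lines that marks the entries after which the log goes blind (a root shell, an editor or pager that can start one, a crontab change) plus account changes. The program lists and the sample log lines are constructed for illustration and are assumptions, not an exhaustive policy.

```python
import os
import re

# sudo's syslog line:
# "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Illustrative lists (assumption): tune them to the tools on your hosts.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
ESCAPABLE = {"vi", "vim", "view", "less", "more", "man", "nano", "emacs"}
ACCOUNT_TOOLS = {"useradd", "adduser", "usermod"}


def classify(cmd):
    """Return a finding category for one logged COMMAND= value, or None."""
    argv = cmd.split()
    prog = os.path.basename(argv[0])
    args = argv[1:]
    if prog in SHELLS and "-c" not in args:
        return "root-shell"             # nothing typed afterwards is logged by sudo
    if prog in ESCAPABLE:
        return "shell-capable-program"  # sudo logs the editor, not what it spawns
    if prog == "crontab" and "-l" not in args:
        return "cron-change"            # deferred execution outside the sudo log
    if prog in ACCOUNT_TOOLS:
        return "account-change"
    return None                         # includes "sudoedit ..." entries


def audit(lines):
    """Return (user, category, command) for each sudo-as-root entry worth review."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        category = classify(m.group("cmd"))
        if category:
            findings.append((m.group("user"), category, m.group("cmd")))
    return findings


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    "Oct  7 09:12:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts",
    "Oct  7 09:13:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=sudoedit /etc/hosts",
    "Oct  7 09:15:31 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Oct  7 09:16:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/crontab -e",
    "Oct  7 09:18:55 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-backup",
    "Oct  7 09:19:20 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Oct  7 09:20:00 web01 sshd[811]: Accepted publickey for carol from 10.0.0.5 port 50022 ssh2",
]

if __name__ == "__main__":
    for user, category, cmd in audit(SAMPLE_LOG):
        print(f"{user:6} {category:22} {cmd}")
```

A flagged editor session only says that the editor ran as root; moving those edits to `sudoedit`, which runs the editor as the invoking user, removes the blind spot rather than detecting it.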

~~~
danielweber
I once wrote a tool to automatically connect to all the company boxes. I
became actually frightened by it, because in the wrong hands the tool could
destroy the company in a matter of minutes. I eventually just deleted it and
discouraged anyone from building another.

~~~
sargun
How does this differ from tools like puppet or mcollective, which are commonly
deployed in operational environments today, and almost necessary for day-to-
day operations?

~~~
jahewson
Puppet uses client certificates, and is pull-only so you'd need to hack the
puppet master machine to cause any damage.

------
jpxxx
I think that there's something kind of fascinating and romantic about the idea
that an entire world and the ongoing social affairs of thousands of people can
fit on a single server blade in the middle of nowhere.

~~~
bsphil
That's what makes EVE so much more interesting to me. There's only one server.
The monthly fee can be earned in-game. The economy is tied to actual dollars
because it's so reliable. There have been plenty of universe-spanning
conflicts that impact the entire game with genuine political drama, and the
dev team steps back to let it unfold with minimal intervention.

~~~
pooriaazimi
Can someone explain what EVE is? And explain it like I don't know anything
about it (and I don't). Wikipedia, etc. don't cut it and I still don't
understand what EVE is and why people like it.

Thanks a lot!

~~~
saraid216
Let's slingshot you into the future, where empires span hundreds of solar
systems, spaceships abound everywhere, cloning technology is available to an
elite class called capsuleers, and human beings still act human.

You're a capsuleer. A capsuleer is someone who can pilot certain specially
designed ships. As someone who has ascended into virtual godhood by the
benefit of effective immortality, you have entered a new plane of power
dynamics. And because you're a gamer, the galaxy is an oyster to exploit for
your amusement.

The simplest play is to fly around and shoot things. There are pirates, other
players, other factions. They all shoot back, probably. Some of them do it
better than others. Eventually, you run out of ammo, or your ship is
destroyed, or you want something bigger and badder. That gets you to start
thinking about how you shoot things and how to do it efficiently and
effectively. That gets you thinking about which ship to fly, which guns to put
on it, and so on... and how to get all those things cheaply, or at least for a
smaller cost than it takes to make money with it.

The ships, the guns, the ammo: these all _come_ from somewhere. Other players
make it. They do it by stripping asteroid belts of resources, holding
territory where they can conduct R&D, and build every bullet you expend, every
ship you pilot. Some of those resources are more elusive: they come from gas
clouds which are hard to detect, or components found in uncharted systems.
There are ways to get there and exploit those resources, too.

And naturally, with so many moving pieces, so many different agents, you get
hierarchical organizations, larger infrastructure, traders conducting
arbitrage and moving freight, bigger and badder ships and bigger and badder
groups to hold vaster tracts of territory. And with that comes opportunities
to scam and con others, opportunities to be a leader or a spy, and so on.

And all of that is supported by the game. You're constantly going to have to
deal with the social repercussions of whichever path you take: a lone pilot
won't have support infrastructure from their corporation; an alliance leader
has to maintain the interest of his members; time spent shooting things is
time _not_ spent mining asteroids; and so on.

What sounds cool? What do you want to do? Can you stomach what it'll take to
be in that role? Can you understand mechanics and people well enough to make
it happen? Then you can probably do it. That's EVE.

~~~
pooriaazimi
Thanks a lot. It suddenly seems so clear.

But I wish you hadn't responded! I suddenly want to be 14 again so bad it's
hard to get back to work on the app I'm building ;-(

EVE will be around for a few years, I hope. And by then I should be able to
play it.

~~~
sliverstorm
It sounds really cool, but I've done some reading and it sounds like the most
amazing moments of emergent gameplay (like the hostile takeover of a monster
in-game corporation a few years back) are brief and rare, and the rest of the
time I'm told it winds up feeling like a second job.

~~~
podperson
I think obsession with EVE is yet another example of the kind of Stockholm
Syndrome-like devotion intentionally tedious MMOs engender in players (I speak
as a recovering victim, although not of EVE which is unbelievably tedious and
boring even by the pretty vaunted standards set by earlier MMOs).

<http://loewald.com/blog/?p=59>

~~~
doesnt_know
As an EVE player I don't usually make a habit of defending it so sorry if this
comes across as "fanboyish". I'm in one of the largest alliances in the game
and general consensus is that it can be "a terrible game", but there are so
many things that are wrong or are just misunderstood in that post that it would
take me all day to go through them individually.

Setting aside all the inaccuracies and misunderstandings of basic game
mechanics in it (which is in part due to the steep learning curve of the game
I admit, so it's somewhat understandable) EVE Online at its core is
ultimately a geek social hierarchy with a thin veil of "science fiction video
game" masked over it.

Nowhere in the post did it mention ever interacting with other players, let
alone leaving the safety of high security space to join one of the established
social powerhouses in player controlled space. This is where the real "game"
takes place and which is why the retention rate of new players is so extremely
low, they don't get to see it.

If you are wondering why people keep playing this game, it isn't because they
are stuck in some kind of "WoW-like" grind trance and just want to see a
progress bar inch forward. It's ultimately the chance to ruin another social
group's day and proclaim that your social group or culture "is better than
theirs". You can visibly view a generated map of player controlled space[1]
and say "we own this, we took it from you". The large super capital ships used
in these battles are also worth upwards of $1,000 USD. A battle not long
ago[2] resulted in the destruction of somewhere around 13 to 15 thousand
dollars worth of capital ships.

Ultimately, EVE Online is a social experiment first, a war simulator for
privileged first world geeks second, and a science fiction video game
somewhere down at the bottom of the list.

[1] <http://go-dl1.eve-files.com/media/corp/Verite/influence.png>

[2] <http://themittani.com/news/supers-tackled-station>

~~~
podperson
I am sure there are good things about EVE that keep players engaged, but the
initial experience with the "game" is so terrible as to boggle the mind. It
isn't sold as a "social experiment". (Its qualities as a "war simulator" I
won't go into -- it's a simulator of its own assumptions, which aren't
terribly interesting.)

As an aside:

Way back in the early 80s, I was acquainted with a fellow who ran a worldwide
play-by-mail game called "Cluster II", and a number of my friends were
players. There had been an earlier game whose title I leave as an exercise to
the reader. The game was run using Australian Tax Office mainframes in
downtime. It was conceptually kind of a gigantic interstellar conquest run
using Traveller's "High Guard" combat rules, and it allowed players to operate
as corporations, spies, or straight out interstellar empires.

My point: the experiment has been run before.

~~~
doesnt_know
"My point: the experiment has been run before."

And as long as there are new generations that want to spend their free time
with such an experiment, history will repeat itself. Not to mention
experiencing it in a new medium (heh, play-by-mail) and taking it to another
scale. Hell, our alliance has its own custom authentication application that
strings together dozens of various applications that serve our coalition. We
have a small team of system admins that run our services. A single jabber
broadcast for a fleet reaches thousands of members instantly, followed by a
flurry of logins to the game server.

As far as the "initial experience" being terrible, I completely agree with you
on that one. CCP have put a lot of effort into improving the new player
experience but it's still extremely lacking and I honestly don't think this
will ever change.

I also admit choosing "war simulator" may not have been the best phrase. You're
right, it's a simulator of something, but when you are in a science fiction
setting where spaceship pilots are immortal, it's never going to represent any
war we are familiar with. You're wrong about it not being interesting though,
if it wasn't interesting, thousands of us wouldn't log in at one time to take
part in a battle over a bunch of pixels.

In regard to your comment about it not being sold as a "social experiment",
you'd be surprised. CCP went in that direction with their marketing material
for a few years:

"The Butterfly Effect" - <http://youtu.be/08hmqyejCYU>

"Causality" - <http://youtu.be/uGplrpWvz0I>

"I Was There" - <http://youtu.be/OSxSyv4LC1c>

I'll stop posting about EVE now. I fear about coming across as overly defensive
about the game, when that isn't really my intention.

~~~
podperson
I appreciate the insights. I'm hardly immune to the alleged charms of EVE (I'm
an old school tabletop/board wargamer and game designer), I just think the
price (in terms of poor gameplay) outweighs those charms.

------
blibble
apparently it's a client side hack for "WoW-plus", here's the ringleader on
his own forums:

[http://www.ownedcore.com/forums/world-of-warcraft/world-of-w...](http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/198650-screenshot-thread-94.html#post2535108)

this isn't the first time Blizzard have messed up like this: they originally
set the "Game Master" access level by a bit transmitted client side, and the
same socket bit twiddling could be used to get into their private alpha
servers...
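
An added example, not part of the comment above and not Blizzard's code: the design flaw the comment describes (an access level read from a bit the client sends) beside a handler that takes the role from server-side account state and treats a mismatched bit as a tamper signal. The packet layout, flag, opcodes and account names are hypothetical.

```python
import struct
from dataclasses import dataclass

FLAG_GM = 0x01         # hypothetical "I am a game master" bit, set by the client
OP_CHAT = 0x10         # hypothetical unprivileged opcode
OP_KICK_PLAYER = 0x80  # hypothetical privileged opcode
PRIVILEGED_OPS = {OP_KICK_PLAYER}

# Server-side account store (constructed). The role lives here, never on the wire.
ACCOUNT_ROLES = {"gm_alice": "gm", "player_bob": "player"}


@dataclass
class Session:
    account: str  # filled in by the server after authentication


def parse(packet):
    """Hypothetical wire format: 1 byte flags, 1 byte opcode, then payload."""
    if len(packet) < 2:
        raise ValueError("short packet")
    flags, opcode = struct.unpack_from("BB", packet)
    return flags, opcode, packet[2:]


def handle_trusting(session, packet):
    """Flawed pattern: privilege is whatever the client says it is."""
    flags, opcode, _payload = parse(packet)
    if opcode in PRIVILEGED_OPS and not flags & FLAG_GM:
        return "denied"
    return "executed"


def handle_hardened(session, packet, alerts):
    """Role comes from the authenticated session; the client bit is only logged."""
    flags, opcode, _payload = parse(packet)
    role = ACCOUNT_ROLES.get(session.account, "player")  # default to least privilege
    if flags & FLAG_GM and role != "gm":
        alerts.append((session.account, opcode))  # client claimed a role it lacks
    if opcode in PRIVILEGED_OPS and role != "gm":
        return "denied"
    return "executed"


def demo():
    """Run the same tampered packet through both handlers."""
    alerts = []
    tampered = bytes([FLAG_GM, OP_KICK_PLAYER]) + b"someone"
    bob = Session("player_bob")
    return {
        "trusting": handle_trusting(bob, tampered),
        "hardened": handle_hardened(bob, tampered, alerts),
        "alerts": alerts,
    }


if __name__ == "__main__":
    print(demo())
```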

------
Ogre
There was a plague in WoW in 2005 -
<http://en.wikipedia.org/wiki/Corrupted_Blood_incident>

Could be a similar sort of thing, or it could be a hack.

~~~
niggler
Debating whether to be impressed or disappointed that this has its own
wikipedia article ...

~~~
waterlesscloud
It certainly raises some questions for the "notability" police.

~~~
dangrossman
It's a historical event that affected millions and spawned research in at
least 4 distinct fields. The wiki article cites several scholarly journals on
top of BBC, Wired, Reuters, NPR and The Times. How much more notable could you
want?

~~~
waterlesscloud
It was a short-lived bug in a video game. There were research proposals that
never went anywhere because it was concluded that the model would be a poor
match for the real world.

Plenty of things happen every single day that affect millions and are covered
in multiple world news sources. They don't have their own pages, so clearly
that's not the standard.

~~~
dangrossman
> There were research proposals that never went anywhere

Multiple published research papers, not proposals. Over 600 Google Scholar
results. It also made its way into several books.

~~~
waterlesscloud
What were the findings of these published research papers?

~~~
dangrossman
We were discussing whether this event met Wikipedia's notability requirements.
Those requirements are that the topic be 'worthy of notice' -- that it's been
mentioned by more than one verifiable, third-party source. Clearly that
requirement has been met and this event is notable. The fame, importance or
popularity of the subject are not considerations for Wikipedia's notability
requirement.

Should you wish to discuss the event and the research it spawned, I'm sure you
can find a discussion group for that. I'm not your research assistant, and I
doubt the sincerity of your interest, given you dismissed these papers'
existence outright mere hours ago.

~~~
waterlesscloud
The papers I have found were all proposals or investigations of the
possibility of further research.

You seemed to be saying there was actual research based on the incident, and I
wondered if you had found something different. I assume you did not.

Also, to directly quote the wikipedia page on Notability: "Notability is the
property of being worthy of notice, having fame, or being considered to be of
a high degree of interest, significance, or distinction."

~~~
dangrossman
You're quoting the wrong notability page. "Determining notability does not
necessarily depend on things like fame, importance, or popularity"

<http://en.wikipedia.org/wiki/Wikipedia:Notability>

~~~
waterlesscloud
Cutting the sentence off in the middle doesn't help your case.

"Determining notability does not necessarily depend on things like fame,
importance, or popularity—although those may enhance the acceptability of a
subject that meets the guidelines explained below".

I also note the page has been marked for merging, so I'm hardly alone in my
opinion.

~~~
dangrossman
Two mentions in any medium make a topic notable for Wikipedia purposes. This
event's article cites 19. The "notability police" wouldn't go near it. Why do
you think I'm "making a case", or would need to? This discussion effectively
ended hours ago, it's only continuing to muck up the real discussion on this
story because you feel compelled to argue with me for some reason. If you feel
the need to continue, tweet me or something, this pointless back-and-forth
doesn't belong on HN.

~~~
waterlesscloud
It does take two, you know.

I'll make one final point and then let it go. If you want the last word, it's
all yours.

Two mentions in any medium is definitely not the standard for notability on
wikipedia. Read the very page you linked for confirmation of that, there's
quite a bit more about the standard there.

------
brador
It's interesting to comprehend the amount of lives a hack like this will
positively affect.

How many will pick up a book, or go for a walk, now that they no longer have
their go-to fix of virtual reality. How many WOW addicts will have time to
think "never again" and follow through.

Equivalent to all the cigarettes in the world vanishing for a few hours?
Possibly. And equally as effective I say.

~~~
npsimons
_Chuckle_. How many of those will go out and rob a liquor store? How many will
perform an act of vandalism? How many will kill themselves because they are
cut off from the only friends they've ever known?

While I can empathize a bit (I used to play WoW, but "grew away from it" and
now spend a large portion of my time in search and rescue and musical
performance), I have to say that this is a very judgmental POV to take. You're
seriously going to compare playing WoW to smoking? Even in the worst case, at
least playing WoW is a step up from watching some inane TV show with no
interaction. It's not like anybody suffers from second-hand MMORPG.

And you can always play moral superior: instead of reading a book, why don't
they start their own company? Instead of going for a walk, why don't they run
a marathon? Hell, I could see how someone could look down on the activities I
choose ("why rescue idiots who got themselves into trouble? Let natural
selection sort it out!" or "why perform music that's already been performed
thousands of times before by better performers?"), but FFS, sometimes "wasting
time" is some of the best time well spent.

~~~
adgar2
> It's not like anybody suffers from second-hand MMORPG.

Addicts always say they're making a personal choice that doesn't affect anyone
else, whether it's WoW or booze or blow. And they're _always_ wrong.

The last AA meeting I went to, someone spoke for the first time and told a
story about a typical night at the bar. Drinking, watching the game and
minding his own business. Just like every night. Except this time, 8 beers
deep, his daughter walked from home to the bar and tugged on his sleeve -
there was nobody at home but her and she was scared.

Bet you'd never heard of "second-hand drinking" either.

~~~
npsimons
_Bet you'd never heard of "second-hand drinking" either._

Until someone gets a case of cirrhosis of the liver from someone else's
drinking, there is no such thing as "second-hand drinking", just as there is
no such thing as "second-hand carpal tunnel syndrome" from someone else
playing too much WoW. I'll be the last to say that addiction doesn't affect
others, and yes, I will agree that people can spend too much time playing
video games (or getting drunk). But much like the alcoholic telling someone
else they should never drink because it's "Evil", I won't take my advice from
someone who obviously thinks that WoW is inherently evil.

~~~
adgar2
I don't think WoW is inherently evil - were you referring to your parent
poster, or me? I just think nearly everyone in this addiction subthread is
woefully underinformed about the realities of addiction.

------
negamax
2012 - End of World.. of Warcraft.

Mayans knew this.

~~~
bravoyankee
All joking aside, maybe this is what it's about?

~~~
negamax
That be pretty awesome imo

------
tibbon
If I remember right, there was a post on HN here a while ago about how there's
a dot pattern embedded in all WoW screenshots, so they can identify who the
user is even if they remove the character name from the screen.

If they have the account information on this, I have to wonder if they could
actually sue someone (instead of just banning them) for using this hack?

~~~
ben0x539
Those screenshots are probably the victims', anyway. While Blizzard probably
does have enough logging to track this down on their end, it's fairly easy to
get a trial account with bogus account information, so it would be back to
grabbing their IP addresses and pleading with some ISP to reveal their real
identity.

~~~
yozmsn
As it turns out there are a couple of guys publishing videos on YouTube of their
POV as the attacker/killer, so if the dot-pattern thing isn't a hoax then
those guys are screwed... but from what I read it sounds like it's a bunch of
guys who are annoyed that the hack exists and so they're abusing it until
Blizzard fixes it.

~~~
aesopiate
The dot pattern only exists in in-game screenshots, and only if they're set to
9/10 quality or lower. They won't exist in a frapsesque video.

~~~
iso8859-1
Source?

~~~
ohashi
[http://www.ownedcore.com/forums/world-of-warcraft/world-of-w...](http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-general/375573-looking-inside-your-screenshots.html)

------
sespindola
Interesting hack.

As some of the MMORPGs have multi-million dollar economies, they'll need to
increase their PCI level compliance.

This reminds me of Charlie Stross's Halting State[1].

1: <http://en.wikipedia.org/wiki/Halting_State>

------
beedogs
> Editor's Note: Please do not link to the source of these hacks. Any
> nefarious links will be removed, and repeat offenders will be banned.

I hate this kind of crap.

------
mtgx
And this is why making Diablo 3 work on servers, too, was a terrible idea
(among other reasons).

~~~
macspoofing
Why?

------
fchollet
Here's a video posted by one of the script kiddies responsible for this:
[http://www.youtube.com/watch?v=YoM_sOC7jMA&feature=playe...](http://www.youtube.com/watch?v=YoM_sOC7jMA&feature=player_embedded)

Nothing too impressive to this "hack"...

~~~
ChuckMcM
Interesting, if that is in fact related to this incident it suggests that they
got a copy of the Game Master (GM) private key, they are activating GM only
'features' of the game. In this case the 'kill all' aura, another feature is
to imbue your weapons/armor with arbitrary stats. Saw a character doing that
in 2008 or so.

No doubt this is related to this problem: [http://kotaku.com/5933454/blizzard-network-breached-change-y...](http://kotaku.com/5933454/blizzard-network-breached-change-your-passwords)

------
lazyjones
it's fixed: <http://eu.battle.net/wow/en/forum/topic/5616171565>

------
sonnyhe2002
I personally don't think it was a hack. I think it's more likely a warcraft
developer did something wrong and not an external hack.

------
lutusp
> Entire cities dead on some World of Warcraft realms

1\. Wait -- was I just teleported into my favorite South Park episode?

2\. I can't wait to see the civil lawsuits for psychological injury against
the perpetrator of this outrage.

3\. Don't these people do nightly backups? It's not as though WOW isn't an
important cybernetic resource meriting industry best practices.

~~~
ben0x539
Just to clarify, death in WoW is something that happens all the time. It's
very unlikely that it causes anyone more than a minute worth of inconvenience
in this case, and certainly less than it would to take the servers down to
apply a backup.

------
flexxaeon
Thought "massive destruction" meant to the game infrastructure, or at least
character data/inventory.

This is kinda funny.

~~~
nilved
Yeah, there's no actual destruction here besides less than half an hour of a
player's time.

------
theevocater
I am... very impressed. This is some pretty bad news for the current king of
MMOs. I wonder if someone finally stole a GM's account or if this is a live
hack. I'm more inclined to believe someone just made off with an account but
hey crazier hacks have happened.

------
EGreg
It looks like there were some videos posted from the point of view of the
hackers. Doesn't Blizzard put watermarks in each of the clients? They can
track it to the licenses which people bought, and probably to the people
themselves, no?

~~~
josso
The watermarks were only added if you used the builtin screenshot-feature of
WoW, and only if you didn't have it on quality-level 10 (max). So it won't work
with videos and I guess that the hackers haven't used the builtin screenshot-
feature, if they have released pictures.

~~~
EGreg
They could have rather easily added other watermarks, for videos, etc. There
are lots of watermarking techniques that survive lossy compression.

------
sbarre
Impressive hack, if that's what it turns out to be. I would guess that
Blizzard has appropriate backups though..

WoW forums appear to be down too..

~~~
Ogre
Don't really need backups for that, death is not permanent. No one's going to
lose anything but time and patience.

Edit to add: Players who get killed by this aren't going to lose anything,
which is what the link was talking about, but I guess it's letting people who
are in on it exploit content too - some of them may be rolled back, banned, or
otherwise dealt with other than just the thing getting fixed, whatever it is.

------
podperson
And here was I thinking it was caused by players leaving the game in disgust
over the latest expansion. Oh well.

------
aidos
OT: dealing with the livefyre comments on that page on a mobile is a
frustrating experience.

------
djbender
There's no confirmation of a "hack." This is purely speculation.

------
patrickmay
There's more discussion and videos on ownedcore.com.

------
sageikosa
Epic level spell?

