Account hacking incident
Don’t care how justified this person felt they were, they were simply wrong in doing it this way. They could have just as easily done this and then returned everything to prove their point. At the end of the day it was wrong and anyone supporting it should be banned from GW2.
Exactly. Destroying Gaile’s progress wasn’t at all necessary to showcase the system’s flaws. He/she could have just done the deed and then notified A-net. This just shows the person was being a prickly kitten.
And saying “We/I did this to get your (company’s) attention” is reprehensible. Hurting a person to send a message is inhumane and wrong.
Couldn’t agree more Gaile. Blaming the victim is a sad and all too common response in our society. Let’s all take a step back and let Anet deal with it without the witch hunt.
I’m not above saying Please…
Those same CS agents are unbanning any GW1 account if you simply ask them to.
It bears repeating, so I’ll say it again – the hacker who got Gaile tried multiple times until he got a CS rep that granted him access.
That is inexcusable.
So could this person know Gaile and maybe have a beef with her and have taken it out on her this way! I mean they could have sold the stuff if they were just a jerk hacking but this feels so much more on a personal level to me! Maybe put the word out on GW1 and tell people what stuff was taken! I know I’m probably being overenthusiastic but she might get it back…
and also tried to warn Anet about this thing months ago on reddit, but Anet said it’s impossible to hack something and ignored this person who was actually trying to help and warn them to prevent this kind of security breach.
Pride goeth before a fall, a lesson Anet repeatedly does not want to hear. History repeats itself unfortunately.
But in the end we are all likely to be safer because of it, assuming Anet actually takes this as the wake up call it should be seen as.
I’m glad you believe that. Because I don’t.
They’ve been warned over & over about how easy it is to gain control of accounts with minimal information.
And nothing (that we can see, anyway) has changed.
That’s why I said “assuming they take it as a wake up call.” This incident has a lot better chance of prompting change than anything else I can think of. I’d be surprised if this didn’t result in at least some wrath coming down onto the support staff.
Seer Of The Divine | Sarina Starlight | Tireasa | Caedyra
It bears repeating, so I’ll say it again – the hacker who got Gaile tried multiple times until he got a CS rep that granted him access.
That is inexcusable.
This isn’t just ArenaNet’s problem. It’s an industry wide issue. Here is a wonderful case study read on social engineering. If you’ve never heard about the Apple & Amazon social engineering attack, it’s worth your time. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
The point I’m trying to make is, a lot of people in this thread are demanding drastic changes. The ones that really bother me are the people demanding the CS agent be fired for what happened. That’s the absolutely wrong way to approach it. Education and defending against the human element is the proper first step.
Proud member of [coVn] on Fort Aspenwood.
Rasern, I would read that but it noticed I block ads and won’t show me the article unless I whitelist it to show me ads or I subscribe, neither of which I wish to do for the sake of reading one story.
The part I could see said that the hacker went into the guy’s google account and daisy chained from there to his Twitter so as to send out nasty comments in his name. Before I could read how social engineering was involved I got the big block of “pay up or you may not read.”
I have seen some people demanding the things you say, but mostly I’ve seen concern about how multiple attempts did not raise any flags. I agree with those concerns. Why wasn’t anything added to her account profile to note the attempts? I recently was my brother’s gmail account restoration backup source while he was overseas, in case his phone got stolen, and until he removed me I got a notice every time he accessed things from a new computer. Heck, when I add a gmail account on one of my devices, I get an email notifying me of the recent activity. Why wasn’t Gaile sent a notice each time the attempt was made, so she could then notify Support from her authorized email that “someone is trying to hack in, it’s not me” and have that added as a flag?
I don’t use a regular ad blocker, but I do use a massive hosts list which does the same thing. I was able to “select all / copypasta” to read it in notepad…
I have seen some people demanding the things you say, but mostly I’ve seen concern about how multiple attempts did not raise any flags.
This.
I’ll admit it is a little disturbing that after several tries no flags were raised.
I logged in to GW1 last night just to look around, and ended up opening years of presents and putting endless gift vouchers in my storage. Other than 1 seemingly real player talking in trade, it was nothing but gold spam from tons of different sites. Seriously, they were all just named their website or Ecto Trade or crap like that. It’s nice that they left GW1 running so people can go back and get achievements (which I still can’t bring myself to do), but it has definitely been abandoned by Anet.
Te Nosce [TC]
I’ll admit it is a little disturbing that after several tries no flags were raised.
Mike O’Brien didn’t say a single thing in his post about no flags being raised. That’s an assumption being made by the posters here.
Just because flags are raised, it doesn’t mean those flags will protect someone’s account.
Gaile, again I’m sorry this happened to you. In a different MMO I played I and my guildies could only watch as someone who hacked a friend’s account logged in character after character draining her of everything. It was heartbreaking to witness, and I can only imagine what it would be like to experience.
~EW
IF flags were raised and subsequently ignored, that speaks to an even larger issue with security.
And that’s an ‘if’ we don’t know either… just more assumptions. And, it doesn’t make the issue any larger since it was a “social engineering” hack… a hack that preyed on human fallibility. Flags aren’t always proof against clever (albeit despicable) people.
~EW
One thing that could maybe help would be some sort of (optional?) delay on any email or password change to an account and then send an SMS and email to the existing account email and phone number to alert them.
Time is really the enemy when all this is going down – inserting a window of time (24-48 hours) before they are able to take over would be minimally inconvenient for the account holder but possibly catastrophic to an attack – unless they had full command over the account holder’s email and cell phone (in which case the account holder probably has much bigger problems anyway).
IF flags were raised and subsequently ignored, that speaks to an even larger issue with security.
And that’s an ‘if’ we don’t know either… just more assumptions. And, it doesn’t make the issue any larger since it was a “social engineering” hack… a hack that preyed on human fallibility. Flags aren’t always proof against clever (albeit despicable) people.
~EW
If there were flags and this agent still accepted inaccurate/non-matching personal info (posts on reddit did show made-up info) as confirmation of ownership, that person has no business being in a position to make decisions concerning access to a player’s account.
If there were no flags, then we should be asking why multiple failed attempts to access an account didn’t result in some indication to other agents and the account owner about an ongoing security issue. Additional attempts should be met with greater scrutiny, not offering account thieves a fresh start with a new agent.
In either scenario, there are some major security problems with Anet/NC’s support staff, policies, and operating procedure that absolutely have to be addressed. This is not a rare isolated incident that we can attribute to a single mistake by one person. It has happened before and it will continue to happen until actual improvements are made. Expecting perfection isn’t reasonable, but the degree of carelessness displayed in this and other incidents is simply not acceptable.
Seer Of The Divine | Sarina Starlight | Tireasa | Caedyra
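The two controls proposed in the posts above (a 24-48 hour hold on contact changes with notices to the contacts already on file, and failed recovery attempts that follow the account from one support agent to the next), sketched as an added example. It is not ArenaNet's code or any poster's; every name, threshold, address and the in-memory store are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# All names and thresholds below are assumptions chosen for the illustration.
HOLD = timedelta(hours=48)        # hold before a contact change applies (posts suggest 24-48 h)
FAIL_WINDOW = timedelta(days=7)   # how far back failed verifications are counted
ESCALATE_AFTER = 2                # recent failures after which no single agent may approve


@dataclass
class PendingChange:
    new_email: str
    effective_at: datetime
    cancelled: bool = False


@dataclass
class Account:
    email: str
    phone: str
    failures: list = field(default_factory=list)  # (when, who) for each failed attempt
    pending: Optional[PendingChange] = None
    outbox: list = field(default_factory=list)    # (channel, address, text) notices queued


def notify_owner(acct, text):
    """Queue a notice to every contact already on file, never to the requested new one."""
    for channel, address in (("email", acct.email), ("sms", acct.phone)):
        acct.outbox.append((channel, address, text))


def recent_failures(acct, now):
    return [f for f in acct.failures if now - f[0] <= FAIL_WINDOW]


def handle_recovery(acct, agent, verified, new_email, now):
    """Decide one support ticket: returns 'denied', 'escalated' or 'pending'."""
    prior = len(recent_failures(acct, now))
    if not verified:
        acct.failures.append((now, agent))
        notify_owner(acct, f"Failed recovery attempt {prior + 1} on your account.")
        return "denied"
    if prior >= ESCALATE_AFTER:
        # The history follows the account, so a fresh agent does not mean a fresh start.
        notify_owner(acct, "Recovery request held for senior review after repeated failures.")
        return "escalated"
    acct.pending = PendingChange(new_email, now + HOLD)
    notify_owner(acct, f"Email change requested; applies {acct.pending.effective_at:%Y-%m-%d %H:%M} unless cancelled.")
    return "pending"


def cancel_pending(acct, now):
    """Owner answers 'not me' from a contact on file: void the change and record a failure."""
    p = acct.pending
    if p and not p.cancelled and now < p.effective_at:
        p.cancelled = True
        acct.failures.append((now, "owner-cancel"))
        return True
    return False


def apply_pending(acct, now):
    """Apply the change only once the hold has elapsed without a cancellation."""
    p = acct.pending
    if p and not p.cancelled and now >= p.effective_at:
        acct.email, acct.pending = p.new_email, None
        return True
    return False


def run_constructed_timeline():
    """Two constructed cases: a caller retrying across agents, and a first-try approval."""
    t0 = datetime(2016, 1, 1, 12, 0)
    a = Account("owner@example.com", "+15550100")
    # Case 1: two agents refuse, a third is convinced; the account history overrides them.
    tickets = [("agent-a", False), ("agent-b", False), ("agent-c", True)]
    repeat = [handle_recovery(a, agent, ok, "caller@example.net", t0 + timedelta(hours=i))
              for i, (agent, ok) in enumerate(tickets)]
    # Case 2: the first agent is convinced at once; the hold gives the owner time to object.
    b = Account("owner@example.com", "+15550100")
    first = handle_recovery(b, "agent-a", True, "caller@example.net", t0)
    early = apply_pending(b, t0 + timedelta(hours=1))
    cancelled = cancel_pending(b, t0 + timedelta(hours=3))
    late = apply_pending(b, t0 + timedelta(hours=49))
    return {"repeat_caller": repeat, "notices_case1": len(a.outbox), "first_try": first,
            "applied_early": early, "cancelled": cancelled,
            "applied_after_hold": late, "email_case2": b.email}


if __name__ == "__main__":
    for key, value in run_constructed_timeline().items():
        print(f"{key}: {value}")
```

In the first case the third agent's approval does not hand over the account, because the two earlier failures are stored on the account rather than in any one agent's memory; in the second, the owner's cancellation inside the hold window voids a change that an agent approved on the first try.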
…snip…
As I’ve said previously, nothing is 100% secure. Any shouldas, wouldas, what-ifs, and if-thens you can conceive aren’t going to change that.
Yes, hopefully whatever checks/flags/whatnot that were bypassed will help security be tightened going forward. We’re all hoping that. But, even then, it will never be 100%. Kitten happens, and it’s better to deal with the reality in front of you than dwell on the fantasy you want it to be… and consider placing your anger where it deservedly goes: to the hacker.
~EW
I think anger towards Anet’s security procedures is justified as well.
And +1 to everything mrstealth said.
One thing that could maybe help would be some sort of (optional?) delay on any email or password change to an account and then send an SMS and email to the existing account email and phone number to alert them.
Time is really the enemy when all this is going down – inserting a window of time (24-48 hours) before they are able to take over would be minimally inconvenient for the account holder but possibly catastrophic to an attack – unless they had full command over the account holder’s email and cell phone (in which case the account holder probably has much bigger problems anyway).
I’m fairly certain there used to be email notifications for attempts to change/reset email or password. They might still be in effect, but don’t occur if support initiates the reset on their end. There should always be some notification sent to all on-file contact methods to offer the chance to deny/undo the change.
Multiple services that I use send notifications via email or SMS even on successful two-factor logins from a new device/location. We know that at least GW2 is capable of supporting this extra bit of security, as email verification is an option for two-factor authentication. It should also be an optional (probably even mandatory) feature when other forms of 2FA are used.
Seer Of The Divine | Sarina Starlight | Tireasa | Caedyra
I’m not sure how much I would put stock in screens of emails posted by someone that ‘socially-engineered’ their way into someone else’s account.
It’s hard to believe someone that lied to gain access.
Nevertheless, it is an unfortunate incident.
…snip…
As I’ve said previously, nothing is 100% secure. Any shouldas, wouldas, what-ifs, and if-thens you can conceive aren’t going to change that.
Yes, hopefully whatever checks/flags/whatnot that were bypassed will help security be tightened going forward. We’re all hoping that. But, even then, it will never be 100%. Kitten happens, and it’s better to deal with the reality in front of you than dwell on the fantasy you want it to be… and consider placing your anger where it deservedly goes: to the hacker.
~EW
That is why I said perfection cannot be expected. But there is a huge gap between 100% security and the absurdly lax security demonstrated here.
As for the hacker, he/she/they deserve anger for stealing/giving away Gaile’s items and removing cape trims. That was completely uncalled for and there is no justification for doing it. On the other hand, I am grateful for this problem being brought to light and for Anet being forced to at least acknowledge it.
The first step to fixing a problem is admitting that there is one. And as of a week before this happened, Anet was still refusing to admit that there was a problem. So there has already been progress because of this hacker.
Seer Of The Divine | Sarina Starlight | Tireasa | Caedyra
And just to clarify – The main reason I’m a tad upset is the whole “hacker tried multiple times until he got a CS rep that handed him the account” bit.
No security measures will ever be 100% foolproof.
But.
Anet can do better than they did here.
And if I haven’t said it before now, I do hope Gaile gets her account restored.
Nobody deserves that.
And just to clarify – The main reason I’m a tad upset is the whole “hacker tried multiple times until he got a CS rep that handed him the account” bit.
This is the real problem.
It would be much more understandable had this happened on the first attempt. That you can just pin to a single person’s failure. But for this to happen after multiple attempts is a failure for that person and the system itself. We can’t expect the people to be perfect all the time, but we should expect the system and procedures to be as close to fool-proof as possible.
Seer Of The Divine | Sarina Starlight | Tireasa | Caedyra
I thought such a thing was impossible. Glad the economy wasn’t hit by this at all. At one point I thought the user database might be injured. Happy this didn’t happen.
Nothing like the feeling of your characters being safe and sound.
It bears repeating, so I’ll say it again – the hacker who got Gaile tried multiple times until he got a CS rep that granted him access.
That is inexcusable.
This isn’t just ArenaNet’s problem. It’s an industry wide issue. Here is a wonderful case study read on social engineering. If you’ve never heard about the Apple & Amazon social engineering attack, it’s worth your time. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
The point I’m trying to make is, a lot of people in this thread are demanding drastic changes. The ones that really bother me are the people demanding the CS agent be fired for what happened. That’s the absolutely wrong way to approach it. Education and defending against the human element is the proper first step.
While I do agree that social engineering is a serious problem and we could do more to secure our valuable information, you cannot shift the blame solely to the lack of security.
If an army comes and attacks your castle, and they destroy the front gate of the castle (that was not built to the correct specifications) you obviously blame the army for attacking your castle, as well as the person who built the gate because they cut corners.
The person that got into Gaile’s account has to be dealt with, and new people can be hired that can follow the rules (build the gate to the correct specifications).
I guess the real question at the end of the day is “Should I buy gems?”
I was thinking about it with LS3 but honestly I’ve never actually bought anything. And this happens … _
Don’t mix the message the activist tried to send, with mean reactions from community. It’s two very separate things. I know activism can hurt but it has its purpose, do you disagree?
This wasn’t an “activist”, this was a criminal. If someone wanted to simply bring the issue to Anet’s attention, they could have gotten the account info, recorded doing it, and given that information directly to Anet. No need to access her account at all.
Can you change your personal detail info in order to make your account more secure?
In any fashion really
Gaile,
Sorry to hear about that. Hope everything gets worked out for you.
However, I see a bunch of people on this thread playing the “blame game” trying to point fingers about how and why, etc. Instead, Anet, and the players, should be focusing on What happened, and what can be done to prevent it in the future.
I had a similar type of experience at work last night. I work as a security guard.
I received a call that someone was having access badge issues and couldn’t get into the facility. I allowed them access to the facility. Turns out, they had been fired. Which is a HUGE no-no. Long story short, I had followed our post orders (although I should have taken additional steps before allowing access). Now we need to re-examine our orders and create a new policy to avoid future happenings.
Anet needs to do the same thing. Find out what went wrong, and fix it. Either the agent involved blatantly disregarded the access control policy, or there was a misunderstanding in the policy process itself (as was in my case). In which case the policy needs to be revisited.
P.S. I did get written up, but still have my job
It’s the chain I beat you with until you recognize my command!”
One of the main problems with a socially engineered account take over is that it’s well known that many players do not use their real name or real contact info when they create an account.
I would guess that the reasons range from privacy concerns to people being under age to carelessness, (“it’s only a game!”, etc) to concerns that the system could be hacked and their private data (social security number in the US, address, etc) could be released.
Account Recovery has to remain relatively lax because there are so many people who legitimately own their account, but don’t have very complete or accurate information.
It’s frustrating because I’m willing to include accurate personal information – my real name, telephone number, etc but because there seems to be an assumption that that could all be fake, or somehow all my information could suddenly change – it does not seem like we can establish a permanent ID in the system and then have recovery attempts be based on knowing or proving that info (as opposed to just saying you forgot all your real ID info).
Maybe I’m a bit off in my perception, but I wish there was a way to establish a verified ID that includes some static personal information and sets the bar much higher for account recovery.
I don’t know how lax you expect it to be but when I lost my account info I gave them a picture of my state id or license to prove residency, who I am. To me it’s not unreasonable to prove who you are with your id…
Even state IDs can be photoshopped. How many people have a Facebook or other social media with their real name? And how many people talk about their characters on social media? Now you’ve put information out there for someone to Social Engineer your account.
(edited by Djinn.9245)
Rasern, I would read that but it noticed I block ads and won’t show me the article unless I whitelist it to show me ads or I subscribe, neither of which I wish to do for the sake of reading one story.
The part I could see said that the hacker went into the guy’s google account and daisy chained from there to his Twitter so as to send out nasty comments in his name. Before I could read how social engineering was involved I got the big block of “pay up or you may not read.”
I have seen some people demanding the things you say, but mostly I’ve seen concern about how multiple attempts did not raise any flags. I agree with those concerns. Why wasn’t anything added to her account profile to note the attempts? I recently was my brother’s gmail account restoration backup source while he was overseas, in case his phone got stolen, and until he removed me I got a notice every time he accessed things from a new computer. Heck, when I add a gmail account on one of my devices, I get an email notifying me of the recent activity. Why wasn’t Gaile sent a notice each time the attempt was made, so she could then notify Support from her authorized email that “someone is trying to hack in, it’s not me” and have that added as a flag?
GW1 is in Maintenance mode. I can’t see a company adding this type of security to a game that is probably not making them any money. It is very unfortunate.
What it comes down to is that each company provides the least security they think they must have. And these are “just games”.
(edited by Djinn.9245)
Wait so, this wasn’t the real Gaile? Sucks, I guess she missed out on meeting a fantastic person such as myself, maybe if she gets lucky enough for our paths to cross again.
No that was the real Gaile. Only her GW1 account was hacked.
This is her GW1 character (after the hacker gave her items away):
Ugh. That screenshot. The people cheering the guy on and willingly taking her stuff are just as gross as the guy himself.
Exactly. And I bet the hacker brags to people in Real Life who don’t dis him for it. If no one was friendly with people who were criminals / cheated, less people would do it.
@Gaile…
Feel real deeply how this must have hit you, so sorry you were unlucky enough to experience the ‘dark’ side of the game community in this way.
If you need ANYTHING in the way of gold/gear/materials that the Company can’t restore for you, drop me a PM ingame or through the Forum – if I have it it’s yours, just to remind you the community cares and because years ago when I was first starting out we met once in pre-AC GW1 and you were kind enough to help me (Femaura Silverfox) with a ‘social’ problem involving another player.
On a related topic, if you or Anet haven’t already spotted it, maybe take a close look at the reddit posted screenshots of chat by the kitten responsible – those showing two GM command lines. Suggest you ask/push reddit to take those down, just in case.
Breeze
I feel there’s more to the CS story than is let on, but that is another issue, and I think, one for Anet themselves to address and sort out.
As for the hacker — social engineer (No real hacking seems to have been done) — Personally, I find his behaviour reprehensible.
What he did is certainly not white hat. He gives people in the infosec industry a bad name. This is the sort of thing that breaks trust, not builds it. It hurts people. Any “point” he wanted to make is destroyed and overshadowed by his own narcissism. He was on a power trip, not trying to “point out the issues” to ANet regarding the security.
If he wanted to do that, he would have PMed Gaile and said “Your account was compromised in this manner. Please get them to adjust their security protocols”, changed her password randomly and then deleted his own access to her account.
There’s nothing noble or good, that was done here.
(edited by CathShadow.9507)
Everyone who thinks hacking to prove a point is acceptable should have a conversation with those sitting in prison who also thought it was acceptable. Gaile I hope you get all your stuff back. Oh and they also stole no matter whether they kept it or gave it away. It was not theirs to do anything with. Sad to see people that believe that the (criminal(hacker)) is not fully accountable for their behavior. And worse find it acceptable to blame the victim.
nice reaction..
“bla… we are sorry… security is important… bla” – deal with it
You need help. In other news, I’m sorry you lost your GW1 items Gaile and I hope you’re able to recover them through Anet ><.
People asking for more security, why? Security is in place, but support can always circumvent that if they want, even with 2 auth.
But why? Gw1 is an old game, a lot of players once played that and maybe want to get their account back after years. So Anet was rather easy in questions, as a lot of them didn’t know specifics about their account.
Not many people are also interested in stealing a gw1 account now. So there was a hacker (I don’t call it a hacker), who thought let’s give Anet a lesson now. Probably he was doing this since a long time on unknown accounts, but now he thought let’s take Gaile’s account for fun.
Some people say: nice, he has done that to let Anet know to give some more attention to gw1. A Robin Hood in gw1?
Let’s see what he has done:
1. From now on, honest people trying to get their account back in gw1 will have a hard time, probably they never will.
2. Instead of reporting this flaw, he misused the account.
Not for me to say what they have to do to prevent this again but I’m sure they did already and this will not be in the interest of most players.
So again thx fake hacker.
ps. Sry Gaile, he just destroyed everything you stand for, don’t let it come to your heart. The very most people appreciate what you do for them, so please go on like you did.
Don’t mix the message the activist tried to send, with mean reactions from community. It’s two very separate things. I know activism can hurt but it has its purpose, do you disagree?
This wasn’t an “activist”, this was a criminal. If someone wanted to simply bring the issue to Anet’s attention, they could have gotten the account info, recorded doing it, and given that information directly to Anet. No need to access her account at all.
This is not how the majority of companies work. Unless you can do a lot of damage to their services and/or reputation they will not bother.
Damage and reputation are 2 things; as I can see, they reacted relatively fast to direct damage. They are also open in communication, otherwise this post won’t be open, so I give them credit; the majority of companies will act otherwise. Also given the fact they try to make the accounts as secure as they get, without losing the human aspect, it’s a difficult balance.
(edited by RedZebra.2345)
I’m sorry this happened, Gaile. I’d be extremely upset if something like this happened to me. Can Anet roll back your account to before it was stolen?
Don’t mix the message the activist tried to send, with mean reactions from community. It’s two very separate things. I know activism can hurt but it has its purpose, do you disagree?
This wasn’t an “activist”, this was a criminal. If someone wanted to simply bring the issue to Anet’s attention, they could have gotten the account info, recorded doing it, and given that information directly to Anet. No need to access her account at all.
This is not how the majority of companies work. Unless you can do a lot of damage to their services and/or reputation they will not bother.
You can damage their reputation through proving that you have been able to access accounts, not through hurting one person who isn’t responsible for security.
This happens in all industries everywhere. Years ago, when the internet and all this was new and this began to happen, it irritated me so much that I took it upon myself to enter the server security field and dedicate my career to beating those at their own game. I’ve seen every “excuse” in the book, I’ve seen just about every way of doing this… nothing changes the fact that wrong is wrong… socially inept vigilantism is the most cringeworthy excuse I’ve seen for those examples. Odd, you could have just applied a simple principle everyone learned in Kindergarten… “if it’s not yours don’t touch it”
Bottom line is, this is something that will continue to happen in small percentages, this is a constant vigilance that needs to be maintained and is. Accessing accounts for any reason is wrong, damaging, and the consequences should be severe for each and every person that not only did the account compromise but those who participated in knowing it was being done and doing nothing about it. They are the future ones who have obviously made their viewpoint on account compromise known as acceptable so are a danger as well.
Last thing… and most important. People are people, not computers, they are not perfect, that is exactly why procedures and protections are put into place in the first place. Mistakes will be made… it’s the nature of the business, the people business that makes it so unpredictable. Every angle, every step, one step ahead at all times is an unacceptable expectation, it’s not possible. 20 years’ experience says it’s not physically possible. Do not blame the victim, blame the “kitten” who took it upon themselves to do this.
Not to worry though, they will be found, the hole they crawled in on will be not only closed but vigilantly watched from this point forward. Each time, the holes close tighter and tighter. People like me, and others, laugh in your face when we close your spider holes, another pest eliminated, crying and denouncing us and our procedures all the way. “If it’s not yours, don’t touch it.”
J.R.R. Tolkien, The Lord of the Rings
You are now my favorite person for the day.
~EW
Yes, so much this.
I have just found out about this whole story… It makes me sick from any angle.
Sick of hackers who, as Gaile said, hurt and even terrorize others in their way just to prove something.
Sick that they actually proved their point.
Sick that the ones that allow hackers to prove their point play as “the victims”…
To me all 3: the hacker, the CS and the “great policies” of this game, are bad, the 3 need to change, the 3 need to be fixed.
I personally dislike how, from Anet, both MO and Gaile try to put the hacker as the only one “bad”. He/She is not the only one… The CS who gave Gaile’s account to the hacker and the policies that allow a CS to do that are both equally wrong. You guys in Anet can’t fix the personality of the hacker or his motivations (though you may pursue him), but you definitely can protect against him and fix your CS issues and your policies… And not only should you, after what has happened I think it is clear to all (at least to all outside Anet) that you must. Putting on a victim hat in this situation is not the solution, at all.
And yes, I understand we are all humans, no one is perfect and we all make mistakes in life and in jobs. But I also understand that Anet is not a charity company, if someone makes a huge mistake, it must be fixed. And precisely because no one is perfect and we all know it, we should be able to identify when someone was not perfect or when a policy is not perfect (and when I say “perfect”, I actually mean at least “good enough”)
Not only for the company’s sake, but for the guy who committed the mistake. Most of the time you learn better from your failures, thanks to the consequences of those failures. If the consequence for that CS is telling him that he was a victim and that a bad person has played with him… he will never learn, and neither will the company.
So to me the real issue is that you should not give a CS the power of changing an account mail, at least not with the current specifications. And if MO is true, and the policy is accurate and the hacker tried with other CSs that refused to change the email, and only 1 CS actually changed it, then what failed was that CS, not the policy. Either way, all is really easy to fix: either change the CS or change the policy or both. And pursue the hacker so he/she can stop terrorizing the company, the game and the players.
But stop playing victim, and assume responsibilities. A hacker can’t hack something that can’t be hacked… and if something is hackable, it is childish to blame the hacker for it.
That said, I think it is fair to end by saying that GW2 doesn’t have these problems, only GW1. They could not access Gaile’s GW2 account. So the problem is more distant than it seems
(edited by Silicato.4603)
Why do you think they didn’t already fix this? Certainly they won’t say how and when. The only one to blame is the would-be hacker. I have respect for some hackers who want to prove a point (they point out flaws in systems without doing damage, e.g. the https security), but certainly not for him.
(edited by RedZebra.2345)
But stop playing victim, and assume responsibilities. A hacker can’t hack something that can’t be hacked… and if something is hackable, it is childish to blame the hacker for it.
I really hope you mistyped something in that statement, because otherwise you are ABSOLUTELY AND OBJECTIVELY WRONG.
First, nothing online is unhackable.
Second, by the logic of your statement: it is childish to blame the guy who drinks, drives and runs over someone because he’s old enough to buy alcohol and have a licence. It’s childish to blame the guy who paints graffiti all over the walls because he can buy spray paint and someone built a wall. It is childish to blame a pet abuser because their pet is close enough to kick. It is childish to blame the car thief, because the car owner parked on the street.
Just because you can do something doesn’t mean it’s okay to do it, nor does it absolve you of responsibility when you do it.
The hacker chose to hack, they chose to hurt someone, and the blame AND consequences rest on them because THEY MADE THAT CHOICE. There is nothing childish about that.
~EW
(edited by EphemeralWallaby.7643)