


Submission + - Blizzard's Warcraft servers compromised by hackers (wow-europe.com)

Phil Duffy writes: "Blizzard's Warcraft servers compromised by hackers

Blizzard's World of Warcraft servers have been compromised by hackers and are allowing users' accounts to be logged into and modified without the owner's authorization. This is a repeat of the issue that Blizzard's Diablo II servers experienced in December 2000. Accounts are logged into, characters are stripped of their items, used to farm gold, and are even deleted. Through the experience related below as well as others posted on the official World of Warcraft forum (forums.wow-europe.com), it is obvious that this is a security issue originating with Blizzard and not with the end user.

When contacting Blizzard's account support for assistance on resolving the issue, players are constantly pressured to buy a Blizzard authenticator for their account. However, various players' experiences have proven that this authenticator can be removed by social engineering. Game Masters (in-game assistance) are slow to respond and can do little to resolve the issue and prevent the account from being logged into once hacked, regardless of account name change, password resets, booting the hacker from the server, etc. Account support has been able to track the IP of a hacker and yet still been unable to prevent reconnection.

These hacking incidents seem to initiate when the player's account is merged into a Battle.net account without their permission. The Battle.net account setup and merge process is inherently insecure and allows account modification without the confirmation of the account owner via the original email address. A standard security feature for most sites is that any account modification must be confirmed through the registered email. Even YouTube is superior to Battle.net in this respect. If you try to log into YouTube and have forgotten your password, you may initiate a password change request which is then sent to the registered email address. Once the email is received, a link may be selected within it to return the user to the YouTube password reset screen. However, if you forget your Battle.net account, or feel like hacking into one, you may initiate a password change request on the Battle.net site and are immediately prompted to answer your security question. Once the correct answer is entered, a new password may be chosen. The only verification required is the answer to the security question. And let's be honest, it's not too difficult to figure out a mother's maiden name. Also, submitting the answer may be attempted any number of times. The only notification the owner receives in their email is a message stating that the password was changed and that they may contact account support if they did not initiate this change. Given this standard procedure Blizzard has chosen, their only responsible course of action is to provide 24-hour account support. However, Blizzard Europe does not provide evening or weekend support. For a company that receives over $190 million per month in subscriptions, their account support center is either severely understaffed or simply does not choose to provide adequate account support and security.

Even for accounts that are originally hacked through an end user's compromised computer, such as through a keylogger, the user is unable to resecure their account once they have regained access to it and resolved their computer's security problem. This is because even once they have regained access to their account, unmerged it from the unauthorized Battle.net account, removed any added Blizzard authenticator, and changed their email and/or password for it, they are unable to change their security question and answer. Once you obtain the security answer for an account, you may always reset the password for it. This feature is another indication that this current security breach is on Blizzard's end. As seen from the experience related below, the account password was never changed by the hacker. If the hacker was using a keylogger and/or had access to the user's personal system, they could have easily locked the user out of their account.

Below is a post from the official World of Warcraft — Europe forum. It is referenced with the writer's permission. It was submitted to the wow-europe.com forum on September 4, 2009. At the time that this story is submitted to the media, there has been no forum response from Blizzard to the request for assistance, although multiple players have responded that they have experienced a similar situation. The original post and responses are located at http://forums.wow-europe.com/thread.html?topicId=10711183739&sid=1.


Battle.net / Login servers Compromised

Early this week, I posted regarding this issue, and my post was deleted. I'm now posting again hoping that Blizzard might actually deal with a problem that is very real.

Two of my accounts were hacked on Sunday, Aug. 30th. The hacker bound my account to a battle.net account. I scanned my PC with AVG, Spybot and Avast, which all came back clean. I called Blizzard on Monday to have my account unbound.

So, Blizzard unbinds my account, resets my password, and when I try to log in with the new password, the hacker is still on my account. I log into my 2nd account, contact a GM, the GM kicks the hacker offline, and then I log in as well as change all my passwords. Within 1 hour the hacker is back on my account. Then I bind my account to my own battle.net account, change the passwords etc, and within minutes the hacker is back on the account. At this point I call my wife who is at her office. I give her the passwords to my battle.net and email and ask her to change them from her work. She works in IT support; her system is on a secured network and has never had Warcraft run on it. Within 2 minutes the hacker is back on my account. Throughout this time I've been logged into my 2nd account watching him, and at this point I've given up.

I wait till the next day as Blizzard phone support is closed for the evening. Tuesday I call Blizzard again. I get the same person on the phone as on Monday. This person was no use at all. When I ask her why this is happening, she can't give me an answer other than "buy an authenticator". Then she says she only works in Billing. I ask to speak to someone in technical support; she refuses to do that, but she asks for my contact number and says she will have technical support call me. So I give her my number and wait for technical support. What a surprise... no phone call.

So I call them again. This is now Wednesday, and I get someone who seems to actually know something. He checks IP logs. At first he can't see anything, but just then the hacker logs onto my account. I tell him "He is on right now", so he contacts a GM. I tell him everything that's happened. He finds it hard to believe, so he sets up a new battle.net account for me on his PC. I make a new email address, the GM kicks the hacker and all seems well. He also suggests that the only thing to do is to format the PC and get an authenticator if this happens again. Well, within an hour the hacker is back on again.

At this point I am really tired. I log onto Blizzard's store, and I try to buy 2 authenticators. They are sold out, so I drive to Best Buy and I buy one new 500 GB SATA drive and one brand new laptop. I disconnect my desktop, I unplug both of my old SATA drives, I put in the new drive and I format it and install Windows XP. On my new laptop, I make a new email address, and I change my passwords and email address for my battle.net account. I download WoW while Windows is installing on my desktop. 3 hours later it's downloaded and installed. I log on, and the hacker is on my account. He gets disconnected several times because I'm also connecting. He seems to give up and logs off. Thursday goes by and there's no sign of the hacker on either account. I check Blizzard's website, and they have authenticators back in stock. I order two. Today comes, I wake up, I log on and guess what? Hacker's back on my account farming again. I try to call Blizzard, this time very angry, and phones are closed early since it's Friday. And, of course, down all weekend.

Now, I have worked in IT support for Morgan Stanley. I have a CCNA. My wife works in IT support for a major pharmaceutical company. We are hardly IT illiterate. I have never in all my years and experience seen anything like this. What this tells me is that Blizzard's database on their login server or another area has been compromised. I would like some kind of response if anyone, particularly Blizzard, can give a straight and honest answer about this issue."
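The two reset flows the submission contrasts, as an added example that is not Blizzard's, Battle.net's or the submitter's code: a reset gated only by a security-question answer with no attempt limit, beside a reset gated by a single-use, expiring token delivered to the registered e-mail address, which also invalidates every live session when it completes (the forum post describes the intruder staying on the account across password changes). The account record, names, questions, answers and the e-mail "outbox" are all constructed for the example and model no real Battle.net field.

```python
import hashlib
import hmac
import secrets
import time


class Account:
    """Constructed account record; nothing here models a real Battle.net field."""

    def __init__(self, name, password, question, answer, email):
        self.name = name
        self.password = password
        self.question = question
        self.answer = answer.strip().lower()
        self.email = email
        self.session_epoch = 0         # bumped to invalidate every live session
        self.reset_token_hash = None   # sha256 of the outstanding e-mail token
        self.reset_token_expiry = 0.0


class WeakResetService:
    """Reset gated only by the security answer, as the submission describes:
    no e-mail round trip, no attempt limit, and live sessions survive it."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def reset(self, name, answer_guess, new_password):
        acct = self.accounts.get(name)
        if acct is None or acct.answer != answer_guess.strip().lower():
            return False               # the caller may simply try again
        acct.password = new_password   # no session invalidation
        return True


def brute_force_answer(service, name, wordlist, new_password):
    """Attacker loop: with unlimited guesses a short wordlist is enough.
    Returns the answer that worked, or None."""
    for guess in wordlist:
        if service.reset(name, guess, new_password):
            return guess
    return None


class HardenedResetService:
    """Reset gated by a single-use, expiring token sent to the registered
    e-mail address; completing the reset also ends all existing sessions."""

    TOKEN_TTL = 15 * 60   # seconds

    def __init__(self, accounts, outbox, clock=time.time):
        self.accounts = {a.name: a for a in accounts}
        self.outbox = outbox   # list standing in for the e-mail sender
        self.clock = clock     # injectable so expiry can be exercised

    def request_reset(self, name):
        acct = self.accounts.get(name)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            acct.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
            acct.reset_token_expiry = self.clock() + self.TOKEN_TTL
            self.outbox.append((acct.email, token))   # only the owner sees it
        # Identical reply whether or not the account exists: no enumeration.
        return "If that account exists, a reset link has been e-mailed."

    def complete_reset(self, name, token, new_password):
        acct = self.accounts.get(name)
        if acct is None or acct.reset_token_hash is None:
            return False
        if self.clock() > acct.reset_token_expiry:
            acct.reset_token_hash = None   # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        acct.reset_token_hash = None       # single use
        acct.password = new_password
        acct.session_epoch += 1            # every session minted before now dies
        return True


def session_is_valid(acct, session_epoch):
    """A session carries the epoch it was minted under; after a reset only
    sessions from the new epoch are accepted."""
    return session_epoch == acct.session_epoch
```

The weak service is broken in two independent ways: the answer is the only secret, and nothing limits how many guesses an attacker gets, so a short list of common surnames wins. The hardened service never compares the security answer at all; the token hash, expiry and single-use flag do the work, and bumping `session_epoch` is what actually ends an intruder's session, which a password change alone does not do in this model.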


Journal: Slashdot port scanning

My logs today revealed the following two port scans.

Fri, 2009-09-04 15:24:10 - TCP Packet - Source: Destination:X.X.X.X - [PORT SCAN]
Fri, 2009-09-04 15:24:12 - TCP Packet - Source: Destination:X.X.X.X - [PORT SCAN]

So I'm left wondering why Slashdot is port scanning from


Submission + - Is a CS PhD worth it ?

An anonymous reader writes: I am a CS grad working in a startup. The job is pretty enjoyable and the people around me are great. However, thinking of life beyond this startup scares me, since most job postings seem to be full of buzzwords (SOAP/XML/RoR etc.) and my current job involves none of these (one of the reasons which makes it fun). For a long time, I have been thinking whether I should chuck it all and go back to school for a PhD. I am extremely passionate about CS and can pretty much imagine myself working in CS-related areas for the rest of my career. The problem is that I am not sure whether the 4 year or so effort is worth it.
Is finding a challenging CS-related job really difficult for a guy with just an MS degree?
Do PhD-holding/about-to-acquire Slashdotters have any regrets about getting it?
More importantly, in these times of economic hardship, does it make any sense to chuck a high-paying job for 4-5 years of almost no earnings and an uncertain future?

Submission + - Blizzard ignores huge problem in Warcraft

blast3r writes: "Blizzard has been aware of a serious problem where players are unable to enter Instances (Dungeons), where at some times it can take over an hour to get in. The problem originated earlier this year when they were trying to fix overpopulation of these instances, which would often cause the instance to crash and the players would have to start over. They are saying they need to tweak hardware (July 2, 2009) yet refuse to give updates to their customers and are even banning those that are complaining in this thread. This is not a very good situation for Blizzard, especially since Blizzcon is just around the corner. So what did Blizzard do with the hundreds of millions of dollars they made between early this year and the release of patch 3.2? Everyone knows that new patches generate more traffic. In any event, their PR people probably need to be prepared to meet some disgruntled customers!"

Submission + - US cell phone plans amongst world's most expensive (oecd.org)

Albanach writes: An OECD report published today has shown moderate cell phone users in the United States are paying some of the highest rates in the world. Average US plans cost $52.99 per month compared to an average of $10.95 in Finland. The full report is available only to subscribers, however Excel sheets of the raw data are available to download.

Submission + - GSA Web-Tracking Plan Stirs Privacy Fears

quadwrench writes: The GSA under the Obama administration is considering revamping a policy that allows tracking of users' website visits. I'm posting this because it could be easily construed as a slippery slope for web tracking by agencies. "U.S. Web-Tracking Plan Stirs Privacy Fears" http://www.washingtonpost.com/wp-dyn/content/article/2009/08/10/AR2009081002743_pf.html

Submission + - The Future of Farming (popsci.com)

eldavojohn writes: With hunger being a major problem in the world, PopSci offers eight innovations in farming that are currently being tested and implemented. They are: farming the desert, soil sensors to cut fertilizer/water waste, genetically engineering rice, using nitrogen collecting microbes in place of fertilizer, gathering extensive data on land to improve usage, robot labor, biochar (nutrients for plants while sequestering carbon) and supercrops like a super resistant, super nutritious bioengineered cassava (also known as yucca). While some of the estimates on these things are five or six years into the future, many are already in place and available.

Submission + - Torrents Being Honey Potted

digital_gods writes: The company MediaSentry, a unit of SafeNet, Inc. owned by ARTISTdirect, Inc., is targeting P2P downloaders of torrents. They have recently unleashed a new anti-piracy strategy of honeypotting torrents in order to discover downloaders' IP addresses. Upon the discovery of a downloader's IP address, they contact the ISP of the IP address. They're sending out letters informing the ISP about the downloader's recent activities. In return the ISPs are sending out warning messages and/or canceling service because of violations of Terms of Service. I just recently received one of their letters, which included a strong-arm push towards purchasing a legal copy from iTunes. Attached is the letter I received.
RE: Unauthorized Distribution of the Copyrighted Published Work Entitled Harry Potter and the Prisoner of Azkaban (Document)

Dear ISP Customer:

On behalf of the rights holder for the content listed below, we are writing this letter to state that we have a good faith belief that the unauthorized sharing (distribution) and downloading of this content has occurred by an individual making use of the IP address below at the date and time referenced at the end of this notice.

Harry Potter and the Prisoner of Azkaban (Document)
xxx.xxx.xxx.xxx

We also state, under penalty of perjury, that the information in this notice is accurate and that we are authorized to act on behalf of the rights owner. Since you own this IP address, we request that you inform the individual who engaged in this conduct of the following: Unauthorized file sharing is illegal. However, we truly appreciate your interest in Harry Potter and the Prisoner of Azkaban (Document). We are making every attempt to provide this wonderful content to you in a host of legitimate ways, one of which is through the following website: http://www.apple.com/itunes

If you believe you have received this notice in error, please contact us at CLCopyright@mediasentry.com, and kindly include this identification number xxxxxxxxxx, also noted above, in the subject line. Thank you for your cooperation in this matter.

Respectfully,
A Kempe
MediaSentry Operations

— INFRINGEMENT DETAIL —

Infringing Work: Harry Potter and the Philosopher's Stone (Document)
First Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
Last Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
IP Address: xxx.xxx.xxx.xxx
IP Port: xxxxx
Protocol: BitTorrent
Torrent InfoHash: 64C9951D7A910E5BAF24CB3512B7DECBEA0245E3
Containing file(s): eBooks & Texts.torrent (2,554,748,198 bytes)

Infringing Work: Harry Potter and the Chamber of Secrets (Document)
First Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
Last Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
IP Address: xxx.xxx.xxx.xxx
IP Port: xxxxx
Protocol: BitTorrent
Torrent InfoHash: 64C9951D7A910E5BAF24CB3512B7DECBEA0245E3
Containing file(s): eBooks & Texts.torrent (2,554,748,198 bytes)

Infringing Work: Harry Potter and the Prisoner of Azkaban (Document)
First Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
Last Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
IP Address: xxx.xxx.xxx.xxx
IP Port: xxxxx
Protocol: BitTorrent
Torrent InfoHash: 64C9951D7A910E5BAF24CB3512B7DECBEA0245E3
Containing file(s): eBooks & Texts.torrent (2,554,748,198 bytes)
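A parser for the infringement-detail format in the letter above, added here as an example (it is not MediaSentry's or the submitter's code); it is the kind of check an ISP abuse desk would run over such notices before turning them into customer warnings. The sample is a copy of the letter's detail block laid out one field per line, with the redacted IP address and port replaced by constructed documentation-range values; everything else in it comes from the letter as quoted.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the detail block from the notice above, one field per
# line. The notice redacts the IP address and port, so documentation-range
# placeholders stand in for them here.
SAMPLE_NOTICE = """\
-- INFRINGEMENT DETAIL --
Infringing Work: Harry Potter and the Philosopher's Stone (Document)
First Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
Last Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
IP Address: 198.51.100.23
IP Port: 51413
Protocol: BitTorrent
Torrent InfoHash: 64C9951D7A910E5BAF24CB3512B7DECBEA0245E3
Containing file(s): eBooks & Texts.torrent (2,554,748,198 bytes)
Infringing Work: Harry Potter and the Chamber of Secrets (Document)
First Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
Last Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
IP Address: 198.51.100.23
IP Port: 51413
Protocol: BitTorrent
Torrent InfoHash: 64C9951D7A910E5BAF24CB3512B7DECBEA0245E3
Containing file(s): eBooks & Texts.torrent (2,554,748,198 bytes)
Infringing Work: Harry Potter and the Prisoner of Azkaban (Document)
First Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
Last Found: 8 Aug 2009 00:36:43 EDT (GMT -0400)
IP Address: 198.51.100.23
IP Port: 51413
Protocol: BitTorrent
Torrent InfoHash: 64C9951D7A910E5BAF24CB3512B7DECBEA0245E3
Containing file(s): eBooks & Texts.torrent (2,554,748,198 bytes)
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z() ]+?):\s*(?P<value>.+?)\s*$")
TIME_RE = re.compile(r"^(\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d) \w+ \(GMT ([+-]\d{4})\)$")
INFOHASH_RE = re.compile(r"^[0-9A-Fa-f]{40}$")   # SHA-1 of the torrent info dict
FILE_RE = re.compile(r"^(?P<name>.+) \((?P<size>[\d,]+) bytes\)$")


def parse_timestamp(text):
    """'8 Aug 2009 00:36:43 EDT (GMT -0400)' -> aware datetime."""
    m = TIME_RE.match(text)
    if not m:
        raise ValueError(f"unparseable timestamp: {text!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d %b %Y %H:%M:%S %z")


def normalize(raw):
    """Type-check every field; anything off-format raises instead of passing."""
    infohash = raw["Torrent InfoHash"].upper()
    if not INFOHASH_RE.match(infohash):
        raise ValueError(f"bad infohash: {infohash!r}")
    port = int(raw["IP Port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    fm = FILE_RE.match(raw["Containing file(s)"])
    if not fm:
        raise ValueError(f"bad file field: {raw['Containing file(s)']!r}")
    return {
        "work": raw["work"],
        "first_found": parse_timestamp(raw["First Found"]),
        "last_found": parse_timestamp(raw["Last Found"]),
        "ip": ipaddress.ip_address(raw["IP Address"]),   # raises on garbage
        "port": port,
        "protocol": raw["Protocol"],
        "infohash": infohash,
        "file": fm.group("name"),
        "size": int(fm.group("size").replace(",", "")),
    }


def parse_notice(text):
    """One dict per 'Infringing Work' entry; each new entry starts a record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Infringing Work":
            current = {"work": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return [normalize(r) for r in records]


def distinct_observations(records):
    """Collapse entries naming the same peer in the same swarm at the same
    instant: that is the set of events the notice actually evidences."""
    return {(r["ip"], r["port"], r["infohash"], r["first_found"]) for r in records}
```

Once parsed, the three "infringing works" share one IP, port, infohash and timestamp, so the notice evidences a single sighting of one peer in one torrent's swarm, not three separate downloads. The validation raises on a malformed infohash, port or address rather than silently passing it through; a notice that fails it should not become a customer warning.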

Submission + - Green Cement Absorbs Carbon

Peace Corps Online writes: "Concrete accounts for more than 5 percent of human-caused carbon-dioxide emissions annually, mostly because cement, the active ingredient in concrete, is made by baking limestone and clay powders under intense heat that is generally produced by the burning of fossil fuels. Now Scientific American reports that British start-up company Novacem has developed a "carbon-negative" cement that absorbs more carbon dioxide over its life cycle than it emits. The trick is to make cement from magnesium silicates rather than calcium carbonate, or limestone, since this material does not emit CO2 in manufacture and absorbs the greenhouse gas as it ages. "The building and construction industry knows it has got to do radical things to reduce its carbon footprint and cement companies understand there is not a lot they can do without a technology breakthrough," says Novacem Chairman Stuart Evans. Novacem estimates that for every ton of Portland cement replaced by its product, around three-quarters of a ton of CO2 is saved, turning the cement industry from a big emitter into a big absorber of carbon. Major cement makers have been working hard to reduce CO2 emissions by investing in modern kilns and using as little carbon-heavy fuel as possible, but reductions to date have been limited. Novacem has raised $1.7 M to start a pilot plant that should be up and running in northern England in 2011."

Submission + - Hadoop Creator Doug Cutting Leaving Yahoo!

e9th writes: "The New York Times reports that Doug Cutting is leaving Yahoo! Cutting, the creator of Hadoop, will be joining Silicon Valley start-up Cloudera. His leaving Yahoo! makes sense, since Microsoft's Bing will be taking the place of Yahoo!'s own search engine, however Cutting states that he was in discussions with Cloudera before the Microsoft-Yahoo! deal was reached. The Register has a few more details."

Submission + - VMware Acquires SpringSource

Comatose51 writes: VMware today announced the acquisition of SpringSource. SpringSource is the privately held company responsible for the Spring framework for Java and other various Java development tools. According to the VMware blog, "... whether it's around speed of deployment, application performance guarantees, or providing resiliency in the face of component outages, we will be able to provide even more capabilities as we bring even more knowledge of the application and infrastructure layers together. We will do this by adding interfaces into vSphere that SpringSource offerings (and other application frameworks) can take advantage of and by extending our management and automation capabilities to be aware of these interactions."

Submission + - The iPhone SMS Hack Explained

GhostX9 writes: Tom's Hardware just interviewed Charlie Miller, the man behind the iPhone remote exploit hack and winner of Pwn2Own 2009. He explains the (now patched) bug in the iPhone which allowed him to remotely exploit the iPhone in detail, explaining how the string concatenation code was flawed. The most surprising thing was that the bug could be traced back to several previous generations of iPhone OS (he stopped testing at version 2.2). He also talks about the failures of other devices, such as crashing HTC's Touch by sending an SMS with "%n" in the text.

Submission + - Better Living Through Electromagnetic Radiation

Doug Treadwell writes: "Nason Schooler, who holds an M.S. in Pharmacology and Toxicology from the University of Louisville, believes it may be possible to use lasers to destroy lipofuscin — the junk inside our cells that builds up over time and likely contributes to aging. Similar lasers are already being used cosmetically to treat age spots. The next stage is to find out how to destroy this junk safely. Apparently, some test subjects have been known to explode. (Worms.) If Schooler's research is successful we could be one step closer to ending aging."

Submission + - PrankNet hijinks are considered cruel or funny?

BStorm writes: "The Globe and Mail in both print and online has a story about a group of anonymous "pranksters."
The gist is that members of PrankNet have been using VoIP and counting on anonymity to pull puerile pranks. Members are able to listen in on the prank as it is being performed. It started with members pretending to be radio DJs and convincing people to smash dishes on air by promising them $200.00. This behavior has escalated to where people have been conned into triggering sprinkler systems by a prankster claiming to be a person in authority.
This raises some interesting issues:

Should the anonymity of a prankster be protected?

If not, what steps should be taken that would protect privacy rights of most people, while enabling individuals and authority a means of identifying those responsible for pranks causing damage?"
