Password theft (Community)


rocambole

May 15, 2002, 8:21pm
Today one of the veterans of AW - rypp - who is a well-known citizen of Pata
and other worlds - suddenly couldn't enter AW - his name didn't exist
anymore. He entered as a tourist and found out that his name had been
replaced with Legato on his buildings. If anybody knows this Legato or meets
him remember he is a thief and treat him like this asshole deserves.
If you have info about how password/identity theft is done and - even more
important - how to prevent it, please tell!
rypp wanted to write to this newsgroup himself about the theft - but since he
no longer had any identity or password he wasn't allowed. rypp has contacted
AWcorp and hopefully they will act quickly and give him back his stolen
identity.

Rocambole

agent1

May 15, 2002, 8:54pm
The only thing I can think of that would be within the grasp of the
"average" computer user would be if the legitimate citizen shared
(intentionally or otherwise) their password with this person. Of course,
this doesn't make it right to use someone else's information, but people
should be careful with their passwords.

-Agent1


chickengurl

May 15, 2002, 9:00pm
That sort of stuff happens daily, why make a scene?


carlbanks

May 15, 2002, 9:00pm
I remember back when I was a newbie someone IMed me on AIM saying they were
Enzo and I had to give them my pw; took me 1 hour to get account back. I hate
people who steal accounts.


alphabit phalpha

May 15, 2002, 9:51pm
Hi Roc:)

Sorry to hear about Rypp's problem:(
Did he keep pw info in a file in his pc somewhere and was possibly
hacked?
Did he share his pw with anyone?
Hopefully he will get it back quickly.
Please give him my best and tell him to get back soon!
Hugggs:)
Bit:)

alphabit phalpha

May 15, 2002, 9:53pm
People are taken advantage of (IRL) every day....why make a scene?
That is a rhetorical question btw...no need to reply:)


anduin

May 15, 2002, 10:00pm
Ok, so we know the average computer users could get it from someone else by
them being stupid enough to give their password.
But if this guy knows how to hack into someone else's machine, I would advise
something to you...

NEVER have your passwords on REMEMBER.
All they need to do is get your aworld.ini file which would have inside it
the following:

name=Anduin
pass=9bz80c221eaf9g0937246e
(NOTE, I scrambled and changed the pass, don't bother)

All they need to do from there is copy those 2 lines into their OWN
aworld.ini file or simply use that one, and they have your account! They
don't need a special program to unscramble the letters and numbers, they
just need to place it in an aworld.ini file... It's much like people do to
get others' MSN, Yahoo, AIM, ICQ passwords.

I guess another thing to say would be not to give anyone out there your
aworld.ini files if you save passwords or even privilege details, cause it's
all in there.

Ok, so the script kiddies that read this post have learnt a new way to get
details, so what, this will teach those that don't know how to protect their
account to NOT SAVE PASSWORDS!

I have more to say:

> rypp wanted to write to this newsgroup himself about the theft - but since he
> no longer had any identity or password he wasn't allowed.

I never thought the newsgroups were so fast at changing details to log in...
Especially under 1 day... You can get your account expired from AW and still
post in the groups for a few more days, sometimes more than a week.

--
Anduin
Citizen 317281
http://www.anduin-lothario.com




brant

May 15, 2002, 10:38pm
Well, in 3.2 that's not possible, because Roland implemented an encryption
algorithm that's different on each computer. Thus, you couldn't just copy
the aworld.ini information anymore.


brant

May 15, 2002, 10:39pm
Well, the "average" computer user could also guess the password on an E-Mail
account, or even easier, guess the answer to the hint question of a Hotmail
or Yahoo account, especially if it's your mother's maiden name - that sort
of information is easy to locate. If someone was able to delete 200,000
objects in AWTeen this way, they could easily steal a citizenship and change
its name :)


silenced

May 15, 2002, 10:43pm
If you're a serious hacker and know enough about computers, you could
probably easily convert it.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


agent1

May 15, 2002, 11:13pm
Well, if someone is lazy enough to use the same password on both their email
account and for Activeworlds, maybe they deserve a wake-up call...

-Agent1


dion

May 15, 2002, 11:27pm
I do. But I make bullshit questions for the hints and stuff :-P Oh well ;-)


dion

May 15, 2002, 11:28pm
But you'd have to have the information of the computer you got it from.


silenced

May 15, 2002, 11:46pm
Easily obtained. Just get a person to run a program which gathers hardware
information without their knowledge. There's lots of ways around that. He
could've even given a bot out that stole his password, it's happened before.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


anduin

May 15, 2002, 11:47pm
Actually, you can. I've done it with my sister's account, works well.
She has AW in a separate folder on the network, got her ini file, copied
those 2 lines, and logged in as she had remembered password.

I did this as a test, warned her to stop remembering her password, so
obviously this 3.2 feature doesn't do much work.

--
Anduin
Citizen 317281
http://www.anduin-lothario.com

chickengurl

May 16, 2002, 12:56am
Go die in a field


jerme

May 16, 2002, 1:06am
The lag time and differences are most likely due to the way the universe
server (which keeps track of cits) synchronizes its information with the
news server. (These could be running on the same machine, most likely not
though.) Most news servers are based off of the username/password database
of whatever system they are running on. Thus, you must have a username and
password on the news server for your post to be accepted.

What I believe is happening is this: When you change your password the
Universe server contacts the news server and changes your password, not only
on the universe server, but on the news server.... However, the Universe
server does not keep track whether or not your account has expired
constantly. The account being non-expired is checked once each time you log
on. If you're over your 1 year then you just simply won't be able to log in,
no further action is taken. So, daily, weekly, or just whenever they feel
like it, AWC runs a program that compares the news groups user list to the
Uniserver's group list and removes the expired cits. This would explain the
lag between expiration and deletion of NG rights.

Again, this is just my educated guess... Talk to Roland or one of the other
development team members if you want to know the details.

-Jeremy

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeremy Booker
JTech Web Systems
(www.JTechWebSystems.com -- Coming Soon)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

dion

May 16, 2002, 2:52am
That was extremely uncalled for.


ananas

May 16, 2002, 5:16am
Maybe it would be a good idea to have a second password
for an AW web page, where you can maintain your AW citizenship
and get your citizenship back from thieves, as well as
maintain all citizenships that come with your own worlds.
It should be a password that isn't used anywhere else in AW,
so there's no chance at all to steal it.

I hope rypp can get his cit. back soon, currently it's still
Legato in my contact list :(


gandalf

May 16, 2002, 7:21am
Actually, the person who hacked the account requested for a password to be
sent to the account, then once he had control of the hotmail account, they
were able to retrieve the password, and log in. Simple, yet very effective.
So be warned! If you have anyone coming up to you asking funny questions
like "What is your pet's name" for no reason, don't tell them.

anduin

May 16, 2002, 10:05am
My question on Hotmail is "What is my Pets Name?" And my answer would happen
to be something like lkhfglkj3lkjqlkjfdlkjq4lkj34
I don't even know what it is...
I simply don't forget my passwords...

--
Anduin
Citizen 317281
http://www.anduin-lothario.com


kah

May 16, 2002, 3:18pm
"anduin" <anduin at NOSPAM.centercom.com.au> wrote in
news:3ce30fc0 at server1.Activeworlds.com:

> Actually, you can. I've done it with my sister's account, works well.
> She has AW in a separate folder on the network, got her ini file,
> copied those 2 lines, and logged in as she had remembered password.
>
> I did this as a test, warned her to stop remembering her password, so
> obviously this 3.2 feature doesn't do much work.

uh, you said on the network, it wouldn't happen to be on the same
HD/machine, would it?

KAH

dion

May 16, 2002, 6:13pm
same here :-P


alphabit phalpha

May 16, 2002, 8:09pm
Please don't be upset with Chickengurl Dion:)
I'm sure she was just having a bad day....or something:)


anduin

May 16, 2002, 9:22pm
Hey,

> uh, you said on the network, it wouldn't happen to be on the same
> HD/machine, would it?

Well, I have 2 other PCs connected to this one. But I also have Windows XP
and had two installations of ActiveWorlds 3.2 with separate caches,
contacts, aworld.ini and everything. Windows XP allows you to do such if you
know how without making both programs screw up ;)

That may explain though, why the aworld.ini file worked?
I guess it just doesn't work on separate computers and hard drives eh? Good
enough :)

--
Anduin
Citizen 317281
http://www.anduin-lothario.com


dion

May 16, 2002, 11:02pm
Every day's a bad day for Chickengurl :-P


joeman

May 16, 2002, 11:52pm
The encryption is based off of the computer's hard disk serial I believe. If
someone were to steal your 3.2 aworld.ini and use it on another hard disk
with a different serial, it should not work. Although, the serial may not
even be the key. I heard something about the serial somewhere, and I
believe that this is what it's for. I doubt you'll get much out of Roland
about how the key is generated ;).

-Joe
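
An added example, not part of the thread and not Active Worlds code: a hypothetical machine-bound `pass=` value of the kind the posts above describe, showing why the two ini lines load on the machine that wrote them and fail on another. The key derivation, the stdlib-only cipher, the function names and the sample identifiers are all assumptions; the real 3.2 algorithm is not given on this page.

```python
import hashlib, hmac, os

def _keys(machine_id, salt):
    # Derive encryption and MAC keys from a per-machine identifier.
    k = hashlib.pbkdf2_hmac("sha256", machine_id.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (illustration only).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(password, machine_id):
    """Return the hex value a client would write after pass= in its ini file."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(machine_id, salt)
    ct = _xor_stream(enc_key, nonce, password.encode())
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return (salt + nonce + ct + tag).hex()

def unseal(blob_hex, machine_id):
    """Return the password, or None if the value was sealed on another machine."""
    raw = bytes.fromhex(blob_hex)
    if len(raw) < 64:
        return None
    salt, nonce, ct, tag = raw[:16], raw[16:32], raw[32:-32], raw[-32:]
    enc_key, mac_key = _keys(machine_id, salt)
    good = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # caller falls back to prompting for the password
    return _xor_stream(enc_key, nonce, ct).decode()

def login_from_ini(ini_text, machine_id):
    """Parse name=/pass= lines and try to recover the saved login."""
    fields = dict(l.split("=", 1) for l in ini_text.splitlines() if "=" in l)
    pw = unseal(fields.get("pass", ""), machine_id)
    return (fields.get("name"), pw) if pw is not None else None

# Constructed sample data: the identifiers, name and password are made up.
MACHINE_A, MACHINE_B = "disk-serial-AAAA-0001", "disk-serial-BBBB-0002"
INI_ON_A = "name=ExampleCitizen\npass=" + seal("constructed-pass", MACHINE_A)
```

`login_from_ini(INI_ON_A, MACHINE_A)` succeeds from any folder on machine A, while the same text with `MACHINE_B` returns `None`. The identifier is not a secret to software already running on that machine, so the binding covers a copied file only; not saving the password covers both cases.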


grimble

May 17, 2002, 4:22am
It's a common solution. The Rational suites use that or the NIC serial
number for the same purposes on their node-locked licenses. If it's good
enough for software retailing in the tens of thousands of dollars, it must
be reasonably safe.


ananas

May 17, 2002, 5:21am
I don't forget my passwords either - but I often forget
which one I used where *g


silenced

May 17, 2002, 9:44am
Hmm.. it's based on something from within the OS. Maybe the OEM #? Because
every time I go to Linux and run AW it asks me to re-enter my password. Then
when I go back to Windows, it asks again. No other time will it. Odd.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12

