
Keylog Attack ~How My Story Ended~

#127 May 16 2007 at 11:24 PM Rating: Good
Scholar
***
1,590 posts
Can someone explain to me HOW this exploit is supposed to have worked.

Unzipping a .ZIP CANNOT run a program. Period (unless the specific unzip program has been exploited which no-one seems to be claiming).

Someone said there's a .INI file and a .EXE.

So? The process of unzipping the .ZIP file will simply create these two files in the target directory. NOTHING WILL CAUSE THE .EXE TO RUN!

So how is the act of unpacking the archive supposed to have launched the key logger?


I am in no way suggesting the OP is lying here, but something in the description of what happened is missing, simply running Winzip, unzip32 etc. will not have triggered the exploit.

Edited, May 17th 2007 3:24am by Kragorn
#128 May 17 2007 at 1:28 AM Rating: Good
*
63 posts
I am sure that it was explained in an earlier post on how a .zip file can be used to launch a program. It might have well been someone just confirming it is possible too, I don't rightly recall.

While I am not expressly sure if this applies but I do know that a few years back there was a case dealing with child pornography and the fact that the person obtained it from overseas servers. It was ruled that under current US law that while yes child pornography is illegal that they could do nothing to the company that was selling the photographs because neither the servers nor the company were US based.

SE is not a US based company and their servers are not in the US so I will wager a guess that US law applies no more to them than it does to the case involving the pornography.

There have also been a number of cases where identity theft has occurred through computers and servers in other countries and the investigating team from the FBI eventually had to drop the charges because they were powerless to go after the criminals.

US law or any country's laws only work inside that country, just because you or I live in the US does not mean in any way that those laws apply to anyone living outside the country regardless of whether or not we are using a service that they provide.

SE does provide protection against ID theft, it might not be very good but if it meets the standard in Japan (the country SE is based in) then I'm sure there is very little that can be done about it legally.

From a political standpoint I doubt there is a court in the US that would see a case dealing with a Japanese based company. For starters who is going to make them send a lawyer to the US for it, are you going to fly there and tell them to come. A court here could send a subpoena but it would mean little to them simply because they would receive no legal repercussion for not showing up. I am sure nothing in their laws state that they must attend court in the United States or any other country just because that country might want them to. If by chance they happen to be breaking Japanese law then you could most likely sue them for it but not before then.

At most if a court in the US made a ruling against SE they would have to discontinue service to the US accounts and stop selling their product here, no court is going to do that just to help you out. There is too much money in taxes and tariffs for them to care about a few gamers.

Think of it another way. It is legal to smoke pot in Amsterdam, there are companies in Amsterdam that will mail it to you. If you live in the US and place an order for some it will be caught by customs and not sent through. You will most likely see some police officers within a few days of that but the US is powerless to go after the company in Amsterdam. What they did was completely legal where they are. You just happen to have used their service and it not worked for you.

I really do hope that the OP gets his account back and I do feel that SE should be more responsible for such things but looking at it if they don't want to do anything about it then there isn't much that can be done. I'm sure they have a good team of lawyers that have already looked at these situations long ago and made sure that they couldn't be held responsible for such things.

Best that any of us can do is complain to them and when it threatens to hurt their profits they will do something about it, until then I do not hold out much hope for changes.

That is all from me, good luck, I am going to go to sleep.
#129 May 17 2007 at 1:52 AM Rating: Decent
*
133 posts
I read a lot of the posts, but scanned through the last few.
Why can't SE just make it impossible to change billing information without the previous billing information? It wouldn't be 100% foolproof, but maybe just enough to reduce a lot of stolen accounts. It may even hinder people from selling their own accounts.
____________________________
90war 90bst 90nin 90whm 75pld 62brd
CoP - RoZ - ToA - Complete (Retired 2011)

Blescius Hawksclaw Ultros


#130 May 17 2007 at 3:48 AM Rating: Good
Scholar
***
1,590 posts
Hamunaptra wrote:
I am sure that it was explained in an earlier post on how a .zip file can be used to launch a program. It might have well been someone just confirming it is possible too, I don't rightly recall.

No it wasn't, nothing of the kind. Someone made the assertion that:

Quote:
It is very easy to have a program executed while opening .zip file, hell it's an option developers use from time to time to run content for a client demo in my line of work

Which is not true, the poster clearly doesn't understand the details of how these client demos he refers to are constructed. I suspect these demos are probably self-extracting archives which will be .EXEs not .ZIPs.

I re-state, THE MERE ACT OF UNZIPPING A .ZIP ARCHIVE CANNOT, BY ITSELF, CAUSE A PROGRAM TO BE EXECUTED, the standard ZIP specification provides for no such ability and nothing posted in this thread demonstrates otherwise. Using something like InfoZIP's freeware UNZIP32 for example this cannot happen.

Unless more details are given about just what program was used to unpack it then it isn't possible to understand how this alleged exploit took place.

Edited, May 17th 2007 7:51am by Kragorn
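Added example, not part of any post in this thread: the distinction argued over above (a plain .ZIP versus a self-extracting .EXE, and the .INI and .EXE said to be inside the archive) can be checked from a file's bytes before anything is opened. The Python sketch below does that check; the sample archives, member names and function names are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs or interprets when the user double-clicks the file.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def classify_download(data: bytes) -> dict:
    """Describe a downloaded file from its bytes, ignoring the name it arrived under."""
    report = {"container": "unknown", "members": [], "program_members": []}
    starts_as_pe = data[:2] == b"MZ"  # DOS/PE header: the file itself is a program
    starts_as_zip = data[:4] in (b"PK\x03\x04", b"PK\x05\x06")
    # True when a ZIP end-of-central-directory record is present, which also
    # holds for a self-extracting archive (an executable stub followed by ZIP data).
    has_zip_directory = zipfile.is_zipfile(io.BytesIO(data))

    if starts_as_pe and has_zip_directory:
        report["container"] = "self-extracting executable"
    elif starts_as_pe:
        report["container"] = "executable"
    elif starts_as_zip and has_zip_directory:
        report["container"] = "zip"

    if has_zip_directory:
        # Listing and reading members happens in memory; nothing is written to disk.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                report["members"].append(info.filename)
                if member_is_program(archive, info):
                    report["program_members"].append(info.filename)
    return report


def member_is_program(archive: zipfile.ZipFile, info: zipfile.ZipInfo) -> bool:
    """Flag a member by extension, or by a PE header behind another extension."""
    if PurePosixPath(info.filename.lower()).suffix in RISKY_EXTENSIONS:
        return True
    try:
        with archive.open(info) as member:
            return member.read(2) == b"MZ"
    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
        return False  # encrypted or unsupported member: contents not inspected


def build_sample_zip() -> bytes:
    """Constructed sample: a plain archive holding an .INI and placeholder programs."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("settings.ini", "[constructed]\nkey=value\n")
        archive.writestr("viewer.exe", b"MZ constructed placeholder bytes")
        archive.writestr("notes.txt", b"MZ header behind a harmless-looking name")
    return buffer.getvalue()


# Constructed inputs: a plain ZIP, the same ZIP behind a fake executable stub,
# and an HTML page saved under a .zip name.
SAMPLE_ZIP = build_sample_zip()
SAMPLE_SFX = b"MZ" + b"\x00" * 62 + SAMPLE_ZIP
SAMPLE_HTML = b"<html><body>constructed page saved under a .zip name</body></html>"

if __name__ == "__main__":
    samples = [("archive.zip", SAMPLE_ZIP), ("demo.zip", SAMPLE_SFX), ("page.zip", SAMPLE_HTML)]
    for label, blob in samples:
        print(label, classify_download(blob))
```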
#131 May 17 2007 at 4:43 AM Rating: Decent
****
4,136 posts
Sorry to nitpick, but "identity theft" is severely overused these days...

There is a difference between theft, credit theft, and identity theft...


Let me tell you a story...

One day my mother got a call from a credit card company that had received an application in her name. The call was to verify that she had made the application - she had not. They called because they didn't think it looked like a woman's signature (yea, they actually look for that).

They verified the address - it turned out to be my ex-cousin's (he's no longer part of the family as far as we're concerned). After investigation it turned out that he had taken out other cards in her name. That, is identity theft - stealing someone's identity to make new contracts.

It turned out he was also living on his brother's identity - using a driver's license in his brother's name, etc.. - That, is identity theft.

He was also stealing credit cards at work and using them to make purchases for himself - that is NOT identity theft - that's just credit theft.


Now this - stealing someone's character in FFXI, and then changing the credit card information - it's neither identity theft nor credit theft. It's theft for sure, but you're not losing any money once the credit card has been changed...

It sucks, and SE's method of dealing with it sucks, but it's not identity theft or credit theft.
#132 May 17 2007 at 4:49 AM Rating: Decent
*
85 posts
Interesting, if you google MrWildRabbitRadar you get a bunch of links to a website yy33.kakiko.com and sakura01.bbspink.com.. and it looks like a CGI script. There is mention of Trojan-Spy.Win32.agent.pn If you google it.. it would probably be a bad idea to click the links, it may be something from an AV report or spyware report. Better to be safe than sorry.

Googling Trojan-Spy.Win32.agent.pn shows that it is a recognized password keylogger that looks like it was added to the lists just a few weeks ago. Be careful out there and run your spyware checkers often.

#133 May 17 2007 at 5:46 AM Rating: Good
Kragorn wrote:
Hamunaptra wrote:
I am sure that it was explained in an earlier post on how a .zip file can be used to launch a program. It might have well been someone just confirming it is possible too, I don't rightly recall.

No it wasn't, nothing of the kind. Someone made the assertion that:

Quote:
It is very easy to have a program executed while opening .zip file, hell it's an option developers use from time to time to run content for a client demo in my line of work

Which is not true, the poster clearly doesn't understand the details of how these client demos he refers to are constructed. I suspect these demos are probably self-extracting archives which will be .EXEs not .ZIPs.

I re-state, THE MERE ACT OF UNZIPPING A .ZIP ARCHIVE CANNOT, BY ITSELF, CAUSE A PROGRAM TO BE EXECUTED, the standard ZIP specification provides for no such ability and nothing posted in this thread demonstrates otherwise. Using something like InfoZIP's freeware UNZIP32 for example this cannot happen.

Unless more details are given about just what program was used to unpack it then it isn't possible to understand how this alleged exploit took place.

Edited, May 17th 2007 7:51am by Kragorn


I won't flame you for being ignorant, but suffice it to say there are more ways to skin a proverbial cat than you could imagine.

Suppose you're right about the zip file itself. Do you have any idea how easy it is to configure a web site to handle a cgi/asp/perl script that ends in .zip through the normal CGI processor? Imagine a script called "mrwildrabbbitradar.zip" that looks like:

if (hackable) { 
  DoDownloadHack(); 
} 
 
SendZipFileToUser();


In such a case, the user's browser has been transparently exploited, because the end result is that they receive the zip file they thought they were following a link for. What the user does after saving the file to disk is irrelevant. Your argument is moot, as this thread's main argument is about SE's failure to handle the situation, not what actually happened on the user's computer.
#134 REDACTED, Posted: May 17 2007 at 7:01 AM, Rating: Sub-Default
LMAO, STILL frivolous, regardless. It doesn't matter if it was a cup of friggin lava, YOU KNOW IT'S HOT. Whether or not you know HOW hot it is, you should still know it is not intended to be poured into your lap! It was not being used the way it was intended to be used. I can go to Sears and buy a chainsaw and cut my own damned leg off, but would I then have the right to sue Craftsman because I used their product in a matter for which it was not intended??? It doesn't matter if it was accidental or not, people need to take responsibility for their own actions. Yeah, go ahead rate me down, like I give a shit. There's a thing called natural selection, which makes for the betterment of the species. These stupid laws and lawsuits are just going against it. I saw a label on a hairdryer once that said "do not use in the shower". The sad, sad, reality is that this label was probably the result of a similar lawsuit. If you need a label like this, you SHOULD use it that way.
#135 May 17 2007 at 7:10 AM Rating: Good
**
307 posts
Unfortunately, it seems like this dude already started the process of cleaning out Hiro's character.

http://www.ffxiah.com/player.php?id=352002&sid=4

Edited, May 17th 2007 11:12am by moogii
#136 May 17 2007 at 7:20 AM Rating: Decent
***
3,261 posts
moogii wrote:
Unfortunately, it seems like this dude already started the process of cleaning out Hiro's character.

http://www.ffxiah.com/player.php?id=352002&sid=4

Edited, May 17th 2007 11:12am by moogii


As strong as I stand on my previous points, that is just depressing to see. Sorry Hiro. I do hope SE does something for you.
#137 May 17 2007 at 7:21 AM Rating: Default
Quote:
It doesn't matter if it was a cup of friggin lava, YOU KNOW IT'S HOT. Whether or not you know HOW hot it is, you should still know it is not intended to be poured into your lap! It was not being used the way it was intended to be used. I can go to Sears and buy a chainsaw and cut my own damned leg off, but would I then have the right to sue Craftsman because I used their product in a matter for which it was not intended??? It doesn't matter if it was accidental or not, people need to take responsibility for their own actions. Yeah, go ahead rate me down, like I give a ****. There's a thing called natural selection, which makes for the betterment of the species. These stupid laws and lawsuits are just going against it. I saw a label on a hairdryer once that said "do not use in the shower". The sad, sad, reality is that this label was probably the result of a similar lawsuit. If you need a label like this, you SHOULD use it that way.
That's all this world is anymore, just a bunch of whiny little ******** blaming everyone else for their mistakes. Own up, damn!


Word, ppl get rewarded for being stupid and whiny nowadays. What happened to the good old "that's your problem, deal with it"...
#138 May 17 2007 at 7:25 AM Rating: Decent
**
336 posts
Dude, sorry to hear what happened, but the f*ckers are selling your expensive stuff now. I was gonna blast them for you, but they aren't online....

http://www.ffxiah.com/player.php?id=352002&sid=4
#139 May 17 2007 at 7:30 AM Rating: Default
***
1,015 posts
Quote:
McDonalds Coffee Case Facts. Before you go attacking something, know something about it. I'm not saying there aren't frivolous lawsuits attempted in the US, but this wasn't one of them.


If anything that website proves how ridiculous the case was.

Why the HELL would you put a hot cup of coffee between your legs with the intention to open it?
#140 May 17 2007 at 7:36 AM Rating: Decent
moogii wrote:
Unfortunately, it seems like this dude already started the process of cleaning out Hiro's character.
Wonder if SE can track who the gil is traded to after they get the gil from the inbox. I'm sure they won't be sending the gil since you can only send 1mil, but if they trade the gil I doubt that is tracked.
#141 May 17 2007 at 7:40 AM Rating: Decent
***
1,978 posts
Hiroleonheart, I don't even want to think what the people in Ramuh would do to the person who stole your account. If only they had a way to find out their real name, or address... Heck, I'm on Siren and I already feel an urge to go kick the damn Account Burglar's behind!
#142 May 17 2007 at 7:47 AM Rating: Decent
***
1,988 posts
Quote:
Blah blah blah, let's blame the victim


Yes you should take every means to protect yourself. But you people that are excusing theft and don't care about if SE does anything when they have the power to are callous bastards that seriously need to reevaluate their ethics.

Every time I read one of those responses I thought of the case of a woman who took a short cut down a dark alley to get to a club and was raped. People actually said "she was stupid" "She shouldn't have done that" No, the guy shouldn't have raped her. In this case these people should not have conspired to take advantage of people to steal their characters.

Some of you people need to reevaluate a quote

The Greatest evil in life is when good men do nothing.

SE needs to look at that quote too.
#143 May 17 2007 at 7:47 AM Rating: Default
Scholar
****
6,631 posts
I had refused to reply to that comment about me being a graduate student and I should know more about coffee temperature, but I will post again since someone brought it up again.

It does not take rocket science to know what to do and what not to do with common objects and encounters in the world. You can cite whatever figures and fancy stuff, it still does not change the fact the plaintiff of that case is being malicious and refuses to take complete responsibility to common sense.

If distortion and abusing the power of law is above common sense, I think it is time to review how the court works. In a lot of countries, that case would be thrown out of the court room without a trial.

I used to travel between Canada and United States quite often by car.... isn't it disturbing whenever I cross from Canadian side of Niagara Falls to the US side, one of the first few things (after US border control) I saw is a Buffalo-based injury lawyer ad sign? It is almost laughable to see that from the point of view of a Canadian or Niagara Falls tourist.

Quote:
There's a thing called natural selection, which makes for the betterment of the species. These stupid laws and lawsuits are just going against it.


I didn't really see that as "natural selection." I saw it as people refusing to be responsible. People sin or make mistakes all the time; but being stupid or being sinful, one should be ashamed of it. Instead of being ashamed of making an error and going out to fix it, people "yank up the rice pot cover like a dead chicken feet" (a Chinese saying referring to how, instead of feeling ashamed or defeated and then surrendering or amending the mistake, people just argue on and insist on no wrongdoing).

Edited, May 17th 2007 12:01pm by scchan
____________________________
Amanada (Cerberus-Retired) (aka MaiNoKen/Steven)
-- Thank you for the fun times in Vana'diel

Art for the sake of art itself is an idle sentence.
Art for the sake of truth, for the sake of what is
beautiful and good — that is the creed I seek.
- George Sand

A designer knows he has achieved perfection,
not when there is nothing left to add,
but when there is nothing left to take away.
- Antoine de Saint-Exupéry
#144 May 17 2007 at 7:59 AM Rating: Default
***
3,261 posts
DancerRonin wrote:
Quote:
Blah blah blah, let's blame the victim


Yes you should take every means to protect yourself. But you people that are excusing theft and don't care about if SE does anything when they have the power to are callous bastards that seriously need to reevaluate their ethics.

Every time I read one of those responses I thought of the case of a woman who took a short cut down a dark alley to get to a club and was raped. People actually said "she was stupid" "She shouldn't have done that" No, the guy shouldn't have raped her. In this case these people should not have conspired to take advantage of people to steal their characters.

Some of you people need to reevaluate a quote

The Greatest evil in life is when good men do nothing.

SE needs to look at that quote too.


She may not have been stupid, but it was her decision to head that way. Could she have prevented it, yes, did she know that, probably not. Was the rapist innocent? Definitely not. This argument is ridiculous because you are apparently trying to make a point of SE needing to take responsibility for something someone did, but how does SE relate to your rapist argument? Is SE the rapist? SE is NOT the criminal here, and they shouldn't be treated like one. Is their decision to sit idly by and do nothing illegal? No. Immoral? yes, probably. Do I think it's the right thing to do? No, I don't, and I do hope they take care of Hiro, as I stated above. It's a shitty thing to happen to someone, and I would like to see SE comp Hiro in some way, but I still don't believe it's their responsibility to do so.

And where the bloody hell did ANYONE excuse theft? I think everyone reading this thread wants to see the RMT's and account thieves disappear. No one here is supporting the thief. No one here condones his actions. Think dude, that's why god gave you a brain. Use it, or go hop in the shower with a hair dryer.
#145 May 17 2007 at 8:04 AM Rating: Default
***
1,988 posts
Quote:
This argument is ridiculous because you are apparently trying to make a point of SE needing to take responsibility for something someone did, but how does SE relate to your rapist argument? Is SE the rapist? SE is NOT the criminal here, and they shouldn't be treated like one. Is their decision to sit idly by and do nothing illegal? No. Immoral? yes, probably.


Use your brain, think. Did I ever say SE was a criminal? No. I simply stated that I think their actions are unethical. In reality they are supporting the criminal by their inaction. It's just a fact.

And hate to break it to you every person that takes (whether you like it or not) the tack of blaming the victim is downplaying the criminal's responsibility. You should inform people on ways to protect themselves. You should not hold them responsible for the actions of others.
#146 scchan, Posted: May 17 2007 at 8:12 AM, Rating: Sub-Default
In fact, SE did that, so is Yahoo, your bank, or whatever you have passwords or codes or keys warn you not to do that.
#147 May 17 2007 at 8:14 AM Rating: Good
***
1,337 posts
SE should take any character in question and cut it in half and give one half to both, in my experience it's best to call dibs on the top half or right half depending on the cut.
#148 May 17 2007 at 8:16 AM Rating: Decent
***
3,261 posts
DancerRonin wrote:


Use your brain, think. Did I ever say SE was a criminal? No. I simply stated that I think their actions are unethical. In reality they are supporting the criminal by their inaction.


Use YOUR brain, think. Did I accuse you of saying SE was a criminal? No, I simply asked if that was what you were implying. I also agreed that their actions are immoral/unethical. Also,
Quote:
It's just a fact.
How can you say it's a fact? They are not supporting the criminal at all. They are just not taking sides. They aren't supporting anyone.
Quote:
And hate to break it to you every person that takes (whether you like it or not) the tack of blaming the victim is downplaying the criminal's responsibility. You should inform people on ways to protect themselves. You should not hold them responsible for the actions of others
The criminal is the criminal regardless. Downplay it, upplay it, stick it in your bum, it doesn't matter, he's the one guilty. No one here is arguing that. The whole situation could have been avoided however by the victim using better judgement. I am not holding the victim responsible for the actions of others, but for his own actions. I also hold the thief responsible for his actions. Difference being the victim's actions got him screwed over, and the criminal's actions are illegal, but Hiro is not being blamed for what the thief did.


edit: typo

Edited, May 17th 2007 11:22am by Daboder
#149 May 17 2007 at 8:43 AM Rating: Default
***
1,015 posts
Quote:
Every time I read one of those responses I thought of the case of a woman who took a short cut down a dark alley to get to a club and was raped. People actually said "she was stupid" "She shouldn't have done that" No, the guy shouldn't have raped her. In this case these people should not have conspired to take advantage of people to steal their characters.


I love it when folks try and equate MMORPG account theft with rape as if the two are on the same moral level.

I was expecting it sooner, though, I'm surprised this didn't pop up until the 3rd page.
#150 May 17 2007 at 8:44 AM Rating: Decent
37 posts
I have heard of a case in Ragnarok ending with the 'victim' in question having regained control of his character successfully with all rare/ex items intact, though the gil and tradable items were gone. I suppose that would be the best that can be done given the implications of the items being sold to 'legitimate' buyers.
However, this wasn't a friend of mine but a person I know of, so the relevance is somewhat questionable...

In any case, I'm very sorry to hear what happened and I wish you all the best Hiro. Don't give up hope and keep trying.
#151 May 17 2007 at 8:46 AM Rating: Decent
**
773 posts
Quote:
It's a ****** thing to happen to someone, and I would like to see SE comp Hiro in some way, but I still don't believe it's their responsibility to do so.


Not so sure. FF/POL is probably one of the worst programs security-wise I can think of. Some antivirus/antispyware programs don't get along with ff. Then there is that stupid feature that allows someone to login and knock you off the game. It's about time SE fixes the security holes in the game,
____________________________
"We apologize for the inconvenience"
- SE Cruciatus Curse



