Ex-Hacker Finds RIFT Account Flaw, Talks to ZAM
Thanks to a community "white hat," the RIFT account security exploit (that had nothing to do with ZAM) has been squashed. Read our exclusive interview here!
ZAM: This seems like something Trion should’ve found during their QA testing. Why do you think it was missed? Was it something really obscure? And how were you able to track it down when Trion couldn’t?
ManWitDaPlan: I can't go into too many details, but can say that the exploit would be easy to miss because you'd have to be looking for something very specific in a very specific place to find it. I found it because I was actively digging for it. Trion was looking for it as well, according to what they and I had discussed. I basically found it before they did.
ZAM: Do you still have confidence in the team? What’s their response to you been thus far?
ManWitDaPlan: Trion's response to the revelation of the exploit has been spot-on. Steve Chamberlin, the dev lead for Rift, was on the phone with me within five minutes of my sending the technicals on the exploit, and while I was talking to him, the engineering team was likely already editing and recompiling code. A patch was deployed just over two hours after the exploit was revealed. A few extra fixes (to Coin Lock) were also pushed in at the same time to further tighten things up. The phrase "epic win" is cliched from its overuse as a meme, but it nevertheless certainly fits here.
Trion hit this like Jackie Chan channeling Bruce Lee, which is what you do when you find an exploit. No playing the blame game, no whining, just find and fix and slam the door on the hackers. "Crush the hackers, see them driven from before you, and hear the lamentation of their women!" (Apologies to Ahnold for that...)
ZAM: Do you feel comfortable with Trion’s response?
ManWitDaPlan: Extremely so. The response was flawlessly executed, and should become a textbook example of how a MMO company should respond to any discovered bug - contact the person that found it, get the details, verify their findings, act to secure the bug. Not only did the Trion crew take the exploit seriously, they took fixing it seriously. I mean, come on, reported discovery to implemented fixes in TWO HOURS? I've never seen anyone in IT respond to bug reports that fast.
ZAM: There were a number of folks that helped you. Can you point them out?
ManWitDaPlan: TheScoo was the hapless-but-willing victim of my tests once I locked down the exploit's specifics. He allowed me to remotely access his account (while he watched) and even let me delete a test character.
HomeFry helped me with some LAN tests and anti-malware scans on my systems, and was on the network monitor while I was wrecking TheScoo's characters and annoying Coin Lock with my escapades.
I bounced some of the details I was seeing off the_real_seebs, who was also looking into the hacking problem and came up with many of the same conclusions I did. Basically I worked out a few key aspects of the exploit before he did, so one way or another this mystery was gonna be solved - if I hadn't gotten to the magic trick he surely would have.
ZAM: Are these sorts of things common in MMOs, and do other companies simply keep it quiet?
ManWitDaPlan: Security exploits can and do happen in any complex system. MMOs, operating systems, you name it, the more complex the system the more opportunities there are for something to go wrong. There are rootkits for OSX and many Linux variants, Windows is notorious for security issues (although that's slowly improving finally), the Stuxnet virus targeted embedded systems in nuclear power plants, etc. etc. etc.
Security is fickle. It's finicky. It's nitpicky. It demands attention to the minutiae but will chastise those that cannot also see the big picture. And it punishes the slightest mistake or miscue or omission with the greatest severity.
Anyone that says _insert_MMO_name_here_ is hackproof is delusional. Hacks exist for ALL of them. To use a relevant example, WoW went to two-factor authentication to stop the hacking it had since it launched, so the hackers simply turned around and broke the algorithm that makes their keyfobs for 2FA work. There's a lot of real money in selling virtual things, and that means RMTers can afford to hire the best and brightest of the bottom of the coding barrel. If there is a way to break a MMO, there are people whose working time is devoted to finding it.
The million-dollar-a-month question isn't whether a vulnerability is kept quiet - no matter who you are and what you do, you never reveal an exploitable weakness until after it's corrected - what makes the difference is how it's handled once it's discovered. Trion wins one-point-five Internets for their handling of this particular nightmare.