Admin consoles: the soft underbelly of billion dollar software operations since...
Seriously, though: you almost certainly have one if you run a software business. Client side SSH certificates are your friend. If you're not able to do that, because it is really annoying, separate it from the main app and lock it down as much as possible. (Separate authentication from the main site/app's authentication scheme. Lock down access, ideally at the network level. Strongly consider two-factor auth.)
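The locked-down admin host described above, as an added example that is not part of the original thread: a small shell audit of sshd_config for CA-signed user certificates (TrustedUserCAKeys), no password or root login, and a mandatory second factor, run over two constructed sample configs. The CA path, principals file and sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the admin-access
# posture recommended above. "Client-side SSH certificates" here means OpenSSH
# user certificates signed by your own CA (TrustedUserCAKeys); on top of that,
# passwords are off, root login is off, and a second factor is required.
# Only top-level directives are read; Match blocks are out of scope.

# Effective value of a directive: the first occurrence wins, as in sshd(8).
sshd_value() {  # $1 = config file, $2 = directive (keywords are case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Prints one "MISSING ..." line per weak setting. Returns 0 if clean, 1 otherwise.
audit_sshd_config() {
    cfg="$1"; bad=0
    [ -n "$(sshd_value "$cfg" TrustedUserCAKeys)" ] \
        || { echo "MISSING TrustedUserCAKeys (no CA: certificates cannot be used)"; bad=1; }
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "MISSING PasswordAuthentication no"; bad=1; }
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "MISSING PermitRootLogin no"; bad=1; }
    case "$(sshd_value "$cfg" AuthenticationMethods)" in
        publickey,*) ;;  # certificate first, then a second method (e.g. PAM-backed OTP)
        *) echo "MISSING AuthenticationMethods publickey,<second factor>"; bad=1 ;;
    esac
    return $bad
}

count_weak_settings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed sample configs: a stock-style one and the locked-down admin host.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
PasswordAuthentication no
KbdInteractiveAuthentication yes
PermitRootLogin no
AuthenticationMethods publickey,keyboard-interactive
EOF
echo "== weak =="; audit_sshd_config "$WEAK_CFG" || true
echo "== hardened =="; audit_sshd_config "$HARD_CFG" && echo "OK: no findings"
```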
There are a few scenarios in which client-side certificates just aren't good enough by themselves.
So you have folks administering the servers. A certain percentage of them need root access. One of them gets his certificate revoked and then laid off -- in that order -- but he already installed a back door account. Okay, so you're a good admin and you check the logs and make everyone use "sudo" for everything.
* But maybe it won't even show up in the logs. Maybe he was editing a file in sudo with vi and ran ":! bash". Okay, so you're a good admin and disabled that.
* Maybe he was editing crontab one day and added a one-shot script to create a nefarious account. Okay, you are a good admin and you have tripwires.
* Maybe he knows where your tripwires are. Do you honestly think you know every possible attack vector someone with legitimate sudo access could use?
It's really hard to stop an inside job. The principle of least privilege is a nice maxim, but there's a cost to figuring out exactly what the least privilege is, and there's a cost to giving someone too little privilege -- downtime when they can't fix something they're supposed to fix.
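The insider scenario above, as an added example that is not from the thread: detection logic over constructed sudo syslog lines that flags the invocations the escape hides behind (an editor or pager run as root, a root shell, a crontab edit), since the ":! bash" itself never reaches the sudo log. Host, user and file names in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the thread: flag sudo log entries that give an insider a
# path the sudo log will not record, the cases raised above: an editor or pager
# run as root (":!bash" from vi is never logged, only the vi invocation is), a
# root shell (its child commands bypass sudo logging), and crontab edits.
# Mitigations are sudoers' own: sudoedit for file edits, "Defaults noexec" and
# "Defaults log_output" for the rest. The log format is sudo's default syslog line.

# Reads sudo syslog lines on stdin; prints '<user> ran "<command>": <reason>' per finding.
flag_risky_sudo() {
    awk '
    /sudo:.*COMMAND=/ {
        user = $0; sub(/.*sudo: +/, "", user); sub(/ :.*/, "", user)
        cmd  = $0; sub(/.*COMMAND=/, "", cmd)
        split(cmd, argv, " "); prog = argv[1]; sub(/.*\//, "", prog)
        reason = ""
        if (prog ~ /^(vi|vim|nano|less|more|man)$/)
            reason = "editor/pager as root, shell escape possible; use sudoedit"
        else if (prog ~ /^(sh|bash|dash|zsh|su)$/)
            reason = "root shell; commands run inside it are not logged by sudo"
        else if (prog == "crontab")
            reason = "crontab edit; review scheduled jobs against the tripwire baseline"
        if (reason != "") printf "%s ran \"%s\": %s\n", user, cmd, reason
    }'
}

count_findings() { flag_risky_sudo | wc -l | tr -d ' '; }

# Constructed sample log (hostnames, users and times are made up).
SAMPLE_LOG='Oct  7 09:14:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Oct  7 09:16:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Oct  7 09:20:11 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/crontab -e
Oct  7 09:25:55 web1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Oct  7 09:26:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=sudoedit /etc/hosts'

printf '%s\n' "$SAMPLE_LOG" | flag_risky_sudo
```

This is after-the-fact detection; as the comment notes, an insider who knows where the tripwires are can still route around it, which is why the sudoers mitigations matter more than the report.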
It's just speculation that someone used GM powers to do this. Most likely they tracked down a boss mass wipe ability (i.e. kills all players within 30 yards) that was incorrectly flagged as usable by players. You can then write an AddOn that uses CastSpellByID() to give you that ability.
The GM interface requires a special build of the WoW client, a specially flagged account, and a two factor auth token to log in. It's pretty hard to emulate the client as opcodes are randomly shuffled based on the hash of the binary itself.
Blizzard does use client side SSH certificates according to a dev at BlizzCon 2, I think. If I had to hazard a guess, I'd guess that someone laid off in [1] took some of the family jewels with them which enabled [2] and ultimately this as well.
Take a look at Authy for a reasonably easy way to add two-factor auth to your normal SSH login. It's intended for website authentication, but there is a GitHub project for adding it to sshd.
Good advice, but I think you're underestimating the sort of attackers going after WoW. It's not going to be some drive-by script kiddies looking for an easy target... it's people specifically targeting this game. I'd be more worried about spearphishing and social engineering.
FWIW, we used client certificates for the Beijing Olympics ticketing system. I have to admit they were a giant pain in the ass, but I still have to imagine they saved us more pain than they created.
I think that there's something kind of fascinating and romantic about the idea that an entire world and the ongoing social affairs of thousands of people can fit on a single server blade in the middle of nowhere.
That's what makes EVE so much more interesting to me. There's only one server. The monthly fee can be earned in-game. The economy is tied to actual dollars because it's so reliable. There have been plenty of universe-spanning conflicts that impact the entire game with genuine political drama, and the dev team steps back to let it unfold with minimal intervention.
This isn't the first time Blizzard have messed up like this: they originally set the "Game Master" access level by a bit transmitted client side, and the same socket bit twiddling could be used to get into their private alpha servers...
It's interesting to comprehend the number of lives a hack like this will positively affect.
How many will pick up a book, or go for a walk, now that they no longer have their go-to fix of virtual reality? How many WOW addicts will have time to think "never again" and follow through?
Equivalent to all the cigarettes in the world vanishing for a few hours? Possibly. And equally as effective I say.
Chuckle. How many of those will go out and rob a liquor store? How many will perform an act of vandalism? How many will kill themselves because they are cut off from the only friends they've ever known?
While I can empathize a bit (I used to play WoW, but "grew away from it" and now spend a large portion of my time in search and rescue and musical performance), I have to say that this is a very judgmental POV to take. You're seriously going to compare playing WoW to smoking? Even in the worst case, at least playing WoW is a step up from watching some inane TV show with no interaction. It's not like anybody suffers from second-hand MMORPG.
And you can always play moral superior: instead of reading a book, why don't they start their own company? Instead of going for a walk, why don't they run a marathon? Hell, I could see how someone could look down on the activities I choose ("why rescue idiots who got themselves into trouble? Let natural selection sort it out!" or "why perform music that's already been performed thousands of times before by better performers?"), but FFS, sometimes "wasting time" is some of the best time well spent.
I prefer to run, and I sustain an average of 8 minutes per mile in 5ks so I'm not an unfit slob. I don't run marathons though, I just run and swim for fun and exercise's sake.
I do all of this because it's fabulous stress relief, it's a great time-filler when I don't have the space/time to work (e.g. cooking/restaurants, boarding flights, random 5 minutes at places, right before bed), and WoW in particular enables me to spend time with friends no matter where they're located. I can do this in the first place because I don't do things many people do such as watching TV.
It's funny how people are incredibly judgmental about WoW but they find it incredibly impressive I read a lot of books and sustain reasonable times in runs. I find more rational reasons to play WoW (reasonably, that is, and not by ignoring people to do so) than to read. They're both hobbies. Take anything to an extreme and it's bad. But WoW overall is not as bad as the one off horror story you'll read about parents ignoring their kids to raid.
If I remember right, there was a post on HN here a while ago about how there's a dot pattern embedded in all WoW screenshots, so they can identify who the user is even if they remove the character name from the screen.
If they have the account information on this, I have to wonder if they could actually sue someone (instead of just banning them) for using this hack?
Those screenshots are probably the victims', anyway. While Blizzard probably does have enough logging to track this down on their end, it's fairly easy to get a trial account with bogus account information, so it would be back to grabbing their IP addresses and pleading with some ISP to reveal their real identity.
Interesting. If that is in fact related to this incident, it suggests that they got a copy of the Game Master (GM) private key; they are activating GM-only 'features' of the game. In this case the 'kill all' aura; another feature is to imbue your weapons/armor with arbitrary stats. Saw a character doing that in 2008 or so.
Just to clarify, death in WoW is something that happens all the time. It's very unlikely that it causes anyone more than a minute worth of inconvenience in this case, and certainly less than it would to take the servers down to apply a backup.
I am... very impressed. This is some pretty bad news for the current king of MMOs. I wonder if someone finally stole a GM's account or if this is a live hack. I'm more inclined to believe someone just made off with an account, but hey, crazier hacks have happened.
It looks like there were some videos posted from the point of view of the hackers. Doesn't Blizzard put watermarks in each of the clients? They can track it to the licenses which people bought, and probably to the people themselves, no?
patio11 | 13 years ago
klodolph | 13 years ago
dsl | 13 years ago
ChuckMcM | 13 years ago
[1] http://massively.joystiq.com/2012/02/29/blizzard-announces-l...
[2] http://kotaku.com/5933454/blizzard-network-breached-change-y...
trafficlight | 13 years ago
https://www.authy.com/
https://github.com/authy/authy-ssh
eli | 13 years ago
spindritf | 13 years ago
What are those? We're talking key-based ssh authentication? Or something else?
TazeTSchnitzel | 13 years ago
Of note, if you do use a client-side SSH cert, disable username and password auth.
wdr1 | 13 years ago
jpxxx | 13 years ago
bsphil | 13 years ago
Alex3917 | 13 years ago
jiggy2011 | 13 years ago
In MMO terminology "server" seems to refer to a single self contained game world.
aesopiate | 13 years ago
brown9-2 | 13 years ago
blibble | 13 years ago
http://www.ownedcore.com/forums/world-of-warcraft/world-of-w...
Ogre | 13 years ago
Could be a similar sort of thing, or it could be a hack.
niggler | 13 years ago
ihsw | 13 years ago
brador | 13 years ago
npsimons | 13 years ago
silencio | 13 years ago
http://us.battle.net/wow/en/character/nordrassil/Spink/advan... is my main WoW toon (already level capped for the current just-released expansion and raiding), with weeks of /played time.
http://www.goodreads.com/review/stats/2444699-jane is the last couple of years worth of books I've read. How many people do you know read 50+ books a year?
njharman | 13 years ago
Statistically, zero. Trust me, they are all madly typing on forums, mashing refresh, trying to find out / talking about what happened.
> How many WOW addicts will have time to think "never again" and follow through.
A few.
tomjen3 | 13 years ago
Who the fuck are you to tell people how they get their enjoyment out of life?
negamax | 13 years ago
Mayans knew this.
bravoyankee | 13 years ago
tibbon | 13 years ago
ben0x539 | 13 years ago
adrianpike | 13 years ago
Havoc | 13 years ago
VMG | 13 years ago
sespindola | 13 years ago
As some of the MMORPGs have multi-million dollar economies, they'll need to increase their PCI level compliance.
This reminds me of Charlie Stross's Halting State[1].
1: http://en.wikipedia.org/wiki/Halting_State
beedogs | 13 years ago
I hate this kind of crap.
mtgx | 13 years ago
fchollet | 13 years ago
Nothing too impressive to this "hack"...
ChuckMcM | 13 years ago
No doubt this is related to this problem: http://kotaku.com/5933454/blizzard-network-breached-change-y...
djbender | 13 years ago
unknown | 13 years ago
[deleted]
lazyjones | 13 years ago
sonnyhe2002 | 13 years ago
lutusp | 13 years ago
1. Wait -- was I just teleported into my favorite South Park episode?
2. I can't wait to see the civil lawsuits for psychological injury against the perpetrator of this outrage.
3. Don't these people do nightly backups? It's not as though WOW isn't an important cybernetic resource meriting industry best practices.
ben0x539 | 13 years ago
unknown | 13 years ago
[deleted]
Evbn | 13 years ago
flexxaeon | 13 years ago
This is kinda funny.
theevocater | 13 years ago
EGreg | 13 years ago
sbarre | 13 years ago
WoW forums appear to be down too...
podperson | 13 years ago