SRO Beefs up Security

uBeR · **Joined:** Jan 2007 **Posts:** 966 **Location:**

Link

I applaud them, and this makes me feel that much more safer. =)

1llu51on · **Joined:** Feb 2006 **Posts:** 305 **Location:**

I put it here to make it easy for others.

Quote:

System Updates For Security Reinforcement
Date : 1/18/2007
inquiry : 6927
Hello. This is Silkroad Online.

In order to strengthen the security of Silkroad Online, we will be progressing following system updates.

These system updates are progressed for the protection of our users’ valuable information and the stability of the game. Thus we ask for our users’ understanding for the inconvenience that can occur after the system updates are applied.

[Image Code Verification]

- Users will need to verify when the register as a member, and when they log in, through the use of [image code verification].
- This is a verification system that asks a user to enter the text or number on an image.

Date of Application : 2007/1/23

[Automatic Block Function]

- When incorrect password is entered 3 times, the account will be blocked for 10 minutes.
- Accumulated number of incorrect password entered will be reset everyday, at 00:00 Silkroad Standard Time.

Date of Application : 2007/1/23

[Email Verification]

- To use important functions within the web, users will be required to enter a code that is sent via email.
- After this system is applied, there will be limits in changing personal information.
- Those who have lost their password will be able to regain their password through this email verification.
- There is also intention of preventing account stealth.

Date of Application : February

I have to say, this is looking good. SRO is improving day by day. Good Job. And some of my suggestions are actually being applied. =)

Keep it up.

CrazyAztec · **Joined:** Jan 2007 **Posts:** 419 **Location:**

+100 for joymax!! Next time use greater bots detector. So the gms can eat pizzas and chew some mint.

1llu51on · **Joined:** Feb 2006 **Posts:** 305 **Location:**

And to everyone who input'd their email information by random. I'd suggest you guys to do it right this time. They're going to make it permanent. So if you forget your secret answer, your email can still save your ass. =)

RuYi · **Joined:** Apr 2006 **Posts:** 7145 **Location:** Done.

Yay for Joymax!

With better security, people don't have to worry so much about their account being stolen.
I'm glad they do something about it now!

Chaby · **Joined:** Apr 2006 **Posts:** 1468

As I said before, auto block is super retarded.

1llu51on · **Joined:** Feb 2006 **Posts:** 305 **Location:**

Quote:

auto block is super retarded.

Huh ? You can't input your pass right within these 3 times ? =p
It's to prevent brute force hack. I'm glad.

Chaby · **Joined:** Apr 2006 **Posts:** 1468

1llu51on wrote:

Quote:

auto block is super retarded.

Huh ? You can't input your pass right within these 3 times ? =p
It's to prevent brute force hack. I'm glad.

It would be ok if JoyNax did their job, but, they allowed my ID to be globaled in SRO. HEO/HeroesVN will gladly spamm auto block to block me...

Blyth · **Joined:** Jul 2006 **Posts:** 1025 **Location:**

Chaby wrote:

1llu51on wrote:

Quote:

auto block is super retarded.

Huh ? You can't input your pass right within these 3 times ? =p
It's to prevent brute force hack. I'm glad.

It would be ok if JoyNax did their job, but, they allowed my ID to be globaled in SRO. HEO/HeroesVN will gladly spamm auto block to block me...

LOL, owned chaby

How did they get it in the first place?

Chaby · **Joined:** Apr 2006 **Posts:** 1468

Blyth wrote:

LOL, owned chaby

How did they get it in the first place?

It's a little thing called SRO forums, where you dont quote nicks, but user ID's... :roll:

1llu51on · **Joined:** Feb 2006 **Posts:** 305 **Location:**

Good point, Chabz. It sure is annoying as hell. Hope they have a solution to stop these pranksters

PR0METHEUS · **Joined:** Aug 2006 **Posts:** 4093 **Location:** Earth

Chaby wrote:

1llu51on wrote:

Quote:

auto block is super retarded.

Huh ? You can't input your pass right within these 3 times ? =p
It's to prevent brute force hack. I'm glad.

It would be ok if JoyNax did their job, but, they allowed my ID to be globaled in SRO. HEO/HeroesVN will gladly spamm auto block to block me...

Chaby, how is it Joymax's fault that your ID got globalled? Don't blame them for that. Joymax is undergoing several security fixes, and that can only be a good thing. If some player is going to global your ID, it's that player's fault, not Joymax's.

Personally, I think Joymax is doing a fine job. Sure, there have been plenty of problems with security, but they are working to fix all of that.

//:Protocol · **Joined:** Apr 2006 **Posts:** 702 **Location:**

What a lazy fix.

Image verification and auto-blocking.

Still. I suppose its better than nothing.

Chaby · **Joined:** Apr 2006 **Posts:** 1468

PR0METHEUS wrote:

Chaby wrote:

1llu51on wrote:

Quote:

auto block is super retarded.

Huh ? You can't input your pass right within these 3 times ? =p
It's to prevent brute force hack. I'm glad.

It would be ok if JoyNax did their job, but, they allowed my ID to be globaled in SRO. HEO/HeroesVN will gladly spamm auto block to block me...

Chaby, how is it Joymax's fault that your ID got globalled? Don't blame them for that. Joymax is undergoing several security fixes, and that can only be a good thing. If some player is going to global your ID, it's that player's fault, not Joymax's.

Personally, I think Joymax is doing a fine job. Sure, there have been plenty of problems with security, but they are working to fix all of that.

It's their fault because they made my ID public!!!!!!111

PR0METHEUS · **Joined:** Aug 2006 **Posts:** 4093 **Location:** Earth

Chaby wrote:

It's their fault because they made my ID public!!!!!!111

Well when I posted that response, I forgot about the whole user ID quoting thing on the official forums. I wonder if they have any plans to fix that?

Well, even if someone has your user ID, as long as you have a strong password, you should be fairly safe. A password of 10 characters or more should be fairly safe, especially if it has a mix of letters and numbers in it. Joymax should also allow upper case letters in passwords, but they don't... At least some of the changes they're making will help prevent brute forcing of accounts.

PR0METHEUS · **Joined:** Aug 2006 **Posts:** 4093 **Location:** Earth

Chaby wrote:

Blyth wrote:

LOL, owned chaby

How did they get it in the first place?

It's a little thing called SRO forums, where you dont quote nicks, but user ID's... :roll:

I just logged into the official forums a few minutes ago. Apparently they fixed that issue, at least partly. I browsed several threads, and there is no quote button anywhere. It appears you can't quote anyone in the official forums anymore, unless I'm missing something.

EwwBabel · **Joined:** Oct 2006 **Posts:** 716 **Location:**

isn't sro still in beta? stfu.

Godlikez · **Joined:** Jul 2006 **Posts:** 955 **Location:**

EwwBabel wrote:

isn't sro still in beta? stfu.

i lol´ed

LuV3r8o1 · **Joined:** Oct 2006 **Posts:** 1194 **Location:**

PR0METHEUS wrote:

Chaby wrote:

It's their fault because they made my ID public!!!!!!111

Well when I posted that response, I forgot about the whole user ID quoting thing on the official forums. I wonder if they have any plans to fix that?

Well, even if someone has your user ID, as long as you have a strong password, you should be fairly safe. A password of 10 characters or more should be fairly safe, especially if it has a mix of letters and numbers in it. .

The point isn't gaining acct access. It's that you can prevent someone from logging in just by failing their verification every 10min.

And these new security steps are good. But way too late. All 3 steps (auto-block, image code verification, and email verification) could have and should have been implemented since day one. Email verification being the main one, imo.

uBeR · **Joined:** Jan 2007 **Posts:** 966 **Location:**

Chaby wrote:

It's their fault because they made my ID public!!!!!!111

You're the one who exposed your ID.

LuV3r8o1 · **Joined:** Oct 2006 **Posts:** 1194 **Location:**

uBeR wrote:

Chaby wrote:

It's their fault because they made my ID public!!!!!!111

You're the one who exposed your ID.

Are you serious?

SRO forums had a bug. It's not Chaby's fault. Its SRO's fault that everyone's info was so freely available.

Pan_Raider(`_´) · **Joined:** Jul 2006 **Posts:** 4737 **Location:**

1llu51on wrote:

I put it here to make it easy for others.

Quote:

System Updates For Security Reinforcement
Date : 1/18/2007
inquiry : 6927
Hello. This is Silkroad Online.

In order to strengthen the security of Silkroad Online, we will be progressing following system updates.

These system updates are progressed for the protection of our users’ valuable information and the stability of the game. Thus we ask for our users’ understanding for the inconvenience that can occur after the system updates are applied.

[Image Code Verification]

- Users will need to verify when the register as a member, and when they log in, through the use of [image code verification].
- This is a verification system that asks a user to enter the text or number on an image.

Date of Application : 2007/1/23

[Automatic Block Function]

- When incorrect password is entered 3 times, the account will be blocked for 10 minutes.
- Accumulated number of incorrect password entered will be reset everyday, at 00:00 Silkroad Standard Time.

Date of Application : 2007/1/23

[Email Verification]

- To use important functions within the web, users will be required to enter a code that is sent via email.
- After this system is applied, there will be limits in changing personal information.
- Those who have lost their password will be able to regain their password through this email verification.
- There is also intention of preventing account stealth.

Date of Application : February

I have to say, this is looking good. SRO is improving day by day. Good Job. And some of my suggestions are actually being applied. =)

Keep it up.

BBC wrote:

Neil Armstrong steps onto the Moon: "One small step for man, one giant leap for mankind "

Not rly that kind of moment, but i'm hoping 2 experience 1 of these on SRO

zphantom · **Joined:** Jun 2006 **Posts:** 251

Chaby wrote:

1llu51on wrote:

Quote:

auto block is super retarded.

Huh ? You can't input your pass right within these 3 times ? =p
It's to prevent brute force hack. I'm glad.

It would be ok if JoyNax did their job, but, they allowed my ID to be globaled in SRO. HEO/HeroesVN will gladly spamm auto block to block me...

Smart...

Guess you better not log out!

Quote:

[Image Code Verification]

Prevents easily making accounts right...? Hardly useful, a slight annoyance at most.

Quote:

[Automatic Block Function]

See Chaby's post, previously known ID's will go through hell.

Quote:

[Email Verification]

Another slight annoyance at best.

SRO should make a PIN number system like MapleStory where after you put in your PW, a keyboard simulation pops up with randomly placed numbers that you use your mouse to click in your PIN number = no keylogging.

When someone is logged in, another attempt to log in should boot the account, otherwise once a hacker is in, there is no stopping them.

RuYi · **Joined:** Apr 2006 **Posts:** 7145 **Location:** Done.

zphantom wrote:

SRO should make a PIN number system like MapleStory where after you put in your PW, a keyboard simulation pops up with randomly placed numbers that you use your mouse to click in your PIN number = no keylogging.

That's indeed a good way to prent keyloggers! Perhaps they'll use this way of logging in one day.

uBeR · **Joined:** Jan 2007 **Posts:** 966 **Location:**

Yes, we might as well get rid of the keyboard while we're at it.

PR0METHEUS · **Joined:** Aug 2006 **Posts:** 4093 **Location:** Earth

LuV3r8o1 wrote:

The point isn't gaining acct access. It's that you can prevent someone from logging in just by failing their verification every 10min.

The same can be said for most Windows Domains, and pretty much any other type of account out there with any real security on it. Usually company policy, and best business practices in general, states that user accounts must automatically lock for either a set time, or permantently (allowing admin to unlock) if someone enters the wrong password a few times. If someone is trying to get into an SRO account and failing, the account SHOULD be locked. Since we can't walk over to the GMs and show them valid identification, the accounts should be locked for a specific time (e.g., 10 minutes), and then unlock themselves again. This is a good thing.

Perhaps what Joymax should do is have some system set in place where if a certain IP (or subnet) repeatedly fails at logging into a certain account, a block is put on that IP or subnet. That way Chaby (for example) can have the account back after 10 minutes and the attacker gets blocked, at least temporarily.

borat2 · **Posted:** Sat Jan 20, 2007 6:28 pm

RuYi wrote:

zphantom wrote:

SRO should make a PIN number system like MapleStory where after you put in your PW, a keyboard simulation pops up with randomly placed numbers that you use your mouse to click in your PIN number = no keylogging.

That's indeed a good way to prent keyloggers! Perhaps they'll use this way of logging in one day.

you cant prevent it when you are infected the only way to protect yourself is not getting the keylogger or actually cleaning your system frequently.

here you go http://www.hispasec.com/laboratorio/cajamurcia_en.htm
dont trust the link? go here http://www.virustotal.com click the new technique against ....

- Accumulated number of incorrect password entered will be reset everyday, at 00:00 Silkroad Standard Time.

that is probably the block the hacker/whoever trying to use your id gets so he fails a number of times then get a ban till midnight. Not the actual account he was trying to get in. at least that sounds logical to me don't know if Joymax thinks the same way (lets hope so)

uBeR · **Joined:** Jan 2007 **Posts:** 966 **Location:**

At least now we know anyone who has their account "stolen" is almost 100% certain to have download something "illegal."

ImpeK · **Joined:** Sep 2006 **Posts:** 64

WONDERFUL! now the security will be that of a regular forum..
GG JoyMax is bad at this shit..

Silkroad Online Forums

SRO Beefs up Security

Who is online