exploits
Latest
FFXI "Special Task Force" takes on cheaters
Square Enix proves once again that they are willing to bring the hurt on people who use hacks or exploits to gain an unfair advantage over other players or destabilize the economy of Final Fantasy XI. In a Special Task Force Report, they break down the approximately 8000 bans and suspensions that they've doled out since this time last month. Among the groups most actively targeted are people using illegal fishing bots, Chinese gil farmers, and people abusing the auction house system for use in real money trading schemes. In so doing, Square plucked a staggering 2.3 billion gil from the hands of cheaters and money traders.It makes you wonder why more companies aren't actively reporting the numbers of exploiters and gold farmers that they're busting every month. It's not like we don't know the practice exists, just tell us what you're going to do to stop it!
'Vast' memory card claims tool-less unlock for PlayStation 2
From the "too good to be true" department comes the "Vast" advanced memory card, capable of providing PlayStation 2 owners with the same functionality found in modified consoles. This means everything from playing imported titles to other nefarious and totally discouraged deeds.MaxConsole claims to be in contact with the developer of this new memory card that is being prepared "to be launched within the next two weeks." While we have our doubts, it should be noted that an exploit of this nature has popped up before, known as Independence. That exploit, however, was nixed with the Slim line of PlayStation 2's.Prove us wrong, Vast ... and would you mind doing it before Arcana Heart is released? Thanks![via Engadget]
'Vast' memory card promises tool-less PS2 unlocking
One of the main impediments keeping many people from modding their own consoles is their lack of handiness with a soldering gun -- not to mention the whole voided warranty thing -- but now a new product is said to be on the horizon that moots both these points in a single blow, the 'Vast' advanced custom memory card for PlayStation 2. According to MaxConsole, which claims to have a dialog going with the developers, Vast "essentially exploits a flaw in the PS2 memory card system" to give you the same functionality derived from a hard-wired mod chip sans the need for a single power tool. The only real "proof" we have of this product so far is the above screenshot, which MaxConsole tells us was captured from the card's proprietary operating system; if this is all on the level, we should know more before the scheduled launch, which is said to be a mere two weeks away.
Windows Safari bugs and exploits "popping up like hotcakes"
Safari has been available on Windows for less than 24 hours, and already the hacker community is apparently tearing it to shreds. The Errata Security blog has been keeping track of a few announcements across the web, including a fully disclosed 0-day exploit that Thor Larholm apparently found yesterday within two hours of the software's release (and says more are "popping up like hotcakes"). And just to be clear on the use of 0-day exploit: it means Larholm found a way to execute any piece of code on a Windows box when Safari visits a properly crafted site to successfully exploit a vulnerability on the day the vulnerability was found. What will this mean for Safari's reputation and traction in the Windows market? I'm not really sure yet. There are any number of reasons behind Apple's decision to develop Safari for Windows, and even though a healthy pool of tech-savvy users are already tinkering with it (for better and for worse), the real results will be seen once it reaches much more of the mainstream market. One of the primary reasons (besides making it easy for Windows-based web developers to write web apps for the iPhone, of course) for SafariWin, as some are calling it, is because that tiny little search box in the upper right of a browser has become quite a revenue generator if the browser does decently in the market. When users search through that box, the browser manufacturer makes some money off the resulting ads that are displayed along with that search. Firefox reportedly made around $50-75 million last year for Mozilla because of that little search box (not bad for an open source product, eh?). You don't have to be Internet Explorer to bring home at least some bacon for your company; heck, I would bet that Opera is still in business largely due to their search box as well.But none of these reasons will mean anything, and Safari won't generate nearly as much revenue for Apple, if it doesn't gain at least a respectable share of Windows users who are actually firing up Safari to search, browse the web, view and click on ads. But If Safari keeps getting torn apart like this within 24 hours of a release, it could gain a terrible reputation before it ever hits the radar of a crucial portion of the general public. In this new web browsing and computing world where security is everything when you talk about a browser, Safari needs to plug these exploit holes ASAP if it plans to get any farther than the fleeting front page of digg.
Rolling restarts for US realms Friday morning
Drysc informs us to expect rolling restarts for all US realms starting at 5:00 AM PST to apply a "minor hotfix." Downtime is expected to be minimal (around 15 minutes), and US players probably won't notice any interruption. But a hotfix? Blizzard's not said what they're fixing, which leaves us to guessing games as to the exact nature of the problem. However, poster Tuhljin seems to be on the right track when he points out that "if they won't tell you what the hotfix is for, at least part of it probably involves fixing an exploit." After all, they wouldn't keep us in the dark just for the fun of it... would they?
Battleground sploitz and Blizzard's responsibility
Been jumping into PVP as often as I can lately, and I've noticed two little quirks still floating around the PVP system.The first one's fairly harmless. I too wasn't sure how to get out of a battleground until a friend informed me of the /afk trick. You're not allowed to go AFK in a battleground, so just purposely go /afk and Blue will boot you (with a deserter buff that wears off without consequence shortly).The other exploit is a little more troublesome. Apparently, when a raid leader joins a battleground "as group," members of the group can click the button to join in without the group leader doing so. Which means those members can check the player screen to see if they're up against another premade (by noting if all the other faction's players are from a single server), and if they are, the group leader, still out of BG, can then join another BG (say AV if the original players are in WSG), and then join back to WSG when another instance of it opens up. Understand all that? Basically they're using the fact that a group leader can stay out of a BG to constantly enter and reenter battlegrounds until they're matched up with a nonpremade. Then it's honor farming time, and 3 captures later the process starts all over.Now, I'd hate to be the tattletale on this, but I'd assume Blizzard knows about both of these "sploitz" (the first one isn't really an exploit in the strictest sense, but it is using an ingame function for a benefit it's not meant to confer). What players have done here is construct their own fixes for Blizzard's "bugs"-- there is no PVP matching system yet, so they've created their own (even though this system matches for the win, not for fairness). And there is no easy command out of the BGs (even /leavebg would be great and easy to implement), so players are using /afk.Which begs the question: does Blizzard care about the battlegrounds as they are now? Or are they too focused on expansion PVP to fix these "flaws"? And if they are too focused, is that a bad thing? We already know the honor system will be scrapped, as well as the current LFG and most of the PVP system. Does Blizzard have a responsibility to fix what we have, or is it OK that this musical chairs of premades continues until expansion release?
MacBook wireless hack possibly much ado about nothing?
Several weeks ago, we regaled you with the tale of how a pair of hackers, David Maynor and Jon "Johnny Cache" Ellch claimed that they could pwn a MacBook in a minute flat. The dynamic duo then showed the exploit to Brian Krebs, a reporter at The Washington Post and a controversy ensued over the next few weeks as to who had shown exactly what to whom when. The most recent episode involved Apple telling Macworld two days ago that SecureWorks, Maynor's employer, hadn't showed Apple any specific information -- however, on its own, Apple discovered a problem, then released security and wireless patches for PowerPC-based and Intel-based Macs. Meanwhile, SecureWorks has been awfully mum on the issue, refusing to say anything further to Krebs or to the IDG News Service. Glenn Fleishman has a very lengthy blog entry over at Wi-Fi Net News that provides a play-by-play of this whole situation, but points out that Maynor and Ellch are scheduled to speak at Toorcon in San Diego later this month, and concludes by saying that he thinks the pair will show their cards and tell all, which may finally settle this torrid affair.
HP dons white hat to hack customers' servers
Usually the term "hacking" has some rather negative connotations, so it almost seems counterintuitive to pay someone good money for breaking into your system, but that's exactly what HP is offering to do for its corporate customers with a new service called HP Active Countermeasures, or HPAC. As you'd imagine, HP's hackers won't do anything malicious once they break into a client's server -- propagating a worm, for instance, would seem to be bad for business -- but they will use a combination of buffer, heap, and stack overflows to exploit a system in much the same way that black hatters cause Internet terror on a daily basis. Specifically, the company will employ one of its own servers to launch attacks using eight to ten scanning clients for every 250,000 devices that are part of the program, and offer customers a temporary patch until they're able to hire a dedicated security firm for shoring up any vulnerabilities. Pricing is promised to be "aggressive," with firms using less than 20,000 IP addresses expected to pay only a few dollars per user per year for the privilege of learning how shoddy their security really is.[Via The Inquirer]
