Gaming politics
Frankly, I think MS and Bungie are both full of crap on this one.
I can’t seem to find the article I was first looking at (damn google for making it so easy, yet so hard, to find things), but a security consultant was interviewed who had his account stolen by teens who threatened to do so over XBL, and found their web site online where they posted the names of people whose accounts they jacked, “for talking s***” and other things. I seriously doubt this security analyst was chatting about his credit card/address with these punks.
While most people on the XBL forums sound inane, I still think the problem of stolen ID’s is not about 50-some people all giving out their personal information to people who then later hacked their ID. It’s just not plausible. And if it’s totally true and there’s no other problem, their press releases sound distressingly like our government, with scant information and a quick redirection of blame.
I have to give them credit for being lightning-fast at spinning the matter, though. It’s a difficult situation – you don’t want to lose the trust of people, especially when you’re building up momentum for H3.

http://www.securityfocus.com/news/11452
So it looks like the problem isn’t users giving away their information so much as support personnel giving away the info.
Well, if it’s really a problem, as described it is either brute force hacking of passwords or someone calling and saying things like… “That’s not my name, it’s supposed to be X! Damn my little brother.” Then calling back and doing the same with more and more info until everything is changed.
What I read there was a little different from that, but essentially the same. Each time they’d call they’d get a little more information on the person, and then they’d call back and change all the info at once, saying all the information was false. Same result, but more likely to be pulled off if the previous calls weren’t logged due to inaccurate information.
Yeah, it could probably be resolved with a bit of process adjustment. But still, there will always be a way around.
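The incremental-call pattern described above is one a support organisation can look for on its own side, as long as it records calls that fail identity verification rather than discarding them. The following is an added illustration, not code from any commenter or from Microsoft or Bungie, and it assumes a hypothetical support-contact log format with constructed sample records: it flags an account whose profile is rewritten wholesale shortly after several calls that failed verification, and shows that the same check sees nothing if the failed calls were never logged.

```python
from collections import defaultdict

# Constructed sample of support-contact records (illustrative, not real data).
# Each record: account id, call sequence number, whether the caller passed
# identity verification, and which profile fields the agent changed.
CALL_LOG = [
    {"account": "acct-1001", "ts": 1, "verified": False, "changed": []},
    {"account": "acct-1001", "ts": 2, "verified": False, "changed": []},
    {"account": "acct-1001", "ts": 3, "verified": True,
     "changed": ["name", "email", "address", "password"]},
    {"account": "acct-2002", "ts": 1, "verified": True, "changed": ["email"]},
    {"account": "acct-3003", "ts": 1, "verified": False, "changed": []},
    {"account": "acct-3003", "ts": 2, "verified": True, "changed": ["email"]},
]


def flag_suspicious(log, lookback=3, min_failed=2, min_fields=3):
    """Return account ids where a bulk profile rewrite (at least `min_fields`
    fields changed on one call) was preceded, within the previous `lookback`
    calls on that account, by at least `min_failed` calls that failed
    identity verification. Thresholds are hypothetical tuning knobs."""
    by_account = defaultdict(list)
    for rec in log:
        by_account[rec["account"]].append(rec)

    flagged = []
    for account, calls in by_account.items():
        calls.sort(key=lambda r: r["ts"])
        for i, call in enumerate(calls):
            if len(call["changed"]) < min_fields:
                continue
            # Only earlier calls on the same account count toward the pattern.
            window = calls[max(0, i - lookback):i]
            failed = sum(1 for c in window if not c["verified"])
            if failed >= min_failed:
                flagged.append(account)
                break
    return flagged


def drop_failed_calls(log):
    """Simulate a help desk that only records calls where verification
    succeeded; the earlier probing calls simply vanish from the record."""
    return [rec for rec in log if rec["verified"]]


if __name__ == "__main__":
    print("with full logging:", flag_suspicious(CALL_LOG))
    print("failed calls unlogged:", flag_suspicious(drop_failed_calls(CALL_LOG)))
```

The point of the second run is the one made above: the bulk rewrite on its own looks like a normal, verified change, so the detection depends entirely on the failed calls having been written down. A hold or out-of-band confirmation before applying a flagged bulk change is the natural follow-up control.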
Having dealt with a statistically-significant sample of the persons in question, in agonising detail, I wouldn’t entirely dismiss the chances that 50 of them out of 6 million could accidentally sabotage themselves so dramatically. Honestly, and without a trace of sarcasm, I could see it happening to a segment of the population that small.
Nevertheless, the article does suggest a systemic problem with “social engineering” hacks and I could see that as plausible. Too. Dangit.
— Steve can say that there’s no way “haX0rs” gained critical information from bungie.net servers… simply because billing information of that type is not stored there.
*nod* Of the information given out by Bungie and MS, I did totally get and believe that latter part. It doesn’t make sense to keep billing info on the same server. … which doesn’t mean some sort of weird IP spoofing might not occur.
Regardless, it’s not that I’m not sympathetic – there is a fine line between being courteous during a support call and accidentally giving out information – I used to do phone support, myself. I just have no tolerance for companies not owning up to a problem, and get annoyed when they start blaming their own problems on the people who’ve bought their product.
… and yeah. This particular set of people isn’t exactly quiz bowl champions.
Here’s the problem: The “security consultant” has about zero credibility with a lot of us. When the person leading the charge has a history of blaming the wrong people and being more interested in notoriety than actually helping other people, I find MS’s independently dubious claim more believable.
I’m willing to see that point, for sure – what’s the link about? I read the page, and I’m not really sure who the consultant is in that mess. Is that his site?
The site is Macalope – a Macintosh commentary site, writing about the “Month of Apple Bugs” site – Finisterre’s project.