Well since the exploit was fixed for inf-leves I'll explain it simply required you to use a packet sniffer to find the packet sent when turning in the leve and simply sending the same packet repeatedly.
Well since the exploit was fixed for inf-leves I'll explain it simply required you to use a packet sniffer to find the packet sent when turning in the leve and simply sending the same packet repeatedly.
Pretty much the above. However, there are still a multitude of other packet base exploits that went unfixed. Chances are, if you saw someone standing next to a multi-turn in leve quest NPC that didn't move and was steadily gaining levels (non retards spaced out their packet sends to lower suspicion), he was exploiting. Reason being is you had to be locked in to the NPC leve dialogue after doing the initial turn in to manually send the "give me exp and gil" packets.
Color me unsurprised.
FFXIV: Now Less Secure Than Runescape!
This sort of thing may be reasonably easy to fix, but my gawd does it make S-E look unprofessional, and depending on how many ways you can cheat your way into various parts of the game system it could be another 1.0-level fuckup.
I'm kinda happy I've waited to seriously get into FFXIV. Major MMOs should not be able to be "played" this way.
You already know I'm not like that (NSFW mod here). I just wish I could have seen the vid better but still all this is very interesting to me. People that get/got away with it will horde until you need that gil and a time will come. I just didn't believe anyone ever made 50 grand off the rmts is the proof I was more wanting to see. 50 grand is a lick off rmt in a game that doesn't involve gil much yet.
I was just kinda wanting to see it in the XIV thread in spam because this isn't the place.
That is what I was saying to dude arguing with me but he just didn't/doesn't understand shit and never will.
Seriously SE, is it that difficult to put some basic low level encryption on packets to stop basic packet pushing like this? This company is unbelievable.
Majority of the packets aren't even compressed, let alone encrypted.
Well this would certainly explain why so many people have max melded i70 gear in a number of slots for every single job.
Um.. but how else would you have more shinies than I do if you didn't cheat?
Encrypting the packets wouldn't increase security, only privacy.
Obfuscation isn't security.
http://csrc.nist.gov/publications/ni.../SP800-123.pdf would be a good read for people wanting to know how to secure systems, but sadly it is unavailable until the government receives funding.
Well they did that in XI, for whatever that's worth.
Obfuscation *alone* isn't security. Obfuscation is still useful to enhance security.
My company is paying a firm for penetration testing right now. They've asked us for a bunch of information to help them identify our systems and help them proceed with the testing. Defeats the purpose IMHO.
Depends on the obfuscation method but I don't think you're seriously evaluating the statements. See my example above. I think you're considering the probability that obfuscation makes a target stand out by trying not to stand out (example - blank SSIDs), and that's not really going to my example at all.
Also your best case seems to basically take the position of O(29385902385923n) = O(n), which masks the fact that in this case we want to increase ω(n) (from memory here, forgive me if I'm using the wrong notation) so that we reduce the chances of a successful attack being carried out.
Don't confuse this with things like security theater. Techniques like port-knocking (however flawed they may be) don't even register on the scale of impact to the authorized user, but add a few orders of magnitude to the complexity for the random attacker, and without foreknowledge of the layer, make a target appear less vulnerable.
Do they stop a dedicated, focused attack? Eventually not, but it increases the likelihood of being able to see (and stop) the attack in progress.
If you'd like to continue to debate this I'm welcome it. If you'd rather just make blanket assumptions on the Internet and pretend you've always been right, then I'll just move on.