#51
Old Alpha
Avatar Name: Minas alh Lhander
Soc: Praetorian Guard
Location: Sweden
EFD: 634.90
well, not really true.

In principle, the card contains a pseudo random generator that generates the next number in the sequence based on the previous number, the card id, and (I think) a secret id. It has the advantage that you can never "run out of numbers". So yes, there is an algorithm. And it can theoretically be brute forced... if you have a couple of million years to spend...

Last edited by alh; 07-15-2008 at 22:05.
__________________
Entropia Resource Xchange - Find us on 3rd floor Twin Peaks Mall - www.erx.se
Price cut! Mind Essence now 190% + tax! (less than 192.2 incl. tax) For all piles! Piles of 250, 500, 1k, 2k, 5k and 10k. Always well stocked.
#52
Elite
Quote:
Just (pseudo) random numbers in a long sequence. You can't compute the next number from the previous. MA ofc has the same list of numbers, so they can keep track of where in the list the card is, and verify that the number sent is correct.
#53
Old Alpha
Avatar Name: Minas alh Lhander
Soc: Praetorian Guard
Location: Sweden
EFD: 634.90
Quote:

A long list of numbers isn't practical, would need a lot of storage space on the card, and make it a lot more expensive. Plus... you will run out of numbers. Pseudo random algorithms are deterministic. They work such that you input a "seed" and then you get a number in the sequence. It will then store the result and use it in the calculation of the next number in the sequence. That's how they work...

With the GC, you can't use only the previous number you used for login; you have to find the id of the card, and the secret id too, and those are the ones you have to brute force to "hack" it. You need two numbers after each other in the sequence, and then you just have to run the publicly available algorithm with different card ids and secret ids until you generate number two from number one...

Me and a soc mate once calculated how long it would take to brute force it (and we used quite generous assumptions on computer speed and availability), and came up with a couple of million years...

Plus, you can't be entirely sure you have the right sequence even if you get a match on two numbers. Might be another sequence that just happens to have these numbers next to each other. Having three numbers should make it less probable you hit a false one though, but will double the time it takes to brute force...
#54
Dominant
Hi,
Quote:

MA would carefully check the cause, and if there's no possibility to blame you (i.e. if it is a clear hacking of the GC system) they'd present you with a non-disclosure paper. By a hard penalty clause you'd promise not to tell anybody about it, and having signed, MA would fully compensate your loss. This is how things like this are usually handled, and I'm quite sure the non-disclosure waits on MA's desk because it was in use more than once already. Doesn't have to be GC fraud, could be users of exploits or similar, too ... Things MA doesn't want to see the light of day.

Thoughts about GC hacking: Guess it wouldn't be this hard - I'd attack a forum. These often have vulnerable forum software - and I wouldn't start with EF or one of the other big ones, I'd attack a Soc forum. These are often placed by free hosters, and compromising such wouldn't be this difficult maybe. A lot of ppl still use IE (or other older browsers), or have JS activated, or are still close to dementia when it comes to clicking "promising" links - and this way the forum hack would poison their PC. Then a man-in-the-middle attack. As soon as the victim has authorized the log in, crash his entropia.exe, and take over the session, pretending to be the victim to the server. Bingo.

It's not this simple, I know. I don't want to give a how-to to wannabe hackers, I just want to point to a rather easy way to bypass even a system like the GC. Things similar to what I have described are happening every day, and they very often get regulated then in the way I described above.

It all comes down to the one before the monitor - is she/he able to use a computer in a responsible way? Since I often have to deal with IT security issues I'd say most are not.

By far most people are constantly catching trojans, worms and virii, they click anything that isn't on the tree when counted to three, they are too lazy and penny-pinching when it comes to things like a good AV, a NAT-capable hardware router with firewall, even to installing and configuring a browser & EMail client that refuses to install all & anything. Your EU account is perfectly safe if you keep the needed minimum of IT security level, even without gold card. But it takes some thought, a little effort, and very little money. Too much for many. For these a GC may add a little more security, but don't think it will help against a dedicated attack.

I know what I'm talking about, it's part of my job to participate in some sinister forums, too - I need to know what "they" are doing to help protect my customers. "They" wouldn't bother using brute force attacks, much easier to push some kind of root kit to your machine ... Don't try this at home, they are full of traps. But my machine is clean like a freshly changed baby's behind, for years now. I don't even have a personal firewall running on my computer - would be just another gate for attack. Feel free to try to hack me - my IP is 127.0.0.1, Have fun! ;-)))
__________________
No more Sig here.
#55
Prowler
Alh is right, it's a logarithm.. that's how these kinds of cards work. Banks use the same system..
__________________
SPU is now an official EU Community Website! Visit the SPU website and join our forum. The original storyline of PE/EU from the old days can be found here!
#56
Elite
Ehm... Yeah, seems I should have.
Quote:

But true that 1M numbers would still take up much more storage space on the card. Not much compared to space on PCs etc, but I guess it'd be enough to increase the price on cards.
Quote:

Thx for enlightening me.
#57
Stalker
Avatar Name: Kerawan Kerham Maddahy
Soc: Project -X-
Location: to the moon and back
EFD: 6,493.16
Geez, there's this idiot-simple option to randomly log in on the 1st, 2nd or 3rd number from the GC; you're still in sync with the server, and no keylogger in the world or number generator can help a presumptive hacker.
Wth so much discussion on a 99,99% impossible situation?
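The seeded deterministic generator alh describes in #53 (shared secret plus a running position, so the next code is never stored on the card) and the "log in on the 1st, 2nd or 3rd number and still be in sync" behaviour in #57 are exactly how a counter-based one-time-password token with a server-side look-ahead window works. The following Python is an added illustration written for this thread, not code from the forum, from the card vendor or from MindArk; it uses HOTP (RFC 4226) as a stand-in because the Gold Card's real algorithm and key sizes are not given here, and the 20-byte secret is the RFC's published test key used as a constructed sample. The `Card` and `Server` classes, their window size and counter handling are assumptions made for the example.

```python
"""Counter-based OTP token (HOTP, RFC 4226) with a server-side resync window.

Constructed example: HOTP stands in for the Gold Card's undisclosed algorithm,
and the Card/Server classes are assumptions made for illustration.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), a sample value.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive the code at one position of the sequence from the shared secret
    (the "secret id" in the thread's terms) and the running counter.
    Without the secret, a list of earlier codes gives no way to compute the next."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Card:
    """The token in the user's hand: holds the secret and the next counter.
    Each press yields a code and advances the counter, whether or not that
    code is ever typed in, so the card never needs to store a list of codes."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Server:
    """Operator side: the same secret per card plus the counter of the next
    code it expects. The look-ahead window tolerates codes the user generated
    but never submitted (the "1st, 2nd or 3rd number" of post #57) while still
    rejecting any code at or before the last accepted position (replay)."""

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self._secret = secret
        self._expected = 0
        self._window = window

    def verify(self, submitted: str) -> bool:
        for i in range(self._window):
            candidate = hotp(self._secret, self._expected + i)
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(candidate, submitted):
                # resynchronise past the match: this code and every skipped one
                # before it are now permanently unusable
                self._expected += i + 1
                return True
        return False


def demo() -> dict:
    """Run the resync and replay scenario; returns the outcomes for inspection."""
    card, server = Card(SAMPLE_SECRET), Server(SAMPLE_SECRET, window=3)
    c0, c1, c2 = card.next_code(), card.next_code(), card.next_code()
    return {
        "skip_two_then_login": server.verify(c2),   # True: position 2 is inside the window
        "replay_same_code": server.verify(c2),      # False: already consumed
        "older_skipped_code": server.verify(c1),    # False: behind the server's position
        "next_in_sequence": server.verify(card.next_code()),  # True: position 3
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Two points the thread argues over fall out of the code directly. First, the card stores only a secret and a counter, so it cannot "run out of numbers" and needs no large table, which is alh's objection to the long-list model. Second, the server's window is what lets a user skip one or two codes and still stay in sync, yet a code that has been matched, or skipped over, is rejected for ever afterwards, so a logged keystroke is worthless once the session it opened has been verified.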