The Players Corner Archive

The whole account/character information thing

Ok, since I don't read these boards that often, I didn't get here in time to respond before the thread was closed.

When I said that no GM has access to your account information, I meant the GMs that most of you interact with on the message boards and in the game. A few of the on-site people do have access to your information and they are technically considered GMs. For people who jump on Siara and Skirmisher about splitting hairs, you all dissect everything *I* say pretty damn well.

So... I'll revise my previous statement and say, no one but the few on-site people have access to your 'secure' account information. This is referring to your credit card information/password, etc since that is what this whole thread was about in the first place. And NO ONE has access to your password because it's stored encrypted (I had to ask about this one because I didn't know). Also, I believe the on-site people only have access to the last four digits of your CC number as well, not the whole thing. I don't know for sure about that though.

So in my opinion, the whole thread was a bunch of paranoia about nothing. No one there has access to information that they shouldn't have. The billing people at your ISP have the same information.

reg

You know. You said in your opinion. Which means. You are not for sure.

CC was part of the issue.

GMs can access your accounts\characters. They can take coins out of your bank account, fixing an item, taking an item away from you and so on. What prevents them from doing this?

Now, how could that one GM, call people at home? Sayzor did that. I don't think he was an onsite GM. But could be wrong about that. Now that says ingame GMs have access to personal information. What prevents them from accessing that now?

So please NOI. Since you are onsite staff now. Get us some facts. You can do that. Don't post opinions. That would help us a ton in feeling safe or more secure. That is if you can back up what you say. Remember, no opinions please.

Everyone wants to know the truth. I know what has happened in the past. If they have put any security measures since those abuses. Then let us know.

I am going to try and refrain from the personal attacks. But when you got people like Siara telling us things she doesn't know for sure about. Kinda makes you mad seeing people blindly defending something that isn't true.

So how do we know that Simutronics has any type of privacy with our personal information? What do they do to someone who does abuse it? Why should we trust them? I mean they got a track record of not being truthful.

So please. Try and be our liaison with Simutronics policy makers and enforcers. No deception. No smoke and mirrors. Be honest and truthful about it.

edge reg

I am NOT on-site staff or off-site staff or staff of any kind.

I asked David about the passwords/CCs because I was curious. That's something any one of you could have written to billing and asked for yourselves.

Yes, GMs can access certain things on your account. They have to. That's part of their job. Just like people at the bank have access to your bank account. Your credit card company has access to your CC number. If you think that a GM is abusing that power, write feedback about it or write to Llearyn or an SGM or David or whoever you DO trust.

Siara and I are not friends and have not communicated through IMs or e-mails about any posts on this board. So I don't have her saying anything for me.

As far as the Sayzor situation you were talking about, I don't know anything about that. I do know that your name, phone number, SS#, address and all that information is on your GM/GH application for those people who have submitted them.

I don't think GMs go around calling random people at home and if they did, I would say write to feedback/billing about it or call or something because that sounds like abuse.. but I really don't know. <shrug>

I can't answer all your questions Edge because I don't know. I honestly am not on-site staff. Ask anyone. So when I know the facts, I post them. If I don't know, I ask. If I have an opinion, I state it as such. reg

Here, this is from the 'hacking' folder, a clip from an e-mail sent from daecir at lockout...

<<7/15/01 2:23:01 PM
through
9/28/01 8:21:25 PM Password remains the same short string of characters

9/28/01 8:21:25 PM A minor (one character) change was made to the password.
9/30/01 12:23 PM You contacted our billing office to change the security
question and answer for the account. No other information was changed.
9/30/01 8:23:51 PM Password changed to something new via the website,
required old password.
9/30/01 8:28:37 PM The email address on file was changed via the website
(this would requires the person be logged into the account, and thus already
had the password).
9/30/01 9:54:01 PM Password returns to the same as password as 9/28/01
10/02/01 11:47:39 AM A request was made on the website for a reminder of the
current password to be sent to the email address on file for the account.
10/02/01 11:50:03 AM Our system sent the password to the email address on
record.
10/02/01 12:54:42 PM Password changed via the website after logging in with
the old password.>>


Kinda makes me think they can see your password, huh? For a moment, it almost looks as if they can only see how many characters a password is... like if they saw it as *****, and then it was turned to ******, one character change.... but lookit this CLOSELY

<<9/30/01 9:54:01 PM Password returns to the same as password as 9/28/01>>

How could they see it was changed to what it was, if they can't see your password?

From the topic starting post...

<<And NO ONE has access to your password because it's stored encrypted (I had to ask about this one because I didn't know). >>

Can i ask where you got this from?.... did the reply header say 'misinformation@play.net'?... I'm real curious as to who told you this...

-goyle reg

Urgoyle, no one has to know what your password is, to know if someone tried to change it. All they need to see is a system message saying that it was changed. FROM what TO what doesn't have to show up at all. And as you can see by your own log, no password was actually written. Only the fact that it was changed.

IF the system was able to log that information, don't you think the system would have mentioned what the passwords were? Hmm?

Honestly. When I was GMing I could see who was trying to logon but I had no way of knowing if the person making the attempt really was the account holder. The system doesn't know either. All it knows is that someone is trying, someone succeeded, someone failed. That's it.

Same with passwords in Gemstone. The system knows that the USER is changing a password. NOI is absolutely correct. The password is encoded, and anyone who is here posting on these very boards should not be surprised that when you change the password given to you by the Forum's administrator, he has no idea what you changed it to. He would only know that it was changed, if he even knows that much. It's a common thing in anything and everything that has a password attached to it. The only other way admin could possibly know what your password is, is if it had a mirror or ghost program to see your entire computer and everything you type in.

Some major corporations do that with their network computers. But for Simutronics to do such a thing would require them to be networked to your personal computer.

On the other hand -

Just because you're paranoid, doesn't mean they're not out to get you.

Have a groovy day.

Roberta rolls her eyes.
reg

But Roberta. He said that Daecir knew if one character was changed. I don't see a system telling you that. It appears as if he could see the whole password. What it was and what it became.

I think that is odd. If it was the way you say it was. It would have just showed as the PW being changed. Not how many characters was changed.

9/30/01 9:54:01 PM Password returns to the same as password as 9/28/01

9/28/01 8:21:25 PM A minor (one character) change was made to the password

That makes me believe that they can see passwords.

edge reg

He also said that the password was changed back to the original at one point or something to that effect.

That is just odd.

Hiway reg

An encrypted password doesn't look like this: *********

It's more like: FS&#*#NRD*S&F or something like that.

Check out some cryptology websites (http://www.rsasecurity.com/rsalabs/faq/3-6-6.html). It sounds like you don't understand the technology behind password security and are, therefore, misinterpreting that email to mean CS people can determine someone's password. They can't.


reg

Right, that means they can just see any changes you make to your password, and know you're changing it back to what it was before, when you change it twice... wonder how they knew what it was before... anyone else?

<And the mail clip was originally posted by edge in the 'hacking' folder>


If you call the phone company, and they say 'Well, we see that on this date, you changed your phone number... and then on this later date, you changed it back to what it was before' It's pretty obvious they can see your phone number, the same applies to passwords here....

By the way, Roberta, we call that logic, not paranoia.

Have yourself another.. heh.. blissful day.

Urgoyle rolls _HIS_ eyes in response. reg

quote:
Originally posted by Urgoyle:

If you call the phone company, and they say 'Well, we see that on this date, you changed your phone number... and then on this later date, you changed it back to what it was before' It's pretty obvious they can see your phone number, the same applies to passwords here....

It's entirely possible that the system keeps an encrypted record of all previous passwords, or at least the last one or last 5 or something. reg

<<Right, that means they can just see any changes you make to your password, and know you're changing it back to what it was before, when you change it twice... wonder how they knew what it was before... anyone else?>>

Nearly any secure operating system can be set up to remember a certain number of passwords (still in their encrypted form) to prevent people from switching between two passwords. This option can then be turned on to add another level of security by forcing you to change your password to something unique a certain number of times. An example from my RL: DoD C2 level security requires for a classified network that every 6 months you must change your password and it will retain up to 10 old passwords. So you would have to change your password to 10 other unique passwords before it would let you reuse one. I don't know how anything onsite works but it is very common for financial systems to do this and actually is used to enhance not detract from security. Any NT MCP type can back me on this. Passwords are stored and checksummed and it's easy to tell if they've been changed, again for security reasons, but telling what the password actually is nigh near impossible. Normally a company will purchase a software package that blackboxes the passwords and as such they won't know what it actually is as they don't have the source code to decipher the encryption algorithm. All they have is the compiled version of the package that encrypts and decrypts the passwords. This is the same with any computer network as the Sys Admin/Sec Admin can reset your password. They can reset the password to something different, that's why companies use security questions. That is the voice equivalent of the password. So if anything never ever give out the answer to that. Make it difficult. No one would ever guess mine. Heck even I've forgotten it at times. If they reset the password (for ill or whatever reason) there's no way they can put it back to what you had it at so you would know immediately something was up. So there are a lot of checks and balances built into the system. All the financial companies (CC, Banks) use this method so someone must think it's secure enough.

Btw, this is only my knowledge of how computer security works. I have very little knowledge of the actual setup at Simutronics but I can't imagine it being far different than the industry standard setup. I was just concerned on how misconceptions on password authentication security were being looked at.

Uska bounces out. reg
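
An added illustration, not part of any post in this thread and not Simutronics' code: a store that keeps only salted one-way hashes can still produce both audit lines quoted from the e-mail ("minor (one character) change" and "returns to the same as password as 9/28/01"). It assumes the change request carries the old and new password together, as the clip's "required old password" suggests; `Account`, `change_password` and `HISTORY_DEPTH` are hypothetical names.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 10      # assumed: the "up to 10 old passwords" figure from the post above
ITERATIONS = 100_000    # assumed PBKDF2 work factor


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow, one-way: the stored digest cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, computed in memory on the two plaintexts in the request.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Account:
    def __init__(self, password: str):
        self.history = []   # (salt, digest) pairs, newest last; no plaintext is kept
        self.audit = []     # the only thing a support person would read
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        # Keep the current password plus HISTORY_DEPTH old ones.
        self.history = self.history[-(HISTORY_DEPTH + 1):]

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def change_password(self, old: str, new: str) -> str:
        if not self._matches(old, self.history[-1]):
            event = "change rejected: old password incorrect"
        else:
            # Re-hash the candidate under each stored salt to spot a reused password.
            # A reuse policy would reject here; this sketch only records the fact.
            if any(self._matches(new, e) for e in self.history):
                event = "password returns to a previously used value"
            elif _edit_distance(old, new) == 1:
                event = "minor (one character) change"
            else:
                event = "password changed to something new"
            self._store(new)
        self.audit.append(event)
        return event
```

The one-character comparison is only possible at the moment of the change, while both plaintexts are in the request; from the stored digests alone, two passwords that differ by one character are indistinguishable from two unrelated ones.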

quote:
Originally posted by Urgoyle:
Right, that means they can just see any changes you make to your password, and know you're changing it back to what it was before, when you change it twice... wonder how they knew what it was before... anyone else?

<And the mail clip was originally posted by edge in the 'hacking' folder>


If you call the phone company, and they say 'Well, we see that on this date, you changed your phone number... and then on this later date, you changed it back to what it was before' It's pretty obvious they can see your phone number, the same applies to passwords here....

By the way, Roberta, we call that logic, not paranoia.

Have yourself another.. heh.. blissful day.

Urgoyle rolls _HIS_ eyes in response.



Go learn about how encryption works and maybe you'll understand the system a little more. I can't explain it any further because I was asked not to .. because doing so might give hints to hackers about how the system over there works.

Your password is stored encrypted. No one at billing/feedback/whatever can see it.
reg

<<Nearly any secure operating system can be set up to remember a certain number of passwords (still in their encrypted form) to prevent people from switching between two passwords. This option can then be turned on to add another level of security by forcing you to change your password to something unique a certain number of times. An example from my RL: DoD C2 level security requires for a classified network that every 6 months you must change your password and it will retain up to 10 old passwords. So you would have to change your password to 10 other unique passwords before it would let you reuse one. I don't know how anything onsite works but it is very common for financial systems to do this and actually is used to enhance not detract from security. Any NT MCP type can back me on this. Passwords are stored and checksummed and it's easy to tell if they've been changed, again for security reasons, but telling what the password actually is nigh near impossible. Normally a company will purchase a software package that blackboxes the passwords and as such they won't know what it actually is as they don't have the source code to decipher the encryption algorithm. All they have is the compiled etc. etc. etc. etc. etc.>>

and let's not forget NOI
<<Go learn about how encryption works and maybe you'll understand the system a little more. I can't explain it any further because I was asked not to .. because doing so might give hints to hackers about how the system over there works.>>


Such a detailed and complicated encryption system!... dear me... my heart races just thinking about how safe and secure it is, and how nobody can see my password... funny how i can't even use CAPS while entering my password... very secure, very reliant..

But hey, if you all wanna think they can't see your password <and i started a topic on this, and got about 10 million replies of 'And this surprises you?'> go right ahead and make the same mistake i did. reg

Urgoyle, you're gonna believe what you want to believe no matter what I say. <shrug> I'd still suggest doing some research on cryptography.

I'm telling you the truth. If you don't want to believe me, fine. No skin off my back. All I'm trying to do is let you in on how it really works. There's no evil plot to steal your password and use it on all your other accounts at other websites/companies. Sorry. reg

You know, i would've believed that... until i IMed someone <who will remain nameless, you know who you are, and i know you read these boards>, and within 3 minutes suddenly started getting disconnected because someone else was logging in as me, luckily i managed to change my password before she did.

And that was the last password, my AIM one, that matched my simu login, that i forgot to change.


No conspiracy, naah reg

quote:
Originally posted by Urgoyle:
You know, i would've believed that... until i IMed someone <who will remain nameless, you know who you are, and i know you read these boards>, and within 3 minutes suddenly started getting disconnected because someone else was logging in as me, luckily i managed to change my password before she did. And that was the last password, my AIM one, that matched my simu login, that i forgot to change. No conspiracy, naah


What does some chick who has your PW have to do with conspiracy?

When someone can guess your PW, it just means you made up a friggin' lousy one. Especially when your AIM PW is the same thing. Now if that said person continued to log onto your account within minutes after you changed your PW again. OK, then there's something wrong.

Bianca, "NEVER USE THE SAME PASSWORD TWICE" reg

quote:
Originally posted by Bianca:

What does some chick who has your PW have to do with conspiracy?


Was wondering that same thing myself.

reg

You used the same password for AIM and GS??? Ummm...I don't quite know what to say...

By the way, are your passwords, by any chance, stored on your computer?

Rysh...just askin' reg

Hey, if yer too dense to connect the dots, i'm not gonna bother releasin ya from the blissful state, that's all i have to say reg

quote:
Originally posted by Urgoyle:
Hey, if yer too dense to connect the dots, i'm not gonna bother releasin ya from the blissful state, that's all i have to say

You should really fork out more dough for that good stuff. I think you've been smokin too much of that cheap stuff laced with rat poison. The paranoia grand delusion side effects are really starting to get to you. Gem*stoner* indeed, eh?

Bianca, the blissful

PS. The truth is out there!!!
reg

<<You should really fork out more dough for that good stuff. I think you've been smokin too much of that cheap stuff laced with rat poison. The paranoia grand delusion side effects are really starting to get to you. Gem*stoner* indeed, eh?>>

Isn't that what the people trying to cover up the truth say to save face, eh?

The truth IS out there.

edge

reg

The truth isn't as interesting as the lies and speculation that get thrown around. Why do you think one gets so much more attention than the other? reg

I don't know about you, but many things I have learned over the years sure surprised the heck out of me.

Hiway reg

quote:
Originally posted by Bianca:
You should really fork out more dough for that good stuff. I think you've been smokin too much of that cheap stuff laced with rat poison. The paranoia grand delusion side effects are really starting to get to you. Gem*stoner* indeed, eh?

Bianca, the blissful

PS. The truth is out there!!!



I haven't smoked or drank or anything in quite a while, darlin'. It's just thatcha can't perceive anything that's not directly in front of your eyes... would it kill you to think once in a while, miss bliss? reg