Pink Poogle Toy Forum

The official community of Pink Poogle Toy
It is currently Sat Jul 05, 2025 8:51 am

All times are UTC




Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 127 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9  Next
PostPosted: Tue Jan 17, 2006 7:50 pm 
PPT Trainee

Posts: 507
Joined: Sat Oct 23, 2004 11:10 am
everconfused wrote:
Ah, for sure one of the accounts that was taken last week (they have gotten it back) was using FF, is a premium member and their premium cookies (I think they'd been using their neomail - with a different password) were taken. That was an account where ss of their premium user information were passed around on at least one forum. What other information was gotten I don't know. So it's not necessarily "just" Neo cookies.

I should be more clear: Only cookies that come from neopets.com (or anything.neopets.com) can be taken. I don't have premium, and I don't know what information is stored in premium cookies. I wouldn't expect it to be anything important, because that would be stupid, but it's possible. What I can say for sure is that the non-premium cookies are safe.


everconfused wrote:
BTW, what is salting the cookies. I saw that phrase bantered around as a way to help protect us.

Whoever used that phrase didn't really understand it...

"Salting" is adding random extra information into something to make it harder to get at. For example, the actual folder that your firefox profile information is stored in is something like p34oh0do.default, where everything before the period is just randomly generated. That way if someone breaks into your computer they can't just say "take everything out of this folder", first they have to figure out what the folder actually is. It's not perfect security by any means, but it is a mild deterrent.

What could be done is binding cookies to IP addresses. That would make it so if someone took your cookie and tried to use it on their computer, it wouldn't work, because they wouldn't have the same IP as you. This can be done securely (so the process is irreversible, i.e. it's impossible to change the cookie and insert another IP), and in fact is done other places.

However, it's not so simple for neopets. It has a problem, in that for many people if they restart their computer their IP will change and they'll be logged out. That might not seem like much to us, but for most users having to log in again every time you restart your computer (or it crashes) would be a real pain. It would be enough of a pain, in fact, that it would actually be harmful to neopets to do it.

I've asked about getting it as an advanced option somewhere, with a warning saying it might cause problems and if you find yourself being logged out you shouldn't use it; I got a "maybe" in response.

It really is a difficult problem for a company like neopets, where everything they do needs to make things as smooth as possible for users.


Nabile pwns you...

            ...At Lenny Connundrum.


PostPosted: Tue Jan 17, 2006 7:50 pm 
Beyond Godly

Posts: 2743
Joined: Mon May 31, 2004 3:55 pm
Location: PEI, Canada
Gender: Female
Slime Lord, these kids were CGing premium accounts and posting the users' billing information on the neoboards (I read a thread a while ago by a woman whose husband's info was spread all over). That is not "sticking it to the man" or showing Neopets the site has problems -- that's malicious and unnecessary. I see what you're trying to say, but I disagree entirely. I have no respect at ALL for these kids. Like someone said earlier, if dolphin wanted to, he could take advantage of any bugs on the site, whether to mess with people or to "prove something" to TNT -- but instead, he informs a programmer when he finds a problem. I have more respect for him than for some annoying little "hacker" who has no problem freezing innocent people, deleting guilds, abandoning people's beloved pets, and sharing their billing information (and yes, even if "Kaos" himself did not post that billing info, he has been involved in this thing all along, hosting the script and whatnot, so he is responsible). I hope that if TNT is able to prosecute these people, they will.

P.S. Why are you so convinced that "he is really protesting and taking drastic measures and prevent this from doing REAL harm to users"? I haven't seen any evidence of this. All I see is some bored little attention-seeking brat who likes to cause chaos for fun.


PostPosted: Tue Jan 17, 2006 8:03 pm 
PPT Trainee

Posts: 507
Joined: Sat Oct 23, 2004 11:10 am
I want to make another thing clear: shutting down the site is not the correct thing to do.

With the exception of this current thing, which I don't understand, TNT fixes bugs as soon as they find out about them. These are all simple exploits, and simple to fix. Taking down the site before fixing them would barely be faster at all, and would disrupt the tens or maybe hundreds of thousands of people playing.

Taking down the site for a complete audit is also not helpful: an audit can be done just as easily with the site up, and if there are no currently known exploits, there's no reason for it to be down.

Finally, remember that having the site down even for a short time is very problematic financially. Their entire revenue stream comes from the web, and for every minute the site is down, that's a minute they're not making money. And when you consider that they're a $160 million company, even a few minutes of not making money is big.


Nabile pwns you...

            ...At Lenny Connundrum.


PostPosted: Tue Jan 17, 2006 8:04 pm 
Beyond Godly

Posts: 3041
Joined: Thu Jun 03, 2004 5:27 am
Location: at the late night science fiction picture show
Q, I'm one of those clear-everything-after-I-visit-any-site kind of people. I've been laughed at by friends, telling me I'm "paranoid". Guess what, better to be paranoid than lose my information, or that of the other people who use this computer - any of it. I have my FF set to clear everything as soon as I close it. And then I'll go and run scans, then use CCleaner to look for anything the other scans may have missed. HijackThis gets run once a week, just to check things out.

As to the T&C, yes they have covered themselves and yes they can (and probably do) change it as needs be. But in a case where there's a proven cause and effect - someone takes your premium account and/or email, gains access to that and from there hits your paypal, bank, cc information, etc., that T&C to me goes out the window. Besides the fact that they talk about third party or outside sites and their lack of responsibility when they have ads that if you click will take you to an outside site. So, to me they're already violating their own T&C.

It is very important that we, all of us, take responsibility to protect ourselves and our computers to the best of our ability. That means getting updates (whatever browser you're using), having a firewall, av, spyware scanners/removers, etc.

I think it is also important for the sites we regularly visit to take their site's and our protection and security seriously. So in that regard I do look at TNT and some of the big things that have happened and have been swept under the carpet - the huge 4/04 security "glitch", dupe day (the big one - there'd already been a couple of small ones), cg/fake login pages - anything that people can, have and do put on their site that has no business being there. I mean, someone compromised the SDB search! Yes, Neo is a game site, yes it's free. But with the addition of premium (which I know is VSI - but it is a partnership with TNT) there are now paying customers. There's merchandise, there's the proposed movie. This is a business that is making a profit, paying employees, etc. Not just some little game being run for fun and completely for free. So they do share the responsibility for protection and security.

As to kaos, and whoever else is involved with this, let me repeat, I have No, Zero respect for anyone who cheats in any way, let alone this cg mess. There is never a reason that can justify doing things like this. When they're caught (and I hope it's a when, not an if), I'd love to be there just to see the look on their faces as the police Miranda them (if they're in the US).

SL, one of the "big" players got cg'ed and within seconds (his words) was completely cleaned out, his pet abandoned and later that pet was "sold" on what they're calling the black market - for real money. He's not the only one to lose everything or just about everything. Maybe that wasn't kaos, maybe it was one of his "minions" - that's what I mean by this thing proliferating.

That there are places that have these programs, cheats, selling of accounts, np, items and pets makes me ill. Where are the parents? Don't they know? Don't they care? If I had a child or anyone living under my roof and I found out they were doing something like this - or even if it was someone I knew outside of my home and I had proof, I'd turn them and their computers in to the authorities so fast, they'd never know what hit them.

So, is it even safe to log into Neopets? Are we not only compromising our neo accounts but other things? I don't think anyone knows. Maybe with the current cg that doesn't happen. Does that mean that if the site isn't made more secure that something else won't be written (or isn't already just waiting) that will compromise us?




PostPosted: Tue Jan 17, 2006 8:04 pm 
Beyond Godly

Posts: 2541
Joined: Mon Mar 07, 2005 10:50 am
Location: *bamf*
dolphinling wrote:
What could be done is binding cookies to IP addresses. That would make it so if someone took your cookie and tried to use it on their computer, it wouldn't work, because they wouldn't have the same IP as you. This can be done securely (so the process is irreversible, i.e. it's impossible to change the cookie and insert another IP), and in fact is done other places.

However, it's not so simple for neopets. It has a problem, in that for many people if they restart their computer their IP will change and they'll be logged out. That might not seem like much to us, but for most users having to log in again every time you restart your computer (or it crashes) would be a real pain. It would be enough of a pain, in fact, that it would actually be harmful to neopets to do it.


What I would like to see neopets do is to at least have the option of binding to your IP address. I know that wouldn't help everyone but surely any security/deterrent is good?

Livejournal have the option to bind to your IP whenever you log in, you don't have to (if for example you want to be able to update from work etc) but the level of security is there for those who have static IPs and for those with dynamic ones that don't mind logging in each time for the security. Like I say it isn't perfect but it would be nice to have the option.


Petpet Central
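dolphinling's IP-binding idea a few posts up, and the opt-in version this post asks for, as an added example that is not code from either poster, from Neopets or from LiveJournal. It assumes a server-side secret (SERVER_KEY), a cookie laid out as session id plus HMAC tag, and a "*" marker for cookies issued without binding; the addresses are constructed from documentation ranges.

```python
"""
IP-bound session cookies, as discussed in the thread: the server commits to the
client's IP with an HMAC under a server-side key, so a stolen cookie is rejected
from any other address and nobody without the key can re-tag it for a new IP.
Binding is optional per cookie, which is the opt-in the posters asked for.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-server secret that never reaches the browser. A real
# deployment loads it from a key store instead of generating it at import time.
SERVER_KEY = secrets.token_bytes(32)

# Marker committed to in place of an IP when the user opted out of binding.
# It cannot collide with a real address.
UNBOUND = "*"


def _tag(session_id: str, bound_to: str, key: bytes) -> str:
    """HMAC-SHA256 over the session id and whatever it is bound to, base64url encoded."""
    msg = f"{session_id}|{bound_to}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_cookie(session_id: str, client_ip: Optional[str], key: bytes = SERVER_KEY) -> str:
    """
    Build the cookie value "<session_id>.<tag>".

    The IP is never written into the cookie; only the tag depends on it, so there
    is no field a thief could edit. client_ip=None issues an unbound cookie for
    users on dynamic addresses who prefer to stay logged in.
    """
    bound_to = client_ip if client_ip is not None else UNBOUND
    return f"{session_id}.{_tag(session_id, bound_to, key)}"


def verify_cookie(cookie: str, client_ip: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """
    Return the session id if the cookie is valid for the presenting client, else None.
    client_ip must come from the server's view of the connection, never from the request.
    """
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id or not tag:
        return None
    # Accept a tag bound to this address, or one issued unbound. compare_digest
    # keeps the comparison constant-time so the tag cannot be guessed byte by byte.
    for bound_to in (client_ip, UNBOUND):
        if hmac.compare_digest(_tag(session_id, bound_to, key), tag):
            return session_id
    return None


def demo() -> dict:
    """Walk through the cases raised in the thread with constructed, documentation-range addresses."""
    victim_ip = "203.0.113.5"      # constructed
    thief_ip = "198.51.100.7"      # constructed
    victim_new_ip = "203.0.113.9"  # constructed: the same user after a reconnect
    sid = secrets.token_hex(16)

    bound = issue_cookie(sid, victim_ip)
    unbound = issue_cookie(sid, None)
    # A thief who copied `bound` and wants it to work from thief_ip has to re-tag it,
    # but without SERVER_KEY the best they can do is guess a key.
    retagged = issue_cookie(sid, thief_ip, key=secrets.token_bytes(32))

    return {
        "owner_same_ip_accepted": verify_cookie(bound, victim_ip) == sid,
        "stolen_cookie_other_ip_rejected": verify_cookie(bound, thief_ip) is None,
        "owner_after_ip_change_logged_out": verify_cookie(bound, victim_new_ip) is None,
        "retagged_without_key_rejected": verify_cookie(retagged, thief_ip) is None,
        "opt_out_cookie_works_anywhere": verify_cookie(unbound, thief_ip) == sid,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'yes' if ok else 'NO'}")
```

The irreversibility dolphinling describes comes from the HMAC: the address is an input to the tag, not a field in the cookie, so a thief has nothing to edit and would need the server key to compute a tag for a different address. The third case in demo() is the usability cost he raises, since the legitimate owner is logged out the moment their address changes. Two caveats a practitioner would add: users behind the same NAT or proxy share a public IP, so binding does not stop an attacker on the same egress; and a script running inside the victim's browser can act from the victim's own address without ever exfiltrating the cookie, so binding narrows what a grabbed cookie is worth rather than closing the hole that let the script in.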


PostPosted: Tue Jan 17, 2006 8:19 pm 
Honorary Member

Posts: 1869
Joined: Mon May 31, 2004 11:04 am
Location: Dundee, Scotland
I've been looking through this and I think that many of you are dragging this conversation off-topic a little, and starting to talk about other things.

Please, do not talk about whether evil commands respect, as that is a topic for the Debating board, and if you want to talk about it, can you keep it there. This is a board for discussing potential problems/solutions/effects with the Neopets holes.

And cheers for the good work, dolphinling :)




PostPosted: Tue Jan 17, 2006 8:29 pm 
Beyond Godly

Posts: 3041
Joined: Thu Jun 03, 2004 5:27 am
Location: at the late night science fiction picture show
dolphinling wrote:
I want to make another thing clear: shutting down the site is not the correct thing to do.

With the exception of this current thing, which I don't understand, TNT fixes bugs as soon as they find out about them. These are all simple exploits, and simple to fix. Taking down the site before fixing them would barely be faster at all, and would disrupt the tens or maybe hundreds of thousands of people playing.

Taking down the site for a complete audit is also not helpful: an audit can be done just as easily with the site up, and if there are no currently known exploits, there's no reason for it to be down.

Finally, remember that having the site down even for a short time is very problematic financially. Their entire revenue stream comes from the web, and for every minute the site is down, that's a minute they're not making money. And when you consider that they're a $160 million company, even a few minutes of not making money is big.


OK, so getting personal, sensitive, financial information, as Cranberry has backed me up on, and posting wherever, people losing money, people cancelling premium, people quitting, people not going to the site out of fear or anger isn't costing the site money? It isn't costing the site in what reputation they have left as a child-friendly, safe site?

There are currently obviously known exploits (or none of this would be happening), and yes they probably can be fixed with the site up, but I don't know, if it were my site I think I'd be wanting it down until there was confirmation that any problems were fixed - not patched but fixed. I don't know that allowing people, especially ones who don't know there's a problem, to roam the site going to shops, lookups, anything customizable and getting grabbed is a good decision.

As far as having to log in every time you want to go on Neo, why is that a problem; why should it be a problem. Does it take that much time to enter your username and password? I know I do every time, I don't stay logged in anywhere. I also don't understand how or why 2 people can be logged into one account at the same time. Unless one party changes the password and kicks the other out, you could be playing a game, chatting on a board, etc. and someone else could be in your account cleaning you out and you wouldn't know it until you went to your sdb/trades/shop/inventory or even quick ref and found your pet (and anything equipped to it) gone. I know, I've had it happen on my first account. I got scammed and was cleaned out while I was on the site.

Protesting? Taking drastic measures to prevent this from doing REAL harm to users? Garbage, give me a break. This is not a protest. This is a bunch of people with nothing better to do with their time (and not being monitored by anyone else) wreaking havoc because they can. Real harm HAS been and continues to be done. A protest is going to a company headquarters with a group of people and signs, or a petition, a sit-in, etc. It's not disrupting innocent people for the jollies and the "rep" it's supposedly getting them by having their names out there. If they're not caught and prosecuted, what's next for them? They're already selling virtual items for real money; they're already posting personal financial information that could be used to steal RL money. What else has to happen before some people say it's "just pixels".

dolphinling, I'm not trying to give you any grief, you have been more than helpful. And I appreciate it. But for me, at least, some of the reasoning behind some of TNT's decisions being made on our behalf just aren't good enough, given the situation.




 Post subject: Re: Well
PostPosted: Tue Jan 17, 2006 8:40 pm 
Honorary Member

Posts: 3727
Joined: Sat Oct 16, 2004 12:12 am
Location: Lurking
Gender: Male
Slime Lord wrote:
Quote:
Slime Lord, I kind of "get" what you've said, but why destroy members' accounts wantonly to get the point across. Yes, Neo does have too many holes and problems. Yes, there's no reason they couldn't have and shouldn't have been fixed a long time ago. That I place in TNT's lap. That said, they do work hard on the site, they don't just sit around eating bonbons. I think the site needs taking down and everything and anything that can be changed should be worked on until it's secured, or at least as secure as one can make anything on the internet these days. I know, build a better mousetrap and you end up with smarter mice. If they don't have them, TNT needs to hire some white (or black) hats to go through their site and system to find and fix any holes or vulnerabilities.


I just want to make sure everyone knows I'm not defending his actions, or arguing against anyone in my posts (Not in reply to you Ever, this is just out loud)

I also can't agree more. I do think they need to do something like this and fix these blasted holes. But, I must say to my knowledge (like I stated), I haven't heard of anyone losing anything out of their accounts. A couple of my guild members have been CG'd and got Neomails from Kaos saying "hey just letting you know I grabbed you", and that was it. Nothing more nothing less (and mind you they're a bit..wealthy.)

But yes, TNT needs to do this and needs to stop worrying about these damn promotions and toys and doing crappage for people they've made deals with, and worry about the people who PAY THEM daily.

Us.


xxxx got a lot taken from him apparently (Though I have no proof, he and others claimed stuff got taken - I can't check while logged out, and I'm not logging back in to do so). So it's not all fun and games.




PostPosted: Tue Jan 17, 2006 8:56 pm 
PPT Student

Posts: 484
Joined: Mon Oct 18, 2004 6:00 pm
Well I hope this gets sorted out soon.

Someone just posted on the boards to say that there was a CG on the news page... I'm sure hoping that's not true, ...

SS:)


PostPosted: Tue Jan 17, 2006 9:02 pm 
Newbie

Posts: 3
Joined: Wed Jan 18, 2006 11:43 am
As a mom whose kids play neopets actively, it worries me to know that he had access to all my kids' personal information including names and ages and our home information because we are premium. What if this guy was a total perv and collected information on people first? I mean as a mod he can access all your premium information. There is enough info there to do serious damage.

Now not all my anger/frustrations are directed at this guy. I am also a bit disappointed that this was possible. I had thought that neopets had taken care of these issues, prevented certain code from being placed on shops, lookups etc. A site that has so many children accessing it.. It just turns my stomach if ya think about the other possibilities.


PostPosted: Tue Jan 17, 2006 9:22 pm 
Newbie

Posts: 18
Joined: Tue Jan 17, 2006 4:53 pm
Alright. Let me try to sum up what I'm going to say into something smaller than it could be.

I really don't see how you can have respect for someone who takes pleasure in hacking a children's site for pixels. He's probably some forty year old computer nerd that does nothing but sit around on the computer and try to hack children's sites.

I really hope TNT can do something with this guy. Trace his IP and take legal action against him, hit him with some fine, jail time. Hacking is illegal, you are all aware, right?

As always, with 4/4/04, and ad0, ol' faithful TNT will pretend like it didn't happen, and warn/freeze you for talking about it. If you post the word ad0 on the boards they'll freeze you.

I just really wish they would have turned the site off to fix everything. Personal information is at stake here. Things that bad people, people who would want that information for the wrong reasons, would love to have. I think Neopets really needs to step up the security, and disable all forms of anything other than CSS and HTML, even then. They really need to get their act together here in my opinion. Personal information is at stake, I really doubt that many parents will really want their kids going on a site that has such low security.

I just hope TNT can remain faithful to us and clear this up - ASAP. They really need to acknowledge it and stop pretending that it can't be done when it can.

All in all. I have absolutely NO respect for this guy.

Hydro


PostPosted: Tue Jan 17, 2006 9:31 pm 
PPT Trainee

Posts: 507
Joined: Sat Oct 23, 2004 11:10 am
All right, everyone, it's fixed.

...And it's time for me to go to bed. *yawn*


Nabile pwns you...

            ...At Lenny Connundrum.


PostPosted: Tue Jan 17, 2006 9:35 pm 
Newbie

Posts: 3
Joined: Wed Jan 18, 2006 11:43 am
It just floors me to think what if this guy was a pedophile, or what if a pedophile did the same thing he did and didn't make a big to-do about it.. just silently gathered our kids' names, birthdates, sexes, home addresses and phone numbers, 'cause all that information is there in premium and ya expect it to be safe at a site like this that is geared towards kids.


PostPosted: Tue Jan 17, 2006 9:42 pm 
Beyond Godly

Posts: 3041
Joined: Thu Jun 03, 2004 5:27 am
Location: at the late night science fiction picture show
dolphinling wrote:
All right, everyone, it's fixed.

...And it's time for me to go to bed. *yawn*


It's fixed ... whatever the other problem was? The cgs are fixed? Great! Have a good sleep :)

Does that mean that any of the cgs floating around on lookups, in shops or wherever are gone? As in completely gone and it's safe to browse the site, go to shops, etc.? I'm just asking. And trying to figure out how they could clear all that garbage out without clearing everyone's editable pages. And I'm sorry to say, even though I truly appreciate TNT working on this and working so quickly and I appreciate your posting here and doing what you can to help, that whatever was fixed is only fixed ... for now. Just like the last 2 cg'ers were fixed quickly. Only to have this past weekend a complete mess with more of them.

I do think the news page thing is a rumor. I doubt a monitor would have the authority to do anything to any pages like that.




PostPosted: Tue Jan 17, 2006 9:56 pm 
PPT Warrior

Posts: 765
Joined: Thu Jun 17, 2004 1:28 pm
Location: Among the crayons on my desk..
Okay okay *whooshes in*

To my knowledge, the CGer more or less has been "stopped". How long that is, I don't know. But looking at Kaos'/Infamous' directory, the CGer is still up there and loaded, including the cookie.php file.

Oh yes. Another thing to know is that Kaos isn't ONE person. To my belief it's two. The mastermind behind the majority of this is Infamous, whom I, and several IRC mods, have talked to. He actually had pretty good knowledge of scripts, accompanied with a rather large resource of derogatory comments.

It looks like Chase (the more common "Kaos" on the boards) simply goes into the accounts, takes the action, blah... making him look like a scapegoat. That's just mine and some other's opinion though.

Lastly, maybe it's been mentioned, I dunno *skims board*, but disable JavaScript. You can run across the CGer, but not get CGed if you disable JavaScript. Me and some others tested this several times. (Reason being, as someone noted before... it's run through JavaScript.)

What happened with the monitor was that she got CGed obviously. Of course, she was newly hired, and hadn't much but basic monitor privileges. You'd have to log in as neoadmin to actually change the news page.

Hydro: not to support TNT or anything, but IMHO, I don't think they hacked. Definitions of hacking though, are for the Debate board. :P It's easy to trace his IP, they already have. You can even find his address (a couple of us found this through a WHOIS - we're led to believe that it is Infamous') They can't take legal action without good evidence - you'd have to actually catch him cookie grabbing (fair enough - we caught the cg file).

jbolack: Your personal information isn't stored in cookies. Technically, your password isn't either, but all it really is, is encoding in MD5. If a person actually got into your account, they can't see your actual personal information (assuming that you didn't put in a real country/province/state/zip code/whatever - short of a email. Even then, you still have a pretty darned wide area.)




Powered by phpBB® Forum Software © phpBB Group