• Breaking News

    Sunday, May 24, 2020

    Guild Wars GW History: Why You Need a Character Name to Log In

    Guild Wars GW History: Why You Need a Character Name to Log In


    GW History: Why You Need a Character Name to Log In

    Posted: 23 May 2020 06:18 AM PDT

    Recently I've spotted a couple posts expressing puzzlement about why GW requires a character name to log in. I thought the history here was one of those things that everyone knows. But I guess not everyone knows the things everyone knows.

    So, here's the story:

    It was late 2009. The forum posts started in October, in places like GWGuru, with people complaining that their accounts had been stolen. At first, these were met with the usual combination of skepticism and fatalism: "It's probably your own fault for doing something stupid -- sharing your log-in info with a RMT shop or a false friend, downloading dodgy cheat software containing a keylogger, reusing your GW password elsewhere -- and what do you expect us forum readers to do about it anyway?" But more and more "my account got stolen" posts kept appearing. There were soon unequivocally more of them than the usual baseline rate of accounts stolen through user stupidity, and the volume was steadily increasing. Moreover, a large proportion of the victims steadfastly denied doing any of the usual stupid things. The notion that this ever-growing tsunami of account theft could be explained by the usual vectors grew less and less plausible. By mid-November it was clear that something was going on.

    Some patterns emerged in the reports that gave clues about that "something."

    The first pattern suggested who the perpetrator was. When victims reclaimed their accounts, they consistently found that gold, crafting materials, and armbraces had all been taken. They also found that their armor was missing, and sometimes partially used salvage kits were added to their inventories, suggesting the armor had been salvaged for materials. Everything else went untouched, even items of extreme value. Based on this, it was generally assumed that the perpetrator was an RMT seller who did not actually play GW (at least not enough to understand the value of individual items). Since most RMT shops operated out of China at that time, blame settled on some unspecified "Chinese RMT company."

    The second pattern suggested how the perpetrator was doing it. Like I said, most of the victims steadfastly denied doing any of the usual stupid things: They denied sharing their passwords with anyone, much less an RMT shop. They denied downloading anything dodgy, and they had clean anti-virus scans. They swore their GW passwords were never used anywhere else. But they had two thing in common: Their passwords had been changed, and they all had their GW account linked to a NCSoft Master Account (NCMA). Moreover, other games published by NCSoft -- Aion, City of Heroes, etc. -- were also experiencing a huge spike in account thefts at the same time. We didn't know exactly how, but it was clear that the perpetrator was exploiting some flaw in the NCMA.

    I suppose I should stop for a moment to explain what a NCMA was for those who don't know. A NCMA was an account on the NCSoft website that unified control over all of a user's accounts for games published by NCSoft. It was NCSoft's dream that they could induce people to buy more games through the NCMA by offering cross-game promotions and such. Ultimately it flopped and was retired in favor of the newer "NC Account," though NCSoft wouldn't accept that it was a flop until several years after the events I'm recounting. Linking your pre-existing GW account to a NCMA was optional, though NCSoft offered inducements like the Aion wings to bribe you into doing it. I'm not sure, but I believe there was a time period when linking to a NCMA was mandatory for new GW accounts. [Edit: As per CataphractGW, yes, there was a time period when NCMA linking was mandatory for new accounts.]

    As the NCMA's role in the account thefts came into focus, the mood on the forums turned to panic, tinged with outrage. Up till now, the simmering anxiety had been dampened by a universal belief that "At least I am good about computer security, so my account won't get stolen." Things boiled over once it became clear that your account could be stolen, no matter how careful you were, due to NCSoft's negligence. You can read a couple of the major threads archived on GWLegacy. See threads 01775 and 01727, plus many others from around that time. (Unfortunately, navigation is busted on the GWLegacy archive, so you've got to access each page of the threads from the index. I tried to find these threads on archive.org, but I couldn't locate them.)

    I'm not aware of any first-person accounts of what NCSoft said to their studios, but it's not hard to guess the gist from the parties' public words and actions: "You may not sever your games from the NCMA. Deny everything. Don't even admit the possibility of a problem with the NCMA. Blame account thefts on user stupidity. If you disobey, your studio will be terminated." And so Gaile and Regina marched out and tried very hard to sell us a bridge in Brooklyn. They denied everything. They deflected the conversation away from the NCMA. They blamed the account thefts on user stupidity. They claimed that people had reused their GW passwords on an unspecified fansite that got hacked. But, when pressed, they couldn't name the fansite or otherwise support that claim. They even issued some patronizing, blame-the-user--themed account security tips. This did not go over well. No one was convinced. And people grew even more outraged at the dishonesty, failure to accept responsibility, and failure to fix the problem. See some of the later pages in those threads.

    Then the other shoe dropped. Someone on the AionSource forums discovered the vulnerability in the NCMA by accident and posted it. There was some sort of session-confusion bug with the NCMA. If you just logged in and out of your own NCMA repeatedly, it would eventually bug out and log you in to someone else's account. (I speculate that it was also necessary that the victim had been logged in to their NCMA relatively recently.) Once you were inside someone's NCMA, it prominently displayed the e-mail used as their GW username, and it allowed you to change their GW password without knowing the old password. Stealing an account was that easy. This was rapidly verified by trusted members of the GW community, and also mistakenly confirmed by an Aion CM who didn't realize he was confirming the account-theft vulnerability. (He incorrectly thought it was just a cosmetic bug.) This forum thread from about two weeks later collects a lot of the discussion and verification. (Fortunately, this thread is on archive.org, so most of the links go to archived versions of their targets.)

    A-net was in a very bad spot. They were facing, and I think they realized that they were facing, an existential threat to their company. Their most hardcore fans were turning on them. The story was about to jump from the forums to the mainstream gaming press. (It did a couple week later.) And the volume of account thefts was about to explode beyond the already insanely high levels of the past few weeks, now that the full details of how to steal accounts were public knowledge. If they just kept doubling down on NCSoft's head-in-the-sand, "deny everything, do nothing" battle plan, their reputation would be ruined. They'd go into GW2's launch known as the studio who failed to protect their first game's users from rampant account theft enabled by their own incompetent publisher. They had to stop the account thefts, and they had to do it quickly, before knowledge of the vulnerability spread to any more RMT operators.

    But how? By rights, this was NCSoft's f-ckup, so NCSoft should bear the burden of fixing it. But NCSoft was manifestly incompetent, and (at least so far as their public behavior indicates) totally unwilling to lift a finger. There was no chance NCSoft would fix the vulnerability soon enough, so A-net had to do it themselves. The obvious solution was to sever GW from the NCMA. But NCSoft wouldn't allow that. What they needed was an additional authentication factor, one that a thief couldn't learn by ransacking your NCMA, and one that they could be sure every single GW user already had access to. It took them only four days (over the weekend no less) to figure out and implement the solution you already know: the name of a character on the account as an additional authentication factor.

    It worked. The tsunami of account thefts stopped the moment the patch dropped.

    So that's the origin of the character name log-in requirement. But why do we still have it today? Quite justifiably, A-net never trusted NCSoft on account security ever again. So it had to stay in place for as long as GW's users were stuck with the NCMA. A few years later, when NCSoft finally gave up on the NCMA, A-net jumped at the chance to link GW and GW2 under an "ArenaNet account," cutting NCSoft out of the picture. By that point though, A-net had moved on to GW2 and updates for GW were a very low priority, especially removing a working feature. Besides, even if it's no longer needed to protect you from account theft via the NCMA, it still protects you against credential stuffing attacks if you're dumb enough to reuse your GW password somewhere else. (While that was a red-herring bogeyman when Gaile invoked it in 2009, it's still a legitimate security concern in general. Also, for the love of Grenth, don't reuse passwords, ever.)

    This tale also explains a couple things about GW old-timers. If you ever wondered why many of us despise and distrust NCSoft, this is a big part of it. If you ever wondered why some of us avoid including our character names in public posts, well, we remember a time when that character name was quite likely our only authentication factor that wasn't already in the hands of a would-be account thief, and old habits die hard.

    If this was new to you, then I hope you enjoyed the tale, and maybe learned something.

    [Edited for typo, grammar.]

    submitted by /u/ChthonVII
    [link] [comments]

    One-Up ya

    Posted: 23 May 2020 11:37 AM PDT

    Looking for someone to do a (more or less) complete story playthrough of Guild Wars

    Posted: 23 May 2020 04:59 PM PDT

    Hey, i would like to do a story playthrough of prophecies, factions, nightfall and eotn doing all the mission and most of the quests on a brand new character (i'd prefer a proph char but that doesnt matter much to me)

    i have plenty of time aviable but doing it alone is less fun than with a buddy so write me if you wanna join me on my adventure

    ps: you can dm me on discord i you like my name is Moriarty#1615

    submitted by /u/angry_Mori
    [link] [comments]

    LF Korean Guild/Tag Creator!

    Posted: 23 May 2020 06:35 PM PDT

    Hey as title says,

    looking for a korean guild creator, put ur ing name!

    submitted by /u/AriaWhite
    [link] [comments]

    Giving ST Hero aggro

    Posted: 23 May 2020 01:38 PM PDT

    Something I noticed while doing difficult content with heroes is that the ST hero is occasionally late on gaining aggro (especially if the enemy has no melee that enters his aggro bubble) which causes severe problems due to the way hero AI works. I will make a few claims (you are welcomed to dispute it, i am not 100% certain about the claims) about the way gw ai works so we can perhaps come up with a good solution (apart from flagging the ST hero on the frontline, or perhaps setting him Aggressive. Although I do not know if setting him Aggressive would even work).

    • Heroes will not use spirits unless they themselves have aggro. It does not matter if everyone else in the team has aggro, it does not matter if the teammates are within aggro range of the spirit user, it does not matter if the spirits would help the rest of the team. A spirit user will stand there doing absolutely nothing as his teammates get destroyed an inch away from him. Life spirit is a notable exception, i am sure many of us have been annoyed by a hero randomly casting it in the middle of nowhere.
    • Spirit user will gain aggro if an enemy is in his aggro bubble. Against mobs with melee, this is enough to solve the problem, but against mobs without melee the ST hero ai will have huge problems if he is flagged back.
    • Spirit user will gain aggro if he damages someone or is damaged.
    • Spirit user will gain aggro if he uses a skill on an enemy or an enemy uses a skill on him.
    • Spirit user will gain aggro if he uses a targeted skill with an activation time on a teammate who has aggro. The spirit user will use targeted support skills on teammates in need even if the spirit user doesn't have aggro, consequently giving him aggro (desirable).
    • Spirit user will NOT gain aggro if he casts a non targeted skill on teammates (Aegis, Aria of Restoration, Stand Your Ground, Fall Back). Moreover, the spirit user will not use these skills in the first place (just as he will not use spirits), unless he himself has aggro.
    • Spirit user will NOT gain aggro if he uses a targeted skill with no activation time on a teammate who has aggro (shouts like Find Their Weakness)

    Overall, I think the ST ritualist should be given a targeted support skill if for no other reason than to ensure that he will gain aggro against mobs with no melee. This support skill should ideally be low energy (perhaps signet), low activation time, long recharge (we do not want the ST user to keep using this skill), and have some benefit if possible.

    What do you guys think?

    submitted by /u/nhremna
    [link] [comments]

    Any fun Paragon hero teams with new elite?

    Posted: 23 May 2020 03:39 PM PDT

    Hey paragon players! Anyone working on/running any fun hero/merc teams other than your run of the mill mesmer team? The new elite makes that mes team great just wondering if it also makes any other teams viable too.

    submitted by /u/doublegx33
    [link] [comments]

    Presearing Completionist Checklist

    Posted: 23 May 2020 07:24 AM PDT

    Hello :)

    As a mostly pre player, sometimes I get stuck not knowing what to do with myself after I complete my daily VQ and turn items for Nick, and since I love the completionist style content, I decided to make a small checklist so I can say I did it all in this small area. Often I get stuck in doing only what's efficient or best, so hopefully this will motivate me or inspire one of you to come back to your pre character and do some stuff.

    Titles

    - Achieve the "Legendary Defender of Ascalon" title

    - Achieve the "Legendary Survivor" title

    - Achieve the "Incorrigible Ale Hound" title

    - Achieve the "Connoisseur of Confectionaries" title

    - Achieve the "Life of the Party" title

    - Achieve the "Kind of a Big Deal" title by maxing the titles above

    Character Progression

    - Obtain all the available skills

    - Obtain full collector armor

    - Upgrade every armor piece with a rune and an insignia

    - Obtain the Small Equipment Pack

    - Obtain two Charr Bags

    Quests & Minigames

    - Complete all the quests

    - Complete every Vanguard Quest at least once

    - Complete a 6 bear run in "The Bear Hunters" minigame

    - Complete "The Prize Winning Hogs" minigame

    Loot & Bosses

    - Kill Skullreaver

    - Kill 4 Charr Bosses

    - Loot a Charr Salvage Kit

    - Loot a Black Dye

    - Loot a double mod wand or offhand

    - Obtain any Rare Material

    Miscellaneous

    - Uncover the whole map

    - Charm a bear

    - Receive a gift from Nicholas Sandford

    submitted by /u/CrystalF2P
    [link] [comments]

    Any way to stop the Jade Sea from flickering?

    Posted: 23 May 2020 07:25 AM PDT

    As many of us are, I've been replaying the game recently and was going to start working on the Luxon side of Factions for the first time ever (I've always preferred the aesthetic of the Kurzicks so never bothered in the old days).

    For whatever reason, the Jade Sea textures flicker like mad on my screen whenever the camera moves. It's insane on my eyes and I can't stand it, and nothing else in the game has been doing this. Has this always been a feature of the Jade Sea, and I just didn't have a good enough computer back then to see it? Is there a way to make it stop?

    submitted by /u/ZevNyx
    [link] [comments]

    What is the value of these items?

    Posted: 23 May 2020 07:52 AM PDT

    I'm rather new into the game and wanted to ask you guys what is the value of the following items for trading with players?

    https://imgur.com/gTlsEcJ

    https://imgur.com/Bx6odfF

    submitted by /u/Daidara103
    [link] [comments]

    B D S ~- {[May Edition] :; [TOPIC]} -~

    Posted: 23 May 2020 06:09 PM PDT

    Question regarding Survivor title

    Posted: 23 May 2020 10:17 AM PDT

    Is it possible to achieve Survivor on character that died in the past? Do I just need to get the required amout of exp without dying or without dying at all? Am I permanently locked out of this title if I died?

    submitted by /u/HumbleRook
    [link] [comments]

    Best cartography mod?

    Posted: 23 May 2020 10:00 AM PDT

    I've heard that there are mods for GW that modify your map to show areas you haven't discovered yet.

    Can anyone recommend the best one, & give a brief overview of how to install and use it?

    submitted by /u/Veltr
    [link] [comments]

    Best class for solo campaign?

    Posted: 23 May 2020 06:14 AM PDT

    Hello guys, I used to love this game back in the day and I just caved in to nostalgia a bought it again (I lost my old account :/) so I can replay that awesome story that this game had. The problem is that it looks quite barren so I will probably have to do most of the content by myself. Is there any particular class or build to choose? Even that am a veteran please consider me as a newbie cuz I forgot most of the mechanics etc.

    submitted by /u/testicular-jihad
    [link] [comments]

    [A]

    Posted: 23 May 2020 12:32 PM PDT

    Rune of Superior Vigor Investment

    Posted: 23 May 2020 06:56 AM PDT

    No comments:

    Post a Comment