Data Architect, Ph.D, Information Technologist, Gamer

thealogie: where do I see myself in five years? hopefully replying to multi-paragraph work emails...
denubis
1 day ago
Sydney, Australia

Saturday Morning Breakfast Cereal - Dungeon Classes

Hovertext:
Anyone caught emailing me in regards to the accuracy of today's comic shall be tarred, feathered, and made to carry a sign that reads 'No fun.'

New comic!
Today's News:

Last full day to get your BAHFest East tickets! We moved over a bunch of cheap tickets, but after these are gone, there are no more!

Also, in case you missed it, I'll be signing books prior to the show at MIT Press Bookstore, from 3-430. If you don't want to wait in line after the show, this is the way to go. <3

 

denubis
5 days ago
Sydney, Australia

How Cybercrooks Put the Beatdown on My Beats


Last month Yours Truly got snookered by a too-good-to-be-true online scam in which some dirtball hijacked an Amazon merchant’s account and used it to pimp steeply discounted electronics that he never intended to sell. Amazon refunded my money, and the legitimate seller never did figure out how his account was hacked. But such attacks are becoming more prevalent of late as crooks increasingly turn to online crimeware services that make it a cakewalk to cash out stolen passwords.

The elusive Sonos Play:5

The item at Amazon that drew me to this should-have-known-better bargain was a Sonos wireless speaker that is very pricey and as a consequence has hung on my wish list for quite some time. Then I noticed an established seller with great feedback on Amazon was advertising a “new” model of the same speaker for 32 percent off. So on March 4, I purchased it straight away — paying for it with my credit card via Amazon’s one-click checkout.

A day later I received a nice notice from the seller stating that the item had shipped. Even Amazon’s site seemed to be fooled because for several days Amazon’s package tracking system updated its progress slider bar steadily from left to right.

Suddenly the package seemed to stall, as did any updates about where it was or when it might arrive. This went on for almost a week. On March 10, I received an email from the legitimate owner of the seller’s account stating that his account had been hacked.

Identifying myself as a reporter, I asked the seller to tell me what he knew about how it all went down. He agreed to talk if I left his name out of it.

“Our seller’s account email address was changed,” he wrote. “One night everything was fine and the next morning our seller account had an email address not associated with us. We could not access our account for a week. Fake electronic products were added to our storefront.”

He couldn’t quite explain the fake tracking number claim, but nevertheless the tactic does seem to be part of an overall effort to delay suspicion on the part of the buyer while the crook seeks to maximize the number of scam sales in a short period of time.

“The hacker then indicated they were shipped with fake tracking numbers on both the fake products they added and the products we actually sell,” the seller wrote. “They were only looking to get funds through Amazon. We are working with Amazon to refund all money that was spent buying these false products.”

As these things go, the entire ordeal wasn’t awful — aside maybe from the six days spent in great anticipation of audiophilic nirvana (alas, after my refund I thought better of the purchase and put the item back on my wish list.) But apparently I was in plenty of good (or bad?) company.

The Wall Street Journal notes that in recent weeks “attackers have changed the bank-deposit information on Amazon accounts of active sellers to steal tens of thousands of dollars from each, according to several sellers and advisers. Attackers also have hacked into the Amazon accounts of sellers who haven’t used them recently to post nonexistent merchandise for sale at steep discounts in an attempt to pocket the cash.”

Perhaps fraudsters are becoming more brazen of late with hacked Amazon accounts, but the same scams mentioned above happen every day on plenty of other large merchandising sites. The sad reality is that hacked Amazon seller accounts have been available for years at underground shops for about half the price of a coffee at Starbucks.

The majority of this commerce is made possible by one or two large account credential vendors in the cybercrime underground, and these vendors have been collecting, vetting and reselling hacked account credentials at major e-commerce sites for years.

I have no idea where the thieves got the credentials for the guy whose account was used to fake sell the Sonos speaker. But it’s likely to have been from a site like SLILPP, a crime shop which specializes in selling hacked Amazon accounts. Currently, the site advertises more than 340,000 Amazon account usernames and passwords for sale.

The price is about USD $2.50 per credential pair. Buyers can select accounts by balance, country, associated credit/debit card type, card expiration date and last order date. Account credentials that also include the password to the victim’s associated email inbox can double the price.

The Amazon portion of SLILPP, a long-running fraud shop that at any given time has hundreds of thousands of Amazon account credentials for sale.

If memory serves correctly, SLILPP started off years ago mainly as a PayPal and eBay accounts seller (hence the “PP”). “Slil” is transliterated Russian for “слил,” which in this context may mean “leaked,” “download” or “to steal,” as in password data that has leaked or been stolen in other breaches. SLILPP has vastly expanded his store in the years since: It currently advertises more than 7.1 million credentials for sale from hundreds of popular bank and e-commerce sites.

The site’s proprietor has been at this game so long he probably deserves a story of his own soon, but for now I’ll say only that he seems to do a brisk business buying up credentials being gathered by credential-testing crime crews — cyber thieves who spend a great deal of time harvesting and enriching credentials stolen and/or leaked from major data breaches at social networking and e-commerce providers in recent years.

SLILPP’s main inventory page.

Fraudsters can take a list of credentials stolen from, say, the Myspace.com breach (in which some 427 million credentials were posted online) and see how many of those email address and password pairs from the MySpace accounts also work at hundreds of other bank and e-commerce sites.

Password thieves often then turn to crimeware-as-a-service tools like Sentry MBA, which can vastly simplify the process of checking a list of account credentials at multiple sites. To make their password-checking activity harder for retailers and banks to identify and block, these thieves often route the traffic from their password-guessing tools through legions of open Web proxies, hacked PCs or even stolen/carded cloud computing instances.

PASSWORD RE-USE: THE ENGINE OF ALL ONLINE FRAUD

In response, many major retailers are being forced to alert customers when they see known account credential testing activity that results in a successful login (thus suggesting the user’s account credentials were replicated and compromised elsewhere). However, from the customer’s perspective, this is tantamount to the e-commerce provider experiencing a breach even though the user’s penchant for recycling their password across multiple sites is invariably the culprit.
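The detection side of the paragraph above, as an added example that is not part of Krebs’s post: a small Python script that reads web-login events and flags two patterns of credential testing, a single source trying many distinct usernames with mostly failures, and the same pattern spread across many source IPs inside a short window (the proxy-rotation case). Any successful login inside a flagged pattern is a candidate for the customer alert the retailers are sending. The log format, IP addresses, usernames and thresholds are all constructed for this example.

```python
"""Flag credential-stuffing activity in web-login logs.

Heuristic 1 (per source): one IP attempts many *distinct* usernames with a
high failure ratio.  A legitimate customer retrying their own password looks
nothing like this (same username, few attempts).
Heuristic 2 (distributed): the same shape appears across many IPs within a
short window, which is what a checker routed through rotating proxies looks
like when viewed per IP.
A successful login inside either pattern is a likely takeover via reused
credentials, so those accounts are the ones to notify.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Format: timestamp src_ip username result
SAMPLE_LOG = """\
2017-03-10T02:00:01Z 203.0.113.7 alice@example.com FAIL
2017-03-10T02:00:02Z 203.0.113.7 bob@example.com FAIL
2017-03-10T02:00:03Z 203.0.113.7 carol@example.com OK
2017-03-10T02:00:04Z 203.0.113.7 dan@example.com FAIL
2017-03-10T02:00:05Z 203.0.113.7 erin@example.com FAIL
2017-03-10T02:00:06Z 203.0.113.7 frank@example.com FAIL
2017-03-10T02:00:07Z 203.0.113.7 grace@example.com FAIL
2017-03-10T02:00:08Z 203.0.113.7 heidi@example.com FAIL
2017-03-10T08:15:00Z 198.51.100.4 dave@example.com FAIL
2017-03-10T08:15:20Z 198.51.100.4 dave@example.com FAIL
2017-03-10T08:15:41Z 198.51.100.4 dave@example.com OK
2017-03-10T09:00:00Z 192.0.2.10 ivan@example.com FAIL
2017-03-10T09:00:01Z 192.0.2.11 judy@example.com FAIL
2017-03-10T09:00:02Z 192.0.2.12 mallory@example.com FAIL
2017-03-10T09:00:03Z 192.0.2.13 niaj@example.com OK
2017-03-10T09:00:04Z 192.0.2.14 olivia@example.com FAIL
2017-03-10T09:00:05Z 192.0.2.15 peggy@example.com FAIL
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # Python < 3.11 fromisoformat() does not accept a trailing "Z".
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "OK"))
    return events


def flag_testing_sources(events, min_attempts=5, min_distinct_ratio=0.8, max_success_ratio=0.2):
    """Per-IP heuristic. Returns {ip: [usernames that logged in OK from it]}.

    Thresholds are assumed starting points; tune them against your own traffic.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0, "ok_users": set()})
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok"] += 1
            s["ok_users"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        n = s["attempts"]
        if n < min_attempts:
            continue
        if len(s["users"]) / n >= min_distinct_ratio and s["ok"] / n <= max_success_ratio:
            flagged[ip] = sorted(s["ok_users"])
    return flagged


def flag_distributed_bursts(events, window_seconds=60, min_ips=5,
                            min_distinct_ratio=0.8, max_success_ratio=0.2):
    """Sliding-window heuristic for testing spread over proxies.

    Within any window: many distinct source IPs, almost every attempt on a
    different username, and mostly failures.  The success-ratio check matters:
    five different customers logging in from five IPs in a minute is normal.
    Returns the sorted usernames that logged in OK inside a flagged window.
    """
    events = sorted(events, key=lambda e: e[0])
    compromised = set()
    lo = 0
    for hi in range(len(events)):
        while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
            lo += 1
        window = events[lo:hi + 1]
        ips = {e[1] for e in window}
        users = {e[2] for e in window}
        successes = sum(1 for e in window if e[3])
        if (len(ips) >= min_ips
                and len(users) / len(window) >= min_distinct_ratio
                and successes / len(window) <= max_success_ratio):
            compromised.update(e[2] for e in window if e[3])
    return sorted(compromised)


def accounts_to_notify(events):
    """Union of both heuristics: accounts whose successful login sat inside testing activity."""
    hits = set(flag_distributed_bursts(events))
    for users in flag_testing_sources(events).values():
        hits.update(users)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("testing sources:", flag_testing_sources(evs))
    print("notify:", accounts_to_notify(evs))
```

In the sample, dave’s two failures followed by a success from one IP are left alone, while carol (reached from a single noisy IP) and niaj (reached during a burst spread over six IPs) come out as accounts to notify. Neither heuristic catches a slow, well-distributed checker; in practice you would add per-account signals such as a successful login from a country or device the account has never used.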

There are a multitude of useful security lessons here, some of which bear repeating because their lack of general observance is the cause of most password woes today (aside from the fact that so many places still rely on passwords and stupid things like “secret questions” in the first place). First and foremost: Do not re-use the same password across multiple sites. Secondly, but equally important: Never re-use your email password anywhere else.

Also, with a few exceptions, password length is generally more important than password complexity, and complex passwords are difficult to remember anyway. I prefer to think in terms of “pass phrases,” which are more like sentences or verses that are easy to remember.

If you have difficulty recalling even unique passphrases, a password manager can help you pick and remember strong, unique passwords for each site you interact with, requiring only one strong master password to unlock any of them. Oh, and if the online account in question allows 2-factor authentication, be sure to take advantage of that.

I hope it’s clear that Amazon is just one of the many platforms where fraudsters lurk. SLILPP currently is selling stolen credentials for nearly 500 other banks and e-commerce sites. The full list of merchants targeted by this particularly bustling fraud shop is here (.txt file).

As for the “buyer beware” aspect of this tale, in retrospect there were several warning signs that I either ignored or neglected to assign much weight. For starters, the deal that snookered me was for a luxury product on sale for 32 percent off without much explanation as to why the apparently otherwise pristine item was so steeply discounted.

Also, while the seller had a stellar history of selling products on Amazon for many years (with overwhelmingly positive feedback on virtually all of his transactions) he did not have a history of selling the type of product that thieves tried to sell through his account. The old adage “If something seems too good to be true, it probably is,” ages really well in cyberspace.

denubis
6 days ago
Sydney, Australia
1 public comment
superiphi
6 days ago
I have reported a few of these to Amazon - accounts selling gaming laptops at too good to be true prices, but requesting an outside-amazon contact to sort out order details. When I looked at seller history, they had good ratings selling unrelated products. Amazon didn't care.
Idle, Bradford, United Kingdom

What any admin instantly thinks when they hear a dev say "This is an urgent patch, no time for QA!"

denubis
7 days ago
Sydney, Australia

When you see a C-level pushing the UID button on a Dell to turn it from blinking orange to blinking blue because they're having a walkthrough with a customer and want "things to look right" and don't want to hear 'If they know what they're doing, they're going to notice the blinky blue lights as a sign that we're covering up something.'


denubis
7 days ago
Sydney, Australia

Passages & Plunder – Underworldbuilding


Passages & Plunder is a board game of exploration and greed I’m working on. There’s a playtest version available, try it! This post is a (somewhat retroactive) design diary that won’t make much sense unless you’ve played it, so there.

As this blog will readily attest, I play a lot of roleplaying games. And I like some roleplaying in my board games, too. It’s no surprise I’ve made a game about dungeoncrawl management with very subtle allusions to D&D that encourages players to talk to one another. Not only that, it encourages players to sometimes do so from the in-world perspective. The very first thing players have to do as they set up the game is come up with the name for their colony – this determines the first player. There’s a space on the central board to write it down, and ideally in the final published version there’ll be a gloss “panel” there fit for an erasable marker. Furthermore, whenever players do something that would earn them the favor of one of the sponsors, they’re supposed to loudly proclaim they did it in the sponsor’s name.

Beyond the prescribed in-character moments, there’re the actual interactions players have with one another. The most common ones are arguing about who should be helping the colony, or why what you did was actually not that bad. These are mechanical concepts being discussed: how many colonists you’ve spent on the colony last turn, how protected the colony is, how likely an attack is. Still, some amount of in-character banter sneaks in. The trick, I think, is in having simple mechanics and evocative setting.

The social deduction genre is a great example of the former. Take Resistance, or its (IMO) superior version Secret Hitler, or Sheriff of Nottingham. The actual mechanics are trivial. You are either a fascist or you’re not. You either have contraband, or you don’t. And yet players frequently argue about not just the mechanical bits, but the story of the game as well. “You say there’re only apples in the bag, where’d you get them? It’s not apple season.” (In-character accusations of fascism are somewhat rarer, I’ll admit.) When we’re not too busy calculating the probabilities and figuring out the next move, we naturally pay more attention to the flavor. Which is not to say you’re doing it wrong if you’ve never bothered with the (paper-thin) flavor, of course. It all depends on the group.

While P&P is more complex than these games, I did try to keep the actual gameplay simple. You only have a few options at a time, a few colonists to send out each turn. And everything you do, absolutely everything, is visibly either selfish or cooperative, or both. So any time someone is being selfish, it is obvious. And therefore open to challenge by the other players. Why did you do this? In-character spin comes naturally at this point. Another major element is the mayor. Not just the first player, it’s a moving spotlight that grants extra powers and extra scrutiny to those it highlights. I’ve even witnessed newly minted mayors do a little speech, promising how their rule will be better for everyone.

And then there’s the setting. There’s no detailed backstory. No lore as such. Fantasy settings are a dime a dozen, and a board game is hardly the place to develop another one. Instead, there are evocative (I hope) bits and pieces scattered throughout. There’re the diary entries below each calamity. Had to come up with lots of different ways of saying “it’s dark and spooky” for those, lots of different kinds of darkness. Not everyone reads the flavor text, but it’s nice to have it there. Then there are the titles of all the cards, and some day the art. You meet Giant Furry Slugs in the Underworld. Empress Elect can be one of your sponsors. They provoke questions. Tiny lights in a dark cave, that your imagination composes into a picture more terrifying than whatever I could describe in detail. More entertaining, I mean. Certainly.

Finally, I tried to tell a story with the mechanics of individual cards. Take Dragon’s Lair, for instance. When there are multiple Task blocks present on a card, you can choose which one to do. So in order to plunder the dragon’s lair, you can either fight lots; or investigate a bit, but increase menace in the process. Kill the dragon, or just steal its treasure and piss it off.

The end result, I hope, is a game that enables you, every now and then, to create a memorable story. Likely about yelling at your friends.

denubis
8 days ago
Sydney, Australia