Account hacking (Leo)


Guest Elijah Mikaelson
7 minutes ago, Bjorn Ironside said:

No one has proven Gorge logged on to Leo's account; all that has been proven is Gorge used the BK banking program to send himself money. No one has proven Gorge logged on to Leo's account.

As far as I am aware, Gorge did not have that amount of funds in BK bank to withdraw. As you have proven earlier, you create an account, deposit cash/rss and then you can withdraw those at any point. You can't withdraw more than you deposited. Therefore the only way Gorge could have got those funds was from being logged into Leo's account.


2 hours ago, Tiberius said:

As far as I am aware, Gorge did not have that amount of funds in BK bank to withdraw. As you have proven earlier, you create an account, deposit cash/rss and then you can withdraw those at any point. You can't withdraw more than you deposited. Therefore the only way Gorge could have got those funds was from being logged into Leo's account.

But he didn't log into his PnW account, therefore he didn't break a PnW rule.


4 minutes ago, Kastor said:

But he didn't log into his PnW account, therefore he didn't break a PnW rule.

As has been described in this thread, to get funds from BK bank the following has to happen:

  • You need a bank account
  • You need to deposit cash/resources
  • You can only then withdraw from your balance

Therefore that means Gorge can't send himself the amounts he did through the bank app. The only way he could do that is if he logged into Leo's P&W account to send those funds or alternatively if he knew Leo's P&W password he could have logged in as admin and done so. Incidentally while Leo's account was accessed for these funds, BK members were removed from the alliance, which suggests that Gorge was using the P&W account in-game. 

 


No. Any bot that is hosted would need a password potentially and Alex has allowed remote hosting for bots. There was even a service that offered recruitment bot hosting for in-game money. He didn't give it to anyone directly so they could access his account on their own computer/ip. It's in the system.


18 minutes ago, Roquentin said:

No. Any bot that is hosted would need a password potentially and Alex has allowed remote hosting for bots. There was even a service that offered recruitment bot hosting for in-game money. He didn't give it to anyone directly so they could access his account on their own computer/ip. It's in the system.

So in other words, BK's bot wasn't foolproof.


15 minutes ago, Buorhann said:

So in other words, BK's bot wasn't foolproof.

It's unauthorized access if someone put in a backdoor.

If someone works for you and puts in a backdoor into a program they worked on and uses it to get in after they aren't there, then it's pretty bad.

Was it naive to expect someone not to do that if they wanted to cross BK? Probably.


1 minute ago, Roquentin said:

It's unauthorized access if someone put in a backdoor.

If someone works for you and puts in a backdoor into a program they worked on and uses it to get in after they aren't there, then it's pretty bad.

Was it naive to expect someone not to do that if they wanted to cross BK? Probably.

I'm not going to disagree with that.  Personally I'd never tie my account to a bot in the first place.  As you can see what happens if done so.  I upset plenty of people as is, it'd be stupid for me to give up my access.


Guest Frawley

People seem to be missing the point: the majority of security breaches and fraud are not usually as a result of someone actually 'hacking' the service in question, but usually credentials or other information are stolen from other sources.  An example would be someone breaking into an old recovery email address (say @yahoo or something) that has not been used in years, and using that to recover access to a secure gmail account, and then to banking details etc. etc.

This appears to have been what has occurred here.  Someone, most likely Gorge, has illegally breached a separate service and has used the credentials sourced to make transfers within Politics and War.

In many jurisdictions, both the initial 'breach' and the supplementary attack on Politics and War would be considered illegal.

While conducting illegal acts is not strictly against the T&C's or Game Rules, it is almost certainly against @Alex's terms of service of his hosting provider, and covered within his invisionboard licence as well.


Guest Frawley
Just now, Buorhann said:

It's not stolen if you're willingly giving it up to be used for bots or for someone else to directly access your account.

Firstly, Leo does not have his password available publicly on BKNet, it would be built into the code or backend and would not be accessible without a security breach.

Secondly, even if that were true, if you left your keys in your front door and your place was robbed, that would still be theft.  The same is true for computer crimes. 

7 minutes ago, Bartholomew Roberts said:

Why isn't this kind of botting against the rules in the first place?

Because a large number of banks, stats sites, baseball trackers etc., services that the community enjoys and relies on, utilise botting like this in order to provide services to the community.


24 minutes ago, Frawley said:

Because a large number of banks, stats sites, baseball trackers etc., services that the community enjoys and relies on, utilise botting like this in order to provide services to the community.

To select communities, you mean.

Gaming the system and automating functions of PnW should be against the rules. It confers an unfair advantage. Whether there are a "large number" of things relying on unethical exploitation is a non-factor.

 

I don't mind using scripts to collect information from the game, the API is designed for that. Once you begin utilizing scripts to automate functions and actions, I think it crosses a line.

  • Like 1
  • Upvote 1

Many bots, like a recruitment bot, need the email and password of the nation to send out the in-game messages. Same goes with bank bots if you want to transfer funds. From what I understand from this thread, someone is being accused of using the bot (which is legal according to the game rules) to kick people from the alliance. This action is not against the game rules as using the bot is not against the game rules.


23 minutes ago, Bartholomew Roberts said:

To select communities, you mean.

Gaming the system and automating functions of PnW should be against the rules. It confers an unfair advantage. Whether there are a "large number" of things relying on unethical exploitation is a non-factor.

 

I don't mind using scripts to collect information from the game, the API is designed for that. Once you begin utilizing scripts to automate functions and actions, I think it crosses a line.

Alex has allowed it. I wasn't keen on everything like that being automated originally but he opened the door with yoso's original bot and then TKR made one and then it goes on and on.

BK cleared their bank system with Alex over 3 years ago.

Edited by Roquentin

Guest Elijah Mikaelson
5 hours ago, Tiberius said:

As far as I am aware, Gorge did not have that amount of funds in BK bank to withdraw. As you have proven earlier, you create an account, deposit cash/rss and then you can withdraw those at any point. You can't withdraw more than you deposited. Therefore the only way Gorge could have got those funds was from being logged into Leo's account.

Ok, we both know you are overreaching here. Any admin of the BKnet can change the amount in any account as they see fit; they can also make it look like deposits were not made or withdrawals were made. Again, Gorge did not at any stage need to log on to Leo's account to transfer the rss or cash.

Was Gorge wrong to use BKnet to take the funds? YES, but it being morally wrong does not make it against the game rules.

 

 

47 minutes ago, Roquentin said:

Alex has allowed it. I wasn't keen on everything like that being automated originally but he opened the door with yoso's original bot and then TKR made one and then it goes on and on.

BK cleared their bank system with Alex over 3 years ago.

Maybe it's time for Alex to revisit these rules, as right now it seems as long as someone (does not even need to be the account owner) presses a button then it's not automated.

What's the difference between BKnet and a baseball bot? Well, apart from a baseball bot being safer? Both give an unfair advantage vs those who do not use bots.

Edited by Elijah Mikaelson

7 minutes ago, Bjorn Ironside said:

Was Gorge wrong to use BKnet to take the funds? YES, but it being morally wrong does not make it against the game rules.

He was unauthorised to use BKnet, had a dummy account and breached the security of the site for in-game benefits. It's quite clear, it's against any terms and conditions IRL. It's like someone who was at an office, set up a backdoor and quit. Later used that backdoor to steal stuff for his new boss etc. It's against most terms and conditions of websites. So let's not try to equivocate on something as simple as that.

 

Gorge deserves what's coming to him for using an unauthorised backend access to BKNet, to get into Leo's account and pull out stuff, he was not authorised to. Was it terrible security, maybe, but he still broke it, and deserves everything that's coming to him.


Guest Elijah Mikaelson
3 minutes ago, Shadowthrone said:

He was unauthorised to use BKnet, had a dummy account and breached the security of the site for in-game benefits. It's quite clear, it's against any terms and conditions IRL. It's like someone who was at an office, set up a backdoor and quit. Later used that backdoor to steal stuff for his new boss etc. It's against most terms and conditions of websites. So let's not try to equivocate on something as simple as that.

 

Gorge deserves what's coming to him for using an unauthorised backend access to BKNet, to get into Leo's account and pull out stuff, he was not authorised to. Was it terrible security, maybe, but he still broke it, and deserves everything that's coming to him.

Again, not against the game rules as we stand unless Alex says otherwise, and in doing so then Alex needs to take a stand and make all bots, even BKnet, against the rules. Did Gorge use a back door in BKnet? YES, but what's that got to do with the game? When Leo is sleeping and someone uses BKnet to transfer funds (YES it does happen) then is that authorized?

Look, I do not think anyone disagrees Gorge was in the wrong, but HE never logged on to Leo's account, he never hacked Leo's account, he used a back door in a 3rd party website to move funds. The only person to blame would be Leo for willingly adding his details into a 3rd party website for others to use with poor security.

ToS
 

Links To Other Sites

Our Site may contain links to third-party sites that are not owned or controlled by Politics & War.

Politics & War has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party sites or services. We strongly advise you to read the terms and conditions and privacy policy of any third-party site that you visit.

Pretty sure BKnet falls under this, so at the most Gorge broke the ToS of BKnet and the owners of BKnet have every right to ban Gorge from the services they offer.


54 minutes ago, Viselli said:

Do you have any proof of this?

To be fair enough.
You do not have the PW authority to ask for proof. At this point of the event, BK does not need to satisfy the curiosity of the people that continually blame Leo or BK. That is only the concern of PW Administration. Not simple peasants.

  • Thanks 2

50 minutes ago, Viselli said:

If you publicly accuse someone then you have the duty to the public to show public proof. Your alliance could have made a private accusation to Alex in private messages or on discord but decided to go public. Y'all went for a public accusation therefore you have the responsibility to provide proof to the public.

Not really. Leo did not make the post. And as humans we can rant whatever we want. Excuse me if you are perfect.
That said, you do not know if there is a private message or not, so hush hush. Fake paparazzi.

  • Like 1
  • Thanks 1

I'm curious.

Why does the bot even have the capability to remove a person from the AA in the first place? Presumably that automatic command was programmed into the bot for some reason? I admit, I'm not a coder, excel and gdocs is the extent of my ability but I'm struggling to comprehend why you would program a bot or piece of software to be able to kick someone or a person joke group of people from an alliance without human action or oversight.

Edited by Charles the Tyrant


8 minutes ago, Charles the Tyrant said:

I'm curious.

Why does the bot even have the capability to remove a person from the AA in the first place? Presumably that automatic command was programmed into the bot for some reason? I admit, I'm not a coder, excel and gdocs is the extent of my ability but I'm struggling to comprehend why you would program a bot or piece of software to be able to kick someone or a person joke group of people from an alliance without human action or oversight.

I can answer you with my assumption. The bot can not. But everyone is trying to make Leo responsible that they do not care about common sense.

The BKnet uses the PW API, so even if it is not a PW site, it has PW coding (the API), therefore it is not entirely apart from PW rules and T&C. To use the API you agree with a series of rules and terms.

BKnet is just an automatic cashier bank, like in real life you deposit your money with an account number and code, and you withdraw from your account.

However, if someone does a backdoor, violating the integrity of the code and the API used there, you compromise a series of security stuff, and like everything on the internet with brute force you can pull a password.

So, as far as I understand, Gorge or anyone used a back door (hacking, and since it is the PW API, even being a 3rd party site, it is still covered by PW terms), pushed away the RSS, pulled out Leo's password and kicked out all the Archdukes, Viceroys and Econ Members and probably IA or Defense members too.

I highly believe that was not a random kicking.  So for real all this ping pong of whatever these others that ask for public proofs and claims that is not PW matter and is to blame Leo and just Leo and bla bla.... They should know that if they have a bot, and the bot is using PW API, therefore the bot is related to PW terms and rules. So yes, administration has the right to check in and take measures on it. And if a member is discovered of malicious intentions, I do not see why people just jump in defense of that person or praise that person.

 

I only ask to stop the stupid salt for 2 minutes and swap the situation and make it yours. <<What if...>> This happen to you?

  • Upvote 2

Ok, so does that mean the person who presumably used the bot to get Leo's password logged into Leo's nation and kicked the individual nations out one by one?

Surely that means the IP of who logged into Leo's nation should be recorded and it's a simple act of checking the IP and cross-referencing it against known IPs?

Seems pretty straightforward to resolve. 


This topic is now closed to further replies.