Originally posted by bcbully This is news worthy. I don't think I've heard anything as bad in a major mmorpg. I wouldn't be surprised to see a few articles from the major gaming sites.
Perfect World, Neverwinter, Vindictus, Legend of Ares, Diablo 2....I could go on all day....
I thought this was fixed, but if you can trust DMKano with anything - perhaps it isn't. I haven't heard anything about it since the massive banning, which is odd considering I'm part of a massive crafting LS.
Originally posted by bcbully This is news worthy. I don't think I've heard anything as bad in a major mmorpg. I wouldn't be surprised to see a few articles from the major gaming sites.
Perfect World, Neverwinter, Vindictus, Legend of Ares, Diablo 2....I could go on all day....
I thought this was fixed, but if you can trust DMKano with anything - perhaps it isn't. I haven't heard anything about it since the massive banning, which is odd considering I'm part of a massive crafting LS.
The big server maintenance on Monday should fix this exploit. In the meantime report folks that you see doing this - they are banning actively now. Just watch your text on screen for somebody gaining 30-40 levels in less than a minute.
I reported 2 folks auto-killing mobs for skin/leather materials (both were logged on for days doing this) - this morning both are gone! I know this is a separate issue (botting) but its nice to see they are removing the bots.
P.S. Include the coordinates and zone/region name - it helps the process.
Yeah, same thing I do for the underground bots....
I have no doubt they will ban all of them it's pretty flagrant.
Originally posted by bcbully This is news worthy. I don't think I've heard anything as bad in a major mmorpg. I wouldn't be surprised to see a few articles from the major gaming sites.
Perfect World, Neverwinter, Vindictus, Legend of Ares, Diablo 2....I could go on all day....
I thought this was fixed, but if you can trust DMKano with anything - perhaps it isn't. I haven't heard anything about it since the massive banning, which is odd considering I'm part of a massive crafting LS.
The big server maintenance on Monday should fix this exploit. In the meantime report folks that you see doing this - they are banning actively now. Just watch your text on screen for somebody gaining 30-40 levels in less than a minute.
I reported 2 folks auto-killing mobs for skin/leather materials (both were logged on for days doing this) - this morning both are gone! I know this is a separate issue (botting) but its nice to see they are removing the bots.
P.S. Include the coordinates and zone/region name - it helps the process.
That's great to hear! Thx for tips too about reporting zone/region name.
If you want to do something like this and risk a ban then maybe you shouldn't be playing this game as you obviously don't care about the game like the majority of us do. in fact if you do, i hope you get banned for life as i don't want people like this playing my game anyway.
It's a great game and completely worth my time and money.
My faith is my shield! - Turalyon 2022
Your legend ends here and now! - (Battles Won Long Ago)
The bigger concern is how big is the flaw? Could a knowledgeable player potentially damage other players or the database itself? Could someone modify loot tables or spawn times for example or even spawn bosses in the starter area?
great game shame its run so bad with se. i would recomend anyone to steer clear of this game has it is now its just a hackers dream. with account bannings flying all over the place. might give it ago again next year if its still about .
this is the first mmo ive ever had that i have been banned from. some hacker was on my acc2 that i never used and was spammimng gold sale so i am told.
i have deleted my acc1 and 2 now back to playing the mmo ive been playing for the last 7 years thats never been hacket ).
Problem really I think is they were rushed to push the game out before it was ready. The basics of the game was ready but there is very little security in the game at all, pretty much anything is possible on here because there are very few server side checks that almost ever other mmo has.
Given how active the botting and hacking community was on FFXI it made sense they went overboard with FFXIV v1 (almost every single action was server side), sad that instead of some kind of middle ground they they went so far the other way with ARR. The server just blindly accepts whatever the client tells it and the client is always so easy to change that it should never be trusted on anything important.
The low price of gil and the massive rmt selling presence makes a lot more sense now, also the massive amount of gil removed from the game (60 billion was it?) within weeks when it would of been impossible for that much gil to of been created legitimatly in such a small amount of time.
[mod edit - please don't post links, details, pics, or videos with instructions on how to exploit]
Problem really I think is they were rushed to push the game out before it was ready. The basics of the game was ready but there is very little security in the game at all, pretty much anything is possible on here because there are very few server side checks that almost ever other mmo has.
Given how active the botting and hacking community was on FFXI it made sense they went overboard with FFXIV v1 (almost every single action was server side), sad that instead of some kind of middle ground they they went so far the other way with ARR. The server just blindly accepts whatever the client tells it and the client is always so easy to change that it should never be trusted on anything important.
The low price of gil and the massive rmt selling presence makes a lot more sense now, also the massive amount of gil removed from the game (60 billion was it?) within weeks when it would of been impossible for that much gil to of been created legitimatly in such a small amount of time.
[mod edit - please don't post links, details, pics, or videos with instructions on how to exploit]
Changing numbers and images on your client is possible in every god damn game. The video you provided and screenshot you provided are no proof, simply because all that is editable in every game; what matters is if the server reckognizes those changes.
And no just because it looks like he bought the items inside the game, it doesnt mean that the game actually reckognizes them as valid trades. A simple test would have been to see him close the game , login from scratch in window mode and see if the money and items is still there (of course blurring names and login details).
Furthermore, if there was a such true exploit, you would expect them to buyout all markets and expensive items in market, to show that they can and that SE fucked up; that hasn't happened.
Of course, if the person providing the video wants to hack accounts or sell the "hack", they of course use the tools they can to fool potential buyers.
Seriously old news, most of us have known about this for weeks. The concern trolling is unnecessary and gratuitous.
Remember the whole 365 billion taken out of the economy? This was part of that.
Mtibbs and I even referenced these kind of exploits in the multitude of threads complaining about gil confiscations. Threads that you (the OP) were involved in.
Glad to see the air below the sand is so fresh.
I didn't know about this. And i am glad OP posted it here.
And who made you the forum police?
"The problem is that the hardcore folks always want the same thing: 'We want exactly what you gave us before, but it has to be completely different.' -Jesse Schell
"Online gamers are the most ludicrously entitled beings since Caligula made his horse a senator, and at least the horse never said anything stupid." -Luke McKinney
Well when you have Gold spammers flooding chat on the first week of launch, there's a dam good chance gold duping is going on. I'm not surprised.
Velika: City of Wheels: Among the mortal races, the humans were the only one that never built cities or great empires; a curse laid upon them by their creator, Gidd, forced them to wander as nomads for twenty centuries...
Seriously old news, most of us have known about this for weeks. The concern trolling is unnecessary and gratuitous.
Remember the whole 365 billion taken out of the economy? This was part of that.
Mtibbs and I even referenced these kind of exploits in the multitude of threads complaining about gil confiscations. Threads that you (the OP) were involved in.
Glad to see the air below the sand is so fresh.
I didn't know about this. And i am glad OP posted it here.
And who made you the forum police?
No one in my linkshells or FC have seen this yet either so I had no idea it was going on.
Meh not like it was the first time this shit has happened in an MMO..
WoW had the silent killer issue around this time last year, was funny until I died. I find that shit more frustrating as it affects me directly. Either way the people exploiting will get banned and lives will go on, it is just to easy to confirm someone used this type of exploit.
So until someone can affect my character directly or gets my personal info straight from SE, it is what it is. Every game has bots, cheats and hacks that get banned only to use another account they got from some idiot who thinks hamburger is a safe password.
Just so long as the people dismissing this problem remember that when other games release or have problems. Some people here have been really critical of other games like Neverwinter when they had problems.
And to be fair, pretty the only way you can be totally secure in your passwords anymore is to use 2 factor authentication and a password manager than creates totally random complex strings. It doesn't matter if your password is "H@m13Urg3r" or "I @t3 at th3 t@st33 fRe3z3". Hacking algorithms are really powerful now. If you can remember a 16+ character acronym you might be in a better position, but other than that. It's all a false sense of security.
Ah the password cracking myth .... Do you know how long it takes to crack a password based on possible sequences??? A very fn long time unless its some 4 digit pin. One of my jobs, I have access to federal and state software used to crack cell phones and computers.... Ya your not going to sit and wait trying a password billions of times. Unless you have multiple NSA Computers fully dedicated to it, ya its not going to happen in a few hours more like days and weeks. And if your talking about the use of 1 number, 1 capital letter and 1 special character..... psshhhhh A month at least for a single top of the line consumer grade computer.
Now cracking passwords based on "password manager than creates totally random complex strings" Is much easier... cause theres no such thing as random to computers... most random is based on a math equation. If you know what X and Y in that equation is then the passwords are predictable.
Anyways what im trying to say is. If your going to retrieve someones password its Easier and more logical to use the standard passwords the majority use, or phishing. A third option I always use, if you have the software and the suspects hardware, find the stored encrypted key and just de-encrypt it....Cause everyone saves there passwords, I dont know why...... But for video games they got it from options 1 and 2.
Originally posted by Aori Unless of course they use the same freaking password on mmorpg.com that they use else where.
Wait - you mean I'm ~not~ supposed to have the same password?!?
How the hell can I remember two passwords, 6 characters is hard enough as it is.
Sh$t.
Anyway, how did this get turned from S/E's unsecured database to a topic on password security. Yeah, it sucks people are abusing it, but if it's able to be abused people will do so. I saw a bit of the insta-leveling early on (like in the pre-release days), I thought it was legacy players logging on to be honest, but oh well, that is easily discoverable and that makes it easily bannable. I'm not terribly concerned about it yet. I don't play the marketplace too much, I make enough money to pay for my repairs and teleports as-is, so meh... I'm willing to see what happens to it.
I do wonder if this morning's hotfix actually fixed this or not though.
Originally posted by LizardEgypt Have you considered that one of the reasons they delete these threads is not because they don't want people to know about it, but because you're now effectively telling anyone with database knowledge exactly where to start prodding to duplicate the exact same thing?
Exactly this 100x's this.
So if this is real, then you are making more and more people aware of it, and thereby use it.
When SE, if they are deleting threads then they are CLEARLY aware of it. Which by then you going around advertising this when they must not have a solution yet are just causing more and more people to exploit and ruin the game.
Originally posted by stayontarget Well when you have Gold spammers flooding chat on the first week of launch, there's a dam good chance gold duping is going on. I'm not surprised.
Originally posted by Aori Unless of course they use the same freaking password on mmorpg.com that they use else where.
Wait - you mean I'm ~not~ supposed to have the same password?!?
How the hell can I remember two passwords, 6 characters is hard enough as it is.
Sh$t.
Anyway, how did this get turned from S/E's unsecured database to a topic on password security. Yeah, it sucks people are abusing it, but if it's able to be abused people will do so. I saw a bit of the insta-leveling early on (like in the pre-release days), I thought it was legacy players logging on to be honest, but oh well, that is easily discoverable and that makes it easily bannable. I'm not terribly concerned about it yet. I don't play the marketplace too much, I make enough money to pay for my repairs and teleports as-is, so meh... I'm willing to see what happens to it.
I do wonder if this morning's hotfix actually fixed this or not though.
I do a lot of database work (I migrate electronic medical record data between systems) and how easily trackable this is would depend on how their database is structured. The more you store and update the more costly it is in size, bandwidth, and performance. If they only keep a current value, for example, and not an incremental timeline, then it might be really hard, if not impossible to reliably track.
You see a datapoint in the table and most likely, at best, the date of initial record and the date of last update. How are they going to know whether someone incremented that all overnight? In this scenario they could probably catch really stupid people who created a character and auto-leveled them overnight, but they aren't likely to catch someone who has an older character. If they did try and do this they would most likely get a lot of false positives, punishing innocent players along with the guilty.
What would be worrisome to me is not that they can touch their own data, but a particularly savvy user might be able to touch the data of others. I suppose that also depends on how open and extensive the vulnerability is.
The password security diversion came about because a previous poster inferred that this was because people use passwords like "hamburger" and not stronger ones. We're past the point where malicious users need the hash. If they can pull the encrypted password out of the database they can do an offline brute force decryption and figure it out. Here is one article discussing how what we have historically considered to be stronger passwords are now becoming very vulnerable: Ars Technica. There are still some password styles and methods that are much more inherently secure, but we're coming to a place where 2 factor authentication is going to be a must.
@Aori - Of course someone shouldn't use "hamburger" because that just makes the job faster and easier. But, using more complex versions of the same word or even passphrases is no longer more inherently secure, just a little bit slower. When these sorts of vectors become common knowledge you can be assured they're already in full force use by those you don't want to use them, plus whatever else they've discovered that we don't know yet.
You think there pulling the passwords off of SE? While possible, very unlikely unless its an inside job. I mean im sure they contract there security to another firm. And I wouldnt risk jail time for a game... hell if you wanna go to all that just steal there CC info youll get more bang for the risk.
That Ars Technica article was interesting, but the dictionary attacks aren't always so easy. Any password system worth its salt.... would use a different salt value per password. This basically defeats the dictionary attacks because the MD5 hash of "mypassword" without a salt won't match ("mypassword" + salt) MD5 hash. And so you'd have to create a dictionary for every algorithm plus every possible hash. That... can take a while and a lot more space.
Originally posted by Torvaldr I do a lot of database work (I migrate electronic medical record data between systems) and how easily trackable this is would depend on how their database is structured. The more you store and update the more costly it is in size, bandwidth, and performance. If they only keep a current value, for example, and not an incremental timeline, then it might be really hard, if not impossible to reliably track.
If you see all 5 Level achievements in the same minute, with none of the subsequent "Have made XXX Items" achievements - that's a pretty good sign.
If you see Who Wants to Be a Gillionaire? on a character with less than a week's playtime, it's not a certain sign, but it's a pretty good sign.
So, yeah, the database you need to track this is pretty much already a part of the game. You could probably search Lodestone character info for it right now if the "hackers" were dumb enough to allow their achievement profiles to be searched publicly...
This exploit was actually easy to do, without going to too much details, it involved using a packet sniffer software and checking the packages you got when you did a quest or got gil, then replicating that specific packet in specific times and thus replicating what you got.
Pretty lame considering we are talking of a "professional" dev team...
Personally don't think it's an unsecured DB problem. On top of them being "sold" accounts from people that thought 1.0 was a train wreck. We also have the usual MMO gamer password problems.
In War - Victory. In Peace - Vigilance. In Death - Sacrifice.
Hackers are going to hack. New networks is normally the easiest to find holes with. Freak out, rage if you want but who you really should be mad at is the hackers. Much like shop lifters every day customers pay 20% more to cover the costs. Same here with hackers. That being said, give them time and they will work this out. Its not their first MMO.
Originally posted by Roin Personally don't think it's an unsecured DB problem. On top of them being "sold" accounts from people that thought 1.0 was a train wreck. We also have the usual MMO gamer password problems.
As a IT guy I can tell you most network compromises are user end problems. Using an email for the game that used all over the net is a big common problem. Make a unique email just for the game and 90% of the hacks would not work. Stop using the same 3 passwords for everything. Make sure you check out any add ons in detail and if you dont know how, goto forums and ask for help.
Just so long as the people dismissing this problem remember that when other games release or have problems. Some people here have been really critical of other games like Neverwinter when they had problems.
Ding ding ding! Exactly this.
It's amazing how often that happens. People will let loose with both barrels when another MMO is having issues, but when it's the one they're a fan of, the excuses and justifications start flying.
There's at least one person here in the FFXIV forums who has used the "why are you spending time bashing a game you don't like" argument against critics of ARR. Just recently I saw several posts by them in another forum section, for a MMO they don't play. Can you guess what they were doing?
If you guessed "bashing the game", you win an all-expenses paid virtual vacation to the place of your choosing! And they aren't even offering criticism or valid complaints. They are literally just bashing the game and mocking the developers.
I'm just waiting for them to use that argument on someone again in these forums, so I can begin quoting them and referencing those posts.
The ensuing damage control, as they attempt to save face and somehow not come out looking like a complete hypocrite, should be entertaining.
Just so long as the people dismissing this problem remember that when other games release or have problems. Some people here have been really critical of other games like Neverwinter when they had problems.
Ding ding ding! Exactly this.
It's amazing how often that happens. People will let loose with both barrels when another MMO is having issues, but when it's the one they're a fan of, the excuses and justifications start flying.
There's at least one person here in the FFXIV forums who has used the "why are you spending time bashing a game you don't like" argument against critics of ARR. Just recently I saw several posts by them in another forum section, for a MMO they don't play. Can you guess what they were doing?
If you guessed "bashing the game", you win an all-expenses paid virtual vacation to the place of your choosing! And they aren't even offering criticism or valid complaints. They are literally just bashing the game and mocking the developers.
I'm just waiting for them to use that argument on someone again in these forums, so I can begin quoting them and referencing those posts.
The ensuing damage control, as they attempt to save face and somehow not come out looking like a complete hypocrite, should be entertaining.
You're going to find this on every single forum on this site, nothing new. You call out people on here, I can guarantee you some of the same people that are bashing on this game are on other games forums they enjoy are doing the same exact thing. You're going to go to every single game forum and light fires against fanboyz because you feel all high and mighty? How is that accomplishing anything? It doesn't make you any better then the guy bashing the game or defending the game when you're sitting there waiting to pounce on someone just to say I said so.
Originally posted by Roin Personally don't think it's an unsecured DB problem. On top of them being "sold" accounts from people that thought 1.0 was a train wreck. We also have the usual MMO gamer password problems.
As a IT guy I can tell you most network compromises are user end problems. Using an email for the game that used all over the net is a big common problem. Make a unique email just for the game and 90% of the hacks would not work. Stop using the same 3 passwords for everything. Make sure you check out any add ons in detail and if you dont know how, goto forums and ask for help.
Actually, there's a known sessionID vulnerability in FFXIV that allows hackers who have infiltrated a target PC with a process observer to obtain the sessionID sent by the launcher to the main game executable. That sessionID does not expire and does not check the originating IP, so it can be re-used from another computer to access the account without having to know or use the log-in name, password, or authenticator token.
Thus, in this case, standard practices for securing accounts with unique emails, passwords, or the use of authenticator tokens are entirely useless in protecting one's account. And, as an IT guy, you should know this is a pretty major design flaw.
Comments
Perfect World, Neverwinter, Vindictus, Legend of Ares, Diablo 2....I could go on all day....
I thought this was fixed, but if you can trust DMKano with anything - perhaps it isn't. I haven't heard anything about it since the massive banning, which is odd considering I'm part of a massive crafting LS.
Yeah, same thing I do for the underground bots....
I have no doubt they will ban all of them it's pretty flagrant.
That's great to hear! Thx for tips too about reporting zone/region name.
If you want to do something like this and risk a ban then maybe you shouldn't be playing this game as you obviously don't care about the game like the majority of us do. in fact if you do, i hope you get banned for life as i don't want people like this playing my game anyway.
It's a great game and completely worth my time and money.
great game shame its run so bad with se. i would recomend anyone to steer clear of this game has it is now its just a hackers dream. with account bannings flying all over the place. might give it ago again next year if its still about .
this is the first mmo ive ever had that i have been banned from. some hacker was on my acc2 that i never used and was spammimng gold sale so i am told.
i have deleted my acc1 and 2 now back to playing the mmo ive been playing for the last 7 years thats never been hacket
).
Problem really I think is they were rushed to push the game out before it was ready. The basics of the game was ready but there is very little security in the game at all, pretty much anything is possible on here because there are very few server side checks that almost ever other mmo has.
Given how active the botting and hacking community was on FFXI it made sense they went overboard with FFXIV v1 (almost every single action was server side), sad that instead of some kind of middle ground they they went so far the other way with ARR. The server just blindly accepts whatever the client tells it and the client is always so easy to change that it should never be trusted on anything important.
The low price of gil and the massive rmt selling presence makes a lot more sense now, also the massive amount of gil removed from the game (60 billion was it?) within weeks when it would of been impossible for that much gil to of been created legitimatly in such a small amount of time.
[mod edit - please don't post links, details, pics, or videos with instructions on how to exploit]
Changing numbers and images on your client is possible in every god damn game. The video you provided and screenshot you provided are no proof, simply because all that is editable in every game; what matters is if the server reckognizes those changes.
And no just because it looks like he bought the items inside the game, it doesnt mean that the game actually reckognizes them as valid trades. A simple test would have been to see him close the game , login from scratch in window mode and see if the money and items is still there (of course blurring names and login details).
Furthermore, if there was a such true exploit, you would expect them to buyout all markets and expensive items in market, to show that they can and that SE fucked up; that hasn't happened.
Of course, if the person providing the video wants to hack accounts or sell the "hack", they of course use the tools they can to fool potential buyers.
I didn't know about this. And i am glad OP posted it here.
And who made you the forum police?
"The problem is that the hardcore folks always want the same thing: 'We want exactly what you gave us before, but it has to be completely different.'
-Jesse Schell
"Online gamers are the most ludicrously entitled beings since Caligula made his horse a senator, and at least the horse never said anything stupid."
-Luke McKinney
Velika: City of Wheels: Among the mortal races, the humans were the only one that never built cities or great empires; a curse laid upon them by their creator, Gidd, forced them to wander as nomads for twenty centuries...
Ah the password cracking myth .... Do you know how long it takes to crack a password based on possible sequences??? A very fn long time unless its some 4 digit pin. One of my jobs, I have access to federal and state software used to crack cell phones and computers.... Ya your not going to sit and wait trying a password billions of times. Unless you have multiple NSA Computers fully dedicated to it, ya its not going to happen in a few hours more like days and weeks. And if your talking about the use of 1 number, 1 capital letter and 1 special character..... psshhhhh A month at least for a single top of the line consumer grade computer.
Now cracking passwords based on "password manager than creates totally random complex strings" Is much easier... cause theres no such thing as random to computers... most random is based on a math equation. If you know what X and Y in that equation is then the passwords are predictable.
Anyways what im trying to say is. If your going to retrieve someones password its Easier and more logical to use the standard passwords the majority use, or phishing. A third option I always use, if you have the software and the suspects hardware, find the stored encrypted key and just de-encrypt it....Cause everyone saves there passwords, I dont know why...... But for video games they got it from options 1 and 2.
Wait - you mean I'm ~not~ supposed to have the same password?!?
How the hell can I remember two passwords, 6 characters is hard enough as it is.
Sh$t.
Anyway, how did this get turned from S/E's unsecured database to a topic on password security. Yeah, it sucks people are abusing it, but if it's able to be abused people will do so. I saw a bit of the insta-leveling early on (like in the pre-release days), I thought it was legacy players logging on to be honest, but oh well, that is easily discoverable and that makes it easily bannable. I'm not terribly concerned about it yet. I don't play the marketplace too much, I make enough money to pay for my repairs and teleports as-is, so meh... I'm willing to see what happens to it.
I do wonder if this morning's hotfix actually fixed this or not though.
Exactly this 100x's this.
So if this is real, then you are making more and more people aware of it, and thereby use it.
When SE, if they are deleting threads then they are CLEARLY aware of it. Which by then you going around advertising this when they must not have a solution yet are just causing more and more people to exploit and ruin the game.
GG OP.
Thanks MMORPG.com
/facepalm
or compromised accounts?
You know like every mmo?
You think there pulling the passwords off of SE? While possible, very unlikely unless its an inside job. I mean im sure they contract there security to another firm. And I wouldnt risk jail time for a game... hell if you wanna go to all that just steal there CC info youll get more bang for the risk.
That Ars Technica article was interesting, but the dictionary attacks aren't always so easy. Any password system worth its salt.... would use a different salt value per password. This basically defeats the dictionary attacks because the MD5 hash of "mypassword" without a salt won't match ("mypassword" + salt) MD5 hash. And so you'd have to create a dictionary for every algorithm plus every possible hash. That... can take a while
and a lot more space.
Achievements track them.
If you see all 5 Level achievements in the same minute, with none of the subsequent "Have made XXX Items" achievements - that's a pretty good sign.
If you see Who Wants to Be a Gillionaire? on a character with less than a week's playtime, it's not a certain sign, but it's a pretty good sign.
So, yeah, the database you need to track this is pretty much already a part of the game. You could probably search Lodestone character info for it right now if the "hackers" were dumb enough to allow their achievement profiles to be searched publicly...
This exploit was actually easy to do, without going to too much details, it involved using a packet sniffer software and checking the packages you got when you did a quest or got gil, then replicating that specific packet in specific times and thus replicating what you got.
Pretty lame considering we are talking of a "professional" dev team...
New players can get a welcome package and old/returning players can also get a welcome back package and 7 days free subscription time! Just click here to use my referral invitation
In War - Victory.
In Peace - Vigilance.
In Death - Sacrifice.
As a IT guy I can tell you most network compromises are user end problems. Using an email for the game that used all over the net is a big common problem. Make a unique email just for the game and 90% of the hacks would not work. Stop using the same 3 passwords for everything. Make sure you check out any add ons in detail and if you dont know how, goto forums and ask for help.
Ding ding ding! Exactly this.
It's amazing how often that happens. People will let loose with both barrels when another MMO is having issues, but when it's the one they're a fan of, the excuses and justifications start flying.
There's at least one person here in the FFXIV forums who has used the "why are you spending time bashing a game you don't like" argument against critics of ARR. Just recently I saw several posts by them in another forum section, for a MMO they don't play. Can you guess what they were doing?
If you guessed "bashing the game", you win an all-expenses paid virtual vacation to the place of your choosing! And they aren't even offering criticism or valid complaints. They are literally just bashing the game and mocking the developers.
I'm just waiting for them to use that argument on someone again in these forums, so I can begin quoting them and referencing those posts.
The ensuing damage control, as they attempt to save face and somehow not come out looking like a complete hypocrite, should be entertaining.
You're going to find this on every single forum on this site, nothing new. You call out people on here, I can guarantee you some of the same people that are bashing on this game are on other games forums they enjoy are doing the same exact thing. You're going to go to every single game forum and light fires against fanboyz because you feel all high and mighty? How is that accomplishing anything? It doesn't make you any better then the guy bashing the game or defending the game when you're sitting there waiting to pounce on someone just to say I said so.
Actually, there's a known sessionID vulnerability in FFXIV that allows hackers who have infiltrated a target PC with a process observer to obtain the sessionID sent by the launcher to the main game executable. That sessionID does not expire and does not check the originating IP, so it can be re-used from another computer to access the account without having to know or use the log-in name, password, or authenticator token.
Thus, in this case, standard practices for securing accounts with unique emails, passwords, or the use of authenticator tokens are entirely useless in protecting one's account. And, as an IT guy, you should know this is a pretty major design flaw.