Hacker Made $1,000 A Day from Stolen League of Legends Accounts

toms

New member
Oct 23, 2008
54
0
0
"Shane Duffy is 21-years-old, has Asperger Syndrome"
You forgot other pertinent information such as "fair skinned and slightly obese male of the species Homo sapiens sapiens".

What has him having Asperger's to do with him being a douchebag?
I happen to have it too (properly diagnosed, mind you) and I've never participated in any illicit or anti-social activities (besides file-sharing and engaging in pointless debate on internet forums).
 

Uratoh

New member
Jun 10, 2011
419
0
0
Esmeralda Portillo said:
Shane Duffy is 21-years-old, has Asperger Syndrome
As someone with Asperger's Syndrome/High Functioning Autism, I take offense at this being brought up as almost a 'justification' for his actions...people treat it like the ultimate defense against being a jerk. I may not pick up on small social cues as easily as others, but I know 'wrong' when I see it. It's just kind of a hot button for me when it's brought up in the 'Oh, this jerk has Aspergers, though!'
 

Esmeralda Portillo

New member
Jun 16, 2014
218
0
0
Uratoh said:
Esmeralda Portillo said:
Shane Duffy is 21-years-old, has Asperger Syndrome
As someone with Asperger's Syndrome/High Functioning Autism, I take offense at this being brought up as almost a 'justification' for his actions...people treat it like the ultimate defense against being a jerk. I may not pick up on small social cues as easily as others, but I know 'wrong' when I see it. It's just kind of a hot button for me when it's brought up in the 'Oh, this jerk has Aspergers, though!'
I can understand how a few of you saw that portion and believed that was coming to a conclusion that it's justifying his actions, but that's not the case at all when I put it in the article. I added it because of how his mother said it was the reason he was homeschooled, that's all. This news article is not making any assumptions on his character based off his pre-existing conditions, because I am in no way an expert to make such assumptions, nor is it my role to make speculations.
 

Charli

New member
Nov 23, 2008
3,445
0
0
The Rogue Wolf said:
I don't know what's more pathetic: This guy, or the people who paid so much for his "services".

I mean, seriously. Paying someone to DoS your opponent so you can win? Weak.
Seriously. Negative 500 respect points for this loser. Could have been so much more with his talents and chose to make profit off unsportsmanship and misery.

Asshole.

And having aspergers and homeschooling is no excuse for this noise, piss off with that.

I had a rough time of it through the 'glorious education system' too, and was socially inept all the way up until my final years of school. (Lighter cases obviously but some mirroring circumstances) Clearly I'm on a road to ruin. Oh wait no, I choose to not be a prick.
 

Esmeralda Portillo

New member
Jun 16, 2014
218
0
0
Fancy Pants said:
I think you could reword it slightly to better reflect that point. Putting it out front and foremost portrays a different message, I think.

Not that I was offended, but I can see why some might be and clearer wording seems like a good idea.
Understood and reworded to better reflect that.
 

Uratoh

New member
Jun 10, 2011
419
0
0
Esmeralda Portillo said:
Understood and reworded to better reflect that.
Indeed, thank you. It's kind of a pet peeve of mine seeing it in any way as a 'justification' for actions. Looks much better like this.
 

UberPubert

New member
Jun 18, 2012
385
0
0
I can think of a no more noble endeavor than making the lives of MOBA players miserable, good on him for not doing anything seriously malicious with his talents.

I hope he gets out and has a bright future as a network security consultant.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
15,489
0
0
So clearly, crime really doesn't pay. I mean, yeah, he stole money, but obviously he's been caught at it, so backpedaling now.
 

Elvis Starburst

Unprofessional Rant Artist
Legacy
Aug 9, 2011
2,796
779
118
piscian said:
Sounds like Asperger is gonna be the defense more than anything. As another poster mentioned Aspergers is not autism and it's being over diagnosed a lot the last couple years.
Um, yes, it is? Being properly diagnosed with it, and going to a school that had a handful of others who were diagnosed with it, not to mention all of the research gone into it... It's very clear it IS a form of autism. Just wanted to get that out. But, you are right, I hear it often of being mis-diagnosed; not to mention it's so common people throw it around on the internet like it's some kind of insult. It's kind of annoying, and gives off a bad name for the people who do have it. I already had a hard enough time dealing with it. I don't need some stereotype following me as well just cause some people are too ignorant to understand it.

OT: Holy hell, that's a lot of cash... And people did this stuff just to win at rounds? People PAID for that? Why? Just get better. Or not be a total prick. That's just insane. But, this guy is just as bad for doing all of this. I don't care the reason for it, I'm glad to hear that he has been dealt with.
 

Strazdas

Robots will replace your job
May 28, 2011
8,407
0
0
So what I get from this story is that Riot Games have pretty much no security (a staff member can copy user database and no one notices?) and staff members should not have access till they learn proper security basics. If you can bruteforce a password, the owner of such password should not be let anywhere near secure information. Bruteforcing is hard even with most modern tech, via internet bruteforcing is far harder due to much higher delay of response. The password was 6 or less characters long to bruteforce it.

Elfgore said:
Who the fuck uses Jason as a code name? Jason doesn't sound cool at all, I should know. I've been stuck with the damn name for nearly twenty years.
Probably someone that wants to throw his tracks off to someone actually named Jason. Imagine you get a chatlog of hackers chatting and one of them is named Jason. Surely it's possible he's actually named Jason then. It's throwing his scent away a bit.

CriticalMiss said:
I kind of hope they will also be able to go after the people who were paying this guy for fucking around with other peoples accounts/matches. If you need to pay someone to hack a game and boot someone from a match you're kind of pathetic. Although I'm not sure what Riot could do. Reset their account so it has no wins?
Well, DDoS is a crime. You could argue that they were accomplices in a crime, just like a person hiring a hitman would be. Thus Riot could probably sue them.

XenoScifi said:
Looks like the only thing he's hacking into is diabetes....am I right? Because he's overweight and probably just sucks down high fructose drinks and cheetos.
I don't consume either and I'm overweight. But apparently stereotyping is OK as long as it's some criminal.

piscian said:
Sounds like Asperger is gonna be the defense more than anything. As another poster mentioned Aspergers is not autism and it's being over diagnosed a lot the last couple years.
Can't speak about overdiagnosis (more like, underdiagnosis of actual Aspergers, overdiagnosis of self-diagnosis kind) but Aspergers is on the Autism spectrum.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
15,489
0
0
I get tired of the whole misconstruing of what autism/aspergers actually does and whether or not it's relevant. It's an unimportant detail up against the real issue, which is of course that he wanted to make a quick buck with his mad skillz. This is, therefore, about as bad as someone saying they learned how to fire a gun from an FPS.
 

Starke

New member
Mar 6, 2008
3,877
0
0
Fancy Pants said:
Starke said:
harrisonmcgiggins said:
Isn't brute force attacking, the most basic way of hacking?
Pretty much. Which doesn't say very charitable things about Riot's security.
Yeah. I was under the assumption that brute force could really only ever work on the most basic of systems. I'm talking poorly passworded rar files.

Has anyone commented on his hair? Not in a rude way, but he totally has a slight Flock of Seagulls thing going on and that's fabulous(ly wrong).
Brute force is just, asking the system, "Is the password 'a'? No, okay, well, is the password 'aa'? No, okay, um, is it 'ab'?" Which is about the time the login system should go, "get out of here scum, I'm locking the door."

The problem is, you're going to have to run through millions of attempts to get any half decent password this way. So any system with a limit on the number of failed log in attempts that can be applied to a specific account will effectively prevent the approach. Usually this is in the 3 to 5 attempts, though really, even in the low hundreds, it'll still stop a brute force attempt.

Dictionary attacks are slightly faster. You're executing a brute force attack, but only using words that come off a dictionary list (strictly speaking, this might not be a normal English dictionary, it's just a precooked list). This was part of why the recommendation against just using normal words came along. (Also, they're really easy to guess.)

So, Riot apparently, didn't actually have any multiple failed login lockdown system, which would be the equivalent to a bank wiring their vault's time lock to the clock on the manager's desk. Or, for that matter, any other common system, like a mechanism to confirm with the user that they just accessed the system from an unknown IP before allowing that IP login access.
 

Starke

New member
Mar 6, 2008
3,877
0
0
Fancy Pants said:
Starke said:
Fancy Pants said:
Starke said:
harrisonmcgiggins said:
Isn't brute force attacking, the most basic way of hacking?
Pretty much. Which doesn't say very charitable things about Riot's security.
Yeah. I was under the assumption that brute force could really only ever work on the most basic of systems. I'm talking poorly passworded rar files.

Has anyone commented on his hair? Not in a rude way, but he totally has a slight Flock of Seagulls thing going on and that's fabulous(ly wrong).
Brute force is just, asking the system, "Is the password 'a'? No, okay, well, is the password 'aa'? No, okay, um, is it 'ab'?" Which is about the time the login system should go, "get out of here scum, I'm locking the door."

The problem is, you're going to have to run through millions of attempts to get any half decent password this way. So any system with a limit on the number of failed log in attempts that can be applied to a specific account will effectively prevent the approach. Usually this is in the 3 to 5 attempts, though really, even in the low hundreds, it'll still stop a brute force attempt.

Dictionary attacks are slightly faster. You're executing a brute force attack, but only using words that come off a dictionary list (strictly speaking, this might not be a normal English dictionary, it's just a precooked list). This was part of why the recommendation against just using normal words came along. (Also, they're really easy to guess.)

So, Riot apparently, didn't actually have any multiple failed login lockdown system, which would be the equivalent to a bank wiring their vault's time lock to the clock on the manager's desk. Or, for that matter, any other common system, like a mechanism to confirm with the user that they just accessed the system from an unknown IP before allowing that IP login access.
That dictionary method you mentioned makes me wonder how realistic and simple it would be to look up a top 10 list of passwords and just try "hacking" people's accounts en masse. It seems far too easy to work, but I'm not into this stuff enough to know why it wouldn't.
No, it actually does work. If you're trying to crack a large batch of accounts, running a list of the top 100 passwords will crack a bunch.

There are a couple easy ways you can prevent it. The biggest one is a lockout. After three failures the account's locked for 15 minutes. That will stop any brute force attack plan. It's also why those systems exist in the first place. Depending on how that lockout's configured, it can be set up to prevent logins to OTHER accounts, which means a single attacker isn't much of a threat remotely, if they don't have the password.

But, if someone has the actual encrypted password tables, then things get a lot messier. In that case you can simply brute force for the most common passwords, and then use the cracked accounts to "infer" the encryption in the rest. Once you have that, you've got a list of accounts and their passwords, which you can take on the road and use on other sites.

There are ways around this, such as not using a single encryption setup for all the passwords in a database. But, honestly, I've been on sites that didn't encrypt the user's password at all. Admins could actually see and report back your password. I wouldn't want to think Riot's security is as terrible as a webring (I think) forum from the late 90s... but... here we are.

Now, keep in mind, this isn't really my area of expertise... but, there's plenty of news articles on the subject though, that do make this pretty clear. Searching "ars technica salted hash" (without the quotes) will point you to a few articles on the subject, if you want a better explanation.
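
The two defenses discussed in the posts above, sketched as an added example that is not part of the thread or of Riot's systems: a per-account lockout using the thread's figures (three failures, 15 minutes) and a separate random salt per stored password, which is the "salted hash" the last post points to. The class name, the PBKDF2 work factor, and the sample accounts and guess list are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3            # thread's figure: three failures...
LOCKOUT_SECONDS = 15 * 60   # ...lock the account for 15 minutes
PBKDF2_ROUNDS = 100_000     # assumed work factor for this sketch

class LoginGuard:
    """Hypothetical login check: per-user salted hashes plus account lockout."""

    def __init__(self):
        self.users = {}      # name -> (salt, derived key)
        self.failures = {}   # name -> (failure count, locked-until time)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, name, password):
        salt = os.urandom(16)   # fresh salt per user: equal passwords store differently
        self.users[name] = (salt, self._derive(password, salt))

    def login(self, name, password, now):
        count, locked_until = self.failures.get(name, (0, 0.0))
        if now < locked_until:
            return "locked"     # refused before the password is even examined
        # Unknown names get a dummy salt so they cost the same work as real ones.
        salt, stored = self.users.get(name, (b"\0" * 16, b""))
        if hmac.compare_digest(self._derive(password, salt), stored):
            self.failures.pop(name, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[name] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[name] = (count, 0.0)
        return "denied"

def replay(guard, name, attempts):
    """attempts: list of (time in seconds, password); returns each outcome."""
    return [guard.login(name, pw, t) for t, pw in attempts]

if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "tr0ub4dor&3")                 # constructed sample account
    common = ["123456", "password", "qwerty", "letmein"]   # constructed guess list
    print(replay(guard, "alice", list(enumerate(common))))
```

Once the third guess trips the lockout, even the correct password is refused until the window expires, so a list of common passwords gets at most three tries per account per 15 minutes.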