Please upgrade your browser for the best possible experience.

Chrome Firefox Internet Explorer
×

Developer Tracker

Star Wars: The Old Republic > English > Developer Tracker


EricMusco
Free Battle Droid?!?! | 03.18.2013, 03:23 PM
Quote: Originally Posted by Jerba View Post
Now that the weekend is over, it would be great to get a yellow response on

A. How much we have to progress in those other games in order to be eligible for the pets and receive an e-mail, and

B. Can we - who are already playing SWTOR - get those pets, or are they only for new accounts?

Thanks in advance!
I have the answer to these two questions which I think is what most people are looking for (especially B)

A. In order to get the pet you will have to have received the email mentioning the pet promotion. Then you would need to create a new SWTOR account with that email address. That account will then, at a later date, receive the pet.

B. At this moment subscribers cannot get the items, no. This was intended as a cross-promotion to other EA free-2-play games. However, I can tell you that subscribers will have access to these items in the future. We are still working out both the when and the how. I will share any details as I get them.

Hope that answers your questions!

-eric


CourtneyWoods
Companions 101: Mako | 03.18.2013, 02:51 PM
Hey everyone!

Please share your favorite Mako moments this thread. My personal favorite moment is...

Spoiler


You can also suggest who you would like to see in our next Companions 101 blog. Since we did an Imperial character this time, our next blog will be a Republic Companion.

Happy Hunting!


Phillip_BW
Display Name Only Log In - Update 2 - Coming April 2, 2013 | 03.18.2013, 10:28 AM

*** Some text changes below to indicate finalized wording used on the website and dates ***

On April 2nd, we are changing some aspects of our Authentication system. In our first notification of the most visible of the changes on March 5th (http://www.swtor.com/community/showthread.php?p=5954106) we were still waiting on the last few background systems to be confirmed as ready. Now that they are ready, today's notification also includes those changes as well.

email

On April 2nd, the following changes are going live:
  1. Display Name only login
  2. One-Time Password (via email) replacing Security Questions and Answers during Authentication
  3. Self-service for Forgot my Display Name
  4. Self-service for Lost my Security Key
  5. Self-service for Remove my Security Key
  6. Self-service for Move my Security Key

As a result of the original announcement of the initial overall change, there were a lot of questions raised. I'm going to try and give as much detail as I can here to try and answer any questions you might otherwise have, and that way we can focus on anything missed.

Here are some of the questions I expect might get asked. Accordingly I'm going to let one of my ducks do the asking so I can make a first go at answering them...

Quote: Originally Posted by MrYellowDuck
Why can't we use our email address? It's awesome! Quack! All the best companies use email address as username!
Lots of companies do use email address as the username. Lots don't. Both approaches have risks as well as rewards. One of the key risks for using email address is that an attacker who gets a valid email address and password will then know for certain that the account is associated with the website (or game!). For SWTOR this does not mean that the attacker could then take over an account, but it would give them the knowledge of who to craft a phishing attack against and have a higher rate of success in gaining access to information such as Answers to Security Questions. Without the link to email address, they also won't know the needed information in order to target the email account itself for a take-over in order to gain access to SWTOR and anything else linked to that email account.

This change will remove the ability to link (based on knowledge of the correct password) to your SWTOR account.

Even today if an attacker gets the right password they will not be able to gain access to your account, and with this change they will not be able to figure out which email address to send a phishing attack at, or which email account to try and take over. This allows us to place more trust in the ownership of the email account as being validation that we are (electronically) talking to the owner of the account.

Quote: Originally Posted by MrYellowDuck
Using Display Name is insane! I will be hacked! *ruffle feathers* You have given the bad guys my username! Half the battle is now lost! I'm 50% less secure!
OK, that wasn't a question. Lets just presume you are actually asking if using the publicly visible Display Name increases the chance you will be hacked...

We put in other controls before the launch of the game during 2011 such as the existing Security Questions and Answers system in order to protect your account even if an attacker managed to get the correct username and password. That security control aspect is not going away (although the 'remember' part is for the website and game launcher). In reality we are making it harder for an attacker, and giving you more control on the security of your account.

Lets look at the different pieces needed to successfully log in today:
  1. Display Name or Email Address
  2. Password
  3. Security Key or Authorized Location
  4. Non-Authorized Location via Security Question and Answer

Then lets look at the different pieces needed to successfully log in from April 2nd onwards:
  1. Display Name
  2. Password
  3. Security Key or Authorized Location
    1. Non-Authorized Location via One-Time Password (via email)
    2. Access to your Email Account

From the get-go, we have never considered the username to be 'hidden' or 'secret'. It never factored into our security model as something to secure, as we have worked on the basis that the attacker already knows it. This is also why we have not provided a self-service system for Security Key's as while the email address is easy (for an attacker) to associate with a SWTOR account. We have had to presume they will phish or attack the email account itself. De-linking the email account means that an attacker who knows the username has no knowledge of who to phish or attack. This means they continue to be unable to take over your account.

There are hundreds of millions of known username/password data rows available on the Internet. Well over 100 million unique email addresses. Most of these compromised details use email address as the username... It is this fact that dictates that attackers will know the username for at least some accounts regardless of any secrecy we may try to implement. You can check your own email address at http://pwnedlist.com/ for instance as one of the posts on the previous thread indicated.

So no, we have not given away 50% of the security. Half the battle is not lost. You should not care that anybody else knows your username. You should instead think they may have it already.

That said, you should care about your password, both on SWTOR as well as on your email account. It is especially important to use a unique password on your email account if nowhere else. I would recommend looking at a two-factor solution for your email account and will give the 2-Step authentication feature on GMail as an example. Google 2-Step today

Quote: Originally Posted by MrYellowDuck
I don't want my Display Name to be public! I disagree with everything you are saying!
We are working on a new 'Forum Display Name' capability so that people will at some point in the future be able to change the name used on the forums. Which way we go about that (choose a character name? let you write whatever you want?) is still being decided and that will impact the amount of work required and therefore the 'when'.

This is not something that is planned for April 2nd.

It is also not something that can be easily implemented in a matter of minutes. Regardless of if the change would be as simple as adding a column in a database, there is still getting that data presented to the website securely, providing the ability to input data into the column itself (again securely), and that is before we have our awesome QA team make sure the functionality works as expected. We won't say 'soon' on this feature, as it is too early to be able to predict when this could be rolled out.

Quote: Originally Posted by MrYellowDuck
What is this 'One-Time Password' you speak of?
We will send you a 'One-Time Password', via email, whenever we determine you are attempting to log on from a non-authorized location. This is similar to how we prompt for the Security Questions and Answers today, except instead of having to remember an Answer, you will be provided it via email instead.

With the Security Question and Answer system in place today, it is sometimes possible for an attacker to research a person well enough to be able to have a chance of guessing the correct Answer if they have already got the correct username and password. It is also possible to phish for the Answer if you know the email address.

By changing to a One-Time Password system, this actually decreases the chance an attacker would be able to guess the correct 'answer', as not only will the One-Time Password be randomized each time it is set, there will only be a small number of chances to guess the correct code before the randomization reoccurs and a new password is sent. This keeps a concept called 'entropy' (as applied outside of thermodynamics and instead focusing on 'the degree of disorder or uncertainty in a system') at an extremely high level. If you want an example as applied to passwords, I highly recommend reading XKCD (http://xkcd.com/936/).

If anybody ever does actually guess the One-Time Password, they should immediately go out and buy a single-line lottery ticket. Actually they would have far more chance winning the lottery in the first place. Far, far more chance...

Quote: Originally Posted by MrYellowDuck
Your new system will allow anybody to lock me out! *peck!* This is pathetic!
No. No it will not.

As soon as we detect an attempt to log in from a new 'location', we prompt that location for a One-Time Password which will be delivered to your Email Account (or Security Questions and Answers today). It is only after that prompt is verified that we will move the new location into an Authorized Location status. We do not remove your current Authorized Location as soon as a new location is detected. We keep a number (no I won't say how many) of Authorized Location's in the system, so an attacker can try to lock you out, but they will never succeed as they first have to validate themselves using the One-Time Password. Once the person with access to the Email Account validates using a One-Time Password, from that point forward you will be able to log in from that new Authorized Location and as a result there is no point where an attacker actually lock you out.

Quote: Originally Posted by MrYellowDuck
You don't know what you are doing! You will break my Origin account with all my EA games! I won't be able to log on there with my email address any more!
Actually the Origin authentication system is not changing as a result to the changes within SWTOR. You will still be able to log in to Origin with either your email address or your Origin Display Name. In the background we will still update your Origin password if you change your password on the SWTOR website.

Quote: Originally Posted by MrYellowDuck
But what about my current location? Will I need to be sent a One-Time Password on April 2nd along with everybody else???
Rather than force everybody to get revalidated, we will be grandfathering in existing approved locations, which are based on the existing Security Questions and Answers. If you have a Security Key, that functionality will not change and you will continue to only be required to enter the next Security Key code when you log in.

Quote: Originally Posted by MrYellowDuck
Hang on, if I migrate and have to play from an Internet Cafe while flying to my summer home, will anybody be able to take over my account?
So there are two alternatives here I would recommend. The first is to get a Security Key that you can take with you. This will protect you from any potential key-loggers or other malware on the temporary computer you use. Just don't type your email account password in at the same time unless it is also protected by a two-factor system.

The second alternative is to change your password as soon as possible (from your smartphone or tablet perhaps?) after playing, as that will remove the existing Authorized Locations.

Quote: Originally Posted by MrYellowDuck
You just told the hackers all your secrets! What the? Are you mad? No security 'professional' would ever do that!
I may indeed just have told some amateur hackers a small portion of our security model. You'll be (happy?) to know that the professional hackers figured out these pieces well before launch of the game in 2011 and it hasn't helped them. Additionally there are certain aspects that we can talk about (a variant of Shannon's maxim as applied to overall security systems rather than just cryptography - see Kerckhoffs's principle if you want a more technical view of the background of this maxim). Relying on Security by Obscurity (assuming a username can be kept secret for example) is not a direction we aim towards.

Quote: Originally Posted by MrYellowDuck
Do I have to log in with my character name? It has weird and wonderful characters in it that I can't type easily! What do I have to do?
No. We will not be requiring you to log on with a character name. What you need to use is your Display Name.

Quote: Originally Posted by MrYellowDuck
Well I don't know my Display Name! What do I do?
At any time before April 2nd, you will be able to log on to www.swtor.com (or www.starwarstheoldrepublic.com for those that like typing lots), log in and your Display Name will appear in the upper-right of the website.

Starting April 2nd, you will be able to have your Display Name sent to you via email as part of our first self-service option.

Quote: Originally Posted by MrYellowDuck
You just said you would use my email address to recover my Display Name? I thought you said email addresses are bad?
Well, to be fair if you only know your email address, we have to let you type it in somewhere. Unless you have access to the email account though, you won't be able to read any emails that are sent to that email address. Regardless of if a particular email address is associated with a SWTOR account, you won't know if there is a link unless you do have access to the email account. It is that principle that continues to de-link the email address from the SWTOR account by purely just using the website (or game launcher) itself.

I actually like email addresses and don't think they are bad. They just don't always suit being used as a username based on how we implement the different aspects of authentication.

Quote: Originally Posted by MrYellowDuck
Hang on, I'm a new Free To Play account. I have no email address. What can I do?
At any time a Free To Play account holder can register and validate an email address. Once you get to level 15 in-game, or want to purchase something from us, you will be required to register and validate an email address at that point in time.

Quote: Originally Posted by MrYellowDuck
Are you getting rid of all my Security Questions and Answers? I liked them. Lots.
No. We are keeping the Security Questions and Answers in place and will be using them as a form of verification on the telephone if you ever need to call our Customer Services team. A lot of the changes going into place on April 2nd are to help enable self-service systems so that you will not need to call CS as often. We appreciate that when there is a holding queue that it is very annoying, and if calling internationally also not free. We would like to reduce costs where we can both for our players as well as ourselves.

Of course, we want to keep your accounts secure, so we are not reducing security to try and save costs and instead changing security slightly.

For the Free To Play accounts, Security Questions and Answers are also required when you want to purchase something from us.

Quote: Originally Posted by MrYellowDuck
Is there anything I should do? I'm but a simple duck and computers and stuff are not my strong point.
Yes. Yes there is.

As we transition from relying on Answers to Security Questions to sending a One-Time Password to you via email when authenticating, the security of your own Account becomes something you can impact directly by also making sure your Email Account is also secure.

I would recommend you look at the following or get a more computer savvy friend to help:
  • Use a unique, complex and as lengthy as you can password (stressing it is used nowhere else) on your email account
  • Where possible add a two-factor system to your email account - 2-Step on GMail is a great example
  • Make sure your connections to email are secured by SSL or similar. Basic SMTP (sends email in plain text) can easily disclose your password to somebody watching your network as can unsecured POP3 or IMAP
  • Ensure you have a good AV program installed and kept up to date. Microsoft Security Essentials for example is free on Windows and is one of many great choices
  • Don't visit hacker websites (or for that matter most adult-entertainment sites). A lot of them have virus attacks included in viewing the pages
  • Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...
  • Don't click links you don't know inside emails. Go to the website you think you need to go to and type the url in the hard way. Takes longer, but helps protect you...
  • There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!

Quote: Originally Posted by MrYellowDuck
Why are you wasting all this time on changing something that I don't think needs changing? Make better graphics! Put in more flashpoints! We want more content, not more security! *peck!*
I have to say I am constantly amazed at what our artists can do. Lets just say I'm artistically challenged and my stick figures are pathetic and quite ugly to behold... I'm also not one of the server or game engineers and I don't think any of us want me messing around with code that could create full-scale blackouts across entire shards if it is written incorrectly. Basically we have many teams here and my specific team will continue to focus on the security aspects as that is what we are actually here for. Think of it as an added bonus.

Quote: Originally Posted by MrYellowDuck
You keep mentioning two-factor. What does that mean?
I'm going to copy/paste most of an answer I gave in the previous thread.
In the security field, when waffling on about authentication we talk of two-factor quite a bit. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:
  • Something I know (e.g. password)
  • Something I am (e.g. biometrics)
  • Something I have (e.g. security key)
I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement.
As it is sure to come up, let us be clear that Security Questions and Answers (SQA's) are not truly two-factor. It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system.
The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key.
One last thing that I should also point out, the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery...


Quote: Originally Posted by MrYellowDuck
OK, you have convinced me! Quack Quack! What is your email address so I can send you money via PayPal as thanks for all you have done?
Why thank you! My email address is ph..... Oh hang on, I see what you did there. Naughty duck!


OK, enough monologue from me! If you have questions or comments, please don't hesitate to reply. I can't promise an immediate turn-around, but we will be watching this thread and there will be replies when we can get them posted. I would however ask that you refrain from being too descriptive if you feel the need to say I'm wrong anywhere - the forum rules still apply.


CourtneyWoods
Question of the Day 3/18/2013 | 03.18.2013, 09:39 AM
How far did you get after our 1st Double XP weekend?

Personal Answer: I got my Powertech to 50! Next I am going to focus on either my sorc or my scoundrel.


EricMusco
Thanks for the Double XP!!!! | 03.18.2013, 09:30 AM
Glad you all enjoyed it! I spent an alarming amount of hours playing SWTOR. I got my Marauder from 35 to 48 this weekend. I think my biggest surprise was space...doing those quests and dailies was just an insane amount of experience.

I really enjoyed it and definitely looking forward to getting back out there again on Friday

I think the real question is...what do I level next?


AmberGreen
Question of the Day 3/15/2013 | 03.15.2013, 12:45 PM
Now that Double XP weekend has started, how do you plan to level your characters?


Personal Answer:

Very quickly! >.< No, really though, I am looking forward to maximizing the characters that I've maxed out Legacy perks on first.


EricMusco
Get ready for new Double XP weekends! | 03.15.2013, 10:04 AM
Just wanted to pop in and let everyone know what will happen when double experience goes live. Once it goes live you should see your experience bar change appearance, including an update to the tooltip which will tell you double experience is live and how long it lasts!

As a reminder, it goes live today at 1:00PM CDT / 11:00AM PDT / 6:00PM GMT. Enjoy your speedy leveling my friends.

-eric


AmberGreen
International Healer Appreciation Day | 03.15.2013, 09:01 AM
Happy Healer Appreciation Day!

Whether they are keeping that DOT away while you tank that crazy boss, throwing up a bubble at the last second so you can cap that Warzone node, or making sure you stay alive when your DPS was so crazy-awesome that the boss is mad at YOU now, healers make the game a more safe and wonderful place to be!


So, what are you and/or your guild doing for your favorite healer(s) today?



CourtneyWoods
The Old Republic Insider Episode 5 | 03.14.2013, 03:56 PM
Today we are pleased to announce that Star Wars™: The Old Republic™ Insider Episode 5 is now live! This video details some of the new Cartel Market items including the Luxury Skiff Speeder and the Contraband Shipment, a set of five Cartel Packs!

Watch now


CourtneyWoods
Question of the Day 3/14/2013 | 03.14.2013, 12:58 PM
When fighting against other players, what Warzone do you prefer?

Personal Answer: I absolutely love Ancient Hypergates. Besides the fact that it's gorgeous, I love having an epic battle in the center, then running back to my team's pylon with orbs, and then fighting stealthers trying to take our pylon. Also stunning players when the pylons explode never gets old. Never.

Pa-chow!


EricMusco
SWTOR Clock is Buggered | 03.14.2013, 08:44 AM
Quote: Originally Posted by NavrasJueventa View Post
Methinks that the people in Bioware cannot tell the time as it is 9:02pm in NSW Australia (+11) 8:02 Standard Eastern Australian Time and the servers are shut down 2 whole hours early? ***??? Did someone push the wrong button or what?

Bioware you need to specify which Eastern Australian Time you are going by as there is only ONE state that is (+10) atm the rest have this weird thing called Day Light Savings Time so we are (+11) until the first Sunday in April - You can google the dates takes 2 seconds.
Thanks for bringing this up. This is 100% my fault and unfortunately after I wrote the maintenance messaging, I didn't catch the incorrect time...in...time.

It was an oversight on my end, my fault, won't happen again! Apologies for any mixups it caused.


AmberGreen
Sith Warrior Story Quest: Transponder Station Bug | 03.14.2013, 08:33 AM
Hi Sith Warriors,

We've added this to the Known Issues along with the workaround discovered by our astute players in this thread. We intend to include a fix in patch 1.7.3, and if that changes I will post an update for you. Thanks for your understanding and have fun out there!


EricMusco
The Gay Planet | 03.14.2013, 08:17 AM
Hey folks,

We are going to be closing down this thread. I am sure it was noted by some of you that this is now the second thread within a few days about this exact topic which needed to be closed. It was my intent to let these threads go and allow the discussion to proceed naturally. We are not trying to stifle anyone's opinion, whether they are for or against the inclusion of SGRA, but the conversation must remain civil and within the forum rules. This thread (as some have pointed out) even remained civil for quite a while, but unfortunately it didn't last.

A lot of the same issues I pointed out in the other thread came to light in this thread, such as:
  • The conversation at times turned political or religious
  • There were some very disrespectful things said to others
  • etc

Since this is the second thread on the same topic we have had to do this with, we are going to be closing all further threads on this topic moving forward. As we have done in the past, we will be consolidating the discussion of same gender romance to this thread: http://www.swtor.com/community/showthread.php?t=590526

I also want to reiterate, we are solely closing this thread (like the last) because the conversation has gotten a bit out of hand. If you move this conversation to the other thread, do not forget to remain respectful of eachother. We will be continuing to monitor this topic and action people appropriately. Please, just remain respectful towards eachother and eachother's opinions.

-eric


EricMusco
Maintenance: March 14th, 2013 | 03.14.2013, 05:35 AM
All servers are once again available, thank you!

-eric


EricMusco
Community team communicating | 03.13.2013, 05:29 PM
Quote: Originally Posted by Alec_Fortescue View Post
What about the things I am vocal about? :l I swear I'll leave those forums forever once I get a hood toggle...
Maybe I shouldn't have targeted my point so directly

Basically what I mean is that any issues that are prominent on the forums, such as the ones I already listed along with things like hood toggle, etc. are things that I just want to stress that we are aware of. It isn't that we are ignoring you, I promise, it is just that I don't have any updates to post, so we sometimes remain quiet.


EricMusco
Community team communicating | 03.13.2013, 04:51 PM
Quote: Originally Posted by JPryde View Post
Any news on the translation of the new board rules ?

I mean... you know... you said something of them being in the process of translation... two days ago...
It is not exactly a whole book of law to translate... it is just one page.
I will be posting them shortly, again apologies for the delay. This was unfortunately a part of the localization issues we ran into that I mentioned earlier in the day.


EricMusco
Maintenance: March 14th, 2013 | 03.13.2013, 04:48 PM
Hello everyone, we wanted to let you know that we will be performing scheduled maintenance for 2 hours on Thursday March 14th, 2013 from 5AM CDT until 7AM CDT.

All game servers will be offline during this period. This maintenance is expected to take no more than two hours, but could be extended.

This maintenance is done in order to make general improvements and to check performance of the game so that we can continue to provide a consistent, quality experience. Quite often (but not always) after a maintenance period there will be a patch to download. After the maintenance, please login via the launcher to download the latest patch. If your launcher was open during the maintenance, you must close and reopen it for a fresh login.

Maintenance
Date: Thursday, March 14th, 2013

Time: 5AM CDT (3AM PDT/6AM EDT/10AM GMT/11AM CET/10PM AEDT) until 7AM CDT (5AM PDT/8AM EDT/12PM GMT/1PM CET/12AM AEDT)

All game servers will be offline during this period. This maintenance is expected to take no more than two hours.

Thank you for your patience as we maintain service for Star Wars™: The Old Republic™.


EricMusco
Community team communicating | 03.13.2013, 04:41 PM
Quote: Originally Posted by Jonoku View Post
Definetly an improvement, still looking for my issues to be addressed tho.
Quote: Originally Posted by Tatile View Post
It's certainly a vast improvement on what we had before (which was not a lot), but it could be better in some areas - of course it's more likely that those areas are ones where they actually don't have information, whereas before it felt like they weren't conveying information because of, hrm...

Yes. Is good.
Hey Jonoku and Tatile! I know for your respective issues (character transfers and SGRA) you are definitely vocal and it is not lost on us, don't worry. I am always making sure to check in on your issues and will report on anything once I have more information. I don't want you to think I am ignoring them, I just don't have anything new to communicate yet.

-eric


AmberGreen
[Bug] Digital Deluxe Edition | 03.13.2013, 04:03 PM
When I posted about this issue earlier, I told you that I would let you know when there was an estimate for a fix, and now we know!

Because we want players to have access to these items during Double XP weekend, we've decided to deploy a patch tomorrow morning that will resolve this. We're going to have a short maintenance period at 5AM CDT tomorrow. Afterwards, any new Digital Deluxe and Collector's Edition gift packages will contain the correct items. Any characters who didn't get the correct items after yesterday's patch will need to contact Customer Support to have them granted, as the patch will not be fixing any of the bad packages created after patch 1.7.2.

Thanks for your understanding!


CourtneyWoods
Cartel Market Shipment Two: The Contraband Packs | 03.13.2013, 03:43 PM
Hello!

In case you missed it yesterday, we have a new Cartel Shipment - the Contraband Packs - live in the Cartel Market. Take a look at our new blog, containing a Hutt load () of screenshots to see what you can get in our new packs!
Star Wars: The Old Republic > English > Developer Tracker