Yo, BW, put out a date for Gree Event returning. | 03.08.2013, 12:53 PM
Quote: Originally Posted by BadOrb View Post
Even though I'm glad it's returning they probably had the removal of the gold scalene armor planned, the title for legend status is "perfect gold bisector" So putting 1 and 1 together would imply we were going to get something for being legend. A lot of us will be legend a week Tuesday

Now all we need is an update on the 50 planetary comms total and what will happen to the excess when 2.0 goes live.


I bolded and underlined what I am about to refer to, can you point me to a specific thread about this? I am 99% positive I know what you are referring to but I don't want to misspeak.


Community Team, Assemble! | 03.07.2013, 05:52 PM
Quote: Originally Posted by StJon View Post
I for one do enjoy the change in communication and find the jokes hilarious, I'd very much like to see more of that

especially team mates picking on each other
Even if you don't see as much positive feedback as you'd hope I'm sure most people do enjoy the change they are just, like myself, lazy to post.

One side question tho are there any plans or intentions of putting the party jawa on the cartel market?
Reason I'm asking is that one of the Tatooine achievements for 2.0 requires you to kill jawas while "partying" with the jawa... I find it a nice touch but I for one do not have it and as of right now there's no way for me to get one.. would be sad to leave Tatooine's achievements on 97%
I will pass it on to be looked into. However, I can assure you that we don't intend to have any achievements which require things that are no longer available.

Hope that helps!


Add Guild Capital Ships | 03.07.2013, 05:31 PM
Quote: Originally Posted by Dmort View Post
I think they should make guild capital ships in the next update, the possibilities are endless. They could add hangars to dock your ships on, have access to the guild bank, etc. The list could go on and everyone can imagine something different to add. It's something I think lots of people would like to have in the next update.
This is our Lead Designer, Damion Schubert's "baby" and it is on the "wall of crazy" to do list. But we are not going to put this feature out until it is perfect. So I wouldn't expect to see it anytime soon, but it is something we would love to do!

New Locations for the Star Wars: The Old Republic Community Cantina Tour | 03.07.2013, 05:16 PM
Quote: Originally Posted by Yaesive View Post
I want to know what is wrong with Atlanta, we are only the world's busiest airport and there are direct flights from Austin and most other parts of the world here.

Not to mention Dragoncon in September (27th and still going).
I'm actually from Atlanta and love Dragoncon. Unfortunately, we can only go to so many events and it had to be cut from the list.

This is the case for most of the "missing" cities. We would love to visit, of course, but unfortunately we can't do it all!

Yo, BW, put out a date for Gree Event returning. | 03.07.2013, 05:08 PM
Hey everyone!

Although I cannot completely satisfy your request by stating a date that the Gree event will be returning, I do have some information at least. The Gree event will be returning a whole lot sooner than you think (note no ). Soon in this case, is Game Update 1.7.2!

As part of this I wanted to make you all aware of the fact that along with the Gree Event coming back, the Golden Scalene Armor is going to be removed from the store at the same time, but that armor could always come back at a later date!

As one last teaser, we have some pretty cool information coming next week, so keep your eyes open for that.


Developer Update: Overview of the Planet Makeb | 03.07.2013, 03:57 PM
Hey everyone,

Please discuss Charles Boyd's "Overview of Planet Makeb" blog in this thread. If you haven't gotten a chance to read it, click this link!

Display Name Only Log In - Coming April 2, 2013 | 03.07.2013, 11:52 AM
We had a minor issue with uploading one of my posts yesterday, and it lost the 'Next BW Post' link as a result. So just in case you missed it, here is a list of the posts thus far! (Courtney's starting post) (First reply) (Second reply - this is the one with the missing link) (Third reply)

OK - pages 31 to 37 answers...

Quote: Originally Posted by Dink View Post
When will we get an authentication app for (don't hate) Windows 7/8 phones? I'm not going to carry my keyfob with me everywhere just so I can login to the website, so I've yet to activate it...but I would activate if I had an app I could access from my phone.
We have Security Key applications for Windows Phones (and Blackberry even) on the list of 'would be really nice to have', but there are no current development plans for those at this time. That is a business decision based on market share - the development effort is not trivial, and until the percentages change significantly (which they could!) we probably will not get funding for the work involved. I've used Windows Phones most of my life, so this is a topic near and dear to my heart as well :jawa_grin:

Quote: Originally Posted by Bomyne View Post
This is going to be blunt but you are wrong. I'm sorry. How do I know? Last week I upgraded from my iPhone 4 to an iPhone 5. Upon restoring my backup via iTunes, I found the app was crashing. Security feature, maybe? Anyway, I grabbed the details I saved and removed and restored the app from the app store. I input the saved information and I now have a working security app for my account. Been using it ever since I got the iPhone5.
I will have that functionality tested again - the time period for being able to reuse the same key successfully (and this relates to the Mobile version only) should stop that after a certain number of authentications. It's possible the configuration changed when we consolidated some of our back-end systems, so I'll get the configuration validated for sure. I'll make sure if we do have a configuration change there that we only change it after the self-service options are available (your next question is actually related after all).

Quote: Originally Posted by Bomyne View Post
Unrelated note but both Blizzard and Sony have a way for me to remove an authenticator myself in case of upgrading the device/changing the keyfob. Any chance of that here?
As part of the April 2nd release or later? I can't say just yet on April 2nd, but this is one of the ducks I'm lining up. It's no coincidence that the change we are making is related to that (among other) self-service implementations. One of the ducks even has 'move' in its name.

Quote: Originally Posted by Invincibelle View Post
I wonder if this might be a prelude to using Display Names as handles attached to character names... like STO does it. I know a lot of people have been upset over losing character names in the server merges, so this would be a way to let them have their names back (not saying this is a good thing... it just sticks out as a possibility). So instead of having a character named Mara and being the only Mara on the server, I'd be "Mara@InvinciBelle". It'd only display "Mara" in the game world, but when you click to friend or chat it'd clarify with the "@InvinciBelle" added to it. And that way there would be no more unique names and everyone who lost their original names could have them back.

Again, I'm not saying this is a good idea (I kinda like having a unique identity, even if it's not the one I wanted)... just that this seemed like a possible direction after I read the announcement.
The removal of email address as a username option is a change to our out-of-game authentication system only. No in-game name changes will result. I thought it best to clear that up...

Quote: Originally Posted by MadHobbit View Post
OK, tin foil hat time: this change is due to splitting off SWTOR, to in effect create different account.
Also squashing this before it becomes a rumour - we aren't splitting off SWTOR from EA. The change in our authentication system is an enabler for modifications or additional systems associated with authentication only.

Quote: Originally Posted by TomWhiting View Post
Way it was done previously:
login using email (which someone would have to guess), and password. More secure

Way it will be done now:
Login using username (which EVERYONE knows) and password. LESS secure

Because an IP ADDRESS is not a form of 'security'.
limiting logins based on IP address is just the most ridiculous thing I've ever heard of (well, almost as ridiculous as just giving users 1/2 the login credentials to get to my account, or anyone's for that matter). What about individuals who travel frequently, but want to play? What if someone moves? There are HUNDREDS of variables here, and limiting logins by IP on an MMO is just RIDICULOUS.
Relying purely on IP Address indeed would be ridiculous. Imagine a university dorm and everybody being able to play each other's accounts. That would be horrific if you valued your account at all in that scenario.
All these scenarios (and many many more) have been considered and mitigated. We aren't relying solely on one control (such as an IP Address) to protect an account, just as we have never relied on just username/password in the live game. We rely on many controls that work together to protect the account. Yes we are changing some of those controls, but only so we can put additional systems in place without removing security. The upshot is that accounts will be in an even more secure state as of April 2nd.

Quote: Originally Posted by Jedlosson View Post
I completely agree with this assessment.

Starting with 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.

Incorrect. There are two main ways of hacking into one's account - the phishing and the keylogger virus.

1) The phishing hacker already knows your email, since he already sent you a phishing e-mail. As you go to the page linked by the phishing e-mail and use your display name to log in, he will have both the e-mail and the display name.

2) If you have a key-logger virus on your computer, the hacker will get both the email address (as you log into origin) and the display name (as you log into SWToR) in order to play the game.
Even today, hackers can browse the SWTOR forums for Display Names. It doesn't give them anywhere near half of a player's login credentials though, and we have built our security based on the knowledge that some players use the same username and even the same password on multiple websites. With the number of compromises of those credentials at other companies in the last few years, the concept that 'username' is something to try and protect is a foolish concept indeed. It's why we have so many other controls in place to make knowledge of the username in and of itself irrelevant.
You are right that two of the ways of being 'hacked' are phishing and keyloggers. And these are things that you as a player (indeed, all the players!) can and should control. There are some very simple ways to protect yourself:
* Ensure you have a good AV program installed and kept up to date
* Use a unique password on your email account
* If possible put a two-factor system around your email account (Two-Step for GMail is the most obvious/easy to get of the solutions out there)
* Don't visit hacker websites, or for that matter most **** sites - a lot of them have virus attacks included in viewing the pages
* Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...
* There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!

Quote: Originally Posted by Jacen_Starsolo View Post
I tried to strengthen my password in TOR. I tried to generate a long complex password with KeePass. Even after I do a random gen in KeePass I go in and change a few around. And TOR wouldn't accept it unless I shortened it CONSIDERABLY. Like cut it to 1/3 the length. What kind of "superior security" is that?
The maximum length of 16 characters is an EA restriction due to a lot of other systems across EA that cannot handle more than 16 characters still. One day that may change (and I continually push for that work to be completed!), so in the meantime we have many other controls in place to make a shorter password not as important as it otherwise could have been. Being forced to have a shorter password has meant we have placed more controls than we otherwise would have, which is why you don't see thousands of 'my account was hacked' posts on a daily basis. Sometimes being restricted in specific instances on what security we can implement has created better security overall due to the other controls we put in place.

Quote: Originally Posted by Merouk View Post
Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue against how we feel. It's not working.
That has to be one of the best posts in this entire thread! I would love to care more about people's feelings when it comes to security, however the attackers/hackers out there don't. Not one bit. Personally I do care, but professionally I also have to deal with the attackers, so I have to cater for their level of caring and look at security from the point of view of boring concepts such as logic. If that focus on preventing zero-feeling attacks has bled over into my answers, then I can only apologize - my ambition is to ensure we continue to keep accounts secure at a reasonable level of cost. That, and nobody likes my idea of requesting a pint of blood for DNA verification every time a player logs in.
I actually like people being vocal btw. It helps ensure we haven't missed anything (there are a lot more of you than us working here!), and I can safely say that nobody has brought up a concern with regards to the change to Display Name only that we haven't already planned for or mitigated by ensuring we have other controls in place. I'm just trying to alleviate (or even educate) people with regards to better security, as it is a very complicated subject that most people take for granted without fully understanding. Perceptions based on less than full understanding are something I'm trying to get to perceptions based on better understanding...

Quote: Originally Posted by LarryRow View Post
I call BS. This level of detail and attentiveness requires a much larger time commitment.

Don't stop the sass, Phillip. These guys need to know that
1. British people are the funniest.
2. Amateurs and arm-chair analysts are not qualified to weigh in on internet security
OK - you caught me. I'm only spending a few minutes on each answer. The reason there has usually been a day delay in answering the questions is that I'm writing up the answers out of office hours most of the time.

Quote: Originally Posted by KALELSAB View Post
Ok. With the change of login from email to user name, there are a lot of concerns. In Developer forum BW says "An attacker will not be able to 'lock out' a players account, and at the same time will not be able to 'brute force' getting into the account."

How are both true?

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?
Both are true as we have other controls in place which we don't talk about, and from a player's perspective you will never see in action as you aren't trying to 'hack' your own account. Attackers on the other hand trigger the other controls and are dealt with accordingly - that's why those other controls exist to protect your legitimate usage of your account.

Quote: Originally Posted by iamthehoyden View Post
I do have a question. Is there any chance we'll be able to write our own security questions? Or get more options than what's there currently? The current ones don't seem particularly secure.
Within SWTOR we will not be changing the system to allow custom questions. More options than there are currently has been looked at a few times already, and I'm sure it will come up as a topic internally again. With regards to the custom questions, while most people are very polite with the answers, the questions themselves are also used as voice verification for Customer Services, and impolite custom questions are something we would like to protect our CS staff from when a disgruntled player could otherwise be impolite.

Quote: Originally Posted by DaRoamer View Post
Because it IP bans them. You will still be able to log in from your IP address.

You can put anything you like in those answers. You don't have to answer truthfully :P As long as you remember what your answers are.

What is your favorite color?
I too don't answer the answers truthfully! To prevent myself from forgetting the answers though, I keep them locked up in a little program called Password Safe (sourceforge project). There are quite a few similar programs out there such as KeePass, and I highly recommend using one to avoid that 'forgot!' moment. I use a different answer on every site as well, so would never be able to remember the answers if I wanted to...
Just never ever use that 'master password' anywhere else!

OK, finished with page 39 now...

Question of the Day 3/7/2013 | 03.07.2013, 11:35 AM
Quote: Originally Posted by Pistols-GS View Post
Should this question be rephrased to Bounty Hunter/Trooper? Or is this factional roleplay only?

Just curious.
This is just Bounty Hunter for today. We will ask Trooper in the future.

Question of the Day 3/7/2013 | 03.07.2013, 10:56 AM
Good morning!

It's time for our SWTOR Daily question:

When adventuring on your Bounty Hunter which companion do you choose to have at your side?

Personal Answer: I am currently leveling a Powertech (spec Pyrotech), and I always have Torian out. We both have the level 40 pvp gear, so (imo) we look pretty awesome. Since I roleplay my BH as an honorable warrior, Torian is a great fit... he is also one of my favorite romances in the game.

Broken in patch 1.7.1 | 03.07.2013, 10:02 AM
Quote: Originally Posted by Asavrede View Post
As for GTN search, do you also know that search for partial matches is STILL broken?

If you search for "Enha 27" you still usually get all enhancements grade 27. If you search for "Armor 27" you will most of the time get no matches, yet once in a rare while you will get all grade 27 armorings. Searching for armorING works ofc, since that's no longer a partial string match.

This finicky and frankly voodoo-like behaviour has persisted at least since 1.5 now, even though it has been reported several times.

(I never had that space mission issue btw - could be a mouse/keyboard driver issue - are you using Logitech setpoint? That can cause random weirdness at least)
Quote: Originally Posted by Glower View Post
You can search "holo" (holo-dancer holo-statue etc) with 0 results but "holo-" with 3 pages OR both with 0 results, but full word "holo-statue" still works.

Searching is way too random! Pls fix this bug.
We've been investigating the reports in this thread about partial searches not working. Can you please let us know if this is still happening for you after patch 1.7.2? If so, can you please confirm your examples and tell us what server you're on? Thanks bunches for your help while we look into it.

Display Name Only Log In-Facepalm | 03.07.2013, 09:42 AM
Hey there folks. There's a lively discussion going on in the Display Name Only Log In - Coming April 2, 2013 thread. Therefore, we are going to close this to consolidate discussion.

We invite you to add your comments and read what others have said by visiting the main thread. There you'll find responses to many questions and concerns from our Head of Security, Phillip Holmes.

SWTOR.COM 3/6/13 random access denied pages! | 03.07.2013, 09:29 AM
Quote: Originally Posted by HomicidalWhales View Post
Any update yet on this bug?
Hey folks. My apologies for not stepping in last night to post an update after this was fixed. The issues folks were seeing were completely resolved at around 8PM CST yesterday.

Please be sure to let us know if you're browsing and experience this again. We appreciate your reports.

Display Name Only Log In - Coming April 2, 2013 | 03.06.2013, 05:18 PM
Starting at page 21...

Quote: Originally Posted by Missandei View Post
So basically, now every retarded kiddie will be able to block any account just entering 10+ times the wrong password to the Display Name he can get from Forums?

Great job BioWare!
Easy answer here: No.
Even accomplished kiddies will not be able to block any account by just entering 10+ times the wrong password. They can't do that today either. The current system requires knowing the correct password (if they can get that far) to even attempt at being able to 'block' an account.

Quote: Originally Posted by Missandei View Post
Yes. And when your account is blocked due to the numerous failed hack attempts... guess what? You have to dial to the Bioware CS that already proved as a total bull..t..
Are you prepared for 5 hours of waiting on the line just to get your account reset so you are allowed to log in?
One of the key reasons we are making this change is to enable an implementation of a variety of self-service options where you will no longer have to call CS.

Quote: Originally Posted by Mallorik View Post
My forum name is not my email that can be hacked and used to retrieve my password.
Not a question, but thank you for 'getting' one of the reasons we are making this change

Quote: Originally Posted by SeriouslyMike View Post
Oh, sure, how about people who still use such antiquated technology as e-mail clients that download and then delete your e-mails from the server? So even if someone hacks your e-mail account on one of 28 days of the month when Bioware doesn't send notifications that your account was billed or something, he still won't have anything. That and is it so hard to google your very public display name and connect it to an e-mail? Also, if your e-mail gets hacked, BioWare helpfully refers to you by display name in all personal messages like Cartel Coin purchase confirmations. So, if anything, it only makes it easier to target specific players.
Yeah, pretty much that. Other games do have that, so what's the problem here?
I totally agree that if your personal email is compromised that you will be vulnerable to many issues. I don't believe you that it is easy to google a Display Name and connect it to an email address. Even then, I don't believe it's easy to find the password for that email account.

I'll stress again (and I know, I repeat myself a lot!) that protecting your personal email account is very important. Use a unique password, and if possible get a two-factor system such as Two-Step for GMail. I like GMail's solution.

Quote: Originally Posted by Terin View Post
Just curious, could this change have any impact on the game itself? For example, will my Display Name perhaps also eventually migrate into SWTOR itself? Or is this purely a change for the site?
This will affect how you authenticate within the Launcher, and the Website. Nothing else will change in regard to using Display Name only for log in purposes.

Quote: Originally Posted by old_benn View Post
I haven't read the 15 pages since this was posted, so forgive me if this has already been pointed out.

I sincerely hope that this does not mean that I have to give BW my e-mail account password! I will *not* be doing so. It would be tragic to lose customers over something so stupid.
I really really do not want you to tell us your email account password. Please don't! :jawa_grin:

Quote: Originally Posted by bowlergirl View Post
You might not be able to answer this question...

Do you guys hire former hackers to attempt to hack the site and user information to make your security better? I have heard about companies outsourcing reformed hackers to help their businesses.
I've found most 'former hackers' aren't that good at real security testing. Most might get lucky a couple of times on a well known exploit, but for testing 'all the things'? Not in my experience. There is always the exception, but thus far I haven't come across anybody who purports to be a former hacker who has been somebody I would pay money to.
The answer to 'do you use internal and/or external security penetration testers to run security tests against your site and user information to make your security better' is: yes.

Quote: Originally Posted by Soul_of_Flames View Post
Display name "ONLY" log in. Does this mean they are removing security keys?
No - we are not removing Security Keys.

Heh, I should have read through the rest of the posts before thinking I needed to answer lots of new questions! I'm up to page 31 now, so if there are more questions I'll post when I can, until then I leave you with a wookie wearing sunglasses!

International Healer Appreciation Day | 03.06.2013, 05:12 PM
As a healer, I support this idea. That is all.

SWTOR.COM 3/6/13 random access denied pages! | 03.06.2013, 05:06 PM
Hey folks. We're investigating these issues now, and we'll work to get it fixed as soon as possible. Thank you very much for the reports! o/''\o

Display Name Only Log In - Coming April 2, 2013 | 03.06.2013, 04:06 PM
A couple of people have noted I use a bit of 'sass' in my replies. I should probably point out I'm from the UK, and 'sass' type comments aren't meant to be offensive, it's just a virtual language difference. I still get quite a few interesting looks when I talk here in the office, even after being in Austin Texas for 3 years now. I have at least learnt to use the z instead of an s and to drop the occasional u when typing (most of the time...)

On to more answers!

Quote: Originally Posted by RalphYauger View Post
Please make it so we can change our display names.
This has come up a lot in the responses so far. I did try to answer this previously, so I'll have another go now
Technically, changing the forum system to start using a new display name is not as trivial as adding a new column in a table and spending 10 minutes on it. We have a large and rather complex set of systems in order to be able to handle the sheer volume of traffic, and what sounds like a simple change is anything but simple. Or easy. This isn't to say we shy away from work, but rather we have to focus our work efforts in a prioritized fashion. Based on the feedback you will be happy to hear that we are again discussing the perceived issue. I can't promise 'soon' - heck, I can't promise 'later' just yet. It is likely based on the underlying systems that we will not change the account Display Name, but rather look at adding a new Forum Name that can be different.
So thanks for the feedback from everybody that has raised this. You are being listened to - but please also remember that being listened to does not mean we can easily change everything based on just your feedback. We have other pieces to consider. Think of what I have disclosed publicly today as the tip of an iceberg. A very big iceberg that is constantly changing shape as it freezes and unfreezes due to global warming... An iceberg with feedback chiseled into it that we can plainly see and are paying attention to.

Quote: Originally Posted by bigheadbrandon View Post
That actually is false, yes you can choose to use your account name as your display name but it is entirely possible to go by a completely different name (which in most cases is what people are doing). I can assure you my Steam display name is not my account name.
I stand corrected and apologize for the assumption (yes, I made an *** of myself!). I've used the same display name since before most people had heard of Steam and have never attempted to change it. At the same time (and the reason I didn't think it was changeable), the current security of Steam means that knowledge of my username in Steam has no bearing on the actual security of my account. Many people have tried (Steam emails me) and none have succeeded. I may not work at Valve, but I have to hand it to their team that they have one of the best/secure authentication systems in the industry. Of course I'm egotistical enough to think that we have one of the best too, and our upcoming improvements (Display Name is a piece of those improvements) will only make our system stronger.

Quote: Originally Posted by Bomyne View Post
I need three pieces of information to log in. My username. My password. My authenticator. You are willingly giving one of those away to potential hackers and the other two are easy to overcome. Wow. Really? This is actually worse than Blizzard's real name on the forums thing.
I'm going to apologize in advance for the upcoming security lecture!
In a lot of systems (mainly corporate and military) the username is a given piece of information that the person using it has no control over specifying. It's usually a standard format that is commonly derived from the person's actual name or an internal identifier. My BioWare login internally is no different in that respect. This is one of the contributing factors on why username in and of itself should never be a major concern around the security of an authentication system.
In the security field, when waffling on about authentication we talk of two-factor quite a bit, and it looks like that needs a bit more explanation. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:
  • Something I know (e.g. password)
  • Something I am (e.g. biometrics)
  • Something I have (e.g. security key)
I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement
As it is sure to come up, let us be clear that Security Questions and Answers (SQA's) are not truly two-factor. It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system.
The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key.
Another potential 'Something I have' is something we could call an 'Email Security Code'. The key point here being it is something you have that is provided out of the same channel as the password. For example sending a code via email fulfills a time limited code that changes frequently. Very similar to a Security Key, but without the overhead of a smartphone or key-fob. Come to think of it, I have a duck around here somewhere called 'Email Security Code'...
So no, this is nothing like displaying a person's real name on the forums. Technically that would probably be easier in our system than implementing a 'forum display name', but rest assured we have learned from Blizzard's foray into that area and are not considering doing that at all.
One last thing that I should also point out, the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery...
TL;DR: username should never be considered a security component - that's what passwords, SQA's and Security Keys (or ducks!) are for.

Quote: Originally Posted by Bomyne View Post
Do you remember the two pieces of information you inputted in the app when you were setting it up? Naturally you made a backup. If anyone gets that backup, they can recreate your authenticator.
Actually our system doesn't really work that way. I'm not going into details, but entering in the serial and challenge/response some time later (I can't say how long) will not result in a working Security Key code.
To ward off all the questions that statement could create, yes, I have another duck called 'I lost my Security Key and don't like calling an international phone number'. It's a tricky little duck and there will be more news on that subject in the next few weeks.
Securing your home PC and personal email account isn't something we have any control over though, so 'if anyone gets that backup' who isn't supposed to be getting that backup, then you have other issues you also need to consider.

I'll go on to say 'please secure your personal email account' again - so many of today's authentication systems totally depend on the security of your personal email account, and that is something you can control.

Quote: Originally Posted by JPryde View Post
So you know, that the mail of my own domain is not exclusively used? When I own several mail-accounts that are exclusively under my own control?
Respect... but I would suggest, that you are a little less bold on what you claim to be able to guarantee.

And even if I did use my email-address on any other site, then someone would still need to figure out, that I am using that e-mail for SWTOR too... With your proposed new system, no one needs to take any guesses. Everyone interested in hacking will know for sure, what my login name is.
Valid reprimand! I looked up your email address and it looked generic (no plus addressing!) so assumed you would use it in multiple locations. And there is that word 'assume' again.
If it is any consolation, I've only spent a few minutes responding to these posts, and over two years working (off and on) the new implementation of our authentication system - also we have quite a number of people who have put their two cents into play on the new system so it's been attacked six ways from Sunday multiple times.
I'll try to assume less in my forum replies - after all I strive to assume nothing in my 'normal' work.

Quote: Originally Posted by Bomyne View Post
It's not paranoia. It's fact. Gold sellers exist on the internet. These people hack accounts and steal gold, credits, etc from MMO accounts then turn around and sell them to other players. Previously they had to rely on keyloggers and clever methods to get login details. Now they only need to skim the forums.

I have an authenticator on my account but I don't 100% trust apple or google not to accidentally include a bug or exploit in their OS software, so I don't rely on it for security. Passwords are easy to overcome. Most people use easy to guess passwords. I'm willing to bet that Password1 is a VERY common SWTOR password.
I would recommend not posting your password to your SWTOR account, or the password and email address for your personal email account on the forums.
Hackers need to do a lot more than skim the forums currently, and will have to undertake a lot more effort once we de-link email account from your current SWTOR password. The vast bulk of 'attacks' on any system are email and password pairs gleaned from other sites, and we have existing (and are putting in additional) systems in place to mitigate attacks just against the username/password combination.

Quote: Originally Posted by PAMuttoni View Post
Raise your hand if your Swtor account has been hacked.


Raise your hand if you think this change is necessary. (No one asked for it)


Instead of focusing in Log In changes, fix the game crashes, lag, disconnections.....
I don't think anybody would want me working on game crashes, lag or disconnections. My only contribution there would possibly be to create them! Personally, I don't experience game crashes, lag or disconnections on a constant basis as you appear to be implying is a 'thing'. We don't host game servers in Texas, so I have to put up with the varied ISP issues that everybody else has to as well...

Quote: Originally Posted by theblaznee View Post
Alright, now the "book is open" so to speak, and we have Swtor's CSO looking at this, I'd like to personally get some assurance here..

1. Userdatabase with logins, passwords and security key answers.. Are they hashed using md5, sha-(1-512) or any other fast "off the shelf" crypto algorithm (yes or no answer - no need to feed info)? Are they salted?

2. Do you use multi factor authentication before allowing authorization attempts? Does the level of authorization required change based on the provided authentication "level".. Basically, do you have differing levels of authentication?

3. This is mostly me being curious. Why don't you require all users to use 2-factor? With the current reliance on username/password schemes - even with security questions, the only way forward is at least 2-factor.

My hopes for answers are

1. No, we use a high work factor custom password encryption hash.

2. Yes

3. We wish we could, but politics say 2-factor is not user-friendly and so..
Good questions, but I can't go into all the details as you guessed.
My answers such as I can:
  1. So you also know that off the shelf/'fast' algorithms only benefit an attacker! If they can get to the data that is. We could even make it harder by using a unique (and changing) salt per password. I can't answer your question though for obvious reasons.
  2. Do you mean internally within our production data centers? I could say I have multiple Security Keys. And not all of them are game related. Again I can't answer your question though...
  3. Back when Greg and Ray were still around (the co-founders of BioWare) we had this discussion many times. While of course all of us wanted to have a Security Key on every account, we also agreed with the business decision that we would have too many people 'rage /quit'. Some of the replies to this authentication change announcement are indicative of that I believe.
Hey, I did give you an answer you wanted! 1 out of 3 means I failed though right?

Quote: Originally Posted by Blackavaar View Post
Yes, to my knowledge not one single account has been hacked on SWTOR, so why bother making this change at all?

Another good question.
This change fundamentally changes what else we can improve within our authentication system in other areas such as self-help services. I have a few ducks with names that start with 'self-help' floating around here somewhere....

Quote: Originally Posted by discbox View Post
Case 1:

nobody knows what e-mail I use for SWTOR, except BioWare (really nobody, just me and BioWare)

my e-mail has about 20+ characters including @ - and .

Case 2:

everybody can read my nickname here

it has 7 characters

Which one is more secure, Phillip?

What kind of education do you have, Phillip? Cook?
Which one is more secure? Neither.
As explained above in a bit more detail, the username in and of itself should never be something considered for securing an account. Identifying an account sure, but not securing one. We have multiple layers of controls around the overall authentication piece, and we work on the supposition that the username is not a control.
I don't have any formal cooking qualifications, sorry about that.

Quote: Originally Posted by Nealzeypoo View Post
Can we fix the android authenticator. The number text for mine is black. I have to use it in landscape to be able to see the numbers
While we continue to wait for an updated mobile Security Key application, there is a fix for this existing bug - if you go back to the app home screen and then tell it to generate a new key, it should show up correctly (failing that, close the app completely and launch it again). I wish I had a concrete date for an updated Android app but I don't.

Quote: Originally Posted by RyaSan-sal View Post
Whoever told you guys this is safer should leave a large opening where his/her job used to be. How old and out of touch do you need to get, EA? You've proven you haven't got a clue what gamers want. So stop already. Change for the sake of change is a futile exercise for you and annoying as heck for your paying customers.
This is far from change for the sake of change as you will see over the next few weeks. I agree there is a minor annoyance as you will have to change your username to use your Display Name, but then you can use the existing 'remember this account' function that has been there for a few years now and the annoyance will go away...

Quote: Originally Posted by noobzor View Post
One concern that I have is that it seems this is opening up a way for people to "grief" each other by intentionally trying to log into someone else's account and failing a number of times, resulting in the account getting locked out. Currently, the only way to re-enable the account is to call customer service.

I, personally, don't want to have to call customer service to get my account re-enabled over and over again if someone decides they want to pick on me. That would be enough to make me not want to play this game anymore.

Are there any plans to address this scenario?
Short answer: yes.
Longer answer: An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account.
Much longer answer: I'll give that sometime in the next few weeks once the ducks are all lined up.

Quote: Originally Posted by Leonalis View Post
Maybe you can explain: why

Blizzard changed the login from login-name to email and said: this is more safety
Bioware changed the login from email to login name


And blizzard has a little bit more user and my email address on the battle net is additional my login to sc2 and D3 and wow
Blizzard and BioWare, while sharing the same first letter of the studio name, have very different authentication systems. For us, using email account as the username precludes us from rolling out some other additional security features which dictates that to roll out more features we must change to Display Name only.
I don't know, and won't attempt to guess the inner workings of the Blizzard authentication system, so I'm not qualified to say it's better or worse in using email address for the username. I do however know our system very well, and know that it is better for us to change now in order to be able to implement other enhancements to our security.

Quote: Originally Posted by PeterGun-SWE View Post
Big thanx for the replies Phillip_BW

And since this topic is about security and you are the Senior Manager of Security, I hope you don't mind me asking:

When will we in Europe and Asia-Pacific be able to buy Physical Security Keys?

And please don't give me that baloney that it's possible via the Origin Store, or even via the US Origin Store... cause they don't ship outside the US.
I don't mind being asked at all! I can only apologize for the delay, and can assure you that we are working on this. I don't have an actual date for when we can get the key-fobs available for purchase again. I can say that even today I had various emails specifically on this topic with the teams in Europe that control the EU side of the Origin store, and therefore the availability of the key-fobs themselves.
I really do want everybody to have a Security Key or at least the choice on if they want to get one - this has been a hot topic with me (as many people internally know) ever since we had to take the key-fobs off the store last year.

Quote: Originally Posted by Bomyne View Post
After reading this thread, I have come to a conclusion. There is a MASSIVE security hole in SWTOR's login system. You can log in by a publicly displayed username already.

I'd like to make a suggestion. Disable this publicly displayed username login system and force everyone to log in through the more secure email login system.
We don't need to change the existing implementation as there is no MASSIVE security hole. As others have pointed out, if you log in from a different location and/or machine, you will be prompted for a SQA if you don't have a Security Key.
There is one caveat - if you are a new 'F2P' player and have never bought anything, you currently don't have an email address and probably don't have SQA's associated with your account. You can add either at any time of course, but until you do your account will only ever be secured by a Display Name and password combination.
We may change it so that all players have at least a valid email address at some point in the future, but currently it is optional up until the point you want to buy something and therefore associate a real money transaction against your account.

Quote: Originally Posted by Halabane View Post
The email you sent out looks like a phishing email. You should tell people to log into their accounts without a link. It would be easy to grab account info, especially for those who don't have an authenticator by using this email form.

They hammer us at work about this.
Apologies - we had put in place explicit instructions to not put in links in the email, but it appears that one got through regardless.

Quote: Originally Posted by Dragarr View Post
So sacrifice player account security in chase of the Almighty dollar, it's good to know what Bioware think of us. Should I just start depositing my pay check straight to your account?
If anything we are spending a lot of money to increase security. A lot of players have complained about having to call CS due to various issues such as being unable to log in due to forgetting their Secret Questions and Answers or losing their Security Key, and in order to facilitate some self-service pieces (those previously mentioned ducks) with an acceptable level of risk, we have to de-link the email address from the authentication system.

Quote: Originally Posted by DaRoamer View Post
What about the IP checks and secret answers they will need to log in to the account?
I've noticed a lot of people are forgetting about the other checks we do. There are more than just those two of course...

Quote: Originally Posted by DarthSabreth View Post
OHHH JOY I can just see it now. Joe shmuckatelly gets upset with joe smoe's post then well hey since he / she already has 50% of his or hers log on then let the fun begin for their hack on them for revenge. There are a lot of smart folks that play this game and giving them half of a logon is just silly.

At any rate it will force people to either not use the forums or delete all the past posts to avoid any credit farmers from phishing the forums for easy pickings. why not they now have HALF the logon.

So since we can't or are shunned from using another service they provide due to lack of security are there any other surprises down the road? Were there really that many hacked accounts to warrant such a change?
We have a very vocal community of players. If there was an issue with accounts being hacked, I'm very sure we would all know about it. So to put your mind at rest, none of the changes we are making with the authentication system are a result of an issue with hacked accounts and in fact it will be even harder for an attacker to attempt to hack an account.
We are keeping ahead and avoiding account take-over issues, not reacting to one.

Quote: Originally Posted by Jagrevi View Post
A question - I may be losing the email address associated with this account in the course of the upcoming year. Will this change allow me to (or affect my ability to) change the e-mail address associated with this account?
Another good question! Your ability to change your email address is available today, and will remain available after the changes on April 2nd. I would recommend changing to a new email address (and completing the validation process for that new email address) before you lose access to your current email account.

Again I'd stress using a unique password on the email account and if possible using a two-factor solution like Two-Step for GMail.

Quote: Originally Posted by WorldSecurities View Post
But then he showed favor to 'doing security on the cheap.'
Taking that one sentence at face value, let's just be clear that we are not "doing security on the cheap". Far from it. I can't go in to the total costs of the Mobile Security Key per player, but it's not a trivial cost, and we are absorbing that completely with no plans to change. We sell the Physical Security Key at less than cost and still have to ship it to the buyer, again, no plans to change who pays that cost.
The costs you are quoting me on are support costs associated with something nearly everybody that has to call CS complains about - exactly that, the 'need' to call CS (especially internationally) and therefore the CS costs we therefore also absorb. One of the key aspects of de-linking email from the username is the ability to provide some self-service options which will negate the need for a call to CS. Yes we will save some money internally, but we are not "doing security on the cheap".

Quote: Originally Posted by BanRau View Post
That has got to be the worst move I've ever heard of. Why is it that if you are going to change the login that you make us use the name that we subscribe under instead of letting us log in like we have been with our emails? You came out with these devices that attach to our key-chains that give us a number to enter as our Security Key and our emails and passwords to go with it and you're changing it. Why didn't you do this when the game was first released instead of doing it now after all of this time, tell me that? This makes no sense.
The note we sent out was only changing the username aspect of authentication. All of the other pieces such as passwords and Security Keys remain in place. I hope that makes more sense...

OK, I've finished this reply up to the end of page 20. Given the sheer length of this post I'll reply again for page 21+ soon!
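
The 'Email Security Code' idea from the post above, sketched as an added example (not BioWare's code and not part of the original post): a time-limited, single-use code with a cap on wrong guesses. The code length, lifetime, attempt cap and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# All three values are assumptions for this sketch, not figures from the post.
CODE_DIGITS = 6          # length of the emailed code
CODE_TTL_SECONDS = 600   # code lifetime (10 minutes)
MAX_ATTEMPTS = 5         # wrong guesses allowed against one issued code


def _digest(code: str) -> bytes:
    """Store only a digest so the pending table never holds the code itself."""
    return hashlib.sha256(code.encode("utf-8")).digest()


class EmailCodeVerifier:
    """Issues and checks out-of-band codes; `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [digest, expires_at, attempts_left]

    def issue(self, account: str) -> str:
        """Create a fresh code (replacing any older one) to be sent by email."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[account] = [_digest(code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, account: str, submitted: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[account]      # time-limited: stale codes are dropped
            return False
        if hmac.compare_digest(digest, _digest(submitted)):
            del self._pending[account]      # single use: a replayed code fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            # Assumed policy: burn the code, not the account. The owner can
            # request a new code, so wrong guesses do not lock the account.
            del self._pending[account]
        return False


def guess_probability() -> float:
    """Chance that blind guessing hits one issued code before it is burned."""
    return MAX_ATTEMPTS / 10 ** CODE_DIGITS


if __name__ == "__main__":
    verifier = EmailCodeVerifier()
    sent = verifier.issue("ExampleDisplayName")   # constructed account name
    print("first use :", verifier.verify("ExampleDisplayName", sent))
    print("replay    :", verifier.verify("ExampleDisplayName", sent))
    print("guess odds:", guess_probability())
```
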

Playing with friends (again) | 03.06.2013, 03:16 PM
Quote: Originally Posted by SpoeMeister View Post
After your starting planet, you will indeed meet up on Coruscant. Your class quests are indeed individual, but they do have a similar track record.

I will try to explain this as easily as possible:

Each planet is usually divided into sections. These sections can be identified by the binding points for travelling and/or the Taxi Access Terminals. All of the class quests follow this logic.

With that in mind, you and your friend can easily level together in the following manner:

0. Make sure you are grouped.
1. You both arrive on the planet at the same time.
2. You both go to your respective class quest giver on the planet.
3. When the quest has been given, you meet up again.
4. If desired, pick up other quests together (the triangles on the maps are quest givers that everyone can access).
5. Check your map: You should be able to see both your missions as well as the missions of your partner (if you are grouped). Notice how they are usually not in the exact same location, but they are on the same section of the map.
6. Go do all the quests that are on the map. Both you and your friends should also help each other with your respective class quests.
7. When all quests have been done (note: each mission will say something like "Return to xxx" or "Speak to xxx") go back to hand in all the quests you have fulfilled. (note again: on the map, your quest givers will now show as a triangle with a green center).
8. You have now finished a section of a planet together. Your class quest will send you to your next section, and usually, your partner will receive the same kind of message in his/her class quest.
9. Do the same for the next section :-)

As for your Level 33 friend. Don't let him group with you unless you are Level 30+ as well. He will seriously gimp you and your friend in the following ways:

- If you group with him, your experience gainings will be significantly reduced, meaning you will very soon be underleveled for the content, and he as well as he's not gaining any experience.
- If he keeps on destroying all your enemies and you do nothing, by the time you're 30+, you will have no idea what your class can do.

Good Luck and if you have further questions, don't hesitate to ask.
I have nothing to add to this thread other than to say awesome job on this SpoeMeister. This is why we have the New Player Help forum

Seriously, very concisely written and very helpful. Thank you

What Happened to the Community Round-Up? | 03.06.2013, 03:12 PM
Quote: Originally Posted by HomicidalWhales View Post
Is it ever coming back? I really liked it because it combined a lot of things happening within the galaxy into one single thread we could all discuss about. I really hope it comes back because I was always up-to-date with the latest events and popular threads/discussions going around the community!
Hey HomicidalWhales,

The general consensus I received was that this blog was not well received by our community. I intend to bring it back with a greater focus on just events posted in the Server Forums. But I am always open to leaving the format how it was if people enjoyed the blog. It seemed from the responses in the Round-Up threads that that was not the case, so I wanted to change it to something y'all would (hopefully) like more! I am always open to suggestions since this blog is for y'all and I want it to be useful.

Always check your bill | 03.06.2013, 03:08 PM
Quote: Originally Posted by NatashaTerenzio View Post
Last month I got my bill for my subscription and it was $16.34. I thought this extremely curious because this was the first month I'd been charged over 14.99. As I checked my statement it showed 1.35 in taxes. This only provided further confusion because that was above 8% for starters and secondly I had never received a tax charge before.

So I called SWTOR. A very polite gentlemen informed me that they were seeing this pop up on a lot of people's statements but they had nothing to do with it, and that I should call my bank. This baffled me because I'm assuming SWTOR billing was unaware that I do the majority of my banking through paypal, and paypal does not add charges. But whatev I called paypal and of course they said it wasn't them, and are disputing the extra $1.35 charge on my behalf.

I don't mind paying what's owed, but I'm not paying EA extra for no reason. So moral of the story kids always check your bill, and just because you see XYZ in taxes doesn't mean it's correct.
Hey everyone,

I posted some clarification on this a few days ago but I wanted to bring it up here as well since the issue is still around. You can find the thread here:

What I said prior was:
Quote: Originally Posted by EricMusco View Post
I was hoping to clear up some confusion on this issue. Subscriptions are subject to sales tax in some states, and sometimes states rules on how these taxes are applied can fluctuate from month to month. This could be the cause of the cost changes you noted above.

If you want to get more information on something like this you can view our Terms of Service or our FAQ, or call your state's Revenue Department.

Hope that clears up any confusion!

Bioware, when can we get a word on player housing? | 03.06.2013, 02:55 PM
Quote: Originally Posted by ISDcaptain View Post
An official statement would be nice. Is it in the future of this game (please tell me it is)?
Hey ISDcaptain,

I forwarded this along to our Lead Designer, Damion Schubert, and this is our current statement on Player Housing:

We're not saying never, but it's not on our immediate roadmap. If we were to expand on this in some direction, we would first focus on improving the degree that players can customize their ship interiors, but even that feature is a ways down the road.
