PaZPyX
03.12.2013 , 02:47 AM | #506
Quote: Originally Posted by Nemhain
You should follow the advice of Ruhrpottpatriot

Apparently some people like you didn't even bother to look at those posts; as Ruhrpottpatriot said: "I really urge you to read his posts(...)". Not only you but everyone, before posting here.
Thanks to both of you for compiling the "official" responses in a single place. I'm sure it'd be helpful to more than just me if the moderators moved them to the head of the topic though.


Quote: Originally Posted by Nemhain
I had my account hacked in another MMORPG (which I played for almost 6 years) and I was as careful as a user can be; I didn't deserve what happened to me in that case.
I agree -- but sad as it may be, it was to be expected as a consequence of entrusting esthetically valuable data -- your characters, items, game progress -- to a third party (the gaming service) for safekeeping, against every possible caveat in the EULA. "<Whatever>-as-a-service" technologies are convenient, but convenience always has a price; in the case of *aaS, that price is control. You are at the mercy of the service provider and whoever can manipulate their data; you have no say in how this data is managed -- the worst you can do is terminate your subscription, maybe sue them for damages, but good luck with that given the EULA. This is one reason I tend to avoid relying on cloud/*aaS solutions (including MMO games), and prefer old-school installable single-player games, games that use peer networking models, or those with open server executables, with all the code and data easily replicable and within reach. TOR is a rare exception; I play it mostly because its prequels are my long-time favorites.

Quote: Originally Posted by Nemhain
If a hacker wants to hack your account, he will; we just have to make their life as hard as possible, and trust that the people who look after our accounts' security do their best to avoid it.
Just to make it clear, I was not calling into question the technical competence of BW/EA security staff, maybe only my own. On the contrary, SW:TOR is one of the few online systems I know of to employ multiple-factor ("something you know" + "something you have/are") and defense-in-depth (password + security questions) approaches. I was only remarking on the fact that, as Wired's "Kill the Password" article points out (interesting read, BTW), better security always has the tradeoff of inconvenience and/or privacy. It would be nice to let the users decide if they are willing to make that tradeoff (and how much) instead of enforcing policies that claim to serve the users, but under the hood mostly serve to guard BW/EA against damage from their own mess-ups.

With this I still maintain that for most users, single-factor (password-only) authentication should be good enough as long as both the user and BW/EA manage this information responsibly. The Wired article mentioned above fails to identify the flaws of passwords themselves (OK, one -- "good passwords are hard to remember," but even that is mostly a user error). Rather, it centers on the mishandling of passwords, the biggest of them being the presence (yes!) of "password reset" backdoors in most systems, and the associated social engineering exploits. By the Force, if anything should be killed, it's the password resets, not passwords. As my instructor used to say, "all known attacks against RSA are attacks against idiots using RSA." The same easily applies to password-based authentication. If I lose my password, I'm an idiot and get what I deserve. Instead of catering to the needs of idiots, who'll always find a way to mess up no matter what, online services would do well to educate users and cater to the needs of the competent.
Q: What happens when the value of Pi changes?
A: The universe reboots.
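The post above contrasts a genuine second factor ("something you have") with a second knowledge check (password + security questions). The block below is an added example, not code from this thread or from BW/EA, showing what a server-side check of the two-factor variety actually looks like: a salted PBKDF2 password verify plus an RFC 6238 TOTP code. TOTP over HMAC-SHA1 with 30-second steps is an assumption standing in for whatever the game's real security key does; the account record layout, iteration count and demo password are all made up here. The TOTP expected values in the comments come from the RFC 6238 reference vectors for the 20-byte secret `12345678901234567890`.

```python
"""Two-factor login check: password (something you know) + TOTP code
(something you have). Added example; the TOTP parameters, record layout
and work factor are assumptions, not the game's real mechanism."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the hardware
TOTP_STEP = 30               # seconds per RFC 6238 time step
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)   # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock skew).
    Every candidate is checked so a rejected code costs the same time."""
    counter = at_time // TOTP_STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def enroll(password: str, totp_secret: bytes) -> dict:
    """Constructed account record the server keeps: salt + PBKDF2 output
    (never the plaintext password) and the shared TOTP secret."""
    salt, key = hash_password(password)
    return {"salt": salt, "pw_hash": key, "totp_secret": totp_secret}


def authenticate(record: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass. Both are evaluated before deciding so the
    response does not reveal which one failed."""
    pw_ok = verify_password(password, record["salt"], record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo: RFC 6238 reference secret and a throwaway password.
    secret = b"12345678901234567890"
    acct = enroll("correct horse battery staple", secret)
    now = 1234567890
    print("code at", now, "=", totp(secret, now))                     # 005924
    print("good login:", authenticate(acct, "correct horse battery staple",
                                      totp(secret, now), now))        # True
    print("right password, stale code:",
          authenticate(acct, "correct horse battery staple",
                       totp(secret, now - 300), now))                 # False
    print("right code, wrong password:",
          authenticate(acct, "Password1", totp(secret, now), now))    # False
```

Note what a "security question" would add to this flow: another string compared against a stored answer, i.e. a second `verify_password` call, not a second factor. An attacker who has phished the password has usually phished (or looked up) the answer too, whereas the TOTP code changes every step and requires the enrolled device.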