Jackalope

Privacy Commissioner response

I was told that just having us have to use a game account as a forum account key, and having part of the key available on the forum, was bad security practice to begin with, and showed a lack of understanding, or lack of concern, maybe even both.

I've been telling Turbine this for YEARS.

It is absolutely ridiculous at a child level, for any major company to be using the SAME login ID/Password for the game account AND the forum.

Browsers often store passwords, and if you check 'keep me logged in', then that password is stored. And thereby, browser hacks can compromise not only your FORUM account, which would be bad enough, but your GAME account, which is absolutely not cool.

Even the concept that your GAME account can be hacked, by your posting on a FORUM, is sheer idiocy at the very least.

And yet there it is. And it won't be changing anytime soon, if ever.

And with every breach, we are told to change our passwords.

Why? The morons obviously couldn't keep them secure the first time, and they refuse to spend $ on real data security, so what's to prevent this from happening a second/third/fourth time?

Answer: Nothing.

Turbine posts record profits since going F2P, and this is what we get.

I think that should spell it out pretty clearly where their priorities lie.

He's also said that there are some new technologies coming through the pipeline to make such theft impossible, using biometric data like a retina scan or palm reader (think Demolition Man without the invasive surgery), where each point of interaction uses the scan to create a unique number for that transaction point alone (Mastercard, Bank card, etc..) So hacking into ONE of those will not screw you over everywhere, cause they still need YOU to be there. In fact, even if they knew the number of your credit card account, they'd still need your hand to access it. Not using fingerprints either, but vein location and such. Pretty sci-fi really. That would mean that anytime you want to use your data to make a purchase, you'd need to scan somewhere, so homes at some point would have to have these scanners to be used online (maybe even an app to adapt a standard flattop scanner), and at points of sale everywhere. Goodbye fraud. Unless they start chopping hands off. (I said that too, he said he thinks blood would need to be flowing to get a read.) Link here for parties interested in reading a bit about biometric palm readers. 2 year old data, so not much longer to implement I think.

off topic

The problem with this kind of technology in the home is that the information is still transmitted in binary, so it can be faked once you have a copy of the data. It works well in practice and in the high street where someone can see you but as long as it is transferred into binary it can be faked.

on topic

Very nice response. Sadly it appears Turbine just don't care at all.

off topic

The problem with this kind of technology in the home is that the information is still transmitted in binary, so it can be faked once you have a copy of the data. It works well in practice and in the high street where someone can see you but as long as it is transferred into binary it can be faked.

on topic

Very nice response. Sadly it appears Turbine just don't care at all.

You missed 1 important point. Biometric data that has been compromised cannot be revoked and/or reissued. If it's compromised not much can be done short of denying access to the victim. http://boingboing.net/2008/04/01/hackers-publish-thou.html

I don't think it would work that way. I'm sure they thought of compromised PC's and sniffers.

You can never rule out phishing and other social engineering attacks though. No security scheme can protect against an inept user, so compromised accounts are always a possibility.

You can never rule out phishing and other social engineering attacks though. No security scheme can protect against an inept user, so compromised accounts are always a possibility.

They could always resort to a dna scan similar to that movie with Uma Thurman and Ethan Hawke, Gattaca. Fresh samples only please, oh and pee in this cup, and a hair sample too would you? lol

off topic

The problem with this kind of technology in the home is that the information is still transmitted in binary, so it can be faked once you have a copy of the data. It works well in practice and in the high street where someone can see you but as long as it is transferred into binary it can be faked.

on topic

Very nice response. Sadly it appears Turbine just don't care at all.

Well presumably you have a computing device taking your metric in your home. And of course it uses challenge-response encryption for transmitting.

So you would have to break the encryption the same way as other encryption, or you would have to go into a person's computer room physically. That's a whole lot better than what we have.
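The challenge-response idea in this reply, worked through as an added example that is not part of the thread: the bank sends a fresh random challenge, the home reader answers with a keyed hash over that challenge plus the merchant, and a copied transmission is rejected on reuse. The device secret, merchant names and vein pattern are constructed placeholder values.

```python
import hashlib
import hmac
import os

# Added example (not from the thread): a home palm reader holds a per-device secret
# set up at enrolment. The bank never receives the scan itself; it sends a fresh
# random challenge and the reader answers with an HMAC over challenge + merchant,
# so a copy of one transmission is useless for the next one.

DEVICE_SECRET = b"constructed-enrolment-secret"  # constructed sample value


class BankServer:
    def __init__(self, device_secret):
        self.secret = device_secret
        self.open_challenges = set()

    def challenge(self):
        nonce = os.urandom(16)                # fresh per transaction
        self.open_challenges.add(nonce)
        return nonce

    def verify(self, nonce, merchant, response):
        if nonce not in self.open_challenges:
            return False                      # unknown or already-used challenge
        self.open_challenges.discard(nonce)   # single use: a second try fails
        expected = hmac.new(self.secret, nonce + merchant.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class PalmReader:
    def __init__(self, device_secret, enrolled_template):
        self.secret = device_secret
        self.template = enrolled_template     # stays on the device, never transmitted

    def respond(self, nonce, merchant, live_scan):
        if live_scan != self.template:        # local match only; no scan leaves the home
            return None
        return hmac.new(self.secret, nonce + merchant.encode(), hashlib.sha256).digest()


def run_demo():
    server = BankServer(DEVICE_SECRET)
    reader = PalmReader(DEVICE_SECRET, b"constructed-vein-pattern")
    # Genuine purchase; (nonce, resp) is what an eavesdropper could copy off the wire.
    nonce = server.challenge()
    resp = reader.respond(nonce, "grocer", b"constructed-vein-pattern")
    genuine = server.verify(nonce, "grocer", resp)
    # The copied pair is presented again, and against a different merchant's challenge.
    replay_same = server.verify(nonce, "grocer", resp)
    replay_other = server.verify(server.challenge(), "jeweller", resp)
    return genuine, replay_same, replay_other
```

The raw template is still a secret that cannot be reissued if the device itself is copied, which is the revocation point raised earlier in the thread.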

I just don't understand how, since we know they troll the boards here, and must have read the post I made by now, they can continue to just shovel this away. When someone in the field calls you out and claims you're a boob for sticking to your line on security (and I have to suspect they looked quite closely at all the information I passed on that they could get their hands on, and perhaps made attempts to contact others themselves, and determined this white hat was no fake, and the data he could access was the real deal), if you had any sense of pride you'd change your behavior and your tune.

I'd almost be ready to bury the hatchet if they could do that. And it might have happened if they hadn't been bought out. But I doubt very much WB would let them spend the time they need (along with the money) to fix things. WB has other plans for that cash I'm sure, and servicing us (heh) isn't on the plate.

[On a slightly unrelated note, how do we KNOW that the person posting as Sap now is really Sap, maybe he's just another Dread Pirate Roberts?]

[On a slightly unrelated note, how do we KNOW that the person posting as Sap now is really Sap, maybe he's just another Dread Pirate Roberts?]

That made me laugh! It's a good point though... and an excellent film :)

[On a slightly unrelated note, how do we KNOW that the person posting as Sap now is really Sap, maybe he's just another Dread Pirate Roberts?]

Surely there are not two people on this planet as goddamn stupid & arrogant as that??!! :?:?:?;)

I was also told that attacks by SQL are so old hat that the fact it was even possible suggests they run a pretty lousy company. His own IT guys found it pretty dumb for them to have a database open to that attack. He couldn't speak to whether or not they may have made an intentional hole in the wall, but I did posit that if it is so old hat, they had to have known about it, so it may be someone adjusted their security to make things work from the inside. Who knows, probably never know.

Although he's in fact right that SQL injection vulnerability is an ancient security issue by now, if you'd follow security news and for example Anonymous and Lulzsec's actions over the past 2 years, you'll find that A LOT of government (or affiliated) websites, white hat security companies that work for the feds etc. are still vulnerable to this issue. Sony hack too. A lot of it wasn't just DDoS but also included at least some form of SQL injection.

Turbine left more doors open than most of those, but still if every company that has at least some of their db's vulnerable to SQLi is a pretty lousy company then a lot of security companies working for governments are just as lousy as Turbine ;)
