Dominion Strategy Forum

Author Topic: Dominion Online Open Beta coming up shortly!  (Read 97301 times)


AdamH

  • Margrave
  • *****
  • Offline Offline
  • Posts: 2833
  • Shuffle iT Username: Adam Horton
  • You make your own shuffle luck
  • Respect: +3879
    • View Profile
    • My Dominion Videos
Re: Dominion Online Open Beta coming up shortly!
« Reply #300 on: June 25, 2015, 09:55:20 am »
+1

Wait, is the criticism that they are storing plaintext passwords on your computer, or plaintext passwords on your server?  The latter is completely unacceptable.  The former, which by my cursory reading appears to be the case, was considered acceptable even by Google as of fairly recently: https://news.ycombinator.com/item?id=6166731  There's a not-unreasonable argument to be made that encrypting locally stored passwords is mostly security theater.

One guy from Google says they don't want to do it, and then a bunch of people disagree with him for reasons that seem perfectly reasonable to me. This isn't an official announcement or anything.

I talk to many people every day who work in the computer security field. I've never heard any of them say it's OK to store passwords in plain text.
Logged
Visit my blog for links to a whole bunch of Dominion content I've made.

TrojH

  • Moneylender
  • ****
  • Offline Offline
  • Posts: 169
  • Respect: +191
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #301 on: June 25, 2015, 10:26:24 am »
+2

Let me be clear, I'm not touching this application again until I can be reasonably sure that it's secure (and there are very few people that want your app to succeed more than me, seriously). Storing passwords in plain text is not secure. You can wave your hands at it as much as you want and say it's not a big deal, but now you just look silly waving your hands and saying wrong things. It's not hard to change this, why isn't it being changed? Ugh.

This is sounding very familiar.

I remember when Goko's implementation first came out, there were some security issues, and Wandering Winder said he wouldn't play on Goko until those issues were fixed. Someone then compared Wandering Winder to Cookie Monster; if Cookie Monster refused to eat a cookie, it could only be because that cookie isn't safe to eat.

AdamH, it looks like you're our new Dominion Monster.  :D
Logged

markusin

  • Cartographer
  • *****
  • Offline Offline
  • Posts: 3846
  • Shuffle iT Username: markusin
  • I also switched from Starcraft
  • Respect: +2437
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #302 on: June 25, 2015, 10:30:15 am »
+5

Wait, is the criticism that they are storing plaintext passwords on your computer, or plaintext passwords on your server?  The latter is completely unacceptable.  The former, which by my cursory reading appears to be the case, was considered acceptable even by Google as of fairly recently: https://news.ycombinator.com/item?id=6166731  There's a not-unreasonable argument to be made that encrypting locally stored passwords is mostly security theater.

One guy from Google says they don't want to do it, and then a bunch of people disagree with him for reasons that seem perfectly reasonable to me. This isn't an official announcement or anything.

I talk to many people every day who work in the computer security field. I've never heard any of them say it's OK to store passwords in plain text.
Except what MF has done is not the same as what Google does for Chrome. The Google Chrome passwords are still encrypted on your machine. It's just that they use your computer account password as the encryption key. Chrome doesn't ask you to input your user account password when you want to see your passwords in plain text, but you have to be logged in to the user account that saved the password for that to work. Your account password can be accessed by other utilities though, so malware running on that account can access those passwords too.
Reference: http://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-browser-passwords/

What MF has done is worse than that though. They literally save passwords in plain text (clarification: plain text in the log file) to the program files folder. Last I checked, that's a shared folder across all users of the machine it's saved on. That means anyone on the guest account of that computer can look at the file and see your password. Please correct me if I'm wrong.
« Last Edit: June 25, 2015, 11:06:49 am by markusin »
Logged

werothegreat

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 8172
  • Shuffle iT Username: werothegreat
  • Let me tell you a secret...
  • Respect: +9625
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #303 on: June 25, 2015, 10:46:49 am »
0

Logged
Contrary to popular belief, I do not run the wiki all on my own.  There are plenty of other people who are actively editing.  Go bother them!

Check out this fantasy epic adventure novel I wrote, the Broken Globe!  http://www.amazon.com/Broken-Globe-Tyr-Chronicles-Book-ebook/dp/B00LR1SZAS/

Cave-o-sapien

  • Jester
  • *****
  • Offline Offline
  • Posts: 887
  • Respect: +1675
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #304 on: June 25, 2015, 10:47:35 am »
+3

Wait, is the criticism that they are storing plaintext passwords on your computer, or plaintext passwords on your server?  The latter is completely unacceptable.  The former, which by my cursory reading appears to be the case, was considered acceptable even by Google as of fairly recently: https://news.ycombinator.com/item?id=6166731  There's a not-unreasonable argument to be made that encrypting locally stored passwords is mostly security theater.

One guy from Google says they don't want to do it, and then a bunch of people disagree with him for reasons that seem perfectly reasonable to me. This isn't an official announcement or anything.

I talk to many people every day who work in the computer security field. I've never heard any of them say it's OK to store passwords in plain text.
Except what MF has done is not the same as what Google does for Chrome. The Google Chrome passwords are still encrypted on your machine. It's just that they use your computer account password as the encryption key. Chrome doesn't ask you to input your user account password when you want to see your passwords in plain text, but you have to be logged in to the user account that saved the password for that to work. Your account password can be accessed by other utilities though, so malware running on that account can access those passwords too.
Reference: http://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-browser-passwords/

What MF has done is worse than that though. They literally save passwords in plain text to the program files folder. Last I checked, that's a shared folder across all users of the machine it's saved on. That means anyone on the guest account of that computer can look at the file and see your password. Please correct me if I'm wrong.

Let's be clear and precise about what they're doing:

1) I don't have any evidence that they're storing credentials for logon purposes in plain text anywhere on my machine.

2) What they ARE doing is writing username/password in plain text to a debug log in a shared location.

Both of the problems in (2) are easily addressed and don't seem like nearly the security design flaws some people are making them out to be. One is a lack of understanding of Windows file location best practices; the other is likely an artifact of a much earlier development step.
Logged

pubby

  • Minion
  • *****
  • Offline Offline
  • Posts: 548
  • Respect: +1046
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #305 on: June 25, 2015, 10:53:58 am »
0

Re: the password discussion:
I've seen contrary opinions on the password thing as I've followed this thread off and on. There's an outstanding ticket on this issue. The passwords are not being sent between server and client in plain text, and if someone's machine is compromised, it would seem that you're hosed regardless.

Granted, that's not my field, and my code skills don't go further than rudimentary html and css. Can someone summarize why the above is wrong, or how concerns persist despite the above so that I can add that to the ticket on this issue?
What we know: The client is logging communication with the server, including login password.
What we don't know: Is the server logging this too?

The client logging is mostly a non-issue, but if the server is logging passwords then that's 100% bad and wrong. Please make this part clear in the ticket.
Logged

Haddock

  • Minion
  • *****
  • Offline Offline
  • Posts: 725
  • Shuffle iT Username: Haddock
  • Doc Cod
  • Respect: +558
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #306 on: June 25, 2015, 10:56:11 am »
+2

One is a lack of understanding of Windows file location best practices; the other is likely an artifact of a much earlier development step.
Well sure, but both still need fixing.
Logged
The best reason to lynch Haddock is the meltdown we get to witness on the wagon runup. I mean, we should totally wagon him every day just for the lulz.

M Town Wins-Losses (6-2, 75%): 71, 72, 76, 81, 83, 87 - 79, 82.  M Scum Wins-Losses (2-1, 67%): 80, 101 - 70.
RMM Town Wins-Losses (3-1, 75%): 42, 47, 49 - 31.  RMM Scum Wins-Losses (3-3, 50%): 33, 37, 43 - 29, 32, 35.
Modded: M75, M84, RMM38.     Mislynched (M-RMM): None - 42.     Correctly lynched (M-RMM): 101 - 33, 33, 35.       MVPs: RMM37, M87

theory

  • Administrator
  • *****
  • Offline Offline
  • Posts: 3603
  • Respect: +6121
    • View Profile
    • Dominion Strategy
Re: Dominion Online Open Beta coming up shortly!
« Reply #307 on: June 25, 2015, 11:35:21 am »
+6

I agree that it can be done better.  Chrome has changed its practices too.  But the point remains that locally logging plaintext passwords, while dubious and probably unnecessary, is not a security catastrophe.  Mainly because it's a security risk if and only if someone has root access to your machine already, in which case you really are completely boned. 

It's like worrying whether an envelope of cash in your safe is sealed or not.  Probably you shouldn't be keeping an envelope of cash in your safe, and it's true that sealing it offers some modicum of protection if your safe door is open for some reason (so that a passerby doesn't see money spilling out of the envelope), but if someone hacked into your safe, whether or not your envelope is sealed doesn't make much of a difference.

As to the whole saving to the wrong folder because of the Program Files shared-ness, I don't know much about that, but that does sound shitty and also an easy fix.  Just put the envelope in a different safe.
Logged

AdamH

  • Margrave
  • *****
  • Offline Offline
  • Posts: 2833
  • Shuffle iT Username: Adam Horton
  • You make your own shuffle luck
  • Respect: +3879
    • View Profile
    • My Dominion Videos
Re: Dominion Online Open Beta coming up shortly!
« Reply #308 on: June 25, 2015, 11:48:54 am »
+4

I agree that it can be done better.  Chrome has changed its practices too.  But the point remains that locally logging plaintext passwords, while dubious and probably unnecessary, is not a security catastrophe.  Mainly because it's a security risk if and only if someone has root access to your machine already, in which case you really are completely boned. 

It's like worrying whether an envelope of cash in your safe is sealed or not.  Probably you shouldn't be keeping an envelope of cash in your safe, and it's true that sealing it offers some modicum of protection if your safe door is open for some reason (so that a passerby doesn't see money spilling out of the envelope), but if someone hacked into your safe, whether or not your envelope is sealed doesn't make much of a difference.

I disagree, I think it is a security catastrophe. Even if it's less than a catastrophe, it still doesn't inspire confidence. I'd be fired from my job if I stored a password in plain text.

And I don't think this analogy is appropriate. If you obfuscate the password, then it doesn't look like a password anymore, maybe if the envelope made your cash look like something that isn't valuable? It's tough to make these analogies, which is why I try not to do it. In computer security, theft deterrent is a thing (like having the crappiest bike on campus so nobody wants to steal it -- if someone wants to steal your bike they'll steal your bike by just cutting through the lock, so you just make your bike something that nobody wants to steal). People can get plain-text passwords pretty easily by lots of means. I don't want my passwords to be any easier to get than they have to be.

I mean, I just thought it was accepted practice among anyone who knows what they're doing to never store passwords in plain text. It's so easy to do and it helps so much.
Logged
Visit my blog for links to a whole bunch of Dominion content I've made.

markusin

  • Cartographer
  • *****
  • Offline Offline
  • Posts: 3846
  • Shuffle iT Username: markusin
  • I also switched from Starcraft
  • Respect: +2437
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #309 on: June 25, 2015, 11:53:10 am »
+4

As to the whole saving to the wrong folder because of the Program Files shared-ness, I don't know much about that, but that does sound shitty and also an easy fix.  Just put the envelope in a different safe.
Well yeah it's an easy fix, but it has to be done. If I understand things correctly, then a person doesn't necessarily need root access to your computer. Any access will do so long as they know where to look in the program files folder. A guest account should work for that. Moving the log to a user-specific folder so that only admin accounts can get to it is what needs to be done. I think the appData folder fits that requirement.

Still like, saving any password in plaintext at any point seems careless.
Logged

philosophyguy

  • Minion
  • *****
  • Offline Offline
  • Posts: 575
  • Respect: +299
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #310 on: June 25, 2015, 01:23:43 pm »
+11

I agree that it can be done better.  Chrome has changed its practices too.  But the point remains that locally logging plaintext passwords, while dubious and probably unnecessary, is not a security catastrophe.

At some point I'll stop beating on this horse, but I really think this is a fundamental issue. Security is hard. Lots of seemingly innocent decisions can create an attack surface that is surprisingly large. When it comes to passwords, the best practice is to always encrypt them. Now, if there's a compelling reason to deviate from the best practice, I'm willing to listen, but that's not what I'm seeing. What I'm seeing is a company that doesn't recognize that they aren't following the best practice and seems pretty lackadaisical about it.

If you're going to deviate from a best practice, that's the worst attitude you could have. I want an organization that is hyper aware of the fact that they are deviating, and what the consequences of that are, and that inspires confidence that they have done a competent risk-benefit analysis. Nothing about this situation meets those criteria.

In isolation, this issue might not be as severe as I'm treating it, although I think it is. What is undoubtedly severe, however, is that Making Fun is not demonstrating a professional level of concern for security. There's a lot of things that we need to take on trust when it comes to online service providers protecting our credentials, credit card info, etc. Making Fun is starting from a trust deficit, and their actions--both in terms of their coding and in terms of their response when this issue was raised--are not making that deficit any smaller.
Logged

Seprix

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 5607
  • Respect: +3676
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #311 on: June 25, 2015, 01:25:10 pm »
0

I agree that it can be done better.  Chrome has changed its practices too.  But the point remains that locally logging plaintext passwords, while dubious and probably unnecessary, is not a security catastrophe.

At some point I'll stop beating on this horse, but I really think this is a fundamental issue. Security is hard. Lots of seemingly innocent decisions can create an attack surface that is surprisingly large. When it comes to passwords, the best practice is to always encrypt them. Now, if there's a compelling reason to deviate from the best practice, I'm willing to listen, but that's not what I'm seeing. What I'm seeing is a company that doesn't recognize that they aren't following the best practice and seems pretty lackadaisical about it.

If you're going to deviate from a best practice, that's the worst attitude you could have. I want an organization that is hyper aware of the fact that they are deviating, and what the consequences of that are, and that inspires confidence that they have done a competent risk-benefit analysis. Nothing about this situation meets those criteria.

In isolation, this issue might not be as severe as I'm treating it, although I think it is. What is undoubtedly severe, however, is that Making Fun is not demonstrating a professional level of concern for security. There's a lot of things that we need to take on trust when it comes to online service providers protecting our credentials, credit card info, etc. Making Fun is starting from a trust deficit, and their actions--both in terms of their coding and in terms of their response when this issue was raised--are not making that deficit any smaller.

You really know your philosophy security, guy!
Logged
DM me for ideas on a new article, either here or on Discord (I check Discord way more often)

pubby

  • Minion
  • *****
  • Offline Offline
  • Posts: 548
  • Respect: +1046
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #312 on: June 25, 2015, 01:47:42 pm »
+2

Quote
Moving the log to a user specific folder so that only admin accounts can get to it is what needs to be done.
The sane (and only) fix is to stop including the password in the log. That's it. This whole discussion on "always encrypt passwords" and security-by-obscurity is completely irrelevant to the problem people are angry about.
Logged
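markusin's point about moving the log out of Program Files (Reply #309) and pubby's point that the only real fix is to stop writing the password to the log at all (Reply #312) can both be shown in code. The block below is an added example written for this page; it is not Making Fun's client code, and nothing is known about how that client actually logs. It assumes a JSON login message of the shape `{"cmd": "login", "user": ..., "password": ...}` plus a form-encoded variant (both constructed here), a list of sensitive field names (`SENSITIVE_KEYS`, an assumption), and the usual per-user directories (`%LOCALAPPDATA%` on Windows, `~/Library/Logs` on macOS, `$XDG_STATE_HOME` or `~/.local/state` elsewhere).

```python
"""Added example: fix the two client-log problems raised in this thread.

1. Keep the credential out of the log (structured scrub + a regex safety net).
2. Write the log to a per-user directory with owner-only permissions, not Program Files.
Nothing here is the Dominion Online client's code; message shapes are constructed.
"""
import json
import logging
import os
import re
import stat
import sys
import tempfile
from pathlib import Path
from typing import Optional

# Field names whose values must never be logged. Assumption for this example;
# the thread only establishes that the login password was being logged.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret")
REDACTED = "[REDACTED]"

# Matches  "password": "value"  |  password=value  |  pwd: value  and keeps the key.
_KV_RE = re.compile(
    r'(?i)("?(?:' + "|".join(SENSITIVE_KEYS) + r')"?\s*[:=]\s*)("?)([^"\s,}&]*)\2'
)


def scrub_payload(payload: dict) -> dict:
    """Primary fix: the client knows its own message shape, so blank the secret
    fields before the payload is ever turned into a log string."""
    return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in payload.items()}


def redact(text: str) -> str:
    """Safety net for free-form text: replace the value following any sensitive key."""
    return _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}{m.group(2)}", text)


class RedactingFilter(logging.Filter):
    """Rewrites each record before the handler writes it, so a stray
    'raw wire' debug line cannot leak a password either."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def per_user_log_dir(app_name: str) -> Path:
    """A directory private to the current account (the 'appData' fix from the
    thread) instead of the machine-wide Program Files folder."""
    if sys.platform == "win32":
        base = Path(os.environ.get("LOCALAPPDATA", str(Path.home() / "AppData" / "Local")))
    elif sys.platform == "darwin":
        base = Path.home() / "Library" / "Logs"
    else:
        base = Path(os.environ.get("XDG_STATE_HOME", str(Path.home() / ".local" / "state")))
    return base / app_name


def open_private_log(path: Path) -> logging.Logger:
    """Create the log file owner-readable only (the mode is enforced on POSIX; on
    Windows the per-user directory's ACL does the isolating) and attach the filter."""
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600))
    handler = logging.FileHandler(path, encoding="utf-8")
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.Logger("dominion-client-example")  # standalone, not the root logger
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger


def demo(root: Optional[str] = None) -> dict:
    """Log two constructed sample lines and report what actually reached disk."""
    root_dir = Path(root) if root else Path(tempfile.mkdtemp(prefix="client-log-"))
    log_path = root_dir / "client.log"
    logger = open_private_log(log_path)
    # Constructed login request; the real client's message format is not known.
    login = {"cmd": "login", "user": "adam", "password": "hunter2"}
    logger.info("send %s", json.dumps(scrub_payload(login)))        # structured scrub
    logger.info("raw wire: cmd=login&user=adam&password=hunter2")    # caught by the filter
    for h in logger.handlers:
        h.close()
    text = log_path.read_text(encoding="utf-8")
    return {
        "path": str(log_path),
        "text": text,
        "leaked": "hunter2" in text,
        "mode": stat.S_IMODE(log_path.stat().st_mode),
        "posix": os.name == "posix",
    }


if __name__ == "__main__":
    result = demo()
    print(result["text"], end="")
    print("password leaked:", result["leaked"], "| mode:", oct(result["mode"]))
    print("a real client would log under:", per_user_log_dir("DominionOnline"))
```

`demo()` writes two sample lines into a fresh temporary directory and returns what reached disk, so the behaviour can be checked without touching a real profile; a client would pass `per_user_log_dir(...)` instead. The structured scrub is the fix pubby describes, since the client knows which field is the password; the regex filter only exists to catch free-form debug lines, and `open_private_log` gives the file owner-only permissions, which addresses the shared-folder problem on its own even if a line slipped past the redaction.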

markusin

  • Cartographer
  • *****
  • Offline Offline
  • Posts: 3846
  • Shuffle iT Username: markusin
  • I also switched from Starcraft
  • Respect: +2437
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #313 on: June 25, 2015, 01:54:26 pm »
+3

As cave-o-sapien mentioned, this is likely a development artifact that was missed when the Beta was made public. It shouldn't be considered a big deal so long as it's promptly fixed and there are assurances that the client-server communication and server-side data conform to safety standards. We have no evidence to say the client-server communication and the server data aren't conforming to security standards.

What can be considered "promptly" is up for contention. I think some people here were expecting "promptly" to mean the release after it was discovered. I'm okay if they deal with it in the next release or so.
Quote
Moving the log to a user specific folder so that only admin accounts can get to it is what needs to be done.
The sane (and only) fix is to stop including the password in the log. That's it. This whole discussion on "always encrypt passwords" and security-by-obscurity is completely irrelevant to the problem people are angry about.
I thought we were assuming that MF wanted to see user-password info in the log for some reason.
Logged

blueblimp

  • Margrave
  • *****
  • Offline Offline
  • Posts: 2849
  • Respect: +1559
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #314 on: June 25, 2015, 05:32:43 pm »
+1

Wait, is the criticism that they are storing plaintext passwords on your computer, or plaintext passwords on your server?  The latter is completely unacceptable.  The former, which by my cursory reading appears to be the case, was considered acceptable even by Google as of fairly recently: https://news.ycombinator.com/item?id=6166731  There's a not-unreasonable argument to be made that encrypting locally stored passwords is mostly security theater.
Interesting discussion. It seems like there are a couple of differences between the situation here vs Chrome's old behavior. (These days, at least on Mac OS X, it seems that Chrome requires the account password to display any stored password.)

One is that the password is being written to a log in a folder viewable by all users, or at least all users that can run the Dominion Online program. (I'm not familiar with what permissions Windows uses for Program Files.) For an example of why this is a problem, consider if two different users both used Dominion Online. Then they would be able to look at each other's passwords by opening this log.

Second, even if the password were written to user-specific storage, that storage isn't necessarily encrypted, so someone with access to the storage device (the hard drive or SSD) would be able to read the password off of it without needing the account password. It's true that sometimes all data on disk is encrypted, like with FileVault on a Mac, but this isn't always the case.

So, it's better to keep the password in storage that is both user-specific and guaranteed to be encrypted. On a Mac, this is Keychain. I don't know what the Windows equivalent is. Although in this case, since the file in question is a log, the better solution is to simply not log the password at all.

What Chrome used to be doing is that it would keep the passwords in Keychain, but it would also allow viewing those passwords without asking for the account password. You would still need to be logged into your account to view the passwords, so they would still be secure against access from other users and whoever can read your storage device directly, unlike the Dominion Online log.
Logged

yed

  • Minion
  • *****
  • Offline Offline
  • Posts: 620
  • Shuffle iT Username: yed
  • Respect: +571
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #315 on: June 25, 2015, 05:35:09 pm »
+1

I think it is ok to store a plaintext password in your home directory, but only when you select the "remember password" option.
Encrypting the password with some key you have in code is just for show and not worth the effort. A better way is to use some system private storage, but not all systems have that, so it is not worth the complications in a multi-platform application; a Dominion account is not that important.

But it is not ok to save the log with password, especially when you are not using "remember password" option.
« Last Edit: June 25, 2015, 05:36:40 pm by yed »
Logged

yed

  • Minion
  • *****
  • Offline Offline
  • Posts: 620
  • Shuffle iT Username: yed
  • Respect: +571
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #316 on: June 25, 2015, 05:38:10 pm »
+4

Quote
Moving the log to a user specific folder so that only admin accounts can get to it is what needs to be done.
The sane (and only) fix is to stop including the password in the log. That's it. This whole discussion on "always encrypt passwords" and security-by-obscurity is completely irrelevant to the problem people are angry about.
Could you please start using clickable quotes?
Logged

DavidTheDavid

  • Dominion Online Staff
  • *****
  • Offline Offline
  • Posts: 64
  • Respect: +210
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #317 on: June 26, 2015, 08:11:35 am »
+9

Re: the password discussion:
I've seen contrary opinions on the password thing as I've followed this thread off and on. There's an outstanding ticket on this issue. The passwords are not being sent between server and client in plain text, and if someone's machine is compromised, it would seem that you're hosed regardless.

Granted, that's not my field, and my code skills don't go further than rudimentary html and css. Can someone summarize why the above is wrong, or how concerns persist despite the above so that I can add that to the ticket on this issue?

Did I misrepresent myself? While I am a representative for the game's publisher, I work in player support and do some QA as needed. I can float a div container to the right, but that's about it. Please don't misinterpret or mischaracterize my statements as some sort of policy on security practices. In fact, as noted in my opening sentence, I was referencing contrary opinions stated in this thread. Now if you want to take the code itself and make assumptions from there, that can be understood.

While I can't speak to security, I can act as a liaison and share your thoughts with the developers. That was my intent: a bit of outreach as I knew it was a concern to some people here. Not sure about the consequent finger wagging and excoriations. Maybe I'm the most visible target, not sure, but I was hoping to take something constructive back.
Logged

philosophyguy

  • Minion
  • *****
  • Offline Offline
  • Posts: 575
  • Respect: +299
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #318 on: June 26, 2015, 09:54:10 am »
+3

While I can't speak to security, I can act as a liaison and share your thoughts with the developers. That was my intent: a bit of outreach as I knew it was a concern to some people here. Not sure about the consequent finger wagging and excoriations. Maybe I'm the most visible target, not sure, but I was hoping to take something constructive back.

If you want to take something back, here are a few questions for the developers. I think it's important for Making Fun to have satisfactory answers to these; what you share from those answers is up to you, but since you have a serious trust gap at the moment I would encourage you to be more forthright rather than less.

1. Why are plaintext passwords being written to a log file?

If the passwords were written as a debugging measure that was not supposed to remain in a public release,
2. Why was the decision made to use a method that contravenes best practices, even initially?
3. What failed in our process that this decision was NOT corrected before the public release?
4. Are there any other issues where we made a temporary decision that contravened best practices, and if so have we fixed those issues?
5. How do we know that our answer to #4 is correct? What process verifies that we didn't miss anything?

If it was not a temporary and then overlooked decision,
6. Who made that decision?
7. Is that person aware of security best practices regarding hashing passwords, etc.?
8. Why did that person decide to not follow the best practice in this case?
9. Did that person perform a risk-benefit assessment for the deviation from best practices? What were the conclusions? Was anyone else with security expertise consulted (internally or externally) to check those conclusions?
10. Are there any other issues in which best practices were not known, ignored, or intentionally deviated from? What are they? How confident are you that there are no unknown deviations?
Logged

RobertJ

  • Alchemist
  • ***
  • Offline Offline
  • Posts: 39
  • Respect: +57
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #319 on: June 26, 2015, 11:30:18 am »
+3

Re: the password discussion:
I've seen contrary opinions on the password thing as I've followed this thread off and on. There's an outstanding ticket on this issue. The passwords are not being sent between server and client in plain text, and if someone's machine is compromised, it would seem that you're hosed regardless.

Granted, that's not my field, and my code skills don't go further than rudimentary html and css. Can someone summarize why the above is wrong, or how concerns persist despite the above so that I can add that to the ticket on this issue?

Possibly this is because I have no technical expertise in this but the thing that troubles me most is that you seem to be asking for advice on security issues from a bunch of random people on an internet forum* (bolded quote above particularly). I can see that seeking feedback from the community is important for many aspects (how automatch works, the sparkliness of the animations, etc.) but security is surely something that should be approached in a more professional way.

I can't judge how serious any of this is but the impression I'm getting is that the developers are acting rather casually which doesn't inspire confidence.

* I don't mean to offend any posters here, I'm sure there are some very knowledgeable people contributing, but it still feels wrong that this discussion is happening here.
Logged

qmech

  • Torturer
  • *****
  • Offline Offline
  • Posts: 1918
  • Shuffle iT Username: qmech
  • What year is it?
  • Respect: +2320
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #320 on: June 26, 2015, 01:01:29 pm »
+10

Re: the password discussion:
I've seen contrary opinions on the password thing as I've followed this thread off and on. There's an outstanding ticket on this issue. The passwords are not being sent between server and client in plain text, and if someone's machine is compromised, it would seem that you're hosed regardless.

Granted, that's not my field, and my code skills don't go further than rudimentary html and css. Can someone summarize why the above is wrong, or how concerns persist despite the above so that I can add that to the ticket on this issue?

Possibly this is because I have no technical expertise in this but the thing that troubles me most is that you seem to be asking for advice on security issues from a bunch of random people on an internet forum* (bolded quote above particularly). I can see that seeking feedback from the community is important for many aspects (how automatch works, the sparkliness of the animations, etc.) but security is surely something that should be approached in a more professional way.

This doesn't seem to be an entirely fair reading of the situation.  David is not a developer, he's someone involved precisely to act as a bridge between us and the developers.  In the best case, he can be an advocate for what we want to see.  I'm sure that he's not been specifically asked to seek our opinions on security, but it's important to a lot of people and it's entirely sensible for him to try and find out what our concerns are so that he can present them as clearly as possible to those in charge.

It's awkward for David that he's in this situation, but it doesn't seem to be his fault.  The developers are messing him around just as much as they are us.
Logged

RobertJ

  • Alchemist
  • ***
  • Offline Offline
  • Posts: 39
  • Respect: +57
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #321 on: June 26, 2015, 03:11:50 pm »
0

Re: the password discussion:
I've seen contrary opinions on the password thing as I've followed this thread off and on. There's an outstanding ticket on this issue. The passwords are not being sent between server and client in plain text, and if someone's machine is compromised, it would seem that you're hosed regardless.

Granted, that's not my field, and my code skills don't go further than rudimentary html and css. Can someone summarize why the above is wrong, or how concerns persist despite the above so that I can add that to the ticket on this issue?

Possibly this is because I have no technical expertise in this but the thing that troubles me most is that you seem to be asking for advice on security issues from a bunch of random people on an internet forum* (bolded quote above particularly). I can see that seeking feedback from the community is important for many aspects (how automatch works, the sparkliness of the animations, etc.) but security is surely something that should be approached in a more professional way.

This doesn't seem to be an entirely fair reading of the situation.  David is not a developer, he's someone involved precisely to act as a bridge between us and the developers.  In the best case, he can be an advocate for what we want to see.  I'm sure that he's not been specifically asked to seek our opinions on security, but it's important to a lot of people and it's entirely sensible for him to try and find out what our concerns are so that he can present them as clearly as possible to those in charge.

It's awkward for David that he's in this situation, but it doesn't seem to be his fault.  The developers are messing him around just as much as they are us.

Quite possibly I am misreading things but for clarity here is a fuller description of why I'm uncomfortable.

As I understood David's post there was a ticket saying something along the lines of "There are concerns over the unencrypted storage of passwords." To my mind this should be a perfectly legitimate and useful message for the developers to be getting.

What concerned me was the invitation:

Quote
Can someone summarize why the above is wrong, or how concerns persist despite the above so that I can add that to the ticket on this issue?

I took this as an attempt to move to a ticket saying:

"There are concerns over the unencrypted storage of passwords and here are some suggestions for how to deal with them......"

or

"There are concerns over the unencrypted storage of passwords but most people are happy that this is only a minor problem."

or

"There are concerns over the unencrypted storage of passwords and this is a really bad problem that people are very worried about."

But why are these better messages for the developers to be hearing than just that there is a concern? Surely, if we believe the developers to be competent, the judgement on what to do about the concern should be given to them, not us. Ultimately, given that security is difficult and specialised, I'm not sure how reassured I'm going to be to hear that all concerns that forum people raised have been dealt with. Maybe:

"There are concerns over the unencrypted storage of passwords and some statement of how accepted security protocols will be followed or an external certification that the security is sound would be useful."

would be a good message to send.

By contrast, with a comment on how the automatch options work or something I would for sure want to have the view of as many people as possible clearly presented, but security matters seem completely different.
Logged
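Added example (not the Dominion Online client's or its developers' code) contrasting the two storage forms the thread is arguing about: what a copied record gives up when the password is written as-is versus when only a salted, iterated one-way derivation is kept. The KDF choice, cost parameters, sample user and password are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumed cost parameters (not from the thread): PBKDF2-HMAC-SHA256 with a
# random per-user salt. Argon2 or scrypt are the usual production choices;
# PBKDF2 is used here because it ships in the standard library.
KDF_ITERATIONS = 600_000
SALT_BYTES = 16

def plaintext_store(user: str, password: str) -> dict:
    """The weak form under discussion: the secret itself is written out."""
    return {"user": user, "password": password}

def hashed_store(user: str, password: str, salt: Optional[bytes] = None) -> dict:
    """The corrected form: only a salted one-way derivation is written out.
    The record lets the service check a password but does not let whoever
    copies the record recover it or reuse it on another site."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return {
        "user": user,
        "kdf": "pbkdf2-sha256",
        "iterations": KDF_ITERATIONS,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }

def verify(record: dict, password: str) -> bool:
    """Recompute the derivation and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, expected)

def store_reveals_password(record: dict, password: str) -> bool:
    """Would someone who copied this record (disk, backup, memory dump) see the password?"""
    return password in json.dumps(record)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    weak, strong = plaintext_store("alice", pw), hashed_store("alice", pw)
    print("plaintext record exposes password:", store_reveals_password(weak, pw))
    print("hashed record exposes password:", store_reveals_password(strong, pw))
    print("right password verifies:", verify(strong, pw), "wrong verifies:", verify(strong, "nope"))
```

The point for the thread's "hosed regardless" argument is the blast radius: a copied hashed record still has to be brute-forced per user, and never hands over a password that works elsewhere.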

Kirian

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 7096
  • Shuffle iT Username: Kirian
  • An Unbalanced Equation
  • Respect: +9411
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #322 on: June 26, 2015, 04:29:09 pm »
+5

It's awkward for David that he's in this situation, but it doesn't seem to be his fault.  The developers are messing him around just as much as they are us.

I don't think I'd expressed this sentiment yet, but it's quite obvious.  Sorry your company is tossing you to the wolves, David.
Logged
Kirian's Law of f.DS jokes:  Any sufficiently unexplained joke is indistinguishable from serious conversation.

DavidTheDavid

  • Dominion Online Staff
  • *****
  • Offline Offline
  • Posts: 64
  • Respect: +210
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #323 on: June 26, 2015, 06:38:10 pm »
+3

It's awkward for David that he's in this situation, but it doesn't seem to be his fault.  The developers are messing him around just as much as they are us.

I don't think I'd expressed this sentiment yet, but it's quite obvious.  Sorry your company is tossing you to the wolves, David.

Well, thanks, but nobody sent me here. I knew the concern was expressed here, and I wanted to gather those concerns to relay back. I guess I'm a glutton for punishment.  ;D
Logged

popsofctown

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 5477
  • Respect: +2860
    • View Profile
Re: Dominion Online Open Beta coming up shortly!
« Reply #324 on: June 27, 2015, 12:36:19 pm »
0

I made an account and didn't get an activation email. Should I just try to make a new account?

Is there a super secret preference for existing accounts that means I oughtta link an email to my existing facebook based account?
« Last Edit: June 27, 2015, 12:37:36 pm by popsofctown »
Logged