Latest Comments by Beamboom
The Unity forums were hacked, but they say no passwords were taken
3 May 2017 at 8:09 am UTC

Quoting Kimyrielle: In the end, my fundamental problem with 2FA is that it doesn't really provide any significant additional security for people who use good passwords or service providers that aren't completely inept.
This is, with all due respect but to be totally honest here, not the right attitude. It reminds me a lot of all the companies out there who believe that they are safe from attacks because they have such a modern and secure firewall. Everyone must have mechanisms in place that handle an invasion of their network. Just like every user must be prepared for what can happen if their passwords are exposed.

Two layers of security are and will always be better than one. Just think about it: As a service provider you build intricate analysers that scan the traffic for suspect actions, set up tight rules on each layer, from firewall to router to load balancers to application servers, an entire stack of security to stay safe from the wilderness.

And then you leave the main entrance up to the individual users out there, with one tiny little string of characters as the only - ONLY - prevention from someone totally taking over the account on that server, with all the privileges that come with that user. Just one little string, consisting of usually 6-8 characters, often in a clear pattern. One single point of failure. It goes against everything you've ever learnt in computer security.

A temporary token system makes your account safe even if you get a friggin' KEYLOGGER installed on your computer. You are safe(r) from many man-in-the-middle attacks that leave your password exposed. Or when the service provider's database is breached and passwords are not properly protected (this happens ALL the time - it's reality. A scenario where everything is perfect is utopia - you can't use that as a prerequisite). You are safer from a whole stack of attack methods where you - the user - are totally without blame, methods where your personal practice means squat, zero, nil.

Can't you see? It is a layer of security that has other properties than a static password can provide. And that is a Good Thing.

Quoting Kimyrielle: Basically 2FA is an attempt to cure stupid.
Yes, that and laziness. Especially laziness.

Quoting Kimyrielle: And we all know that in the end you can't.
But we have to limit the consequences as best we can. We have to, and we do - everywhere.

We have rules for security equipment in dangerous workplaces. Why the hell don't bikers wear a helmet without rules telling them they have to or they will be fined? That's how we cure stupidity there. We cure stupidity absolutely everywhere.

And 2FA is a good cure. One of several cures. The others are done server side. But we have to also secure the client side of things - we can't handle absolutely every scenario server side.

Quoting Kimyrielle: For people who are NOT stupid, it doesn't do anything except making their life more complicated.
Hence, "laziness".

Quoting Kimyrielle: But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)
That is not the topic. The topic is security. Two layers of security are better than one - period.

We can discuss anonymity and the internet another time. Or market leverage or app design.
The topic now is whether 2FA provides a more secure regime than one single password. And it does. If you lose your phone or password file or the password to your password file or whatever else, that is a challenge that must be handled. A system must be designed that can take care of that in the best possible way with the least risk involved. Yes, it is a challenge, but as long as we deal with passwords at all, we just need to handle that.

Personally I am against passwords, period, since it's such a pain in the arse either way, and a stupid stupid thing from a security perspective.

I predict that in a decade's time we won't have to fool around with these bloody passwords anymore - by then other systems will have taken over verification.

My password file contains 150 passwords. Count 'em: One hundred and fifty unique passwords, and mostly unique usernames too. And many have much more than that. It's complete, plain madness of an archaic system that stems from a time when we all had one account on our LAN. It's one giant ulcer of a security challenge that can only be overcome by replacing it with something better.

But until then: Temporary passwords with one usage and then scrapped do mitigate a few of the gaping flaws of static passwords.
That's really all I am hoping to make you, and others, realise. So let's all join in on a hymn of complaint about the hassle, oh the hassle!, until something better comes along.

The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 9:58 pm UTC

Quoting Kimyrielle: I find it both funny and a little offensive that you're basically suggesting that I don't understand how 2FA works.
No - I don't think you knew how the tokens - the temporary passwords - work. If you thought that it was giving your keys to Google (or whoever) then yeah, it would be stupid. But it's not.

Quoting Kimyrielle: I know that you're not -technically- handing your keys to Google. You're still making yourself dependent on them and their service. Which is in the end just as bad.
Oh come on. It's an offline tool - one of many from which you can freely choose. The algorithm is open and freely available for anyone to implement. You're trying to create an argument that's not there, now.

Quoting Kimyrielle:
> And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.
Yes, that's my point. Most of these recovery procedures are really weak security. As weak as a bad/lost password. "Answer this silly question about you, that every halfway determined person can find out in 5 mins". Yeah, right!
Well, then criticise that. But this is the same regardless of whether there's one or two layers of password security!
And it then becomes a task for the service provider to handle. Look at how Facebook and Google handle it. Their systems are far more complex than a stupid "secret question" request.

But this is a different discussion.

Quoting Kimyrielle:
> An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open.
You do realize that brute force attacking a file encrypted using a proper cypher and a -good- password takes multiple lifetimes, yes?
You're cherry picking the quotes now. I stated that this password often is not secure, because it's a password the user has to remember and use often. I can promise you this, the majority of encrypted password files are not using a long, complex password. It's incredibly impractical when one needs to open it regularly.

Quoting Kimyrielle: Can't cure stupid. But if they can't be bothered using a good password for the most important file they possess, what makes you think they'd want to add a super-inconvenient second authentication layer on top of that? And that 2FA is super inconvenient is just an objective fact, sorry.
If it was up to average joe there would barely be any security at all, they'd disable most of it. 2FA must be enforced. Like the banks do today, for example.

The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 7:18 pm UTC

Quoting Kimyrielle: I find it also hilarious that people use Linux to escape MS's monopoly, but would be willing to hand Google the keys to each and every online service they use. Just sayin'.
No, you don't understand how this works.
The token you are given by the app is based on a private key that is stored locally on your phone. The application (which doesn't have to be Google's, but any that supports that same protocol) uses the timestamp as the second key, and calculates the token based on that. That's why a token only lasts for a minute - and this is why you need to re-tie the account to your phone when you get a new phone.

So the app doesn't (and shouldn't) require network access privileges, nothing whatsoever is sent across any network - it can forever work on an offline phone - it doesn't even need to have a SIM card. Just like those RSA "dongles" that some have from their bank to supply a temporary 2nd password. Exact same.

There are of course those who do offer a "cloud storage" of your private key, so that it'll always work across devices. But yeah - it's up to you if you trust that provider or not. I'd not do it, that's for too damn sure.

So why is the Google Authenticator so popular? Because it offers a nice interface to your various keys. It's user friendly. That's the simple reason to use that offline app.

But again - once you understand how this works you'll realise that this system is, in fact, very good.

Two password walls are better than one. And if that second password is valid for only one single minute before it's scrapped, it's even better.
And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

But this is the way forward. By far not all users practise good password policy, but this enforces proper password practice for all users just by its very nature. From the service provider's perspective it doesn't really matter anymore if the user uses one single password across the entire internet - it doesn't put your service at risk unless they *also* break into the user's phone. One more barrier to break, and let's face it, it's a tough one for online hackers.

An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open. Especially since most users use a simple password on that file - since they have to open it quite regularly.

So if a hacker gets their hands on that file, you may just as well consider the content exposed. One with know-how will be able to pry it open.

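The offline attack on an encrypted password file that this comment and the reply further up describe (no lockout, no rate limit, only CPU cost per guess) can be shown with a small constructed vault. This is an added example, not the poster's code or any real vault format: the vault layout (salt, PBKDF2 iteration count, HMAC tag over a fixed header), the wordlist and the master passwords are all invented for the demonstration.

```python
"""Offline guessing against a password-vault master key (constructed example).

Added example, not code from the post. The vault format is invented for the
demonstration: salt, PBKDF2 iteration count, and an HMAC tag over a fixed
header that lets anyone holding the file recognise the right key.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HEADER = b"vault-v1"  # constant the vault authenticates with the derived key


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """What the attacker gets hold of. A real vault also carries the ciphertext;
    the tag alone is enough to test guesses, so it is all that matters here."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "tag": hmac.new(key, HEADER, hashlib.sha256).digest()}


def crack(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """The attacker's loop. Nothing throttles it: no lockout, no rate limit,
    no server in the path. Only the KDF cost per guess slows it down."""
    tries = 0
    for guess in wordlist:
        tries += 1
        key = derive_key(guess, vault["salt"], vault["iterations"])
        if hmac.new(key, HEADER, hashlib.sha256).digest() == vault["tag"]:
            return guess, tries
    return None, tries


# Constructed wordlist standing in for a real one (millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "Tr0ub4dor&3"]
FIXED_SALT = bytes(16)  # fixed only so the example is reproducible

if __name__ == "__main__":
    import time
    weak = make_vault("hunter2", iterations=100_000, salt=FIXED_SALT)
    t0 = time.perf_counter()
    print(crack(weak, WORDLIST), f"{time.perf_counter() - t0:.2f}s for {len(WORDLIST)} guesses")
    # A long random master password is simply not in any list; the loop runs dry.
    strong = make_vault("correct-horse-battery-staple-9f3a", iterations=100_000, salt=FIXED_SALT)
    print(crack(strong, WORDLIST))
```

Raising the iteration count multiplies the attacker's cost per guess by the same factor it multiplies the user's unlock time, which is exactly the trade-off the thread is arguing about: a vault that opens instantly with a short memorable password is the one that falls to a wordlist, and no KDF setting rescues a password that is on the list.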
The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 11:10 am UTC

Quoting Kimyrielle:
I totally disagree with all you say, Kim. A good password is unique to each account. And a collection of unique passwords WILL have to be stored in a password file of some sort, and that file WILL, for most persons who do practise good password policy, be stored on the mobile phone too (typically via cloud). And then you're pretty much back to square one if you do lose your mobile and someone gets past the login of the phone.

To argue against 2FA and for good password policy is pretty much counter-productive. 2FA makes the requirement of good passwords less vital and a system much, much more robust. That's the way to go.

In my opinion, absolutely everything even remotely vital (ergo store important data) should be 2FA - preferably all using the same token technology, but today all but one service that I personally use are using the algorithm used in Google Authenticator (it's an open standard, can't recall the protocol right now).

Diluvion, the deep sea exploration game with RPG elements is getting a Linux beta
20 Apr 2017 at 6:48 pm UTC

Quoting F.Ultra: Looks like most negative reviews come from fiddly controls. Hopefully that is something that they can and/or will improve.
Fiddly controls, camera issues, bad interface, unpolished, multiple bugs... To quote Destructoid:
"I can't remember the last time I had to go to a game's forum to get a bug resolved just so I could advance. It's a lesson in wonderful concept and poor execution."

https://www.destructoid.com/review-diluvion-422788.phtml

Diluvion, the deep sea exploration game with RPG elements is getting a Linux beta
20 Apr 2017 at 12:23 pm UTC

Another quite mediocre release with bland reviews getting a Linux port to squeeze those last dineros out of the project. That's how I see it, unfortunately. :/

http://www.gamerankings.com/pc/194343-diluvion/articles.html

It looks pretty cool, though. I'll give it that.

Downward, an impressive first-person open-world Parkour adventure supports Linux
18 Apr 2017 at 7:55 pm UTC

wow - and so cheap too? Wonder if it's very short then?

Yooka-Laylee released with day-1 Linux support, some quick initial thoughts
11 Apr 2017 at 7:20 pm UTC Likes: 1

Quoting liamdawe: Edit: Found it, was on the publisher's Youtube not theirs, have changed the video now.
Now that's more like it. :)
It looks like great fun, reminds me a lot of Jak and Daxter, and that can only be a Good Thing.

I'm just curious, is the local coop feature for the main storyline, or just the stuff we saw in the multiplayer trailer?

EDIT: It seems there is a coop feature following the main character, albeit not really a full coop but rather that you control something (unclear what) that can help/assist the main player.
Still sounds like something I can play with my daughter - so this will be a purchase!