Curse

Miscreant_Moon · Jan 24, 2010, 03:08 PM // 15:08

Lots of references to NCSoft and ArenaNet in this. I think it's spot on but I'm sure there are some who will disagree.

Whole interview is here: http://www.massively.com/2010/01/18/...ount-security/

This question I thought was good, since I too found Anet's response inadequate:

Quote:

During the recent wave of security problems, many players complained that ArenaNet was not doing enough to communicate to the players on a solution. ArenaNet pointed out that if they tell the players what they are doing, they are also telling the hackers what they are doing. Where do you think the balance lies between keeping the player base informed and not tipping your hand to those you are working against?

ArenaNet faces a unique challenge because people don't "buy stuff" from the company very often - just the base game or expansion every year or so... and even then, it is often done through a retailer, so ArenaNet doesn't have a direct financial relationship with its players. Subscriptions and payments allow online game companies to tap into a number of external security mechanisms (such as validating credit card numbers).

That being said, the argument that sharing information with players is bad because the hackers will get the data is totally spurious. When the US was mining harbors in Nicaragua in the 1980s, it was "classified"...but you can bet the Sandinistas knew what was going on. Hackers are acutely aware of what security mechanisms are being used against them.

As I noted above, it is important to tell your customers that you are doing something. Customers are fickle and can leave... there are a lot of games out there and players are going to play where they feel safe and that they are valued by the game company. Players are pretty sophisticated and do not like being treated like children.

... there is no reason to tell them EVERYTHING that you are doing, however.

And this line I wholeheartedly agree with:

Quote:

There is no way to tell if NCsoft is handling the problem well technically, but the company is not doing a very good job of public relations.

Arduin · Jan 24, 2010, 03:44 PM // 15:44

Anet responded perfectly fine, even implementing the additional security of the Character Name at login.

NCSoft dropped the ball, not Anet.

Ravious · Jan 24, 2010, 06:15 PM // 18:15

As much as I love Lum, having him write the "company line" that clearly reeked of the management's touch was a bad move.

Martin Alvito · Jan 24, 2010, 06:31 PM // 18:31

Very nice find. This does an excellent job of providing a reasoned appraisal of the situation.

Shayne Hawke · Jan 24, 2010, 07:22 PM // 19:22

Just curious, what would it take to separate ANet from NCsoft?

Martin Alvito · Jan 24, 2010, 07:32 PM // 19:32

A lot of money that ANet doesn't have.

thedarkmarine · Jan 24, 2010, 07:48 PM // 19:48

Quote:

Originally Posted by Shayne Hawke

Just curious, what would it take to separate ANet from NCsoft?

Make GW subscription based.

tasha · Jan 24, 2010, 07:54 PM // 19:54

Quote:

Originally Posted by thedarkmarine

Make GW subscription based.

I know I'd be in the minority, it totally goes against the business model etc, but I would support this if it led to ArenaNet leaving NCSoft.

Back OT, the full interview is somewhat informative. Its also comforting to know that what has been going on with NCSoft of late has been noticed by the wider gaming community.

Enko · Jan 24, 2010, 07:55 PM // 19:55

Quote:

Originally Posted by Shayne Hawke

Just curious, what would it take to separate ANet from NCsoft?

anet would have to create a lot of the business infrastructure that is currently being handled by ncsoft. if they did something like that, it would probably kill the company financially.

Nerel · Jan 24, 2010, 08:04 PM // 20:04

Meh, SecurePlay has a vested interest in seeming to 'know better' and to be critical of any companies security responses that don't involve licensing their (SecurePlay's) software solutions, what's more, F.U.D. is always good business sense for people offering the solution for a price, it's free advertising.

The listed responses they suggest for dealing with security issues was as follows...

1. Aware – Tell your customers that you are aware of the problem and are taking it seriously. Let them know that they (the customers) and their issues are important and that the integrity of the game is critical to the company.
2. Triage – Figure out what immediate action you can take to stop the problem from getting worse or spreading.
3. Investigate – Figure out what is really going on.
4. Patch – Identify short term solution or work around to get things "almost" normal.
5. Repair – Fix the problem and reconstitute the game.
6. Reflect – Look to see if there are related vulnerabilities in the game design, business operations, or other areas that can be exploited and fix them before they fix you.

Well, NCSoft seems to be following a similar protocol, they've been bleating about account security FOREVER, and in recent times in bright red letters... they've communicated that the accounts have been compromised, though not the exact nature of how these accounts are being compromised, they've stepped up with some quick fixes and are no doubt still looking for long term solutions to other future threats.

So, by SecurePlay's own account of things, NCSoft seems to be doing okay, other than being more forthright about the vectors being used in the attacks, and admitting any security vulnerabilities on their end.

Seeing as how SecurePlay is in the software security industry, it seems surprising that they condone releasing information about any potential security vulnerabilities and the steps being taken to defeat the 'hackers' before a solid fix is in place. Major software companies do this ALL THE TIME, they find out about an exploit and DON'T release that information until they HAVE A FIX. Saying "Hey we have X vulnerability and we're going to try doing doing Y and Z to overcome it" is just ADVERTISING your weakness to those who would exploit it.

TL: DR version. SecurePlay wants to sell their software. Cynical, but true.

Karate Jesus · Jan 24, 2010, 08:33 PM // 20:33

Quote:

Originally Posted by Arduin

NCSoft dropped the ball, not Anet.

^ and although it's probably true that SecurePlay is probably just trying to boost their own sales using this interview, the very fact that the interview came around to this topic means that people outside of GW are aware of the poor PR.

Sadly, in the gaming world, all publicity is not good publicity. It's a bad time to be known for poor security or poor PR, especially considering all the games that are supposed to come out when GW2 does :/

jonnieboi05 · Jan 24, 2010, 09:28 PM // 21:28

Quote:

Originally Posted by Karate Jesus

^ and although it's probably true that SecurePlay is probably just trying to boost their own sales using this interview, the very fact that the interview came around to this topic means that people outside of GW are aware of the poor PR.

Sadly, in the gaming world, all publicity is not good publicity. It's a bad time to be known for poor security or poor PR, especially considering all the games that are supposed to come out when GW2 does :/

This right here. And I agree very much with the bolded section.

kedde · Jan 24, 2010, 10:49 PM // 22:49

So, relating to this read, how is it appropriate to block accounts midmatch with no notice after being hacked?

Some things are just handled really badly, specifically communications from anets side.

Smarty · Jan 24, 2010, 11:03 PM // 23:03

Quote:

Originally Posted by Shayne Hawke

Just curious, what would it take to separate ANet from NCsoft?

Quote:

Originally Posted by thedarkmarine

Make GW subscription based.

Quote:

Originally Posted by tasha

I know I'd be in the minority, it totally goes against the business model etc, but I would support this if it led to ArenaNet leaving NCSoft.

Ditto. I don't think it's ever going to happen though.

Quote:

Originally Posted by Nerel

Well, NCSoft seems to be following a similar protocol, they've been bleating about account security FOREVER, and in recent times in bright red letters... they've communicated that the accounts have been compromised, though not the exact nature of how these accounts are being compromised, they've stepped up with some quick fixes and are no doubt still looking for long term solutions to other future threats.

So, by SecurePlay's own account of things, NCSoft seems to be doing okay, other than being more forthright about the vectors being used in the attacks, and admitting any security vulnerabilities on their end.

I guess you weren't a regular visitor to the AionSource forums. NCsoft have been attempting to brush things under the carpet where Aion security is concerned since October. It's been really, really bad communication on their part. The abusive and dismissive letter from the GSU is typical of the way their CMs have addressed the Aion community. Oh, and they still have no GMs on the Euro servers despite it being a subscription game. GG NCsoft.

I don't disagree about SecurePlay coming from a "we have a product to sell" angle, though.

Zehnchu · Jan 25, 2010, 12:01 AM // 00:01

Damage control that's it is nothing more.

and p2p isn't the fix.

Lord Dagon · Jan 25, 2010, 01:22 AM // 01:22

eh NCSoft can do what they want w/ their company, no one has to buy anything from it. Bad secruity=future games are gonan suck more due to lack of revenue. This is a simple fact and,for NCSoft and unfortunatly anet whoes caught up in this, i doubt it will change at any time soon. (not unless like the ceo of the company's account gets hacked and they cant figure out how to restore it ;p)

worstnameevar · Jan 25, 2010, 01:54 AM // 01:54

While sounding informative and informational, this interview provides little of import. SSDD

pumpkin pie · Jan 25, 2010, 02:36 AM // 02:36

Quote:

ArenaNet faces a unique challenge because people don't "buy stuff" from the company very often - just the base game or expansion every year or so... and even then, it is often done through a retailer, so ArenaNet doesn't have a direct financial relationship with its players. Subscriptions and payments allow online game companies to tap into a number of external security mechanisms (such as validating credit card numbers).

Question: What the hell do you mean people don't "buy stuff" from the company very often? "No Subscription Fees" is one of the key selling point of Guild Wars, how can you use that as a reason for not being able to tap into external security mechanisms?

Question: It is lucky (according to you) NOT many people buy stuff from you, otherwise, the stolen customers' identity would have been an even bigger problem then merely virtual stuff being stolen.

Question: How is it that you did not tap into external security mechanisms when you have IN-GAME STORE?

Quote:

1. Aware – Tell your customers that you are aware of the problem and are taking it seriously. Let them know that they (the customers) and their issues are important and that the integrity of the game is critical to the company.

2. Triage – Figure out what immediate action you can take to stop the problem from getting worse or spreading.

3. Investigate – Figure out what is really going on.

4. Patch – Identify short term solution or work around to get things "almost" normal.

5. Repair – Fix the problem and reconstitute the game.

6. Reflect – Look to see if there are related vulnerabilities in the game design, business operations, or other areas that can be exploited and fix them before they fix you.

Basically when I reported my suspicion (late May 2009) that linking to NCSoft master account could be a cause of a hack, all of the above weren't done, it was all denial, NO it can't happen was the impression I got. We/I do not want to know what you are doing for security measure. Also you have just announced to the whole world that ArenaNet do not have external security measure ....

explained as you might, The ball is in your court, and YES CUSTOMERS ARE FICKLE, THEY WILL LEAVE!

PS: I do sound like a disgruntled customer, but this is not a complain, its things you do that are compromising (a better word could be use there) yourself. I am merely giving you feedback of what people (ME) perceive you to be when I/we read your messages.

Zahr Dalsk · Jan 25, 2010, 03:20 AM // 03:20

Quote:

Originally Posted by thedarkmarine

Make GW subscription based.

I'd pay for this if it meant regular content updates and skill balancing.

Guild Wars as it is right now isn't really worth a subscription, but Guild Wars as it was two years ago, was.

HawkofStorms · Jan 25, 2010, 04:13 AM // 04:13

Pumpkin, what I think he means is, people who get ticked off at a company for having an account get hacked, can quit the game. For subscription games, that means... oh boy, you better not tick off your customers.

For a.net... ehhh shrug who cares?