Jan 24, 2010, 03:08 PM // 15:08
|
#1
|
Ascalonian Squire
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E
|
CEO of SecurePlay discusses account security (Anet and NCSoft)
Lots of references to NCSoft and ArenaNet in this. I think it's spot on but I'm sure there are some who will disagree.
Whole interview is here: http://www.massively.com/2010/01/18/...ount-security/
This question I thought was good, since I too found Anet's response inadequate:
Quote:
During the recent wave of security problems, many players complained that ArenaNet was not doing enough to communicate to the players on a solution. ArenaNet pointed out that if they tell the players what they are doing, they are also telling the hackers what they are doing. Where do you think the balance lies between keeping the player base informed and not tipping your hand to those you are working against?
ArenaNet faces a unique challenge because people don't "buy stuff" from the company very often - just the base game or expansion every year or so... and even then, it is often done through a retailer, so ArenaNet doesn't have a direct financial relationship with its players. Subscriptions and payments allow online game companies to tap into a number of external security mechanisms (such as validating credit card numbers).
That being said, the argument that sharing information with players is bad because the hackers will get the data is totally spurious. When the US was mining harbors in Nicaragua in the 1980s, it was "classified"...but you can bet the Sandinistas knew what was going on. Hackers are acutely aware of what security mechanisms are being used against them.
As I noted above, it is important to tell your customers that you are doing something. Customers are fickle and can leave... there are a lot of games out there and players are going to play where they feel safe and that they are valued by the game company. Players are pretty sophisticated and do not like being treated like children.
... there is no reason to tell them EVERYTHING that you are doing, however.
|
And this line I wholeheartedly agree with:
Quote:
There is no way to tell if NCsoft is handling the problem well technically, but the company is not doing a very good job of public relations.
|
|
|
|
Jan 24, 2010, 03:44 PM // 15:44
|
#2
|
Grotto Attendant
Join Date: May 2005
Location: The Netherlands
Guild: Limburgse Jagers [LJ]
Profession: R/
|
Anet responded perfectly fine, even implementing the additional security of the Character Name at login.
NCSoft dropped the ball, not Anet.
|
|
|
Jan 24, 2010, 06:15 PM // 18:15
|
#3
|
Lion's Arch Merchant
Join Date: Mar 2006
Guild: Servants of Fortuna
Profession: N/Mo
|
As much as I love Lum, having him write the "company line" that clearly reeked of the management's touch was a bad move.
|
|
|
Jan 24, 2010, 06:31 PM // 18:31
|
#4
|
Older Than God (1)
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
|
Very nice find. This does an excellent job of providing a reasoned appraisal of the situation.
|
|
|
Jan 24, 2010, 07:22 PM // 19:22
|
#5
|
Departed from Tyria
Join Date: May 2007
Guild: Clan Dethryche [dth]
Profession: R/
|
Just curious, what would it take to separate ANet from NCsoft?
|
|
|
Jan 24, 2010, 07:32 PM // 19:32
|
#6
|
Older Than God (1)
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
|
A lot of money that ANet doesn't have.
|
|
|
Jan 24, 2010, 07:48 PM // 19:48
|
#7
|
Lion's Arch Merchant
|
Quote:
Originally Posted by Shayne Hawke
Just curious, what would it take to separate ANet from NCsoft?
|
Make GW subscription based.
|
|
|
Jan 24, 2010, 07:54 PM // 19:54
|
#8
|
Auctions Mod
Join Date: Jan 2006
Location: UK
Guild: Mystic Spiral [MYST]
|
Quote:
Originally Posted by thedarkmarine
Make GW subscription based.
|
I know I'd be in the minority, it totally goes against the business model etc, but I would support this if it led to ArenaNet leaving NCSoft.
Back OT, the full interview is somewhat informative. It's also comforting to know that what has been going on with NCSoft of late has been noticed by the wider gaming community.
|
|
|
Jan 24, 2010, 07:55 PM // 19:55
|
#9
|
Forge Runner
Join Date: Jun 2006
Location: VA
Profession: Mo/
|
Quote:
Originally Posted by Shayne Hawke
Just curious, what would it take to separate ANet from NCsoft?
|
anet would have to create a lot of the business infrastructure that is currently being handled by ncsoft. if they did something like that, it would probably kill the company financially.
|
|
|
Jan 24, 2010, 08:04 PM // 20:04
|
#10
|
Jungle Guide
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/
|
Meh, SecurePlay has a vested interest in seeming to 'know better' and to be critical of any company's security responses that don't involve licensing their (SecurePlay's) software solutions, what's more, F.U.D. is always good business sense for people offering the solution for a price, it's free advertising.
The listed responses they suggest for dealing with security issues were as follows...
1. Aware – Tell your customers that you are aware of the problem and are taking it seriously. Let them know that they (the customers) and their issues are important and that the integrity of the game is critical to the company.
2. Triage – Figure out what immediate action you can take to stop the problem from getting worse or spreading.
3. Investigate – Figure out what is really going on.
4. Patch – Identify short term solution or work around to get things "almost" normal.
5. Repair – Fix the problem and reconstitute the game.
6. Reflect – Look to see if there are related vulnerabilities in the game design, business operations, or other areas that can be exploited and fix them before they fix you.
Well, NCSoft seems to be following a similar protocol, they've been bleating about account security FOREVER, and in recent times in bright red letters... they've communicated that the accounts have been compromised, though not the exact nature of how these accounts are being compromised, they've stepped up with some quick fixes and are no doubt still looking for long term solutions to other future threats.
So, by SecurePlay's own account of things, NCSoft seems to be doing okay, other than being more forthright about the vectors being used in the attacks, and admitting any security vulnerabilities on their end.
Seeing as how SecurePlay is in the software security industry, it seems surprising that they condone releasing information about any potential security vulnerabilities and the steps being taken to defeat the 'hackers' before a solid fix is in place. Major software companies do this ALL THE TIME, they find out about an exploit and DON'T release that information until they HAVE A FIX. Saying "Hey we have X vulnerability and we're going to try doing Y and Z to overcome it" is just ADVERTISING your weakness to those who would exploit it.
TL;DR version. SecurePlay wants to sell their software. Cynical, but true.
Last edited by Nerel; Jan 24, 2010 at 08:07 PM // 20:07..
|
|
|
Jan 24, 2010, 08:33 PM // 20:33
|
#11
|
Forge Runner
Join Date: Apr 2008
Location: Texas
Guild: Reign of Judgment [RoJ]
Profession: Me/
|
Quote:
Originally Posted by Arduin
NCSoft dropped the ball, not Anet.
|
^ and although it's probably true that SecurePlay is probably just trying to boost their own sales using this interview, the very fact that the interview came around to this topic means that people outside of GW are aware of the poor PR.
Sadly, in the gaming world, all publicity is not good publicity. It's a bad time to be known for poor security or poor PR, especially considering all the games that are supposed to come out when GW2 does :/
Last edited by Karate Jesus; Jan 24, 2010 at 08:37 PM // 20:37..
|
|
|
Jan 24, 2010, 09:28 PM // 21:28
|
#12
|
Forge Runner
Join Date: Mar 2006
Location: Mableton, Georgia
Guild: Guild Ancestors Reunited [ギルド]
|
Quote:
Originally Posted by Karate Jesus
^ and although it's probably true that SecurePlay is probably just trying to boost their own sales using this interview, the very fact that the interview came around to this topic means that people outside of GW are aware of the poor PR.
Sadly, in the gaming world, all publicity is not good publicity. It's a bad time to be known for poor security or poor PR, especially considering all the games that are supposed to come out when GW2 does :/
|
This right here. And I agree very much with the bolded section.
|
|
|
Jan 24, 2010, 10:49 PM // 22:49
|
#13
|
Wilds Pathfinder
Join Date: May 2007
Guild: Kaons Banned Fecal Super Team [Ban]
Profession: Mo/A
|
So, relating to this read, how is it appropriate to block accounts midmatch with no notice after being hacked?
Some things are just handled really badly, specifically communications from Anet's side.
|
|
|
Jan 24, 2010, 11:03 PM // 23:03
|
#14
|
Krytan Explorer
Join Date: Mar 2008
Location: England
Profession: Me/
|
Quote:
Originally Posted by Shayne Hawke
Just curious, what would it take to separate ANet from NCsoft?
|
Quote:
Originally Posted by thedarkmarine
Make GW subscription based.
|
Quote:
Originally Posted by tasha
I know I'd be in the minority, it totally goes against the business model etc, but I would support this if it led to ArenaNet leaving NCSoft.
|
Ditto. I don't think it's ever going to happen though.
Quote:
Originally Posted by Nerel
Well, NCSoft seems to be following a similar protocol, they've been bleating about account security FOREVER, and in recent times in bright red letters... they've communicated that the accounts have been compromised, though not the exact nature of how these accounts are being compromised, they've stepped up with some quick fixes and are no doubt still looking for long term solutions to other future threats.
So, by SecurePlay's own account of things, NCSoft seems to be doing okay, other than being more forthright about the vectors being used in the attacks, and admitting any security vulnerabilities on their end.
|
I guess you weren't a regular visitor to the AionSource forums. NCsoft have been attempting to brush things under the carpet where Aion security is concerned since October. It's been really, really bad communication on their part. The abusive and dismissive letter from the GSU is typical of the way their CMs have addressed the Aion community. Oh, and they still have no GMs on the Euro servers despite it being a subscription game. GG NCsoft.
I don't disagree about SecurePlay coming from a "we have a product to sell" angle, though.
Last edited by Smarty; Jan 24, 2010 at 11:07 PM // 23:07..
|
|
|
Jan 25, 2010, 12:01 AM // 00:01
|
#15
|
Popcorn Fetish
Join Date: Dec 2005
Guild: [GODS]
Profession: Mo/Me
|
Damage control that's it is nothing more.
and p2p isn't the fix.
|
|
|
Jan 25, 2010, 01:22 AM // 01:22
|
#16
|
Desert Nomad
Join Date: Jul 2009
Location: Inside the Oblivion Gate
Guild: The Imperial Guards of Istan[TIGE]
Profession: E/Me
|
eh NCSoft can do what they want w/ their company, no one has to buy anything from it. Bad security=future games are gonna suck more due to lack of revenue. This is a simple fact and, for NCSoft and unfortunately anet who's caught up in this, i doubt it will change at any time soon. (not unless like the ceo of the company's account gets hacked and they can't figure out how to restore it ;p)
|
|
|
Jan 25, 2010, 01:54 AM // 01:54
|
#17
|
Academy Page
Join Date: Nov 2008
Location: Between Earth and Sky
Guild: The Thuggee[lain]
Profession: N/
|
While sounding informative and informational, this interview provides little of import. SSDD
|
|
|
Jan 25, 2010, 02:36 AM // 02:36
|
#18
|
Furnace Stoker
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/
|
Quote:
ArenaNet faces a unique challenge because people don't "buy stuff" from the company very often - just the base game or expansion every year or so... and even then, it is often done through a retailer, so ArenaNet doesn't have a direct financial relationship with its players. Subscriptions and payments allow online game companies to tap into a number of external security mechanisms (such as validating credit card numbers).
|
Question: What the hell do you mean people don't "buy stuff" from the company very often? "No Subscription Fees" is one of the key selling points of Guild Wars, how can you use that as a reason for not being able to tap into external security mechanisms?
Question: It is lucky (according to you) NOT many people buy stuff from you, otherwise, the stolen customers' identity would have been an even bigger problem than merely virtual stuff being stolen.
Question: How is it that you did not tap into external security mechanisms when you have an IN-GAME STORE?
Quote:
1. Aware – Tell your customers that you are aware of the problem and are taking it seriously. Let them know that they (the customers) and their issues are important and that the integrity of the game is critical to the company.
2. Triage – Figure out what immediate action you can take to stop the problem from getting worse or spreading.
3. Investigate – Figure out what is really going on.
4. Patch – Identify short term solution or work around to get things "almost" normal.
5. Repair – Fix the problem and reconstitute the game.
6. Reflect – Look to see if there are related vulnerabilities in the game design, business operations, or other areas that can be exploited and fix them before they fix you.
|
Basically when I reported my suspicion (late May 2009) that linking to NCSoft master account could be a cause of a hack, all of the above weren't done, it was all denial, NO it can't happen was the impression I got. We/I do not want to know what you are doing for security measures. Also you have just announced to the whole world that ArenaNet do not have external security measures ....
Explain as you might, the ball is in your court, and YES CUSTOMERS ARE FICKLE, THEY WILL LEAVE!
PS: I do sound like a disgruntled customer, but this is not a complaint, it's things you do that are compromising (a better word could be used there) yourself. I am merely giving you feedback of what people (ME) perceive you to be when I/we read your messages.
Last edited by pumpkin pie; Jan 25, 2010 at 03:37 AM // 03:37..
|
|
|
Jan 25, 2010, 03:20 AM // 03:20
|
#19
|
Grotto Attendant
Join Date: Aug 2007
Location: Canada
|
Quote:
Originally Posted by thedarkmarine
Make GW subscription based.
|
I'd pay for this if it meant regular content updates and skill balancing.
Guild Wars as it is right now isn't really worth a subscription, but Guild Wars as it was two years ago, was.
|
|
|
Jan 25, 2010, 04:13 AM // 04:13
|
#20
|
Hall Hero
Join Date: Aug 2005
Profession: E/
|
Pumpkin, what I think he means is, people who get ticked off at a company for having an account get hacked, can quit the game. For subscription games, that means... oh boy, you better not tick off your customers.
For a.net... ehhh shrug who cares?
|
|
|
All times are GMT.