Dear games industry. Grow up

2011 was the year of the games industry, as a whole, getting hacked.

Dear games industry; huge international publishers and development studios: are you seriously going to tell me you didn’t see this coming?

For the last several years, the games industry has been infested by a plague of account systems. EVERY company wanted their customers to sign up for THEIR unique account, marketplace, community and download central, preferably with separate accounts for each. And then another account for support requests, of course. And the more of these accounts can be associated with credit card information, the better. And of course, in true games industry fashion, as much as possible should be developed in-house.

Every games company wants me to create a unique account just for them. Every games company wants my password. And apparently, nearly as many let their security be handled by Joe the Intern who does their website on weekends.

It’s absurd. And not just because you are getting hacked en masse, and your users have their sensitive information leaked to hackers courtesy of you and your incompetence and your stubborn insistence on acquiring sensitive information that you have no need of, no business storing, and are not qualified to handle and safeguard.

It is also absurd because, even when you are not being hacked, it is infuriating your users. I don’t want to have to invest in your imaginary currency (which can only be bought in bulk, in quantities conveniently designed to force you to spend more money up front than the price of the item you wanted to buy), in order to purchase DLC for my games. I don’t want to have to remember 47 different account usernames and passwords. I don’t want to have to remember which email address I signed up with two years ago on the company you bought 6 months ago and whose account database you have now integrated into yours.

I don’t want to have to guess whether I am supposed to log in with my Bioware account or my EA account when unlocking stuff for my Bioware game (published by EA). I don’t want to have to log in to both Steam and GfWL to play a game. I don’t want to have to log in to Rockstar Games Social Club. Sega, was it worth it to make me sign up for a Sega Pass? Did you get enough value out of yet another username in your database to justify my password now being in the hands of hackers?

All of you, do you really need me to sign up for anything at all? Or is this just your vanity and your 20-year-old habit of prompting users to “please fill in your registration card while you wait for the installer”, updated to the internet era for no reason whatsoever?

The rest of the world has, by and large, learned a couple of important lessons over the last years:

  • online security is hard, and
  • users have plenty of accounts everywhere already, and they don’t want to have to sign up for your exclusive site any more than they want to sign up for the 400 other sites they visited recently.

Thus, quite a lot of serious websites now “outsource” the account security business to those who are qualified to handle it. We have Facebook Connect, relying on the assumption that Facebook, a site with 400 million users, and a very tempting target for hackers, is able to deal securely with authentication, and we have OpenID, relying on the assumption that users themselves will use a provider that they trust among the countless different ones available.

What these have in common is that they allow you, the company hosting a website and an online service, to provide all the benefits of a personal user account to your users, but without you ever seeing a password, and without you being able to lose quite as much sensitive data when you get hacked. It also provides the convenience benefit of allowing the user (without forcing the user to do so) to reuse the same user ID across multiple sites, and it even offers the potential for exchanging (with the users’ consent, of course) information between different game companies.

And you know what? Steam is an OpenID provider. You could implement OpenID-based authentication, and people would be able to log in with their Steam ID (or their GMail account, or any of the dozens of other OpenID providers, of course), and you wouldn’t have to worry about protecting their passwords.

You could, practically in your lunch break, write a login system which allows GMail users, Steam users and Facebook users to log in using their credentials from those services, handled securely by those services, where you get all the benefit of juicy direct and “exclusive” access to the user, without the headaches of “how do we store the users’ username and password?”, and without hassling the user with “please come up with a username and password for yet another site”.

So, dear games industry. I’m sure that pretty much anyone who has played a game over the last decade has already had his username, password, pet name, address and credit card info leaked by now, thanks to you.

But how about putting a stop to it from now on? How about leaving security to the companies that actually invest in it, and who make it their business? How about, along the way, getting rid of the current account hell where every user has to, for every game, every development studio and every publisher, remember a unique combination of URL (where your “service” is hosted this month, after the latest relaunch, the latest merger or the latest “let’s just start over because our previous system sucked”), and username, password and email address to log in to said URL?

How about making your jobs easier, while also treating your customers better and giving less information away to hackers?

How about growing up and catching up?

A common sentiment when these hacks really exploded this past summer was “these hackers need to be stopped”, but that’s missing the point. They’re only showing how absolutely trivial it is to hack a huge number of websites. Arresting them, torturing them for a few years at Gitmo or condemning them to the deepest pit of Hell doesn’t matter, because your websites are still vulnerable, and in a world of 7 billion people, someone is going to try to exploit it.

Yes, the hackers need to be held accountable, but so do you. You are the ones who chose to start hoarding user information, and you are the ones who didn’t even care enough about your users to do so securely. You are the ones who betrayed your users. You are the ones who failed to live up to the responsibility you wouldn’t even have had if you’d stuck to your actual business: making games, rather than collecting usernames and passwords.

Grow up. Start storing only the data you actually need, and make sure that what you do store is kept absolutely goddamn secure. If you ever even see my password, encrypted, hashed and salted or otherwise, you are doing it wrong.
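The delegated login the post describes (the game site never handles a password; it only verifies a signed assertion from a provider the user already trusts) and the closing point that the site should hold no password at all, shown as an added Python example that is not code from the post. It models both sides of a simplified OpenID 2.0-style exchange: a constructed provider that owns the password, a constructed relying party that stores only a shared MAC key and its own per-user data, and the checks the relying party must make (return_to, association handle, signed-field coverage, HMAC signature, nonce replay). The association step and the browser redirects are modelled as direct function calls, and all URLs, user identifiers and credentials are constructed sample values; a real deployment would use an OpenID library and TLS.

```python
import base64, hashlib, hmac, os, secrets, time
from urllib.parse import parse_qsl, urlencode

# Fields that must be covered by the provider's signature (OpenID 2.0 style).
SIGNED = ["op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"]

def sign(mac_key, fields, signed):
    # HMAC-SHA256 over the Key-Value form "name:value\n" of the signed fields, base64 encoded
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha256).digest()).decode()

def stretch(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Provider:
    """Constructed stand-in for an OpenID provider (the Steam/GMail role); passwords exist only here."""
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.assocs = {}  # assoc_handle -> shared MAC key
        self.users = {}   # claimed_id -> (salt, pbkdf2 hash)

    def register(self, claimed_id, password):
        salt = os.urandom(16)
        self.users[claimed_id] = (salt, stretch(password, salt))

    def associate(self):
        # Hand the relying party a handle and a shared MAC key. Real OpenID 2.0 does this
        # over TLS or with Diffie-Hellman; simplified to a direct call here.
        handle, key = secrets.token_hex(8), os.urandom(32)
        self.assocs[handle] = key
        return handle, key

    def checkid(self, claimed_id, password, return_to, assoc_handle):
        # The user types the password here, never at the game site.
        salt, stored = self.users[claimed_id]
        if not hmac.compare_digest(stretch(password, salt), stored):
            return None  # wrong password: no assertion is issued
        fields = {
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
            "openid.assoc_handle": assoc_handle,
            "openid.signed": ",".join(SIGNED),
        }
        fields["openid.sig"] = sign(self.assocs[assoc_handle], fields, SIGNED)
        return fields

class RelyingParty:
    """Constructed stand-in for the game site: a MAC key and per-user data, never a password."""
    def __init__(self, return_to, provider):
        self.return_to = return_to
        self.assoc_handle, self.mac_key = provider.associate()
        self.seen_nonces = set()  # replay protection
        self.accounts = {}        # claimed_id -> our own per-user data

    def start_login(self):
        # Parameters the browser is redirected to the provider with
        return {"openid.mode": "checkid_setup", "openid.return_to": self.return_to,
                "openid.assoc_handle": self.assoc_handle}

    def finish_login(self, query_string):
        # Verify the assertion that came back on return_to; claimed_id on success, None otherwise
        f = dict(parse_qsl(query_string))
        if (f.get("openid.mode") != "id_res" or f.get("openid.return_to") != self.return_to
                or f.get("openid.assoc_handle") != self.assoc_handle):
            return None
        signed = f.get("openid.signed", "").split(",")
        if any(n not in signed for n in SIGNED) or any("openid." + n not in f for n in signed):
            return None  # a security-relevant field is missing or not covered by the signature
        if not hmac.compare_digest(sign(self.mac_key, f, signed).encode(), f.get("openid.sig", "").encode()):
            return None  # forged or tampered assertion
        if f["openid.response_nonce"] in self.seen_nonces:
            return None  # replayed assertion
        self.seen_nonces.add(f["openid.response_nonce"])
        claimed = f["openid.claimed_id"]
        self.accounts.setdefault(claimed, {"logins": 0})["logins"] += 1
        return claimed

def demo():
    # One honest login, then a replay, a tampered assertion and a wrong password.
    # URLs and credentials are constructed sample values.
    idp = Provider("https://idp.example/openid")
    alice, pw = "https://idp.example/id/alice", "correct horse battery staple"
    idp.register(alice, pw)
    rp = RelyingParty("https://game.example/login/return", idp)
    req = rp.start_login()
    assertion = idp.checkid(alice, pw, req["openid.return_to"], req["openid.assoc_handle"])
    redirect_qs = urlencode(assertion)  # the query string on the return_to redirect
    login = rp.finish_login(redirect_qs)
    replay = rp.finish_login(redirect_qs)  # same nonce presented again
    forged = dict(parse_qsl(redirect_qs))
    forged["openid.claimed_id"] = "https://idp.example/id/mallory"  # signature no longer matches
    tampered = rp.finish_login(urlencode(forged))
    wrong_pw = idp.checkid(alice, "hunter2", req["openid.return_to"], req["openid.assoc_handle"])
    return {"login": login, "replay": replay, "tampered": tampered,
            "wrong_password": wrong_pw, "rp_accounts": rp.accounts}
```

Calling demo() returns the honest login as the claimed identifier and None for the replayed, tampered and wrong-password attempts; rp.accounts afterwards contains only the claimed identifier and a login counter, which is the whole point: the relying party has nothing password-shaped to leak.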

I’m not dead!

I know, it’s been ages since I updated my blog.

I started on a new job back in August, which took up a lot of my attention for the first couple of months. On the home front, things have been kind of busy too, and I’ve had less time than usual for programming, and writing about programming.

A follow-up rant about Connect

So my last blog post got a surprising amount of attention, not least from a/the (no clue how many there are of those) Product Manager of Visual Studio, which is pretty neat.

So, here’s a quick followup, in order to fully exploit my 15 minutes of fame!

What’s wrong with Visual C++ and Microsoft Connect?

Using Visual Studio 2010 with Service Pack 1, try doing the following:

  1. create a new project of type Win32 Console Application, and under Application Settings in the project wizard, select Console Application and Empty Project.
  2. create a single .cpp file
  3. add the code int main() {} to it
  4. hit build.

C++11’ish approved!

Not much to say here, other than that C++11, or possibly C++12, formerly known as C++0x, has been approved unanimously by ISO.

Hurrah!

Apparently, it’ll take a few months for all the paperwork and such to catch up, and then the final standard will be published by ISO (I haven’t been able to find a clear answer to whether or not this might drag the final release all the way out to 2012, but hopefully, C++0x will be forever known as C++11).

The “I don’t care about version control, I just want other programmers to stop pestering me”-guide to version control

Every so often, I come across a programmer (usually a student, or a self-taught hobbyist) who doesn’t use version control (cue shock and horror).

Of course, whenever someone dares to admit this, they’re set upon by everyone and heckled and pestered until they give in and install some VCS. And then they spend a few afternoons moaning about how they “could have been coding instead”.

And it occurred to me that there doesn’t seem to be any short, simple, minimalist guide to setting up and using a VCS system. There are plenty of excellent tutorials and guides which explain everything about everything, and are an amazing resource to those willing to actually spend time to learn how to use their tool.

But newcomers to version control are generally someone who’s willing to give it 2 – 3 minutes, if it’ll shut everyone else up so they can get back to coding. They’re not interested in knowing what their code looked like 7 months ago, or what exact changes were committed on the 28th of June 2010 at 9:37 pm. And they don’t really see why they’d want to branch and merge their code.

Thus…

It’s that time of the year, I guess

Hooray!

Games for Windows Live is being relaunched again.

Considering all the fun I had last time, I personally can’t wait for this.

STM Status Page

As I mentioned not too long ago, I’ve recently resumed work on the STM library I created for my Masters Thesis.

It’s still not quite where I want it to be, but I felt that at the very least, it deserved a proper status page. So here it is. A brand new page on my blog. As I’m still rather busy, I can’t promise that much will happen with the library over the summer, but when something significant happens, that page will be the first to know.

The Windows 8 Touch UI

I don’t get it.

They obviously went to a lot of trouble to design a new touch-based interface. But because they need backwards compatibility as well, they have “traditional” apps isolated into a kind of “Windows 7 ghetto”, something that looks just like Windows 7, and with no visible trace of being integrated into the whole Win8/touch thing… And this is for traditional PCs. On my PC, I’m apparently going to have to choose which environment I’m using currently, because there’s limited interaction between them. And both worlds are going to suffer from that.

Panic-time is over

It’s been a bit quiet on this blog for a while. The last month or so has been brutal. By May 16th, I had to be out of my old apartment (long story), meaning I’ve had to find another place to live pretty urgently.

Without getting into all the painful details, I’ve spent most of the last month or two trying to find a new apartment, and this past weekend was spent moving out of our old apartment, painting it and fixing it up. It’s been stressful, and it hasn’t left much time for anything else.

Until July 1st, when I get to move into the new apartment, I’ll be living on a friend’s couch, so things aren’t quite back to normal yet. But the worst part is over, and hopefully I’ll be able to spend a bit of time now on interesting things, such as blogging, coding and blogging about coding.