Archive for the ‘Games’ Category

Dear games industry. Grow up

Saturday, January 7th, 2012

2011 was the year of the games industry, as a whole, getting hacked.

Dear games industry; huge international publishers and development studios: are you seriously going to tell me you didn’t see this coming?

For the last several years, the games industry has been infested by a plague of account systems. EVERY company wanted their customers to sign up for THEIR unique account, marketplace, community and download central, preferably with separate accounts for each. And then another account for support requests, of course. And the more of these accounts can be associated with credit card information, the better. And of course, in true games industry fashion, as much as possible should be developed in-house.

Every games company wants me to create a unique account just for them. Every games company wants my password. And apparently, nearly as many let their security be handled by Joe the Intern who does their website on weekends.

It’s absurd. And not just because you are getting hacked en masse, and your users have their sensitive information leaked to hackers courtesy of you and your incompetence and your stubborn insistence on acquiring sensitive information that you have no need of, no business storing, and are not qualified to handle and safeguard.

It is also absurd because, even when you are not being hacked, it is infuriating your users. I don’t want to have to invest in your imaginary currency (which can only be bought in bulk, in quantities conveniently designed to force you to spend more money up front than the price of the item you wanted to buy), in order to purchase DLC for my games. I don’t want to have to remember 47 different account usernames and passwords. I don’t want to have to remember which email address I signed up with two years ago on the company you bought 6 months ago and whose account database you have now integrated into yours.

I don’t want to have to guess whether I am supposed to log in with my Bioware account or my EA account when unlocking stuff for my Bioware game (published by EA). I don’t want to have to log in to both Steam and GfWL to play a game. I don’t want to have to log in to Rockstar Games Social Club. Sega, was it worth it to make me sign up for a Sega Pass? Did you get enough value out of yet another username in your database to justify my password now being in the hands of hackers?

All of you, do you really need me to sign up for anything at all? Or is this just your vanity and your 20-year-old habit of prompting users to “please fill in your registration card while you wait for the installer”, updated to the internet era for no reason whatsoever?

The rest of the world has, by and large, learned a couple of important lessons over the last years:

  • online security is hard, and
  • users have plenty of accounts everywhere already, and they don’t want to have to sign up for your exclusive site any more than they want to sign up for the 400 other sites they visited recently.

Thus, quite a lot of serious websites now “outsource” the account security business to those who are qualified to handle it. We have Facebook Connect, relying on the assumption that Facebook, a site with 400 million users, and a very tempting target for hackers, is able to deal securely with authentication, and we have OpenID, relying on the assumption that users themselves will use a provider that they trust among the countless different ones available.

What these have in common is that they allow you, the company hosting a website and an online service, to provide all the benefits of a personal user account to your users, but without you ever seeing a password, and without you being able to lose quite as much sensitive data when you get hacked. It also provides the convenience benefit of allowing the user (without forcing the user to do so) to reuse the same user ID across multiple sites, and it even offers the potential for exchanging (with the users’ consent, of course) information between different game companies.

And you know what? Steam is an OpenID provider. You could implement OpenID-based authentication, and people would be able to log in with their Steam ID (or their GMail account, or any of the dozens of other OpenID providers, of course), and you wouldn’t have to worry about protecting their passwords.

You could, practically in your lunch break, write a login system which allows GMail users, Steam users and Facebook users to log in using their credentials from those services, handled securely by those services, where you get all the benefit of juicy direct and “exclusive” access to the user, without the headaches of “how do we store the users’ username and password”, and without hassling the user with “please come up with a username and password for yet another site”.
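The relying-party side of such an OpenID 2.0 login, as an added example that is not part of the original post: it builds the redirect to the provider and runs the checks a site must make on the returned assertion before trusting it. The Steam endpoint URL, the claimed-ID format, the `provider_confirms` callback and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
# Assumption: Steam's OpenID 2.0 endpoint and claimed-ID format (not in the post).
PROVIDER_ENDPOINT = "https://steamcommunity.com/openid/login"
CLAIMED_ID_RE = re.compile(r"https://steamcommunity\.com/openid/id/(\d{17})")

def build_login_redirect(return_to, realm):
    """URL the browser is sent to; the password is only ever typed there."""
    return PROVIDER_ENDPOINT + "?" + urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    })

def accept_assertion(params, return_to, seen_nonces, provider_confirms):
    """Return the provider-issued user ID to store, or None to reject.

    provider_confirms(params) is a hypothetical callback standing in for the
    direct check_authentication request to the provider (keeps this offline).
    """
    if params.get("openid.mode") != "id_res":
        return None                    # login cancelled or failed
    if params.get("openid.op_endpoint") != PROVIDER_ENDPOINT:
        return None                    # assertion from an unexpected provider
    if params.get("openid.return_to") != return_to:
        return None                    # assertion was issued for another site
    match = CLAIMED_ID_RE.fullmatch(params.get("openid.claimed_id", ""))
    nonce = params.get("openid.response_nonce")
    if not match or not nonce or nonce in seen_nonces:
        return None                    # malformed identity or replayed response
    if not provider_confirms(params):
        return None                    # never trust the browser's copy alone
    seen_nonces.add(nonce)
    return match.group(1)              # the only account secret-free key we keep

# Constructed sample callback parameters (not real account data).
RETURN_TO = "https://games.example/login/callback"
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": PROVIDER_ENDPOINT,
    "openid.return_to": RETURN_TO,
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561190000000000",
    "openid.response_nonce": "2012-01-07T12:00:00Zconstructed",
}
```

The site's user table then needs only the returned ID as its key; there is no password column to leak.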

So, dear games industry. I’m sure that pretty much anyone who has played a game over the last decade has already had his username, password, pet name, address and credit card info leaked by now, thanks to you.

But how about putting a stop to it from now on? How about leaving security to the companies that actually invest in it, and who make it their business? How about, along the way, getting rid of the current account hell where every user has to, for every game, every development studio and every publisher, remember a unique combination of URL (where your “service” is hosted this month, after the latest relaunch, the latest merger or the latest “let’s just start over because our previous system sucked”), and username, password and email address to log in to said URL?

How about making your jobs easier, while also treating your customers better and giving less information away to hackers?

How about growing up and catching up?

A common sentiment when these hacks really exploded this past summer was “these hackers need to be stopped”, but that’s missing the point. They’re only showing how absolutely trivial it is to hack a huge number of websites. Arresting them, torturing them for a few years at Gitmo or condemning them to the deepest pit of Hell doesn’t matter, because your websites are still vulnerable, and in a world of 7 billion people, someone is going to try to exploit it.

Yes, the hackers need to be held accountable, but so do you. You are the ones who chose to start hoarding user information, and you are the ones who didn’t even care enough about your users to do so securely. You are the ones who betrayed your users. You are the ones who failed to live up to the responsibility you wouldn’t even have had if you’d stuck to your actual business: making games, rather than collecting usernames and passwords.

Grow up. Start storing only the data you actually need, and make sure that what you do store is kept absolutely goddamn secure. If you ever even see my password, encrypted, hashed and salted or otherwise, you are doing it wrong.

It’s that time of the year, I guess

Saturday, July 2nd, 2011

Hooray!

Games for Windows Live is being relaunched again.

Considering all the fun I had last time, I personally can’t wait for this. (more…)

GfWL: are they trying, I wonder?

Friday, December 3rd, 2010

Two weeks ago, I wrote a post that you might consider “mildly critical”, discussing the brand new Games for Windows Live web-based store, and the countless ways in which it fell apart as soon as you looked at it.

Today, I went to look at their site again, as they have Deus Ex on sale, and, while it is a 10 year old game, and I already have it, I was interested in seeing if they’d opened up the store for people outside America and the UK yet. (more…)

GFWL: Malice or Incompetence?

Tuesday, November 16th, 2010

Once again, Microsoft “relaunched” Games for Windows Live, either gambling that if they keep relaunching the same thing, eventually everyone will just give up and start using it, or perhaps that if they keep relaunching the same thing, eventually everyone will just give up and buy an XBox 360 instead. I don’t know. But it is really getting ridiculous.

Unlike the last time it “relaunched”, however, this time it actually has a new feature as well: it is now possible to view (and use) their store from a browser, or so they claim. And what’s more, games can now, apparently, be bought using money, actual human currency, rather than imaginary Microsoft Points.

In practice? Not so much. (more…)

Post-thesis, post-aprils-fools update

Saturday, April 3rd, 2010

Just over a month ago, I handed in my Master’s thesis. All that’s left now is an oral defense of it in one of the coming weeks. So what happens then? I suppose I should find a job. A few people have asked if I am going to do a PhD, but I don’t think so. I think I’ve had enough of academia for now. It was fun while it lasted, but I think it’s time to try something different. (more…)

Hopes for 2010: Games for Windows Live

Thursday, December 31st, 2009

I’m sorry. This isn’t going to be pretty. (more…)

Just when we thought the games industry was showing a few signs of growing up…

Saturday, July 25th, 2009

this comes along.

At Comic Con, if you commit “an act of lust” with an EA booth babe and take a picture, you could win dinner with said babes, as well as a great big pile of prizes related to the upcoming Dante’s Inferno. That’s right, the babes won’t just get the standard behavior and awkward advances — if someone is really obnoxious, they get rewarded for it, and then you get to see them again socially!

What absolute moron came up with this? And how did everyone else who had to sign off on it not realize what a terrible idea it is?

I must say I’m disappointed in EA. This is just giving both the games industry and gamers a bad name, in addition to giving their own employees even more crappy behavior to deal with in a job that already exposes them to plenty of it. That kind of misogyny just isn’t cool.

Well, at least the reactions are encouraging. Let’s see how they try to wriggle out of this PR disaster.