Archive for the ‘Meanwhile’ Category

Dear games industry. Grow up

Saturday, January 7th, 2012

2011 was the year of the games industry, as a whole, getting hacked.

Dear games industry; huge international publishers and development studios: are you seriously going to tell me you didn’t see this coming?

For the last several years, the games industry has been infested by a plague of account systems. EVERY company wanted their customers to sign up for THEIR unique account, marketplace, community and download central, preferably with separate accounts for each. And then another account for support requests, of course. And the more of these accounts can be associated with credit card information, the better. And of course, in true games industry fashion, as much as possible should be developed in-house.

Every games company wants me to create a unique account just for them. Every games company wants my password. And apparently, nearly as many let their security be handled by Joe the Intern who does their website on weekends.

It’s absurd. And not just because you are getting hacked en masse, and your users have their sensitive information leaked to hackers courtesy of you and your incompetence and your stubborn insistence on acquiring sensitive information that you have no need of, no business storing, and are not qualified to handle and safeguard.

It is also absurd because, even when you are not being hacked, it is infuriating your users. I don’t want to have to invest in your imaginary currency (which can only be bought in bulk, in quantities conveniently designed to force you to spend more money up front than the price of the item you wanted to buy), in order to purchase DLC for my games. I don’t want to have to remember 47 different account usernames and passwords. I don’t want to have to remember which email address I signed up with two years ago on the company you bought 6 months ago and whose account database you have now integrated into yours.

I don’t want to have to guess whether I am supposed to log in with my Bioware account or my EA account when unlocking stuff for my Bioware game (published by EA). I don’t want to have to log in to both Steam and GfWL to play a game. I don’t want to have to log in to Rockstar Games Social Club. Sega, was it worth it to make me sign up for a Sega Pass? Did you get enough value out of yet another username in your database to justify my password now being in the hands of hackers?

All of you, do you really need me to sign up for anything at all? Or is this just your vanity and your 20-year-old habit of prompting users to “please fill in your registration card while you wait for the installer”, updated to the internet era for no reason whatsoever?

The rest of the world has, by and large, learned a couple of important lessons over the last years:

  • online security is hard, and
  • users have plenty of accounts everywhere already, and they don’t want to have to sign up for your exclusive site any more than they want to sign up for the 400 other sites they visited recently.

Thus, quite a lot of serious websites now “outsource” the account security business to those who are qualified to handle it. We have Facebook Connect, relying on the assumption that Facebook, a site with 400 million users, and a very tempting target for hackers, is able to deal securely with authentication, and we have OpenID, relying on the assumption that users themselves will use a provider that they trust among the countless different ones available.

What these have in common is that they allow you, the company hosting a website and an online service, to provide all the benefits of a personal user account to your users, but without you ever seeing a password, and without you being able to lose quite as much sensitive data when you get hacked. It also provides the convenience benefit of allowing the user (without forcing the user to do so) to reuse the same user ID across multiple sites, and it even offers the potential for exchanging (with the users’ consent, of course) information between different game companies.

And you know what? Steam is an OpenID provider. You could implement OpenID-based authentication, and people would be able to log in with their Steam ID (or their GMail account, or any of the dozens of other OpenID providers, of course), and you wouldn’t have to worry about protecting their passwords.

You could, practically in your lunch break, write a login system which allows GMail users, Steam users and Facebook users to log in using their credentials from those services, handled securely by those services, where you get all the benefit of juicy direct and “exclusive” access to the user, without the headaches of “how do we store the users’ username and password?”, and without hassling the user with “please come up with a username and password for yet another site”.
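To make the “without you ever seeing a password” point concrete, here is an added example (not code from the original post, and not any provider’s library): a minimal OpenID 2.0 relying party in stateless mode. The game site redirects the browser to the provider, receives a signed positive assertion, asks the provider to confirm the signature via check_authentication, checks the return URL, endpoint, signed-field list and nonce, and then stores only the asserted identifier. The endpoint, realm, return URL and identifier prefix are placeholders, and MockProvider is a constructed stand-in for the real provider; it is the only party that holds a key or ever sees a password.

```python
"""Added example: a minimal OpenID 2.0 relying party in stateless mode.

Constructed for illustration; the endpoint, realm, return URL and identifier
prefix are placeholders, not any real provider's values.  The site ends up
holding a provider-asserted identifier and nothing else: no password, no key.
"""
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_ENDPOINT = "https://op.example/openid/login"      # placeholder provider endpoint
CLAIMED_ID_PREFIX = "https://op.example/openid/id/"  # placeholder identifier namespace
REALM = "https://game.example/"                      # placeholder relying-party site
RETURN_TO = "https://game.example/auth/openid/return"
# Fields the provider must cover with its signature for the assertion to be usable.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def build_login_url():
    """Step 1: send the browser to the provider; the password is typed there, not here."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": RETURN_TO, "openid.realm": REALM,
    })


def _same_return_to(got, expected):
    g, e = urlparse(got), urlparse(expected)
    return (g.scheme, g.netloc, g.path) == (e.scheme, e.netloc, e.path)


def _nonce_fresh(nonce, now, ttl):
    # The nonce starts with a UTC timestamp; reject anything older than ttl seconds.
    try:
        ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False
    return -60 <= now - ts <= ttl


class RelyingParty:
    """The game site's side.  check_authentication is the back-channel call to the provider."""

    def __init__(self, check_authentication, nonce_ttl=300):
        self._check = check_authentication
        self._seen_nonces = set()
        self._ttl = nonce_ttl

    def verify(self, p, now=None):
        """Step 2: validate a positive assertion; return the identifier to store, or None."""
        now = time.time() if now is None else now
        if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
            return None
        if p.get("openid.op_endpoint") != OP_ENDPOINT:   # must be the endpoint we discovered
            return None
        if not _same_return_to(p.get("openid.return_to", ""), RETURN_TO):
            return None
        if not REQUIRED_SIGNED <= set(p.get("openid.signed", "").split(",")):
            return None
        # A full RP re-runs discovery on claimed_id to confirm this provider is authoritative
        # for it; here the placeholder namespace check stands in for that step.
        if not p.get("openid.claimed_id", "").startswith(CLAIMED_ID_PREFIX):
            return None
        nonce = p.get("openid.response_nonce", "")
        if nonce in self._seen_nonces or not _nonce_fresh(nonce, now, self._ttl):
            return None
        # Stateless mode: we hold no signing key, so we ask the provider whether the signature is its own.
        if not self._check(dict(p, **{"openid.mode": "check_authentication"})):
            return None
        self._seen_nonces.add(nonce)
        return p["openid.claimed_id"]


class MockProvider:
    """Constructed stand-in for the provider; the only party that holds a key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def _sig(self, p):
        msg = "".join(f"{k}:{p.get('openid.' + k, '')}\n" for k in p["openid.signed"].split(","))
        return base64.b64encode(hmac.new(self._key, msg.encode(), hashlib.sha256).digest()).decode()

    def assertion(self, username, now=None):
        """What the provider sends back once the user has authenticated to it (its business, not ours)."""
        claimed_id = CLAIMED_ID_PREFIX + username
        p = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
             "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
             "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
             "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
                                      + secrets.token_urlsafe(6),
             "openid.assoc_handle": "stateless-" + secrets.token_hex(4),
             "openid.signed": ",".join(sorted(REQUIRED_SIGNED))}
        p["openid.sig"] = self._sig(p)
        return p

    def check_authentication(self, p):
        return p.get("openid.mode") == "check_authentication" and \
            hmac.compare_digest(self._sig(p), p.get("openid.sig", ""))
```

The verify method is deliberately strict: an assertion for a different return URL, from a different endpoint, with a field dropped from the signed list, with an old or reused nonce, or with a signature the provider does not recognise is rejected before anything is stored. Against a real provider the check_authentication callable would be an HTTPS POST to the provider endpoint, and the discovery step noted in the comment would replace the prefix check.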

So, dear games industry. I’m sure that pretty much anyone who has played a game over the last decade has already had his username, password, pet name, address and credit card info leaked by now, thanks to you.

But how about putting a stop to it from now on? How about leaving security to the companies that actually invest in it, and who make it their business? How about, along the way, getting rid of the current account hell where every user has to, for every game, every development studio and every publisher, remember a unique combination of URL (where your “service” is hosted this month, after the latest relaunch, the latest merger or the latest “let’s just start over because our previous system sucked”), and username, password and email address to log in to said URL?

How about making your jobs easier, while also treating your customers better and giving less information away to hackers?

How about growing up and catching up?

A common sentiment when these hacks really exploded this past summer was “these hackers need to be stopped”, but that’s missing the point. They’re only showing how absolutely trivial it is to hack a huge number of websites. Arresting them, torturing them for a few years at Gitmo or condemning them to the deepest pit of Hell doesn’t matter, because your websites are still vulnerable, and in a world of 7 billion people, someone is going to try to exploit it.

Yes, the hackers need to be held accountable, but so do you. You are the ones who chose to start hoarding user information, and you are the ones who didn’t even care enough about your users to do so securely. You are the ones who betrayed your users. You are the ones who failed to live up to the responsibility you wouldn’t even have had if you’d stuck to your actual business: making games, rather than collecting usernames and passwords.

Grow up. Start storing only the data you actually need, and make sure that what you do store is kept absolutely goddamn secure. If you ever even see my password, encrypted, hashed and salted or otherwise, you are doing it wrong.

The Windows 8 Touch UI

Thursday, June 2nd, 2011

I don’t get it.

They obviously went to a lot of trouble to design a new touch-based interface. But because they need backwards compatibility as well, they have “traditional” apps isolated into a kind of “Windows 7 ghetto”, something that looks just like Windows 7, and with no visible trace of being integrated into the whole Win8/touch thing… And this is for traditional PCs. On my PC, I’m apparently going to have to choose which environment I’m using currently, because there’s limited interaction between them. And both worlds are going to suffer from that.

Panic-time is over

Tuesday, May 17th, 2011

It’s been a bit quiet on this blog for a while. The last month or so has been brutal. By May 16th, I had to be out of my old apartment (long story), meaning I’ve had to find another place to live pretty urgently.

Without getting into all the painful details, I’ve spent most of the last month or two trying to find a new apartment, and this past weekend was spent moving out of our old apartment, painting it and fixing it up. It’s been stressful, and it hasn’t left much time for anything else.

Until July 1st, when I get to move into the new apartment, I’ll be living on a friend’s couch, so things aren’t quite back to normal yet. But the worst part is over, and hopefully I’ll be able to spend a bit of time now on interesting things, such as blogging, coding and blogging about coding.

TexOverflow — it’s live!

Sunday, November 14th, 2010

A while ago, I made a post about the proposed TeX StackExchange site. Now it’s out of beta, and it’s got a brand new, and pretty sweet-looking, design. Go check it out: http://tex.stackexchange.com/

Yes, you’re going to have to tell me what your question is before I can answer it

Monday, September 13th, 2010

It sometimes amazes me how many people, programmers as well as non-programmers, seem to take offense at my lack of psychic abilities.

Either that, or at my tendency to try to answer questions with a useful answer.

Or maybe they’re just bad at asking questions.

Psychic Octopuses

Monday, July 12th, 2010

So the big news these days is obviously Paul the Psychic Octopus. Definitely interesting. It was able to maintain a 100% success rate in this year’s World Cup (and a much higher success rate than it had in 2008 where it mispredicted a whopping two matches).

So what’s going on here? Freak coincidence? Supernatural powers? At a first glance, both sound ridiculous to me.

But I want to think about the more “interesting” explanation a bit: perhaps Paul really is psychic. Perhaps Paul can tell the future.

TeXOverflow.com? Sounds good

Tuesday, June 22nd, 2010

A StackOverflow sibling site dedicated to LaTeX (or TeX in general) questions has been proposed. However, the site won’t be launched unless enough prospective users indicate that they’re willing to use it.

As a LaTeX user, I’d love to see this take off.

Well, that’s that. What should happen now?

Monday, April 12th, 2010

Dear world.

I graduated. My thesis defense went well and I’m no longer a student. Just thought I’d let you know.

So what happens now? No clue, but I suppose it involves finding a job.

Thesis defense!

Wednesday, April 7th, 2010

The end is nigh.

On Monday the 12th of April, I’m going to defend my master’s thesis. If you’re in the area, and are geeky enough to find it interesting, feel free to drop by.

Post-thesis, post-April-Fools update

Saturday, April 3rd, 2010

Just over a month ago, I handed in my master’s thesis. All that’s left now is an oral defense of it in one of the next few weeks. So what happens then? I suppose I should find a job. A few people have asked if I am going to do a PhD, but I don’t think so. I think I’ve had enough of academia for now. It was fun while it lasted, but I think it’s time to try something different.