<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>jalf.dk &#187; facebook</title>
	<atom:link href="http://jalf.dk/blog/tag/facebook/feed/" rel="self" type="application/rss+xml" />
	<link>http://jalf.dk/blog</link>
	<description>Musings and thoughts on programming and other geeky stuff</description>
	<lastBuildDate>Sun, 25 Mar 2012 09:51:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Dear games industry. Grow up</title>
		<link>http://jalf.dk/blog/2012/01/dear-games-industry-grow-up/</link>
		<comments>http://jalf.dk/blog/2012/01/dear-games-industry-grow-up/#comments</comments>
		<pubDate>Sat, 07 Jan 2012 15:42:18 +0000</pubDate>
		<dc:creator>jalf</dc:creator>
				<category><![CDATA[Games]]></category>
		<category><![CDATA[Meanwhile]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[games-industry]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[login]]></category>
		<category><![CDATA[openid]]></category>
		<category><![CDATA[rant]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://jalf.dk/blog/?p=912</guid>
		<description><![CDATA[Sony Sony Again Nintendo Epic CodeMasters Bethesda BioWare Square Enix Sega BioWare EA 2011 was the year of the games industry, as a whole, getting hacked. Dear games industry; huge international publishers and development studios: are you seriously going to tell me you didn’t see this coming? For the last several years, the games industry [...]]]></description>
			<content:encoded><![CDATA[<ul>
<li><a href="http://www.wired.com/gamelife/2011/04/playstation-network-hacked/">Sony</a></li>
<li><a href="http://www.joystiq.com/2011/05/02/sony-hit-with-second-attack-loses-12-700-credit-card-nu/">Sony Again</a></li>
<li><a href="http://arstechnica.com/security/news/2011/06/lulz-security-takes-on-nintendo-fbi-sony-fbi-fights-back.ars">Nintendo</a></li>
<li><a href="http://www.bluesnews.com/s/122640/epic-hacked">Epic</a></li>
<li><a href="http://www.engadget.com/2011/06/13/codemasters-website-hacked-tens-of-thousands-of-personal-acco/">CodeMasters</a></li>
<li><a href="http://arstechnica.com/gaming/news/2011/06/hacker-group-lulzsec-demands-hats-threatens-release-of-brink-user-data.ars">Bethesda</a></li>
<li><a href="http://arstechnica.com/gaming/news/2011/06/bioware-hacked-data-taken-from-decades-old-neverwinter-forum.ars">BioWare</a></li>
<li><a href="http://www.computerandvideogames.com/301202/anonymous-accused-of-hacking-eidos-deus-ex-websites/">Square Enix</a></li>
<li><a href="http://www.computerandvideogames.com/307915/news/madness-continues-sega-hacked-personal-data-stolen/">Sega</a></li>
<li><a href="http://www.rockpapershotgun.com/2011/06/24/bioware-hacked/">BioWare</a></li>
<li><a href="http://www.rockpapershotgun.com/2011/06/26/lulzsec-over-release-battlefield-heroes-data/">EA</a></li>
</ul>

<p>2011 was the year of the games industry, <em>as a whole</em>, getting hacked.</p>

<p>Dear games industry; huge international publishers and development studios: are you seriously going to tell me you didn’t see this coming?</p>

<p>For the last several years, the games industry has been infested by a plague of account systems. EVERY company wanted their customers to sign up for THEIR unique account, marketplace, community and download central, preferably with separate accounts for each. And then another account for support requests, of course. And the more of these accounts can be associated with credit card information, the better. And of course, in true games industry fashion, as much as possible should be developed in-house.</p>

<p>Every games company wants me to create a unique account <em>just for them</em>. Every games company wants my password. And apparently, nearly as many let their security be handled by Joe the Intern who does their website on weekends.</p>

<p>It’s absurd. And not just because you are getting hacked en masse, and your users have their sensitive information leaked to hackers courtesy of you and your incompetence and your stubborn insistence on acquiring sensitive information that you have no need of, no business storing, and are not qualified to handle and safeguard.</p>

<p>It is also absurd because, even when you are not being hacked, it is infuriating your users. I don’t want to have to invest in your imaginary currency (which can only be bought in bulk, in quantities conveniently designed to force you to spend more money up front than the price of the item you wanted to buy), in order to purchase DLC for my games. I don’t want to have to remember 47 different account usernames and passwords. I don’t want to have to remember which email address I signed up with two years ago on the company you bought 6 months ago and whose account database you have now integrated into yours.</p>

<p>I don’t want to have to guess whether I am supposed to log in with my BioWare account or my EA account when unlocking stuff for my BioWare game (published by EA).
I don’t want to have to log in to both Steam and GfWL to play a game. I don’t want to have to log in to Rockstar Games Social Club. Sega, was it <em>worth</em> it to make me sign up for a Sega Pass? Did you get enough value out of yet another username in your database to justify my password now being in the hands of hackers?</p>

<p>All of you, do you really <em>need</em> me to sign up for anything <em>at all</em>? Or is this just your vanity and your 20-year-old habit of prompting users to “please fill in your registration card while you wait for the installer”, updated to the internet era for no reason whatsoever?</p>

<p>The rest of the world has, by and large, learned a couple of important lessons over the last years:</p>

<ul>
<li>online security is hard, and</li>
<li>users have plenty of accounts everywhere already, and they don’t want to have to sign up for <em>your</em> exclusive site any more than they want to sign up for the 400 other sites they visited recently.</li>
</ul>

<p>Thus, quite a lot of serious websites now “outsource” the account security business to those who are qualified to handle it. We have Facebook Connect, relying on the assumption that Facebook, a site with 400 million users, and a <em>very</em> tempting target for hackers, is able to deal securely with authentication, and we have OpenID, relying on the assumption that users themselves will use a provider that they trust among the countless different ones available.</p>

<p>What these have in common is that they allow you, the company hosting a website and an online service, to provide all the benefits of a personal user account to your users, but without you ever <em>seeing</em> a password, and without you being able to lose quite as much sensitive data <em>when</em> you get hacked. It also provides the convenience benefit of allowing the user (without <em>forcing</em> the user to do so) to reuse the same user ID across multiple sites, and it even offers the potential for exchanging (with the users’ consent, of course) information <em>between</em> different game companies.</p>

<p>And you know what? Steam is an OpenID provider. You could implement OpenID-based authentication, and people would be able to log in with their Steam ID (or their GMail account, or any of the dozens of other OpenID providers, of course), and <em>you wouldn’t have to worry about protecting their passwords</em>.</p>

<p>You could, practically in your lunch break, write a login system which allows GMail users, Steam users and Facebook users to log in using their credentials from <em>those</em> services, handled securely by <em>those</em> services, where you get all the benefit of juicy direct and “exclusive” access to the user, without the headaches of “how do we store the users’ username and password”, and without hassling the user with “please come up with a username and password for <em>yet another</em> site”.</p>

<p>So, dear games industry. I’m sure that pretty much anyone who has played a game over the last decade has already had his username, password, pet name, address and credit card info leaked by now, thanks to you.</p>

<p>But how about putting a stop to it from now on? How about leaving security to the companies that actually invest in it, and who make it their business? How about, along the way, getting rid of the current account <em>hell</em> where every user has to, for every game, every development studio and every publisher, remember a unique combination of URL (where your “service” is hosted <em>this month</em>, after the latest relaunch, the latest merger or the latest “let’s just start over because our previous system sucked”), and username, password and email address to log in to said URL?</p>

<p>How about making your jobs easier, while also treating your customers better and giving less information away to hackers?</p>

<p>How about growing up and catching up?</p>

<p>A common sentiment when these hacks really exploded this past summer was “these hackers need to be stopped”, but that’s missing the point. They’re only showing how absolutely trivial it is to hack a huge number of websites. Arresting them, torturing them for a few years at Gitmo or condemning them to the deepest pit of Hell doesn’t matter, because your websites are still vulnerable, and in a world of 7 billion people, <em>someone</em> is going to try to exploit it.</p>

<p>Yes, the hackers need to be held accountable, but <em>so do you</em>. <em>You</em> are the ones who chose to start hoarding user information, and <em>you</em> are the ones who didn’t even care enough about your users to do so securely. You are the ones who betrayed your users. You are the ones who failed to live up to the responsibility you wouldn’t even have <em>had</em> if you’d stuck to your actual business: making games, rather than collecting usernames and passwords.</p>

<p>Grow up. Start storing only the data you actually need, and make sure that what you <em>do</em> store is kept absolutely goddamn secure. If you ever even <em>see</em> my password, encrypted, hashed and salted or otherwise, <em>you are doing it wrong</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://jalf.dk/blog/2012/01/dear-games-industry-grow-up/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Privacy: Or why I don’t trust Google with my personal information</title>
		<link>http://jalf.dk/blog/2010/02/privacy-or-why-i-dont-trust-google-with-my-personal-information/</link>
		<comments>http://jalf.dk/blog/2010/02/privacy-or-why-i-dont-trust-google-with-my-personal-information/#comments</comments>
		<pubDate>Sun, 14 Feb 2010 01:50:14 +0000</pubDate>
		<dc:creator>jalf</dc:creator>
				<category><![CDATA[Meanwhile]]></category>
		<category><![CDATA[buzz]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://jalf.dk/blog/?p=506</guid>
		<description><![CDATA[So Google launched their Twitter/MySpace/Facebook killer, Buzz, and apparently subscribed every GMail user to it without asking anyone for permission. The result is that a lot of people now have sensitive personal information floating around in public. An example of this (found via ArsTechnica) is this woman, who starts her post like this: I use [...]]]></description>
			<content:encoded><![CDATA[<p>So Google launched their Twitter/MySpace/Facebook killer, Buzz, and apparently subscribed every GMail user to it without asking anyone for permission.</p>

<p>The result is that a lot of people now have sensitive personal information floating around in public.<span id="more-506"></span> An example of this (found via <a href="http://arstechnica.com/tech-policy/news/2010/02/a-frustrated-user-lashes-out.ars">ArsTechnica</a>) is <a href="http://fugitivus.wordpress.com/2010/02/11/fuck-you-google/">this woman</a>, who starts her post like this:</p>

<blockquote>
  <p>I use my private Gmail account to email my boyfriend and my mother.</p>
  
  <p>There’s a BIG drop-off between them and my other “most frequent” contacts.</p>
  
  <p>You know who my third most frequent contact is?</p>
  
  <p>My abusive ex-husband.</p>
  
  <p>Which is why it’s SO EXCITING, Google, that you AUTOMATICALLY allowed all my most frequent contacts access to my Reader, including all the comments I’ve made on Reader items, usually shared with my boyfriend, who I had NO REASON to hide my current location or workplace from, and never did.</p>
</blockquote>

<p>Ouch.</p>

<p>Others, with less at stake personally, are <a href="http://news.cnet.com/8301-31322_3-10451428-256.html">also pissed</a>:</p>

<blockquote>
  <p>See, I love the idea of neat new tech innovations that lead to streamlined communication, real-time updating, in-line video and photo posting, and supersimple friend and contact integration. I do not, however, like a product that bursts through my door like a tornado and opts me in to wanton in-box clutter and spam (or, more precisely, bacn) publicly reveals my personal contact list without asking me, threatens to broadcast my e-mail address anytime someone wants to @ me in a Buzz, and even appears to grab photos off my Android phone that I’ve never uploaded.</p>
</blockquote>

<p>or <a href="http://ventspace.wordpress.com/2010/02/10/i-have-google-buzz-now-apparently/">this one</a></p>

<blockquote>
  <p>So…yeah, I guess I’m on Google Buzz. It’s linked to my Picasa and WordPress accounts, so you can follow everything I do. Cause that’s not creepy or anything. The best part is that the defaults for everything are public, and you end up broadcasting to a bunch of random people unless you sit down and sort through. I’m expecting this to backfire for a bunch of people, and not just eventually but almost immediately. It might not be a bad idea to start a betting pool on when the first child porn charges are filed as some highschool student accidentally sends herself to the entire school.</p>
</blockquote>

<p>I could go on, but I really don’t want this to turn into some kind of link farm.</p>

<p>I’m not personally affected by this. I do have a GMail account, and yes, they opted me in to Buzz, but the account contains no personal information whatsoever, and no personal emails. I use it exclusively as a dumping ground for spam and form mails I don’t want cluttering up my <em>real</em> email inbox. I’ve never even sent an email from the account.</p>

<p>I use the Google search engine, but I am not signed in to it, and have never created a profile or a customized homepage on it. I’m sure they could still identify me just by examining cookies or my IP address, but at least they’d have to work for it. And it’s not like my Google searches are state secrets anyway. As long as people are not able to search for my name and bring up a list of everything I’ve searched for, I’m satisfied.</p>

<p>I also use Google Analytics for this blog. I feel OK about that because this blog is already my public face on the internet. Google already knows a lot about it simply by indexing it for their search engine. I have no problem with them generating statistics on where my visitors come from, as long as they make the information available to me too. The only sensitive information associated with this blog is my login password, and I’m pretty sure Google doesn’t have that. And they’re not getting it, even if they launched a GPassword service tomorrow.</p>

<p>I use the WordPress software, but not hosted on WordPress.com. I don’t use Picasa or Google Reader. I don’t use Google Documents.</p>

<p>So all in all, yes, Google certainly knows a lot of fragments of information about me. Google searches can turn up quite a bit, they can collect a few more bits and pieces through cookies when I use their search engine, and they have a lot of statistics on who reads my blog. But they can’t read my emails. They don’t have any really sensitive information about me. Nothing related to my work, personal life or studies is tied to Google.</p>

<p>And this brings us to the point of this post:</p>

<h1>Don’t blame Buzz, blame GMail</h1>

<p>A lot of people are furious at Google for the mixture of incompetence and indifference towards users’ privacy with which Buzz was launched, and while that might be justified, it is missing a fundamental point.</p>

<p>Buzz is just doing what Google does best, what they’ve always done, and what they <em>should</em> be doing. Here’s what Google’s own <a href="http://www.google.com/corporate/">website</a> has to say on the company’s mission:</p>

<blockquote>
  <p>Google’s mission: to organize the world’s information and make it universally accessible and useful</p>
</blockquote>

<p>Google is dedicated to making information <em>universally accessible</em>. For a lot of information, that’s a good thing. Their search engine turned the internet upside down — for the first time ever, users were able to actually <em>find</em> the information they needed. Google is good at this, and we’ve benefited hugely from it.</p>

<p>And social networking is right up Google’s alley as well: Social networking is all about making information about you and me accessible to the world in an organized manner. A lot of Facebook’s popularity relies on their ability to analyze our existing relations, friendships and networks, and use this to suggest new friends. My Twitter would be useless if I couldn’t follow the people I wanted to keep up with, and if others couldn’t find my tweets through searches. Buzz is simply more of the same, and there is nothing wrong with that. It’s another social networking service, and Google is <em>exactly</em> the right company to do something like this. No one is better at organizing information and telling us exactly what we want to know.</p>

<p>The problem is that another of their services is not so well suited for the company. Email is something almost everyone considers personal and private. Even the US government, in its desperate war on people who wear turbans, speak funny and pray to Allah, has only given itself permission to sniff the subject lines of people’s mails sent over GMail. This is considered the equivalent of reading the envelope, without opening it and looking at the letter inside. Because that letter is personal. And so are the bodies of our emails.</p>

<p>But if we consider our emails to be sensitive personal information, then <em>why do so many people entrust them to a company whose stated mission is “to make the world’s information universally accessible”</em>?</p>

<p>A company like that should <em>never</em> be entrusted with our sensitive information.</p>

<p>Facebook has made some major blunders regarding privacy, but their mission seems to be something like “can’t we just all get along”. In Facebook’s perfect world, everyone is friends with everyone else. This doesn’t excuse their privacy issues, but at least it tells us that they’re not directly opposed to the idea of privacy. They’re just clumsy and don’t think things through.</p>

<p>Google, however, is different. In the perfect Google world, <strong>privacy does not exist</strong>. In Google’s dream world, I could go take a look at Bill Gates’ emails, Steve Jobs’ search history, or Bono’s shopping list. It is information. It should be made available to the world.</p>

<p>So no, there’s nothing wrong with Google Buzz. It should absolutely broadcast everything Google knows about us to the world. The problem is that Google has been given sensitive information <em>in the first place</em>. Google shouldn’t know anything about us that can’t safely be published through Buzz. If GMail had never existed, Google would not know that the woman in the first example has received emails from her abusive ex-husband, and so they couldn’t have caused her any problems. The only things Buzz would have known about us would be what we told it.</p>

<p>Imagine if Twitter or Facebook had been built by Google, based on their search engine and their ability to categorize and organize information. That is what Buzz could potentially become, and that’d be nothing short of amazing. At least as long as we all take care to keep our emails and other sensitive information <em>far</em> away from Google.</p>

<p>Don’t opt out of Buzz because of privacy concerns. Opt out of GMail instead. Expect every new service Google launches to do as Buzz. Their mission is to make all information available to the world, and they’re going to keep trying. You’re fighting a losing battle. You can keep opting out of their services till the cows come home. It’s always a temporary solution at best. Instead, fix the root issue: Make sure Google is not given any sensitive information about you in the first place.</p>
]]></content:encoded>
			<wfw:commentRss>http://jalf.dk/blog/2010/02/privacy-or-why-i-dont-trust-google-with-my-personal-information/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>OpenID 2.0 and HTTP redirects</title>
		<link>http://jalf.dk/blog/2009/12/openid-2-0-and-http-redirects/</link>
		<comments>http://jalf.dk/blog/2009/12/openid-2-0-and-http-redirects/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 23:48:36 +0000</pubDate>
		<dc:creator>jalf</dc:creator>
				<category><![CDATA[Meta]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[http]]></category>
		<category><![CDATA[openid]]></category>

		<guid isPermaLink="false">http://jalf.dk/blog/?p=417</guid>
		<description><![CDATA[Ever since I signed up on StackOverflow.com roughly a year ago, I’ve had an OpenID. On the whole, I think it’s a great concept, and I wish more sites would allow me to sign in with it. However, a few things have been bothering me about it. When I first signed up, I did a [...]]]></description>
			<content:encoded><![CDATA[<p>Ever since I signed up on <a href="http://stackoverflow.com/">StackOverflow.com</a> roughly a year ago, I’ve had an OpenID. On the whole, I think it’s a great concept, and I wish more sites would allow me to sign in with it.</p>

<p>However, a few things have been bothering me about it.<span id="more-417"></span></p>

<p>When I first signed up, I did a bit of research, and found out that you can use your own domain as your OpenID. You simply enter the following in the <code>&lt;head&gt;</code> of an HTML page you control:</p>

<pre><code>&lt;link rel="openid.server" href="http://myopenidprovider" /&gt;
&lt;link rel="openid.delegate" href="http://myopenid-at-that-provider/" /&gt;
</code></pre>

<p>And the URI of that HTML page can now be used as your OpenID. It will forward authentication requests to the specified provider. This gave me a nice clean URI to use as my OpenID, and as a bonus, it meant that I could change my OpenID provider and keep my ID, just by editing this HTML.</p>

<p>Of course, I quickly found out there was a downside as well. When I created this blog, I placed it in <code>http://jalf.dk/blog</code>. I figured I could easily add a redirect from <code>http://jalf.dk</code> and so it wouldn’t matter in the long run.</p>

<p>When I tried adding this redirect, I realized that this of course would also redirect any OpenID requests. My OpenID provider would then see a login attempt from <code>http://jalf.dk/blog</code> instead, and all hell would break loose.</p>

<p>So I removed the redirect, and instead placed this message in <code>http://jalf.dk/</code> along with the OpenID <code>&lt;link&gt;</code> tags:</p>

<blockquote>
  <p>Please go <a href="http://jalf.dk/blog/">here</a> for my blog. Sorry for the lack of a proper redirect.</p>
</blockquote>

<p>Not very elegant, but it worked. OpenID requests were handled correctly, and readers of my blog could follow the link, or just bookmark <code>/blog</code> in the first place.</p>

<p>Today, a friend asked me why I didn’t have a redirect, and I explained the above problem. I didn’t think about it any further until half an hour ago, when I realized that Facebook can be tied to an OpenID account. As I said before, the more services I can log in to with my OpenID, the better, so I attempted to add my OpenID… And got a nasty error message telling me that my OpenID only supported version 1.1, and Facebook required 2.0.</p>

<p>Geez, I hadn’t even realized there were multiple versions.</p>

<p>So I went hunting for a solution. And it turned out to be pretty simple, and to have the nice side effect of solving the redirection problem as well!</p>

<p>It turns out that the <code>&lt;link&gt;</code> tags embedded in HTML only work for OpenID 1.0 and 1.1. For 2.0, you have to provide a YADIS XML file when a request asks for the MIME type <code>application/xrds+xml</code> in its <code>Accept</code> header.</p>

<p>Unfortunately, there seem to be very few examples online of what this file should <em>look like</em>.
I did find a nice example of using a YADIS file for OpenID 1.0 <a href="http://blog.paulisageek.com/2009/06/easy-openid-delegation-with-yadis.html">here</a>, which got me started. The Wikipedia article on <a href="http://en.wikipedia.org/wiki/Yadis">YADIS</a> held another example, but again only with OpenID 1.0. However, it also shows how to specify LID 2.0, so while I have no clue what LID is for, at least it gave a hint of how to support multiple versions.</p>

<p>Finally, diving into the <a href="http://openid.net/specs/openid-authentication-2_0.html">specification for OpenID 2.0</a>, I discovered the correct URI to specify as <code>&lt;Type&gt;</code> in the YADIS file: <code>http://specs.openid.net/auth/2.0</code>. Of course they just <em>had</em> to change the URI format between versions 1.1 and 2.0. Nothing is ever that easy.</p>

<p>But with this, the last piece fell into place. I created an <code>openid.xml</code> file looking like this:</p>

<pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
xmlns:openid="http://openid.net/xmlns/1.0"&gt;
  &lt;XRD&gt;
    &lt;Service priority="50"&gt;
      &lt;Type&gt;http://specs.openid.net/auth/2.0/signon&lt;/Type&gt;
      &lt;URI&gt;http://myopenidprovider&lt;/URI&gt;
      &lt;openid:Delegate&gt;http://myopenid-at-that-provider/&lt;/openid:Delegate&gt;
    &lt;/Service&gt;
    &lt;Service priority="20"&gt;
      &lt;Type&gt;http://openid.net/signon/1.1&lt;/Type&gt;
      &lt;URI&gt;http://myopenidprovider&lt;/URI&gt;
      &lt;openid:Delegate&gt;http://myopenid-at-that-provider/&lt;/openid:Delegate&gt;
    &lt;/Service&gt;
    &lt;Service priority="10"&gt;
      &lt;Type&gt;http://openid.net/signon/1.0&lt;/Type&gt;
      &lt;URI&gt;http://myopenidprovider&lt;/URI&gt;
      &lt;openid:Delegate&gt;http://myopenid-at-that-provider/&lt;/openid:Delegate&gt;
    &lt;/Service&gt;
  &lt;/XRD&gt;
&lt;/xrds:XRDS&gt;
</code></pre>

<p>and used the PHP snippet from <a href="http://blog.paulisageek.com/2009/06/easy-openid-delegation-with-yadis.html">paulisageek</a>, which, if the content-type <code>application/xrds+xml</code> is detected in the request’s <code>Accept</code> header, returns the contents of the <code>YADIS</code> file (and for any other request, simply forwards to <code>/blog</code>):</p>

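<pre><code>&lt;?php
// Serve the XRDS (YADIS) document to OpenID consumers that ask for it;
// send everyone else on to the blog.
$accept = isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : '';
if (strpos($accept, "application/xrds+xml") !== FALSE) {
  header("Content-Type: application/xrds+xml");
  echo file_get_contents("openid.xml");
}
else {
  header("Location: http://jalf.dk/blog");
  exit; // stop here so nothing else is sent after the redirect
}
?&gt;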
</code></pre>

<p>I now have:</p>

<ul>
<li>The same nice, short, easy-to-remember OpenID URI I always had</li>
<li>My blog accessible from <code>http://jalf.dk</code></li>
<li>My Facebook account linked to my OpenID</li>
<li>Support for OpenID version 2.0</li>
</ul>

<p>All in all, I’m happy. And now that I’ve documented the process, perhaps the next person who runs into this problem may be a bit happier too.</p>
]]></content:encoded>
			<wfw:commentRss>http://jalf.dk/blog/2009/12/openid-2-0-and-http-redirects/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

