Epic Games, Epic Fail: Forumers' info blown into dust by hack

Epic Games, known for its Unreal Engine and the Gears of War series, sent a grovelling letter to its forum users this morning explaining that a hack "may have resulted in unauthorised access to your username, email address, password, and the date of birth you provided at registration." Emails announced that the company has …

  1. Pascal Monett Silver badge

    Sigh

    Another one bites the dust.

    Look, I know security is hard, and Games of War being a rather successful franchise, it was only a matter of time. Still, it's getting dreary now.

    And really, losing user details on a FORUM? For fuck's sake, is it really that hard to not put user credentials on the same authentication path as the posts?

    Else this whole thing is way more technical than I can comprehend, but damn, this is just a drag.

    1. Kevin McMurtrie Silver badge

      Re: Sigh

      Security is straightforward and no more complex than the system it's on. Lots of web pages say how to do it.

      The hard part is justifying the time for it. The simple setup of a good firewall and strong LAN passwords is an impenetrable barrier only until somebody opens a well crafted e-mail on their workstation.

      1. Cpt Blue Bear

        Re: Sigh

        Security is straightforward (I'm so glad you didn't say simple or easy, cheers!) if it's a consideration from the start and there's no interference from management or marketing types with silly ideas.

        Let's take this case: a forum for a game. What do we actually need? A username, an email and a password. The first two need to be stored and used but the last can be hashed so even if it leaks it's no use anywhere else. Simple, understood and easy to implement.

        Then someone from legal points out that you need to confirm an age to comply with something or other. Note that the age doesn't have to be real, just what the user says they are 'cause this is strictly for compliance and arse covering purposes not actual child protection or anything like that. So we start collecting birth dates, flag user as legal or not and dump the original data.

        Then someone from marketing has the genius idea that that data would be useful. I've never seen a compelling case beyond "personalisation" by sending an automated happy birthday message which is about as endearing as any automated greeting. So now we have personal information we have to store and the slippery slope begins. Before you know it you are collecting names, addresses, mother's maiden name and inside leg measurement and all on a system that was never intended to store anything confidential.

        Been there, wrote the post mortem after it went tits up.

        1. Vic

          Re: Sigh

          I've never seen a compelling case beyond "personalisation" by sending an automated happy birthday message which is about as endearing as any automated greeting

          Indeed.

          I wonder how many of us got a load of such greetings on the first of January. I'll bet quite a few of us turned 45 this year :-)

          Vic.

    2. I ain't Spartacus Gold badge

      Re: Sigh

      What is it with all these websites demanding your date of birth, before you can register? I have had this from several restaurants, just to get money off vouchers from them.

      They could at least just ask your age (for games / videos), after all they're only interested in if you're 12 or 18. And in the case of restaurants, what they actually want is your birthday, to send you a special birthday dinner voucher. Which is fair enough. I tend to stagger my birthdays, so I get nice dinner vouchers spread throughout the year from my local chains...

      Obviously one can lie about addresses, phone numbers and dates of birth. But it would be better if websites considered security properly, and didn't bloody well ask!

  2. wolfetone Silver badge

    Tim Berners Lee has it right. There should be one central silo of user data, and websites all access it.

    That'd cut this shit out once and for all. I'd like to think so anyway.

    1. Anonymous Coward

      Centralised would be bad

      If all user details were stored centrally, then that single hack to leak user credentials would also compromise banking, shopping etc.

      Equally - who would own it and who would trust the governing body (and intelligence agencies) looking after it not to subvert it for their own means. No identity on the core system and therefore unable to log into anything...

    2. x 7

      "There should be one central silo of user data"

      I seem to remember Microsoft tried that and it failed to catch on.....I wonder why?

    3. I ain't Spartacus Gold badge

      There should be one central silo of user data

      I read those words, and my instinct is to shout, "Flee!"

      And then run away, terribly fast.

      1. wolfetone Silver badge

        Don't hate me for saying it. Hate Tim Berners Lee. He's the one who had the idea, I am merely repeating what he said.

        But think about it, there are websites who allow you to log in using Twitter, Facebook and Google, and they usually access the user data. And I bet there's a few who have commented or downvoted this idea who have used such a service.

  3. L05ER

    Epic Lulz

    Hahahaha... Games of War...

    Nice try though...

  4. Diogenes

    While they are at it

    Can they modify UE so it doesn't need to phone home on start (or install) - or if not at least allow me to set the proxy & credentials so that it can access the interwebz.
