Re: Regarding the Use of Third-Party Programs and Player Safety

[Rolder50]

It's funny that they add a blacklist feature and inadvertently made it even EASIER to stalk people by doing so

[Jokerz_93]

Uhm…
I don’t understand much of these things.
One thing I do, tho, is how forum ppl seem to have the solution at hand and…just saying “here I am with the solution”.

Ok, now then?
If someone was really concerned about an issue affecting their own, they would do something in regard, wouldn’t they?

To me, shouting the solution without actions it’s just smoke.
As much as I don’t like where this company is going, It’s hard to think to me that everybody on SE’s HQ are dumb and stupid.
It is still a multibillion company with a fair decent amount of failure game titles on the back. You can’t reach this point if your employees and work culture are stupid, I think. It it could be just luck, tho…, I don’t know.

I think, at the end, that the most simple answer is that they know the solution and they are capable to implement it, just not convenient.
Because money, because they got fever, because of the global heating, because of 5ghz, because anything.
Anything that those who screams with solutions cannot understand.
And to be blunt, those data are just a bunch of in game personal informations.
If those are not protected in any way by SE, this makes me think that even SE doesn’t consider those data relevant.

Well that’s my take, take or leave it. Up to you.
Have a good day!!

[Rehayem]

The only reason YoshiP's statement is about going after the plugin creator is really just PR talk for shareholders. If they admit they made a mistake, their stocks would drop significantly and obviously they don't want that.

[Immut]

Uhm…
I don’t understand much of these things.
One thing I do, tho, is how forum ppl seem to have the solution at hand and…just saying “here I am with the solution”.

Well it's not hard. The technical and legal incompetence on display here by Yoshida is honestly staggering. Who is he going to "pursue legal action" against? Himself? SE is the one broadcasting this data. You don't need a plugin to read it, you just need any network traffic sniffer. You don't even need it to be on the same machine.

[VanillaWafer]

-snip-

I have the same feeling, you're not alone. With all these simple solutions people have been spewing out, you don't think they've already considered that possibility? We don't know if they've already tried in their internal servers and we'll likely never know.

Yes, it's true that character data are not protected. It seems that people are just very attached to their characters and their privacy attached to them. While I don't think there's anything wrong with that, we all need to understand that character data is not personal data. That's why there isn't a bigger fuss about this whole thing.

Though, I am a little bothered by "Just don't use the tool." Okay, most players wouldn't use it in the first place, but you can't expect those who are to eventually drop that data. Let's be real here, free will is a thing because they think whatever their justifications are is valid, even if they are wrong.

I've already accepted the fact that my data is most likely scraped. I do feel bad for those who don't want that information in someone's database, but there's nothing I or any player can do.

I don't like the response, but I already figured that's the route he'd take. It's way too late anyway as the damage is done. It's literally, "Yeah, we know and we hear you, just don't add yourself to the problem."

We're sitting ducks, then? Okay.

[Kaurhz]

Ever used a "Login with Google" button on some random website? Do you know what that website gets? A unique, internal account ID that Google has assigned to you. Details:

In technical terms, the login flow uses a protocol known as OpenID Connect. One the pieces of information the website eventually gains access to is a "sub" claim:

An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple email addresses at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.

Sending out unique identifiers isn't inherently insecure. It's what that unique identifier can be used for or tied to that is potentially the problem.

Inherently it isn't a problem, but with the way that FFXIV are doing it, it absolutely is a problem, and absolutely is not a secure way of doing it.

It has also been a very long time since I've touched OIDC, but I am under the impression the sub claim is only shared with the replying application/party that has authenticated and when said person has requested said information. I am also under the impression that it isn't just sending my sub claim to another random user.

[ValynS]

I don't know if there's realistically a bulletproof way to solve the underlying issue - which imo isn't the exposure of the account id, but is the fact it can reveal which other characters are mine. With the underlying goal being to block all my characters from being visible or being able to interact with someone, theres always going to be a way to figure that out - maybe slightly harder than this tool using account id, but not by much.

Ultimately there needs to be better tools for reporting and dealing with harassment because even with a theoretical bulletproof blacklist nothing stops a bad actor rolling a new account

[Saraide]

So now you're requiring people to know how to get, install wireshark, and now modify wireshark with plugins and export and extract that data.
You act like requiring a massive amount more tech literacy is the same as a github repo where you plug it into the dalamud launcher and it installs and works instantly.

You guys are so concerned with a perfect solution with no security holes you're ignoring any mitigation or path forward that reduces the spread and efficacy of the plugin.

StalkerScope is fully operational if only a small group of people use it. Literally just have one guy logging on a data center, travel every server there and open the player search. In a week or two you will have the unique player ID of everyone.

[Exmo]

I don't know if there's realistically a bulletproof way to solve the underlying issue - which imo isn't the exposure of the account id, but is the fact it can reveal which other characters are mine. With the underlying goal being to block all my characters from being visible or being able to interact with someone, theres always going to be a way to figure that out - maybe slightly harder than this tool using account id, but not by much.

Ultimately there needs to be better tools for reporting and dealing with harassment because even with a theoretical bulletproof blacklist nothing stops a bad actor rolling a new account

I said the same in another thread. Any blacklist system that blocks an account's alts can be used to discover an account's alts. There is no technical solution that can prevent it.

[BigCheez]

I said the same in another thread. Any blacklist system that blocks an account's alts can be used to discover an account's alts. There is no technical solution that can prevent it.

And you're still wrong.

If the blacklist is handled server side, I don't need to be given any information other than a boolean true/false value for whether a character is blacklisted. I don't need to have access to the character id, never mind the account id that the character belongs to.

All I need to know are the names of the characters that I've blacklisted and that I'm sent [message from blacklisted user] instead of the actual content of a message from a blacklisted user.

When you go to a store and buy something, do they take your money, put it in the cash register and hand you back your change, or do they hand you the cash register and let you do what you want with it? Same thing. You're effectively claiming that there's no way to handle the transaction without the customer having access to the money in the cash register.