Page 4 of 25 (results 31 to 40 of 279)

  1. #1
    Archmortal (Player; joined Dec 2015; 20 posts; character Auric Archmortal, world Midgardsormr, Samurai Lv 90)
    Having the plug-in taken down won't accomplish much. The creator is already planning to distribute it among his friends and in less visible spaces. Pursuing legal action will only stop the creator, it won't stop the people that have already copied the plug-in with plans to make their own. I encourage seeking legal action but it will not prevent another copy-cat plug-in from doing the exact same thing.

    What MUST be done is protecting the account ID that no one asked for. You could simply NOT send it client-side. If it absolutely MUST be sent client-side for the blacklist to use its current features then you must AT MINIMUM protect it with randomized hashing if you can't be bothered to encrypt it. You cannot let such sensitive data be sent to the client with no protection in a game that you KNOW has such heavy plug-in usage. Basic data security is just completely absent from its current implementation. THAT'S the problem, Yoshida.
    (13)
    Last edited by Archmortal; 01-25-2025 at 01:04 AM.

  2. #2
    Sarevok_Thordin (Player; joined Mar 2017; 446 posts; character Sarevok Thordin, world Brynhildr, Red Mage Lv 100)
    Quote Originally Posted by Archmortal:
    Having the plug-in taken down won't accomplish much. The creator is already planning to distribute it among his friends and in less visible spaces. Pursuing legal action will only stop the creator, it won't stop the people that have already copied the plug-in with plans to make their own. I encourage seeking legal action but it will not prevent another copy-cat plug-in from doing the exact same thing.

    What MUST be done is protecting the account ID that no one asked for. You could simply NOT send it client-side. If it absolutely MUST be sent client-side for the blacklist to use its current features then you must AT MINIMUM protect it with randomized hashing if you can't be bothered to encrypt it. You cannot let such sensitive data be sent to the client with no protection in a game that you KNOW has such heavy plug-in usage. Basic data security is just completely absent from its current implementation. THAT'S the problem, Yoshida.
    This is the issue, the client does not need the accountID to do anything as it isn't interacting with the other player's account, it's only the character that it sees it needs to check. The accountID should be a server side check with anything requiring the use of account id being managed through a characterid challenge from the client.

    A basic pattern of security is least privilege, the client should never have read privilege on account ids of other people.
    (6)

  3. #3
    Exmo (Player; joined Nov 2024; 797 posts; character Exterior Motive, world Raiden, Dancer Lv 100)
    Quote Originally Posted by Sarevok_Thordin:
    This is the issue, the client does not need the accountID to do anything as it isn't interacting with the other player's account, it's only the character that it sees it needs to check. The accountID should be a server side check with anything requiring the use of account id being managed through a characterid challenge from the client.

    A basic pattern of security is least privilege, the client should never have read privilege on account ids of other people.
    This doesn't make sense. The blacklist feature blocks another player and their alts. Therefore, the client needs to know some info about those alts so it can block them.
    (0)

  4. #4
    SongOfTheWind (Player; joined Apr 2024; 257 posts; character Freja Heleh, world Moogle, Dark Knight Lv 90)
    Quote Originally Posted by Exmo:
    This doesn't make sense. The blacklist feature blocks another player and their alts. Therefore, the client needs to know some info about those alts so it can block them.
    It makes perfect sense in the world where the client is not given authority to do account wide blocking. When you block me, as in, my character - you, as a client, are not supposed to be entitled to information beyond that. The server is supposed to know what other characters I have, not you. You only need to get appropriate information about the characters around the world based on what your blacklist is. How that blacklist to character is resolved is for the server to decide, not you.
    Does it make more sense? Yes, this is more complex than just blocking individual characters, but more often than not - if you can’t make it right just don’t make it at all is the best approach.
    (12)

  5. #5
    Player
    Exmo's Avatar
    Join Date
    Nov 2024
    Posts
    797
    Character
    Exterior Motive
    World
    Raiden
    Main Class
    Dancer Lv 100
    Quote Originally Posted by SongOfTheWind View Post
    It makes perfect sense in the world where the client is not given authority to do account wide blocking. When you block me, as in, my character - you, as a client, are not supposed to be entitled to information beyond that. The server is supposed to know what other characters I have, not you. You only need to get appropriate information about the characters around the world based on what your blacklist is. How that blacklist to character is resolved is for the server to decide, not you.
    Does it make more sense? Yes, this is more complex than just blocking individual characters, but more often than not - if you can’t make it right just don’t make it at all is the best approach.
    You're talking about moving the whole feature server side, which is different to what I was replying to. Moving the feature server side is an option but it's vastly more complex and expensive. Whether it's for much of a gain is open for discussion. Although it's how a small, small number of players use alts, I don't know if SE consider them as a security mechanism to mitigate stalking. Has there ever been a statement to this effect? I doubt they view alts as a matter of privacy, so they probably view the problem caused by this exposed ID as being already resolved by the blacklist feature - your stalker might know of your alts but they can't harass you in game once you blocked them. Determined stalkers will create an entirely new account to bypass your blacklist, but the reporting feature is in place to help people as well. I don't know, I'm only speculating based on what SE have and haven't said so far, but I suspect they might have a different perspective on the whole thing. Maybe they'll give a statement some point in the future that makes their stance clearer.
    (0)

  6. #6
    Player
    BigCheez's Avatar
    Join Date
    Oct 2021
    Location
    Ul'Dah
    Posts
    732
    Character
    Cheez Whiz
    World
    Twintania
    Main Class
    Paladin Lv 100
    Quote Originally Posted by Exmo View Post
    This doesn't make sense. The blacklist feature blocks another player and their alts. Therefore, the client needs to know some info about those alts so it can block them.
    No, it doesn't.

    What happens right now is that you're given the account id of the account that the character belongs to, to check if it matches an account id in your blacklist.

    What should happen is that the server should check if the account id matches the account id of any of the characters in your blacklist and just send you a simple yes/no response, so you know if the player is blacklisted but aren't given access to any additional data.

    This is the kind of thing that you would generally expect someone to learn in their first year as a junior software developer.
    (11)

  7. #7
    Player
    MiaBlaze-Cari's Avatar
    Join Date
    Aug 2021
    Location
    Gridania
    Posts
    97
    Character
    Leda Crysthira
    World
    Sagittarius
    Main Class
    Dark Knight Lv 100
    Quote Originally Posted by Exmo View Post
    This doesn't make sense. The blacklist feature blocks another player and their alts. Therefore, the client needs to know some info about those alts so it can block them.
    The client doesn't need to know anything in that regard if that stuff is handled on the server. Let's say Player A logs in on an alt to harass Player B. Player B has Player A blacklisted and therefore the server simply would not send the data about Player A to Player B at all. If blacklists worked both ways then the Player B data would also not reach Player A.

    The way it is now the server sends the data all the time and the client has to handle it, with blacklist data that is from the self-same server. The Blacklist is already saved server-side so it should also be handled there instead of sending an immutable ID of everyone that can be linked to everything on their accounts.
    (5)
    Boop!
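The three designs argued over in posts #1, #6 and #7 (the raw account ID shipped to the client, a randomized/keyed pseudonym in place of the ID, and a purely server-side yes/no) side by side, as an added toy model in Python. This is illustration only, not the game's protocol or anyone's plugin; the character names, account numbers and session keys are constructed, and the payload shapes are assumptions.

```python
"""Toy model of the three blacklist designs debated in this thread.

Added illustration only; none of this is the game's real protocol. Character
names, account numbers and session keys below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed world state: every character belongs to exactly one account.
# Three of the four characters are "alts" of account 1001.
CHARACTERS = {
    "Auric Example":   {"account_id": 1001},
    "Auric Alt":       {"account_id": 1001},
    "Friendly Player": {"account_id": 2002},
    "Another Alt":     {"account_id": 1001},
}
# The viewer has blacklisted one character by name (what the UI actually offers).
VIEWER_BLACKLIST = {"Auric Example"}


def resolve_blocked_accounts(blacklist):
    """Server-side only: map blacklisted character names to their account IDs."""
    return {CHARACTERS[name]["account_id"] for name in blacklist}


def server_payload_raw(visible):
    """Design 1 (current, per the thread): ship the raw account ID of every
    visible character and let the client do the comparison itself."""
    return [{"name": n, "account_id": CHARACTERS[n]["account_id"]} for n in visible]


def server_payload_pseudonymous(visible, viewer_key):
    """Design 2 (the 'randomized hashing' mitigation from post #1): replace the
    ID with a pseudonym keyed by a per-viewer session secret (HMAC-SHA256),
    so tokens seen by two different viewers cannot be joined."""
    def pseudonym(account_id):
        return hmac.new(viewer_key, str(account_id).encode(), hashlib.sha256).hexdigest()[:16]
    return [{"name": n, "account_token": pseudonym(CHARACTERS[n]["account_id"])}
            for n in visible]


def server_payload_server_side(visible, blacklist, omit_blocked=False):
    """Design 3 (posts #6 and #7): the server resolves the blacklist against
    account IDs and returns only a yes/no flag per character, or, with
    omit_blocked=True, simply never sends blocked characters at all."""
    blocked_accounts = resolve_blocked_accounts(blacklist)
    out = []
    for n in visible:
        blocked = CHARACTERS[n]["account_id"] in blocked_accounts
        if blocked and omit_blocked:
            continue
        out.append({"name": n, "blocked": blocked})
    return out


def cluster_by_account_field(payload, field):
    """What a client-side plugin can do with a payload: group characters by any
    account-linked field that is present. Returns only groups of size > 1,
    i.e. the alt relationships the payload leaks."""
    groups = defaultdict(set)
    for entry in payload:
        if field in entry:
            groups[entry[field]].add(entry["name"])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    everyone = list(CHARACTERS)
    print("raw IDs leak:", cluster_by_account_field(server_payload_raw(everyone), "account_id"))
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    pa = server_payload_pseudonymous(everyone, key_a)
    pb = server_payload_pseudonymous(everyone, key_b)
    print("one viewer still clusters alts:", cluster_by_account_field(pa, "account_token"))
    print("tokens shared across viewers:",
          {e["account_token"] for e in pa} & {e["account_token"] for e in pb})
    print("server-side flags:", server_payload_server_side(everyone, VIEWER_BLACKLIST))
    print("server-side, blocked omitted:",
          server_payload_server_side(everyone, VIEWER_BLACKLIST, omit_blocked=True))
```

The caveat worth seeing in the output: design 2 only stops two viewers from pooling what they saw, because the HMAC is deterministic for one key, so a single viewer's plugin still groups the three alts together exactly as it does with raw IDs. Design 3 is the only one with no account-linked field to cluster at all; the blocker still learns which visible characters fall under a block they set themselves, but that is inherent to account-wide blocking and covers only accounts they have actually blocked, not every account in the zone.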

  8. #8
    Player
    Sarevok_Thordin's Avatar
    Join Date
    Mar 2017
    Posts
    446
    Character
    Sarevok Thordin
    World
    Brynhildr
    Main Class
    Red Mage Lv 100
    Quote Originally Posted by Exmo View Post
    This doesn't make sense. The blacklist feature blocks another player and their alts. Therefore, the client needs to know some info about those alts so it can block them.
    No it doesn't.

    The block list should be server side so it can determine if communication should be allowed without the client needing to parse that information itself.
    (5)

  9. #9
    Player
    ThatQEDguy's Avatar
    Join Date
    Apr 2016
    Posts
    24
    Character
    Director Fury
    World
    Cactuar
    Main Class
    Machinist Lv 100
    I take it "Fixing the issue" isn't on their radar?
    (6)

  10. #10
    Player
    Espon's Avatar
    Join Date
    Aug 2013
    Posts
    974
    Character
    N'kilah Razhi
    World
    Cactuar
    Main Class
    Paladin Lv 100
    SE's only choice is to fix the actual problem. There's no reason why the client should be given access to a person's account ID, it should be a check done server-side only.

    Legal action won't solve anything once the plugin is already out there, and it does not stop someone else from making the same thing. If anything, people might start taking action against SE for compromising their private data and refusing to fix the exploit.

    As for those suggesting SE use anti-cheat software: it does not fix the root of the actual problem. That would be like putting all your money on your front lawn in a box with a sign that says "Do not steal." It's not going to stop anyone as people will find a way around it, since they always do.
    (7)
