Re: Regarding the Use of Third-Party Programs and Player Safety

[tank2fish]

Of course it will. When people realize that using third party Software gets actually punished they will stop using it.

You are absolving the developers of their mistake, and you need to not do that. They went live with a system that is inherently vulnerable. They have double downed in saying that it's not vulnerable. And you are blaming something else that is unrelated to the core issue.

There will always be bad actors out there, but it is on developers to not provide them with an open door for them to simply walk through. You, and everyone else suggesting banning third party use, are completely focused and fixated on punishing people for walking into the house, and not addressing the door held open.

And that is an issue because that gives the devs something to hide behind. Instead of admitting any fault or mistakes, they're blaming third party use. They are not taking responsibility. They are not acknowledging there's any problem. People are confused about the entire issue, because people like you are so focused on the wrong thing.

[ReynTime]

This is one of, if not the peak of CS3's incompetence. And by staying subscribed you're validating this lack of accountability, so well done.

And don't need to try doing a gotcha reply at me. I unsubbed almost two weeks ago. My access to the forums will probably expire soon.

[Kaurhz]

1. The issue probably won't be fixed. That would require them to acknowledge the issue, and clearly they see sending a raw account ID (Even if only a 'segment' of that ID) from server to client as a perfectly reasonable -- and absolutely not utterly insecure -- manner of doing things.

2. The fact they have only addressed this on a forum post which isn't pinned, and is only referenced once in a tweet, tells me that they have absolute and utter sheer disregard for the safety of the general player-base seeing as there isn't even a lodestone post.

3. Anti-Cheat is not an appropriate remedy. This game has an absurd amount of deficit, which wouldn't surprise me if it is being mitigated by third party tools. Remove that and people will just go elsewhere, and whilst the game would still function, you would probably be looking at even longer patch cycles and/or a further decrease in the quality of content, which all things considered would be a pretty impressive feat given this expansion thus far. -- Further, Anti-cheat can only do so much, that data is still communicated across the network, so many standard tools will be able to analyze this without actually interacting with the game. -- Would it require an initial higher level of competency to gather that data? Absolutely, but this would not last long at all, people will develop better methods that require less and less technical competency to use.... I understand where the anti-cheat argument comes from, but it isn't just 1-2 small segments of the player base that are affected, it does a lot more detriment than good... Versus developer competency and general small increase on infrastructure budget to ensure they aren't deploying the most absolute insecure measures humanly possible, because god help the hamsters.

4. The best approach is to honestly just collaborate with developers that produce third party, to create something where they are more facilitated in-game, e.g., an approved plugins list of sorts... Sure... This would create a disparity between PC players and console players, but that disparity already exists, and assuming there have been no updates to console since I last played, it is already lagging behind PC for accessibility features.. In something that is already lagging behind a good standard in the first place.

5. The next LL is the absolute latest where I would expect a general announcement/update for the broader player-base... I would say before I lose hope, but frankly they already lost mine when they decided to do something as bizarre as this in the first place.

6. At the very least something does need to be done because their current stance is not viable. Its the equivalent of leaving your door wide open, and having a sign “please don’t intrude”

[SillyCrow]

1. The issue probably won't be fixed. That would require them to acknowledge the issue, and clearly they see sending a raw account ID (Even if only a 'segment' of that ID) from server to client as a perfectly reasonable -- and absolutely not utterly insecure -- manner of doing things.

Is it just a segment? I have seen replies that say it's the raw, full internal account ID.

[Kaurhz]

Is it just a segment? I have seen replies that say it's the raw, full internal account ID.

This is why I used segment loosely.. I don’t think it is a segment, but that’s hypothesis anyway, and regardless the ID communicated is unique enough for those maps to take place anyway. The term segment just strikes me as their way of trying to downplay the fact.

[AmiableApkallu]

1. The issue probably won't be fixed. That would require them to acknowledge the issue, and clearly they see sending a raw account ID (Even if only a 'segment' of that ID) from server to client as a perfectly reasonable -- and absolutely not utterly insecure -- manner of doing things.

Ever used a "Login with Google" button on some random website? Do you know what that website gets? A unique, internal account ID that Google has assigned to you. Details:

In technical terms, the login flow uses a protocol known as OpenID Connect. One the pieces of information the website eventually gains access to is a "sub" claim:

An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple email addresses at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.

Sending out unique identifiers isn't inherently insecure. It's what that unique identifier can be used for or tied to that is potentially the problem.

[Raiya]

I'll just put my 2 cents out there but when it comes to this malicious plugin the root issue is the blacklist changes of Dawntrail have allowed this to happen. The only realistic ways to fix it is to either move the blacklist server side that the internal account ID's can no longer be read client side OR revert to the original blacklist system from before Dawntrail and maybe try another approach instead.

Some people might think calling for an anti cheat would solve this but I've been gaming online for nearly 20 years and that bloatware does absolutely nothing to stop these malicious people who cheat or harass others, it's a speed bump that gets defeated within a few hours of an update and ends up causing issues for legitimate players usually through compatibility issues and other things and is ultimately a waste of time for both players and developers and that doesn't even get to the whole privacy issues either.

[DiaDeem]

I appreciate Yoshida's post, but it'd be nice if he acknowledged that people warned them about this vulnerability months ago and nothing was done. This was their mistake. The tool could have never been made if they didn't leave the vulnerability open to begin with. Just some accountability would be appreciated.

[AnnRam]

Just add an anticheat in 8.0 we need it at this rate.

They wont.

SE its aware that its swimming in money thanks to mare plugin and moonhoopers so you are going to deal with it.

Touching that community (over 100k) means it will hurt their income.

[Mortex]

You are absolving the developers of their mistake, and you need to not do that. They went live with a system that is inherently vulnerable. They have double downed in saying that it's not vulnerable. And you are blaming something else that is unrelated to the core issue.

There will always be bad actors out there, but it is on developers to not provide them with an open door for them to simply walk through. You, and everyone else suggesting banning third party use, are completely focused and fixated on punishing people for walking into the house, and not addressing the door held open.

And that is an issue because that gives the devs something to hide behind. Instead of admitting any fault or mistakes, they're blaming third party use. They are not taking responsibility. They are not acknowledging there's any problem. People are confused about the entire issue, because people like you are so focused on the wrong thing.

It’s kinda insane that people pay money for this incompetence of basic account security and then have baby rages about third party tools and want anti cheat(with doesn’t even stop this entire security fiasco and still lets these people get the account id pretty easy ). Like people really need to stop glazing the multimillion dollar company if they shit the bed.