Future Update Discussions


Cowman_133


Woah guys sorry! It's getting fixed dw :c


I find some of the RSOF complaints about this lol worthy.

Namely 'If I only have 1 computer I'm less secure than JAG because they just generate a code if they hack me'

Because as we all know, once you authorise your computer in JAG and it gets hacked, JAG magically turns off and won't let them get at your RuneScape account.

 

Using this new thing with only 1 computer is pretty much on par with JAG - if they have that computer they can use your RS.

If you have a smartphone or two PCs it's better - they need to hack multiple devices to get at your RS account.

Plus if you use Gmail + smartphone you can kind of get 5-step verification protection in total (not literally but sort of).

1) Gmail password

2) Gmail authentication

3) Smartphone lock code

4) Rs password

5) Rs authentication


That would depend on who you trust more, family or uni folks - either system is going to be exposed in some way or another. So both have merits and flaws for having the codes on.

 

I'd probably go for uni since if it's YOUR computer you can password it so, outside of hacking, only you can use it, whereas the family system would be exposed to all the family.


Well, JAG's turning off "later this summer" anyway, so they're not going to provide a choice between the two. Probably gonna cannibalize the JAG resources to put up the authenticator.



It defaults back to your email which makes it superfluous. It's just as useless as JAG was (JAG didn't actually do anything either). It's just another false sense of security.

 

It's only as secure as your email is - and most people don't keep their emails very secure.


It's hardly superfluous just because it reverts to emails - everything reverts to emails for reset purposes.

 

If your email isn't secure, or uses the same login as whatever other service has been hacked, yes it is a weak spot - but that is utterly your fault and not a flaw of the 2 step verification offered.

 

I mean a lock is only as secure as its keys - and if your dumb friend gives their copy of your door key away your lock is hardly secure anymore. But that doesn't render the lock superfluous or mean the lock isn't doing a good job - it means YOU made a mistake in not treating the keys securely enough by giving them to such a dumb flaky friend.

 

This is the same in a digital context: it is YOUR job to keep the 'key' (emails and authentication device) safe to ensure the 'lock' (RuneScape security) isn't compromised; if you fail to do so it is not a flaw in the system or the fault of Jagex, and it does not render the entire thing superfluous.


I could not have said it better myself. People are always so quick to blame other people when things go wrong. I'm not saying the person Accursed is replying to is doing it, but people in general. It seems like every time you see someone post a thread about being hacked, 95% of the time it's "Stupid Jagex! I hate this game" even though it was directly related to something they did, not Jagex.

 
user1-dark.png 
 
Huge_Noob.png

 

Link to comment
Share on other sites

No, if it provides no additional security over your email it is superfluous. You're just as secure with or without the addition because any competent cracker will bypass the security entirely and focus on recovering your email address and using that for their entry into your account.

 

Tell me, if someone can access your email - what good does having this app do for you? Zilch. Nada. Nothing. It's a false sense of security for those who don't understand online security. Or security in general - you're only as strong as your weakest link. The only thing you should care about securing is your email if you have one authenticated.

 

Telling people "Oh, your account will be more secure if you download our app!" is lulling people into a false sense of security because in reality it doesn't do anything for you.

 

 

Edit:

Think of it like a house. A salesman tells you your house is insecure because your front door doesn't even have a lock! So you pay to have the lock installed.

 

A few weeks later, your house is broken into. A different salesman tells you of course it was! Your lock wasn't strong enough and they just broke the lock and forced their way in. So he sells you a chainlock, which is a lot stronger. You have it installed.

 

A while later your house is broken into yet again. Puzzled, you ask your neighbor. He tells you that chainlocks can be unlocked with just a rubberband and a pencil - and then the robber forced his way into your house.

 

So you have a Grade-A retina scanner installed with an airtight steel security door installed. You really stepped it up! Now nobody is getting in or out of that door without your eyeball!

 

A few weeks later, your house is broken into yet again.

 

You consult a security expert - who tells you one of your windows was left cracked open and the robber just entered the house by removing the screen from the window.

 

How useful was the door?



Yes if they CAN access your email it doesn't do you any good.

 

But if they CAN'T it does add extra security.

It can prevent a simple keylogger getting into your account (subject to when you discover it), and simple brute forcing based on common passwords becomes impossible; equally anyone who might have found your password written down or tricked you into revealing it is blocked out by the 2nd step of authentication. Database leaks are also mitigated by having a 2nd step of authentication in place, as even if they crack that data it doesn't give them the necessary codes.

 

Yes, in the grand scheme of your security you are only as strong as the weakest link, and the email security is going to play a core role in that chain for most things; but it is absolutely wrong to claim adding a 2nd step of authentication to a RuneScape account does nothing for security. The only way it does nothing is if your email is so so so so poorly secured that you may as well not even have a password on anything; if there is even the slightest level of security on your email account, a 2nd step of authentication on anything adds security, as it stops people being able to directly attack that account - it forces them to try and discover and crack the email instead. Which, if properly secured, should not be something they can discover all that easily, let alone break into.

 

The simple fact is adding 2 step verification DOES add extra security and is not superfluous.

At the very basic level it offers you extra protection from basic keylogging, brute forcing of common passwords, database leaks, and friends guessing or discovering anything written down.

With email being secured properly it does all of the above and adds extra in cases of more advanced keyloggers, plus it makes it harder for even competent hackers to get into your account, as they need to work out what the email on the account is and how to break that before they can even address the main account.

 

Yes, a poorly secured email will be the downfall if you do get hacked and will be the main target point for anyone seeking to hack you, but that does not mean the 2-step verification on the main account does not do anything - it blocks a number of basic means of compromising an account and will be the reason why the email is targeted in the first place. Plus, equally, based on the JAG implementation and site messages, Jagex aren't trying to pretend this fixes all ills - they specifically recommend you use a Gmail account with a different password with 2-step authentication enabled to maximise security; what more can they do to make sure you secure your emails well? Send planes to skywrite it outside your house every day? Hire muscle men to travel the globe and force people to get Gmail?

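The argument above (a second factor blocks a keylogged, guessed or leaked password on its own) can be shown concretely. The following is an added example, not code from this thread and not Jagex's authenticator: a minimal RFC 6238 TOTP verifier built on RFC 4226 HOTP, plus a login check that demands both the password and a current code and refuses to accept the same code twice, so a code captured by a keylogger cannot be replayed within its 30-second step. The in-memory account record, the PBKDF2 password hashing, the one-step clock-drift window and the sample user are assumptions of the example; the secret in the demo is the RFC 6238 test-vector key, so the codes it produces can be checked against the RFC's table.

```python
import hashlib
import hmac
import os
import struct

STEP = 30      # RFC 6238 default time step, in seconds
DIGITS = 6
WINDOW = 1     # accept one step of clock drift either side (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over a big-endian 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked table does not hand out passwords (assumed parameters).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, totp_secret: bytes) -> dict:
    """Constructed in-memory account record; a real service would persist this."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest TOTP counter already accepted (replay guard)
    }


def login(account: dict, password: str, code, now: int) -> str:
    """Return 'ok' only if BOTH the password and a fresh, unused code check out."""
    if not hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"]):
        return "bad-password"
    if code is None:
        return "code-required"          # a keylogged password alone gets no further
    base = now // STEP
    for drift in range(-WINDOW, WINDOW + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(account["totp_secret"], counter), code):
            if counter <= account["last_counter"]:
                return "code-replayed"  # RFC 6238 section 5.2: never accept a used code twice
            account["last_counter"] = counter
            return "ok"
    return "bad-code"


if __name__ == "__main__":
    # Constructed demo: secret is the RFC 6238 test-vector key, time taken from its table.
    secret = b"12345678901234567890"
    acct = make_account("hunter2", secret)
    now = 1111111111
    print(login(acct, "hunter2", None, now))                     # code-required
    print(login(acct, "hunter2", totp(secret, now - 3600), now)) # bad-code
    print(login(acct, "hunter2", totp(secret, now), now))        # ok
    print(login(acct, "hunter2", totp(secret, now), now + 5))    # code-replayed
```

Two details matter in practice: the comparisons use `hmac.compare_digest` so the verifier does not leak how many digits matched through timing, and the `last_counter` check is what turns "the attacker keylogged my code too" from a full compromise into a 30-second race the attacker has to win before the legitimate login.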

"it forces them to try and discover and crack the email instead."

That's the first step any competent cracker would go for - not the second. It gives more general access and after gaining access once is easy to do a form of social-engineering by snooping for data through accessing accounts related to that email. Once you have their email you can also more easily find all of their related accounts - recover those and possibly claim more information.

 

Gaining access to the email also makes it harder for them to send recovery requests for all of their related accounts - meaning they have to wait on what is usually a 3-4 day process on Gmail (and longer for other mail hosts usually) to recover their account.

 

Once you have all that information, if/when the person recovers their own email/accounts back - you have all the information you need to recover other accounts and possibly even the email address again - although at that point you would be more focused on accounts of value.

 

Nobody is going to try and bruteforce your RS password. Bruteforcing is only done on encrypted databases or devices/websites without a lockout timer (which almost all do nowadays) and even for those purposes is rather slow. They would first start out with a dictionary attack to recover as many passwords as possible. Many blackhat crackers have expansive dictionaries that include common phrases, common password lists, foreign languages, other common passwords they've found, and would be used far before they bother bruteforcing.

 

The issue with the point you are trying to make is it assumes people will first go for the RS account and only go for the email if the RS account is too secure. This is backwards, because they would first go to the email regardless of the RS security. Knowing you'll need to hold onto an RS account for 3-5 days to cancel a bank pin to actually clear the account automatically tells you:

 

1) Your targets must be targets you know aren't actively playing the game

2) You must keep access to the account for 3-5 days if they are active, meaning you need to have access to their recovery method (usually: their email address) to prevent them from recovering the account.

3) If you have knowledge of them not having a bank pin you might try to access the account directly through social engineering [this is the only exception to the "attack the email first"]

 

The RS account is your door. It doesn't matter how much security you add to that door if the robber is just going to come through the window - so you better have a barred window. Your email address is your window and is also the first place any cracker will go for.


You know, this kind of stuff is why I find reverse engineering and system exploit testing so interesting. I would imagine a legitimate company, hopefully Jagex, has hired staff to work at cracking through these systems to test it.


You would think that, but lots of sites are ridiculously insecure. Here are 1800 or so sites (+ some gibberish) that store passwords in plain text, which is literally the least secure thing you can do outside of printing usernames and passwords on your homepage.


You know this kind of stuff is why i find reverse engineering and system exploit testing so interesting. I would imagine a legitimate company, hopefully jagex, has hired staff to work at cracking through these systems to test it.

Honestly, I doubt it's worth their time to hire a third party to try and crack their systems. They might do some work internally, but no way will they hire an outside group for it. The most sensitive/valuable info they have is payment info, which is largely separate from the login info this system is designed to protect. (That might be worth outside testing, but if I'm not mistaken, companies generally contract third-party software to handle that entirely.)


You know this kind of stuff is why i find reverse engineering and system exploit testing so interesting. I would imagine a legitimate company, hopefully jagex, has hired staff to work at cracking through these systems to test it.

Penetration testing is also quite interesting. Most businesses don't bother updating their servers, even if they are far out of date with security flaws everywhere - which means people can easily gain access. Businesses don't tend to take security as seriously as people think they do, until after a severe breach has occurred.

 

You can read quite a few articles about pen testers who gain administrative access in under a few hours - sometimes mere minutes - through unpatched exploits and social engineering of an administrative person through their private Facebook and other venues.

 

Reverse engineering is mostly done to patch software (by disabling certain checks) and to understand malware design by RE'ing it in a virtual machine.

 

If you are interested in RE you can learn some basics through Lena's tutorials here. I've had to patch a piece of software before because, although I had purchased the program, I had reinstalled Windows and the original programmer had passed away, so I was unable to ask for another key - I still had the program, but it required a new key due to being installed on a "new system". I had to patch it to not check for the key so that I could continue using it. It's a useful skill to have, although usually not worth the effort if you don't plan to have it as a career. I also don't support patching software to avoid paying for it. :P

 

SQL injections and other server exploits are largely automated now. I won't give the name of the program - but there are several programs out there that automatically try to do SQL injection. So a person doesn't even need to be knowledgeable to do injection anymore.


You barely have to be knowledgeable to prevent SQL injection though so it balances out

Just have to know how to update really... unfortunately it seems updating is largely neglected. 


You prevent SQL injection with prepared statements.

 

But yeah I know how every new php developer tries to use mysql_i or something (and probably also stores passwords in plain text)

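The last few posts name the two ways a site's own credential store fails: building the login query out of the submitted strings, and keeping passwords in plain text so a database leak hands them straight to the attacker. The following added example (not code from this thread, from Jagex, or from any of the sites mentioned) puts the weak and the corrected form side by side in Python on SQLite: a plaintext table queried by string formatting, which a textbook `x' OR '1'='1` payload bypasses, next to a parameterised statement over salted PBKDF2 hashes compared in constant time. The schema, table names, PBKDF2 work factor and the sample user are assumptions of the example; PHP's `mysqli` and PDO offer the same bound-parameter mechanism under other names.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000   # assumed work factor; tune to ~100 ms per hash in production


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Legacy layout from the thread's complaint: the password column is plain text.
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    # Hardened layout: per-user random salt and a slow hash, no plaintext anywhere.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(conn, username: str, password: str) -> None:
    """Populate both layouts so the two login paths can be compared on one user."""
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (username, password))
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    conn.commit()


def login_vulnerable(conn, username: str, password: str) -> bool:
    # VULNERABLE on purpose: the submitted strings become part of the SQL text, so a
    # password of  x' OR '1'='1  turns the WHERE clause into a tautology and a
    # username of  admin' --  comments the password check out entirely.
    sql = (f"SELECT 1 FROM users_plain WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Prepared / parameterised statement: the driver binds the value, the query shape
    # is fixed at write time, and quote characters in the input are just data.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Still burn a hash so "no such user" is not measurably faster than "wrong password".
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def what_a_leak_reveals(conn, username: str) -> tuple:
    """What an attacker who dumps each table learns about this user's password."""
    plain = conn.execute("SELECT password FROM users_plain WHERE username = ?",
                         (username,)).fetchone()[0]
    hashed = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                          (username,)).fetchone()[0]
    return plain, hashed.hex()


if __name__ == "__main__":
    conn = setup_db()
    register(conn, "admin", "correct horse battery staple")   # constructed sample user
    payload = "x' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(conn, "admin", payload))  # True
    print("safe, injected password:      ", login_safe(conn, "admin", payload))        # False
    print("safe, real password:          ",
          login_safe(conn, "admin", "correct horse battery staple"))                   # True
    print("leak reveals:", what_a_leak_reveals(conn, "admin"))
```

The fix for injection is the shape of the statement, not escaping: `?` placeholders mean the database never parses user input as SQL, which is exactly what the automated injection tools the thread mentions rely on. The fix for the leak is that `what_a_leak_reveals` returns the password itself from the legacy table but only a salted hash from the hardened one, so a dumped database costs the attacker a PBKDF2 guessing run per user instead of nothing.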
