Cowman_133

Future Update Discussions


No, if it provides no additional security over your email it is superfluous. You're just as secure with or without the addition because any competent cracker will bypass the security entirely and focus on recovering your email address and using that for their entry into your account.

 

Tell me, if someone can access your email - what good does having this app do for you? Zilch. Nada. Nothing. It's a false sense of security for those who don't understand online security. Or security in general - you're only as strong as your weakest link. The only thing you should care about securing is your email if you have one authenticated.

 

Telling people "Oh, your account will be more secure if you download our app!" is lulling people into a false sense of security because in reality it doesn't do anything for you.

Yes if they CAN access your email it doesn't do you any good.

 

But if they CAN'T it does add extra security.

It can prevent a simple keylogging getting into your account (subject to when you discover it), or a simple brute forcing based on common passwords becomes impossible; equally anyone who might've found your password written down or tricked you into revealing it is blocked out by the 2nd step of authentication. Database leaks are also mitigated by having a 2nd step of authentication in place, as even if they crack that data it doesn't give them the necessary codes.

 

Yes, in the grand scheme of your security you are only as strong as the weakest link and the email security is going to play a core role in that chain for most things; but it is absolutely wrong to claim adding a 2nd step of authentication to a runescape account does nothing for security. The only way it does nothing is if your email is so so so so poorly secured that you may as well not even have a password on anything; if there is even the slightest level of security on your email account a 2nd step of authentication on anything adds security as it stops people being able to directly attack that account - it forces them to try and discover and crack the email instead. Which if properly secured should not be something they can discover all that easily, let alone break into.

 

The simple fact is adding 2 step verification DOES add extra security and is not superfluous.

At the very basic level it offers you extra protection from basic keyloggings, brute forcing of common passwords, database leaks, and friends guessing or discovering anything written down.

With email being secured properly it does all of the above and adds extra in cases of more advanced keyloggers, plus it makes it harder for even competent hackers to get into your account as they need to work out what the email on the account is and how to break that before they can even address the main account.

 

Yes, a poorly secured email will be the downfall if you do get hacked and will be the main target point for anyone seeking to hack you, but that does not mean the 2 step verification on the main account does not do anything - it blocks a number of basic means of compromising an account and will be the reason why the email is targeted in the first place. Plus equally, based on JAG implementation and site messages, Jagex aren't trying to pretend this fixes all ills - they specifically recommend you use a gmail account with a different password with 2 step authentication enabled to maximise security; what more can they do to make sure you secure your emails well? Send planes to skywrite it outside your house every day? Hire muscle men to travel the globe and force people to get gmail?



Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


This conversation brought to you by the word: superfluous.

  • Like 2



Maxed [February 14, 2012] | Completionist [October 25, 2012] | Trimmed Completionist [in Progress]

Visit my Blog!




 

No, if it provides no additional security over your email it is superfluous. You're just as secure with or without the addition because any competent cracker will bypass the security entirely and focus on recovering your email address and using that for their entry into your account.

 

Tell me, if someone can access your email - what good does having this app do for you? Zilch. Nada. Nothing. It's a false sense of security for those who don't understand online security. Or security in general - you're only as strong as your weakest link. The only thing you should care about securing is your email if you have one authenticated.

 

Telling people "Oh, your account will be more secure if you download our app!" is lulling people into a false sense of security because in reality it doesn't do anything for you.

 it forces them to try and discover and crack the email instead.

That's the first step any competent cracker would go for - not the second. It gives more general access and after gaining access once is easy to do a form of social-engineering by snooping for data through accessing accounts related to that email. Once you have their email you can also more easily find all of their related accounts - recover those and possibly claim more information.

 

Gaining access to the email also makes it harder for them to send recovery requests for all of their related accounts - meaning they have to wait on what is usually a 3-4 day process on GMail (and longer for other mail hosts usually) to recover their account.

 

Once you have all that information, if/when the person recovers their own email/accounts back - you have all the information you need to recover other accounts and possibly even the email address again - although at that point you would be more focused on accounts of value.

 

Nobody is going to try and bruteforce your RS password. Bruteforcing is only done on encrypted databases or devices/websites without a lockout timer (which almost all do nowadays) and even for those purposes is rather slow. They would first start out with a dictionary attack to recover as many passwords as possible. Many blackhat crackers have expansive dictionaries that include common phrases, common password lists, foreign languages, other common passwords they've found, and would be used far before they bother bruteforcing.

 

The issue with the point you are trying to make is it assumes people will first go for the RS account and only go for the email if the RS account is too secure. This is backwards, because they would first go to the email regardless of the RS security. Knowing you'll need to hold onto an RS account for 3-5 days to cancel a bank pin to actually clear the account automatically tells you:

 

1) Your targets must be targets you know aren't actively playing the game

2) You must keep access to the account for 3-5 days if they are active, meaning you need to have access to their recovery method (usually: their email address) to prevent them from recovering the account.

3) If you have knowledge of them not having a bank pin you might try to access the account directly through social engineering [this is the only exception to the "attack the email first"]

 

The RS account is your door. It doesn't matter how much security you add to that door if the robber is just going to come through the window - so you better have a barred window. Your email address is your window and is also the first place any cracker will go for.


Escaping from reality over and over, I've ended up lost in delusion

 


Most crackers get eaten and digested; I've never seen them in my windows.

  • Like 3


 

[2:21:46 PM] Baldvin | Leik: these comp reqs are so bad

[2:22:36 PM] Arceus Dark: Time to get...req'd?


You know this kind of stuff is why I find reverse engineering and system exploit testing so interesting. I would imagine a legitimate company, hopefully Jagex, has hired staff to work at cracking through these systems to test it.






You would think that, but lots of sites are ridiculously insecure. Here are 1800 or so sites (+ some gibberish) that store passwords in plain text, which is literally the least secure thing you can do outside of printing usernames and passwords on your homepage.


You know this kind of stuff is why I find reverse engineering and system exploit testing so interesting. I would imagine a legitimate company, hopefully Jagex, has hired staff to work at cracking through these systems to test it.

Honestly, I doubt it's worth their time to hire a third party to try and crack their systems. They might do some work internally, but no way will they hire an outside group for it. The most sensitive/valuable info they have is payment info, which is largely separate from the login info this system is designed to protect. (That might be worth outside testing, but if I'm not mistaken, companies generally contract third-party software to handle that entirely.)


Obtained quest cape and base 92 before obtaining any 99s! Currently finishing out my 99s with the (long-distant) goal of comp cape.


You know this kind of stuff is why I find reverse engineering and system exploit testing so interesting. I would imagine a legitimate company, hopefully Jagex, has hired staff to work at cracking through these systems to test it.

Penetration testing is also quite interesting. Most businesses don't bother updating their servers, even if they are far out of date with security flaws everywhere - which means people can easily gain access. Businesses don't tend to take security as seriously as people think they do, until after a severe breach has occurred.

 

You can read quite a few articles about pen testers who gain administrative access in under a few hours - sometimes mere minutes - through unpatched exploits and social engineering of an administrative person through their private Facebook and other venues.

 

Reverse Engineering is mostly done to patch software (by disabling certain checks) and understanding Malware design by RE'ing it in a virtual machine.

 

If you are interested in RE you can learn some basics through Lena's tutorials here. I've had to patch software before because although I had purchased the program - I had reinstalled Windows and the original programmer had passed away, so I was unable to ask for another key - I still had the program, but it required a new key due to being installed on a "new system". I had to patch it to not check for the key so that I could continue using it. It's a useful skill to have, although usually not worth the effort if you don't plan to have it as a career. I also don't support patching software to avoid paying for it. :P

 

SQL injections and other server exploits are largely automated now. I won't give the name of the program - but there are several programs out there that automatically try to do SQL injection. So a person doesn't even need to be knowledgeable to do injection anymore.


Escaping from reality over and over, I've ended up lost in delusion

 


You barely have to be knowledgeable to prevent SQL injection though so it balances out


I'm interested mostly for the insight of what goes on, but not the general knowledge.

 

Thank you though!






You barely have to be knowledgeable to prevent SQL injection though so it balances out

Just have to know how to update really... unfortunately it seems updating is largely neglected. 


Escaping from reality over and over, I've ended up lost in delusion

 


You prevent SQL injection with prepared statements

 

But yeah I know how every new php developer tries to use mysql_i or something (and probably also stores passwords in plain text)

  • Like 1
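The two mistakes this post and the earlier "1800 or so sites store passwords in plain text" post name, shown next to their fixes. This is an added example, not code from the thread or from any site it mentions; it uses Python's standard-library sqlite3 in place of PHP/MySQL, and the user table, sample accounts and PBKDF2 iteration count are constructed here.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return db


def find_user_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """The new-developer mistake: the username is spliced into the SQL text,
    so whatever the user typed is parsed as SQL. The input x' OR '1'='1
    turns the WHERE clause into a condition that matches every row."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def find_user_prepared(db: sqlite3.Connection, name: str) -> list:
    """The fix: a prepared statement with a bound parameter. The driver hands
    the value to SQLite separately from the query text, so it is only ever
    compared as data and can never change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def verify_password(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "x' OR '1'='1"))  # both users leak
    print(find_user_prepared(db, "x' OR '1'='1"))    # []
    print(verify_password(db, "alice", "correct horse"), verify_password(db, "alice", "wrong"))
```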


For those interested I have new companion app pictures up on the skillchompas topic.






9GFFM.png

 

hype

  • Like 2


In real life MMO you don't get 99 smithing by making endless bronze daggers.


Official Wiki, Mod Michelle posted that.



In real life MMO you don't get 99 smithing by making endless bronze daggers.


F*******

 

The deeemon code prevents me

 

From declining a rock-off challenge

  • Like 3


I wonder if the last 5 musics will come from a quest? Maybe the zamorakian sympathizer quest?






F*******

 

The deeemon code prevents me

 

From declining a rock-off challenge

I won't accept anything else as the emote except for this
  • Like 3


In real life MMO you don't get 99 smithing by making endless bronze daggers.


ohP8JD5.png

drrqgSa.png



^^My blog of EoC PvM, lols and Therapy.^^

My livestream- Currently: Offline :(

Official Harpy Therapist of the Mad

[hide=Lewtations]

Barrows drops: Dharok's helm x2, Guthan's helm, Ahrim's top, Hood and skirt, Torag's hammers, Karils skirt, Karil's top, Torag's helm, Verac's skirt, Verac's Flail, Dharok's Platebody.

Dag kings drops: Lost count! :wall:

4k+ Glacors, 7 Ragefires, 4 Steadfasts, 4 Glaivens, 400+ shards![/hide]


ohP8JD5.png

drrqgSa.png

I smell some crazy duo tactics with that green waterfall and the terrain variations.





Boss slayer dev blog update:

 

- Update 27/06/2014

 

The Ninja team are now full speed ahead with Boss Slayer!!!

 

For those paying attention, the two polls we had up last week are now closed. Results have determined that Death will be the representing NPC and the title unlock for killing all the bosses incorporated in Boss Slayer will be "_ the Reaper"; which is nice as the two go quite well together.

 

Ana put some quick concepts for a new lootbeam (see above) on the forums, twitter, and reddit. We've kept an eye on what people have said, and it would appear a majority thought that the rainbow was the best. As such, this will be an unlockable reward through Boss Slayer.

 

Labl has started work on Death's office, the place you'll be going to receive your daily Boss Slayer task. Below is an early work in progress model of the area:

 

Death's Office

 

http://services.runescape.com/m=rswikiimages/resized/en/2014/6/Death's_Office-27144016-800px.PNG

(everything is still greybox so it is subject to change)

 

Asherz has been working on a new interface which will display all the bosses available in Boss Slayer with total kills, fastest kill, available drops, as well as some other information. You'll also be able to see a variety of other monster kill counts on the interface as well.

 

That's all for this week... You stay classy Gielinor!

 

-

 

The information above is subject to change during development.

 

Mods Ana, Asherz, Ryan, Oliver, Stu O and Labl

 






I knew skillcapes looked bad and outdated, but still quite surprised that the poll is at 83% in favour of changing them after over 30k votes. Never thought you could get such a high percentage of players to agree on anything.

  • Like 2

R.I.P. The olde nite. A legend is gone but not forgotten.

 

a Faction Related Item Sink for Rune Labs. https://[LikelyScam]/m=player-proposal/a=13/c=VcG-Ir5Ijno/view-idea?idea=19

 

 


I knew skillcapes looked bad and outdated, but still quite surprised that the poll is at 83% in favour of changing them after over 30k votes. Never thought you could get such a high percentage of players to agree on anything.

 

Um - where were you when the Wilderness/Free Trade Poll was made? :unsure:


