Even More General Blathering – Random Waypoint
https://randomwaypoint.fajs.de
Journeys and Musings of an Ex-Hardcore Raider
Mon, 09 Nov 2015 22:43:17 +0000

I got a Hat
https://randomwaypoint.fajs.de/2015/11/i-got-a-hat/
Mon, 09 Nov 2015 22:29:18 +0000

We gamers are all obsessed with hats, aren’t we? Maybe most of them, the TF2 people. But still, even in MMOs, hats reign supreme in the cosmetic category. Wilhelm loves them. Bhagpuss loves them. And those who went through the horrible grind to get the coveted Bloodsail Admiral’s hat wore it proudly (while they were busy grinding even more afterwards to repair their standing with Booty Bay).

I did some grinding for a very special hat, too. A hat like no other. Bespoke crafting, a one-of-a-kind. Behold.

[Image: the_hat]

For those not familiar with the tradition: around here, when someone finishes their PhD, their coworkers build them a hat roughly resembling a mortarboard that is decorated with bits and pieces that lampoon (in good humor) noteworthy events or personality quirks. Sadly, all pictures from the event itself with me and the hat have coworkers and friends on it that are not easily croppable, and I don’t want to put those online without their knowledge. So you get the hat sans me.

Some grinding it was. The last months were a bit intense. In summer, I got a job offer I couldn’t (or didn’t want to) refuse. But they wanted me fast, so I started working there earlier than I had planned. (My plan had been to just slowly start looking around for jobs, then one of the first applications already turned out to be this apparently great fit.) Too early to defend beforehand, which made for some packed months. Get up, go to work, get back, study, go to bed. On the weekends, drive back to the old place, 3 hours each direction, to finish the preparations for the event.

Now I just need to print the final versions and send them to the respective libraries. Oh right, and move out of this company-arranged temporary one-room apartment and get my stuff from my old place into a new, real one. Lots of packing and unpacking in the near future. But around Christmas, I might actually have time to play games again. And maybe I’ll even have Internet in the new place by then… if I’m lucky.

Maybe then I’ll even find time to write again, and have ideas what to write about. To be honest, my writing here has been extremely spotty the last… 18 months or so. So I’m not holding my breath. But I’m also not willing to give up quite yet.

 

I may start with trying to fix the fancy live-updating blogroll to the right, which seems to have broken some time ago…

Three Years of Random Waypoint
https://randomwaypoint.fajs.de/2014/07/three-years-of-random-waypoint/
Fri, 18 Jul 2014 15:03:25 +0000

WordPress made sure to remind me that today is a special day:

[Image: 3yearsblog_wordpressgrats]

Three years ago, I started Random Waypoint with my first post. I had just left my raiding guild, and for the first time in years, I felt directionless when it came to MMOs. Well, I guess that’s not completely true, because I had already started feeling like that for some time before I left the guild, but inertia kept me playing.

Since then, it’s been an up and down here, especially when it comes to posts. Phases of almost-daily posting or at least two-to-three-times weekly are separated by long periods of silence. So I’m happy even more about people who keep my blog on the back burner and continue reading when I pop up again. I’m not very good at writing regularly on a grand timescale, but I still enjoy doing it now and then. Every now and then, I even genuinely like posts that I have written!

Since it’s time to look back, and since wordpress provides some neat historical data, what better to do than show some plots?

More plots, more plots! (Click to enlarge; goes for all of them.)

Posts

[Image: posts]

Red diamonds on the timeline are posts. Since the beginning three years ago, I’ve written 186 posts, which means about 0.16 posts per day, or 1.2 per week. That only tells half the story, though. Since this blog goes through phases of activity and phases of silence, I identified them in the timeline: The grey areas are times of activity. You can see that I started enthusiastically, writing posts very regularly for about 10 months (from July 2011 to May 2012). I then had my first lull, and came back just in time for the first anniversary. It felt weird to write a “happy anniversary” post as the first one after two months of silence, though, so I didn’t that year. I went back to posting regularly for about 4 months, before I fell off the face of the earth for an extremely long time: my longest break up to now was from November 2012 to July 2013, a full eight months with only two posts in-between! Again, I came back just in time for the anniversary, and again, it didn’t feel appropriate to write a post about it. (It seems there is something about the dog days of summer that drives me to write blog posts. No idea why.) Since then, I’ve gotten into an on–off routine: 4 months of posting, 2 months of silence. Going by that rule, you’ll get some semi-regular reads until November! Even this time around, I only came back just in time for the anniversary, but this year, I was curious enough myself to crunch the data. Coming back to the beginning, while I wrote 1.2 posts per week over the lifetime of this blog, if you only take the active times, we get an average of 2.1 posts per week. That’s pretty close to the unofficial “2 posts per week” minimum that I have in my head.

Views

OK, so we’ve seen what my posting behavior is. How does that influence views? In fact, how many views does this blog get, anyway?

It’s not a huge-volume affair, but it gets regular traffic: I’m close to 10,000 views now. As I’m writing this, the counter is up to 9,788 views. That’s about 9 views per day, or 52 views per post. Of course, these are again distributed very unevenly. Time for another plot!

[Image: views]

First things first: writing posts produces views. Surprise! It would be very sad if it were otherwise. Because then I’d have to assume only bots came by. That said, even during times of inactivity, some low-volume traffic remains. I assume these must be bots that are not filtered out by the wordpress statistics, and people who prefer to check the blog directly every now and then instead of using an RSS reader (you can also use Twitter now to get notifications).

You can also see a good example of how it takes time for a blog to take off. Even though I posted a lot in the beginning, it took a few months to attract regular viewers. I’ve been considering selecting some of the better posts from that time and reblogging them as “reruns” during lulls, because some of them never got much attention.

The amount of traffic that a post produces is both very irregular and almost completely unpredictable. Posts you spend ages on tinkering to near-perfection don’t make any impression, while a fast throwaway comment makes your status updates blink like a Christmas tree. This is probably nothing that comes as any surprise to those who write themselves. Every now and then, a post can get 60, 70 views within a day. Even more rarely, things go crazy. There are two events that dwarf the rest of the daily-pageviews statistic: (a) marks my top day in views in the last three years. One of my posts got mentioned on the MMO Melting Pot, and directed a lot of viewers over here. This wasn’t the first time I got mentioned on the Melting Pot, and it wasn’t the last either, but something must’ve been special about this one. Maybe it was the right post at the right time, or maybe it was a windfall of something larger happening. Maybe the MMO Melting Pot, in turn, had just gotten mentioned on a very large site? We’ll never know. (I miss the Pot, by the way. It was a great way to find new blogs.) (b) is an event that puzzles me. I have no idea what happened. Checking the logs, it looks like just a lot of random pages being accessed. Maybe it was an unfiltered robot, or somebody got really interested and went through a lot of posts.

These days, every new post gets around 20–30 views within the first 24 hours. On the downside, that means that, when I give a lecture, I have an audience 5–10 times as large. On the upside, I’m pretty sure that my readers are much more interested in what I say than most students. My readers even come voluntarily, and without an exam to guilt them into the lecture. (That would be a funny thought, though. An MMO blog exam. Hm….)

Speaking of my readers, I have to thank them for being so faithful, even during the times of silence, and always coming back. While I try to follow the rule of “write for yourself, not for others” (which is one of the reasons that, when I really don’t feel like it, I just don’t write for myself), it’s a great motivation to see people reading, and especially commenting.

Miscellaneous

To finish with the statistics, let’s have a look into the most viewed posts, popular search terms, and other random tidbits.

Top Posts

The most famous page on this blog is, obviously, the home page. Many people either surf directly to the blog, or they click the blog link (instead of a post link) when they see a new post has been published. 3,764, or 38.5%, of all page views are for the home page. Since this doesn’t say much about which posts are popular, let’s disregard that information. The Top 10 of posts, only counting views of the post pages themselves, from the last three years is:

1 EQ2: Simulating the Level Cap Experience Before the Level Cap 258
2 So I applied to EVE University… 239
3 The Totalitarianism of Progress-Focused MMO Gaming 235
4 PS Vita Test 217
5 No Heart for Shotacon 178
6 Pilgrimage to the EVE Gate 170
7 An Example of a Good Dungeon 158
8 Another one bites the F2P bullet 142
9 What I’m not playing: LotRO 119
10 So… It’s Kung Fu Panda After All? 115

Most of these posts are from 2012. That means they had enough time to collect extra page hits over the last 1–2 years, but they’re not from the very early time of the blog when there were few readers (and linkers). Again, the list shows that it’s hard to predict how popular a post will be: there are some longer and more “theoretic” posts in the mix (number 3 or 7), as well as some simpler “this is what I’m up to” posts (1, 2, 9). The largest surprise might be numbers 4 and 5: I wrote the PS Vita Test posts simply because I had played around with a Vita at Sony Building in Tokyo before the official release, and felt like I had to at least write something about that, even though I hadn’t followed news on the Vita at all. The “Shotacon” post was a short half-serious, half-tongue-in-cheek remark about TERA’s Elin, and why they only come in female versions. I wouldn’t consider either of these posts exceptionally good, but they both seemed to benefit from a buzzword in their title. Which gets me to…

Top Search Terms

This is actually less interesting than it sounds. Sadly, google has stopped giving search terms in their referral links, so these days, I don’t have much information about what people searched for to end up here. However, the top two search values were “PS Vita” and “shotacon”, which confirms my guess about why those two posts ended up in the Top 10. I also feel like a lot of people searching for the latter term left disappointed…

I don’t seem to attract any outrageously weird or funny search terms. Some of the more offbeat ones are:

the best swashbuckler ever in eq2 (you called?)
dead hooker juxtaposition (I’m… not even sure I want to know.)
blue öyster cult (Must be my user icon.)
flosch taste (refined! what else?)
is it possible to reach the eve gate (Be my guest and try, but you might not have enough time until the next server downtime.)
“can not/cannot” grammar (yes, that is one of my pet peeves.)
where can i find shotacon games? (not here. And yep, that one left especially disappointed, I bet.)
город гоблинов (Hey, I understand that! And I didn’t even need Wilhelm’s help! Here you go.)
panda hardcore (I really, really hope you don’t mean that kind of panda hardcore.)

Top Referrers

This one was actually quite tricky, mostly because blogspot uses ccTLDs and you end up with all sorts of referrers that look different, but are the same: http://www.bhagpuss.blogspot.com, www.bhagpuss.blogspot.de, and bhagpuss.blogspot.com.au all show up separately in the logs. With the help of some perl scripting magic, I came up with the following top referrers in the last 3 years: (note: I removed search engines from the list; they don’t count in my opinion.)

1 blessingofkings.blogspot.* 1325
2 mmomeltingpot.* 676
3 nilsmmoblog.blogspot.* 529
4 bhagpuss.blogspot.* 396
5 playervsdeveloper.blogspot.* 232
6 raging-monkeys.blogspot.* 216
7 Google Reader 80
8 tagn.wordpress.* 77
9 biobreak.wordpress.* 72
10 hzero.wordpress.* 55

It’s interesting how four dormant or defunct sites still managed to make it into the top ten: The MMO Melting Pot hasn’t been stirred in almost 10 months; Nils’ MMO Blog has had only 3 posts in the last 14 months; Syl has since renamed Raging Monkeys and moved to another domain; and Google Reader suffered a much-lamented death. Of course, that might have to do with my regular posting breaks. However, even dormant sites can still produce traffic: for example, Nils’ Blog still is used by many people as blogroll, it seems. It is still in the Top 10 referrers for the last quarter.

Overall, blogspot blogs seem to produce more referrals than wordpress ones; I assume this must have to do with their rotating blogroll that shows newest posts at the top, something that can’t be done with wordpress unless you host it on your own server (which is why you can enjoy it on my page, yay!).

Random Waypoints from Around the World

Since early 2012, wordpress also collects data about which countries viewers come from. This produces another nice figure:

[Image: 3yearsblog_countries]

I cut off at 10 views, because the picture got unwieldy enough with the white space to the right. What surprises me most, I think, is how high on the list Britain, Canada and Australia are. The UK even beats Germany! (A result you haven’t seen in football for a long time *rimshot*). I guess I just assumed I’d get more German hits because the domain ends in .de, but then again, all posts are in English, so it’s maybe not such a big surprise. Canada and Australia mainly surprise me because neither country, for all their land size, is all that populous. It’s also quite funny that I have 15 hits from Hong Kong, but only 1 from mainland China. I’m probably blocked or something. Also, Switzerland finishes on a strong 8th place. I have a hunch who’s responsible for that!

Final Random Stats

Longest post: 3871 words, Allegiance, Betrayal, and Oh So Many Warning Boxes!
Shortest post: 18 words, “Homefront” on Steam…
Most commented: 12 comments, What I’m not playing: GW2
Most revisions before finally published: 91 revisions, Allegiance, Betrayal, and Oh So Many Warning Boxes!
Most revisions before finally published (and not also the longest post): 76 revisions, Authenticators! How Do They Work?
Most used category: General Game-Related Blathering
Least used category: City of Heroes (and that one isn’t going to grow any more, I’m afraid.)

Final Thought

Off to another three years! I wonder whether this blog will still be alive and kicking then. No other way to find out than to continue!

Authenticators! How Do They Work?
https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/
Mon, 17 Feb 2014 16:59:27 +0000

Have you ever used one of those authenticator thingies that have become popular over the last few years? The ones that add an additional password to your account when you log in, a random 6-to-8 digit number that changes every 30 seconds or so? I sure hope you have, because those things add an additional layer of security to your account that can be very helpful to ward off account stealing attempts.

But have you ever wondered how they actually work? When I looked around for some information on the more technical details when I wrote my last post, I realized that there isn’t a lot of easily available and understandable information around. Or at least I couldn’t find it. When you search for “how does the blizzard authenticator work”, for example, you get a lot of results that explain to you how to use it (buy/download, attach to your account, additional passcode field shows up when you log in), but no information of how the authenticators themselves work. The closest I got was this article on WoWWiki, which itself doesn’t cite any sources. You can also find some technical information of how SecurID works, which (as far as I know) all the key fob style authenticators are modeled after. But that information is probably not an easy read for someone without any background in cryptography.

I don’t think that’s a good state of affairs, because people should have a chance to at least roughly understand how their security technology works. That way, authenticators are less of a voodoo black box, you can understand what actually makes those authenticators secure, and most importantly perhaps, you can make an informed decision whether you’d rather use the key fob style or the smartphone app style.

So, since I couldn’t find any explanation of the technical workings of authenticators, explained on a basic level, I decided to write my own. Now, I have to add an important disclaimer to this post:

  1. I’m a computer scientist. I hope I broke down the information in a way that makes it accessible to non-computer scientists. If you don’t understand an explanation, please tell me, and I’ll try to fix it.
  2. While I’m a computer scientist, I’m not a cryptography or security expert. I hope I didn’t get any of the details wrong, or put them the wrong way. If you are an expert and can show that I presented something wrongly, please tell me, and I’ll try to fix it.
  3. Most technical information that’s the basis of this explanation was pieced together from sources on the Internet. For a few details, I even used reasonable guesses. Again, if you know better than me and can show that I got something wrong, please tell me, and I’ll try to fix it.

Definitions (a.k.a., the boring part)

Let’s first run through a few short definitions. I’ll use them later on, and I’ll make this part short and hopefully easy to understand. The links lead to wikipedia for people who want to dig deeper.

Algorithm: The exact definition is much deeper and quite philosophical, but for this text, you can think of it as “a piece of computer code that calculates a result from some given input”.
One-way function: A one-way function is an algorithm that transforms an input into an output, with calculations that are easy enough to run very fast. However, the opposite is not true: given the output, it’s extremely hard (and practically impossible) to calculate the input. Like a one-way street, you can only go in one direction, but not the other. This is very useful for some types of encryption or authentication.
Pseudorandom number generator (PRNG): Computers suck at being random. They are built to calculate, and to produce the same output for the same input every time. True randomness is actually a very hard problem. Radioactive decay is considered a true random process, but for obvious reasons, people aren’t too keen on putting a plutonium reservoir into their PCs. The next best thing are PRNGs: they produce output that looks random, but isn’t really: they’re just algorithms that take a single number (a seed) as input, and from that produce one or a sequence of numbers that look sufficiently random (as defined by probability theory, but we’ll leave that to the mathematicians). Given the same seed, a PRNG will always produce the same sequence of numbers. We’ll see why this can be useful.
Cryptographically secure PRNG: It’s simply a PRNG that fulfills some extra requirements. In easy terms, an attacker who looks at a sequence of numbers from a PRNG must not have a chance to deduce any information that could lead to the PRNG’s seed.
Public-key cryptography is one of the wonders of modern encryption. It used to be that an encryption key was a shared secret between two parties. You used a key to encrypt your data, and you needed the same key to reverse the encryption. That had the huge problem that you needed to get the key to the other party securely by some means, because whoever learned the key could decrypt your communication. Public-key cryptography uses two keys, a public one that you can tell everybody, which is only good for encrypting data. To decrypt the data again, you need a private key which you keep confidential. This works by using certain one-way functions. This means you get out of the key distribution problem, because you can distribute public keys and still have encrypted communication.

OK, I promise that was the hardest part. Now on to pretty pictures! I’ll use different colors to denote different keys used in the authentication process. Obviously, they’re not really colored, but it’s maybe easier to keep track if each key has an assigned color.

Key fob style authenticators

[Image: authenticator-scaled]

So you have an authenticator. It has a button, a display, and a battery. It also has a pretty picture on the front.


[Image: blizzard-authenticator-back]

The back looks less interesting, but has a very important piece of information: the serial number. (Mine has become partly unreadable over the years. This is bad.)


[Image: authenticator-key]

Apart from a microcontroller (the kind of computer that runs your washing machines, dishwashers, etc.), the key fob also contains a battery, a battery-buffered clock, and a key, that is, a piece of secret data that is used to calculate the numbers that appear when you push the button. This key is unique to this key fob: no other produced authenticator shares this key. This is the “secret sauce” that makes your authenticator work: if anybody ever was able to extract the key from the fob, they could create the same one-time passwords, and log into your account. Thankfully, those key fobs are very sturdy, and extraction is extremely complicated, expensive, and very much destructive to the device.


[Image: blizzard-masterkey]

Blizzard holds a special master key. This master key was used to create all keys in all fobs (of a specific production run; there are good chances that Blizzard changes them from run to run). To create each fob key, the master key is combined with a number via a one-way function. And that number? That’s the S/N on the back of your authenticator. (It was pointed out to me in the comments that some key fob producers do not actually use a master key to create the fob keys, but instead create random fob keys and then provide Blizzard or other company customers with a lookup list that contains for each fob its key and the S/N. From a security point of view, this doesn’t make much of a difference, though such a list should have a very slight theoretical security advantage.)

To register your authenticator with Blizzard, you log in and enter the serial number on the back of your authenticator. Blizzard takes that serial number, combines it with the master key and computes your fob key. It then puts that key information with the rest of your account information. Now you both have a copy of that key. We’re almost done!

[Image: register-keyfob]

Note something very nifty: The secret key was never sent over your Internet connection, or entered on your keyboard. That way, if your computer is compromised by spyware, or someone is eavesdropping on your connection, they don’t learn anything useful. They know your authenticator’s serial number, but to create your one-time passwords, they’d need the (silver) key. But to calculate that from your S/N, they would need Blizzard’s (golden) master key! And that one is stowed away as securely as possible. If an attacker managed to get their hands on that one, all authenticators would suddenly be vulnerable. Then again, if they got that, you’d probably be screwed anyway, because chances are they also made away with your main password as well as credit card and other sensitive information. (In the case of a lookup list, the S/N is just searched in the list, and the corresponding “silver” key information taken from that list. Again, no key information is transmitted, and if the list ever got stolen, key fobs would be compromised.)

Now what if we want to authenticate? We have a key, but if we simply use that as input to a pseudorandom number generator (cryptographically secure or not), we will only ever get one password: same input, same output. Not very secure, is it? That’s where the battery-buffered clock in the authenticator comes in. Instead of simply using the key as the input, the key is combined with the current date and time, and that is used as input. Your authenticator knows what time it is, Blizzard knows what time it is. As long as they agree on that time, both will calculate the same result, which to an outsider looks like random gibberish and doesn’t give any information about the key that was used.

[Image: keyfob-authenticate]

This has the nice side effect that each authenticator passcode is only valid for a short amount of time. That prevents an attacker from eavesdropping and recording the password, or pushing the button and recording the output when you aren’t looking, and using the authenticator code later on when they got a hold of your main password. Incidentally, the clock is also the reason those key fobs are pretty much broken beyond repair once the battery runs out: even if you could exchange the battery, there is no way to set the time after power is restored. Server and authenticator are out of sync and won’t produce the same numbers any more.
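
An added sketch, not code from the original post and not Blizzard's or any fob vendor's actual algorithm, of the two steps described above: deriving a per-fob key from a master key and serial number, then combining that key with the clock to get a short-lived code. It assumes HMAC-SHA-256 as the one-way function and the RFC 4226/6238 (HOTP/TOTP) construction for the code; the master key, serial number and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the post's "changes every 30 seconds or so"
DIGITS = 8         # the post's "6-to-8 digit number"

# Constructed sample values, not real keys or serial numbers.
SAMPLE_MASTER_KEY = b"constructed-master-key-for-illustration"
SAMPLE_SERIAL = "XX-0000-0000-0001"
SAMPLE_TIME = 1_392_656_367  # an arbitrary Unix timestamp


def derive_fob_key(master_key: bytes, serial: str) -> bytes:
    """One-way step: master key + serial number -> per-fob secret key.

    Assumption: HMAC-SHA-256 stands in for the unspecified one-way function.
    Knowing the serial and even the result does not reveal the master key.
    """
    return hmac.new(master_key, serial.encode("ascii"), hashlib.sha256).digest()


def one_time_code(fob_key: bytes, unix_time: int) -> str:
    """Key + current time -> short numeric code (RFC 4226/6238 construction)."""
    counter = unix_time // STEP_SECONDS  # constant for a whole 30 s window
    mac = hmac.new(fob_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F              # dynamic truncation picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def server_verify(master_key: bytes, serial: str, submitted: str,
                  server_time: int, drift_steps: int = 1) -> bool:
    """Server side: re-derive the fob key from the registered serial, compare.

    Assumption: the server also accepts the neighbouring windows
    (+/- drift_steps) so that a slightly drifting fob clock still works.
    """
    fob_key = derive_fob_key(master_key, serial)
    for step in range(-drift_steps, drift_steps + 1):
        expected = one_time_code(fob_key, server_time + step * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


if __name__ == "__main__":
    # The fob only ever holds its own derived key, never the master key.
    fob_key = derive_fob_key(SAMPLE_MASTER_KEY, SAMPLE_SERIAL)
    code = one_time_code(fob_key, SAMPLE_TIME)
    print("code shown on fob:      ", code)
    print("accepted right away:    ",
          server_verify(SAMPLE_MASTER_KEY, SAMPLE_SERIAL, code, SAMPLE_TIME))
    print("replayed 2 minutes on:  ",
          server_verify(SAMPLE_MASTER_KEY, SAMPLE_SERIAL, code, SAMPLE_TIME + 120))
    # A fob whose clock restarted from zero after a battery swap is out of sync.
    stale = one_time_code(fob_key, 0)
    print("fob with reset clock:   ",
          server_verify(SAMPLE_MASTER_KEY, SAMPLE_SERIAL, stale, SAMPLE_TIME))
```
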

Mobile Authenticators

Those key fobs have a couple of downsides. First, you have to pay for them, while the mobile authenticator is a free download from Google’s or Apple’s app store. Second, you have to order the key fob and then wait until it arrives at your door via snail mail, while you could use the mobile authenticator within a couple of minutes. Third, if you need to access your account from outside home, you have to remember to take your key fob with you, while you’re probably carrying around your phone anyway.

So you decide to use the mobile authenticator. How does that work? How is it different from the key fob?

[Image: mobile_authenticator_keys]

The different (and most complicated) part is the initial setup. Since you download the app from Google’s or Apple’s app store, every version of the app is the same. It doesn’t contain a unique secret key like the key fob does. What it does come with though, is a public key from Blizzard (golden). Remember that such keys that consist of a pair of public and private key are special: Blizzard can safely tell everybody its public key and still keep its corresponding private key secret. Also note that this “golden” key is not the same as the “golden” key in the key fob explanation. I’m sorry if that is confusing, but I ran out of cool colors, and what says coolness more than gold?

Anyway, in addition to Blizzard’s public key that was provided, the app creates a random “session key” (red) when it is started for the first time. After that, it will connect to the Blizzard server to create a key just like the secret key that resides inside the key fob. To do this, it uses the session key, encrypts it with Blizzard’s public key, and sends the encrypted session key to Blizzard. (This is denoted by the red key in a golden box.)

[Image: mobile_authenticator_session_key_exchange]

Blizzard decrypts the session key with its private key. Note that nobody else can get the red key out of the golden box: the public key is only good for “locking the box”, so to speak, not for unlocking it. Now both sides have the (red) session key and can use it to talk to each other securely. Blizzard now creates a secret key, just like the (silver) one that resides in a key fob. It encrypts that key with the session key, and sends that to you (silver key in a red box).

[Image: mobile_authenticator_secret_key_exchange]

Since your authenticator also knows the red key, it can decrypt the secret key. Voila! Now both Blizzard and your authenticator know the secret (silver) key. Setup is over, the red key isn’t needed any more and thrown away, and the day-to-day authentication works exactly the same as with the key fob authenticator:

[Image: mobile-authenticate]

You don’t even need any Internet connection while you’re creating authentication codes. All you need is a reasonably accurate clock. If your phone gets out of sync for whatever reason (which it typically shouldn’t, if your phone network provides time information), the authenticator has a button to resynchronize to Blizzard’s servers. Synchronization, of course, requires an Internet connection.

Threats

So let’s look at a couple of threat scenarios, and which type of authenticator fares better in each.

Attacker taps my Internet connection: during normal operation, all the attacker can learn that way are the short-term passwords. If they already know your normal password and are very fast, you’re screwed in both cases. If they don’t, there’s nothing to learn for them: the 6-to-8-digit passwords do not provide any useful information about your secret key. The main difference is that the mobile authenticator doesn’t come with a pre-installed secret key, so it needs the key exchange described above to get it. You’ll note that the red session key is created “randomly”. Now, as I said, true randomness is hard to achieve for computers. So there is some theoretical risk if an attacker could figure out how your phone’s random number generator was initialized, and therefore could figure out what session key (red) you created. Then, the attacker could eavesdrop on your connection, capture Blizzard’s response, and decrypt the (silver) secret key with the guessed session key. Winner: both are secure, key fob has the edge.

Attacker learns my secret key: With a key fob, this is pretty much impossible. Getting to know your secret key involves opening your device and doing some serious hardware hacking. At the very least, you’d notice it immediately after it’s done, because an attacker would have to break it open. With a mobile authenticator, this is much easier: the attacker would have to (get you to) install some spyware on your phone that reads your secret key and sends it to them. Winner: key fob.

Losing / breaking your phone / fob: During the initial setup of the mobile authenticator, the app shows you a recovery key that you are supposed to keep in a very secure place. If you ever lose your phone or need to reinstall the app, you can use that key to create a replacement authenticator. With your key fob, if you lose or break it, you’re out of luck. Off to Blizzard’s phone line you go. Have some government-issued ID or similar documents ready to mail them to unlock your account. Winner: mobile authenticator.

Attacker steals or “borrows” phone / fob: Like all other attacks, this only gives the attacker a chance to compromise your account if they also know your main password. If an attacker gets physical access to your authenticator, you’ve pretty much lost the fight. With a fob, the attacker can immediately log into your account and, for example, detach your fob and attach another authenticator, locking you out. With a phone, a screen lock might delay an attacker, but those things are not very secure. Winner: you are screwed regardless, mobile has the edge.

Attacker “persuades” you: That’s up to you. It’s your decision how much of your health your account is worth to you…

Yeah, not even a Thunderfury is worth going through that. [source: xkcd.com]


To summarize, the tradeoff is a pretty classical one between security and convenience. The key fob is the more secure device, but if you lose or break it, you can expect a lot more work (and time!) until you get access to your account again. On the other hand, the mobile authenticator’s most glaring risk is that the secret key can be stolen by spyware, which should not be underestimated. Mobile phones are not that secure, after all. But if something happens to your phone, you can use your recovery key to authenticate yourself from a replacement phone, which is both faster and a lot less hassle. Which one you choose is ultimately up to you.
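
The random-number risk from the “Attacker taps my Internet connection” scenario above, as an added example (not from the original post and not Blizzard’s code): a session key drawn from a clock-seeded generator can be regenerated by anyone who knows roughly when the authenticator was set up, while a key from the operating system’s CSPRNG cannot. The XOR-masked response, the key length, the time window and all function names are assumptions made for this illustration.

```python
import random
import secrets

KEY_LEN = 20  # bytes; constructed size, not taken from the post


def weak_session_key(seed: int) -> bytes:
    """Vulnerable: general-purpose PRNG seeded with a guessable value."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_session_key() -> bytes:
    """Hardened: bytes from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_response(session_key: bytes, secret_key: bytes) -> bytes:
    """Assumed stand-in for the reply: secret key masked by the session key."""
    return xor(secret_key, session_key)


def reproducible_from_clock(key: bytes, enrol_time: int, window: int):
    """Self-test for a key generator: return the clock seed (in seconds)
    within +/- window of enrol_time that regenerates `key`, else None."""
    for seed in range(enrol_time - window, enrol_time + window + 1):
        if weak_session_key(seed) == key:
            return seed
    return None


def demo() -> dict:
    enrol_time = 1_391_000_000                 # constructed timestamp
    secret_key = secrets.token_bytes(KEY_LEN)  # constructed "silver" key

    weak = weak_session_key(enrol_time + 17)   # phone clock slightly off
    captured = server_response(weak, secret_key)
    seed = reproducible_from_clock(weak, enrol_time, window=300)
    recovered = xor(captured, weak_session_key(seed))

    strong = strong_session_key()
    return {
        "weak_seed_found": seed,
        "secret_exposed_with_weak_key": recovered == secret_key,
        "strong_key_reproducible":
            reproducible_from_clock(strong, enrol_time, 300) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same self-test can be run against any key generator under review: if a key it produced comes back from a small seed range, the generator is not fit for creating session keys.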

Talking To The Wind, or: When Comments Fail
https://randomwaypoint.fajs.de/2014/01/talking-to-the-wind-or-when-comments-fail/
Fri, 31 Jan 2014 13:18:21 +0000

It seems it’s always feast or famine with posts around here… though the current ones have more to do with the blog itself than with actual content.

Seems at some point in the recent past, Jetpack’s comment feature broke. Comments didn’t go through. I should’ve become suspicious when the number of spam comments went waaaay down. While I always updated the blog with the newest versions of software, I never realized that the comments had broken. I posted so little that I wasn’t surprised that there were no comments. I figured I was simply talking to the wind. I just noticed today when I went over a pre-migration checklist.

Long story short, I can’t figure out what the problem is, so at least for the time being, the standard comment form is active again. It doesn’t look nearly as spiffy, but at least it doesn’t eat all comments.

Of course, I might be talking to the wind anyway, but at least now, there is a chance for people to answer again!

Dual-Use Post
https://randomwaypoint.fajs.de/2014/01/dual-use-post/
Fri, 31 Jan 2014 10:27:52 +0000

Two short bits of information:

Migration Period

No, not that migration period.


First, the short-term one. I will have to move the server this blog resides on. If all goes well, it’ll happen this weekend. If not, some time later in the first half of February. You probably will see some hiccups, and the server might be unavailable for some time (for the tech-savvy people: that’s mostly because the IP will change and, sadly, I cannot influence the DNS caching times). It’ll be back.

Hibernation Period

Now for the medium-to-long term one. As you’ve noticed, my posting volume has gone way down. To be honest, and even though that makes me a bit sad, I fear that this won’t change for some time. I’m currently in the phase of writing down my dissertation for my PhD. It’s not quite going as I had hoped, but the effect on this blog is that, after spending most of my time writing proposals, papers, and (in the little time that remains) dissertation sections these days, I’m too tired of writing to write on this blog in my free time. I just want passive entertainment in the evenings. However, I’ve not given up on the blog yet. If I ever do that, I’ll let you know. For now, I’ll just write when I feel like it, because keeping a strict schedule will definitely sap the fun out of it. I still feel like eventually, I’ll get back to it.

Updated Look
https://randomwaypoint.fajs.de/2013/09/updated-look/
Sun, 08 Sep 2013 06:35:59 +0000

When I started this blog, I searched around for a nice theme. I wanted something simple, slightly austere, and most important of all: no pictures that I had to make, because I suck at those. I started with Titan, which I modified to my liking.

Titan, however, is more or less a made-from-scratch theme. Which is all fine, but over time, I had a harder and harder time maintaining my changes and getting Titan to play nice with nifty plugins. It required jumping through hoops here and there (which might completely be due to my changes and not the original Titan theme; all my experience with CSS, for example, comes from trial and error). I decided I needed something new and more maintainable, and that the best bet would be to modify a standard WordPress theme, so I’d get a Titan look with a twenty-something feel.

I tried about half a year ago with the then-current twenty-twelve, but didn’t have much success. I got lost in endless cascades and flexible, but complicated definitions. I gave up.

Twenty-thirteen made it much easier for me to change it to my liking. I played around for about a week now, and am now at the point where I like what I see. Expect minor tinkering here and there in the near future.

Bottom line: If something doesn’t work any more, please tell me.

Schoolyard Bullies
https://randomwaypoint.fajs.de/2013/07/schoolyard-bullies/
Wed, 24 Jul 2013 18:10:50 +0000

Go and read this: http://eq2wire.com/2013/07/24/character-blocked-from-eq2u-due-to-trademark-claim/

Then decide whether you want to laugh or cry. Short version: Feldon, tireless tinkerer behind EQ2Wire, one of the most, if not the most useful EQ2 site (news, armory, gear lookups, etc. all in one place) is bullied by some guy who claims he has a trademark on a character name, despite the fact that

  1. EQ2Wire only provides a WoW-armory-like frontend to API data that is publicly accessible from SOE servers,
  2. the claim that a character name infringes on his wordmark because the wordmark, among many other things, is registered for a classification that, again among many other things, includes “Game services provided on-line from a computer network” sounds quite spurious,
  3. the character was named before his trademark was registered.

I especially like the part where the guy says

I can not understand why do you make such trouble. The easy way is delete it. You can then tell your client that he breaks laws. What is easier for you? deleting ONE user or making your website unavailable for all European countries?

I can’t help but read this in a fake Italian Mafia movie voice: “Luigi, why are you making-a this so difficult-a for me-a?” This, by the way, is also where the bullying comes in. You could, of course, try to explain your points and give proof to your claims instead of shouting “IT’S VERBOOOOTEN!” and having Feldon run around and do the footwork. But why if it’s easier to just claim someone’s website will be offline in all of Europe (yeah right) at a snap of your finger?

Despite the outlandish sound of this silliness, the guy isn’t actually completely out of his mind in all points, I’m afraid. Though thankfully, his claims at least look haphazardly stitched together. The guy is probably annoyed that after (supposedly) tanking his business and letting his domain expire, one of the first hits on Google is to a Dark Elf character on Antonia Bayle who likes to RP evil, and claims some unsavory deeds in his character’s biography, such as “murder, treason, and poisioning[sic] the Qeynos water supply”.

Despite coming from a family of law practitioners, I never studied it myself, so I won’t try and give my non-expert opinion here. But it’s probably not a 100% frivolous claim, as much as I wished it were. If you look long and hard enough at each point, you can find things you could argue in favor of that guy, if you had to. I hope Feldon will have a chance to talk to SOE (as a premier EQ2 site, he seems to have some good contacts over there), and maybe can get an opinion from their legal department. Hopefully, they’ll tell him not to worry, and either rename the character (the sad solution), or give him some big company backing (since this indirectly also touches the issue of their public API data), and hope the guy reconsiders after he’s called on his bluff.

Of course, chances for the sad solution are much higher because it requires less work and expenses from SOE’s side.

This is the world we’re living in, girls and boys.

If I had the money, I’d be thinking about registering every single character name I ever used as a wordmark now. These days, playing the stupid trademark game seems to be the only way to get rid of the scourge of trademark frivolity.

Where have I gone?
https://randomwaypoint.fajs.de/2013/07/where-have-i-gone/
Fri, 12 Jul 2013 10:58:44 +0000

The blogosphere (a term that I dislike for reasons I can’t quite pin down) is up for a round of navel-gazing (word of the day: ὀμφαλόσκέψις (omphaloskepsis), a term that I like for reasons I can’t quite pin down). Not in the unhealthy, overly self-absorbed way, simply in the way of talking about itself. A lot of people have the impression that blogging is going through another rough phase. Maybe that’s partially because Google finally shut down its reader after they realized they can’t scare everybody away with sudden arbitrary UI messups, and people are worried what that will mean to the dissemination of their thoughts.

I’m really not too worried about that, considering that I don’t think most of my thoughts are well-disseminated anyway. Not the way the bigwig’s thoughts are, in any case. And that’s just as well, because my flow of posts comes and goes, like rainy season in the Okavango Delta, forming a huge stream that then unceremoniously seeps away in the savannah. (Fun fact: after half a year of almost no posts, recently Feedburner claims my readership count has gone up. Though I’m not convinced that counter is completely trustworthy, I’ve seen it do strange things before.)

Anyway. Where was I? Oh, right. People ask “where have all the bloggers gone?” (there’s a nice collection of posts at Wilhelm’s blog, someone who seems to deal much better with steady flows of posts), and when I read their posts, I can’t help but feel part of the group they’re talking about. Even though I don’t feel like a cowboy at all, which is the image Ravious chose: I’m most definitely one of the bloggers that came and seems to have gone.

I still refuse to acknowledge that fact, though. That’s the reason there hasn’t been a Goodbye post, that’s why I still update this WordPress installation and the plugins (which is probably not noticeable at all from the outside, but I won’t let this site rot). It doesn’t have to do with me thinking that the medium is dying. I still like it, and I haven’t figured out how Facebook, Google+ or (least of all) Twitter could ever replace this method of publishing thoughts.

So, if I actually don’t want to stop writing, why have I? The reason, as often, is simple, mundane, and sounds like a copout, but it’s still true. Let me present my personal hierarchy of needs:

That's how it's supposed to work.


The pyramid is simplified, of course. Everybody needs food and sleep, but I skipped air and all those other pesky things you can read about from Maslow. Work sometimes becomes a WoW peon’s “Work Work”, and then there’s not much to do about it. I like my job, and it has good fringe benefits (billiard table at work?), but as it often is with jobs that provide a lot of amenities at your work place: they also tend to gobble up a good extra amount of time compared to the average drab cubicle job. Playing games (which again stands in for and has to share its time with other pastimes such as reading) is where it gets interesting, because who wants to blog about work? Or sleep? Food I can see, but that’s a different kind of blog. But of course, to write about games, I need to play games to write about. And for me, following other people’s blogs and reading their posts comes before writing my own posts. Mostly because I guess I don’t feel my posts are that exciting half the time, and I often only get inspiration to write after reading what others wrote. Plus, I’m a selfish bastard and, hey, I already know myself what I want to write, so I’d rather go and absorb other people’s thoughts before divulging mine!

So, what happened a lot this past half year was something like this:

Too much work makes it work how it's not supposed to work.


I wasn’t completely overworked to the point where I only knew work and sleep, but it was enough to sap anything more involved than clicking a button a couple of times in a game. Even with reading, I fell behind. Now, of course, it hasn’t been like this for half a year nonstop. That would be horrible. Sometimes, it’s better, like it was recently:

That's somewhat better, but still not quite right...


I was able to play a bit, and I even managed to read some blogs again relatively regularly. I’m still ways behind with some of them (Hi, Wilhelm! Hi, HarbingerZero! Hi, MMO Melting Pot! Hi, Syl! Hi, Jester!) and will probably have to do a cut at some point and just skip some old posts. But at least I feel more connected again to what other people are doing and writing about. Still, whenever I sat down to write, either something else came up, or I just stared at a blank screen because I didn’t have the necessary rest and focus to write something of my own.

But when people start asking where everybody went, you have to at least shout that you’re still there. As I said, I still refuse to let this blog die. I’m not sure how much more time I’ll have in the future (I will have to write my actual dissertation document very soon, we’ll see how that much writing affects writing on this blog), but I will try. I actually have a bunch of half-finished posts in the queue. Some are quite old by now, but they will still work once I finish them. What can you expect? Well, I stopped playing EQ2 in the meantime, then started again. There are one or two posts about that in the queue. I also finally got the invite to the FF XIV beta, sadly only now during what looks like the publicity stunt “stress test beta”. But better than nothing, and once I order my thoughts about what I think about the game, I’ll probably have something to say there, too. There’s also some more general stuff about “the state of MMO gaming” which might or might not ever get finished. It seems people enjoy me talking about that, so I’ll try, but at the moment, they are a mess. To get back into the groove, I’ll probably try simple things first.

I’ll do my best.

I’m STILL not dead
https://randomwaypoint.fajs.de/2013/03/im-still-not-dead/
Thu, 14 Mar 2013 13:16:25 +0000

Sorry to everybody who might’ve hoped otherwise!

There are just too many things going on. Teaching classes, teaching students, trying to finally wrap up and write down my thesis, an impending move and other random bits are just tying me down. I also dusted off my piano for the first time in years and now am trying to get back to the level I once was at (which is going much better than I had hoped for, at the moment!). A certain MMO ennui is also a contributor. Though I’m slowly feeling the itch return. Maybe, one day…

I got a couple of half-finished drafts in my box. Maybe I’ll try and finish them finally, to get something rolling here again. Soon. Probably not before Easter though, because for now, it’s packing for yet another work trip.

I’m not dead
https://randomwaypoint.fajs.de/2012/12/im-not-dead/
Wed, 12 Dec 2012 07:12:53 +0000

Work is just crazy right now. Crazy enough that I haven’t even been able to get a single Christmas present yet.

Thankfully, it seems as if it’s slowly spinning down again (as you can guess from the fact that I at least can write about not having time).

I’ll be back.
