Page 2 of 2 FirstFirst 12
Results 21 to 26 of 26
  1. #21
    Network Hub
    Join Date
    Dec 2011
    Posts
    122
    Quote Originally Posted by Ernesto View Post
    Except that it is allowed to log in from any PC.
    But instead of logging in once with my username and password, I also have to log into my email account to get a 'special access code' or something. I can't imagine that this additional step significantly slows down an attacker who apparently already knows my login credentials.
    But maybe I just don't understand how that is supposed to work...
    The assumption is that the attacker knows your *Steam* login credentials, but not necessarily any of your other credentials.
    Especially if you're a sane human and are using two-factor authentication for your email (if it's webmail), then it's much less likely that an attacker will have access to the email account *and* your Steam account, so the additional check does reduce the possibility that the login is fraudulent.

    (I'd prefer them to just do straight two-factor with tokens or SMS, but "this computer is untrusted" queries are cheaper to implement I suspect (and push the need for actual security onto the email provider, which may be more important to Valve) ).

  2. #22
    Network Hub Stellar Duck's Avatar
    Join Date
    Jun 2011
    Location
    Denmark
    Posts
    448
    Quote Originally Posted by aoanla View Post
    (I'd prefer them to just do straight two-factor with tokens or SMS, but "this computer is untrusted" queries are cheaper to implement I suspect (and push the need for actual security onto the email provider, which may be more important to Valve) ).
    Emphasis mine.

    I absolutely think you're right. Valve is the king of half arsed lazy implementations of anything when it comes to Steam.
    Snatching defeat from the jaws of victory since 1982.

  3. #23
    Secondary Hivemind Nexus
    Join Date
    Jun 2011
    Posts
    2,006
    Unlike what 99.9999999 % of people think. Theres a right level of security for everything, and almost never is 100%. Arguably, you sometimes want it to be less than 100% to be more safe.

    Sometimes you want the police, or firemen, to break a door. Or people trapped inside a car want to break the glass. Or you want some password to be simple and easy to remember...


    I specially hate the idea that you need a login for everything, and a username for everything. More sistes should give you the option to be anonymous.
    Last edited by Tei; 24-07-2014 at 06:14 PM.

  4. #24
    Secondary Hivemind Nexus Zephro's Avatar
    Join Date
    Aug 2011
    Posts
    1,918
    Most content on the web if it is translated from some kind of CMS will have lots of information like preferred language from the browser, from user input, from geolocated IP (which is hilariously inaccurate at times, to whomever said it IPs are really terrible ways to identify anyone) and that gets mixed with whatever the CMS actually has. It's not unusual for the content providers to provide translations for parts of things which forces the server to drop back to a default in places, or default everywhere (normally English oddly enough).

    But yeah it is a big mess with most companies.

    I think a lot of the newer implementations are to avoid exploits as well as hacking. Hmmm this person normally logs in to NetFlix from the UK but is suddenly logging in in the US suddenly... Steam have had similar problems of people trying to cherry pick store fronts etc.

  5. #25
    Secondary Hivemind Nexus Skalpadda's Avatar
    Join Date
    Jun 2011
    Location
    Sweden
    Posts
    1,300
    Quote Originally Posted by postinternetsyndrome View Post
    Check out the Swedish translations of L4D2 and TF2 if you dare. The achievement names in particular are extraordinary.
    I did get a surprise Swedish translation of Portal 2 when visiting a friend. It was weird.

    I can see how there are technical problems and other shenanigans when serving web pages, but still, why use a translation as default at all in regions where everyone understands English anyway? And if I already have an account where I've manually set the language to English at some point would it really be that hard to simply set a flag somewhere that this account should get content served in English?

  6. #26
    Secondary Hivemind Nexus
    Join Date
    Jun 2011
    Posts
    5,348
    There's something INCREDIBLY important about business which we can see working here in isolation...

    In commercial terms, it's never about doing something well - it's never about being the best - it's always about ensuring you pass the blame to others if/when it goes wrong. It's "musical chair risk' and it's what 99% of managers spend 99% of their time doing.

    Millions of manhours each day are spent simply moving risk and shifting blame - I have a relative who's a healthcare manager and her ENTIRE job is attending meetings to ensure that documents are created to ensure that whatever happens, no-one can be blamed if something goes awry. None of what she does has 1 iota of benefit to any patient - it's all about keeping her employer 'clear of risk' - and she's one of dozens of people who do that for just 1 hospital trust.

    Internet Security is almost a perfect example of this tho - you have to be seen to do 'enough' - to have just enough "stuff" to pass the blame along to the customer rather than accepting that it was, in fact, your staff's incompetence which allowed hackers to steal passwords and credit card details and hijack accounts etc. etc.

    You may, one day, have to back that up with a lot of spin and lies (see Microsoft and the endless XBOX scams - their attitude is "our customers are stupid - it's their fault" despite mountains of evidence to the contrary) but you have to ensure the basis of those lies is there in the first place.

    "We put in place 2-factor security" - "we added a location-checking system" - "we added more secure (less rememberable) passwords" and so on.

    The reason we don't have better security systems is that there's no money in making them tho. Customers wouldn't pay more for a 'more secure' login system and there's no real motivation for the service provider to spend more than is ABSOLUTELY necessary to keep things 'as secure as will keep your job safe'

    So we're stuck with a lot of unnecessary and pointless shit masquerading as 'security - often for sites which have little need for it other than some fucker, somewhere "wanted your email address".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •