Latest Comments by Kimyrielle
Realpolitiks now available on GOG along with a content update
9 May 2017 at 5:50 pm UTC Likes: 1

This is a game I could totally love if it had more depth. Maybe Paradox picks up the idea and turns it into something awesome. They have games set in pretty much every imaginable period of human history, except present day. :D

The latest HITMAN Elusive Target is now live on Linux
8 May 2017 at 5:04 pm UTC

I still hope they will release the Elusive targets as a pack one day, so we can enjoy them whenever we want, as it should be.

The Unity forums were hacked, but they say no passwords were taken
5 May 2017 at 4:18 pm UTC Likes: 1

Quoting: razing32
Quoting: Beamboom
PS: I never started using Linux "to escape MS's monopoly" - I did it because it's simply the better OS for my line of work. ;)

Sysadmin ?

My guess would have been developer. ;)

And well, Linux is a better OS than Windows in every regard I can think of. The area Windows is ahead is the number of software products available for it, that's really all. Namely games and design software. If we'd be evenly supported by software, nobody in their right mind would still be using Windows.

The 'Razer DeathAdder Chroma' is quite possibly the nicest mouse I've ever owned
5 May 2017 at 4:12 pm UTC Likes: 1

Quoting: Creak
Quoting: Guest
Now just hurry up blizzard and give me Overwatch then I can get rid of windows and use my SSD for linux!
Hehe, I've lost hope on Blizzard, they just deeply hate Linux.

In my case, the feeling is mutual. I don't like their games either. They are the only larger publisher I have never bought a game from. I couldn't care less if they ever support Linux. But as far as Overwatch goes, wasn't it supposed to run in one of the newer WINE patches just nicely?

The 'Razer DeathAdder Chroma' is quite possibly the nicest mouse I've ever owned
4 May 2017 at 4:34 pm UTC Likes: 1

I have had a Razer Naga for about 4 years now (I disagree on the MMO buttons being useless btw. - I couldn't imagine playing an MMO without them anymore, or really any game that needs the number keys). I never had any issues with the mouse, and I'd probably buy from Razer again. Btw. even on Windows you don't need their software if you can live with the buttons assigned to standard keys. The MMO buttons are linked to the 1-9,0,-,= keys, which 99% of the time is what you want anyway.

The Unity forums were hacked, but they say no passwords were taken
3 May 2017 at 9:16 pm UTC Likes: 1

Quoting: Beamboom
Two layers of security is and will always be better than one.

You will hear no dissent from me here. I said a few times already that 2FA looks good on paper.

Quoting: Beamboom
Quoting: Kimyrielle
But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)

That is not the topic. The topic is security. Two layers of security are better than one - period.

To me, that IS the topic. That and nothing else is. A security system that increases security (it does, we don't disagree here), but comes with an astonishing number of inconveniences, unsolved design flaws and privacy concerns is UNACCEPTABLE. Yes, even if it otherwise works. Security is not something you can and want to maximize. It always comes paired with secondary concerns. The most famous one being Security vs. Freedom. But convenience is -certainly- one of the secondary concerns, as is privacy, and making the system resilient against single points of failure. 2FA doesn't satisfy ANY of these considerations. It works in some select areas where these concerns do not matter. You named banks, and I agree with that, since they already know my identity anyway and can ask me to show up in person if I lose my token. It works because banking is still at least partially an offline business. Most other areas that need good online security aren't like that.

I do otherwise agree with you that we need something better than static passwords. Unfortunately nobody has ever come up with a great idea what to replace them with. 2FA isn't it, at least not without considerably improving the way it's currently implemented. For the time being, I am rather willing to accept somewhat weaker security than living with the plethora of unsolved issues it comes with. *shrug*

The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 10:58 pm UTC

Quoting: Beamboom
Well, then criticise that, then.

That's indeed what I do and what I called the "reality check" that 2FA doesn't survive. The entire concept has several really fundamental problems that just aren't solved and probably never will be. Like how to solve the lost token recovery WITHOUT trampling on your privacy (and please don't point me at Facebook or Google...we know for a fact that neither of them gives a flying shit about your privacy). Which is a hilarious circumstance given that the most popular token is a device people are super prone to lose - their smartphone.

In the end, my fundamental problem with 2FA is that it doesn't really provide any significant additional security for people who use good passwords or service providers that aren't completely inept. Basically 2FA is an attempt to cure stupid. And we all know that in the end you can't. For people who are NOT stupid, it doesn't do anything except making their life more complicated. And introducing a lot of new problems, like making one lose access to -everything- if they happen to lose the single point of failure in that system - their phone.

But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)

The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 9:47 pm UTC Likes: 1

Quoting: Beamboom
But again - once you understand how this works you'll realise that this system is, in fact, very good.

I find it both funny and a little offensive that you're basically suggesting that I don't understand how 2FA works. But I guess rule #1 for internet debates applies: Whenever you're running out of good arguments, take a stab at the other person's qualifications!

I know that you're not -technically- handing your keys to Google. You're still making yourself dependent on them and their service. Which is in the end just as bad.

Quote
Two password walls are better than one. And if that second password is valid for only one single minute before it's scrapped, it's even better.

The problems with 2FA I tried to point out aren't related to that. I already said it's a good idea on paper. Unfortunately one that doesn't survive a reality check. See my above postings.

Quote
And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

Yes, that's my point. Most of these recovery procedures are really weak security. As weak as a bad/lost password. "Answer this silly question about you, that every halfway determined person can find out in 5 mins". Yeah, right!
To me, the recovery question is actually THE central weakness of 2FA as a concept. I can't remotely think of a good solution to that problem that wouldn't completely do away with any notion of privacy/anonymity online. Which is unacceptable.

Quote
An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open.

You do realize that brute force attacking a file encrypted using a proper cypher and a -good- password takes multiple lifetimes, yes?

Quote
Especially since most users use a simple password on that file - since they have to open it quite regularly.

Can't cure stupid. But if they can't be bothered using a good password for the most important file they possess, what makes you think they'd want to add a super-inconvenient second authentication layer on top of that? And that 2FA is super inconvenient is just an objective fact, sorry.

Quote
So if a hacker gets their hand on that file, you may just as well consider the content exposed. One with know-how will be able to pry it open.

No, they can't. I'd die long before they'd be finished. In contrast to Darth Helmet I don't use 12345 as a password. That being said, I'd still change my passwords if I'd ever lose my phone. Chances are that I am done before they brute forced my password file. *shrug*

The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 5:28 pm UTC Likes: 1

Quoting: Beamboom
Quoting: Kimyrielle

I totally disagree with all you say, Kim. A good password is unique to each account. And a collection of unique passwords WILL have to be stored in a password file of some sort, and that file WILL, for most persons who do practise good password policy, be stored on the mobile phone too (typically via cloud). And then you're pretty much back to square one if you do lose your mobile and someone gets past the login of the phone.

To argue against 2FA and for good password policy is pretty much counter-productive. 2FA makes the requirement of good passwords less vital and a system much, much more robust. That's the way to go.

In my opinion, absolutely everything even remotely vital (ergo store important data) should be 2FA - preferably all using the same token technology, but today all but one service that I personally use are using the algorithm used in Google Authenticator (it's an open standard, can't recall the protocol right now).

The vital difference is that if I lose the phone with my encrypted password file (people who put unencrypted password files on phones or cloud servers are stupid anyway), I still have a copy of it in my backup, or on my desktop PC. So, if I lose my phone with my encrypted password file, I can simply recover the copy from my backup and carry on. OTOH, losing a 2FA token is a major disaster, since that's the exact thing you need to authenticate with. Recovering lost 2FA tokens is a completely unsolved security problem, btw. There is no satisfying way to prove that the lost token was actually yours, because the possession of the token IS what the system is using to identify you. A service provider will usually resort to asking you things you know, essentially opening possible social engineering attack routes and eliminating most of 2FA's additional security (authenticating with something you KNOW is what passwords do...)

I find it also hilarious that people use Linux to escape MS's monopoly, but would be willing to hand Google the keys to each and every online service they use. Just sayin'.

The Unity forums were hacked, but they say no passwords were taken
1 May 2017 at 6:25 pm UTC Likes: 2

Quoting: meggerman
All sites should use 2FA if reasonably possible.

The problem with 2FA is that it's a complete PITA. There are about as many authenticators around as there are applications using 2FA, which is bad to begin with (If you use 30 services protected by 2FA, chances are that you will have to deal with at least 25 different authenticators). But the worst thing about 2FA is that most services want you to use your smartphone as authenticator, which is a really, REALLY stupid idea. Smartphones have a much greater chance to get lost or stolen than (good) passwords have, so doing that is adding a security liability, not an asset.
You also cannot use smartphone based authenticators without exposing your identity, at least to the provider of the authenticator. Which is a significant privacy concern, for using such services anonymously is nigh on infeasible.
And since people tend to replace their smartphone quite often, you will have to reset every single authenticator app when doing that. Fun! Not.

2FA is one of the things that look good on paper, but just don't work in real life. The one possible solution to this dilemma would be a global standard provider of 2FA tokens you could purchase anonymously and that would work with every single service on the planet. But when has standardization ever worked anyway! And even then this would result in a single point of failure you better not ever lose. That's the intrinsic problem with 2FA - its very point is to make you authenticate with something you HAVE and not just know (unlike passwords). But what you have, you can lose!

In the end, 2FA would be totally unnecessary if people would pick good passwords, not reuse them anywhere, and the service providers would stop being daft and start properly hashing/salting them. 2FA does NOT protect services from getting hacked. All it really does is protect stolen passwords.