SOE Forums Go For Security Theater

Written by Feldon. Posted in Commentary, Game Updates & Maintenance

If you like posting on the EQ2 forums, you’ve probably been seeing a lot of the above screen.

Over 2 weeks ago, the SOE forums lost the ability to store login information in a cookie. In other words, anyone who was not actively browsing an SOE forum or website was logged out after 15 minutes of inactivity. At the time, this was explained as a temporary glitch.

However last week, EQ2 Community Manager Amnerys (who returned to work at SOE in early January) had this unbelievable update on the issue:

The forum auto logout has been changed to 3-hours now. This should satisfy the security reasons for the change as well as allow a decent amount of time before needing to log back in.

EQ2Players is very much “coming soon.” I know you won’t believe it until you see it, but it truly shouldn’t be very long now. I haven’t seen it with my own eyes, but others on my team have.

Amnerys posted elsewhere:

I believe there is now a 3-hour auto logout on our forums. So it’s not indefinite like it used to be, but not so short that you’re having to log in again every few minutes. Hopefully this timing will be better for users and still accomplish the security goals.

A player who contacted a different forum administrator received this cryptic info:

Unfortunately, due to security reasons we had to disable that feature and change the way everyone logs in to the forums. We have recently adjusted the forums so that it will now keep you logged in for up to three hours.

It hasn’t been made clear what security reasons there were for invalidating cookies after 3 hours. I posted an explanation for why requiring a login every 3 hours is just Security Theater:

I’ve been administrating forums for 12 years. This is the first forum I’ve used that has a standard policy of logging you out every 3 hours.

The industry standard is 14 days. That’s Google, WordPress, Facebook, Twitter, etc. Every forum I’ve ever set up or dealt with (I participate in about a dozen) actually allows you to stay logged in 30-90 days on a cookie. To date I’ve never seen a security problem on a forum that resulted from the cookie’s duration being “too long”.

Requiring a login multiple times a day DECREASES security because if a malicious zero-day keylogger program slips past your Anti-spyware prevention on your PC, it’s far more likely to grab your SOE/Station password because of how frequently you are having to type it.

Obvious trolling about people having “no life” for spending X hours a day on the forums is irrelevant blather and is just a nonsense smokescreen coverup for the reality. Web security has never and will never require invalidating cookies after 180 minutes.
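As an added illustration of the point above (example code, not part of the original post or of any SOE system), here is how a forum can honour a 14-day "stay logged in" cookie without ever putting the password in it: the cookie carries only a random token, the server keeps only a hash of that token, the token is rotated on every use, and presenting a superseded token kills the whole login series so a copied cookie cannot be used quietly. The store, names and durations are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

DAY = 86400
SLIDING_DAYS, ABSOLUTE_DAYS = 14, 30    # durations the post cites as typical

# Constructed in-memory store keyed by login series id; a real forum would use its DB.
# Only the SHA-256 of the current token is stored, so a copy of this table logs nobody in.
SERIES = {}

def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()

def _issue(series, user, now, absolute):
    token = secrets.token_urlsafe(32)           # random secret; never the password
    SERIES[series] = {"user": user, "token_hash": _h(token),
                      "expires": min(now + SLIDING_DAYS * DAY, absolute),
                      "absolute": absolute}
    return f"{series}:{token}"                  # value that goes into the cookie

def login(user, now=None):
    """Called once, after the password (and authenticator) check has succeeded."""
    now = time.time() if now is None else now
    return _issue(secrets.token_urlsafe(16), user, now, now + ABSOLUTE_DAYS * DAY)

def cookie_header(cookie_value):
    """HttpOnly keeps page script away from the cookie; Secure keeps it off plain HTTP."""
    return (f"Set-Cookie: remember={cookie_value}; Max-Age={SLIDING_DAYS * DAY}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")

def validate(cookie_value, now=None):
    """Return (user, fresh_cookie_value) or (None, None). Rotates the token on every use."""
    now = time.time() if now is None else now
    series, _, token = cookie_value.partition(":")
    rec = SERIES.get(series)
    if rec is None or now > rec["expires"] or now > rec["absolute"]:
        SERIES.pop(series, None)                # sliding window or 30-day cap elapsed
        return None, None
    if not hmac.compare_digest(rec["token_hash"], _h(token)):
        del SERIES[series]                      # known series, superseded token: likely theft
        return None, None
    return rec["user"], _issue(series, rec["user"], now, rec["absolute"])
```

Because the sliding window is renewed on each visit, a regular reader never types the password again within the 30-day cap, which is exactly the exposure the post argues a 3-hour logout makes worse.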

Comments (16)

  • bhagpuss

    It’s never even occurred to me to stay logged into any forum or service. I always log in when I want to use something and then log out when I finish. It’s just tidy, like turning off the light when you leave a room.

    Interesting point you make about it being more secure to stay logged in. Would it also be more secure to allow your PC to remember your passwords, something I never do? I always imagined it was more secure not to allow that but the same logic about keyloggers would apply, would it?

  • Deiussum

    I can kind of see their security point. Storing username/passwords in a cookie isn’t the most secure either. Cookies can be sniffed by malicious JavaScript and since the username/password you use to log in is also the same one you use to log in to your game account info, I can see where they’d want to try and secure that as much as possible.

  • Kralus

    Having an authenticator makes this mess even more annoying. Their reasoning is laughable at best.

  • badcat

    If they think this is going to fix their security problems they should fire whoever gave them this advice. At first we all thought it was a mistake but honestly all it is is a pain in everybody’s neck.

  • Feldon

    Bhagpuss wrote:

    It’s never even occurred to me to stay logged into any forum or service. I always log in when I want to use something and then log out when I finish. It’s just tidy, like turning off the light when you leave a room.

    You must write drafts of all your forum posts in an external editor like Wordpad, UltraEdit, etc. and then paste them into the editor when you’re ready to post. Being automagically logged out every 15 minutes would lead me to lose a lot of posts during submission.

  • skippydippy

    It’s never occurred to me NOT to stay logged in to any of the many forums I’ve been a member of over the years. It makes no sense whatsoever, on my home PC of course, to keep being logged out.

    Now thanks to the morons at the SOE “web team” I’m forced to log in every time I visit the damn forum. It’s mind-bogglingly stupid to me. The sheer issue of security is of course the main concern for me, but the inconvenience of it is a major bugbear. To me it just shows how utterly out of touch all aspects of SOE are at the present time.

  • Kwill

    They have clearly demonstrated in too many instances recently that they really don’t know what they are doing — and this is just another example of that. It sounds good, but as Feldon so intelligently pointed out, it’s actually counterproductive.

    Security theater! I love it.

  • Kryvak

    Yeah, I didn’t think about it from the view of a keylogger, but it does seem ridiculous. They did change it from 15 minutes to 3 hours, which is at least acceptable; the only problem I have now is that it doesn’t redirect you to the page you were on after signing in.

  • Kwill

    It’s just going to discourage people from posting as much. Which is probably what they want, anyway.

    They are moving away from community sites, interaction, and communication. What better way than to require extra effort on the reader’s part to log in and post, versus just read? Less work for the mods.

    Sounds a little paranoid, but really, the way things are going, it’s not out of the realm of possibility.

  • Eschia

    I’m too lazy to keep logging in so I use Firefox’s feature to remember my details and autocomplete when I try to type in my login name. It speeds things up a little. Rather annoying having to even worry about it though, since on other forums I go to I can choose to have it never log me out. Nobody but me uses this computer and I’m well secured, so I don’t have much to worry about anyway.

  • Bhagpuss

    @Feldon No, I don’t do that. It would be very unusual for a comment to take me longer than 15 minutes to type, although it wouldn’t be unheard of, I guess. I do tend to save any lengthy diatribes into notepad as I go along in case of interruptions, though, just to be on the safe side.

    I never log into any forum, blog or website if I expect just to read or view it. I’d only ever log in if the forum/website requires it (which would usually lead to me not going there much) or when I have to do so to comment, which is not really that often. For example, I use the EQ2 forums every day, many times most days, and I wasn’t even aware of this issue until I read about it here.

    Is there any particular reason to log into a forum if you aren’t actually posting or commenting? Do you see some extra information? I didn’t really know that people logged in as a matter of course.

    • Feldon

      Is there any particular reason to log into a forum if you aren’t actually posting or commenting? Do you see some extra information? I didn’t really know that people logged in as a matter of course.

      I have to be logged in to see 3 extra forums, to report posts, to send PMs, and to easily see which posts I have and haven’t read.

      I really didn’t know there were people who DIDN’T just stay logged in at all times except on, say, a shared computer. 🙂

      Logging in once every 14 or 30 days is one of those features of web browsers (via cookies) I have been taking advantage of since Netscape 1.0. 😉

  • Brienae

    I don’t normally say much. There are boards though that I do post on and I like to take time to think about what I want to say. I found myself copying my post, logging back in and pasting. I’ve always logged in when I want to and logged out when I’m done, but being automatically logged out is a bit of a pain.

  • Dark Grue

    Web security has never and will never require invalidating cookies after 180 minutes.

    Have to concur with Feldon’s assessment. Except I’m actually an information assurance professional – I assess risks and issues like this every day. I also do a bit of software development on the side. The explanation for the change regarding the cookie timeouts that was provided is nonsensical.

    Sony’s BS hand-waving with regards to security is pathetic. The SOE Authenticators passed out at Fan Faire have likewise been a fiasco. When I mentioned at the Fan Faire panel that, while the tokens are great and all, it wouldn’t have done a whit of good to prevent the particular data breach that Sony had experienced company-wide – and what had they done to prevent it from happening again – they clammed up tight. I don’t think any of their team actually uses the Authenticators, as everything they’ve done of late only makes those tokens more and more obnoxious to use.

    The mobile app (which costs nothing to implement) is still MIA.

    I don’t think SOE has any experienced or qualified people working the issue, or they’re getting buried by their own management. From the consumer’s perspective, it really doesn’t matter which it is, it’s a disaster. Not only are they failing to deliver security, they’re also failing to deliver functionality. A forum that you have to log into over and over again is neither.

  • Karofin

    This isn’t really safe at all. I don’t see their reasoning behind it. There are only 2 cheap, en masse safe ways to manage logins.

    1 – The keygens (which they have now to allow folks to buy)
    2 – Password reapers (give me the 4th and 7th and 9th character of your password) which is then done by mouse clicks with keys disabled.

    Anything else, from a hacking point of view, really is much of a muchness if you know how it all works.

  • Evrett

    This has got to be cultural and work force-based behavior. If you are posting on a desktop computer you probably don’t turn off the computer that often. If you’re posting on a laptop or smartphone you probably don’t stay logged in for huge amounts of time.

    Viewing the very beginning of some “let’s play” videos on YouTube gives one a tour of the various different computer habits of gamers.
