Monthly Archives: May 2018

Spot the Racist

Loses job, series cancelled

*crickets*

If one is racism, how is the other one not?

Planet Commander – Review

As anyone who has spent more than twenty seconds perusing this blog can tell, I like space combat games. I have been a fan of the genre since I discovered Elite, way back in 1981. Since then I have played literally dozens of these games, including StarLancer, Freespace I and II, The Homeworld series, Freelancer, and of course my two current faves, Vega Conflict and Dreadnought.

Planet Commander is the latest in this long line. I’ve been playing this for a couple of months now. You start with one ship, and can unlock and buy more as you progress through the game. Like Dreadnought, this is an online multiplayer game: you participate in online battles up to 4v4. You can only fly one ship at a time. If the ship is killed, you can move on to another of your ships until you win, leave the game, or all of your ships are destroyed. You then get points (which improve your ranking and level) and cash (Coins and Crystals). The ships come in different shapes and sizes, ranging from Frigates through Destroyers, Interdictors, Cruisers, Battleships, all the way up to the Dreadnoughts.

The game is a lot of fun and is well-balanced; my one most glaring criticism is the pricing structure. Things start off well enough; an introductory pack costs about $3, and a follow-up pack which unlocks a ship costs another $8 or so. They are decent enough value, and most players can have a lot of fun for $11. The following pack, which unlocks the Kingsword Cruiser (I find myself wondering whether that is pronounced “King Sword” or “King’s Word”) is just under $17, which is a little expensive for me – but the ship alone costs $27 to unlock, so there you go.

Many of the ships automatically unlock when you reach a given level, but some ships – including the top ship in each tier – can only be unlocked with a liberal application of cold, hard cash.

  • Wyrm Frigate $10.49
  • Olympus Destroyer $12.49
  • Reaper Interdictor $16.99
  • Kingsword Cruiser $26.99
  • Soul Catcher Battleship $42.99
  • Nemesis Dreadnought $55.99
  • Tyrant Dreadnought $112.49

That adds up to $278.43, which is way too high for a phone/tablet game.

In my opinion, such a game should not cost a player more than $100 in total… in which case those ships are overpriced by a factor of three.

Who are you calling an “Imperial Star-Destroyer”?

Bottom line: a fun game, especially if you have a tablet (I have three!). Decent value if you buy the first two packs, and you will get months of play out of that modest outlay. But the subsequent ships are overpriced, and if you play it long enough I am pretty sure that you will come up against a pay-to-win barrier.

Why eBay does not care about security

The Past

I have been on eBay since 1997.

For the past ten years, I have been using two-factor authentication to protect my eBay, Paypal and other accounts.

It started with the Paypal Security Key, also affectionately known as the “Paypal Football” because of its shape.

Introduced in 2007, the football is a $5 hardware device that displays a quasi-random six-digit number when the button is pressed. The code changes every thirty seconds and makes it impossible to get into your Paypal account without the “Football”, which lived on my key-ring and went everywhere with me. When eBay bought Paypal, the football could be used to protect access to my eBay account as well.

Four years went by. The battery in the football ran down, and the device fell to pieces when I tried to replace it. Alarmingly, eBay no longer offered the “Football”, offering instead a credit-card device that fulfilled the same function at the somewhat higher price of $30. Getting the feeling that eBay was trying to turn a profit out of (in)security, I looked elsewhere… and found the Yubikey VIP.

I had been using a Yubikey in the past to protect, among other things, my Gmail account (the epic hack of the famous Wired journalist Mat Honan could have been thwarted, by his own admission, had he done the same). Now the good folks at Yubico were offering a Yubikey that also doubled as a Verisign VIP key (the technology that PayPal used in the football). I purchased one and have used it ever since. I am still using it to this day.

The Present

I got the following email from them yesterday.

Let me be clear: This is a really, really bad idea for a whole bunch of reasons. Let me enumerate a few:

  1. Texting is insecure. SMS is not encrypted, and SMS messages can be readily intercepted with the right equipment. Using SMS as a one-off mechanism to sign up for something is not too bad, but sending out a text every time you want to log in is a really bad idea.
  2. Not everybody has a texting plan. I am on Verizon’s ancient (not offered since 2012) un-capped, un-throttled, un-limited data plan. Verizon charges extra for text messages, so I have disabled text messaging.
  3. My phone is not always available. I may be able to take a call. I may be in a meeting. I may be in a basement or out of coverage. I may be overseas.
  4. I purposefully purchased serious security and now eBay are replacing it with something that is less secure.

In an age where websites are becoming more and more secure, this is a retrograde step. So why did eBay do this astoundingly bone-headed thing?

  1. Money. It is my understanding that eBay have to pay Verisign to use this system, while a text message/voice system would be far cheaper.
  2. Support: Security, it is said, is the enemy of convenience. The previous system had some potential shortcomings that allowed users to easily revert to less secure options (“secret questions”, etc) if they didn’t have their hardware token with them. A properly-designed secure system would make it impossible to turn off two-factor authentication without extended vetting… which means hiring Customer Service people to establish the identity of the customer. Given the choice between “good” security and “CHEAP” security, it is hardly surprising that eBay went with the “less-good-but-dirt-cheap” option.

So what *should* eBay be doing?

  • If it ain’t broke… offer the $5 footballs again, or admit that you don’t know or care about security.
  • Use a known and trusted out-of-band key-generation system: If you don’t want to pay Verisign, use the Google Authenticator system, which runs in software, and is already trusted with Google, WordPress, DropBox and others who apparently care about security more than you do.
  • Roll your own like Blizzard and others. The technology is tried and trusted. Just do it.

But what if… What if the user cannot, for one reason or another, use the second factor? In addition, it should be possible to allow users to print out a set of recovery codes to use when the second factor is unavailable. Talk to Google about this; they obviously know something you don’t.
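
The software approach recommended above (authenticator-app codes plus printable recovery codes) can be sketched as follows. This is an added example, not code from the original post or from eBay, Google or Yubico; it assumes RFC 6238 TOTP with HMAC-SHA1, which is what Google Authenticator implements, and the `SecondFactor` class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP, DIGITS = 30, 6   # 30-second, six-digit codes, as described in the post

def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm)."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical server-side record for one user's second factor."""

    def __init__(self, secret: bytes, n_recovery: int = 10):
        self.secret = secret
        self.last_counter = -1                    # newest time step already used
        # Plaintext codes are shown once for printing; only hashes are stored.
        self.printable = [secrets.token_hex(8) for _ in range(n_recovery)]
        self.recovery_hashes = {_digest(c) for c in self.printable}

    def verify_totp(self, code: str, now=None, window: int = 1) -> bool:
        current = int(time.time() if now is None else now) // STEP
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue                          # reject replay of a used step
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

    def verify_recovery(self, code: str) -> bool:
        digest = _digest(code.strip().lower())
        if digest in self.recovery_hashes:
            self.recovery_hashes.remove(digest)   # each code works once
            return True
        return False
```

The `window` parameter tolerates one step of clock drift in either direction, and tracking `last_counter` means a code observed in transit cannot be replayed within its validity period.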