Pirating as a 'demo'. Your opinions?

Post all other topics which do not belong to any other category.
Locked
therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

muzzy wrote:Yes. There have been cases of people downloading music and getting caught, and trying to defend themselves by saying they already owned the CD. It didn't fly well.

Ownership is about a specific copy, not about a title. Only the copyright holder owns the actual work, you own a very specific copy of it and the origin of this copy matters. You can't just replace it with another, even if the replacement is 100% identical, because the origin matters.

There's a good article about the issue of data origin, "What color are your bits?" which explores the issue.
Apparently your wrong. Those people could not prove they owned the CD, or were guilty of "Format Shifting" thru piracy. I repeatedly tryed to include the caveat of, having your receipt, saying you own a CD somewhere is not enough. I don't want to rehash the same stuff over again, but read my earlier posts rather than just skimming them for the details.
muzzy wrote:In my opinion, keyrings are the current best practice of password management.

While keyring software is a single point of failure, it's a point of failure that exist within my protected computer alone. The attack scenario against keyrings involves malware that grabs they keyring after it has been decrypted by me. In the future, I believe keyrings will be secure even against ring0 attacks against the host that is using them because the keyring is decrypted inside another VM that isn't directly accessible from the operating environment.

And your alternative is to use the same password everywhere? That is a single point of failure that is exposed across all your services, if one gets hacked you lose everything.
Your opinion is not compatible with the accepted practices of layered security. My solution is NOT to use a single password fro everything (Again, read my whole posts instead of just skimming, because I don't want to repeat huge paragraphs of info if you can't be bothered to read them) What I was telling you, is that when you use a keyring, or even worse, use a password storing program, you have already effectively reduced your entire list of passwords to a single password anyway. Some weird malware is not the risk to your password when you use a keyring, the risk is the same risk of any password or computer, being rooted, a hacker gaining remote access, malware as you pointed out. And the keyring or password storing program also poses EXTRA points of failure versus using multiple passwords, your keyring can be stored in a memory dump during an error or crash or your keyring program can have flaws that expose the entire contents of the keyring to hackers creating exploits to the most popular keyring programs. (this is exactly what happened to the linux keyrings, which is why people have begun to rethink this technique in linux distros.)

"The keyring uses weak encryption, yeah, weak. A simple password to unlock all your passwords? That's a joke in term of security. But it's easy to use, so a lot of people like it."

Can't agree with this enough, what your talking about, while very convienient is a complete JOKE in terms of security. A keyring is the DEATH and NEGLIGENCE of security, not a secure password storage policy in any stretch of anyone's imagination. I respect your "opinion" but wether or not keyrings are congruent with layered security and other good security practices isn't a matter of opinion like the question "does this apple taste good" it's a binary proposal that has either a true or false value. I assert it is FALSE that keyrings are a secure password policy in any way shape or from.
muzzy wrote:You mean heartbleed? You know, the keyring is local and even if it was stored on the internet you would only have the encrypted copy of it. This attack scenario doesn't play out.
No, many keyring programs (most of them are browser extensions that I'm complaining about here specifically) use an account based login to send you your password to any browser, anywhere you are in the world. I'm glad it sounds like you only use a linux-style locally based keyring, but the reason i mentioned heartbleed is because there are many people who use programs that sends your password, even when encrypted, over the internet. Local keyrings, and account based password manager services both put your entire list of passwords behind the security of a single password. This is not security "THIS IS MADNESS!".
muzzy wrote:Password leaking is the worst scenario you can think of? The recovery involves changing your password, and in the worst case you'd have to contact support. That's not so bad.
*Sigh* Yes, the unauthorized use of everything related to my factorio account is the worst eventuality I can think of if my password for that account were to be compromised, along with my digital product "rights" being terminated. What kind of terrible things live in your imagination? Do you really think they are going to leave my account active while thousands of people around the world use my password to bypass the login system? They'll terminate my account citing the violation of the terms of service.

This all doesn't change the fact that any video game that attempts to write it's own password system is a bad idea. We have alot of tryed and true methods of login, that have become "hardened" over years and years of use. Game developers cannot be reliably and safely tasked with developing a platform for logging in within a video game exe without subcontracting to a company who specializes in: developing, updating, and keeping secure a platform for user authentication. For examples, Look at all the games that do micro-transactions (World of Tanks), and the larger MMO games. Under the box where you log in, is the name of the company that handles user security. This company works just like McAfee or Norton or other security networks in the way that they obtain, categorize, and defend against each and every exploit, or piece or software that causes the exploit or compromise of user passwords. An indie game developer just isn't going to track down copies of malware or troll security and hacker forums constantly to figure out weaknesses in the login system, this is why the other company exists, they develop a platform specifically for this purpose.

I'm repeating myself alot, or unnecessarily elaborating to the point of arthritis and it's because you either are not reading my posts, or are ignoring parts of what I say so you can argue with an easier, softer argument than I have actually made. I'm sorry for the walls of text, but I'm reading yours, and if you responded to what I actually said, rather than a weak watered down depiction of what I had said, I wouldn't have to spend paragraphs giving you specifics. You'll probably just read the last paragraph's last scentance so I must reserve this last part for what I have been tasked by god to do, promote better computer security practices:
For the love of god and the divine mandate for computer security, get rid of that keyring. I'm not going to sleep well knowing that people still think this insecure security fad is a good idea just because they tryed it out in some linux distros. Sudoing was a bad practice, but a keyring is like a concentration camp where security concepts gets murdered by the trainload.

muzzy
Fast Inserter
Fast Inserter
Posts: 187
Joined: Sat Nov 23, 2013 7:17 am
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by muzzy »

Image

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

Image

User avatar
Khyron
Fast Inserter
Fast Inserter
Posts: 178
Joined: Fri May 30, 2014 5:47 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by Khyron »

Gammro wrote:It's really stupid that this bothers me the most:
Mail still uses the age old protocol we use since back in 1982(SMTP). Possibility for encryption has been added in, as have some protocols for actually getting the mail off your server(POP3 vs IMAP etc.), but the protocol to send and receive mail HAS NOT CHANGED. Those services still run with the same protocol, and it's still possible to run your own mail server. Nobody forces you to go to a centralized mail solution.
The fact that you say this makes you seem like you don't know your stuff, so don't even go there.
http://en.wikipedia.org/wiki/Mail_protocol
I can't tell you how much I appreciated having someone else chime in on that. :lol:

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

Khyron wrote:
Gammro wrote:It's really stupid that this bothers me the most:
Mail still uses the age old protocol we use since back in 1982(SMTP). Possibility for encryption has been added in, as have some protocols for actually getting the mail off your server(POP3 vs IMAP etc.), but the protocol to send and receive mail HAS NOT CHANGED. Those services still run with the same protocol, and it's still possible to run your own mail server. Nobody forces you to go to a centralized mail solution.
The fact that you say this makes you seem like you don't know your stuff, so don't even go there.
http://en.wikipedia.org/wiki/Mail_protocol
I can't tell you how much I appreciated having someone else chime in on that. :lol:
The approach of putting outlook on every office computer has mostly given way to centralized cloud mail services like gmail, yahoo, live.com etc. Rather than setting up a mail server, my customers get to use their own domain while still using live.com;s services for their email, I can manage all of their accounts or get the live team to do my job for me if I'm lazy, I can even rebrand how their mail application's interface looks to add their company's logo and things like that. Did I mention all of these things are 100% free for me. I think only old farts bother setting up their own mail services for their companies anymore. Who cares if the protocols behind this movement towards centralization are old? DNS is old too. I still like it, despite the very scary security flaws. Large mail services like gmail and live also have a trust list, this means: if I get an email from some random russian mail service, and that service tries to fake the sender to be "dave@gmail.com" or something like that, they warn me the sender is probably fraudulent because it didnt come thru the proper channels you would expect that mail to come from.

I guess rebuilding the mail services from the ground up to include features like this would be helpful, but can I ask you guys why you think that would be preferable to what we have now?

User avatar
Darthlawsuit
Fast Inserter
Fast Inserter
Posts: 247
Joined: Thu Feb 28, 2013 7:32 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by Darthlawsuit »

:shock: Email is a browser based service these days grandpa. Even outlook has become something called "live.com". If you want to use google mail for your business, it costs $15 a month last I checked. The companies I run IT for use live.com, because their service is free. I called the email login service DRM because unlike the old outlook application, a centralized company like google or microsoft can "turn off" your login if you stop paying or abuse their application. Email is email even when it is a application, I don't think it prudent to limit the word email to the ancient protocols from which it was birthed.
"Browser based" e-mail is merely a web interface for the basic mail. Behind the browser the mail program is running and it is using standard mail protocols, may use unique protocols internally but if it wants to send/receive anything it is still using the standard protocols. The browser is merely an interface the same as Outlook/Thunderbird/Zimbra is however it is less configurable than computer/phone based programs, unless you have mail server access like I do :P. You can use both a browser and a program to access your e-mail. You are quite behind the times, perhaps you should ask your grandpa to teach you how the internet works 8-)

$15 dollars a month? I can get e-mail + webhosting for $10 a month and setup an infinite number of e-mail addresses, that is a ripoff.

An e-mail login is DRM? Are you joking? You have no idea what you are talking about. An e-mail login is account authentication used to secure your account from random people accessing it not DRM. Well duh you are paying them to use their servers for your e-mail; if you had a car loan and stopped paying on it the bank would repossess your car, same idea. E-mail is still running on those "ancient protocols" and even if you use a browser it is merely using those protocols behind the scenes.
Large mail services like gmail and live also have a trust list, this means: if I get an email from some random russian mail service, and that service tries to fake the sender to be "dave@gmail.com" or something like that, they warn me the sender is probably fraudulent because it didnt come thru the proper channels you would expect that mail to come from.
Don't need a large mail service like that to do such a thing, ever heard of spamassassin? My e-mail programs even warn me of such a simple trick because it is obvious when looking at the header.


Since this is being discussed...
Check Password Strength here: https://passfault.appspot.com/password_ ... .html#menu

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

Darthlawsuit wrote: "Browser based" e-mail is merely a web interface for the basic mail. Behind the browser the mail program is running and it is using standard mail protocols, may use unique protocols internally but if it wants to send/receive anything it is still using the standard protocols. The browser is merely an interface the same as Outlook/Thunderbird/Zimbra is however it is less configurable than computer/phone based programs, unless you have mail server access like I do :P. You can use both a browser and a program to access your e-mail. You are quite behind the times, perhaps you should ask your grandpa to teach you how the internet works 8-)
I'm aware of how email works, thanks, my point is no one uses a program like outlook to send mail to their local company mail server using a mail protocol anymore, you send the data to an application thru thru your browser, and the server's of that company convert that to email rather than having Outlook/Thunderbird/Zimbra, which are more than just an interface, do the actual mailing or sending of mail to a mail server. (wtf is Zimbra? maybe I am behind the times)
Darthlawsuit wrote:$15 dollars a month? I can get e-mail + webhosting for $10 a month and setup an infinite number of e-mail addresses, that is a ripoff.
I agree, I want to use the domains I already own, manage an unlimited amount of accounts across different domains and subdomains, email aliasing so companies can fake like they have alot of departments they dont have that all dump into one guys mail account, and have all the help, service, support, uptime, and security of a giant company that deals with email, and I want it for free god dammit.

Thats why I'm on live.com, beofre that gmail, and I'll probably migrate again when Microsoft changes their "Freeness" policy.
Darthlawsuit wrote:An e-mail login is DRM? Are you joking? You have no idea what you are talking about. An e-mail login is account authentication used to secure your account from random people accessing it not DRM. Well duh you are paying them to use their servers for your e-mail; if you had a car loan and stopped paying on it the bank would repossess your car, same idea.
Yeah, I was joking. Asking me if logging into email is DRM was insulting sarcastic and kind of stupid, an obvious rhetorical question, so I was just being an ass. Sorry. Of course all authentication is not DRM, although I do think it's sort of like account based DRM (except for a service, not an owned product so its obviously different) in the way they use it to shut off your account. You all seem to think everytime I point out a thing happens I'm taking some stand against it. Of course I understand why they would shut off your account if you dont pay, I'm not here to fight that, it makes sense.
Darthlawsuit wrote:E-mail is still running on those "ancient protocols" and even if you use a browser it is merely using those protocols behind the scenes.
Ultimately, when the mail is transferred your right, but this is a TOTAL RETHINK of how mail used to work in the past. Outlook on every computer means that an email protocol (MAPS? or something like that? I wasn't born in the 80's so I don't study that ancient crap) is used on the local computer, by a local program, to actually exchange email with a server. Companies used to run a mail server, and let every computer on their network send and receive mail from that server. NOW, we just log into a centralized application, send or receive the text that is intended to end up within an email, and the application does the actual converting to e-mail. Gmail doesnt require me to have or understand some obscure mail protocol for mail to work, it encapsulates and mails things for me.

Darthlawsuit wrote:Don't need a large mail service like that to do such a thing, ever heard of spamassassin? My e-mail programs even warn me of such a simple trick because it is obvious when looking at the header.
Hmmm. Interesting, I was under the impression headers were the very thing being forged, and were unreliable without some kind of PCG Signing/Verification/Key thing (Email is not a big part of what I do, so all of these acronyms are probably off by several letters)

I like the big services because they bundle services similar to spamassasin in with all the other extras and dont charge me for it, plus I can call them if I run into issues. I agree its probably manlier and a show of mighty mighty IT skills to get each small businesses that I manage IT/IS stuff for their own mail servers and all that, but I really think they are better serviced by these large email companies, the other plus side being, I get to be paid to do almost nothing while their email works forever without a hitch.

User avatar
Darthlawsuit
Fast Inserter
Fast Inserter
Posts: 247
Joined: Thu Feb 28, 2013 7:32 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by Darthlawsuit »

I'm aware of how email works, thanks, my point is no one uses a program like outlook to send mail to their local company mail server using a mail protocol anymore, you send the data to an application thru thru your browser, and the server's of that company convert that to email rather than having Outlook/Thunderbird/Zimbra, which are more than just an interface, do the actual mailing or sending of mail to a mail server. (wtf is Zimbra? maybe I am behind the times)
A lot of the companies I have worked for use Lotus notes (outlook like program) then had a central mail server that all the lotus notes sync'ed with. Zimbra is similar to outlook except it doesn't crash much and has a very nice layout. Using it to IMAP my main e-mail address which has around 8 other e-mails redirecting e-mail to folders in my main e-mail address.
Ultimately, when the mail is transferred your right, but this is a TOTAL RETHINK of how mail used to work in the past. Outlook on every computer means that an email protocol (MAPS? or something like that? I wasn't born in the 80's so I don't study that ancient crap) is used on the local computer, by a local program, to actually exchange email with a server. Companies used to run a mail server, and let every computer on their network send and receive mail from that server. NOW, we just log into a centralized application, send or receive the text that is intended to end up within an email, and the application does the actual converting to e-mail. Gmail doesnt require me to have or understand some obscure mail protocol for mail to work, it encapsulates and mails things for me.
(IMAP and its hardly obscure) I can connect outlook to G-mail the same as I could to my mail server. IMAP allows me to access e-mails and file structure remotely (technically it clones it) just the same as a browser based e-mail system does. However when I am in control of the e-mail server I can access more advanced features while while Gmail only offers me control over certain things and access to others for a price. If you have it setup right you still have a centralized application managing your e-mails it is just controlled by you. I have specifically moved away from having my e-mails hosted by yahoo/google/microsoft/etc because they have full access to your e-mails and they do search them to improve their targeted ads, I view that as a security risk.
Hmmm. Interesting, I was under the impression headers were the very thing being forged, and were unreliable without some kind of PCG Signing/Verification/Key thing (Email is not a big part of what I do, so all of these acronyms are probably off by several letters)

I like the big services because they bundle services similar to spamassasin in with all the other extras and dont charge me for it, plus I can call them if I run into issues. I agree its probably manlier and a show of mighty mighty IT skills to get each small businesses that I manage IT/IS stuff for their own mail servers and all that, but I really think they are better serviced by these large email companies, the other plus side being, I get to be paid to do almost nothing while their email works forever without a hitch.
The headers are being forged, however forging your IP address to be the same as the range of IP addresses allowed to send an e-mail is much harder. Can even send a "key" with every e-mail that gets validated and makes it very difficult to modify the headers, if your missing the key then the lock doesn't open :P. E-mail servers double check the headers and validate them with info from the domain name.

Spamassassin comes with most hosting accounts and is of no extra cost. Haha, not having to do much work and getting paid for it is nice when it happens.

CobraA1
Inserter
Inserter
Posts: 27
Joined: Sun May 04, 2014 4:31 am
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by CobraA1 »

Uhhh - if the game has a demo, why pirate? I find it highly unusual - probably just to thumb nose at authorities is all I figure.

Technically speaking, it is violating copyright either way. Whether or not the authors of Factorio care may be a different matter.
I do acknowledge Blizzard and EA chose to implement an "always-online" DRM for Starcraft and SimCity (although I think that's no longer the case with SimCity?).
You are correct about SimCity - they finally implemented an offline mode.

I will have to check to see if Starcraft 2 has an always online requirement for single player. Unfortunately, it is not installed on my system right now. I do find it odd that I did not research that before buying the game :/ (I abhor always online requirements for single player games).
The approach of putting outlook on every office computer has mostly given way to centralized cloud mail services like gmail, yahoo, live.com etc.
You'd be surprised. Many businesses I've worked for still use Outlook. Moving to cloud services is popular, but not universal.

That being said - even when mail crosses between different cloud providers, it often does so as plain text. Unless both yourself and your recipient use end to end encryption, there is no guarantee that your email will be protected for the entire route.

muzzy
Fast Inserter
Fast Inserter
Posts: 187
Joined: Sat Nov 23, 2013 7:17 am
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by muzzy »

CobraA1 wrote:I will have to check to see if Starcraft 2 has an always online requirement for single player. Unfortunately, it is not installed on my system right now. I do find it odd that I did not research that before buying the game :/ (I abhor always online requirements for single player games).
I recall SC2 only enables the offline mode if you really don't have the internet connection available. But if you have connectivity, it refuses to let you play offline.

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

CobraA1 wrote:Uhhh - if the game has a demo, why pirate? I find it highly unusual - probably just to thumb nose at authorities is all I figure.
Because you can be mislead by a demo. You might want to see what a game is actually like in totality before you buy it. Maybe you want to know details about a game that are not represented in a demo before you buy. Trying out the actual real product, and then choosing to buy or not can never be misleading, its like trying on a coat before you buy it. My thought is, why try the crippleware-demo when there is a pirate version to try as a true demo of a game's capabilities and feature set?
CobraA1 wrote:Technically speaking, it is violating copyright either way. Whether or not the authors of Factorio care may be a different matter.
Well of course, we know it's illegal, we just dont believe the law = morality. Almost all pirates can admit that downloading a game, playing it excessively, and then never buying it is immoral and downright wrong. But back to the coat, I don't find it wrong to try a thing out before a buy it, I wish it was like xbox and I could go to my cousin's house and check out the game and play it at his house before I buy it, but with factorio, I can't.
“good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws”
― Plato
You are correct about SimCity - they finally implemented an offline mode.
The pirates beat them to it, so EA didn't want a large percentage of their legitimate customers switching over to the pirate version just to get the "extra features" of offline play. You can pretend EA finally fixed this problem and just wanted to make customers happy, but I believe the pirates FORCED their hands. Thanks again piracy, for doing what developers won't.
I will have to check to see if Starcraft 2 has an always online requirement for single player. Unfortunately, it is not installed on my system right now. I do find it odd that I did not research that before buying the game :/ (I abhor always online requirements for single player games).
Yeah it did have that requirement, then several pirated versions of SC 2 were released that allowed you to play single player without buying the game or going online. Again, the developer was forced by pirates to give up on DRM when their DRM was proven ineffective. I half admire these companies for giving up on punishing their legitimate customers with DRM when the DRM was broken, but I half hate them for punishing their customers in the first place with unnecessary restriction. Should pirates really have to meet consumers demands first just to twist a company's arm into meeting it's own customers demands? It's disrespectful to the people who payed you and love you the most.
You'd be surprised. Many businesses I've worked for still use Outlook. Moving to cloud services is popular, but not universal.
True, but seeing as how I'm the company's IT guy, if I end up in that situation, I switch them over. Sure, I set it up so the top brass so they can still use outlook if they want, but the peons all have to comply with my wishes in order to lower the companies cost of IT. Most companies like it that I can eliminate the service calls that center round emails and deliver email thru an internet interface, then you just have to keep the internet connections alive and you are almost guaranteed email, let the big companies worry about the email system's uptime.
That being said - even when mail crosses between different cloud providers, it often does so as plain text. Unless both yourself and your recipient use end to end encryption, there is no guarantee that your email will be protected for the entire route.
Wha Wha Wha? Isn't this completely unheard of since back in the days when we all pulled off those "session jacking" attacks and they switched almost every email service over to https? I think you might have your facts backwards on this one. I was under the impression using the ancient mail techniques was less secure, because it is your job to squash every vulnerability to your mail server, keep it up to date, harden it, etc etc, where as in the cloud, you can let the giant corporate gmail or live team have a huge team of experts lock the servers down with all their monies.

muzzy
Fast Inserter
Fast Inserter
Posts: 187
Joined: Sat Nov 23, 2013 7:17 am
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by muzzy »

therapist wrote:
That being said - even when mail crosses between different cloud providers, it often does so as plain text. Unless both yourself and your recipient use end to end encryption, there is no guarantee that your email will be protected for the entire route.
Wha Wha Wha? Isn't this completely unheard of since back in the days when we all pulled off those "session jacking" attacks and they switched almost every email service over to https? I think you might have your facts backwards on this one.
WTF? Who is this "we all" that you pretend to be part of and WTF does https have to do with this?

Stop trying to pretend you're something you're not, unless you mean to say you're a script kiddie.

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

fuzzy wrote:WTF? Who is this "we all" that you pretend to be part of and WTF does https have to do with this?
WOW there sparky, calm it down.

"We all" is the IT security enthusiast and IT/IS security professionals community. I assume if someone talks about encryption and plain text email, they are also a part of that "we".

Back when http was used rather than https for almost every email service there was, it was very easy it intercept mail, the way CobraA1 was talking about. Https implements SSL/TLS onto html, which means, as the guy I was responding to was questioning, that your traffic is encrypted and IS NOT transferred plain text. Https also fixes the attack that lets you "session jack" a person and steal their email in that way.

http://en.wikipedia.org/wiki/Session_hi ... Prevention

Look under the first part of preventing Session Jacking, it says:
wikipedia wrote:Encryption of the data traffic passed between the parties; in particular the session key, though ideally all traffic for the entire session by using SSL/TLS. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. In response, scientists from the Radboud University Nijmegen proposed in 2013 a way to prevent session hijacking by correlating the application session with the SSL/TLS credentials
(SSL/TLS is an encryption protocal, so https seemed relevant to what that guy was saying about emails being plain text, rather than encrypted)

The point is, if my local users are encrypting their gmail with https (This was not always standard practice for email, and made mail very insecure, now it is mandatory) then I don't have to worry about their mail being stolen or their inbox being taken over by cookie stealing (sounds delicious)

Edit: Article about WHY https is a good idea to encrypt email between client and server and how gmail made this practice mandatory:
http://www.slate.com/blogs/future_tense ... _make.html
fuzzy wrote:Stop trying to pretend you're something you're not, unless you mean to say you're a script kiddie.
I don't develop my own tools for doing security audits. Do you? No? Then we both use other people's "scripts" to do our jobs.

I think you need to understand that the people who want to protect you from hackers also have to pull off these exact attacks to understand them and defeat them. Am I a script kiddie when I use the program reaver to retrieve WPA/WPA2 passwords in order to convince companies that their data is not secure? It is an easy enough trick, I admit, only takes 6 hours but when you hand the head of a company his own passwords that he didn't give you, and you show him a log of all of his supposedly secure traffic, he pays you to fix the problem. These are the easy tricks that even laymen known about so I don't mind discussing them anywhere, I could get into doing security exploits on particular software suits if you needed some kind of proof of my skillset, but I don't do that kind of stuff publicly because it degrades IT security as a whole.

TLDR: You mad bro? Why?

muzzy
Fast Inserter
Fast Inserter
Posts: 187
Joined: Sat Nov 23, 2013 7:17 am
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by muzzy »

So you were talking about stealing webmail session cookies in response to a comment about end to end encryption in message transmission? OKAY, that makes sense!

Image
therapist wrote:I don't develop my own tools for doing security audits. Do you? No? Then we both use other people's "scripts" to do our jobs.
Oh, funny that you asked. Yes, I have developed my own security tools. I have personally reverse engineered security holes and developed attacks for them. I have written password crackers, network analysis tools, filesystem scanners, rootkits, live process patchers, DRM systems, disassemblers, static analysis tools, decompilers, all sorts of fancy things.

Glad you asked! But, what does this have to do with anything? Oh right, you were trying to make some sort of point... what was it again? I didn't quite hear it from behind the sound of your attempt at fallacy having an unexpected heart attack. Oh, yes, I'm sure you can find a name for my fallacy as well. I figured we could make this an arms race.

PS. Any "questions" posed in this message are rhetorical. You don't have to answer. Just please do yourself a favor and stop with the nonsense you don't know anything about.

CobraA1
Inserter
Inserter
Posts: 27
Joined: Sun May 04, 2014 4:31 am
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by CobraA1 »

Because you can be mislead by a demo. You might want to see what a game is actually like in totality before you buy it. Maybe you want to know details about a game that are not represented in a demo before you buy.
Well, I generally don't just look at the demo by itself; I'll often look at screenshots and preview the product on YouTube or gameplay trailers (if available). I'll also look to forums and reviews and other such things; the public is generally very quick at ratting out the company if it's being misleading. Here in the internet age, being misleading is unlikely to remain a secret. I refrained from buying SimCity until they added the offline mode - I didn't need to pirate the game to know they were misleading their customers.

Being that there are a variety of ways to see what the product it like, and customers will know rather quickly if a business is misleading them, I find the the argument for trying out a product via piracy to be a rather weak argument.
Well of course, we know it's illegal, we just dont believe the law = morality.
The thing about piracy is that it basically breaks a basic economic principle of the transaction - that goods and services are exchanged for money. It's an agreement between the buyer and the seller. If you pirate a game, you're basically intentionally breaking the agreement, which in turn breaks the transaction and ultimately breaks trust between the buyer and the seller.

While I understand that some people may buy the game anyways if they "like it" - I also understand that this is very likely a rare event. I don't think most people who pirate the game actually end up buying it. Most of the time, that transaction just ends up permanently broken.

I don't really consider piracy to be a high, almighty, and ultimately good thing. I've yet to see anybody really hold it up as a moral ideal that everybody should strive for. Most of the time, I just see people barely squeaking out a thin justification for it.
Wha Wha Wha? Isn't this completely unheard of since back in the days when we all pulled off those "session jacking" attacks and they switched almost every email service over to https?
I'm not talking about the front end, where you're accessing things via the browser.

Let's say you're on Hotmail, and your recipient is on Yahoo. Here's the chain:

You -https- Microsoft -SMTP- Yahoo -https- the recepient

Okay, the https links are secure - check.

Now - what about those SMTP links between the mail servers; what about them?

Ehhhh - it's still broken for many businesses.
where as in the cloud, you can let the giant corporate gmail or live team have a huge team of experts lock the servers down with all their monies.
Oh, that's the hypothesis.

Note I said "hypothesis" not "theory." A theory actually requires evidence.

No, when it comes to things between large businesses, there's gracious amounts of conservatism and politics. I'm sitting here watching the whole "net neutrality" thing totally blow up as Netflix and ISPs fight over the pipes their customers pay for. Big monies just means bigger fights and bigger mistakes. It doesn't mean less fighting or less mistakes.
Last edited by CobraA1 on Sat Jun 07, 2014 9:55 pm, edited 1 time in total.

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

muzzy wrote:So you were talking about stealing webmail session cookies in response to a comment about end to end encryption in message transmission? OKAY, that makes sense!
I just mentioned that his concern ended during the era when session jacking became a problem and then was fixed. Both problems were fixed at the same time.

What did you mean when you said "What does https have to do with anything?" doesn't it have to do with everything, session jacking AND the encrypting email?
muzzy wrote: Oh, funny that you asked. Yes, I have developed my own security tools. I have personally reverse engineered security holes and developed attacks for them. I have written password crackers, network analysis tools, filesystem scanners, rootkits, live process patchers, DRM systems, disassemblers, static analysis tools, decompilers, all sorts of fancy things.
Oh get over yourself, we all write these programs as a learning experience and for comprehension of how they work. I seriously doubt you're some kind of internet woodsman that only uses program that you write. My point is: You also use other people's scripts, if you went out to a security audit, and developed your own tools to audit their security, that would be kind of stupid, and it doesn't really prove their network is insecure either. The point of a security audit is to tell a company if there are established weaknesses to their security scheme. The point IS NOT to develop zero day attacks against their network.

CobraA1
Inserter
Inserter
Posts: 27
Joined: Sun May 04, 2014 4:31 am
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by CobraA1 »

therapist wrote: What did you mean when you said "What does https have to do with anything?" doesn't it have to do with everything, session jacking AND the encrypting email?
https is between you and Google. That's only one link in the chain.

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

CobraA1 wrote: Well, I generally don't just look at the demo by itself; I'll often look at screenshots and preview the product on YouTube or gameplay trailers (if available). I'll also look to forums and reviews and other such things; the public is generally very quick at ratting out the company if it's being misleading. Here in the internet age, being misleading is unlikely to remain a secret. I refrained from buying SimCity until they added the offline mode - I didn't need to pirate the game to know they were misleading their customers.
Maybe mislead is the wrong word, maybe you actually want to see the game for yourself before you buy it, like trying on a coat. I can show you pictures of a coat, show you forum discussion about a coat, coat-in-action trailers etc, but actually trying it on is still nice.
CobraA1 wrote:Being that there are a variety of ways to see what the product it like, and customers will know rather quickly if a business is misleading them, I find the the argument for trying out a product via piracy to be a rather weak argument.
Some people think gameplay trailers spoil things, screenshots are always CG, etc etc. I agree that there are other methods, but I can't believe you don't see any benefit in actually trying the real game first to see if you like it.

I'm a fan of being direct.
CobraA1 wrote:The thing about piracy is that it basically breaks a basic economic principle of the transaction - that goods and services are exchanged for money. It's an agreement between the buyer and the seller. If you pirate a game, you're basically intentionally breaking the agreement, which in turn breaks the transaction and ultimately breaks trust between the buyer and the seller.
I don't think we break that agreement if we end up buying it, and we don't break that agreement when we try a game at a friend's house, do we? Thats why we don't really care if we are breaking the agreement at all, our house, friends house whats the difference? As long as you discard the games you don't like, and purchase the games you like, agreements be damned, fair capitalism lives on.
CobraA1 wrote:While I understand that some people may buy the game anyways if they "like it" - I also understand that this is very likely a rare event. I don't think most people who pirate the game actually end up buying it. Most of the time, that transaction just ends up permanently broken.
I disagree, anyone with monies who pirates, usually ends up buying the games they like so they can support the developer. The only time you are actually right is about very poor people who can't afford games, and we don't really see a problem with people who were never going to pay anyway playing the game. It's when you have money, and you don't pay, that you are a giant prick son a beach piece of poo, and i think that this is a rare occurrence, especially in the indie scene.
CobraA1 wrote:I don't really consider piracy to be a high, almighty, and ultimately good thing. I've yet to see anybody really hold it up as a moral ideal that everybody should strive for. Most of the time, I just see people barely squeaking out a thin justification for it.


Same goes with capitalism.
CobraA1 wrote: I'm not talking about the front end, where you're accessing things via the browser.

Let's say you're on Hotmail, and your recipient is on Yahoo. Here's the chain:

You -https- Microsoft -SMTP- Yahoo -https- the recepient

Okay, the https links are secure - check.

Now - what about those SMTP links between the mail servers; what about them?

Ehhhh - it's still broken for many businesses.
Regular people don;'t have access to the backbone of the internet enough to read your emails as they pass between the major players in email. Only government and the like can do this, and you're naive if you really think that they will let you implement a system to hide the data they want without pressuring the companies to give them the "keys to the encryption" as it were, or embedding a backdoor into said encryption. I'm not FOR the NSA at all, I just think that you can't secure company email from the NSA in the way you describe.

I guess what I'm saying is, the NSA doesn't count. I'm not really implementing security from them, because they embedded a backdoor into all windows operating systems anyway, how can I defeat that without rewriting an MS OS? If I can;t switch the company over to an NSA backdoor free operating system, then I'm not going to try and hide email from them on the backbone between major email companies.
CobraA1 wrote: Oh, that's the hypothesis.

Note I said "hypothesis" not "theory." A theory actually requires evidence.

No, when it comes to things between large businesses, there's gracious amounts of conservatism and politics. I'm sitting here watching the whole "net neutrality" thing totally blow up as Netflix and ISPs fight over the pipes their customers pay for. Big monies just means bigger fights and bigger mistakes. It doesn't mean less fighting or less mistakes.
Well, I think your hypothesis that locally run email servers are more secure is equally baseless. If you really think your companies IT security team is better than google's or yahoo's or microsoft's, I think it is you who make wild assumptions, not me. They set the standard and patch vulnerabilities before it is even possible for you to become aware of them. The idea that your company's IT can compete with major companies who have been proven to receive information about vulnerabilities before the general public do, is rather hard for me to believe.

therapist
Fast Inserter
Fast Inserter
Posts: 177
Joined: Tue May 27, 2014 7:22 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by therapist »

CobraA1 wrote:
therapist wrote: What did you mean when you said "What does https have to do with anything?" doesn't it have to do with everything, session jacking AND the encrypting email?
https is between you and Google. That's only one link in the chain.
Correct, if that other person uses gmail, no problem, if they use yahoo or some other large firm, the email passes thru an internet backbone. Where are you anticipating a point of failure after google? And how do you purpose to stop it?

drs9999
Filter Inserter
Filter Inserter
Posts: 831
Joined: Wed Mar 06, 2013 11:16 pm
Contact:

Re: Pirating as a 'demo'. Your opinions?

Post by drs9999 »

therapist wrote:Maybe mislead is the wrong word, maybe you actually want to see the game for yourself before you buy it, like trying on a coat. I can show you pictures of a coat, show you forum discussion about a coat, coat-in-action trailers etc, but actually trying it on is still nice.
There is one problem in your argumentation. You do not have the right to try the coat before you buy it per se. It is a permission given by the seller. It is absolutly legit -as a seller- to say: Nope, you cannot try it before buying, so take it or leave it. And I cannot remember that I saw any kind of permission like this for games...

Locked

Return to “General discussion”