muzzy wrote: Yes. There have been cases of people downloading music and getting caught, and trying to defend themselves by saying they already owned the CD. It didn't fly well.
Ownership is about a specific copy, not about a title. Only the copyright holder owns the actual work; you own a very specific copy of it, and the origin of this copy matters. You can't just replace it with another, even if the replacement is 100% identical, because the origin matters.
There's a good article about the issue of data origin, "What color are your bits?", which explores the issue.

Apparently you're wrong. Those people could not prove they owned the CD, or were guilty of "Format Shifting" through piracy. I repeatedly tried to include the caveat of having your receipt; saying you own a CD somewhere is not enough. I don't want to rehash the same stuff over again, but read my earlier posts rather than just skimming them for the details.
muzzy wrote: In my opinion, keyrings are the current best practice of password management.
While keyring software is a single point of failure, it's a point of failure that exists within my protected computer alone. The attack scenario against keyrings involves malware that grabs the keyring after it has been decrypted by me. In the future, I believe keyrings will be secure even against ring0 attacks against the host that is using them, because the keyring is decrypted inside another VM that isn't directly accessible from the operating environment.
And your alternative is to use the same password everywhere? That is a single point of failure that is exposed across all your services; if one gets hacked you lose everything.

Your opinion is not compatible with the accepted practices of layered security. My solution is NOT to use a single password for everything. (Again, read my whole posts instead of just skimming, because I don't want to repeat huge paragraphs of info if you can't be bothered to read them.) What I was telling you is that when you use a keyring, or even worse, a password storing program, you have already effectively reduced your entire list of passwords to a single password anyway. Some weird malware is not the risk to your password when you use a keyring; the risk is the same risk as for any password or computer: being rooted, a hacker gaining remote access, malware as you pointed out. And the keyring or password storing program also poses EXTRA points of failure versus using multiple passwords: your keyring can be stored in a memory dump during an error or crash, or your keyring program can have flaws that expose the entire contents of the keyring to hackers creating exploits for the most popular keyring programs. (This is exactly what happened to the Linux keyrings, which is why people have begun to rethink this technique in Linux distros.)
"The keyring uses weak encryption, yeah, weak. A simple password to unlock all your passwords? That's a joke in terms of security. But it's easy to use, so a lot of people like it."

Can't agree with this enough. What you're talking about, while very convenient, is a complete JOKE in terms of security. A keyring is the DEATH and NEGLIGENCE of security, not a secure password storage policy in any stretch of anyone's imagination. I respect your "opinion", but whether or not keyrings are congruent with layered security and other good security practices isn't a matter of opinion like the question "does this apple taste good"; it's a binary proposal that has either a true or false value. I assert it is FALSE that keyrings are a secure password policy in any way, shape or form.
muzzy wrote: You mean Heartbleed? You know, the keyring is local, and even if it was stored on the internet you would only have the encrypted copy of it. This attack scenario doesn't play out.

No, many keyring programs (most of them are browser extensions that I'm complaining about here specifically) use an account-based login to send you your password to any browser, anywhere you are in the world. I'm glad it sounds like you only use a Linux-style locally based keyring, but the reason I mentioned Heartbleed is because there are many people who use programs that send your password, even when encrypted, over the internet. Local keyrings and account-based password manager services both put your entire list of passwords behind the security of a single password. This is not security, "THIS IS MADNESS!".
muzzy wrote: Password leaking is the worst scenario you can think of? The recovery involves changing your password, and in the worst case you'd have to contact support. That's not so bad.

*Sigh* Yes, the unauthorized use of everything related to my Factorio account is the worst eventuality I can think of if my password for that account were to be compromised, along with my digital product "rights" being terminated. What kind of terrible things live in your imagination? Do you really think they are going to leave my account active while thousands of people around the world use my password to bypass the login system? They'll terminate my account, citing the violation of the terms of service.
This all doesn't change the fact that any video game that attempts to write its own password system is a bad idea. We have a lot of tried and true methods of login that have become "hardened" over years and years of use. Game developers cannot be reliably and safely tasked with developing a platform for logging in within a video game exe without subcontracting to a company who specializes in developing, updating, and keeping secure a platform for user authentication. For examples, look at all the games that do micro-transactions (World of Tanks), and the larger MMO games. Under the box where you log in is the name of the company that handles user security. This company works just like McAfee or Norton or other security networks in the way that they obtain, categorize, and defend against each and every exploit, or piece of software that causes the exploit or compromise of user passwords. An indie game developer just isn't going to track down copies of malware or trawl security and hacker forums constantly to figure out weaknesses in the login system; this is why the other company exists, they develop a platform specifically for this purpose.
I'm repeating myself a lot, or unnecessarily elaborating to the point of arthritis, and it's because you either are not reading my posts, or are ignoring parts of what I say so you can argue with an easier, softer argument than I have actually made. I'm sorry for the walls of text, but I'm reading yours, and if you responded to what I actually said, rather than a weak, watered-down depiction of what I had said, I wouldn't have to spend paragraphs giving you specifics. You'll probably just read the last paragraph's last sentence, so I must reserve this last part for what I have been tasked by god to do, promote better computer security practices:
For the love of god and the divine mandate for computer security, get rid of that keyring. I'm not going to sleep well knowing that people still think this insecure security fad is a good idea just because they tried it out in some Linux distros. Sudoing was a bad practice, but a keyring is like a concentration camp where security concepts get murdered by the trainload.