Facebook Apps – if you are like me than you have no idea how you got into even playing with these apps… I normally only use Facebook for keeping in touch with college friends. However, I see these as a new way to stagger through my work day.  Some of these apps are meant to just take your mind off of what you were currently doing and waste a little bit of time.  Others are so addictive that you just find yourself now checking your Facebook for updates with these apps and freak out because your co-worker or some friend you haven’t seen in 3 years just beat your Chain Rxn score by 32 million…and you need to sit in an imaginary bubble for just 10 minutes while you try and beat this gloriously high score…I’ve been there already.

1) Farm Town and Farmville (they are both basically the same): Pretty self explanatory, you plant seeds and trees and watch them grow. Then you harvest and sell them for money. The more you plant and harvest, the more experience you receive and then higher your level will be. You can also get animals and fences, buildings, the list goes on. You can also send plants and animals to your friends for their farms. The only down side I have yet to see is you either check your farm too late and have to delete the withered left overs or wait 3 days for your corn/wheat to grow, some plants take 4 hours and some take 3 days.

2) Chain Rxn: This is a super-massive addictive game, no lie. The object of the game is to click anywhere on the screen to start a chain reaction of balls as they bump into the other balls that have explodedfrom the initial ball. The longer the chain goes, the higher the score for each ball that bumps into another exploded ball. I have nothing bad to say about this except that it is the new crack, it’s that addictive.

3) Mafia Wars: I cannot really review this only because I have never played it, though I am going to review it now because it was the first app that made me cringe at using any other app. I used to have about 40+ new updates about my friends’ Mafia and always got invites to join the crew. I am sure that within the next few months, I will probably give up and join. I am a lemming…

4) Bejeweled Blitz: Come on, my generation and even those who may be a little bit older certainly remember the game Bejeweled. I would play that game like it was then end of the world, if I even turned my head away, the Earth would face certain horrifying death. Yeah, I know, I had issues. Either way, Bejeweled Blitz on Facebook is basically Bejeweled 2 with a 1 minute time frame, thats pretty much it. I adamantly tried to burst all of your bubbles there to save you the annoyance, because that is what happened to me.

Hopefully, this little tidbit of highly important information will either have you interested in playing with some of these Facebook apps (there are a TON more out there.)  If you do happen to get into most of the apps I mentioned…send me something for my farm…please…

Essentially, XP Mode runs an on-demand virtualization of a Windows XP install using Microsoft’s Virtual PC allowing programs that would normally require Windows XP to run on a Windows 7 Machine.  The name, however, is deceiving as XP Mode will let you run any version of Windows including Vista and 7.  Compared to a normal virtualization, XP mode is different in that the VM runs quietly in the background and the virtualized programs can interact seamlessly with those running on the native operating system.

Microsoft’s goal with XP Mode is to reduce bulk in Windows 7 by removing legacy code required for old programs to run.

For the full rundown on XP Mode, check out the following link:  http://community.winsupersite.com/blogs/paul/archive/2009/04/24/secret-no-more-revealing-virtual-windows-xp-for-windows-7.aspx

Recently, on an episode of Windows Weekly, Leo asked, “Why would someone want to run a version of Windows besides XP in XP Mode?” and I feel that “Security” would be a reasonable response.

There are currently products on the market that provide similar, in-line virtualization but with a security orientation.  One common example is SandboxIE, an application initially designed to isolate your web browser from the rest of your system that has been now expanded to be able to sandbox any program you would run.

It is effectively able to sandbox any program by creating copies of files that the program attempts to modify and giving the user the ability to scrap virtualizations once things seem to be going wrong.  It is a very effective tool when used in conjunction with web browsers and e-mail clients.

One thing that SandboxIE does NOT do, however, is protect information on your system from a privacy perspective.  It allows any application running within its sandbox full read access as it would normally have; the only restriction is when applications attempt to write data.

For more information on SandboxIE, visit the creator’s site: http://www.sandboxie.com

Now, with this framework laid before us, there aren’t many lines to draw for the bigger picture to come together.  Having a version of Windows 7 installed via XP Mode on your main install of Windows 7 would allow you to run your web browser, mail application or any other program in a virtualized enviroment, cutting them off from the rest of your system.

The security provided from running an application in a fully virtualized environment as opposed to SandboxIE’s methods is somewhat superior as (like we mentioned before) the programs running in the virtualization have no access whatsoever to your primary install.  And now, since these virtualized apps are appearing right in the main install of 7’s start menu, the inconvenience stigma that was always attached to virtualization in the past is moot.

Hopefully, as long as Microsoft delivers as promised, anyone who will be able to install XP Mode will also have a nice built-in security feature that they may not recognize right off the bat.  It would be great if Microsoft would recognize this as well and rename XP Mode to something that more accurately represent the capabilities of the feature.

The potential downside to this whole thought is that Microsoft may (as they have in the past) sacrifice security for ease of usability.  From the perspective of a user trying to run legacy XP code on a Windows 7 machine, the ability of applications running within the VM to read the native harddrive would be more convenient, but basically negate any security bonus.

Any gamer knows that the biggest fear in an MMO is having your account hacked and all of your gear, gold and potentially characters stolen or removed.  On a daily basis we hear stories from our fellow gamers about having their accounts hacked and gear sharded and sold off.  Blizzard has made a solid effort with their authenticators that definitely do add a great second factor of authentication, but there are other (free) games that are seemingly ahead of the game with their methods of authentication, and they don’t require you to carry around a big blue key chain (or pay an additional $7).

The threat of having your account hacked is spread across all MMORPGs and attacks can range from simple brute force to complicated social engineering and clickjacking setups.  In the past, there have not been many attempts by the game developers to implement methods of preventing account theft, and it’s only been in the recent generation of MMOs that GMs have become more willing to restore “stolen” gear.  I would attribute this to the improvement in their ability to log the trafficking of goods and golds from character to character and realm to realm making it harder to fake your account being hacked in hopes to get some free lewt.

The most well known example of a game developer providing additional account security is Blizzard’s World of Warcraft Authenticator (pictured above), and it does provide a solid, two-factor, method of authentication that will effectively thwart any attempt at access to your account without the device.  However, there has been a strong effort among developers of free MMOs to provide enhanced security without any additional cost.  Below, we will profile three games, WoW and two free MMOs, and their particular methods of account security.

World Of Warcraft (Blizzard Entertainment)

Security Method: Additional Hardware

Blizzard has a lot of weight on their shoulders when it comes to ensuring account security if for no other reason than the fact that they have a huge subscriber base and every time someone’s account is hacked, they need to devote resources to researching the attack and restoring anything lost. It is, therefore, Blizzard’s best interest to promote account security and keep gold and epics on the players who earned them.  The solution they have provided is an additional piece of hardware, a key fob which produces a pseudorandom yet sequential number when a button is pressed that is entered in addition to your password.

This security model is not particularly new, individuals in the security field may be familiar with RSA SecurID tokens, CryptoCards or YubiKeys which provide either an on-demand or cycling one-time-password (OTP) that can be used for additional authentication when entered either separately or appended to the end of your normal password.  PayPal has also recently begun producing their “football” which is the same type of device, but has some security issues of it’s own that we don’t need to get into here.

The benefit of a  separate hardware device that produces a OTP is that is truly provides you with two-factor authentication.  That is to say, logging in required both someting you KNOW (your password) and something you HAVE (the authenticator) and one will not work without the other.  Multi-factor authentication is extremely strong in this situation because it bypasses any type of keystroke monitoring, be it some keylogging software or hardware on the computer you are using or someone staring over your shoulder.  It’s no problem if they are able to log your password and write down your authenticator code.  The next time someone attempts to login to your account, WoW will simply request the next token code in the cycle and deny anyone without it.

The downside to Blizzard’s authenticator is twofold – the cost and the fact that it is something else you need to carry around.  The Blizzard Store (when it’s available) lists the authenticator for about $7, which seems a reasonable price to ensure the security and longevity of your virtual life, and it is unarguably the most secure method of what we will be discussing today, but the point still stands that there is an additional cost associated with it.  Also, if you happen to lose the token or if it breaks – which has been known to happen, you are pretty much without the ability to login at all, which could theoretically cause more downtime than actually getting hacked, with how efficient Blizzard generally is when restoring accounts.

Requiem (Gravity Interactive)

Security Method: Mouse-entered PIN

Here we have the character login screen for Gravity Interactive’s free MMORPG, Requiem.  Requiem chose to go a different route than Blizzard and added additional security to the logon process by requiring a separate PIN that needs to be entered when logging into a character.  As a free MMO, they would be hard pressed to convince customers to invest any amount of money in the game, particularly for account security.

Requiem’s PINs are character specific.  Each time you make a new character on the account, you are required to create a 4-digit PIN which then has to be entered whenever you attempt to login or delete the character.  An interesting side effect of this feature is that you could have multiple people playing on the same account without having to worry about one interfering with another’s character (not that you couldn’t just make a new account for a second player as the game is free).

What makes this PIN feature truly secure is the fact that it only accepts input from a mouse click, which eliminates key logging, and each time you click on a number they all shuffle.  This would prevent a potential hacker from mapping your mouse movements and clicks – each time you enter your 4-digit PIN, you are clicking different areas of the screen.  Additionally, with the software based logon, you don’t have to worry about losing anything and not being able to connect.  Regardless of where you need to access the game, your PIN will always be available (depending on your state of mind, of course) to authenticate you.

The weakness that is inherent to any static logon information is that someone could watch/video/otherwise observe you entering your password and PIN (though, they are both displayed as *’s on screen so they would have to observe your keystrokes and mouse clicks – a privacy screen would prevent this) and then be able to log into your account and characters.  However, even having one character’s PINs found out does not totally compromise the account; each character should have a unique PIN.

Runes of Magic (Runewaker Entertainment)

(RoM actually has decent graphics, this SS was taken on a laptop at lowest settings)

Security Method: On-Screen Keyboard

The final case we will be looking at is Runes of Magic.  While they provide what I would consider the least revolutionary of the three, their effort is not to be scoffed at as it still provides key-logger-proof password entry.   When logging into your account initially and you tab down into the password entry field, an onscreen keyboard appears and you are encouraged to use a mix of the keyboard and mouse clicks to enter your password.  Using only the mouse input as opposed to a combination of both if the better route, especially if your password is something that could be easy to figure out with a few blanked out characters “p__swo_d” wouldn’t be THAT hard for a potential hacker to decipher.

As with the numbers on Requiem’s keypad, RoM’s keyboard is not in a static location on the screen, again in efforts to prevent the mapping of mouse movements and clicks to spoof a login.  Each time you go into the password field, the keyboard will appear in a different location on the screen.  Additionally, RoM required you to create a second password whenever you create characters on a new server.  However, you will only ever be prompted for this password again when trying to delete a character (which, interestingly, has a 24-hour “undo” option which will immediately restore your character).

Summary

While it would be hard to argue against Blizzard’s authenticator being the most secure of the bunch, the fact that it requires an additional investment seems unnecessary.  While I’m not opposed to having to pay for the hardware, which is really about all they’re charging, they should not alienate those who don’t want to or for whatever reason can’t get an authenticator by leaving them susceptible to key logging or social engineering attacks.  Implementing a simple, free option similar to Requiems or even just the on screen keyboard would be much appreciated and would go even further to ensure the safety of everyone’s accounts.

[View with PicLens]

]]> http://www.muchgeek.com/blog/2009/04/why-blizzard-is-losing-the-race-for-account-security-and-what-free-alternatives-are-doing-to-win/feed/ 4 http://www.muchgeek.com/blog/2009/04/empire-state-building-going-green/ http://www.muchgeek.com/blog/2009/04/empire-state-building-going-green/#comments Tue, 07 Apr 2009 07:15:36 +0000 MG_Chris http://www.muchgeek.com/blog/?p=36

http://www.howardmodels.com

With support from Bill Clinton’s foundation, Mayor Bloomberg has announced a plan to massively cut the carbon dioxide emissions of one of the more recognized landmarks world-wide.  This project is one of the first steps in the Mayor’s plan to cut New York City’s total carbon footprint by 30% before the year 2030.

Clinton spoke on the subject, saying “We have to prove it’s good economics, and we have to prove we know how to do it” and by retrofitting something as well known as the Empire State Building, it sends a message around the world that “going green” is more than a just a hippy fantasy.

The upgrades to the sky scraper are scheduled to be completed by the end of 2010 and will, if everything goes as planned, will reduce the building’s carbon emissions by 105,000 metric tons – about the equivalent of the annual emission of 17,500 cars

[via Telegraph]