  #9  
15-05-2008, 11:44
AstralWanderer
Quote:
Originally Posted by TippeX
a skilled person would be able to figure out what was sent..
If the data is encrypted? Forget it! Even a skilled cryptanalyst could take 1-2 years to decipher strongly-encrypted content.
Quote:
Originally Posted by TippeX
when you buy something in the shop with a credit card, does that shop also not have your name, credit card number (and probably access to your address)?
No they do not. They'll have your name and credit card details only - which is why many ask for an address separately for marketing or product warranty mailings.
Quote:
Originally Posted by TippeX
if a game did record personal information and sent it when you registered / logged onto their server it would be pretty damned stupid.
Nonetheless it has happened. Blizzard did this with StarCraft 10 years ago (in this case, extracting user names and email addresses from the Windows Registry).
Quote:
Originally Posted by TippeX
the protection companies have better things to do
Really? And on what experience do you base this judgement? Do you work for one such company?

If having "better things to do" was their main criterion, most protection companies would be closing down. Their products don't actually benefit anyone (cost and inconvenience to developers, further inconvenience to users, little to no perceptible effect on piracy) but they play on the fears of publishers in order to make their living. In their eyes, the end customer is a resource to be exploited (and often demonised as someone who would pirate at the drop of a hat if not for protection system X) so if a little extra profit can be made by harvesting and marketing personal data, their main concern would likely be covering themselves with an open-ended EULA.

There is plenty of monitoring online already (financial sites like PayPal or American Express supplying visitor data to Omniture, retailers reporting purchases to ShopZilla, Nextag or Coremetrics, smaller sites using Google Analytics) so this is a well-established (and presumably profitable) business. It is only a small step for a company using a compulsory online activation system to contribute to (and benefit from) this.
Quote:
Originally Posted by TippeX
as for the data being encrypted 'in transit', it has to be plain text at one point in time for it to be stored and then encrypted, a skilled reverse engineer could find it by simply backtracing buffers when the data is actually sent out...
If cracking encryption was that simple, then nobody would rely on it. As long as a verified algorithm is implemented properly (and that certainly can be harder than it looks), it isn't going to give up its crown jewels when someone fires up SoftIce or anything similar. In the case of pre-existing data (which is what is under discussion) there would be no need to store cleartext separately anyway - just encrypt and send. You could use other software to monitor (and restrict) file and registry access, but this would only be feasible for the most technically expert users.