Last night I received the following email.
Having not been to the Pokémon site in many months, since about the time Pokémon Go came out, I found this odd. I promptly emailed the recommended address with a call for help as advised.
I then realized that perhaps I had forgotten to secure my account properly. Or maybe I could reset the password again before the attackers could change any vital account details.
I went to Pokemon.com and found the reset password link, https://club.pokemon.com/us/pokemon-trainer-club/forgot-password, provided my email address (widely available from many sources) and was taken to this page. This page then sends you a link to what I would hope is a random and secure page to do the password reset. That page looks like this.
So I fill out all the information to the best of my ability and attempt to issue the reset. I can’t remember a Player ID; I look through my email to see if I got assigned one I don’t remember, and having not found one elsewhere I fill in the same as my username. I also apparently fat-fingered one of my two passwords. On submission of the form I get the following message.
I did eventually get my password reset. This does not make me feel safe. Why is that? Because what I’m able to change in no way negates what the attackers know to do the reset so they can simply reset my password again.
Let’s Talk About Password Security
First, let’s be clear. Someone is negating Pokémon Company’s security somehow. I don’t know how. Perhaps they have access to one of my other accounts, which let them bypass the randomized “reset your password” email link? Perhaps they’ve actually bypassed that on Pokémon Company’s side via some form of man in the middle. That’s not what I’m here to call out.
What I am here to call out is all the ways that Pokémon Company has failed to provide additional security that could secure an account even in the face of the aforementioned penetrations. Let’s start at the beginning of this story.
I received a notification that my password was changed AFTER the password had already been changed. This was received at 8:16PM CST. I received no prior link to authorize the reset before this communication. That does hint at perhaps a man in the middle intercepting the email on its way to my account, or perhaps no email was sent at all because Pokémon Company is compromised in some way. Either way it looks less like my Gmail account, which uses phone app based 2FA and has its password reset regularly, is the culprit. This is where the single point of failure seems to lie, because the rest of this password reset procedure is laughable. Had this not been such a joke for Pokémon Company, perhaps this account compromise may not have succeeded.
First, the date of birth is a super insecure piece of information as verification. Jump on YouTube and search “how to dox” and you’ll find a wealth of resources for easily obtaining this information.
Second, the username…the one on the public facing profile for every Pokémon game you play? Do I really need to spell out how worthless that is as security?
Finally, the Player ID, which I presume is some number assigned via one of the games and is probably at least semi-private. This was the last best hope for stopping the compromise and it’s not even required! (See the screenshot above.)
The TL;DR is that none of the steps following the email link do anything at all to keep the account secure. No “reminder questions”, no bot-preventing CAPTCHA, no option to change the username, and no proper 2FA. At the moment there is no way for me or anyone else to properly secure their account because of the initial compromise, however that happened.
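To make the point concrete, here is an added example (not code from the original post, and not The Pokémon Company’s actual implementation) of what a password-reset flow looks like when the emailed link is treated as the only thing that authorizes the change: the token is random, stored only as a hash, single-use and short-lived, the request endpoint answers identically whether or not the address exists, and the owner is notified after the change with a way to dispute it. Username and date of birth are deliberately not consulted, since the post’s own argument is that an attacker can look them up. The class, field and method names, the in-memory mail list standing in for an email gateway, and the injectable clock are all assumptions made for illustration.

```python
"""Minimal password-reset service: random, hashed, single-use, expiring token.

Added example for illustration; not the original post's code and not any
vendor's real implementation. Names, storage and the mail stand-in are
constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # a reset link should die quickly if unused


@dataclass
class User:
    username: str        # shown on public game profiles, so never a secret
    email: str
    date_of_birth: str   # easily found, so never a secret either
    password_hash: str
    pending_reset: Optional[dict] = None   # {"token_hash", "expires", "used"}


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Salted PBKDF2; returns 'salt$hexdigest' so the salt travels with the hash."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 200_000)
    return f"{salt}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


class ResetService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.users: Dict[str, User] = {}
        # Constructed stand-in for an outbound email gateway: (recipient, body).
        self.sent_mail: List[Tuple[str, str]] = []
        self.clock = clock

    def request_reset(self, email: str) -> None:
        """Step 1: only the registered mailbox receives a usable link.

        The caller sees the same result whether or not the address is
        registered, so this endpoint cannot be used to enumerate accounts.
        """
        user = self.users.get(email)
        if user is None:
            return
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        user.pending_reset = {
            # Only a hash is stored: a leaked user table yields no usable links.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        self.sent_mail.append((email, f"reset link token={token}"))

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 2: the emailed token is the ONLY thing that authorizes the change.

        Username, date of birth and player ID are not checked: an attacker who
        can look them up gains nothing, and a user who forgot them is not locked out.
        """
        user = self.users.get(email)
        if user is None or user.pending_reset is None:
            return False
        pending = user.pending_reset
        if pending["used"] or self.clock() > pending["expires"]:
            user.pending_reset = None               # expired or spent: discard it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False                            # wrong token; pending one still valid
        pending["used"] = True
        user.pending_reset = None                   # single use: a replay now fails
        user.password_hash = hash_password(new_password)
        # Tell the owner AFTER the change as well, with a path to dispute it.
        self.sent_mail.append(
            (email, "your password was changed; if this was not you, reply to dispute")
        )
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.users["ash@example.com"] = User("ash", "ash@example.com", "1990-01-01", hash_password("old-pass"))
    svc.request_reset("ash@example.com")
    link_token = svc.sent_mail[-1][1].split("token=")[1]
    print("reset with emailed token:", svc.complete_reset("ash@example.com", link_token, "new-pass"))
    print("replaying the same token:", svc.complete_reset("ash@example.com", link_token, "again"))
```

Two things this flow still does not give you are rate limiting on `request_reset` (so a mailbox cannot be flooded) and a second factor at the moment of the change; the post’s complaint about missing 2FA is exactly that second gap, and it sits on top of, not instead of, the token hygiene shown here.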
Pokémon Company you should be ashamed. The rest of us should be really, really concerned.
P.S. In doing some Googling for “Pokémon Shit” (I needed a cover graphic) I found this lovely piece about previous security issues surrounding Pokémon games. http://effortlessoffice.com/pokemon-go-security-risk/
There is no singular definition of real gaming. That being said, there are a few things that tend to differentiate what most think of as a PC or console experience from a mobile one. The three things that tend to differentiate are free-to-play, microtransactions and amount of content. While there is clearly a blurring of the lines these days, there is still a clear delineation between the two experiences that most people can see and point to. So with that defined, I’m on a quest to find the best experiences on Android that replicate that full game experience. Let’s get started with my first pick.
by Phosphor Games Studio
This game is an oldie but a goody. Released back in August 2012 for iOS and Android, it is inspired by the likes of Zelda, Infinity Blade and Fable. This was one of the earliest games to use the Unreal Engine when it was ported for mobile. Pay once, play forever, no microtransactions and a length that is longer than many PC and console games.
You play Horn, a young blacksmith’s apprentice who wakes up in a mysterious tower to learn that all other living beings have been turned into mechanical monstrosities.
Digital Spy and Appspy have already said the things I think about the game so I’ll let them speak.
Digital Spy wrote: “Horn is by far one of the most substantial games released for mobile devices yet, with a quest spanning several hours that is better suited to setting aside time to focus on your game than a quick session here or there. But for those looking for a mobile game that can live up to its console contemporaries, Horn is a must-have.”
Appspy said: “Horn brings a rich fantasy world to life, combining elements of classic and modern adventure titles to create something all its own; an incredibly engaging title and a definite must have.”
How Long 2 Beat puts the game at 12 hours of play time. That makes the game at $1.99 a steal.
I can’t recommend this game enough.
Large bowl with a lid. I use a big glass 4qt bowl that came with a lid.
Liquid measuring cup.
Dry measuring cups: 1 cup, .5 cup and 1 tbsp.
Spoon, spatula or bread whisk. Whatever bread dough won’t stick to.
1.5 Cups Lukewarm Water
1 Tbsp Yeast
.5 Tbsp Salt
3.25 Cups flour
If you are doing a 50/50 bread do half white, half of whatever other flour you like.
1.75 All Purpose unbleached white
Mix the lukewarm water (this is important: just warmer than you can actually tell) and the full measure of yeast.
Let stand for 2 minutes so the yeast can activate.
Add the rest of the dry ingredients.
Mix for approximately 2-3 minutes until the ingredients are just integrated with no lumps or dry material left.
There’s your 5 minutes the first day.
Cover the bowls or container but leave a bit of a crack in the cover.
Let rise at least 2 hours.
Putting it in the fridge is so fast it doesn’t count.
Refrigerate with the lid still slightly cracked open.
Refrigeration time can vary from 12hrs to 3 weeks.
The longer you refrigerate it the stronger the sourdough like taste will be.
When you’re ready to take it out and bake it:
Use butter or oil to coat the loaf pan.
Put some flour on your hands so the dough won’t stick.
Take the dough out of the bowl and pull the edges under it so it forms a smooth oval to fit in your rectangle loaf pan.
Put it in the pan!
Let the dough rise in the pan for at least 2 hours. If it looks like it’s rising well sometimes I’ll let it rise 3 hours.
Set a timer for the rise time minus 30 minutes; with a 2hr rise, for example, set it for 1.5hrs instead of 2.
The reason you’re cutting off half an hour is that you need to pre-heat your oven for 30 minutes.
When your timer goes off, put a broiler tray on the bottom rack of the oven and turn the oven to 400F.
Reset the timer for 30 minutes.
When the timer goes off that will signal the end of pre-heat and rise.
Fill a mug with the hottest water your tap will make.
Put the loaf pan in the oven.
Using an oven mitt, quickly but carefully pour the water into the broiler tray and quickly shut the oven.
Bake for 40 minutes. Your oven may vary.
It’s an interesting thing to note, but there’s a distinct bread cooking smell that you’ll notice. That smell starts to go away and then changes into a sort of overcooked smell. Once you bake the bread a few times you’ll start to notice and recognize the smell. You can adjust your bake time once you get a nose for this.
These instructions should allow you to install Blizzard Updater and Heroes of the Storm on Linux using Wine. From what I understand these instructions will allow some of the other Blizzard games to be run on Linux as well.
First, install Wine 1.7.
I stumbled across this video the other day and thought this was a neat idea.
In the face of the first gen plastic peeling and tearing issues, finding an alternative stick seemed like a great idea. Plus different colors would look cool. So I decided to go out and give this a shot myself. Below you’ll find instructions and photos to help you do this yourself, as this video leaves out a little bit of information.
Let me cut to the chase. VR is real and it’s amazing. If you’re one of those people who can’t see it, or who despite the fixes in place still get sick from it, I’m so sorry but you’re missing out. I honestly hope if you’re in that small subset of people that the geniuses who make these things figure out how to fix it for you.
I first had my eyes opened to VR way back at some age I can’t even specifically remember, with the Virtual Boy by Nintendo. It was SUPER basic and low power, but it was stereoscopic 3D when the only other option to do that was in the pages of Popular Mechanics or if you happened to have access to some MIT or Silicon Valley lab. This amazing technology disappeared (not entirely, but at least in popular culture) until recently, when it was announced that it was finally time and that a kid out in California figured out that modern technology is ready for that. The Oculus Rift was born and I got to try a pre-DK1 unit at Quakecon 4 years ago. Let me expound on that experience for a moment to give some better context.
Let me preface this by saying this system is by no means perfect. You may need more or less depending on what you’re doing. Things like saving all your broadcasts locally will incur more of a cost in storage.
The goal is to stream 720p at 30FPS at a minimum. The system can then be upgraded from there to provide whatever additional power is necessary.
I decided, as a proof of concept, that I wanted to see if I could make this work. My roommate throws a video game party called GamesAtSams every Saturday. I figured this would serve as a good test bed for such a system. We have one main TV with multiple consoles attached and then a PC LAN party. So let’s look at the tools at hand.