September 20 2011
Steam Zero
If you’re a bit of a gamer and have a bit of loose change, you’ll probably have the tendency to acquire Steam games during sales.
This will invariably lead to you having a pretty big Steam game portfolio over time. According to steamcalculator.com, my account is worth about 2000 USD right now. That’s at the games’ current prices, which is way more than what I put into them — after all, I bought most of them during sales.
On the other hand, I’ve also put quite a few hours of my time into Steam games, and even at minimum wage I’d probably get a couple thousand more. Hell, I’ve played Fallout: New Vegas for “only” 70 hours, and that’s actually not that much.
The thing is that you’ll invariably build up a backlog. Even with the mixed «blessing» of rather short single player portions of games these days, you’ll have a hell of a time catching up with each game that you bought, especially if you want to milk them for their money’s worth.
Which is pretty interesting, since in the end you could end up spending more money on the fun of having variety than on the professed goal of getting the most worth out of single games.
And what actually happens is that you’ll probably end up not playing some games at all.
There’s a multitude of reasons for it. For example, you might just not have the time to actually play a game. More commonly, though, you will probably not have time to pursue a game. You might play it for a bit, but then you’ll start inevitably filing it under “have to play this more during downtime”.
Except you’ll never use that downtime for that game, since there’s probably something else that actually tickles your current fancy. Often enough, there’s no real chance to get bored “enough” for you to go back to your gaming backlog except if you make a conscious effort.
So the backlog grows, and grows, and grows.
In my case, there are still some Humble Bundle games lying around, which isn’t that much of a loss since I mainly bought the bundle for the other games.
But then, there’s quite a lot more: The King’s Bounty series, probably about at least 100 hours of gaming. Cthulhu saves the world, a charming little adventure. The Penumbra and Amnesia games, supposedly very great. The very cute Braid. Darksiders. Anomaly: Warzone Earth. Atom Zombie Smasher. Frozen Synapse. Far Cry 2. Machinarium. Magicka. Indigo Prophecy. Osmos. Nation Red. Recettear. Saira. SpaceChem. Trine.
All very good games and I don’t feel bad for having bought them. (As opposed to Dead Rising 2. Blech.)
There’s just no way I’ll have the kind of casual downtime that allows me to click off with one of these for half an hour. I’d rather hit up Borderlands and finish up some DLC, for example.
Thus, in conclusion, I have to liken this to something internet nerds everywhere have a certain connection with. There are other things which you sometimes really need to get around to, but never seem to be able to finish.
Two dreaded words: “inbox zero”.
That time when you actually manage to have zero unread mails — or rather, zero mails that still need your attention, if you don’t use read state to indicate that.
Using that nomenclature, it seems I’ll never be able to one day post a status update containing the simple words “Steam zero”.
January 06 2011
Two-factor authentication: an often-overlooked fallacy
First off: I’m not saying that two-factor authentication (2-FA) is bad. It’s a rather good method. But people should be aware of what their authentication factors really are, and not presume properties that they do not have.
Let me explain.
We all know about the quality of the easy “something you know” factor: it’s a password/-phrase/-poem or similar, stuff that you can easily memorize and thus do not need to carry around outside of your head. Let me repeat: it’s a memorizable quantum of information. Thus, the only safe storage for this — logically — is your head, as this information can be extracted terribly easily by humans if it’s anywhere else. That means reading it off a post-it, finding the file containing the password — or even guessing it, because, let’s face it, many people use mnemonic passwords.
As the name of 2-FA implies, there’s also a second factor, often described by the phrases “something you have” or “something you are”. What these mnemonics insinuate is that there is nothing that you “know” about these factors, which — although in most cases mostly true — isn’t accurate.
When using common second factors like cryptographic tokens, keys, biometric data or similar, you shouldn’t forget that you’re still dealing with simple information. It’s just that this particular piece of information, usually, is not memorizable in the usual terms. A key’s bit (the notched part of the blade) can be easily mapped into information describing where the notches are, how deep they are, etc. A human’s DNA can be represented in a pretty long string. A key-ring authentication fob is usually little more than a secret “seed” plus an algorithm applied to it.
So it’s not that it’s impossible to gain access to the second factor without possessing it, it’s just way less trivial than a simple effort of memorization. Key fobs don’t allow you to view the seed, for example, but if you can eavesdrop on a synchronization, you’re in business — and don’t even need the fob. Depending on the complexity of a physical key, a simple photograph is enough to fake it. And these are all methods where you wouldn’t even know your secret information was leaked, if done right.
Thus, always remember: two-factor authentication isn’t inherently secure. You need to protect all the factors equally well, and do not trust a factor to be “safe”. After all, you are susceptible to rubber-hose cryptanalysis.
For a quick popular culture example of authentication factor secrecy, the movie “Inception” is an unexpected but welcome candidate. (Spoilers.) In it, each character that delves into dreams is urged to fashion a “totem” with specific properties that only they know, so that they can check they’re not in someone else’s dream. It’s vital for them not to let anyone else see their totem, as it would give them the power to fool the other into believing in an invalid authentication.
Here, the information is physical, but due to its special nature, also memorizable. You might argue this reduces it into a “what you know” category, but it is a physical factor that allows you to verify that the current reality is the same as the one you created your totem in. The mere fact that the relevant system isn’t a computer but the real world shows how feeble the idea of a physical token actually is.
July 27 2010
Value of two-factor authentication in MMOs
Cypherpunks everywhere know that using two-factor authentication, when done right, is inherently more secure.
Nothing can be said against the security of wisely-used one-factor authentication, but care must be taken to ensure the ongoing security of that factor. If you use a password, you need to choose a secure one — and if you don’t change it regularly, it logically gets weaker, too.
I know of at least one WoW player who is positively paranoid about exposing their passwords to someone, even though they don’t exhibit that behaviour elsewhere.
And then, of course, there are the people who complain about having their accounts hacked, even though they used a secure password like their birthday. Or abcde.
A mitigating factor against people being too stupid to use passwords securely, then, is needed. And that’s where two-factor authentication comes along.
Two-factor authentication, in essence, means that you need to prove your own identity by two different means. This isn’t like using two different passwords. The common examples for factors include “things the user knows” — like a password, PIN, etc., “things the user has”, like some form of physical security token, and “things the user is”, i.e. biometric verification methods.
Biometric verification is more “comfortable” to use, but does have two major drawbacks:
- it requires specialized equipment (in most cases)
- it is vulnerable to replay attacks
So, mainly for reasons of practicality, owning an authentication token is the best method of getting a second factor into the mix.
But why would a company like Blizzard, for example, cough up the effort to actually enable something like authenticators — not only via device, but by mobile phone, too — and then go ahead and reward players (in the form of an in-game pet, but nevertheless) for using an authenticator — merely to save people from their own stupidity?
Simple enough: to help battle against “economic” abuse, and to help protect their own interests by having to deal with less “hacked account” cases.
Even though the latter reason might just be enough to implement it, the former is actually the most important one. Gold farming is a serious problem for online gaming companies, and even underdeveloped economies like that of WoW can suffer greatly from such manipulation.
If you want to read a fictional example of a near-future vision on the importance and concepts of gold farming, you should read up on Cory Doctorow’s “For The Win”. Even though it’s a bit over the top compared to the current state of the game, it might very well be similar in the years to come.
Of course, while the battle.net authentication token Blizzard distributes does seem to have reliability problems, the mobile authenticator — a Java application — seems to work fairly well and, unlike the DIGIPASS Go 6 authenticators used by Blizzard, actually has a reverse-engineered spec available.
Even though the DIGIPASS algorithm was, to the author’s knowledge, not broken so far, the fact that the developing company does not disclose the DIGIPASS source code to non-customers, along with a rather cheeky attitude, should serve as sufficient indicators to avoid their products.
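As an added example (my own code, not from either of the two-factor posts and unrelated to Blizzard’s or VASCO’s actual token implementations), this Python shows the point both posts make: a counter-based fob in the style of RFC 4226 HOTP is nothing but a secret seed plus a public algorithm, so anyone holding the seed produces identical codes, while the counter is what lets the server reject a replayed code. The seed is the RFC’s own test vector; the server’s look-ahead window of 5 is an assumed setting.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of a counter-based token. It holds the same seed as the
    fob plus the last counter it accepted; a code is valid only for a counter
    strictly ahead of that, within a small look-ahead window (so a few button
    presses that never reached the server do not desynchronise it)."""

    def __init__(self, seed: bytes, window: int = 5):
        self.seed = seed
        self.window = window
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c  # every counter up to c is now burned
                return True
        return False  # unknown, stale, or replayed code


# Test seed from RFC 4226 Appendix D, so the codes can be checked against the
# published vectors (755224, 287082, 359152, ...). A real seed is the thing
# that has to be protected as carefully as a password.
RFC_SEED = b"12345678901234567890"


def demo() -> list:
    """Walk through the replay scenario and return the verifier's verdicts."""
    fob = [hotp(RFC_SEED, c) for c in range(10)]    # what the fob displays
    copy = [hotp(RFC_SEED, c) for c in range(10)]   # any other holder of the seed
    server = TokenVerifier(RFC_SEED)
    return [
        fob == copy,                # seed + algorithm fully determine the codes
        server.verify(fob[0]),      # fresh code: accepted
        server.verify(fob[0]),      # same code again: rejected (replay)
        server.verify(fob[3]),      # skipped two presses, still inside the window
        server.verify(fob[2]),      # older than the last accepted counter: rejected
        server.verify(fob[9]),      # beyond the look-ahead window: rejected
    ]


if __name__ == "__main__":
    print(demo())  # [True, True, False, True, False, False]
```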
March 19 2010
D&D rules lawyering: cover and stealth
I was recently reading up on the stealth and cover mechanics, and even though I was fairly certain about what is and what is not possible, I found out that one edge case isn’t particularly well-documented.
The rules, to be exact the Stealth rules correction from Player’s Handbook 2, state:
Becoming Hidden: You can make a Stealth check against an enemy only if you have superior cover or total concealment against the enemy or if you’re outside the enemy’s line of sight. Outside combat, the DM can allow you to make a Stealth check against a distracted enemy, even if you don’t have superior cover or total concealment and aren’t outside the enemy’s line of sight. The distracted enemy might be focused on something in a different direction, allowing you to sneak up.
So, what it says in particular is that “superior cover” works as a basis to get hidden behind. According to the Dungeon Master’s Guide on determining cover for ranged attacks:
Choose a Corner: The attacker chooses one corner of a square he occupies, and draws imaginary lines from that corner to every corner of any one square the defender occupies. If none of those lines are blocked by a solid object or an enemy creature, the attacker has a clear shot. The defender doesn’t have cover. (A line that runs parallel right along a wall isn’t blocked.)
Superior Cover: The defender has superior cover if no matter which corner in your space you choose and no matter which square of the target’s space you choose, three or four lines are blocked. If four lines are blocked from every corner, you can’t target the defender.
So, in theory, if you had a situation where you had superior cover from an enemy, e.g.

you’d be able to stealth yourself and gain combat advantage.
The only thing that really denies this possibility are, again, the Stealth updates from Player’s Handbook 2, this time the “Remaining Hidden” section [emphasis mine]:
Keep Out of Sight: If you no longer have any cover or concealment against an enemy, you don’t remain hidden from that enemy. You don’t need superior cover, total concealment, or to stay outside line of sight, but you do need some degree of cover or concealment to remain hidden. You can’t use another creature as cover to remain hidden.
Many thanks to @Milambus for looking up that passage. [And making me feel stupid for not having found it myself, by the way.]
And that’s the only problem: you could gain stealth by moving behind enemies, but immediately lose it again by being behind nothing but a creature.
In a sense, this is balanced, since your rogue strikers could then just continue to camp behind your own fighters and shoot sneak attacks at enemies from just behind their buddies (since they don’t block for the player), which would make combat encounters quick enough, but also a bit boring.
Then again, as my player rogue pointed out, when there’s two huge dragonborn warriors pounding away at an enemy, how are they not supposed to be able to hide behind them? They aren’t 5′ wide, surely, but certainly bigger than a half-elf in every other dimension.
I just think that with a further update (yuck), we might get a bit of clarification on how allies can grant cover, but cannot grant superior cover.
February 26 2010
A new reason for leaving Ubuntu
So, if you’re thinking to yourself, “Why, Ubuntu is in the process of making everything quite a bit more annoying and fucking things up”, yet still think “that might just be a misjudged opinion”, then fret no more: there’s now an easy way to know that Canonical has officially gone bonkers.
After installing an annoying App Market-like “Software center” by default, switching users over to an IM client that’s only remotely usable, trying to sell you a cloud-based storage solution and switching to Yahoo as the default search engine, you really have to wonder what the guys responsible are up to.
So.
In short, Canonical is on the verge of going Apple. Just jump ship while you still can.
February 01 2010
D&D item: Martyr’s Collar
Seeing how everyone else is currently creating interesting items, I thought that I should throw one of my ideas into the mix. And after a bit of tinkering with how it should work, I present:
Martyr’s Collar Level 5
Resting tight against the throat, the wearer is always reminded of the price of sacrifice.
Lv 5 1.000 gp
Being able to survive the decapitation does not save the user, as all of their life energy is used up to power the collar’s magic.
The allies do not need to be willing, conscious, or even alive. If, for whatever reason, the destination is not reachable, the collar will not activate. After the teleportation, the collar expands to its normal proportions and loses any attunement.
Nobody really knows how these devices ever came to be, but they seem to have been used by devout and loyal warriors throughout time to save comrades from certain death by using their own life to shield them. As the ultimate heroic sacrifice, most souls sacrificing their bodies this way ascend to the Astral Sea.
January 26 2010
Trusting self-signed certificates with Google Chrome on Linux
Update: added the “C” flag to the SSL trust attributes, which I had accidentally left out.
If you’re not really sure about how you can stop Chrome from permanently reminding you that the server you’re connecting to is a bad boy (read: using a self-signed certificate), you’ll probably end up looking at CACert’s Browser Client page by way of Google. With a bit of reading documentation, you can probably find out how to import a self-signed certificate and mark it as trusted, but since you’re probably lazy, you’d rather just copy and paste a few instructions.
First, I have to stress that blindly trusting a certificate you download off the internet is a Bad Idea. But, expressing a certain laissez-faire attitude: if you’re stupid enough to copy and paste blindly, you deserve it.
Second, simple copy and paste instructions:
openssl s_client -connect $HOST:443 -showcerts > temporary_file
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$HOST" -i temporary_file
Third, explanations:
- s_client just connects to the given hostname, 443 being, as you should know, the default HTTPS port.
- -showcerts shows all kinds of information about the certificate, including the certificate itself. You will probably have to hit ^C/^D to stop s_client.
- If you get multiple (and different) certificates, the first one will be the server certificate, and the second one the CA certificate.
- certutil (package hint: libnss3-tools) can be used to manage your local «Network Security Services» SQLite database.
- The specified arguments for certutil are:
  - The database to use (in this case, the user-specific NSS database).
  - The flag to add something to the database (-A).
  - The “trust types” for the certificate, in “SSL, S/MIME, CA” notation: “P” for a trusted peer, and “C” for a certificate authority that may issue server certificates.
  - A short name to identify the certificate in the database. The hostname works well and is fairly obvious.
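Since copying a certificate in blindly is the Bad Idea mentioned above, here is an added Python example (my own code, not from the post) that only hands the certificate to certutil once its SHA-256 fingerprint matches a value you obtained out of band (from the server’s admin or its console). It assumes libnss3-tools is installed and reuses the post’s trust flags; the helpers also accept the contents of the post’s temporary_file, picking the leaf out of the chain as the post describes.

```python
import base64
import hashlib
import os
import re
import ssl
import subprocess
import sys
import tempfile

NSSDB = "sql:" + os.path.expanduser("~/.pki/nssdb")  # Chrome's per-user NSS database
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def first_pem_cert(text: str) -> str:
    """Return the first PEM certificate in text. In `openssl s_client -showcerts`
    output the server (leaf) certificate comes first and the chain after it."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no PEM certificate found")
    return m.group(0) + "\n"


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes as PEM (used here to build constructed test input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def normalize_fp(fp: str) -> str:
    """Make 'ab:cd:..' (openssl style) and 'ABCD..' compare equal."""
    return fp.replace(":", "").upper()


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding: what `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()


def import_pinned_cert(host: str, expected_fp: str, s_client_output: str = None) -> bool:
    """Import the leaf certificate for host into NSS, but only if its fingerprint
    matches expected_fp. Pass the contents of the post's temporary_file as
    s_client_output to skip the network fetch."""
    if s_client_output is None:
        pem = ssl.get_server_certificate((host, 443))  # leaf only, no chain
    else:
        pem = first_pem_cert(s_client_output)
    actual = sha256_fingerprint(pem)
    if actual != normalize_fp(expected_fp):
        print(f"{host}: fingerprint {actual} does not match the pinned value, not importing",
              file=sys.stderr)
        return False
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(pem)
        path = f.name
    try:
        # Trust flags exactly as in the post (CP,,C), nickname = hostname.
        subprocess.run(["certutil", "-d", NSSDB, "-A", "-t", "CP,,C", "-n", host, "-i", path],
                       check=True)
    finally:
        os.unlink(path)
    return True


if __name__ == "__main__":
    # usage: python pin_import.py HOST SHA256_FINGERPRINT
    sys.exit(0 if import_pinned_cert(sys.argv[1], sys.argv[2]) else 1)
```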
January 08 2010
A records on top level domains
After I stumbled upon the wonderful URL shortener http://to/ today and immediately began posting it on IRC, I received a comment that someone didn’t even know it was possible to do so. I, of course, could only comment “of course it’s possible”. But in the same train of thought, I just had to have a look at who else has a valid A record on their top level domain. So I fetched the IANA TLD list and, after being baffled by the punycode TLDs, threw some sh at the problem:
(for domain in $(grep -v '^#' tlds-alpha-by-domain.txt); do host -t A "${domain}."; done) | grep -v 'has no A record'
For the sake of enjoyability, I thus offer the results in table form, along with what kind of site is running on port 80. Data timestamp is 2010-01-08T16:05:00+0100, location for routing is DTAG-DIAL26 / AS3320.
TLD  IP               Content (port 80)
AC   193.223.78.210   “Always connected” (NIC.AC)
AI   209.59.119.34    “Offshore Information Services”
BI   196.2.8.205      “It works!”
CM   195.24.205.60    cm [195.24.205.60] 80 (www) : Connection refused
DK   193.163.102.23   “DK Hostmaster” (NIC.DK)
GG   87.117.196.80    Channel Isles Domain Registration
HK   203.119.2.28     hk [203.119.2.28] 80 (www) : No route to host
IO   193.223.78.212   NIC.IO
JE   87.117.196.80    Channel Isles Domain Registration
PH   203.119.4.7      HTTP 500.100 via broken Microsoft IIS
PN   80.68.93.100     Apache default home page
PW   203.199.114.33   pw [203.199.114.33] 80 (www) : No route to host
SH   64.251.31.234    sh [64.251.31.234] 80 (www) : No route to host
TK   217.119.57.22    “TK your long URL”, free .tk domain name registry
TM   193.223.78.213   NIC.TM
TO   216.74.32.107    TO./ URL shortener
UZ   91.212.89.8      some WAP page I can’t decipher
WS   63.101.245.10    ws [63.101.245.10] 80 (www) : Connection timed out
So, in short, 5 of 18 (27%) are downright broken, one is incomprehensible, and a further 2 (11%) are not configured to do anything meaningful, leading to a total of 8 — or 44% — of TLD A records being useless. Bonus: none of the sites have AAAA records and, thus, no IPv6 availability.
November 13 2009
Discordian iCal calendar
Since I was playing around with Date modules a bit, I decided to conjure up some iCal files for the Discordian calendar, which chronicles the Year of Our Lady Discord, as described in the Principia Discordia.
With the goal of eliminating any kind of dependency on actions by me to generate the calendar files, I just pregenerated them for the whole 21st century.
The files are stored at /discordian/$year.ical, with $year ranging from 2001 (which was the real start of the century and the millennium) to 2100.
For the sake of easy access — and as an experiment to see what Google’ll make of it — I’ve compiled a handy table so you can just click for the file you want.
Feel free to include this on your Google calendar (will make for an interesting traffic study) or redistribute it with a kudos to me, linking to this page (http://ydal.de/discordian-ical/). Copyright shouldn’t be an issue since this compilation does not exceed the Schöpfungshöhe, but I’ll declare them to be CC-BY-DE 3.0 just in case.
(Link table: one full and one “short” .ical file for each year from 2001 through 2100.)

