Fully Automated Trade Preview

Discussion in 'General Discussion' started by Poxbrothers, May 9, 2015.

  1. 15Deadmen

    15Deadmen The King of Potatoes

    Competition is always good for the market. I look forward to your new products.
     
  2. Pixyrus

    Pixyrus Forum Royalty

    Well, it's been fun PoxBox...
     
    JellyBerry and SPiEkY like this.
  3. chickenpox2

    chickenpox2 I need me some PIE!

    How quickly will you adjust the ratios when the new sharding rate comes in?
     
  4. MEATMAN

    MEATMAN Forum Royalty

    only at the start
     
  5. decondor

    decondor I need me some PIE!

    I, as PoxBox, have got to say I do have serious security concerns (I can do the same thing; frankly, I use the same method to move large amounts of runes between accounts within minutes, and have already built automated trading like shown here):

    Saying SSL does not prove safety like at all... and for sure does not cover 'terms of use'.

    Unless the browser is connecting with poxnora.com (which I seriously doubt, unless poxnora.com is allowing cross-domain scripting (if so for login, PoxNora should fire their IT security)) and thus not sending ANY information to the trader's site, there is absolutely no guarantee what is done with the username + password. Compared to the mass-shard program... you could check that it was not sending info anywhere with programs like Fiddler. Now you are willingly sending all credentials to someone, having no control over what happens next after you send it.

    SSL protects from man-in-the-middle attacks. Saying you cannot read SSL is nonsense: you receive data over SSL so others cannot read it, but you still can. How else could you log in for the user on the server side if you cannot read the credentials given?

    Not trying to be in the way of new sites, and I also declared the mass-shard program safe, but the reason why I never implemented this is simply because the party that gives credentials has absolutely no guarantee that nothing bad happens with the info. Even when bugs were found in the software, on PoxBox it was always my own account that took the hit, but it could just be the player's account now. Games like Eve Online go to great extent to give 3rd parties API keys to interfaces so that programs can access their info on behalf of the user without providing actual credentials, but only for viewing purposes.

    Coming to another point.... there is no PoxNora API; all we programmers do is interface with the website like any other user has to and try to automate it. PoxNora does not support in any way what automated traders do....

    Also, if in some way people obtain passwords of PoxNora users from your sites through stuff like server-side logging or server-side malware or HttpModules from the GAC, well... then you can bet you will have serious claims on you... you tamper with information that is not supposed to be yours, so any way of leaking it (even unintended) is gonna be a legal nightmare.
     
    darklord48 likes this.
  6. Jib

    Jib Better-Known Member

    Yeah I'm going through a 2nd empty account if I'm using that new store.

    I trust that my information is safe with them (the sharder was fine), it's everyone else I'm worried about.
     
  7. Poxbrothers

    Poxbrothers Devotee of the Blood Owl

    @newsbuff will get back to you on this. It's his field of expertise, he told me it was 100% secure and I have no reason not to believe him.

    "Will it be 100% secure for the user?" was one of the first questions I asked him when we were still just talking about this new tradestore.

    There is no need to make a new account; you can always use the manual option in case you prefer not to use your PoxNora credentials (in which case it will work the same way PoxBox works).


    Cheers,

    Josh753
     
  8. darklord48

    darklord48 Forum Royalty

    There is only one way for data to be 100% secure. That is to shut down the server and disconnect it from the network. The next best is to have an air-gap firewall, which means you need physical access to the server as it is not connected to the internet.

    That said, if you're not storing passwords, using TLS 1.2/1.3, and have properly hardened your internet-facing server, you're probably alright.
     
    Poxbrothers likes this.
  9. newsbuff

    newsbuff Forum Royalty

    Forgive any typos or weird punctuation, I am dictating this to my iPhone while driving to visit my mother in the hospital.

    decondor, I am glad you acknowledge the security of our SSL method for securely transmitting user credentials. As you know, SSL or HTTPS is the same method used by PoxNora.com itself.

    We do not store users' passwords on the server, neither in our database nor even in a session on the server. The password is received via https://, immediately transmitted to PoxNora.com, and then permanently discarded.

    Regarding your concerns over our use of users' credentials, you have no guarantee other than our perfect reputations. As everyone has already noted, my previous utility Mass Shard never misused user credentials. Josh's website Pox Bro's operated for years without once being accused of impropriety of any sort. Even so, we understand if you don't want to use the automatic trader feature; it is only there for your convenience. And so if you prefer, simply use the old manual method; we also support that method.

    Regardless of whether you choose to use the automatic trader or the manual trader on our new site, our customers can expect better prices and a better shopping experience on our site than on our competitor's.

    As a sidenote, Mass Shard and the automatic trader are not the first applications I have worked on that handled users' third-party credentials. One of my first projects was an iOS application that allowed you to log into your League of Legends account and chat with your friends who are logged in or playing the game.

    I remember when we first launched the app how there were vocal skeptics on forums saying they would never trust their League of Legends credentials to an iPhone app. This is despite our having submitted the source code to Apple for review before being allowed to sell it on the iTunes store. Since we launched several years ago, we have had tens of thousands of downloads, many happy users, and no misuse or loss of user credentials. The reason I tell this story is because I don't expect or intend to convince 100% of our customers to trust us with their user credentials. However, for the users who want to, the feature is there and our perfect reputations stand.
     
  10. decondor

    decondor I need me some PIE!

    Honestly, I do not think you and Josh are going to try to steal credentials, and like I said, I also checked your mass shard program. I believe you as programmer know what you are doing.

    Apple does do code reviews and approves, and carries part of the risk by doing so. A 3rd party checks your actions, while now (I also don't think you have bad intentions) there is absolutely no guarantee what you will do with the obtained passwords. It is something people should be aware of.
     
  11. IMAGIRL

    IMAGIRL Forum Royalty

    @Poxbrothers @newsbuff I knew this would come in handy someday.

    Note, I haven't read any of the new posts on this thread since I last made a post. Not sure if this is no longer relevant.
     
  12. Hiyashi

    Hiyashi I need me some PIE!

     
  13. DaisyDukeNukem

    DaisyDukeNukem I need me some PIE!

    The biggest issue isn't the intentions of the site owners. It is those who decide to go through the backdoor without their permission and get hold of your credentials. While not a likely issue, since PoxNora doesn't draw the crowds that would provide a valuable ROI for a hacker to do so, it is that situation where I would be concerned.

    I was looking for a bit at writing a tournament system, but this same issue with user credentials (needed so you can validate the decks used) really puts a crimp in it working properly.

    @Senshu, when can we get a token based user API for the website? As a bonus you could tie it into the forums so we can share info on our runes/decks here.
     
    OriginalG1 likes this.
  14. Poxbrothers

    Poxbrothers Devotee of the Blood Owl

    The thing is we're at least as hard to hack as PoxNora itself is. So if they would want to hack into the store to get someone's user credentials, they're better off trying to hack into PoxNora itself directly.
    We're using Azure server space from Microsoft (with all the security this provides).


    Cheers,

    Tibout
     
    Last edited: May 11, 2015
  15. DaisyDukeNukem

    DaisyDukeNukem I need me some PIE!

    Sorry, but part of my job is being aware of the darker side of the internet. Using Microsoft, cloud, and secure all in the same sentence is silly. Although, to be fair, it is the nature of cloud computing that is the security concern, not the company running it. However, it isn't my intent to start a pissing contest on the matter. If you are visible online, you are hackable. Thankfully in this case there is no valuable ROI to make it worth doing so.
     
  16. Senshu

    Senshu Administrator Octopi

    At the moment there aren't any plans for a token-based API. It is always a possibility in the future, but such systems can be equally frustrating to players who use multiple machines.
     
  17. DaisyDukeNukem

    DaisyDukeNukem I need me some PIE!

    Sorry, but not sure what you mean about multiple machines. The token API isn't for standard use; it is intended for a 3rd party to be provided access to a user's information, generally in a read-only format. The token just ensures that the player provided access without having to provide login credentials. For a fully multi-tier version you only have to look as far as what CCP did for Eve. For Pox it would be far simpler. Perhaps just runes and decks, as well as a more condensed stats page (rather than having to scrape the return from the current user's page on the site). This type of access should be fairly simple to implement since you only need to code a generator for the token, a few pages for accessing it, and finally the simplistic JSON API using the existing user structure. You could even add in a secondary token that the 3rd party must use in conjunction with the player's token to ensure that no one but those who are supposed to use it are using it. (A secondary layer of protection would be to add a referrer URL check on the 3rd-party token to ensure it is being used from their site; spoofable, sure, but as it would be read-only, nothing horrible.)

    If you want to allow automated trading you could add in another system for sending emails to validate with the player before a trade is created or accepted. Although that would obviously be more programming than just setting up a read-only API. Particularly since you would want to track all requests to make sure you have a history in case something nefarious happens.

    Again, the coolest part is the ability for players to post their decks directly here in the forums to ask for advice on how to improve them, since the API would be accessible by the forums as well. Hell, the API could be how you provide whether they are in game currently or not (not just if they are on the forums) without having to write a ton of code to do so.

    tl;dr
    This would not affect regular players' experience and would only be taken advantage of by those that care about using it. So multiple machines doesn't make sense in this instance.
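The read-only token API sketched in the post above, written out as an added example. This is not code from PoxNora, the forums, or any of the trading sites discussed; the player names, rune names, app name and site URL are constructed for the demo. It shows the pieces the post lists: a token generator for the player, a secondary token for the 3rd-party app, the spoofable referrer check, scopes that can only ever grant read access, revocation (the player cuts the 3rd party off without touching a password), and a request history for after-the-fact review.

```python
import hashlib
import json
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample data standing in for the game's own user store
# (hypothetical names; nothing here comes from the real site).
PLAYER_DATA = {
    "alice": {
        "runes": ["Stone Golem", "Fire Sprite", "Ironfist Paladin"],
        "decks": {"Rush": ["Fire Sprite", "Fire Sprite"]},
        "email": "alice@example.invalid",  # private: no scope can ever expose it
    },
}

READ_SCOPES = frozenset({"runes", "decks"})  # the only things a token can grant


def fingerprint(token: str) -> str:
    """Only the SHA-256 of a token is stored server-side, so a leaked
    token table is not a table of usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    subject: str              # player name, or 3rd-party app name
    scopes: frozenset         # subset of READ_SCOPES; empty for app tokens
    expires_at: float
    referrer_host: str = ""   # app tokens only: host the app should call from


class ReadOnlyTokenAPI:
    def __init__(self):
        self._player_tokens: dict[str, TokenRecord] = {}
        self._app_tokens: dict[str, TokenRecord] = {}
        self.audit_log: list[dict] = []  # every request, for later review

    # --- issuing ----------------------------------------------------------
    def register_app(self, app_name, site_url, ttl=365 * 86400):
        """Secondary token the 3rd-party site must present on every call."""
        token = secrets.token_urlsafe(32)
        self._app_tokens[fingerprint(token)] = TokenRecord(
            app_name, frozenset(), time.time() + ttl,
            urlparse(site_url).hostname or "")
        return token

    def issue_player_token(self, player, scopes, ttl=3600):
        """Player-generated token; requested scopes outside READ_SCOPES are dropped."""
        scopes = frozenset(scopes) & READ_SCOPES
        token = secrets.token_urlsafe(32)
        self._player_tokens[fingerprint(token)] = TokenRecord(
            player, scopes, time.time() + ttl)
        return token  # shown once to the player, who hands it to the 3rd-party site

    def revoke_player_token(self, token):
        """Player withdraws access without changing any password."""
        return self._player_tokens.pop(fingerprint(token), None) is not None

    # --- serving ----------------------------------------------------------
    def handle(self, app_token, player_token, resource, referrer=None, now=None):
        """Returns (HTTP status, JSON body). Every call is appended to audit_log."""
        now = time.time() if now is None else now
        app = self._app_tokens.get(fingerprint(app_token or ""))
        player = self._player_tokens.get(fingerprint(player_token or ""))
        status = 200

        if app is None or app.expires_at <= now:
            status, body = 401, {"error": "unknown or expired app token"}
        elif referrer is not None and urlparse(referrer).hostname != app.referrer_host:
            # Weak, spoofable layer, as the post notes; it only catches careless reuse.
            status, body = 403, {"error": "referrer does not match registered site"}
        elif player is None or player.expires_at <= now:
            status, body = 401, {"error": "unknown, revoked or expired player token"}
        elif resource not in player.scopes:
            status, body = 403, {"error": f"token not scoped for '{resource}'"}
        else:
            body = {resource: PLAYER_DATA[player.subject][resource]}

        self.audit_log.append({
            "ts": now,
            "app": app.subject if app else None,
            "player": player.subject if player else None,
            "resource": resource,
            "status": status,
        })
        return status, json.dumps(body)
```

The 3rd party only ever holds two opaque random strings, neither of which can log in to the game, and the server never sees the player's password in this flow at all; that is the difference from the credential-forwarding approach debated earlier in the thread.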
     
  18. kalasle

    kalasle Forum Royalty

    Not gonna use the automated trader but

    Ye. That was a good one.
     
    JellyBerry likes this.
  19. Senshu

    Senshu Administrator Octopi

    Ah, I thought you were referring to Token Authentication. We plan on doing more with the API, but the priority is still to get the actual game up to snuff, so it all depends on how things progress with the development of other features.

    Also, some of the information is locked behind an account being logged in so we will also have to consider the security aspect. We don't want to create any back doors.
     