ANSWERED:Poll-Hatcheries Require DC password authentication

[missy_]

I searched, and there was no topic for this suggestion that didn't also discuss other options.

 

ETA: New poll here: http://forums.dragcave.net/index.php?act=ST&f=2&t=150666

 

This continues the suggestion that

 

(1) All hatcheries require the Dragon Cave API username and password before one can add eggs/hatchlings.

 

Or

 

(2) All hatcheries implement third-party site password protection similar to Soti's.

 

Apparently #1 is possible.

 

Players wouldn't have to create a separate log-in for each hatchery. The authentication would be tied to a player's DC username/password.

 

Hatcheries would not store one's DC password. Much like EATW does now if one wants to trade there, one would enter one's DC username and password and log in to the DC API that way. Therefore, a player's DC credentials are not at risk, users do not have to sign up to any third-party hatcheries, and all a player has to do is "authorize" the DC API to use their info on a third-party site (a hatchery).

 

Twitter controls which apps can interact with it by having a user input their twitter password. If it is not input correctly, that app will not be authorized by twitter. So theoretically, it may be that TJ and the DC API might be able to require third-party fansites which issue calls to the DC API to require a DC password to authenticate. This could conceivably be done on the DC end of things.

 

But if that is not possible (on the DC end of things), then I support having all hatcheries implement password protection (on the hatchery end) similar to Soti's.

 

If we show enough support for this idea, perhaps it will get implemented.

Edited May 28, 2013 by missy_

[Princess_Pinkie]

but what if a friend/family member goes away for a few days and youwant to ensure their eggs/hatchlings grow? you arent supposed to share passwords with anyone and if you have to input a scroll name and password then thats kind of like logging in on another scroll.

 

i don't support, its unnecessary. just keep a watch on your stuff, fog when you aren't around.

[missy_]

Modifying the poll, then, to add another option: for hatcheries to implement their own passwords for each site.

 

 

Edited May 28, 2013 by missy_

[DarkEternity]

It would make phishing easier, however, because users would become used to putting in their details into websites to the extent it wouldn't be that difficult to create a fake DC website to harvest your passwords.

Edited May 28, 2013 by DarkEternity

[Nectaris]

Please no. I don't want to have to jump through hoops to add my eggs/hatchlings. Also, what about scrolls who do allow help, or if a friend asks you to add something to a fansite for you? This would block both.

 

I would honestly rather have a BSA to protect eggs for those who are worried rather than force those who aren't worried to change.

Edited May 28, 2013 by Nectaris

[missy_]

New poll which includes options for hatcheries to offer their own password protection, independent of the DC API.

 

It will not allow me to change the above poll. *flails* New poll here:

 

http://forums.dragcave.net/index.php?act=ST&f=2&t=150666

Edited May 28, 2013 by missy_

[Fiona]

I don't think this site can require hatcheries to use the login api. It's really up to each user to determine if they'll use hatcheries that don't require logins, or will use hatcheries that do require logins. It's up to the hatchery sites whether they'll offer the option to people that they must log in to add or remove dragons.

[KageSora]

Yeah, fansites are outside of DC control--there's absolutely no way TJ can force them to do that.

 

And what about viewbombers who don't use fansites, but put the eggs on really high-traffic forums?

 

Also for those who allow help--that would become utterly useless if you weren't able to post the eggs of a user who is allowing others to post them.

 

 

Now, if DC were to have an official hatchery or something that required a password, that would be different. But all fansites are just that--FANsites. They're all unofficial.

Edited May 28, 2013 by KageSora

[missy_]

But if that is not possible (on the DC end of things), then I support having all hatcheries implement password protection(on the hatchery end) similar to Soti's.

 

I don't think this site can require hatcheries to use the login api. It's really up to each user to determine if they'll use hatcheries that don't require logins, or will use hatcheries that do require logins. It's up to the hatchery sites whether they'll offer the option to people that they must log in to add or remove dragons.

 

Fiona, that may be the case about it being up to the hatcheries to implement, with DC having no control of it. Although Twitter controls its API, and does not allow sites to interact with users unless the user has authenticated, which is why it seems theoretically possible.

 

Even if it is not possible for TJ to implement it on DC's end, I am still in favor of hatcheries implementing a password log-in, whether it is DC authentication or their own site password. Soti's takes me an extra few seconds to log into, but the peace of mind is worth it.

 

Soti's uses a padlock. Meaning if you are a member, a malicious viewbomber cannot add your eggs/hatchlings to their site. I do believe that is a deterrent.

Edited May 28, 2013 by missy_

[KageSora]

Peace of mind for who?

 

People who want help from others won't have it--nobody will be able to add their stuff without hacking their account. People who want a friend to scroll-sit and add/remove their stuff from hatcheries when they're away will have no peace of mind because suddenly they have to let another person log into their accounts (be it the DC account or the on-site one).

 

I use the ones that don't require that kind of thing now because it's fast and easy. I would absolutely not have peace of mind if I were required to jump through hoops every time I wanted to add or remove eggs/hatchlings.

[missy_]

Peace of mind for who?

 

People who want help from others won't have it--nobody will be able to add their stuff without hacking their account.  People who want a friend to scroll-sit and add/remove their stuff from hatcheries when they're away will have no peace of mind because suddenly they have to let another person log into their accounts (be it the DC account or the on-site one).

 

I use the ones that don't require that kind of thing now because it's fast and easy.  I would absolutely not have peace of mind if I were required to jump through hoops every time I wanted to add or remove eggs/hatchlings.

 

Viewbombing has become a more widespread problem. If fansites were to use some form of passwords, whether it be a third-party password or a DC API password, fewer eggs/hatchlings could be made maliciously sick.

 

If I allow help from a scroll sitter, I am also opening the door for a viewbomber to "help."

 

If I have to choose both or neither, I prefer to take help from neither.

 

I prefer a more secure option rather than one that is "fast and easy."

[KageSora]

Okay, still don't agree with you but whatever.

 

So, again--how the hell are you gonna prevent a viewbomber from posting your eggs to a high-traffic forum?

 

All a viewbomber has to do is post the eggs to a non-fansite website that's very high-traffic, and BAM you're screwed. And, unlike with a fansite, you can't even remove the eggs even if you happen to find where they're posted.

[missy_]

Okay, still don't agree with you but whatever.

 

So, again--how the hell are you gonna prevent a viewbomber from posting your eggs to a high-traffic forum?

 

All a viewbomber has to do is post the eggs to a non-fansite website that's very high-traffic, and BAM you're screwed.  And, unlike with a fansite, you can't even remove the eggs even if you happen to find where they're posted.

The latest round of viewbombing has been focused on the hatcheries.

 

If we can contain the hatchery problem, that will be a big deterrent. It may not be a complete fix, but right now, it is way too easy for a viewbomber to target random people and quickly add them to a lot of fansites/hatcheries.

[Fiona]

Soti's uses a padlock. Meaning if you are a member, a malicious viewbomber cannot add your eggs/hatchlings to their site. I do believe that is a deterrent.

Yes, Soti's uses a padlock. It can be set or un-set as each users decides. However, nothing requires any hatchery to use this. It is up to the hatchery. And up to the user. I don't know if TJ can or is interested in making it mandatory for all sites to set things up to require the log in. I doubt if all users would be in favor of having to log in. And as KageSora says, those who want help or those who temporarily would like someone to keep an eye on things while they're gone would be out of luck if it were required.

 

 

I don't know how much of a deterrent Soti's padlock is. I'm using it, but there are so many other ways a determined bomber could use.

[KageSora]

The latest round of viewbombing has been focused on the hatcheries.

 

If we can contain the hatchery problem, that will be a big deterrent. It may not be a complete fix, but right now, it is way too easy for a viewbomber to target random people and quickly add them to a lot of fansites/hatcheries.

Who's to say that's not only because it's easiest? If I was determined to viewbomb somebody, then I wouldn't be deterred by a fansite thing. I'd just go elsewhere. It's not like it's all that hard to make a fake e-mail, sign up for a high-traffic forum, add them to your sig, and then post BS. It's really not.

[Vhale]

I think I'd like to see more people encouraged to try Soti's padlock trick to see if it takes off. I'd like a mass fog and unfog option or a hide growing things. And eggs/hatchlings in trade protected from views. But I feel a bit like this suggestion might be cart ahead of horse, though I appreciate you taking the initiative to act. But talking to the hatchery owners and getting their feedback first might be valuable.

[girlgamerjen]

Whether or not this is a good idea.... (Ive never - knock on wood here - been viewbombed... but thats also what hiding your scroll and fogging is for) I dont see it able to be implimented. I mean, anyone can make a click site, I've made one for facebook games before. It isnt like these clicksites are made BY DC.

[HeatherMarie]

I honestly don't even know how this would be *possible*, and I'm sorry because I may not be as tech-savvy as some of you, but I really doubt it IS possible.

 

TJ is NOT in control of hatcheries and fansites. Period. He can't force *any* of them to use certain type of protections, log-ins, etc. He can't do *anything* about what those hatcheries/fansites/forums do or don't do.

 

I guess, hypothetically, TJ could internally just BAN everything, and have a "whitelist" for "acceptable hatcheries" that DO use type of protections.... But that's honestly at the expense of TONS and TONS of users who PREFER to use other hatcheries. And I don't think it's fair AT ALL to say "hey, you can only use (list of four hatcheries) because these are the only ones pre-approved", if you know for a fact that you've *used* those ones in the past and it hasn't given you the stats you need.

 

...... See how complicated this is? There are MUCH simpler ways to deal with "viewbombing", including constantly hiding your eggs/dragons until they are less vulnerable, or any of the White BSAs proposed to cure/prevent sickness.

[KageSora]

Also to think about is that I'd infinity prefer to be viewbombed from a fansite than from some unknown high-traffic forum.

 

With a fansite, I can generally remove them myself and hide them to ensure that they don't get re-added.

 

But if they're in a post or a signature on a high-traffic forum, they're not going to be removed after 12-24 hours of being fogged. The minute they're unfogged they'll start getting views again.

 

And I won't know where to even begin looking to find where they're posted.

 

On top of that if I DO find them, what can I do about it? It's not like I can edit the posts or sigs of other users. And it's not like I can be sure that if I contact somebody who is in charge that they'll even care that my pixel dragons are being killed by a member of their forum posting them without my consent.

[missy_]

1. I honestly don't even know how this would be *possible*, and I'm sorry because I may not be as tech-savvy as some of you, but I really doubt it IS possible.

 

2. TJ is NOT in control of hatcheries and fansites. Period. He can't force *any* of them to use certain type of protections, log-ins, etc. He can't do *anything* about what those hatcheries/fansites/forums do or don't do.

 

3. I guess, hypothetically, TJ could internally just BAN everything, and have a "whitelist" for "acceptable hatcheries" that DO use type of protections.... But that's honestly at the expense of TONS and TONS of users who PREFER to use other hatcheries. And I don't think it's fair AT ALL to say "hey, you can only use (list of four hatcheries) because these are the only ones pre-approved", if you know for a fact that you've *used* those ones in the past and it hasn't given you the stats you need.

 

4. ...... See how complicated this is? There are MUCH simpler ways to deal with "viewbombing", including constantly hiding your eggs/dragons until they are less vulnerable, or any of the White BSAs proposed to cure/prevent sickness.

1. It is possible. As determined in another thread.

 

2. Don't throw out the whole idea just because "TJ is not in control of fansites." (A) fansites could still use the DC API to authenticate or B. they could implement their own password protection.

 

3. We are not suggesting that here.

 

4. There is nothing simple about hiding one's scroll, fogging and unfogging, etc. Hiding, fogging, unfogging, is time-consuming.

Edited May 28, 2013 by missy_

[Taintedtamer]

I like this idea. I always feel awful for the people who post saying they've been view-bombed and lost gorgeous eggs and hatchlings. Though despite me liking the idea, I don't have the slightest idea how to get it rolling? Maybe talking to some of the hatchery owners to get their opinion? Talk to Soti to get an idea of how their password system works and ask other hatcheries if they've considered it or why they're against it?

 

I think this idea needs more information before it can really be discussed properly.

[shikaru]

I understand viewbombing is a problem, and it's a horrible thing, but I don't like this idea. As a few others have said as well, I don't use fansites that require a log in because they're much quicker to use and don't require me to register another account. I also don't like the idea of having to log into my DC account on them, it's not really something I enjoy doing and it feels cumbersome...

 

It just doesn't make sense to punish the userbase as a whole for something that a few users are doing/experiencing. Besides, I don't think TJ could enforce this well enough (eggs gaining views is different than connecting to your twitter account), and even if this did become required of fansites viewbombers would just find another way.

[DarkEternity]

 

4. There is nothing simple about hiding one's scroll, fogging and unfogging, etc. Hiding, fogging, unfogging, is time-consuming.

But that is a more secure solution then one that is fast and easy. As far as I can see, this suggestion is neither fast nor easy nor is it secure.

Edited May 28, 2013 by DarkEternity

[ZzelaBusya]

No, as much as I hate view-bombing, I have to say I don't like this suggestion at all.

 

There are many ways to view-bomb. No one can actually control anyone in this case, and even if some (or all, which I think is impossible) hatcheries suddenly switch to that option, who will keep view-bombers from posting dragons on some forum or whatever?

 

I think one of the following would be a better solution:

1) Allowing people to use an alternative fog option, that would make an egg/hatchling and its lineage still viewable, but would make it stop gaining views.

2) Allowing people to set a maximum amount of views/clicks/etc. each of their growing dragons would be able to get in a preferred time frame (including 0, if a person wants the egg/hatchling to have NO views, for example if it's for a trade and the user doesn't want it to grow up too soon or be view-bombed). <- this idea, I believe, has been expressed by casprrr, with zero being my addition.

 

Dragon Cave can't control what's going on off-site...

Something has to be done on-site. This is the only way to make sure there are no loopholes.

Edited May 28, 2013 by ZzelaBusya

[missy_]

But that is a more secure solution then one that is fast and easy. As far as I can see, this suggestion is neither fast nor easy nor is it secure.

There are ways to make websites secure, whether an API authorization is used or whether another method of password protection is used.