Okay,
I was the one who began this thread - there on the WotC forums - and I want to write my own 2 cents here:
I am also one of the many developers here on these forums. And therefore I know that this kind of "bug" is patched in no time.
BUT:
A) I always thought that the actual DDI - with the pages of Dragon and Dungeon - is a showcase of the coming - subscription based - DDI. In this case I would show my future customers that I take security very seriously. So no "&authentic=true" bug should slip through.
B) I see the thinking of "the security in my applications is enough, I don't have to do more for it" more or less every day in the field out there. This is just not true. You cannot do enough about security.
Really, I fear that the DDI developers just think: "Oh, let them access it with "&authentic=true" now. We just patch it before going to production. Then all things will be okay. People will be happy." And then on the day when DDI really goes online - with all the subscription services - all hell breaks loose.
Do they really think that people will not give away their accounts to brothers, sisters and good friends?
Do they really think that no one will try to get for nothing the articles which others paid for?
Do they really think no one will try to access the accounts which will be at the back of the printed books?
To make it fair for the
authors - who are and will be making their money with the content in DDI - by not letting everyone access their texts, pictures etc.
and the customers - who will pay for the content and support the authors - by only letting them access the content,
you have to "test, validate, patch, test, validate ..." __today__ so that from the developers over the administrators to the customers, everyone will work on one line regarding the security after "day one" of DDI.
WotC has a special kind of customer: these people love to read and learn. It should be very easy to teach them how to help the devs and admins of DDI so that the security breaches will be minimized.
Believe me, most security breaches have their source in uneducated guesses.
"Ohh, the laptop full of WotC customer data is secured by cryptography. I can take it with me to my home by bus. It is secure."
You have to take the customers of such an app as DDI on board regarding the security of the system. Because if Joe-Anne just gives in to her 11-year-old brother Chris, who whined so long until he got the account data from her, and the next day he gave the account to his best friend Marc in school - just to show off in front of him that he has the account -
then you can do what you want, but accounts will be misused.
But because Joe-Anne is an RPG freak - loving reading and learning - you can teach her __now__ how to use the accounts.
BUT to do THIS you have to implement the security now so that from the devs to the admins to the customers everyone can train.
But in the end it is the choice of WotC and their devs and admins what they want to do about their apps.
Not my company, not my app(-suite) ... <trollmode>I am just waiting on slashdot for the message that data of 1.5M customers of WotC are stolen</trollmode>
If even the army is losing data, then how come WotC is so sure about their security?
regards
sunmaster
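The defect the post refers to, an "&authentic=true" query parameter that unlocks paid content, is an instance of a wider class: deciding authorization from a value the client controls. The following is an added example and not code from the post or from WotC's DDI; the article ids, session tokens and log lines are constructed, and the handler names are hypothetical. It places the weak check beside a hardened one that decides only from server-side session state, and adds a small log scan that flags requests carrying parameters the server should never honour for authorization.

```python
# Added example, not from the forum post or from WotC's DDI code base.
# Shows (1) a handler that treats a client-supplied flag as proof of
# entitlement, (2) the hardened form that consults server-side state only,
# and (3) a log check that flags requests carrying such reserved flags.
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (hypothetical article ids and session records).
PREMIUM_ARTICLES = {"dragon-364-01", "dungeon-155-03"}
FREE_ARTICLES = {"preview-01"}
SESSIONS = {
    "sess-abc123": {"account": "joe-anne", "subscribed": True},
    "sess-def456": {"account": "guest", "subscribed": False},
}
# Query parameter names that must never influence an authorization decision.
RESERVED_AUTH_PARAMS = {"authentic"}


def vulnerable_can_read(article_id, query_string):
    """Insecure: entitlement is derived from a client-controlled parameter."""
    params = parse_qs(query_string)
    if article_id in FREE_ARTICLES:
        return True
    # The defect: appending authentic=true is treated as a paid subscription.
    return params.get("authentic", ["false"])[0].lower() == "true"


def hardened_can_read(article_id, query_string, session_token):
    """Secure: entitlement comes only from the server-side session record.

    The query string is parsed (e.g. for paging) but never consulted for
    authorization, so client-side flags have no effect on the decision.
    """
    parse_qs(query_string)
    if article_id in FREE_ARTICLES:
        return True
    if article_id not in PREMIUM_ARTICLES:
        return False  # unknown article: deny by default
    session = SESSIONS.get(session_token)
    if session is None:
        return False
    return bool(session["subscribed"])


def find_client_auth_flags(log_lines):
    """Return request lines whose query string carries a reserved auth flag.

    Useful as a detection: after the server stops honouring such flags,
    their continued presence in access logs shows who is still probing.
    Expects lines of the form '<ip> "<METHOD> <path?query> HTTP/1.x" <status>'.
    """
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]          # METHOD path HTTP/1.x
            target = request.split(" ")[1]
        except IndexError:
            continue                              # malformed line, skip
        query = urlsplit(target).query
        if RESERVED_AUTH_PARAMS & set(parse_qs(query)):
            hits.append(line)
    return hits


# Constructed access-log lines for the detection check.
SAMPLE_LOG = [
    '203.0.113.5 "GET /article/dragon-364-01 HTTP/1.1" 403',
    '203.0.113.5 "GET /article/dragon-364-01?authentic=true HTTP/1.1" 403',
    '198.51.100.7 "GET /article/preview-01?page=2 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print("vulnerable, flag set:", vulnerable_can_read("dragon-364-01", "authentic=true"))
    print("hardened, flag set, unsubscribed:", hardened_can_read("dragon-364-01", "authentic=true", "sess-def456"))
    print("hardened, subscribed:", hardened_can_read("dragon-364-01", "", "sess-abc123"))
    for hit in find_client_auth_flags(SAMPLE_LOG):
        print("flagged:", hit)
```

The hardened handler also denies unknown article ids by default, so a gap in the catalogue cannot become an unintended free path; the only input that can grant premium access is a session record the server itself issued.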