May 21st 2010 10:48AM I've had problems using PowerAuras to track rage, energy, and runic power. Either the aura didn't trigger at all, or it triggered after a substantial lag. It's less critical for my mana-based classes because changes in mana are slower and more predictable over the course of an encounter.
Jan 13th 2010 12:43PM Of course, as I said in my post, I'm talking about a sin that mostly occurs in lower-level instances. In other words, not PoS.
Jan 12th 2010 9:26PM As someone who tanks low-level instances I think two rogue abilities need to be on the list:
Pick Pockets: It's all fun and games until you miss. Then we gotta take down the mobs that two-shotted you.
Sap: If I want CC, I'll mark CC.
Thankfully, somewhere between 50 and 80, rogues tend to stop doing this.
Jan 11th 2010 4:35PM @Joel
Or as was the case with successful attacks on bank authenticators last year, a simple man-in-the-middle trojan coupled with an automated bot that takes advantage of the brief window of opportunity.
Jan 11th 2010 4:25PM @jfofla
The ugly fact of the matter is that two-factor authentication using one-time passwords has already been broken for banking sites. It's a simple man-in-the-middle attack:
1: install keylogging malware on the system
2: forward username, password, and authenticator code to a bot
3: the bot automatically authenticates the hacker while,
4: the malware denies access
As Mr. Black Hat only needs to authenticate once to do significant damage, it's not THAT hard.
Jan 11th 2010 1:42PM Of course, we are not talking about DARPA mind-control projects. We are talking about active exploits that have been used against banking OTP systems in the last year. Authenticators have been broken using quick man-in-the-middle attacks. It's history.
Should people use authenticators? Almost certainly because one-factor authentication is definitely worse than two-factor authentication systems. Are people justified in believing that authenticators will magically protect their accounts from malicious software? No.
Jan 11th 2010 1:35PM "Sorry, but I don't buy this argument of authenticators not being insurmountable as an argument against them."
Well, let's make something clear. I'm not arguing against authenticators. I'm arguing against the magical thinking expressed here that authenticators will completely negate the threats posed by malware and social engineering exploits. Even if you have an authenticator on your account, you need to keep your computer clean.
Jan 11th 2010 1:06PM Sure it's not doubling. With man-in-the-middle exploits in the wild for two-factor authentication, it's not even that.
The basic problem still remains. If your operating system gets compromised with a virus or trojan that can intercept user input, the game is up. Blizzard can certainly mitigate this by locking out accounts with multiple logins from different IPs, but the malware could lock you out of access to Blizzard while exploiting your account. (Or worse, run as a bot such that the login comes from your IP.)
Which certainly raises the bar in terms of sophistication, it's well within the abilities of current malware designers.
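The server-side mitigation mentioned in the comment above (locking an account when logins arrive from different IPs), sketched as an added example that is not part of the original comments or any vendor's code. The session lifetime, function names and sample events are assumptions constructed for illustration, and the password and OTP are assumed to have been verified upstream.

```python
from dataclasses import dataclass, field

SESSION_TTL = 3600  # assumed session lifetime in seconds


@dataclass
class AccountState:
    used_codes: set = field(default_factory=set)   # OTPs already accepted
    sessions: dict = field(default_factory=dict)   # ip -> login timestamp
    locked: bool = False


def process_login(state, ts, ip, otp):
    """Handle one login whose password and OTP were already verified upstream."""
    if state.locked:
        return "locked"
    if otp in state.used_codes:
        return "replayed_otp"          # a one-time code is accepted once only
    state.used_codes.add(otp)
    # Forget sessions older than the TTL before comparing source addresses.
    state.sessions = {i: t for i, t in state.sessions.items() if ts - t < SESSION_TTL}
    if state.sessions and ip not in state.sessions:
        state.locked = True            # second source IP while a session is live
        state.sessions.clear()
        return "locked"
    state.sessions[ip] = ts
    return "ok"


def run(events):
    """Replay a list of (seconds, source IP, OTP) events against a fresh account."""
    state = AccountState()
    return [process_login(state, *e) for e in events]


# Constructed events: (seconds, source IP, OTP). Addresses are documentation ranges.
RELAY_THEN_OWNER = [(0, "203.0.113.7", "111111"), (40, "198.51.100.20", "222222")]
RELAY_ONLY = [(0, "203.0.113.7", "111111")]          # owner is blocked locally
SAME_CODE_TWICE = [(0, "198.51.100.20", "333333"), (5, "203.0.113.7", "333333")]

if __name__ == "__main__":
    for name, ev in [("relay then owner", RELAY_THEN_OWNER),
                     ("relay only", RELAY_ONLY),
                     ("same code twice", SAME_CODE_TWICE)]:
        print(name, run(ev))
```

The `RELAY_ONLY` case returns a plain `ok`: when the owner never reaches the server, this check has nothing to compare against, which is the limit the comment points out.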
Jan 11th 2010 12:22PM The question with making authenticators mandatory with Cataclysm is how this will affect direct download accounts.
Jan 11th 2010 11:50AM "The amount of effort it would take to "Crack" your authenticator that is in your physical custody would not be worth the benefit."
They wouldn't need to crack the authenticator. It would simply require a modification of the strategies currently used:
1: install a keylogger onto the target system
2: forward keypresses to a remote host
What the authenticator will add to the process is the need for:
3: an automated system that takes advantage of the limited window of opportunity.