Editor at Techmeme

Fighting hundreds and hundreds of little enemies in Borderlands 2 feels like work. I found that grind so frustrating as a gunzerker that I quit at level 14 and uninstalled the game. 10 months later I tried again with the commando. When unimportant enemies attack I just drop the turret and move on to something more interesting (missions, dialogue, loot, new environments, boss fights). It’s sad that such a unique and funny game is only enjoyable when you skip large chunks of gameplay.

In Alan Wake, Remedy created a beautiful, believable, cohesive place and culture to tell a mystery thriller unlike any I’ve experienced. Bright Falls feels like a normal town in the Pacific Northwest and its citizens seem like people who would live there. That this world remains coherent in spite of paranormal events is absolutely incredible.

News of the Halo TV series reminded me of this phenomenal extended trailer for Halo Reach. I didn’t make the connection between Noble’s backstory and the characters in “Deliver Hope” when I first played Reach a year after release. That realization today made this short story even more beautiful.

Time to play Reach again.

According to Twitter those two-factor authentication exploits shouldn’t work

An article on F-Secure described two ways someone could exploit Twitter’s new login verification using SMS spoofing.

  1. You have two-factor authentication enabled. Someone with your Twitter password and phone number could turn off 2FA by spoofing a command to remove your number from Twitter’s SMS service.

  2. You don’t have two-factor authentication enabled. Someone with just your Twitter password could turn on 2FA for any phone number he can spoof, locking you out of your account.

Fortunately Twitter has addressed SMS spoofing before in response to a separate issue:

Most Twitter users interact over the SMS channel using a “shortcode.” In the US, for instance, this shortcode is 40404. Because of the way that shortcodes work, it is not possible to send an SMS message with a fake source addressed to them, which eliminates the possibility of an SMS spoofing attack to those numbers.

So neither exploit will work with spoofed text messages. Someone with your Twitter password and your phone could do exploit number 1, but a stolen phone is an issue with your physical security, not Twitter’s 2FA. Exploit number 2, however, could be a problem for any platform that uses SMS to verify logins. If an attacker who maliciously gains control of an account (Twitter, Google, Dropbox, whatever) is willing to use a real phone number (from a throwaway prepaid phone, for example), he could easily enable 2FA on that account to lock the owner out and slow the support process.

Still, two layers of security are better than one, and three are better than two.