Posted June 01, 2016
Post edited June 01, 2016 by HijacK
HijacK
Ambition
Registered: Apr 2012
From Romania
_ChaosFox_
Zero fox given.
Registered: Nov 2008
From Germany
Posted June 01, 2016
You got your answer from GOG. They use Cloudfront as part of their performance monitoring tools. What you're essentially asking them to do is modify their entire log in structure just to satisfy your paranoia. You shouldn't be remotely surprised that they haven't contacted you again, but you seem to believe that you obsession with this makes you the centre of the universe when GOG's support is being flooded with actual complaints about payment, login and download issues that actually affect people's ability to use the site.
Alaric.us explained to you in the last thread what the script was and it concurs with the explanation you received. It's a script used to generate performance metrics. It uses an Amazon CDN because the server needs to be located elsewhere to provide accurate results. If you choose to ignore actual explanations as to what a script does whose source code is open for all to see just to stroke your tinfoil ego, that's your problem. If you don't have the know-how to examine the code yourself, that's your problem. GOG has given you everything you need to solve your problem.
So is it any surprise that you're not receiving any response to your repeated unreasonable requests?
Alaric.us explained to you in the last thread what the script was and it concurs with the explanation you received. It's a script used to generate performance metrics. It uses an Amazon CDN because the server needs to be located elsewhere to provide accurate results. If you choose to ignore actual explanations as to what a script does whose source code is open for all to see just to stroke your tinfoil ego, that's your problem. If you don't have the know-how to examine the code yourself, that's your problem. GOG has given you everything you need to solve your problem.
So is it any surprise that you're not receiving any response to your repeated unreasonable requests?
BrandeX
New User
Registered: Mar 2011
From China, People's Republic of
Posted June 01, 2016
I'd prefer to keep this thread to the issue of communication, thank you.
Post edited June 01, 2016 by BrandeX
amok
FREEEEDOOOM!!!!
Registered: Sep 2008
From United Kingdom
Posted June 01, 2016
I think there is a spelling mistake in the thread title, it should be customer, not customers
nightcraw1er.488
Want some Wang!
Registered: Apr 2012
From United Kingdom
Posted June 01, 2016
Its probably on the list of things to fix on this website, and that list is far to big for one company to hold, so they have had to get Amazon in...
TT_TT_TT_TT
Notanew user -.-
Registered: May 2011
From Germany
Posted June 01, 2016
Is this thread even real? OP really expects a second reply to a very unique and complex problem after already having received a genuine basic answer. Since the 5/24 there was exactly 3 business days in Poland (Thursday and Friday they had off, Sat and Sunday as well ^^).
Also this problem is a really unique (meaning it next extra man power to work on it if they decide to work on it - changing a website is not done by standard customer support ^^) and there is no high priority problem here at all anyway so if there is an offered solution it may take a while - there is no problem with payment , nor was somebody overcharged, nor was someones account hijacked nor has somebody lost access to his account (the OP HAS ACCESS to his account but just REFUSES to access his account).
Also this problem is a really unique (meaning it next extra man power to work on it if they decide to work on it - changing a website is not done by standard customer support ^^) and there is no high priority problem here at all anyway so if there is an offered solution it may take a while - there is no problem with payment , nor was somebody overcharged, nor was someones account hijacked nor has somebody lost access to his account (the OP HAS ACCESS to his account but just REFUSES to access his account).
classicgogger
Registered: Feb 2013
From Germany
Posted June 01, 2016
Actually, he posted in a few threads so he does not refuse to access his account. He's just annoyed by a third party script breaking the login process. It's not like GOG is owned by Amazon so there's no need for it breaking the core feature of this site, is there?
Bad Hair Day
Find me in STEAM OT
Registered: Dec 2012
From Other
Posted June 01, 2016
I'm still lost here and I'm not trying to give the OP shit, but what the hell is this "Amazon Script" he is talking about?
For starters, I don't know what the hell it is, why I don't seen to have it, and why it's a problem to begin with.
The only thing I know about Amazon is that, because of my location, I am forced to use it constantly, and it has proven itself to be one of the safest and most reliable sites out there in terms of security and customer service, so again I'm lost as to why he is so upset.
Of course, I'm jumping to conclusions; I'm not even sure he is talking about that Amazon. For all I know it could be some malicious spy ware named after the river, which would admittedly piss me off too.
For starters, I don't know what the hell it is, why I don't seen to have it, and why it's a problem to begin with.
The only thing I know about Amazon is that, because of my location, I am forced to use it constantly, and it has proven itself to be one of the safest and most reliable sites out there in terms of security and customer service, so again I'm lost as to why he is so upset.
Of course, I'm jumping to conclusions; I'm not even sure he is talking about that Amazon. For all I know it could be some malicious spy ware named after the river, which would admittedly piss me off too.
Johny.GOG
☕️
GOG.com Team
Registered: Dec 2014
From Poland
Posted June 01, 2016
high rated
Hi. For clarity and transparency I'll try to put this into simple words:
1. Amazon's CloudFront is just storing scripts, we could embed them ourselves and we will. (we have a small technical thing to overcome before we do this in a proper way) So yay for script blocking users. :P
[edit: there is no CloudFront hosted script right now]
2. We don't send anything to Amazon. The script hosted there (by opbeat itself) is angular-opbeat and it's used by us to collect erros in JavaScript on the user side, alert us etc. - it's created also to be helpful in debugging performance issues on users side. The data is sent to opbeat servers. So the aim in including the opbeat (or other services in future) is:
- Instantly know about site crashes on your side, even if you're in a small group of users or have the issue individually
- Make our website faster for you
3. You can block google analytics and opbeat on your side, we're prepared for that and we respect it - and you'll be able to use our website without this particular amazon-hosted script soon (can't say when, I'm sorry).
[edit: it's done]
You can read the discussion starting from this post (a few pages of related and unrelated posts):
https://www.gog.com/forum/general/the_what_did_just_break_thread/page75#p_b_1504
1. Amazon's CloudFront is just storing scripts, we could embed them ourselves and we will. (we have a small technical thing to overcome before we do this in a proper way) So yay for script blocking users. :P
[edit: there is no CloudFront hosted script right now]
2. We don't send anything to Amazon. The script hosted there (by opbeat itself) is angular-opbeat and it's used by us to collect erros in JavaScript on the user side, alert us etc. - it's created also to be helpful in debugging performance issues on users side. The data is sent to opbeat servers. So the aim in including the opbeat (or other services in future) is:
- Instantly know about site crashes on your side, even if you're in a small group of users or have the issue individually
- Make our website faster for you
3. You can block google analytics and opbeat on your side, we're prepared for that and we respect it - and you'll be able to use our website without this particular amazon-hosted script soon (can't say when, I'm sorry).
[edit: it's done]
You can read the discussion starting from this post (a few pages of related and unrelated posts):
https://www.gog.com/forum/general/the_what_did_just_break_thread/page75#p_b_1504
Post edited June 06, 2016 by Johny.
TT_TT_TT_TT
Notanew user -.-
Registered: May 2011
From Germany
Posted June 01, 2016
nvm then - i missread that part <It's been two weeks since I became unable to access my account (and all the games in it) without letting Amazon in (do not want, thank you). > and thought he is not only "mad"/"disappointed" about the running script itself but actually refuses to unblock the script and by this technically blocks access to his account (and by that then complains about not having access to it..).
Wishbone
Red herring
Registered: Oct 2008
From Denmark
Posted June 01, 2016
high rated
To all you fellow GOGlodytes who currently revel in ridiculing the OP for his "paranoid tinfoil hat delusions":
I don't think any of you have understood the actual concern he has, which is completely legitimate.
You think he is concerned with what the Cloudfront hosted script included by GOG actually does. He isn't.
The problem is not the script, but where the script resides. Anybody can host any kind of file on Cloudfront. Naturally, GOG.com do not include any script in their site if they don't know what it does. That is not the issue.
The issue is that by hosting their script on Cloudfront, GOG makes it mandatory for users to allow their browsers to access Cloudfront, which means that any other site which might host something less savorable on Cloudfront is then free to serve up said less savorable content to the user's browser.
"So don't visit shady sites", I hear you say. Well, the site itself doesn't have to be shady. It just has to have some sort of vulnerability which allows users to embed external content in it remotely. Take for instance a trusty, reputable site such as, oh, I don't know, say, GOG.com. Some of the users who have been here for several years may remember when someone discovered a vulnerability in the forum software, allowing users to embed HTML code directly in a thread title. Said someone were fortunately not malicious, but chose to highlight the problem by exploiting it somewhat innocently, in order to make sure that GOG fixed it ASAP. The result was that, for a while, anyone visiting the General Discussion forum were instantly redirected to a brony site. Someone less benign could have done something much worse, and done so much more easily by hosting malicious code on, say, a free cloud hosting service.
In short, the fact that you cannot log into your GOG account without allowing access to Cloudfront is actually a potential security risk, despite the fact that the script GOG includes from there is completely clean.
I don't actually expect anybody to man up and apologize to the OP, and I fully expect some more ridicule to be headed my way. So be it. I said my piece.
I don't think any of you have understood the actual concern he has, which is completely legitimate.
You think he is concerned with what the Cloudfront hosted script included by GOG actually does. He isn't.
The problem is not the script, but where the script resides. Anybody can host any kind of file on Cloudfront. Naturally, GOG.com do not include any script in their site if they don't know what it does. That is not the issue.
The issue is that by hosting their script on Cloudfront, GOG makes it mandatory for users to allow their browsers to access Cloudfront, which means that any other site which might host something less savorable on Cloudfront is then free to serve up said less savorable content to the user's browser.
"So don't visit shady sites", I hear you say. Well, the site itself doesn't have to be shady. It just has to have some sort of vulnerability which allows users to embed external content in it remotely. Take for instance a trusty, reputable site such as, oh, I don't know, say, GOG.com. Some of the users who have been here for several years may remember when someone discovered a vulnerability in the forum software, allowing users to embed HTML code directly in a thread title. Said someone were fortunately not malicious, but chose to highlight the problem by exploiting it somewhat innocently, in order to make sure that GOG fixed it ASAP. The result was that, for a while, anyone visiting the General Discussion forum were instantly redirected to a brony site. Someone less benign could have done something much worse, and done so much more easily by hosting malicious code on, say, a free cloud hosting service.
In short, the fact that you cannot log into your GOG account without allowing access to Cloudfront is actually a potential security risk, despite the fact that the script GOG includes from there is completely clean.
I don't actually expect anybody to man up and apologize to the OP, and I fully expect some more ridicule to be headed my way. So be it. I said my piece.
JMich
A Horrible Human Person. If you need me, chat.
Registered: Apr 2011
From Greece
Posted June 01, 2016
_ChaosFox_
Zero fox given.
Registered: Nov 2008
From Germany
Posted June 01, 2016
But that is all moot, because as you point out, GOG's own site has hardly been a paragon of absolute security, regardless of the external CDNs that it uses. I buy from GOG because of what it does, but I would never consider buying anything through the Galaxy client directly, for instance. I know the bandwagon hate for major companies like Amazon is strong, but ultimately, it's very likely to be more robust security-wise than an SME like GOG with less in-house security expertise.
As you yourself pointed out, it was a vulnerability that enabled some benign hacktivist to redirect the forum to a brony site. No disrespect to GOG, but this is the company you would want to host a JavaScript script in place of Amazon Cloudfront? Well, that's what you're getting now.
Post edited June 01, 2016 by jamyskis
Wishbone
Red herring
Registered: Oct 2008
From Denmark
Posted June 01, 2016
JMich
A Horrible Human Person. If you need me, chat.
Registered: Apr 2011
From Greece