Rosiebelle

Official forums down


Yepp, would be interesting if the hole is already closed. Maybe freundlich could check the servers again, but I'm afraid that this would mean another breaking of the law.


If my experience is any indicator, BBB submissions get little more than a canned reply from Turbine.

It doesn't hurt to have it on their record, but customer service is by far their weakest suit.

This little database fracas makes that even more apparent due to their reluctance to inform the holders of said (potentially) compromised data that they should take general measures to protect their security (like change passwords at least).

Regardless of what was or was not able to be obtained from the loophole, this would just be good practice. It's obvious that Turdbine is more concerned with saving face (taking forums offline, saying really nothing) than protecting their customers (taking forums offline, saying something).

Such nontransparency. I have to wonder if it would still be the same if this were pre-sellout?

Seems like they can only dig deeper holes these days.


Well, one semi-positive about the forums being down is that this place is getting more exposure.


Yepp, would be interesting if the hole is already closed.

It is. However, if they're going to bring the forums down for days like this, closing some open firewall ports and fixing their MySQL configuration isn't all they're likely to do. There have been a few SQL injection vulnerabilities exposed in vBulletin over the past several months, and I'd want to make sure those were shut down tight as well if they weren't already (something that could take a while).

Khafar


Also, I have a sneaking suspicion that the databases were left open to anonymous access for a reason. It is likely they were still working on the migration and possibly other things, so there may very well be things that need to be taken care of that weren't initially high priority in order to close them up and go back on-line. They may also be rethinking (and possibly redesigning) their entire approach. This could take a while.


It always felt like the migration was somewhat sudden in that they barely gave a month's notice. Then following migration there were issues with the payment options which, if they were working with Codemasters in advance, would have been covered prior to migration, not post.

From the approach Turbine have taken to customers over the past year, I suspect security issues have been given low priority - it feels like a lot of things have been given low priority really. The big question is why, but any answers are pure speculation.

I am hoping Paiz and co are on their way out and our next producer will be a little more customer focussed... well I can hope can't I? :)


*watches a squadron of pigs flying past*

Some info, any bloody info would be nice at this point. Their communication is worse than rubbish.


Also, I have a sneaking suspicion that the databases were left open to anonymous access for a reason.
There is absolutely no circumstance in which those ports should be open on the firewall for a publicly-accessible server. None. Ditto for allowing anon access with grants to look at databases, tables, etc. It may have been set that way while they were testing something, but if so, whoever forgot to put it back is probably afraid for their job right now.

Something is confusing me, though. For an operation of this size, it's strange to have account data stored on their primary web servers, which makes me wonder if that wasn't a "left-over" from some server reshuffling they did along the line. In other words, perhaps it wasn't an active database... just one they forgot to remove when the server was retasked. That doesn't mean that it didn't have valid information in it, though, which is a huge problem if that were dumped by anyone.

Khafar
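
The two conditions named in the post above, anonymous accounts holding grants and a database port reachable from outside, can be checked from a MySQL admin session. This is an added example, not part of the original post; it assumes a stock MySQL server, and the host value in the final statement is an assumption to be replaced with whatever query 1 returns.

```sql
-- Added example: audit queries for a stock MySQL server (run as an admin account).

-- 1. Anonymous accounts: an empty user name matches any client-supplied name.
SELECT user, host
FROM mysql.user
WHERE user = '';

-- 2. Database-level privileges held by anonymous accounts. Older default
--    installs granted these on `test` and `test\_%`.
SELECT host, db, select_priv, insert_priv, update_priv, delete_priv
FROM mysql.db
WHERE user = '';

-- 3. Named accounts that may connect from any host.
SELECT user, host
FROM mysql.user
WHERE user <> '' AND host = '%';

-- 4. Which interface and port the server listens on. A bind_address of
--    * or 0.0.0.0 means every interface, so only the firewall stands
--    between the MySQL port and the internet.
SHOW VARIABLES LIKE 'bind_address';
SHOW VARIABLES LIKE 'port';

-- 5. Remediation for an account returned by query 1 (host value is an
--    assumption; use what the query returned).
DROP USER ''@'localhost';
```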


I am hoping Paiz and co are on their way out and our next producer will be a little more customer focussed... well I can hope can't I? :)

Ya know... we haven't heard from Mrs Paiz in a looooong time, though Mr Paiz has been vocal recently.

Maybe Mrs Paiz is just imitating an ostrich or is it possible she has gone the way of the extinct Steefel bird?


Some info, any bloody info would be nice at this point. Their communication is worse than rubbish.
The most you'll get is "We're still working on it. Thank you for your continued patience". Only once they get these issues resolved will they say anything beyond that, and even then it's going to be pretty vague. They don't want to give hackers any ideas.

Khafar


I really don't understand such things so all I have to go on is a little common sense.

I would have expected that companies handling personal data for online services would have checks in place to test the security of their systems periodically - especially after making changes? Something basic at least...


There is nothing about Turbine and Lotro lately that shows any polish. From bad moderation on their forums, horrible PR, deceptive marketing, screwing over people who buy TP, buggy unfinished delayed content and this could possibly be the worst of all if it turns out to be true. They even got their lotrostore wrong by mistakenly putting Draigoch on sale for 20% this past week LOL.

There is something wrong with the leadership and the culture there that lets this get out of hand in all facets of their business. When I think of Turbine I think one word: Unprofessional! It's too bad, there is a lot about the game that I really like, but I wonder how much of it is really left over from the beginning days of LOTRO? Once the content creation tools were made how many of those developers stayed with the product?


I just noticed something a bit odd. According to the "New Forum Posts" widget on my.lotro.com there have been 2 new posts today.

Man I love this game!

Thursday, October 13, 2011 - 8:52:04 AM

the cosmetic gear is so sweet.

Hospitality?

Thursday, October 13, 2011 - 7:13:47 AM

Can someone offer me some food and lodging for a new player?


Once the content creation tools were made how many of those developers stayed with the product?
Lots of them, actually. Some have left the company, and some have moved over to the unannounced project... but there are a fair number that have been there since the beginning. Not all of those post on the public forums anymore, though.

My suspicion is simply that their financials still aren't great. This project was funded and initially staffed with the expectation of closer to 1M subscribers than 100K, and it's doubtful they've had any new VC coming their way for at least the last few years. Yes, they said revenues had increased after going F2P, but 1) revenues aren't profits (which is what matters), and 2) those numbers are now 10 months old, and may not be close to accurate anymore.

When you're underfunded, things slip through the cracks, and you're very likely to scrimp on things you really shouldn't.

Khafar


... and the official Rift forums, built on vBulletin 4 (same as LOTRO's highly modified forums are) have been brought down for "Emergency Maintenance". I'm hoping they are either just being careful or had unrelated issues come up, but just in case I have a bright, shiny new password for that game, too.


There is nothing about Turbine and Lotro lately that shows any polish. From bad moderation on their forums, horrible PR, deceptive marketing, screwing over people who buy TP, buggy unfinished delayed content and this could possibly be the worst of all if it turns out to be true. They even got their lotrostore wrong by mistakenly putting Draigoch on sale for 20% this past week LOL.

There is something wrong with the leadership and the culture there that lets this get out of hand in all facets of their business. When I think of Turbine I think one word: Unprofessional! It's too bad, there is a lot about the game that I really like, but I wonder how much of it is really left over from the beginning days of LOTRO? Once the content creation tools were made how many of those developers stayed with the product?

Paints quite a picture doesn't it? I think all the above you mention (Draigoch on sale made me laugh!) are signs of poor leadership and / or resources. Steefel may have been clueless, but the product was generally delivered in good shape - when they didn't meet their own release dates it wasn't for lack of trying, they were just a bit ambitious I think.

I can't help but wonder what their longterm aims are, would love to take a peek at some of the emails or meetings that have taken place regarding lotro's future.


... and the official Rift forums, built on vBulletin 4 (same as LOTRO's highly modified forums are) have been brought down for "Emergency Maintenance". I'm hoping they are either just being careful or had unrelated issues come up, but just in case I have a bright, shiny new password for that game, too.

Now that is VERY curious.


It may have been set that way while they were testing something, but if so, whoever forgot to put it back is probably afraid for their job right now.

Of course, that assumes that it wasn't an intentional effort by the person who didn't put it back. There's a significant trend lately, involving people on the inside trying to make money on the outside by leaving an open window.


Of course, that assumes that it wasn't an intentional effort by the person who didn't put it back. There's a significant trend lately, involving people on the inside trying to make money on the outside by leaving an open window.

Well, in that case, whoever left it open is afraid about going to jail right now.

Khafar


Just out of curiosity: Has "freundlich" actually accessed the game account-database or "just" the vBulletin-database? I know, even the vBulletin/forum-database would be terrible enough since the forum-accounts are connected with the game-accounts, and a hacker would gain access to the usernames and email-addresses, but at least the subscription details should be safe. Since the game servers are still online, and other vBulletin boards are suddenly in maintenance mode as well, and since I can't remember that "freundlich" has shown any other information than hashes and email-addresses, I wonder if he "just" stumbled across a previously unknown breach in vBulletin or if he actually had access to the more critical game account-database.


Of course, that assumes that it wasn't an intentional effort by the person who didn't put it back. There's a significant trend lately, involving people on the inside trying to make money on the outside by leaving an open window.

There's a difference between a "window" and this... uhm... how should I put it... [image: the-pointless-gate.jpg]


I stumbled on these forums by accident after searching for more info on the breach. I've been following this thread quite closely for the past 12 hours or so and I created an account to ask a question, is there any way to get this info out to the general lotro community, who may not know about these forums?

I know my kin/tribe are both well updated but I can imagine plenty of the (forum) community still being totally oblivious of the problem. I'm amazed that Turbine haven't asked us to change our passwords yet, regardless how big the problem is. Assuming it's Sony scale, they're more or less sealing their own graves by remaining silent. I'd like to suggest those of you with twitter/FB/LotRO related blogs post a warning with the suggestion to change account passwords.


There is absolutely no circumstance in which those ports should be open on the firewall for a publicly-accessible server. None. Ditto for allowing anon access with grants to look at databases, tables, etc. It may have been set that way while they were testing something, but if so, whoever forgot to put it back is probably afraid for their job right now.

Oh, I agree it's unconscionable, but that doesn't mean it wasn't intentional. You don't know how many times I've run across system admins who should know better (and do) counting on secrecy (nobody knows so it's "safe") when leaving ports open with full access to the network, the servers, the routers and installing secret back doors and every other stupid thing you can think of. It happens all the time. I have a feeling (just my gut, so take it with a grain of salt) that some party or parties needed access during the migration and this was the simplest and quickest way to accomplish it. I doubt it was ever meant to stay that way for long, though.

This has not been raised before that I'm aware of, but there is also always the possibility of sabotage. I've never worked for a company where every single employee was happy, and I doubt it's any different over at Turbine. 'Nuff said about that, I guess.

Something is confusing me, though. For an operation of this size, it's strange to have account data stored on their primary web servers, which makes me wonder if that wasn't a "left-over" from some server reshuffling they did along the line. In other words, perhaps it wasn't an active database... just one they forgot to remove when the server was retasked. That doesn't mean that it didn't have valid information in it, though, which is a huge problem if that were dumped by anyone.

I think it's strange, too. But, I have no idea how they have the data from the game tied to the forums, and what performance problems they may be dealing with. You sure don't want to affect game performance when the forums get busy. It could also have been a temporary database to use during migration. That kinda makes sense since so many people from the EU are complaining that they don't have access to current data on their characters in the forums. So, who knows. Pretty stupid way to run an airline, though, if you ask me.

IMHO


The last post in this thread, https://www.vbulletin.com/forum/showthread.php/389042-Forum-Hacked-help-please, is interesting. No idea if it has anything to do with this situation.
