LOTROCommunity

Official forums down



Well, my husband posted a comment on the FB thread suggesting that people contact their local State Attorneys General requesting them to investigate a possible security breach at Turbine, and his thread was deleted (almost immediately) and he was banned from posting.
This won't be popular here of course, but that's the sort of post I would have deleted myself if I were in that job. If people want to agitate to sue my company, cause legal nightmares for my company, etc... I'm going to require them to do so elsewhere. Yes, that's part of why this forum exists, but I think it's completely unreasonable to expect Turbine to allow such advocacy on communications outlets they host or control.

Khafar


https://twitter.com/#!/rickheaton/status/124855047577276416

#FF I've decided some companies need to hire better VO talent. Hire these people: @UNnouncer @candaceMcCarty

Oo

I've decided Turbine need to hire some better admins: <insert some people here> #lotro #ddo #ac

I've not tweeted this.


My 2 cents, if I were Turbine. It’s my first post here and I realize I’m going against the overall trend of these forums by taking Turbine's side, but I feel it needs to be said. Before things “take a life of their own” as someone said.

If I was handling this situation I would not release any definitive statements until I had definitive facts. I would not make suggestive announcements that could cause fear and panic unless there was a reason to do so. I would allocate all my resources in this order.

1. Stop the damage

2. Comb the servers to determine the extent of the damage

3. Secure the fallout damage through announcements and legal activity

4. Fill the hole

5. Burn-in test the system.

6. Put the system back into service.

7. Final announcement.

I think we are still in phase 2. Phase 2 is the most important phase and will not change without rigorous and lengthy searching. Until phase 2 is completed releasing any announcements that are not absolutely accurate will only cause more fall out damage, including lawsuits.

When a statement is “official” you have to be absolutely clear and accurate. You never speak about nebulous things like “It’s possible…”. These official statements are not like when you tell your boss the generator isn’t starting because it needs a new sensor; we can repair in 3 hours and resume normal operations. These are CEO, presidential, senator type statements. Every word has incredible ramifications.

They have lawyers on payroll. They know the law and what happens when they break the law. I truly believe we are on phase 2, and that nothing nefarious or insensitive is going on. Considering that phase 2 is the most important I would expect it to take at least a week to be sure.

Please do not make statements to the BBB based on rumor or speculation (referring to the servers being down and the speculation of theft). That is not the way to do things. Wait till we know something because you can’t take it back once you state it.

I’m not saying do nothing. Some of you are investigating and that is great and we thank you. Just don’t do anything damaging without knowing the facts first.


Turbine were not hosting such advocacy :) Facebook were.

Which is why I amended my post to say "host or control". People find LOTRO through many channels, including Facebook and their own forums. I would absolutely expect them to delete posts that are agitating for what could amount to major financial damage to the company in either place, and were I in that job, I'd delete them myself. You want to complain? Fine. Be my guest. But threatening legal action or trying to get individuals at my company fired? You can do that elsewhere.

Khafar


Every time I read this thread it's like watching a train wreck in that I can't turn away, but there are a few differences.

This time I'm on the train and it's a multi-day ride with no end in sight. On the outside of it are the words "Turbine Express." We've already had the big wreck and some of the train's wheels are missing. It's a very bumpy ride and people are fearing for their safety.

Days after the wreck I heard the conductor say, "We might have hit some air resistance."

A day after that, as the train was still teetering on the tracks, I heard, "There is a potential issue with the train."

Since then all the conductor has been saying is, "Enter our Twitter contest for free train tickets!"

*sigh*


Haven't there already been reports of them clean-sweeping the FB threads as well? I thought I had read a couple of days ago of that happening. If that's the case, we will never know how many posts were swept away.

I'm pretty sure Sapience has control of the FB account too and we already know how heavy handed he can be.

The CM team, including Sapience, run the LOTRO page on FB and the @LOTRO Twitter account. So it is no surprise if the FB page is handled much the same way the LOTRO Forums are.


Have e-mailed the Information Commissioner’s Office in the UK to find out what the legal situation is.

Normally I wouldn't bother, but if bank and Credit Card information has been compromised, then I feel we, their customers, have a right and a need to know ASAP.


Gah it won't let me file a complaint with the MA Attorney General because I don't have a US zip code! Stupid online form!

Rosie, I have spoken to the AG's office and they say to put zeros in the zip code box and it should work then. If it doesn't work, let me know as I have an email address you can write to instead.

I am waiting for a call back, however the person I did speak to seemed to think that putting the complaint forwards was worthwhile and has put me in touch with a division that deals with these issues to see if they can offer more help in this matter.


I think we are still in phase 2. Phase 2 is the most important phase and will not change without rigorous and lengthy searching. Until phase 2 is completed releasing any announcements that are not absolutely accurate will only cause more fall out damage, including lawsuits.

Good posting in my eyes, plus what you said about the phases makes a lot of sense to me. I hope you are right, and I also hope once they've sorted it out we get to hear an honest statement. That's the most important thing to me, them being honest.


My 2 cents, if I were Turbine. It’s my first post here and I realize I’m going against the overall trend of these forums by taking Turbine's side, but I feel it needs to be said. Before things “take a life of their own” as someone said.

Welcome to the forums :) I think you are safe here posting your own thoughts even if we don't always agree with you :)

They have lawyers on payroll. They know the law and what happens when they break the law. I truly believe we are on phase 2, and that nothing nefarious or insensitive is going on.

They may have lawyers on the payroll, but that certainly hasn't made them comply with the consumer protection laws in other ways so I am not holding my breath that it will in this case either.

Please do not make statements to the BBB based on rumor or speculation (referring to the servers being down and the speculation of theft). That is not the way to do things. Wait till we know something because you can’t take it back once you state it.

The point is that while Turbine are going through their own stages, anyone who already has the data can be making good use of it. I accept that Turbine cannot give information as to the damage caused until they have done a full assessment, nor would I expect them to.

The cat is out of the bag, there most certainly was a serious security breach and after three days of the forums being down Turbine are yet to acknowledge this. The odds are the majority of their customers (whether actively playing or not) have no idea that their account information has been compromised. Whether the information was stolen or not is another matter, but it has certainly been put at risk.


This won't be popular here of course, but that's the sort of post I would have deleted myself if I were in that job. If people want to agitate to sue my company, cause legal nightmares for my company, etc... I'm going to require them to do so elsewhere. Yes, that's part of why this forum exists, but I think it's completely unreasonable to expect Turbine to allow such advocacy on communications outlets they host or control.

Khafar

Khafar,

I understand your position and reasoning (and don't necessarily disagree with your main point), but there are several issues at play here.

1. Prior to the shutdown we know there was a rash of hacked accounts (in hindsight calling them "hacked" is probably a bit disingenuous).

2. It's pretty common knowledge in Europe that Turbine was hacked. By whom exactly, for what purposes, and how severe it was is yet to be known.

3. There are some very serious ramifications of people's personal information getting "on the street" and while Turbine considers its own fate, it must also consider the consequences to its customers.

4. Turbine's absolute failure to either confirm or deny what's going on is demonstrative of their lack of concern for their customers and evidence that they are only concerned about Turbine. And their continued silence is doing nothing but "fanning the flames". So given that, if Turbine won't inform customers what is going on (and show some modicum of concern for them), then customers have to take action to find out what is going on and having no clout with Turbine, must seek other avenues.

Every first year Public Relations student is taught to get ahead of a PR disaster and stay ahead. That is the only way to control it. If you don't it begins to spiral out of control and like a plane spiraling out of control, there comes a time when it can't be saved and the crash is terribly ugly.


Every first year Public Relations student is taught to get ahead of a PR disaster and stay ahead. That is the only way to control it. If you don't it begins to spiral out of control and like a plane spiraling out of control, there comes a time when it can't be saved and the crash is terribly ugly.

Ah so that's where Turbine has been going wrong! They hired a spin doctor in place of a PR student :)


Guess I'm going to hang out in this thread.

Really concerned about all this. My bank isn't going to be impressed if I wait four days to inform them of a breach, and I bet Turbine will reject my inevitable hacking report with "well, why not change your password when we were breached last week?"

We've got nothing to protect ourselves with here.


The first course of action for customers who believe their personal data may have been compromised is to contact privacy@wb.com with your concerns. You may first want to read the privacy agreement at http://www.turbine.com/support/135.

Fredelas,

Thanks for the reference. I actually read it. :)

I find this statement very interesting:

"OUR COMMITMENT TO SECURITY

We have put in place appropriate physical, electronic, and managerial procedures to safeguard and help prevent unauthorized access, maintain data security, and correctly use the information we collect online."

Please note it says "We have put in place...". That is a statement of fact. If the rumors of the nature of this breach turn out to be true, that claim in their policy might come back to bite them in the behind. Hard enough to leave marks.


Sure, if they have evidence that their databases were dumped (or if they don't have sufficient logging in place to tell). I'm not sure whether this is true or not. Are you?

It's not practical to log every access (read access) to a password database like this. Just calculate on your own how much data that would be.


Khafar,

I understand your position and reasoning (and don't necessarily disagree with your main point), but there are several issues at play here.

1. Prior to the shutdown we know there was a rash of hacked accounts (in hindsight calling them "hacked" is probably a bit disingenuous).

There is always a rash of compromised accounts. We just don't usually notice it until other circumstances cause us to be more attentive. More active players means more compromised accounts being reported, and prior to the forums being taken down, there were more active players due to the release of the expansion. Those of us without compromised accounts also tend to spend more time reading the forums after an expansion, and are more likely to notice these reports.

As an analogy, people are more likely to believe that an area's overall crime rate has risen when a crime is committed against them or someone they know, or even when a single crime is prominently reported in the media, even when the overall crime rate has actually significantly decreased.

This doesn't mean that this incident hasn't caused some (or even many) accounts to be compromised, it only means there are alternative explanations that are statistically (and historically) plausible.

2. It's pretty common knowledge in Europe that Turbine was hacked. By whom exactly, for what purposes, and how severe it was is yet to be known.

Why is this common knowledge in Europe and not elsewhere? Do Europeans have some special insight into hacking? What evidence supports this knowledge, if no one knows who, why, or what? Or are you referring to this specific incident and the evidence we've seen on these forums?

3. There are some very serious ramifications of people's personal information getting "on the street" and while Turbine considers its own fate, it must also consider the consequences to its customers.

I absolutely agree. I think Turbine should take time to do its own careful investigation, but it's been nearly 72 hours since Turbine took its initial actions. If they haven't reached any reliable conclusions yet, I'm concerned that they never will.

4. Turbine's absolute failure to either confirm or deny what's going on is demonstrative of their lack of concern for their customers and evidence that they are only concerned about Turbine. And their continued silence is doing nothing but "fanning the flames". So given that, if Turbine won't inform customers what is going on (and show some modicum of concern for them), then customers have to take action to find out what is going on and having no clout with Turbine, must seek other avenues.

I don't think this particular incident demonstrates the company's lack of regard for its customers. (I do think there are other individual examples of that in Turbine's history, though.)

Rather, I would speculate it represents the degree to which the company's legal advisers keep its hands tied and mouth sealed to protect its own interests. A company can care deeply about its customers and at the same time have to comply with legal and regulatory procedures that frustrate its customers. (At least this isn't the health care industry, where decisions and actions can impact life or death, rather than passwords and credit card numbers.)

Every first year Public Relations student is taught to get ahead of a PR disaster and stay ahead. That is the only way to control it. If you don't it begins to spiral out of control and like a plane spiraling out of control, there comes a time when it can't be saved and the crash is terribly ugly.

I agree that Turbine seems to have been caught unprepared by this. There's really no excuse, in my opinion. With everything that has happened with SOE lately, Turbine should have already had an action plan and statements ready to go for when the plague spread to them. No one in the industry is immune.


Ok, I give in.... I've changed my password to something completely new and different (again). I checked my account and Turbine do have my cc details - I actually thought they didn't. Now I vaguely remember them asking when I transferred my account. And why not, eh? After all, surely you can trust a big computer company like Turbine.... *sigh*

Cara


Fredelas,

Thanks for the reference. I actually read it. :)

I find this statement very interesting:

"OUR COMMITMENT TO SECURITY

We have put in place appropriate physical, electronic, and managerial procedures to safeguard and help prevent unauthorized access, maintain data security, and correctly use the information we collect online."

Please note it says "We have put in place...". That is a statement of fact. If the rumors of the nature of this breach turn out to be true, that claim in their policy might come back to bite them in the behind. Hard enough to leave marks.

Because Turbine has customers residing in Massachusetts (and not because the company is located there), Turbine also has to comply with the very strict data protection laws in that state.

The company I work for (not in Massachusetts) had to temporarily stop doing business with our customers in Massachusetts for almost a month last year while our lawyers determined we were in compliance.

Because of your particular interest, you may also want to read these regulations (PDF file): http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf


It's not practical to log every access (read access) to a password database like this. Just calculate on your own how much data that would be.

The product I work on does this (i.e. storing all non-trivial queries), for the same reason... we use it to collect and collate query usage information, to identify bottlenecks, to debug intermittent/infrequent problems, find security threats, etc. The log has its own disk I/O, allowing it to be stored at high speed without impacting system performance much. When a customer calls and tells us that such-and-such happened yesterday at 2:36 PM and we need to fix it, this logging is one of the primary tools used to accomplish that.

Yes, it adds up to many hundreds of thousands (and sometimes millions) of lines per day in our case, but we actually store billions of records on our 24TB systems... the logging is pretty small compared to the data. Because you can set a threshold for what size/length of queries are stored, you can control the performance/usage characteristics of the logging.

Khafar

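As an added example (not code from this thread, from Khafar's product, or from Turbine), here is a small Python sketch of the threshold-based access logging described in the post above, applied to a toy credential store: every read passes through a recorder, reads returning fewer rows than a threshold are dropped, a detector flags any principal that reads an unusual number of rows within a short window (the pattern a table dump leaves behind), and a helper gives the rough daily log volume the earlier post asked about. All usernames, hashes, principals, timestamps and figures are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AccessRecord:
    """One logged read of the credential store (all fields constructed)."""
    ts: float        # seconds since epoch
    principal: str   # service account that issued the read
    rows: int        # credential rows returned by the read
    query: str       # normalized statement text, parameters stripped


class CredentialStore:
    """Toy credential store mapping username -> salted hash (placeholder strings).

    Every read passes through _record(); reads returning fewer rows than
    `threshold_rows` are dropped from the log. That threshold is what keeps
    the logging cost proportional to what is actually worth auditing."""

    def __init__(self, rows, log, threshold_rows=1):
        self._rows = dict(rows)
        self._log = log
        self._threshold = threshold_rows

    def lookup(self, principal, username, ts):
        """Single-row read, as a login check would issue."""
        hit = self._rows.get(username)
        self._record(ts, principal, 1 if hit is not None else 0,
                     "SELECT hash FROM users WHERE name = ?")
        return hit

    def export_all(self, principal, ts):
        """Full-table read: legitimate for a migration job, suspicious otherwise."""
        self._record(ts, principal, len(self._rows), "SELECT name, hash FROM users")
        return dict(self._rows)

    def _record(self, ts, principal, rows, query):
        if rows >= self._threshold:
            self._log.append(AccessRecord(ts, principal, rows, query))


def detect_bulk_reads(log, max_rows_per_window, window_seconds):
    """Return principals whose rows read in any sliding window exceed the cap.

    A dump of the table shows up as one principal reading far more rows than
    a login service ever does, so this is a cheap first-pass detector over
    the access log."""
    by_principal = defaultdict(list)
    for rec in sorted(log, key=lambda r: r.ts):
        by_principal[rec.principal].append(rec)
    flagged = set()
    for principal, recs in by_principal.items():
        start, total = 0, 0
        for rec in recs:
            total += rec.rows
            # slide the window start forward until it fits within window_seconds
            while rec.ts - recs[start].ts > window_seconds:
                total -= recs[start].rows
                start += 1
            if total > max_rows_per_window:
                flagged.add(principal)
                break
    return flagged


def estimate_log_bytes_per_day(reads_per_day, avg_record_bytes, logged_fraction):
    """Rough daily log volume once a threshold keeps only `logged_fraction` of reads."""
    return int(reads_per_day * avg_record_bytes * logged_fraction)


def run_demo():
    """Constructed scenario: three logins, one miss, then a full export."""
    log = []
    users = {"alice": "hash-A", "bob": "hash-B", "carol": "hash-C",
             "dave": "hash-D", "erin": "hash-E"}   # placeholder hashes, not real
    store = CredentialStore(users, log, threshold_rows=1)
    store.lookup("login-svc", "alice", ts=0.0)
    store.lookup("login-svc", "bob", ts=1.0)
    store.lookup("login-svc", "carol", ts=2.0)
    store.lookup("login-svc", "nobody", ts=3.0)   # miss: 0 rows, below threshold, not logged
    store.export_all("batch-job", ts=10.0)         # 5 rows in a single read
    flagged = detect_bulk_reads(log, max_rows_per_window=3, window_seconds=60)
    return flagged, len(log)


if __name__ == "__main__":
    flagged, entries = run_demo()
    print(f"{entries} log entries, flagged principals: {sorted(flagged)}")
    print("bytes/day at 10M reads, 200 B/record, 1% logged:",
          estimate_log_bytes_per_day(10_000_000, 200, 0.01))
```

The detector only answers the narrow question the thread raised, whether there is enough evidence in the log to tell a dump from ordinary logins; a real deployment would also record the client address and stash the log somewhere the database host cannot rewrite it.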

This doesn't mean that this incident hasn't caused some (or even many) accounts to be compromised, it only means there are alternative explanations that are statistically (and historically) plausible.

Ok, I'll accept your "plausible" alternative but it's equally "plausible" then that the recent rash of hacks were related to this alleged security breach.

Why is this common knowledge in Europe and not elsewhere? Do Europeans have some special insight into hacking? What evidence supports this knowledge, if no one knows who, why, or what? Or are you referring to this specific incident and the evidence we've seen on these forums?

Ok, you got me. It's pretty common knowledge in a lot places. Except Turbine, of course.

I don't think this particular incident demonstrates the company's lack of regard for its customers. (I do think there are other individual examples of that in Turbine's history, though.)

Sadly, I must agree with one point. This is not the only incident that represents their total lack of concern or caring for their customers. And at some point though, when crap keeps showing up on your lawn and you don't have a dog, but your neighbor does, you have to reach the conclusion that, no matter how cute and cuddly the neighbor's dog is, he's a lawn pooper.

So, at what point does Turbine's actions indicate they don't care?


My 2 cents, if I were Turbine. It’s my first post here and I realize I’m going against the overall trend of these forums by taking Turbine's side, but I feel it needs to be said. Before things “take a life of their own” as someone said.

If I was handling this situation I would not release any definitive statements until I had definitive facts. I would not make suggestive announcements that could cause fear and panic unless there was a reason to do so. I would allocate all my resources in this order.

1. Stop the damage

2. Comb the servers to determine the extent of the damage

3. Secure the fallout damage through announcements and legal activity

...

I think you're totally right, as long as Turbine is just concerned about their own damage. Step 1 and 2 are heavily integrated: you can't stop damage you don't know is there yet, but good security practices say that if there's a breach of security and you don't know if data has been stolen and can't find out in time, you assume it's been compromised.

I know a little about server operations and they are likely to have a team working on this, and it's not too hard to have an idea of what's likely untouched and what not in a few hours, especially in general terms of 'Payment data', 'Passwords', 'Customer information'. Right now prudent customers are still at stage 1, and lacking information from them about what's secure and what not, you've got to assume anything Turbine has on file about you has been public. But considering Turbine's own response it's also likely that there's been a leak, but that freundlich was perhaps the first to find out. In which case there's little risk of passwords and credit-card info actually being misused. By not giving any information about the extent of the damage, they let concerned customers either take unnecessary precautions or put them at additional risk. You'd expect a decent company to try to keep that period of uncertainty as short as possible.

Silly comparison: If you see smoke rising from a house, you'd expect someone to take a quick look around and ring the bell to see if it's not just the barbecue in the backyard, and then call the fire department even though he's not 100% sure it's a fire. Not call an investigator to find out the exact source of the smoke and ask him to call the fire department if he discovers the source was indeed a fire.


There is always a rash of compromised accounts. We just don't usually notice it until other circumstances cause us to be more attentive. More active players means more compromised accounts being reported, and prior to the forums being taken down, there were more active players due to the release of the expansion. Those of us without compromised accounts also tend to spend more time reading the forums after an expansion, and are more likely to notice these reports.

As an analogy, people are more likely to believe that an area's overall crime rate has risen when a crime is committed against them or someone they know, or even when a single crime is prominently reported in the media, even when the overall crime rate has actually significantly decreased.

This doesn't mean that this incident hasn't caused some (or even many) accounts to be compromised, it only means there are alternative explanations that are statistically (and historically) plausible.

There was a rash of compromised accounts when RIFT was released. People kept blaming user error, web sites, key loggers etc... Trion put the blame on the users. Myself and others believed after the first week that there was a security flaw in RIFT's game launcher.

A month later a white hat hacker pointed out the flaw in their security and Trion admitted that the rash of hacked accounts was a fault on their end. That around 10,000 accounts were raided due to the security flaw.

When you've been lurking game forums for 13 years you begin to notice when things are not right. You notice when you see people posting they got hacked each day. You notice when mods delete any threads related to the subject and you notice when your own account gets hacked through no fault of your own.

Codemasters got hacked a few days before account migration and people's accounts got raided. Due to this Codemasters couldn't take action against the hackers, as banning the compromised accounts to prevent damage also stops them from being migrated. They didn't have the time to sort out the accounts, so the hackers who compromised Codemasters' web site got away with it. It's clear it was well planned and co-ordinated.

After migration there has been a big rise in hacked accounts and Turbine has done nothing. You won't notice much evidence of this because Sappy and Turbine like to keep things tidy on the forums and blame the users.
