LOTROCommunity

Official forums down


Rosiebelle

Forcing me to think of a ten-character password is obnoxious.

Forcing my password to contain a bunch of garbage characters making it impossible to commit to memory is obnoxious.

It's not, it's common sense. The longer a password is, with more than just lowercase, the harder it becomes to crack (in normal circumstances. It of course doesn't help when Turbine leave the backdoor open). When I worked for the local council's IT department, we brought the "at least 7 chars long, must contain 3 out of 4 categories: Lowercase, uppercase, numbers, symbols....not allowed to contain any part of full name, must be changed every 28 days, cannot be changed to anything you've had the last 20 passwords"

Link to comment
Share on other sites

Forcing me to think of a ten-character password is obnoxious.

Forcing my password to contain a bunch of garbage characters making it impossible to commit to memory is obnoxious.

I can understand you feeling that way and to some degree I share your sentiment. I think sometimes it is a question of 'how far can you reasonably go?' in terms of protecting your security.

While I fully understand the need for us to take our internet security seriously, encouraging log in systems that are on par with internet banking is just taking things too far for an online game. There have to be some reasonable expectations - although no doubt what these are could be discussed and debated for months! :)

For what it's worth, here are my own thoughts on what is 'reasonable' security for someone playing lotro:

- have good malware / antivirus security suite installed and keep up to date

- be wary of emails that come to your inbox and don't click on links in them to change passwords etc

- I use Firefox and there is a nice script blocker and flash blocker that I use and recommend, but am sure there are numerous things that do the same thing. The script blocker does give me a sense of awareness and security that I didn't have previously, the flash blocker... well flash annoys me :) Oh and ad blocker can be good too although I don't know if this helps with security itself.

- Use different usernames and passwords

The general security rules regarding usernames and passwords seem contradictory to me. On the one hand you aren't supposed to use the same username and password for different things and on the other hand you aren't supposed to write them down. Now I consider myself intelligent but far from genius and there is no way I could manage to do both of the above at the same time. There are just too many different accounts for me to keep track without writing them down. So I guess the average security conscious person has to figure out where their own comfort zones are. When I started to use more adventurous passwords I realised I had to start keeping them noted down somewhere as I just couldn't keep track.

The point is that businesses should not be expecting customers to be going to great lengths to make it hard for hackers to guess their passwords in the event of being hacked. I think in regards to lotro a decent account / character restoration system is important considering it is a paid product - it could even be free to VIPs and require a fee for Premiums since the nature of Premium is 'pay as you go'. Naturally there would still need to be guidelines to avoid abuse of the system etc.

Promoting and recommending security online is important, but there do need to be limits as to how far an average customer can be expected to go and security measures expected need to be 'user friendly' for the most part for them to be realistic.

There are a lot of players who are savvy when it comes to technical stuff, but many others who don't have a clue and can only manage to cover the basics. Basics should be enough (including software protection and being aware of phishing). The rest must be down to businesses to keep things safe on their end and to be helpful when accounts are hacked. This is a lot like personal security in RL;

- Education about not putting your personal safety at risk unnecessarily (e.g. walking down dark alleys at night in dodgy neighbourhoods)

- Taking basic security measures (e.g. lock your windows and doors at night or when out)

Otherwise it is like the police telling us to not leave the house as the world can be a dangerous place. I am all for people learning some basic self-defence just in case it is ever needed, but it should not be a requirement for the average person to go out to work each day. That doesn't negate the need for a healthy dose of common sense and avoid walking down dark alleys in dodgy areas late at night etc.

It's all about balance.

Link to comment
Share on other sites

It's not, it's common sense. The longer a password is, with more than just lowercase, the harder it becomes to crack (in normal circumstances. It of course doesn't help when Turbine leave the backdoor open). When I worked for the local council's IT department, we brought the "at least 7 chars long, must contain 3 out of 4 categories: Lowercase, uppercase, numbers, symbols....not allowed to contain any part of full name, must be changed every 28 days, cannot be changed to anything you've had the last 20 passwords"

This was similar to what they changed it to where I used to work, but at that time I had 14 passwords and changing them that often was far too annoying.

Link to comment
Share on other sites

I read most of this thread, and I can't understand how some players are minimizing Turbine's responsibility in this debacle. Here are the extra steps I take to ensure that my account is as secure as possible:

- unique game login (never used elsewhere, not connected to my toons' names)

- unique password (complex and random of course, and not stored anywhere including encrypted key vaults)

- special e-mail address for the game

- no credit card information ever given to Turbine

- unique windows install for the game (no other use for this hard disk, not mounted in any other configuration)

- account management only done through a linux box

and yet some people will just show up here saying "hey, you agreed to use a computer, prepare to be robbed!".

What Turbine does on their side:

- leave the database open for anyone to read

You can't be serious when you say that it is as much my fault as Turbine's fault?

Link to comment
Share on other sites

I read most of this thread, and I can't understand how some players are minimizing Turbine's responsibility in this debacle. Here are the extra steps I take to ensure that my account is as secure as possible:

- unique game login (never used elsewhere, not connected to my toons' names)

- unique password (complex and random of course, and not stored anywhere including encrypted key vaults)

- special e-mail address for the game

- no credit card information ever given to Turbine

- unique windows install for the game (no other use for this hard disk, not mounted in any other configuration)

- account management only done through a linux box

and yet some people will just show up here saying "hey, you agreed to use a computer, prepare to be robbed!".

What Turbine does on their side:

- leave the database open for anyone to read

You can't be serious when you say that it is as much my fault as Turbine's fault?

They are just trolling in the hope that this thread gets locked. Unfortunately for them, this isn't Sapience's domain where he can infract and ban and close threads at will after getting his cronies to troll, make personal attacks about "negative" posters, etc etc.

This is a forum run by people who allow us to speak our minds, and they will not close threads just because something's being discussed that's causing embarrassment to Turbine, or pointing out other flaws they have.

Btw, Hey Faya! :D

Link to comment
Share on other sites

I agree completely. The fact that the official forums are down has brought more Lotro playing people here. Something good out of the mess, eh? Apparently some of them are more in favour of Turbine than the general consensus of this forum - which is rather negative towards T, even if for a valid reason IMO.

But let us be the good guys and just add these irritating people to our ignore list rather than bring the drama and badmouthing here, where there has been amazingly little of it. So a kid with AOL language tries to start a fight, big deal. It's probably Sapience since he's all boo-hoo for not being able to ban people.

So, anyone who thinks that Turbine is not deliberately out to screw their customers is someone who should be ignored, is that it? Nice. Are the mods here going to do anything about this poster's personal attacks? No, I didn't think so. What a joke.

Link to comment
Share on other sites

I think everyone here is quite free to express either pro or anti Turbine sentiments. The issue though is not pro or anti Turbine and to try and say that is wrong.

The issue is did Turbine do enough security wise in the first place and are they doing enough now to meet their legal and moral obligations to their customer base in keeping them informed when a major security breach may have occurred?

  • Upvote 1
Link to comment
Share on other sites

Wow. What a thread. lotrocommunity must be dead pleased. Congrats on achieving your highest ever membership sign up since you all spat the dummy about moving to Turbine and set the forum up.

I guess the problem most posters have is the way that Turbine have dealt with their security hole. I find it distasteful that the mods have allowed posts to stray from the topic, but I realise they do not wish to find themselves in a situation where someone is a kettle and the other is a pot, both being black.

Speculation is as speculation does. It merely speculates. There are now 27+ pages of posts. If anyone would care to look objectively at them, you'll notice there are quite a few "...and to continue..." posts. In other words, posts made purely to continue this discussion, adding nothing to the debate. If you further consider this thread, you'll also notice that there is nothing else to debate. Almost all points of view have been put across and defended and attacked. Posts are now degenerating into "...I can't believe...", "...what you say is clearly nonsense...", "...if I were them...", "...who are you to judge us...", "...this security is better than that..." type posts.

This indicates that there is very little else to say, and will be little else, until there is an update from Turbine.

Clearly there is need for another outlet for LOTRO forum goers, and this site provides it. However, there is little that this thread brings to the essential point, that being we're all really pissed off with Turbine. It reads like a column in a Points of View magazine.

I've read these forums since they opened, and chuckled at the occasional anti-Turbine sentiment mainly because I agree with it, but this has to be the worst ever thread for expressing dislike of the way that things have been handled.

Link to comment
Share on other sites

Wow. What a thread. lotrocommunity must be dead pleased. Congrats on achieving your highest ever membership sign up since you all spat the dummy about moving to Turbine and set the forum up.

I guess the problem most posters have is the way that Turbine have dealt with their security hole. I find it distasteful that the mods have allowed posts to stray from the topic, but I realise they do not wish to find themselves in a situation where someone is a kettle and the other is a pot, both being black.

Speculation is as speculation does. It merely speculates. There are now 27+ pages of posts. If anyone would care to look objectively at them, you'll notice there are quite a few "...and to continue..." posts. In other words, posts made purely to continue this discussion, adding nothing to the debate. If you further consider this thread, you'll also notice that there is nothing else to debate. Almost all points of view have been put across and defended and attacked. Posts are now degenerating into "...I can't believe...", "...what you say is clearly nonsense...", "...if I were them...", "...who are you to judge us...", "...this security is better than that..." type posts.

This indicates that there is very little else to say, and will be little else, until there is an update from Turbine.

Clearly there is need for another outlet for LOTRO forum goers, and this site provides it. However, there is little that this thread brings to the essential point, that being we're all really pissed off with Turbine. It reads like a column in a Points of View magazine.

I've read these forums since they opened, and chuckled at the occasional anti-Turbine sentiment mainly because I agree with it, but this has to be the worst ever thread for expressing dislike of the way that things have been handled.

I hope you are not suggesting that the forum or the thread should be closed because people are repeating things that have already been said.

I do think we should make more use of the voting system (yes there is one, the little + button at the bottom of the post). Maybe the forum's admins can make it more prominent and use it more.

Link to comment
Share on other sites

So, anyone who thinks that Turbine is not deliberately out to screw their customers is someone who should be ignored, is that it? Nice. Are the mods here going to do anything about this poster's personal attacks? No, I didn't think so. What a joke.

That is because they don't have a Sapience here. Thank God.

Turbine s^%ks

JRR Rocks

Link to comment
Share on other sites

I think everyone here is quite free to express either pro or anti Turbine sentiments.

Modbreak: This is exactly the case. This forum is for all lotro fans irrespective of their personal feelings towards Turbine.

Please express your opinions and sentiments without making any personal attacks and keep it civil.

There is a report tool for use on posts that require moderation. Please use this instead of responding directly in thread. Thank you.

Link to comment
Share on other sites

I think everyone here is quite free to express either pro or anti Turbine sentiments. The issue though is not pro or anti Turbine and to try and say that is wrong.

The issue is did Turbine do enough security wise in the first place and are they doing enough now to meet their legal and moral obligations to their customer base in keeping them informed when a major security breach may have occurred?

Well, until we DO know the extent of the breach, we won't know that. But since the calls for "heads rolling" started about five SECONDS after the POTENTIAL of a problem was discovered, I don't think some people here are actually interested in finding out the truth, only in being inflammatory and confrontational.

I would definitely think that Turbine needs to come forward with SOMETHING early this week. And while I do not think it would be a good idea to get into specifics (giving details of how your security works is almost as bad as having no security at all), an outline of new security measures might be in order also. And, if this open door was a deliberate maneuver on the part of someone at Turbine, a prosecution would also be good.

Link to comment
Share on other sites

So, anyone who thinks that Turbine is not deliberately out to screw their customers is someone who should be ignored, is that it? Nice. Are the mods here going to do anything about this poster's personal attacks? No, I didn't think so. What a joke.

Would you rather that people who are offended by your comments dish out trash on the forum... or that they ignore you, thus saving all of us from useless bickering? Yes, I suggest everyone ignore people on forums (if not elsewhere), when they aggravate you. You can ignore me or you can try to see my point, the choice is yours. Turbine denies us the right to choose to think differently and express how we see things.

I did think about what you said there. I don't think Turbine are treating us, the customers, right. I don't think they're deliberately making us angry or trying to sell our account information to third parties. I think Turbine has made a good game, not perfect but a good one. I think they could have done a lot better, though.

Link to comment
Share on other sites

As an additional precaution we recommend that all players change their passwords by visiting http://myaccount.turbine.com. Please remember to use unique, hard-to-guess passwords that are not associated with other online services or sites, and always look for and report unusual activity in your account to Turbine customer support.

We are still in the middle of phase 2 (referencing my post at the bottom of page 14). I do not speak for Turbine (not affiliated in any way) but what they are saying is "we have determined that changing your password will not put you at further risk."

Now that they know that they have the hole filled up, and they know that passwords are safe to change, they are asking for reports from clients to determine if and how much data was leaked. They did not want to tell people to change their password until they knew that it was safe to do so.

At this point they know that the system is secure. They know the hole is filled, and they have made certain that there are no hidden artifacts in the system that might do harm without them knowing. It was wise of them not to tell people to change their passwords until they knew for certain it was safe to do so.

We still have a long way to go before phase 2 is over. I would expect that they will give themselves at least a week to receive reports from players before they can report on the fallout. (At this point they can fix it while they receive reports)

Link to comment
Share on other sites

At this point they know that the system is secure. They know the hole is filled, and they have made certain that there are no hidden artifacts in the system that might do harm without them knowing. It was wise of them not to tell people to change their passwords until they knew for certain it was safe to do so.

This assumes a certain amount of corporate responsibility that heretofore Turbine has not demonstrated. IMHO, the only reason they changed their statement from "We've discovered" to "We've been informed" is because the lawyers explained to them that it's a lot easier to argue the merits of a case if you aren't also having to defend against charges of perjury.

Well, that and the fact that if they "discovered" it today, they had the ability to have "discovered" it a long time ago and didn't.

Link to comment
Share on other sites

Because in general, I'd bet that the vast majority of hacks are due to compromised clients or lousy passwords, not a compromised server.

How do you know that? Care to point out a single trojan out in the wild that sits on the LOTRO launcher?

(yes, I can easily point out many that sit on web browsers)

Of course the server issues should be fixed, but that's no reason not to require better passwords from customers too.

How would better passwords help against "compromised clients"?

Link to comment
Share on other sites

Well, until we DO know the extent of the breach, we won't know that. But since the calls for "heads rolling" started about five SECONDS after the POTENTIAL of a problem was discovered, I don't think some people here are actually interested in finding out the truth, only in being inflammatory and confrontational.

your timeline for when the calls for "heads to roll" happened is naively wrong.

this thread started AFTER the forums went down.

the forums went down AFTER a white hat posted publicly about the breach.

which happened days after the white hat informed turbine.

so it was closer to FIVE DAYS not 5 seconds.

Link to comment
Share on other sites

The "extent" will not be known.

It is pretty much impossible to enable so much logging on a SQL database that every single access to a certain field is individually logged, for a heavily hammered game login database, and one that is supposed to be firewalled off anyway and where no information worth stealing by employee is located.

Just do the math. 80 characters line every time any player accesses the account, be it in game or forum login (and don't forget the silly forum re-auth). The logins/min are in charts posted here. I know Kafahr says of course his company has done it, but with no details as to what kind of database and in any case Kafahr always has everything ready just to draw out a reply some more. I don't believe a single word of it.

Turbine will not know whether large amounts of passwords were stolen or not.

Link to comment
Share on other sites

If they cannot be certain that passwords etc were not taken then they should be cautious and assume they were taken and contact people accordingly. It's the lack of information and contact from Turbine that is ticking people off more and more as time goes by.

Link to comment
Share on other sites

The "extent" will not be known.

It is pretty much impossible to enable so much logging on a SQL database that every single access to a certain field is individually logged, for a heavily hammered game login database, and one that is supposed to be firewalled off anyway and where no information worth stealing by employee is located.

Just do the math. 80 characters line every time any player accesses the account, be it in game or forum login (and don't forget the silly forum re-auth). The logins/min are in charts posted here. I know Kafahr says of course his company has done it, but with no details as to what kind of database and in any case Kafahr always has everything ready just to draw out a reply some more. I don't believe a single word of it.

Turbine will not know whether large amounts of passwords were stolen or not.

Ever since I heard about this breach, I decided to personally assume my information was stolen, and reacted accordingly. I won't cancel because I'm a Lifer, but my password was changed, as was my wife's, and when Trion took down their vBulletin 4 forum for Rift last week, I changed my password there too.

Sometimes a little paranoia is good for you.

Link to comment
Share on other sites

We are still in the middle of phase 2 (referencing my post at the bottom of page 14). I do not speak for Turbine (not affiliated in any way) but what they are saying is "we have determined that changing your password will not put you at further risk."

If that's the case I'll revise my opinion... instead of being stupid with handling the communication of this event, they're just plain incompetent with handling security issues at all. Emergency fixes for this kind of thing aren't easy, but they're not rocket science either... yes it will likely take a day or so to figure out what's happened, but 4 full days is just too long before coming with any kind of warning like that while the game servers remain open and ready for abuse.

Link to comment
Share on other sites

At the very least the security hole has been open since June 1st; at most it's been open ever since they made it where forums account = Player account. This happened despite many warnings from the players.

What do we know?

Games companies DO NOT tell their users when there is a hole in their security UNTIL a hacker uploads evidence of one. Just look at the cases of Sony, Trion and Turbine. Not one of those companies informed their users till AFTER a white hat uploaded proof of a database dump/capture.

This means that Turbine:

a) They are not aware of the security hole or when hackers gain access to our private information. They don't even know when hackers do a database dump or screen grab until a white hat publishes proof.

b) They know when hackers steal our private information but they don't care and they choose not to tell us until they are FORCED to by a white hat hacker.

Either way both Turbine and Sapience have been lying to the players ever since they updated the forums to be part of our accounts. They owe every single player who's been hacked since June 1st or since they updated the forums an apology and reimbursement of everything they lost including the loss of their private information.

Sapience has made it clear several times over the last year that our accounts are safe. That there was no risk having our forum accounts linked to game accounts. He should be fired for blatantly lying to the community.

  • Upvote 1
Link to comment
Share on other sites
