LOTROCommunity

Official forums down


Rosiebelle

To be fair: the updated statement is a good start.

to be fair the updated statement SHOULD have been what was put up at the onset.

there was NO maintenance.

they pulled it down for the very reason that is now listed.

waiting ~24 hours to do so screams coverup.

there should have been an official statement by now.

there is none which is also screaming coverup.


Maybe they'll start taking the community's warnings about their security issues seriously from now on..................

.....................and then I awoke from my dream.

thanks...i needed to clean my monitor anyways


Here's a question about that, though. Since Turbine hasn't resolved the matter, how can we be certain that it's safe to change your passwords?

You cannot retrieve the encrypted passwords right now.

Even if you could, attackers will use whatever password they got at one particular point in time. Enough will work, they won't come back to do battle with people who constantly change. Why would they?


You cannot retrieve the encrypted passwords right now.

Even if you could, attackers will use whatever password they got at one particular point in time. Enough will work, they won't come back to do battle with people who constantly change. Why would they?

so in other words it's ok/safe to change passwords.


TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less information WE get, the less information gets through to those who may do harm.

And last but not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately, calling them incompetent, and what not.

*scolds all*

Turbine did this:

1) although they were originally smart enough to use separate passwords for game and web they decided to just change their opinion. Apart from all problems below that makes their players instantly vulnerable to keyloggers.

1b) they offer no additional account security whatsoever, although e.g. Blizzard does it with WoW.

2) they upgraded vBulletin to 4.x which has a secure password system. They decided not to use vBulletin's and rolled their own.

3) although their own password system might have been as secure as vBulletin's at some point, it looks like they simply opened it up to make their work easier when transitioning the European users.

4) they do it in a way that it is visible from the outside, so that a *friendly* user could figure it out.

5) the friendly user sends them this information and they sit on it for days.

6) then they don't communicate clearly with the users. It is confirmed information that passwords did leak. People need to be warned about this because the majority of users use passwords that are either identical between sites or follow an easy to follow scheme of variance.


You cannot retrieve the encrypted passwords right now.

Even if you could, attackers will use whatever password they got at one particular point in time. Enough will work, they won't come back to do battle with people who constantly change. Why would they?

What I mean is that I'm not ruling out the possibility of port sniffing.


Furthermore, I would question why the original poster who expressed these security issues directly to Turbine did not trigger any immediate investigation.

I think it's quite obvious why they didn't. Just look at what is going on in the forums every day. As soon as two people complain about hacked accounts, the community believes that there is a huuuuge security leak that requires an investigation. Of course Turbine does not switch into panic mode for everyone who claims to have evidence of a security leak. And we don't know anyway what happened at Turbine when freundlich sent his report to Turbine. We don't know if Turbine did or did not investigate the case immediately and closed the forums after the technicians have(?) confirmed the issues (which might have taken some time).

But there's no doubt that Turbine doesn't handle the situation very well. Cutting all "information channels" is a very, very bad way to deal with the situation, even though it is difficult to communicate a security leak. Turbine should at least give some information about what the players should and can do in this situation. Should they change their account information or should they not? And what about those who are not as technophilic(?) as we are? They need clarification and some information that might help them to deal with the situation.


All we can do is keep putting pressure on them until they come clean - e-mail everyone you can think of at Warner Brothers Interactive Entertainment, every tech journalist/games website you can think of, anyone who might be able to make life uncomfortable for Turbine.


Turbine's databases allowed ANONYMOUS access - read-only, but still.... WTF?

If I am not mistaken, freundlich said he could get root access anytime he wanted to. If he was serious, it was not read-only.

Question is, was he right.

Rarehero, I am not a db admin myself, but I work with them every day.

The kind of information freundlich was able to provide in his white hat report should immediately put any half-decent admin on full alert to at least check the allegations, especially since the check would be a minute-job.

No-one bothered for 3 days, this is beyond sloppy.


I contacted all my kin via the in game kin mail last night - I hope they got it and it wasn't nobbled by a GM but I bet there are plenty of players out there who don't check forums etc who will have no idea at all that anything might be wrong.


They are in loo loo la la land if they think that just pretending this has not happened will make it all go away. Do they have laws in the US concerning personal data and its storage and usage? In the UK under the Data Protection Act if an organisation compromises an individual's data they are legally obliged to tell them it has happened.


Turbine doesn't abide by laws until they have no other option and are legally threatened.

If you're a UK citizen, Turbine provides the service to you under UK laws so you can demand this information.

I think they responded last time someone sent them actual law directives.

If you're a UK customer and would like to reach for an expert opinion, contact Consumer Direct like Hajile did ().

I'd like to know what the actual legal status of this situation would be, at least for UK.


Warner Bros customer services contact page can be found here

http://www.warnerbros.com/main/help/customer_service.html

I have sent a message under the subject "legal". I suggest as many of us as possible contact them - not just from a legal perspective but just to try and squeeze some info/action out of them. Forums have been down about 48 hours, possibly affected since Sunday. This is nothing short of crackers.

