LOTROCommunity

Official forums down


Rosiebelle

If I am not mistaken, freundlich said he could get root access anytime he wanted to. If he was serious, it was not read-only.

To the database or as in a login shell?

--

The United States in general are working on laws to protect people's data.

Massachusetts, the state where Turbine is, is one step further:

http://en.wikipedia.org/wiki/201_cmr

Identity theft and fraud are the major concerns at the core of the implementation of the 201 CMR 17.00. For example, if a Massachusetts resident's information is leaked or captured, there could be serious consequences for the business that allowed the breach and for the individual whose information was leaked. Therefore, making changes to keep residents' information secure will be required to avoid security breaches and fines.

My reading is that if you have been breached and leaked passwords you had better tell your customers proactively.


The exact wording was:

ich könnte vollen root zugriff auf den server haben wenn ich wollte! [I could have full root access to the server if I wanted to!]

ich mach das aber nicht, weil ich kein übler mensch bin,mehr daten hab ich auch nicht gespeichert. [But I don't do that, because I am not a bad person; I haven't stored any more data either.]

I will try to translate it to English (sorry if there are mistakes, because English was the 3rd language I learned ;) )

-----

ich könnte vollen root zugriff auf den server haben wenn ich wollte!

I could get full access to the server if I want to do so!

ich mach das aber nicht, weil ich kein übler mensch bin,mehr daten hab ich auch nicht gespeichert.

But I will not do so, because I am not a bad man. I also have not saved any data.

-----

Best regards


Sounds like an emergency then.

Let's hope it isn't a Sony-sized emergency.

Doubtful - Despite the fact that the game and the community site uses the same login, account information should be kept on a different database. Even if someone was able to grab the entire forum DB, the most they'd be able to get is your account name, and a hashed password. Which, if people put any thought into it at all, there's basically no chance they can get anything useful out of it.

Simple fact of the matter is - someone found a way to get somewhere where they're not supposed to be, and that's certainly enough of a reason to shut things down until they can figure out how they did it, and take corrective action.

It's the downside of using a popular commercial forum as opposed to a proprietary one. It allows more people to know how everything is set up, and find exploits in the comfort of their own home. Regardless, no reason to panic yet - if it were their account database on the other hand, then maybe it's worth batting an eye at.


If they could only use it for the forum to login, there wouldn't be a problem, but those are shared with the myaccount login info, which gives a lot more valuable information for the hackers.

And the passwords are hashed, but if I understand correctly with an older type of hash, so it's relatively easy to brute-force.


He claimed to have had access to much more than just the login data. Based on the screen shots posted over at tweakers.net, I tend to believe him.

http://tweakers.net/nieuws/77371/databaseserver-lotro-was-toegankelijk-voor-anonieme-gebruikers.html

EDIT: What I mean is that while I'm not familiar with that particular interface (I'm used to phpMyAdmin), it looks to me like he had access to more than one database. One for forums and one for accounts.


valandir has misused his rights as an admin and he gives internal data such as IPs to his friends to arrest "freundlich" without judicial arrangement.

this is not allowed.

Turbine is having "freundlich" arrested? That would be absolutely unbelievable.


Can a German speaker please summarize the issue between Valandir and Cutholen? I am reading Google translations of the German part of the forum, but I don't understand half of it.

To be honest I haven't read the last posts in detail because the German thread has become a personal dispute between some users.

But if I am right "freundlich" had posted personal data of "Cutholen" out of the hacked material he achieved from the Turbine-forum.

Then "Cutholen" announced that he would contact a lawyer because of this.

After this "Valandir" seems to have given "Cutholen" the IP of "freundlich", so he has some substantial data for the lawyer.

And now there is the discussion if this transfer of the IP is an abuse as admin or not.

To bring more confusion some older parts of the thread have been deleted / modified.

The best would be that everybody cools down - it's just a game and not a murder case.


no

cutholen and valandir, because "freundlich" posted cutholen's email here.

Oh, thank you.

Cutholen was one of the three users whose limited data was posted publicly to prove that Freundlich actually had access to the database, is that correct?


valandir has misused his rights as an admin and he gives internal data such as IPs to his friend (cutholen) to arrest "freundlich" without judicial arrangement.

this is not allowed and valandir can be punished

This is wrong. Cutholen was asking for details that "freundlich" posted in the removed posts. We don't know what Valandir sent him.


Could we please move the conversation back to the security breach? Preferably before these rumours of Valandir supplying IPs and whatnot to third parties start leading a life of their own. I'll look into those, but I'd rather not have fingers pointing and pitchforks being sharpened based on a misinterpretation.


Could we please move the conversation back to the security breach? Preferably before these rumours of Valandir supplying IPs and whatnot to third parties start leading a life of their own. I'll look into those, but I'd rather not have fingers pointing and pitchforks being sharpened based on a misinterpretation.

Roger. Curiosity got the better of me.


I expect they'll make an announcement once they have the hole(s) plugged, and not before.

If they have evidence of a wide-scale breach (and not just a "white hat" breach), they should of course notify customers of what data was stolen so we can make appropriate changes... including saying "the hell with it" and going off to play another game, in some cases. This would be a first for them in 12 years of online gaming, but once is all it takes. After watching Sony get a 2nd breach this week after their truly massive one last summer, there's simply no way in hell I'm going to trust them to protect my data.

If Turbine didn't see anyone dumping their account databases, I expect they'll just apologize and try to reassure people that they've put in all measures to keep that from ever happening again (without giving out details).

Passwords are hashed, hopefully salted, so that's not the biggest worry here. CC data is likely encrypted too (other than the last 4 digits, which are often stored in the clear in a separate field). But I don't want my other data "out there" either, and if I start getting a huge flood of e-mails from gold-sellers and the like... I'm going to be pissed.

There is one potential good thing that could come from this, and that's if Turbine finally decides to offer some more security options (e.g. smartphone authentication app) to customers. They're likely to be looking for ways to soothe angry customers, and that sort of announcement would help...

Khafar


I expect they'll make an announcement once they have the hole(s) plugged, and not before.

If they have evidence of a wide-scale breach (and not just a "white hat" breach), they should of course notify customers of what data was stolen so we can make appropriate changes... including saying "the hell with it" and going off to play another game, in some cases. This would be a first for them in 12 years of online gaming, but once is all it takes. After watching Sony get a 2nd breach this week after their truly massive one last summer, there's simply no way in hell I'm going to trust them to protect my data.

If Turbine didn't see anyone dumping their account databases, I expect they'll just apologize and try to reassure people that they've put in all measures to keep that from ever happening again (without giving out details).

Passwords are hashed, hopefully salted, so that's not the biggest worry here. CC data is likely encrypted too (other than the last 4 digits, which are often stored in the clear in a separate field). But I don't want my other data "out there" either, and if I start getting a huge flood of e-mails from gold-sellers and the like... I'm going to be pissed.

There is one potential good thing that could come from this, and that's if Turbine finally decides to offer some more security options (e.g. smartphone authentication app) to customers. They're likely to be looking for ways to soothe angry customers, and that sort of announcement would help...

Khafar

One can only hope it's leading them to see sense, but at the same time, I think it's prudent to not hold one's breath about this.


I phoned up the Office of Fair Trading today, who referred me to Consumer Direct. So after having an agreeable chat with someone who actually could contemplate words over two syllables, I was told the most prudent course of action was to register a complaint about Turbine via the Better Business Bureau in the US.

There may be a legal precedent to declare security breaches of this nature.

Even if there has not been one, Turbine are foolish for not just being up front and placating their customers.

As usual I blogged about the matter in general: http://www.containsmoderateperil.com/turbine-consumer-rights-part-three/

I quoted a tweet from Mr Heaton. I think it may be more applicable to Turbine's entire approach to customer service ;)


It's quite simple, if they have found that there's a leak that is due to gross misconfiguration (as Freundlich seems to suggest) they know they're liable to legal proceedings. So they will be passing everything through their legal department before saying anything. Since they won't want the forums to come up before they've got answers ready, they'll just stay down until the PR and legal department figured out an appropriate response. Since I think we all know how fast those work in corporate environments (and I'm betting it's the Warner legal department on it as well), I don't expect the forums to be up anytime soon. I'm convinced the engineers will have plugged the hole by now and are just biding their time with reading logs for damage assessment and checking for other mistakes (or looking around for new jobs..). Going after them for answers now won't really do much good... you'll either get no answers or restrict whatever wiggling room they have to say anything about it even further.

Wait for them to give a response or reopen the forums and then you can sue them to the highest court you can find for my part...

