  1. #1

    IMPORTANT: Lotro.com and the Heartbleed OpenSSL security flaw

    As some of you may have heard, a rather large security flaw has been found in OpenSSL, a common protocol used to secure traffic over https:// websites. This security flaw is serious, and can be abused by just about anyone that knows a thing or two about hacking. The big recommendation of course is for everyone to change their password..... BUT, not so fast! Before you go and change your password, it has 0 effect until the website in question updates its OpenSSL version, and issues a new security certificate.

    If you didn't read about it yet, here are a few news articles from recent press:

    http://techcrunch.com/2014/04/07/mas...-the-internet/
    http://www.slate.com/blogs/future_te...eel_mehta.html


    There are several tools to check for the security flaw, known as "Heartbleed" and this is one of them: https://lastpass.com/heartbleed/

    Simply put in your website, and it will tell you if the site is ready, secure, and you can change your password.

    These are the results for Lotro's websites:

    Site: lotro.com
    Server software: nginx/1.1.19
    Vulnerable: Very likely (known use OpenSSL)
    SSL Certificate: Unsafe (created 2 years ago at 2012-04-07 00:00:00)
    Assessment: Wait for the site to update before changing your password


    Site: turbine.com
    Server software: Apache
    Vulnerable: Very likely (known use OpenSSL)
    SSL Certificate: Unsafe (created 2 years ago at 2012-04-07 00:00:00)
    Assessment: Wait for the site to update before changing your password


    The problem of course is, that the passwords used to communicate over OpenSSL, are the very same passwords used to log on to the game. So at this very moment your accounts are actually at a potential risk of being hacked, as this bug allows the password of your account to be captured. What's worse, apparently this bug leaves no logs or trace, so there is no real evidence to be found if password information was already stolen; sysadmins are advised they simply have to assume it already has happened.

    Sapience: Is Turbine taking this seriously, and how soon can we expect lotro.com and underlying billing systems to be patched, so our information and game accounts are no longer at risk? Ergo, when is it safe to change our passwords?
    Moved from Riddermark to Arkenstone on 9/29/2015!
    -----
    Disclaimer: The definition of "Soon™" is based solely on Turbine's interpretation of the word, and all similarities with dictionary definitions of the word "Soon™" are purely coincidental and should not be interpreted as a time frame that will come to pass within a reasonable amount of time.

  2. #2
    Join Date
    Jun 2010
    Posts
    7,583
    I'd like to point out before everyone rushes out to change this and other passwords that unless you can verify the site has been fixed, all you're doing is wasting your time by changing the password, because there's nothing to stop it from being captured by this vulnerability until it is resolved.
    Crell-L85-Champion - Riddermark ; Swego-L85-Burglar ; Kotvi-L95-Runekeeper
    Delego-L85 Hunter ; Stodden-L51-Captain ; Edhul-L61-Loremaster
    Deglorion - SoA XP Disabler

  3. #3
    Join Date
    Apr 2007
    Location
    Gallifrey. I need a Jelly Baby.
    Posts
    18,073
    It's a good thing I bought lifetime 6 years ago. The bank account I used no longer exists and I have moved to a different address since then. Heck, I've probably changed phone numbers at least twice since then. Granted, my real name is probably there, but that's about it. Word would get out that my name is Samwise Gamgee.
    Life is not a journey to the grave with the intention of arriving safely in a well preserved body, but rather to skid in broadside, totally worn out & proclaiming "WOW, what a ride!"
    Continuing the never ending battle to keep Lobelia Sackville-Baggins in check

  4. #4
    Join Date
    Apr 2007
    Location
    Brooklyn
    Posts
    3,712
    Quote Originally Posted by Nymphonic View Post
    It's a good thing I bought lifetime 6 years ago. The bank account I used no longer exists and I have moved to a different address since then. Heck, I've probably changed phone numbers at least twice since then. Granted, my real name is probably there, but that's about it. Word would get out that my name is Samwise Gamgee.
    I guess that'll be a silver lining when you log in to find all your characters stripped of their gear and/or deleted.
    Work like no one is watching, dance like you don't need the money...

  5. #5
    Join Date
    Apr 2007
    Location
    Gallifrey. I need a Jelly Baby.
    Posts
    18,073
    Quote Originally Posted by Frisco View Post
    I guess that'll be a silver lining when you log in to find all your characters stripped of their gear and/or deleted.

    I've been here for 7 years and it's just a game. I've had my fun. If it does happen, it will be from something beyond my control. After having that small stroke, I really don't worry about what happens to a game.
    Life is not a journey to the grave with the intention of arriving safely in a well preserved body, but rather to skid in broadside, totally worn out & proclaiming "WOW, what a ride!"
    Continuing the never ending battle to keep Lobelia Sackville-Baggins in check

  6. #6
    Quote Originally Posted by Nymphonic View Post
    It's a good thing I bought lifetime 6 years ago. The bank account I used no longer exists and I have moved to a different address since then. Heck, I've probably changed phone numbers at least twice since then. Granted, my real name is probably there, but that's about it. Word would get out that my name is Samwise Gamgee.
    That does not mean however, you are safe. A potential hacker that knows lotro can still log into accounts and wreak havoc by deleting characters, items, etc.... not sure why anyone would do that, but it is possible. Biggest problem here is this bug allows usernames and passwords to be captured, without any logs left behind a sysadmin can use to find out who did it. Only thing they may have is the last IP address used for logging in, if they log that, and if it is very different than normal there may be something going on.

    This is actually a very VERY serious security issue, and affects more than half a million websites.
    Moved from Riddermark to Arkenstone on 9/29/2015!
    -----
    Disclaimer: The definition of "Soon™" is based solely on Turbine's interpretation of the word, and all similarities with dictionary definitions of the word "Soon™" are purely coincidental and should not be interpreted as a time frame that will come to pass within a reasonable amount of time.

  7. #7
    Join Date
    Apr 2007
    Location
    Gallifrey. I need a Jelly Baby.
    Posts
    18,073
    Quote Originally Posted by maartena View Post
    That does not mean however, you are safe. A potential hacker that knows lotro can still log into accounts and wreak havoc by deleting characters, items, etc.... not sure why anyone would do that, but it is possible. Biggest problem here is this bug allows usernames and passwords to be captured, without any logs left behind a sysadmin can use to find out who did it. Only thing they may have is the last IP address used for logging in, if they log that, and if it is very different than normal there may be something going on.

    This is actually a very VERY serious security issue, and affects more than half a million websites.

    And I'm not saying otherwise. I'm just not going to stress out over something I cannot control. All they can do is wreck my account and I've had 7 years of fun. It's just a game. If turbine had my bank account info I'd be concerned, but they do not. They don't even have my address or phone number.

    No one has my bank info, I do everything by cards I buy at the store. Amazon is a good example.
    Life is not a journey to the grave with the intention of arriving safely in a well preserved body, but rather to skid in broadside, totally worn out & proclaiming "WOW, what a ride!"
    Continuing the never ending battle to keep Lobelia Sackville-Baggins in check

  8. #8
    Quote Originally Posted by maartena View Post
    This is actually a very VERY serious security issue, and affects more than half a million websites.
    The defect was introduced 2? years ago. Probably known and used by organizations like the NSA for a very long time. It is anybody's guess how many people knew about it.

    Usually when this kind of exploit gets explained on the public internet it is because the problem has been identified for some time. There is little to no progress being made to fix the vulnerability. The number of people exploiting the vulnerability is steadily increasing. The upsurge in attacks caused by publicity is deemed worth it to force the deployment of the fix.
    Unless stated otherwise, all content in this post is My Personal Opinion.

  9. #9
    Join Date
    Jan 2007
    Location
    Decatur, AL
    Posts
    5,442
    If you give away gold bars, someone will complain they're too heavy.
    .: Dannach, 100 WDN :.: Daire, 83 LMR :.: Gyrefalcon, 92 CHN :.: Brandon, 72 CPT :.: Honey, 71 GRD :.: Griffon, 69 HNT :.: Kaelenea, 72 RNK :.
    .: Iryth, 56 WDN :.: Baye, 56 WDN :.: Samtal, 64 WDN :.:Dunnock, 56 WDN :.: Sedgewald, 68 LMR :.: Breyon, 41 CHN :.: Tieran, 40 HNT :.

    I am the master of my fate. I am the captain of my soul.
    Might as well face it, I'm addicted to WDN

  10. #10
    Join Date
    Sep 2013
    Location
    Land of the Midnight Sun
    Posts
    131

    That one can't work...

    Quote Originally Posted by Brandon_Blackbird View Post
    But I checked lots of sites and they're all "safe" so we can't be sure?
    Please read the post overhead and understand it fully before responding with overwhelming negativity to opinions you have no personal interest in, but still want to complain about. Don't troll the feeders. Great, you acknowledge the need to apologize, but I don't see an actual apology anywhere. Are you a politician by any chance? - xandervix_tog.

  11. #11
    What website are you using to test?

    Seems that not all websites test the same way.

    Nevertheless, I think a statement from Turbine on the issue might be appropriate.
    Moved from Riddermark to Arkenstone on 9/29/2015!
    -----
    Disclaimer: The definition of "Soon™" is based solely on Turbine's interpretation of the word, and all similarities with dictionary definitions of the word "Soon™" are purely coincidental and should not be interpreted as a time frame that will come to pass within a reasonable amount of time.

  12. #12
    Join Date
    Jan 2007
    Location
    Decatur, AL
    Posts
    5,442
    I'm using http://filippo.io/Heartbleed/ . It performs the test by performing the actual attack.
    If you give away gold bars, someone will complain they're too heavy.
    .: Dannach, 100 WDN :.: Daire, 83 LMR :.: Gyrefalcon, 92 CHN :.: Brandon, 72 CPT :.: Honey, 71 GRD :.: Griffon, 69 HNT :.: Kaelenea, 72 RNK :.
    .: Iryth, 56 WDN :.: Baye, 56 WDN :.: Samtal, 64 WDN :.:Dunnock, 56 WDN :.: Sedgewald, 68 LMR :.: Breyon, 41 CHN :.: Tieran, 40 HNT :.

    I am the master of my fate. I am the captain of my soul.
    Might as well face it, I'm addicted to WDN

  13. #13
    Join Date
    Apr 2008
    Location
    The Highlands of Scotland
    Posts
    5,414
    Quote Originally Posted by maartena View Post
    There are several tools to check for the security flaw, known as "Heartbleed" and this is one of them: https://lastpass.com/heartbleed/

    Simply put in your website, and it will tell you if the site is ready, secure, and you can change your password.
    Having tried this checker on some of my company's servers, it appears to give false positives.

    Quote Originally Posted by Brandon_Blackbird View Post
    I'm using http://filippo.io/Heartbleed/ . It performs the test by performing the actual attack.
    This checker appears to be more accurate.
    TANSTAAFL

  14. #14
    Quote Originally Posted by Nymphonic View Post
    And I'm not saying otherwise. I'm just not going to stress out over something I cannot control. All they can do is wreck my account and I've had 7 years of fun. It's just a game. If turbine had my bank account info I'd be concerned, but they do not. They don't even have my address or phone number.

    No one has my bank info, I do everything by cards I buy at the store. Amazon is a good example.
    That's great and all, to be one of the rare lifers who also has no risk of having their bank account hacked, AND doesn't care what happens to their years of progress in the game. But for the other 99.99% of us, it's a pretty big deal.

    Goreamir - 100 Cap | Jinwe - 88 Hnt | Celebourne - 90 Champ | Humblefoot - 75 Min | Dorfus - 74 Grd | Creonath - 55 Wdn | Stormcraban - 35 LM | Whippit - 35 Brg | Thangadir - 33 RK | Bucksexton - 24 Bng

  15. #15
    Join Date
    Aug 2008
    Location
    Vancouver, BC Canada
    Posts
    3,090
    Until we have final word from Turbine on this, it would be unwise to assume that the sites are vulnerable, or that they are not. We just don't know. The sites that supposedly test for this vulnerability give different and conflicting results. The only authority I will trust on this matter is Turbine.

  16. #16
    Join Date
    Apr 2008
    Location
    The Highlands of Scotland
    Posts
    5,414
    Quote Originally Posted by frickinmuck View Post
    Until we have final word from Turbine on this, it would be unwise to assume that the sites are vulnerable, or that they are not. We just don't know. The sites that supposedly test for this vulnerability give different and conflicting results. The only authority I will trust on this matter is Turbine.
    Wise words.
    TANSTAAFL

  17. #17
    Join Date
    Jan 2008
    Location
    East coast, USA
    Posts
    1,909
    This is one of the many reasons I preferred having the forum account be different from the game account. I know I'm going back years and years on this topic, but with the forums having been revised recently, maybe it is worth discussing again.

  18. #18
    Quote Originally Posted by Thornglen View Post
    This is one of the many reasons I preferred having the forum account be different from the game account. I know I'm going back years and years on this topic, but with the forums having been revised recently, maybe it is worth discussing again.
    And considering that it seems that lotteries, the last remnant of the old forums left that required your account info, are dead in the water, that might not be a bad idea.
    Note: My posts are my OPINION, and are NOT intended to "troll", "provoke", "bait" or "harass".
    If my posts are taken as such, then I humbly apologize in advance.


  19. #19
    Join Date
    Jun 2011
    Location
    Italy
    Posts
    43
    Since the bug-fixed OpenSSL version 1.0.1g is just a minor (in terms of quantity of changes) update compared to the Heartbleed bugged versions 1.0.1 through 1.0.1f, it shouldn't be much of a hassle to quickly update the OpenSSL package on the servers.

    In fact the Heartbleed test seems to indicate that the LOTRO servers have been already fixed.

    Therefore I don't understand why Turbine is not speaking up about this matter.
    Difious - member of the Dark Sith Lords's community.

  20. #20
    Join Date
    Jun 2011
    Location
    Finland, having a costume party with Jon Sandheaver
    Posts
    746
    Quote Originally Posted by frickinmuck View Post
    Until we have final word from Turbine on this, it would be unwise to assume that the sites are vulnerable, or that they are not. We just don't know. The sites that supposedly test for this vulnerability give different and conflicting results. The only authority I will trust on this matter is Turbine.
    Exactly. I just checked my secondary MMO's (Neverwinter) forums and I see it took 1 hour for the community manager there to react to a worried forum member's query on the matter, and total 6,5 hours to confirm that they are not affected. Here it's been more than 2 days now since the first thread opened about Heartbleed that I'm aware of... I appreciate Turbine's recent activity when it comes to interaction with their playerbase, but it seems there are still sections where it could be done better.

  21. #21
    Join Date
    Sep 2011
    Location
    Nashville Tn, USA
    Posts
    521
    Quote Originally Posted by Thornglen View Post
    This is one of the many reasons I preferred having the forum account be different from the game account. I know I'm going back years and years on this topic, but with the forums having been revised recently, maybe it is worth discussing again.
    I think this is a bit of a misconception no matter the password or username nor how or where its used has no bearing If this site has a security hole that big the only thing that will help is for turbine to close the hole. If this is true this is the type of thing they should have a team working on 24/7 to resolve also this post should have never happened as it just put everyone account in danger. now every 2 bit hacker that is bored on a saturday nite will take a poke at it.

    I know you think you're doing a good thing but this thread was a foolish thing to do and to tell everyone that until the hole is shut that changing your passwords and usernames won't help al this thread did was put us all at risk why would you get on your soapbox and yell at the top of your lungs and draw attention to a problem like this. U don't expose a issue like this.

    I will also say if anything happens to my account my first call will be to the lawyers to start a lawsuit for gross negligence. If this issue it for real the site and game should be shut down ASAP until the problem is fixed not leaving it up and running and is this problem was known about for 2 years that pretty sad for turbine to leave its customers twisting in the wind.

    Shut the gamer down and fix it now and not leave us all at risk just so they don't lose money I would say this is a very serious problem every moment now that this has been broadcasted it has just became about 500 times worst.

    This entire post should be deleted asap as well so maybe just a few of the hackers out there that don't know about this stay that way

    why would someone post this maybe to cover the tracks because they plan to hack it
    Completeness is the only way to play! No fast track ever! Xp Disable Toggle Supporter

  22. #22
    Join Date
    Jan 2008
    Location
    East coast, USA
    Posts
    1,909
    Quote Originally Posted by Fearless.one View Post
    I think this is a bit of a misconception no matter the password or username nor how or where its used has no bearing If this site has a security hole that big the only thing that will help is for turbine to close the hole. If this is true this is the type of thing they should have a team working on 24/7 to resolve also this post should have never happened as it just put everyone account in danger. now every 2 bit hacker that is bored on a saturday nite will take a poke at it.
    First, if anyone with the know-how to exploit this bug needs to get the information from a post on the LOTRO forums, I'd be shocked.

    Second, it looks like the site may already be ok, we just hope Turbine drops by to confirm it for people.

    Third, my desire for a separate password on the forum and on the game account is not because it would somehow solve this bug. It is because a forum is the most likely part of the game for a player to access when not at home and not on a computer where he or she has direct control over security. That, to me, makes it one of the weakspots for having a password stolen, heartbleed or no heartbleed.

    Fourth, lawyers? You don't really want to be that game forum cliche, do ya?

  23. #23
    Join Date
    Jun 2011
    Location
    Germany
    Posts
    2,036
    Quote Originally Posted by Thornglen View Post
    This is one of the many reasons I preferred having the forum account be different from the game account. I know I'm going back years and years on this topic, but with the forums having been revised recently, maybe it is worth discussing again.
    A good idea, but this would not help in this case, because the account system server could also be affected.



    Quote Originally Posted by Difious View Post
    In fact the Heartbleed test seems to indicate that the LOTRO servers have been already fixed.
    My guess is, they never were affected.

    Check the server certificates. They are from 2012. If the server were affected, they had to replace the server key and certificate, too. Which is obviously not the case.
    Wer Hilfe will, muss Informationen liefern.
    >> Lotro World transfer status <<

  24. #24
    Join Date
    Jun 2011
    Location
    Slough,UK
    Posts
    1,024
    Quote Originally Posted by Fearless.one View Post
    I think this is a bit of a misconception no matter the password or username nor how or where its used has no bearing If this site has a security hole that big the only thing that will help is for turbine to close the hole. If this is true this is the type of thing they should have a team working on 24/7 to resolve also this post should have never happened as it just put everyone account in danger. now every 2 bit hacker that is bored on a saturday nite will take a poke at it.

    I know you think you're doing a good thing but this thread was a foolish thing to do and to tell everyone that until the hole is shut that changing your passwords and usernames won't help al this thread did was put us all at risk why would you get on your soapbox and yell at the top of your lungs and draw attention to a problem like this. U don't expose a issue like this.

    I will also say if anything happens to my account my first call will be to the lawyers to start a lawsuit for gross negligence. If this issue it for real the site and game should be shut down ASAP until the problem is fixed not leaving it up and running and is this problem was known about for 2 years that pretty sad for turbine to leave its customers twisting in the wind.

    Shut the gamer down and fix it now and not leave us all at risk just so they don't lose money I would say this is a very serious problem every moment now that this has been broadcasted it has just became about 500 times worst.

    This entire post should be deleted asap as well so maybe just a few of the hackers out there that don't know about this stay that way

    why would someone post this maybe to cover the tracks because they plan to hack it
    You realise this is an internet wide issue and not just isolated to turbine?
    "The internet is a bubble dominated by the loudest, most unrepresentative voices; an infinitesimally small minority of a minority which, deaf to reason and the opinions of others, deludes itself that somehow it is the voice of the majority. An infinite echo chamber of shrieking, witless banality."

  25. #25
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,390
    Quote Originally Posted by Fearless.one View Post
    --[A lot of invective and baseless accusations against someone merely conveying essentially harmless information]--
    I'm sorry, but you really should know what you're talking about before you presume to dictate to others what they should post.

    I don't normally put a lot of stock in credentials. But in this case, it might help others to know that I'm a Network and Systems Administrator. Oooooooo!

    Quote Originally Posted by Fearless.one View Post
    . . . also this post should have never happened as it just put everyone account in danger. now every 2 bit hacker that is bored on a saturday nite will take a poke at it.
    This is utter nonsense. This vulnerability is worldwide, affecting a huge number of (mostly) unix/linux-based servers. Our discussing it here will have no effect. The bad guys, and the good guys are already well aware of the issue.

    I know you think you're doing a good thing but this thread was a foolish thing to do and to tell everyone that until the hole is shut that changing your passwords and usernames won't help al this thread did was put us all at risk why would you get on your soapbox and yell at the top of your lungs and draw attention to a problem like this. U don't expose a issue like this.
    I just can't imagine the hubris it takes to tell another person this while being so utterly, 100%, completely wrong on the facts. And worse, all your "ifs" and hedging throughout your post indicates that you're even aware of how little you know about this, and yet you have the temerity to repeatedly attack someone when anyone who knows what they're talking about here realizes that they did absolutely nothing wrong.

    I will also say if anything happens to my account my first call will be to the lawyers to start a lawsuit for gross negligence. If this issue it for real the site and game should be shut down ASAP until the problem is fixed not leaving it up and running and is this problem was known about for 2 years that pretty sad for turbine to leave its customers twisting in the wind.
    What, exactly, will be the basis of your lawsuit? Are you going to sue them for running the most up-to-date version of OpenSSL? You don't seem to be aware that it is the latest, newest, presumably* safest and most "secure" branch of OpenSSL (until 2-3 days ago when this issue was fixed via a patch) that has been discovered to have this flaw. The flaw, it is now known, has existed for two years in this branch of OpenSSL (but not the older branch that is run by default on older operating systems). Knowing about something and that something existing are not synonymous.

    Shut the gamer down and fix it now and not leave us all at risk just so they don't lose money I would say this is a very serious problem every moment now that this has been broadcasted it has just became about 500 times worst.
    Again, posting this info has zero effect. And, if the version of OpenSSL Turbine is using has been patched since the fix has been implemented (and it appears that it has), then the immediate, likely, most scary danger has passed (that someone is sending specially/maliciously-crafted packets to the server and receiving back random bits of the server's memory that could potentially contain credentials). And, now, the concern becomes whether our credentials might have already leaked and whether it's therefore now safe for us to use Turbine's services to change our passwords.

    why would someone post this maybe to cover the tracks because they plan to hack it
    Unbelievable.

    With all that aside. . .

    There are two steps to fixing this issue in as plain a language as I can muster while writing in haste (I'm on a deadline, and working to mitigate this issue on my own servers). . .

    First, you stop the potential for your server to leak credentials by patching the version of OpenSSL the server is running. With that done, you can be confident that people currently using the system are no longer in danger of having their credentials leaked to someone exploiting this flaw in OpenSSL. However, since we don't know how long the bad guys have been aware of this issue, there is still concern that they might have been gathering credentials previously. So, it's a good idea to have your users change their passwords. . . but only after OpenSSL is patched. If your users change their passwords before OpenSSL is patched, then they'll just be exposing their new credentials to potential leakage. Hence, the advice is to not change your password until a vendor/publisher confirms their site is either fixed/patched or was never vulnerable from the outset.

    Second, there is some potential (though not as likely as first reported) for this vulnerability to actually leak the server's certificate itself (it takes a certain configuration and a certain amount of bad luck for this to happen). If the bad guys have a certificate, they can then impersonate a server. But. . . this is not as scary or as immediate a risk because before they can impersonate a server to any effect (an impersonated server to which nobody connects isn't hurting anyone), they first need to get the customers to connect to the fake/malicious server. So, this would really only come into play if the bad guys not only install the stolen certificate but also hijack DNS (or perhaps send out malicious emails to direct people to bad links) to somehow direct traffic intended for the legitimate server to the bad server. Again, this is not as critical or as immediate a concern as step 1 above, but best practice is to replace the certificate for servers that were vulnerable (again, unbeknownst to anyone) for the last two years.

    I can't say for sure, but my impression is that Turbine has done step 1 (if they were ever vulnerable to begin with). . . but the date of the certificate currently up indicates that step 2 hasn't been done yet or has been deemed not to be necessary if they were never vulnerable. Based on the version of SSL and TLS they are using as of today, I would guess that step 1 was necessary and step 2 will be happening soon.

    How could a (linux-based) server not be vulnerable? Well, for example, CentOS (a popular linux distribution for servers that is based on Redhat linux) has two popular versions, 5.x and 6.x. A lot of servers still run the older version (5.x). Ironically, it is those folks running the older distribution who are happy right now, because 5.x uses an older branch of OpenSSL that never implemented the "heartbeat" feature of OpenSSL. Whereas CentOS/Redhat 6.x does use the newer branch of OpenSSL, so people running the newer distribution are scrambling right now to implement the patch made available, and then recreating their servers' certificates.

    It should just be stated plainly: This is a world-wide, internet-wide problem. There has been no negligence or malfeasance on the part of Turbine. They have been running the most up-to-date version of OpenSSL as anyone would expect. They are no more to blame than are any of the other (large, well-known) companies who have been using OpenSSL in good faith. And, really, there are no realistic alternatives. This is just what happens when a catastrophic bug is discovered in a foundational technology that is in (very) widespread use.

    As for shutting down the game. . . it's a game. There are banks and other financial institutions that aren't shutting down over this. But Turbine is expected to shut everything down so we won't lose our imaginary people and items?

    The End.

    --H

    P.S. Some official word from Turbine about when/if we should change our passwords would be greatly appreciated. Again, anything I wrote above regarding Turbine's services and their current state is merely "best-guesses" and should not be relied upon.

    *We often presume the newest version of anything is the safest. But that often proves to not be the case. As things are changed, potentially unsecure** code can be introduced. So quite often, it's the older, simpler code that is more secure. . . though you often trade off capability and features to stay with the older code.

    **I refuse to use the term "insecure" in the context of computing. That makes it seem like a bit of code should be shy, introverted, and confined to their darkened bedroom listening to Morrissey.
    Last edited by Hurin; Apr 10 2014 at 06:35 PM. Reason: Had a bit of extra time to clarify and/or fix typos.
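
The two steps described in the post above, written out as a triage check for a server operator (an added example, not part of the original thread or of any poster's tooling). The affected range 1.0.1 through 1.0.1f and the 2012-04-07 certificate date come from the thread; the 2014-04-07 cutoff, the function and field names, and the sample version strings are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumption: cutoff taken from the date in the news links quoted in the thread.
FIX_PUBLISHED = date(2014, 4, 7)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def in_thread_affected_range(version_string: str) -> bool:
    """True for upstream 1.0.1 through 1.0.1f, the range named in post #19."""
    match = _VERSION_RE.search(version_string)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {version_string!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4)
    if (major, minor, patch) != (1, 0, 1):
        return False  # e.g. the older branch without the heartbeat feature
    return letter == "" or (len(letter) == 1 and letter <= "f")


@dataclass(frozen=True)
class Triage:
    leak_stopped: bool             # step 1: server no longer runs a leaking build
    safe_to_change_password: bool  # a new password will not be exposed in turn
    reissue_certificate: bool      # step 2: key and certificate need replacing
    note: str


def triage(version_string: str, cert_not_before: date,
           ran_affected_build: bool, fix_backported: bool = False) -> Triage:
    """Apply the post's ordering: patch first, then passwords, then certificate.

    ran_affected_build: operator's knowledge that an affected build was ever
    deployed. fix_backported: the distribution patched the package without
    changing the upstream version letter, so the version string alone would
    give a false positive.
    """
    in_range = in_thread_affected_range(version_string)
    if in_range and not fix_backported:
        return Triage(False, False, True,
                      "patch OpenSSL first; a new password would leak too")
    if not (ran_affected_build or in_range):
        return Triage(True, True, False,
                      "never vulnerable; a pre-2014 certificate is expected")
    stale = cert_not_before < FIX_PUBLISHED
    note = ("patched, but certificate predates the fix; reissue key and cert"
            if stale else "patched and certificate reissued")
    return Triage(True, True, stale, note)


# Constructed sample inputs (not measurements of any real server).
SAMPLES = [
    ("OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008", date(2012, 4, 7), False, False),
    ("OpenSSL 1.0.1e 11 Feb 2013", date(2012, 4, 7), True, False),
    ("OpenSSL 1.0.1e-fips 11 Feb 2013", date(2012, 4, 7), True, True),
    ("OpenSSL 1.0.1g 7 Apr 2014", date(2012, 4, 7), True, False),
    ("OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 9), True, False),
]


def run_samples():
    """Return the triage result for each constructed sample, in order."""
    return [triage(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(f"{sample[0]:40} cert {sample[1]}  ->  {result.note}")
```

An old certificate date alone does not distinguish "never vulnerable" from "patched but not yet reissued"; the check needs the operator's knowledge of whether an affected build was ever deployed.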

 

 