  1. #1
    Join Date
    Apr 2007
    Location
    Colorado Springs, Colorado
    Posts
    237

    Lotro.com and the heartbleed bug

    While my testing appears to suggest that lotro.com is not vulnerable, I believe an official announcement would be appropriate.

    Brad

  2. #2
    Join Date
    Apr 2011
    Location
    Michigan
    Posts
    4,995
    Why? I never heard of it before but googled it. Google seems to indicate this bug is nothing new. And why would Turbine make an announcement about it? There are bugs and hacks all over the internet -- that doesn't mean Turbine needs to give us an announcement about all of them. They made an announcement about Pando Media Booster because it was directly linked to this game's download. But any random bug floating around? I'm not sure why you feel that Turbine should announce it? That would be like Turbine making an announcement about a Windows 8 bug that doesn't even affect them.
    R5 100 GRD Marevayave - Leader of Riddermarked For Death
    R8 100 MNS Fayah/100 LM Siennah/100 HNT Dinenol/100 RK Dhurik
    100 CHN Alachas/85 CPT Dinfaerien/60 BUR Dhax/35 WDN Godoric
    R9 100 MNS Fayeh (alt Wilya) - Lonely Mountain Band @ Landroval

  3. #3
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by Mar-Evayave View Post
    Why? I never heard of it before but googled it. Google seems to indicate this bug is nothing new. And why would Turbine make an announcement about it? There are bugs and hacks all over the internet -- that doesn't mean Turbine needs to give us an announcement about all of them. They made an announcement about Pando Media Booster because it was directly linked to this game's download. But any random bug floating around? I'm not sure why you feel that Turbine should announce it? That would be like Turbine making an announcement about a Windows 8 bug that doesn't even affect them.
    The mind simply boggles. . .

    I'm tired of repeating myself. So I'll be brief (edit: No, I guess I won't).

    People who have no idea what they are talking about need to stop feeling compelled to chime in after a cursory google search or half-understood and poorly reported news article imbues them with a false sense of certainty.

    The entire problem here, and what makes "heartbleed" so scary is that the vulnerability itself is "nothing new." The flaw in OpenSSL's code that makes "heartbleed" possible has indeed been in the wild for over two years. But. . . we (on the "good" side) just discovered it now. That makes it bad. Not better. There are some indications that this flaw might have been exploited in the wild for some time now. In other words, it's entirely possible that the bad guys have known about this for much longer than the good guys have known about it. And that means that passwords and other sensitive information might have already gotten into the hands of bad guys over the last two years.

    I've seen thread after thread here and elsewhere with concerned people with at least a modicum of understanding of how serious this can be asking legitimate questions only to have folks who are quite confused state matter-of-factly that this vulnerability is "old" and therefore nothing to worry about. It just. . . as I said. . . boggles the mind.

    If someone tells you today that the key that you've been using to lock your door hasn't actually been locking it (but you thought it had), you don't console yourself with the knowledge that you bought that lock two years ago. You begin to look around for what might be missing and wonder who might have been coming in and out of your house at will over the last two years. But in this case, it's worse, because you can't really see if anything was taken from your house. Because what they were really interested in doing was rifling through your files and making copies. And for all you know, they did. Hooray for (flawed, though still apt) analogies!

    This is not just "any random bug." I don't put a lot of stock in credentials but in this case I'll mention I'm a Network and Systems Administrator before I assure you that the tech community is actually quite freaked out over this particular one. Many of us have been scrambling since it was announced.

    Anyone who was running the newest and greatest version of OpenSSL over the last two years in any standard way (and that's figured to be about 50-65% of servers worldwide) has had their barn door open at least until earlier this week. And now the question is whether anyone was snooping around that open door, and for how long. . . and it's very difficult (if not impossible) due to the nature of the exploit to determine if any malicious activity took place. You can know you were vulnerable. But you may not be able to know for sure whether you were hit or not.

    Current testing, run after the patch to address this vulnerability was released, shows that Turbine's servers do not (now) appear to be vulnerable. But that does not in any way answer the question about whether they were vulnerable like so many others over the last two years, and whether our game credentials are now at risk (and should be changed).

    Personally, lacking any word from Turbine (other gaming companies have made statements about it), I'd change my password now. And then change it again when/if Turbine tells us what's up. We're not supposed to change our passwords on systems that are not yet patched (since you're just moving your credentials to the "top of the pile" on a server that could be getting exploited). But, since there are indications Turbine's servers are not vulnerable as of a few days ago, I personally am willing to take the "risk" and change them now, to mitigate any potential leak over the recent past.

    The End.
    Last edited by Hurin; Apr 11 2014 at 11:08 PM.

  4. #4
    Join Date
    Apr 2011
    Location
    Michigan
    Posts
    4,995
    Quote Originally Posted by Hurin View Post
    The mind simply boggles. . .

    I'm tired of repeating myself. So I'll be brief (edit: No, I guess I won't).
    No one asked you to repeat yourself... just so you know...

    At what point did I say this was not a serious problem? The vulnerability is old: fact. And Turbine has no control over the problem beyond ensuring they don't use the affected software. The comparison to physical keys is insignificant, because there is nothing we can do. Think about it: this issue is not restricted solely to Turbine (if they were even affected at all). How many websites do you use? How many does the average person use? Facebook? Google? Various email websites (hotmail, yahoo, gmail, etc)? Dozens and dozens and dozens... Are you guys seriously expecting every legitimate website in existence to make some sort of announcement? This is hardly the first serious security issue that has cropped up since the internet was invented. Getting all panicky and hyped up and at Turbine's throat does nothing but spread fear.

    This is not just "any random bug." I don't put a lot of stock in credentials but in this case I'll mention I'm a Network and Systems Administrator before I assure you that the tech community is actually quite freaked out over this particular one. Many of us have been scrambling since it was announced.
    Big deal? The tech community is not freaked out. The MEDIA is freaked out. Your department may be, but your department does not equal the whole tech community. After updating the servers that were potentially vulnerable, there is nothing more that can be done, so why get their panties in a knot? The bug has been around for 2 years and the internet hasn't blown up yet. I'd be willing to bet there is some serious flaw that has been around since the internet was created that we have no knowledge of. This kind of thinking leads to paranoia.

    People seem to think that everything they do "securely" on the internet is private. Well, I hate to burst anyone's bubble, but it's not. It doesn't even take bugs for that "secure" stuff to become public. All it takes is one very lowly individual. In some cases, your information is used without your consent even by the professionals. My mother has pictures on her facebook page and they are set so that NO ONE ELSE can view them. What did facebook do? They took her pictures, combined them into an album, and offered to sell it to her.

    At the end of the day, the vast majority of people won't be affected in the slightest. The types of people who would exploit this bug really, really don't care if you have 3 level-cap toons on server XYZ. They really don't care. They aren't going to delete them, they aren't going to sell your stuff, they aren't going to steal your gold and sell that. The places that are most vulnerable are banking websites and such. The kind of hackers who would take advantage of this are far more concerned with your money than they are with how many toons you play on some random MMO. And if you see suspicious transactions on your bank account, you just report it and the banks are required by law (at least in the US) to issue you new cards and not hold you responsible. In a little while it will all be a thing of the past anyway. The data that has the potential for being stolen is not permanent. The cache will clear out and the data will be gone. Hackers have to take advantage quickly in order for it to be any good for them.

    What boggles my mind is how so-called "professionals" can get their panties in a knot about this and intentionally try to knot up other people's panties at the same time. Are you TRYING to spread fear and paranoia? >.<

  5. #5
    Join Date
    Sep 2008
    Location
    Escaping Mizzery, one tart at a time.
    Posts
    213
    First off, couple people on DDO-side also ran security checks and concur that Turbine is not currently vulnerable.

    Second, agreed that this is a bad thing to have gone undetected for so long. However, the creepers that might have known about this vulnerability are more surely looking at profitable stuff like bank/investment account information rather than game log-ins, or even the single CC that might be tied to a game account. (edit: Just back-read and see Mar already mentioned this.)

    Be concerned for your other online activities, and change passwords accordingly. Just follow standard online safety routines, and avoid media-bolstered panic/hysteria.
    Last edited by Devolved; Apr 12 2014 at 12:20 PM.

    Brandy: Cupcakes of Doom.
    Landro: Trueheart Companions.

  6. #6
    Join Date
    Jun 2011
    Posts
    1,656
    Quote Originally Posted by Mar-Evayave View Post
    At the end of the day, the vast majority of people won't be affected in the slightest. The types of people who would exploit this bug really, really don't care if you have 3 level-cap toons on server XYZ. They really don't care. They aren't going to delete them, they aren't going to sell your stuff, they aren't going to steal your gold and sell that. The places that are most vulnerable are banking websites and such. The kind of hackers who would take advantage of this are far more concerned with your money than they are with how many toons you play on some random MMO. And if you see suspicious transactions on your bank account, you just report it and the banks are required by law (at least in the US) to issue you new cards and not hold you responsible. In a little while it will all be a thing of the past anyway. The data that has the potential for being stolen is not permanent. The cache will clear out and the data will be gone. Hackers have to take advantage quickly in order for it to be any good for them.

    What boggles my mind is how so-called "professionals" can get their panties in a knot about this and intentionally try to knot up other people's panties at the same time. Are you TRYING to spread fear and paranoia? >.<
    THIS 100%!

    I have been thinking to post a similar response since this came up on the forums but decided not to bother until now; well said, Mar-Evayave.

    I also cannot understand how a professional network technical department are in a panic. I can tell you that the network team where I work are not bothered in the least.
    How to get help on the Tech Forums and how to contact Turbine

    Please reply to the topic or PM me if a solution I posted works for you: The more data I can gather the better I can help.

  7. #7
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by Mar-Evayave View Post
    At what point did I say this was not a serious problem?
    When you said that it was "nothing new" and that it's no different than "bugs and hacks all over the internet."

    The vulnerability is old: fact.
    Nice try. But you said that this "bug is nothing new." But, to the public (and the good guys) knowledge of its existence is new. You used that "fact" as a mitigating factor. It is the opposite. Its long-term (undiscovered) existence is a bad thing. To try to allay someone's concern by stating this is "nothing new" when news of existence broke only this week demonstrates that you did not know what you were talking about when you wrote that.

    And Turbine has no control over the problem beyond ensuring they don't use the affected software. The comparison to physical keys is insignificant, because there is nothing we can do.
    No, there is something we can (and should) do. We can and should change our passwords. But ideally only once we are assured that a service is no longer vulnerable. Responsible companies and vendors are alerting their customers when it is safe to change their passwords (or notifying them that there is no need to do so despite indications that they use OpenSSL).

    This is not just me saying this. This is the widely disseminated procedure for mitigating this (again, newly discovered) issue.

    Think about it: this issue is not restricted solely to Turbine (if they were even affected at all). How many websites do you use? How many does the average person use? Facebook? Google? Various email websites (hotmail, yahoo, gmail, etc)? Dozens and dozens and dozens... Are you guys seriously expecting every legitimate website in existence to make some sort of announcement?
    Okay, brace yourself. . . this might sting a little.

    See, you start to realize just how serious this is. . . but then you recoil at the (potential) reality of it. Yes, OpenSSL is so ubiquitous that, yes, a lot of sites were vulnerable. It's funny how you start to get your mind around just how bad this could potentially be, and just how unprecedented this situation is, but then just say "Nah! You're all fear-mongers!" right after urging others to "think about it." No matter how much your mind instinctively rejects the notion. . . it is potentially that bad. And that's relatively unprecedented. And yes, a responsible company will make it known if/how they were affected and when it's safe (or whether it's necessary) for customers to change their passwords. Just as many game companies already have. And just like all those companies/sites in that list are doing (though you thought the notion that they would do so outrageous).

    This is hardly the first serious security issue that has cropped up since the internet was invented. Getting all panicky and hyped up and at Turbine's throat does nothing but spread fear.
    I suggest you re-read the OP's post. He merely asked for an official notification along the lines of what other companies (even gaming ones) are providing. You then proceeded to embarrass yourself (though you may not know it yet). And it is not "getting all panicky" or "hyping it up" to point out to you where you were wrong to dismiss his concern based on your demonstrably flawed understanding of the issue.

    People seem to think that everything they do "securely" on the internet is private. Well, I hate to burst anyone's bubble, but it's not. It doesn't even take bugs for that "secure" stuff to become public. All it takes is one very lowly individual. In some cases, your information is used without your consent even by the professionals. My mother has pictures on her facebook page and they are set so that NO ONE ELSE can view them. What did facebook do? They took her pictures, combined them into an album, and offered to sell it to her.
    Cool story!

    At the end of the day, the vast majority of people won't be affected in the slightest.
    The irony is that this will likely be the case because it is handled responsibly by those who know what they're doing and talking about. Despite your best efforts. Those who handle this though, have a little more to do than just wish it away and assert it'll all be fine.

    The types of people who would exploit this bug really, really don't care if you have 3 level-cap toons on server XYZ. They really don't care. They aren't going to delete them, they aren't going to sell your stuff, they aren't going to steal your gold and sell that.
    You say all of this as though there haven't been egregious cases of this happening throughout LotRO's (and every other game's) history.

    The kind of hackers who would take advantage of this are far more concerned with your money than they are with how many toons you play on some random MMO.
    You're essentially arguing for "defense by obscurity". . . and I learned long ago that it doesn't work. There's no profit motive in having sites defaced and data deleted. But it happens all the time. It's nice to know that you've declared it to be a non-issue though. I'll remember that the next time a developer on one of my servers has his non-profit site maliciously defaced via SQL-injection.

    In a little while it will all be a thing of the past anyway. The data that has the potential for being stolen is not permanent. The cache will clear out and the data will be gone. Hackers have to take advantage quickly in order for it to be any good for them.
    Yes, they have to "take advantage quickly". . . if they hypothetically sniffed passwords from a vulnerable site, then they need to use those passwords before the passwords are changed. In this case, people are being told to wait to change passwords until they're notified that it's safe to do so. Someone came to this thread requesting that (recommended) notification. And at that point, you decided you need to get involved. With unfortunate results. . .

    What boggles my mind is how so-called "professionals" can get their panties in a knot about this and intentionally try to knot up other people's panties at the same time. Are you TRYING to spread fear and paranoia? >.<
    It's quite dismaying (though also a bit amusing) to see how your prior unfortunate remarks now require you to willfully get just about everything else backwards as well lest you have to admit that you were just out of your depth when you first chimed in.

    The "fear" and "paranoia" comes in the absence of information. The OP asked for information that would only help (if responsibly and carefully disclosed) to allay "fear" and "paranoia." Other companies (gaming and otherwise) have provided their users with the information required/requested.

    It is not "intentionally trying to knot up other people's panties" to come to the OP's defense when you say many silly, unfortunate, misguided, and flat-out wrong things while asserting that there's absolutely no reason why Turbine should say anything at all.

    I realize there is a temptation to stick up for Turbine against all the unreasonable complaints, demands, and other shenanigans. I have done so quite often in the past myself. But when I do so. . . I try to know what I'm talking about. In this case, you clearly didn't.

    Would you please just stop now? Anyone with the requisite knowledge and the (incredible) patience to read this knows that you don't have a leg to stand on here. I'm actually embarrassed at the lengths I've gone to above to demonstrate where you're engaging in shenanigans. It would be incredibly nice if you would just admit that you were a bit out of your depth in this particular context and then we can all just move on.

    --H
    Last edited by Hurin; Apr 12 2014 at 01:35 PM.

  8. #8
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by WBS View Post
    I also cannot understand how a professional network technical department are in a panic. I can tell you that the network team where I work are not bothered in the least.
    Were you one of my users, you would have gotten that impression from me as well.

    It took me about 20 minutes to address the issue on my systems. And their nature is that I don't really need to worry about what has gone on with them over the last two years.

    I was asked by a few people if/how we were affected. I told them it's essentially a non-issue for us. Meanwhile, other related entities in my immediate proximity have indeed been scrambling (though I would not now say "freaking out").

    So, for all I know, one of my users might have recently told a friend or family member: "Hurin doesn't seem all that concerned about this. It's probably no big deal."

    Now, if they asked me about this in detail, I would have gone on about how this is one of those infrastructure-wide zero-day vulnerabilities that the tech community has been fearing might happen since time began. Could it be even worse than this? Of course. But does that make this one as trivial as all those "other bugs and hacks on the internet"? No. It does not. As such, while we're not likely to be affected directly, and as always things will "turn out alright in the end". . . that doesn't mean we don't need to handle this responsibly.

    Indeed, part of making sure things like this "turn out alright in the end" is by handling these types of things responsibly.

    And that's all the OP was doing and requesting help in doing according to the (good) guidance being given to him. . . when someone decided to discredit his request with specious and misleading information and reasoning.

    And yet I'm spreading "panic" by pointing out where that information and reasoning is wrong. That's my favorite part.

    You guys go on just saying: "Pfffft! It'll all be fine" even while you demean those who are trying to make it so (the OP, not me).

    --H

  9. #9
    Join Date
    Apr 2011
    Location
    Michigan
    Posts
    4,995
    The amount of panic and slander is really astonishing. But I guess even if I can lead a horse to water, I can't make it drink. Be concerned, take whatever actions you personally feel you should take. But please, leave the sarcasm and slander outside. I started to reply to your post and the further I got in, the more tired I became of the condescending tone. It is very clear that you won't change your mind, and I have no need to change my mind. I will continue to encourage people to remain calm and not freak out about the matter. What you do is your own business.

    For the record, while I may have known squat until yesterday, I got the story in layman's terms from my father, who has been in the tech business for a living for the past 30-some-odd years. And frankly, I value and trust his advice and knowledge far, far more than I would yours. Because I KNOW him and I KNOW his expertise. I trust that far more than I trust the expertise you claim to possess.

  10. #10
    For those who wish to learn for themselves if this is a big deal or not...

    https://www.schneier.com/blog/archiv...eartbleed.html

    Bruce Schneier Posted on April 9, 2014 at 5:03 AM schneier.com

    Heartbleed

    Heartbleed is a catastrophic bug in OpenSSL:

    "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
    Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

    "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

    Half a million sites are vulnerable, including my own. Test your vulnerability here.

    The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

    At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
    So Who's this guy Bruce.. bet he doesn't know do-dah.... http://en.wikipedia.org/wiki/Bruce_Schneier

    We know that on the face of it the person who wrote the code in question is not in the arms of a security service, although there are indications that the services noticed it right off but didn't bother to tell anyone about it.

    Next up for those interested in the under the hood bits and bobs stuff - warning takes a strong stomach to work through it all.



    04/11/2014

    http://blog.cloudflare.com/the-resul...lare-challenge

    Earlier today we announced the Heartbleed Challenge. We set up a nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key. The world was up to the task: two people independently retrieved private keys using the Heartbleed exploit.

    The first valid submission was received at 4:22:01PST by Software Engineer Fedor Indutny. He sent at least 2.5 million requests over the course of the day. The second was submitted at 5:12:19PST by Ilkka Mattila at NCSC-FI, who sent around a hundred thousand requests over the same period of time.

    We confirmed that both individuals used only the Heartbleed exploit to obtain the private key. We rebooted the server at 3:08PST, which may have caused the key to be available in uninitialized heap memory as theorized in our previous blog post. It is at the discretion of the researchers to share the specifics of the techniques used.

    This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability.

    The full documentation of their analysis of the bug and their challenge that it was, in part, No Big Deal, which of course was retracted after 9 hours.

    04/11/2014

    http://blog.cloudflare.com/answering...ing-heartbleed

    Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?
    Published on April 11, 2014 04:27AM by Nick Sullivan.

    CloudFlare provides performance and security for any website. Hundreds of thousands of websites use CloudFlare.
    The tl;dr

    Cloudflare posted a retraction (04/12/2014) of their assertion that the SSL keys could not be retrieved when 2 separate groups retrieved them. It took less than 9 hours of attack to get them. One group sent 2.5 million requests and the other group sent 100K requests.

    If you look further you can find exactly what you need to do to test it for yourself and the information is rather technical as to what actually is and isn't in the server heap memory at any one time. A simple botnet for tests works wonders for this.

    If you do any programming, it's a buffer over-run problem. The following description from Cloudflare describes the mechanism, and most programmers will recognize the problem right away by its description.


    http://blog.cloudflare.com/answering...ing-heartbleed

    Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?

    Published on April 11, 2014 04:27AM by Nick Sullivan.

    (snip)

    The incoming message is stored in a structure called rrec, which contains the incoming request data. The code reads the type (finding out that it's a heartbeat) from the first byte, then reads the next two bytes which indicate the length of the heartbeat payload. In a valid heartbeat request, this length matches the length of the payload sent in the heartbeat request.

    The major problem (and cause of heartbleed) is that the code does not check that this length is the actual length sent in the heartbeat request, allowing the request to ask for more data than it should be able to retrieve. The code then copies the amount of data indicated by the length from the incoming message to the outgoing message. If the length is longer than the incoming message, the software just keeps copying data past the end of the message. Since the length variable is 16 bits, you can request up to 65,535 bytes from memory. The data that lives past the end of the incoming message is from a kind of no-man’s land that the program should not be accessing and may contain data left behind from other parts of OpenSSL.

    (snip)
    The good news is... it's getting better all the time and will be fixed soon, except in Germany, where it's embedded in a whole lot of Android Cell Phones. And some of us wondered how they managed to snag Merkel and Friends cell phones soooo easily and so often.

    http://www.bloomberg.com/news/2014-0...bleed-bug.html

    It seems to be only Android 4.1.1 that has the bug. Android 4.1.x is about a third of the installed Android base, but I don't know what fraction of that is 4.1.1
    It's apparently particularly common in Germany, where there's some very popular device still running 4.1.1.


    http://www.spiegel.de/netzwelt/netzp...-a-964032.html
    note: A cell phone in Germany is called a Handy.
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel
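    The Cloudflare passage quoted above describes the over-read in words: the handler trusts a two-byte length field and copies that many bytes, whether or not that many bytes actually arrived. As an added illustration for readers who want to see the shape of the bug and of its fix, here is a small self-contained C model. It is not code from the forum post, from Cloudflare or from OpenSSL. The record layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) follows the TLS heartbeat extension; the in-process "arena" standing in for server memory, the constructed stale token placed behind the record, and all function names are assumptions made for this example. The vulnerable handler is clamped to the arena so the model itself stays within bounds; the hardened handler performs the bounds check that the fix introduced and silently drops records that fail it.

```c
// Added example, not code from the forum, Cloudflare or OpenSSL: a model
// of a TLS heartbeat handler, in a trusting (vulnerable) and a checking
// (hardened) version, run against a constructed in-process arena.
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define ARENA_SIZE 256
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_PADDING 16
// Constructed stale data that "lives past the end of the incoming message".
#define STALE_TOKEN "SECRET-SESSION-TOKEN"

// Stand-in for process memory: the heartbeat record occupies the start,
// leftover data from "other parts of the program" follows it.
static unsigned char arena[ARENA_SIZE];

// Build a heartbeat request whose header *claims* claimed_len payload bytes
// but actually carries strlen(payload) bytes, then place the stale token
// right behind the record. Returns the true record length (bytes delivered).
static size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t actual_len = strlen(payload);
    size_t max_payload = ARENA_SIZE - 3 - HB_PADDING - sizeof STALE_TOKEN;
    if (actual_len > max_payload) actual_len = max_payload;  // keep the model in bounds
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;       // header + payload + padding
    memcpy(arena + record_len, STALE_TOKEN, sizeof STALE_TOKEN - 1);
    return record_len;
}

// Vulnerable pattern: the byte count that actually arrived is ignored and
// the attacker-controlled length field drives the copy. Returns bytes echoed.
static size_t vulnerable_heartbeat(size_t record_len, unsigned char *out, size_t out_cap) {
    (void)record_len;                                        // never consulted: the bug
    uint16_t payload_len = (uint16_t)((arena[1] << 8) | arena[2]);
    size_t n = payload_len;
    if (n > out_cap) n = out_cap;
    if (n > ARENA_SIZE - 3) n = ARENA_SIZE - 3;              // clamp so the model has no UB
    out[0] = HB_RESPONSE;
    memcpy(out + 1, arena + 3, n);                           // reads past the record's end
    return n;
}

// Hardened pattern (the shape of the fix): treat the length field as
// untrusted input and verify header + payload + padding fits inside the
// bytes that actually arrived. Returns bytes echoed, or 0 if the record is
// dropped.
static size_t hardened_heartbeat(size_t record_len, unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;            // too short to be valid
    uint16_t payload_len = (uint16_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return 0;  // claims too much
    if (payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    memcpy(out + 1, arena + 3, payload_len);
    return payload_len;
}

// Does an echoed payload contain the constructed stale token?
static int leaks_stale_data(const unsigned char *buf, size_t n) {
    size_t tlen = sizeof STALE_TOKEN - 1;
    for (size_t i = 0; i + tlen <= n; i++)
        if (memcmp(buf + i, STALE_TOKEN, tlen) == 0) return 1;
    return 0;
}

// Run one request through the chosen handler. Returns the number of payload
// bytes echoed, or -1 if the echo contained data from beyond the record.
static long run_scenario(uint16_t claimed_len, const char *payload, int use_hardened) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_record(claimed_len, payload);
    size_t n = use_hardened ? hardened_heartbeat(record_len, out, sizeof out - 1)
                            : vulnerable_heartbeat(record_len, out, sizeof out - 1);
    return leaks_stale_data(out + 1, n) ? -1 : (long)n;
}

int main(void) {
    printf("well-formed request, hardened: %ld bytes echoed\n", run_scenario(5, "hello", 1));
    printf("over-claimed request, vulnerable: %ld (-1 = stale data leaked)\n", run_scenario(64, "hello", 0));
    printf("over-claimed request, hardened: %ld (0 = dropped)\n", run_scenario(64, "hello", 1));
    return 0;
}
```

    The check in the hardened handler is the whole story of the fix: the length field is data from the peer, and the only trustworthy measure of how much may be copied is the size of what the transport actually delivered. The same principle applies to any length-prefixed format, which is why this bug class is easy to spot once you know to compare a claimed length against the bytes on hand.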

  11. #11
    Join Date
    Aug 2008
    Location
    Vancouver, BC Canada
    Posts
    3,092
    Thanks to Hurin and SabreOfLorien for posting some great and detailed information on this for those of us who aren't as technically savvy in these matters. It's staggering to think about the scope of this issue. I mean, wow. For 2 years there has been an open doorway on most major mainstream sites, and it's just now come to light. Pretty amazing and truly shocking revelation.

    Mar, I like you and all, but this is a big deal. No, people shouldn't panic and no, they shouldn't freak out. But nor should they pooh-pooh it and pretend it's not a big deal. It comes off as a bit flat-earthy. The facts are what they are.

  12. #12
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by Mar-Evayave View Post
    I started to reply to your post and the further I got in, the more tired I became of the condescending tone.
    When people are just flat-out wrong, misinformed, and demonstrated to be so even while they are (rather arrogantly) dismissing the concerns of others even though they clearly have no basis upon which to do so other than their own biases and preconceived notions, it is not surprising that they would interpret facts delivered by someone that does know what they're talking about as "condescending." Rather, it's just likely that you find it so because what I have to say is uncomfortable for you to hear and accept. Since it would require you to admit that you were wrong and spoke out of ignorance while undermining the legitimate point/question of another person (and I'm not talking about me).

    It is very clear that you won't change your mind, and I have no need to change my mind.
    I don't need to change my mind. Because I know what I'm talking about and nobody I've seen that works in this field is saying anything along the same lines that you are (for the record, nobody is saying "panic!" either). I'm open-minded enough to change my mind if someone who knows what they're talking about shows me contradictory evidence or even just presents a plausible case based on reasonable assumptions. But so far I have my own knowledge and experience in these matters combined with the knowledge and experience of the technical community up against a stranger on a gaming forum that spent a minute googling the issue, clearly misunderstood crucial elements of what he read, and now feels confident in telling everyone to just shut up about it already and stop asking silly questions. Seriously. I wish you would think about that. Because that is a fair description of what has gone on here. And it's unfortunate.

    I will continue to encourage people to remain calm and not freak out about the matter. What you do is your own business.
    Except, that's not what you were counseling prior. You were undermining a legitimate request for information while spreading disinformation yourself. You equated (erroneously and with no basis in fact) this issue with all the other "bugs and hacks on the internet," asserting that it was "nothing new," all while bizarrely trying to discredit a completely legitimate question to which many of us would like a definitive answer.

    Also, for what it's worth, I'm still looking for the part where I (or others) have been screaming "Panic! Panic everyone! The end is nigh!" You are now conveniently portraying yourself as the voice of reason in the face of hysteria. Yet there is absolutely no hysteria, and that characterization of your own position doesn't comport with your original post which is chock-full of misinformation and incorrect assumptions that seemed solely intended to just make another person feel stupid for asking what was actually a very good question.

    For the record, while I may have known squat until yesterday, I got the story in layman's terms from my father, who has been in the tech business for a living for the past 30-some-odd years. And frankly, I value and trust his advice and knowledge far, far more than I would yours. Because I KNOW him and I KNOW his expertise. I trust that far more than I trust the expertise you claim to possess.
    So, we're to believe that you googled this, came to your (erroneous, which now even you seem willing to concede) conclusions, posted them. . . and only then called your father who just happened to agree with you even though it's been demonstrated that your viewpoint was based upon bad facts, and misinterpretations? I'm sure your father is quite wise. However, if he agrees with you that this issue is no different than all the other "bugs and hacks all over the internet" and thus "nothing new". . . and that it's silly to even ask a company that we have reason to believe was affected if the issue has been addressed and it's now safe to change passwords. . . he might be wise, but in this case, he's just as wrong as you are. But that's okay. . . people get things wrong all the time. Even our dads! And of course, I'm sure you called him and approached the topic from a completely impartial perspective and would never "lead the witness."

    The facts are the facts. You can "urge calm" all you want. Just don't say things that are demonstrably untrue or tell someone that they shouldn't be asking (or at least should not expect an answer to) entirely legitimate questions.

    If all you had said was: "I bet this will blow over. I wouldn't freak out". . . I'd have had no issue with what you wrote. But since you instead told someone that their question was downright silly (perhaps even illegitimate) and based that on demonstrably bad information and even worse reasoning, yes, I'm going to take issue with that. That you find my doing so "condescending" is unsurprising. As for it being "slanderous". . . you must have a truly idiosyncratic understanding of the word "slander." One could just as soon see your original post in this thread as "condescending" towards the OP. And, indeed, I did. And I do. But do you know what makes "condescension" even more unsavory? . . . when the person doing the condescending is actually the one who is demonstrably wrong on the merits. And you were. You still are.

    If this does end up being a tempest in a teapot (and I actually think that's possible or even likely because people are working to mitigate the issue and communicate broadly) both here and across the world, I'll be as happy as anyone (and requests for information only help to ascertain how likely that is to be the case). But responsible companies and responsible users still need to exercise due diligence. That's why, worldwide, companies are communicating with their users about this issue. That's not "hysteria." Nor is requesting such communication (or correcting those declaring such requests to be silly). That's just doing what's necessary to protect everyone in case the "bad guys" were indeed exploiting this vulnerability prior to it becoming known and the issue addressed. Just declaring that "it'll probably burn up in the atmosphere and whatever's left will be no bigger than a chihuahua's head" isn't a terribly responsible or constructive position. Even if, through sheer unadulterated luck, it turns out to accurately predict the end result, those who truly understand the nature of this issue realize that hoping for the best isn't a responsible option. To say nothing of actually trying to dampen and discourage communication about it.

    --H
    Last edited by Hurin; Apr 12 2014 at 10:12 PM.

  13. #13
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by frickinmuck View Post
    Thanks to Hurin and SabreOfLorien for posting some great and detailed information on this for those of us who aren't as technically savvy in these matters. It's staggering to think about the scope of this issue. I mean, wow. For 2 years there has been an open doorway on most major mainstream sites, and it's just now come to light. Pretty amazing and truly shocking revelation.
    Indeed. And even though we don't know if (or for how long) people might have been surreptitiously using that "doorway" on any given server, if the server was running that vulnerable version all that time, there isn't really a valid option to just say: "Well, let's just hope nobody was using it, pretend this never happened, and say nothing to our users about how or when they should take their own measures to mitigate the potential compromise of their credentials."

    I'm hopeful as well that the bad guys haven't known about this any (or much) longer than the good guys. So the damage (if any) will be minimal. However, it's rarely advisable to make decisions and plans based on "hope." This is certainly true about decisions regarding network and systems security.

    Regardless, I think it's safe to say that we've disabused people of the mistaken notion that this is just another run-of-the-mill "hack" or "bug". . . or that nobody should expect or request information because this is "nothing new." Loath as they are to admit it.

    Given the scope and unprecedented nature of this particular vulnerability, information from Turbine --if carefully prepared and expressed-- can only help to alleviate the concerns of those users aware of the issue (and bring it to the attention of more people if action does indeed need to be taken). Heck, the best news possible would be that they were not running the vulnerable version (which doesn't seem to be the case, but we can't say for sure) or that they were running the vulnerable version but have other measures or features in place that would have mitigated any attempt to exploit the vulnerability (this is possible even when the vulnerability was unknown). But, if the server was vulnerable, just hoping that nobody was exploiting the vulnerability over the last two years is not an acceptable response. Even if it turns out to be (technically) effective through sheer, dumb luck.

    Which is why a response from Turbine would be just ducky.

    Edit: The thing is, though, that those in the business of thinking through and managing these things are always aware of the potential for something like this existing. I never say "my servers are secure." I'll only say "my servers are secure to the best of my knowledge." You can't prove a negative. You can't prove that something you don't know about doesn't exist. Just as if you asked the head of the CIA if he has any foreign spies operating within his agency, he couldn't tell you with 100% certainty that he did not. He could only tell you with 100% certainty that he doesn't know of any. One just hopes that such potential vulnerabilities are unknown to both the good guys and the bad guys. And that when something like this is discovered, that the good guys find it first or are at least right behind the bad guys in discovering it. That's why one of the first questions in a case like this is: "When was the faulty code introduced?" In this case, the answer of "two years ago" makes everyone think: "Oh boy. . . the potential for catastrophic damage. . . on something as ubiquitous as OpenSSL. . . and it's been there for two years." That is unprecedented. But we've long-expected that eventually something like this will come up. And it will someday happen again.
    Last edited by Hurin; Apr 12 2014 at 11:45 PM.

  14. #14
    Join Date
    Apr 2011
    Location
    Michigan
    Posts
    4,995
    Quote Originally Posted by frickinmuck View Post
    Mar, I like you and all, but this is a big deal. No, people shouldn't panic and no, they shouldn't freak out. But nor should they pooh-pooh it and pretend it's not a big deal. It comes off as a bit flat-earthy. The facts are what they are.
    Never once did I pooh-pooh it. And it is a big deal... for some. Banking websites, for example. The facts are that, once potentially vulnerable structures (websites) update their software, then the story is over. Change your passwords (and the such) if you feel the need and be done with it. Until that software is updated, no amount of password-changing will help. If the bad guys got your old password, then changing it will just give them your new password. There is no difference to them. The servers my dad maintains at work (and elsewhere) have already been updated, so he and his crew are moving on to different matters. For day-to-day activities, it isn't a threat anymore for them. If you have sensitive data (such as that which you'd store on banking websites: CC info, etc) then you'll want to protect that. But LOTRO is just one very small fish in a very, very big ocean. If there's a shark swimming around, it may swallow a goldfish by chance, but it's gonna be going after the bigger meat.

    Hurin - I'll say this once and only once: Despise me and my opinion all you want, but I won't tolerate slanderous comments against my father.

    As for the rest: you clearly need to reread my original post. The driving point was to ask why the OP thought Turbine had to make an official announcement about Heartbleed (a question which they still have not answered). At this point, after 3+ threads on the topic and a lot of concern, an announcement IS warranted, just to put people's minds at ease.

    But until the problem is fixed, what good does it do? "Hey guys, we are vulnerable right now. Just wanted to let you know!" That would do us all a world of good. (Not.) People need to sit tight and wait instead of blowing this all out of proportion. Once the issue is resolved, THEN is the time for an announcement. If there is nothing we can do and there is nothing they can do, then what good does an announcement do? Does publicly acknowledging it somehow change the facts?

    Heartbleed is a serious issue. The question is: for whom? THAT has been my stance the entire time. A tornado in the middle of a field on the other side of the planet doesn't affect me. The question people need to be asking is, how does this affect me? And when it gets right down to it, it may not affect me at all. I believe the numbers fall around 66% of the internet that uses Apache (and a second piece of software; I forget the name). Those two were, IIRC, the most vulnerable.

    For what it's worth, Heartbleed is identified as CVE-2014-0160. CVE stands for Common Vulnerabilities and Exposures. Apparently it's a serious "common" bug. The reason it is so serious is twofold: the duration of its undetected existence and how easy it is to exploit without leaving a trace. The German PhD student who inadvertently gave birth to the bug made a programming error, which is rather common. A loophole, I suppose, would be the best analogy.

    For recovery, there are four categories of data. Primary key material can only be safeguarded by a service's owners. Secondary key material is our passwords and the such. It is essential that we, the user, first confirm that the problem has been dealt with. As the fixed code is already in circulation, I imagine every business, organization, etc. will have it taken care of swiftly. It's already been (roughly?) a week. Any competent business would ideally have it fixed by now. After that, users can start changing passwords and whatnot. Naturally, that depends on whether the service was compromised in the first place (for what it's worth, I think Sapience has been on vacation and it is now the weekend -- not sure we can expect any word until Monday). The third category is protected material. This is general content (contents of emails, IMs, etc). Again, the owners have to deal with this (only after they ensured they are protected again) and there really isn't any way to protect it now. If your email is out there, nothing is gonna get it back. Lastly, collateral damage. Random bits of data that effectively lose all value once the service is protected.

    For the user, any number of things have the potential of being affected. Here are the recent versions of OpenSSL and their vulnerabilities (if any):

    Status of different versions:

    • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    • OpenSSL 1.0.1g is NOT vulnerable
    • OpenSSL 1.0.0 branch is NOT vulnerable
    • OpenSSL 0.9.8 branch is NOT vulnerable

    Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

    So the fixed version was released almost a week ago. Service providers have effectively had an entire work-week to deal with the situation and take appropriate action beyond updating. Some operating systems were also directly affected (having been shipped with the vulnerable versions), the most familiar to me being Ubuntu and Fedora (which I'm only familiar with by name).

    Almost amusingly (considering we are in an MMO with lots of bugs itself), there is listed a "bright side". Other bugs (on a far smaller and more "insignificant" scale) are getting taken care of with this. Fixing this bug has given the techs as good an opportunity as any other to fix a few others as they go, which will help seal up other leaks.

    So, we have all this in hand. Let's just put LOTRO aside for a moment and talk on broader, more generic terms. If you were a hacker who discovered Heartbleed and found the opportunity to steal data -- what would you be going for? Someone's pixels on a screen or someone's thousands in a bank? Just because the window was open, doesn't mean the perpetrator won't climb down the chimney. Once we know one way or the other about the status of Heartbleed and any services still affected (if any), then we can determine for ourselves whether or not further action is warranted. Some may decide to change their passwords. That's okay. It's generally a good idea anyway, just to keep bad guys on their toes. Others may decide not to. As I said, even if you get your credit card information stolen, banks are required by law to not hold you responsible. Report it as soon as you notice any suspicious activity and get a new card. There isn't any need to get a new card until then, unless you feel you must, for personal peace of mind. Also, some things simply can't be protected. A perpetrator may now know your home address. Are you going to sell your house and move just so they don't know where you live anymore? To what extent will you take it? Bugs, both severe and small, appear every day. Some by accident (as this one seems to be), some intentional. That's part of the reason why it's not a bad idea to change your passwords on a regular basis. At one of my jobs, we have to change our passwords every month. It's murder on the memory, but it's supposed to help keep things more secure. But one of the worst things a person can do is panic. Panicking tends to make people trigger-happy. Next thing you know, they'll be changing all their passwords without even knowing whether it's safe to do so.

    TL;DR

    An announcement would be good at this point, just to put everyone's minds at ease. But at the outset? The OP him/herself admitted that LOTRO/Turbine would seem to be unaffected, and yet he/she still wanted them to make an announcement. Why would Turbine make an announcement about something that doesn't even affect them? Do you guys seriously expect Turbine to let us know if some vulnerability gets detected in, for example, SWTOR? It's not their game, it's none of their business. If SWTOR was vulnerable (not saying it is, just using it as an example drawn out of thin air), then it's SWTOR's business to let their customers know. Not Turbine's.

    If the OP thought Turbine was vulnerable, then some shedding of light by a Turbine employee would be warranted. But the OP didn't think Turbine was vulnerable. That was the basis for my question in the first place. I see no reason why they shouldn't make an announcement, but I also see no reason why they should. Except, of course, now everyone seems quite scared, and a confirmation would go a long way towards restoring peace of mind (at least as far as LOTRO is concerned; everyone would still have to double-check their other services).

    Beyond that, the only reason I would understand to support an announcement, is to just let everyone know they are not affected, essentially confirming the OP's guess. But the end result is the same: peace of mind. There would be no need to have everyone change their Turbine passwords and other extra steps to protect their accounts. That kind of safeguarding wouldn't be warranted.

  15. #15
    In regards to the 2 year open-end on this bug

    Part of the overall difficulty any company can deal with is the future, not the past. They can patch the software, they can get new encryption keys and certificates and users can change passwords as needed but.. no one can say what was or was not taken over the last 2 years.

    It's rather hard for people to realize that even very smart crypto folks did not see this coming but it (Heartbeat) is a feature that is not fully used but is included in the package. No one was looking and only 1 person "reviewed" the code and accepted it into the project.

    The problem that Heartbeat was intended to solve is inherent with the way the internet works: You don't want to send data to someone who's disconnected, so you have to ping them to see if they are still there. There are a lot of variations on this but it goes on throughout the 7 OSI layers. ( http://en.wikipedia.org/wiki/OSI_layer )

    There will no doubt be changes in the way the Open Source software gets handled in the future, but even with changes, if no one looks then no one knows, regardless of how many safeguards there are or bugs that may be introduced. The long term issue of programmer bugs and how they get resolved (or not) is the same in many corporations.

    Part of the problem for anyone saying it's fixed is that they really don't know what's fixed and what's not. Some of the bigger systems will be fixed but if 1 out of 1,000,000 servers gets missed well.. it's not fixed.

    The data that could be gathered is what was in the active server memory at the time. For companies like Facebook with lots of users logging in and out, that would be passwords and personal information. For technology companies like Google, that could be technical documents or corporate email or board of directors meeting minutes that were flowing through the memory at the time. For game companies it could be game plans, corporate email exchanges, personnel issues, chit chat, technical specs. For Cisco it might be the latest architectural documents on a new router.

    No one knows. It's hard to say it's safe when you cannot know. It's not a panic mode but certainly companies will respond with a new level of awareness.

    There are other exploits and malware for sure, all designed to get the exact same information. This one though was so In Your Face that no one realized The Emperor Had No Clothes. There are others just like this waiting to be discovered or uncovered.


    "The Emperor's New Clothes" (Danish: Kejserens nye Klæder) is a short tale by Hans Christian Andersen about two weavers who promise an Emperor a new suit of clothes that is invisible to those unfit for their positions, stupid, or incompetent. When the Emperor parades before his subjects in his new clothes, a child cries out, "But he isn't wearing anything at all!"

    http://en.wikipedia.org/wiki/The_Emp...7s_New_Clothes

  16. #16
    Join Date
    Apr 2011
    Location
    Michigan
    Posts
    4,995
    Quote Originally Posted by SabrielofLorien View Post
    There are other exploits and malware for sure, all designed to get the exact same information. This one though was so In Your Face that no one realized The Emperor Had No Clothes. There are others just like this waiting to be discovered or uncovered.

    "The Emperor's New Clothes" (Danish: Kejserens nye Klæder) is a short tale by Hans Christian Andersen about two weavers who promise an Emperor a new suit of clothes that is invisible to those unfit for their positions, stupid, or incompetent. When the Emperor parades before his subjects in his new clothes, a child cries out, "But he isn't wearing anything at all!"

    http://en.wikipedia.org/wiki/The_Emp...7s_New_Clothes
    lol Now I know where the title for The Emperor's New Groove originated from. xD

    But anyway, not only is there no way to protect the past (too late is still too late, no matter how much you know now; sadly, there are no time machines for us) but there's also no way to know what (if anything -- there is no guarantee that even the bad guys knew about Heartbleed) was stolen. Someone out there may have had their credit card info stolen in the last two years. Heartbleed victim, or something else entirely? As Heartbleed leaves no traces, all the user would know is that they were hacked. They'd have no way of knowing whether it was Heartbleed or something else. All that can be done now is to take steps to "secure" the future, and I use quotation marks because, also as you and Hurin say (and I said earlier as well), nothing is truly secure. There are merely different levels of security, some more secure than others. Obviously, as far as Heartbleed is concerned, affected providers need to update to the "secure" form of OpenSSL, and moving forward be more vigilant. The German PhD student is innocent until proven guilty, in my book, but even if it was an accident, it still happened. Frankly, I find it more concerning that only 1 person checked a student's work before spreading a piece of code across so much data. It may be cliche but... epic fail?

  17. #17
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by Mar-Evayave View Post
    Never once did I pooh-pooh it.
    This is blatantly untrue. Anyone reading your first post can see that. Now, if you want to disavow what you wrote, that's something else. . . why not just do so?

    Hurin - I'll say this once and only once: Despise me and my opinion all you want, but I won't tolerate slanderous comments against my father.
    Oh freakin' please. I said that he is no doubt wise. But can also be mistaken. If you cite your own father as an authority (belatedly) and yet claim that he agrees with your demonstrably mistaken understanding of the situation here, am I not allowed to tell you that he is possibly mistaken?

    Wait, are fathers now "I win" cards in internet arguments? You just say "my dad told me" and it's game over? That rules!

    Who knew that dads everywhere are now both infallible and unassailable? And that calling them wise is now "slander."

    Or can I trump something your father told you with something that my grandfather told me?

    As for the rest: you clearly need to reread my original post. The driving point was to ask why the OP thought Turbine had to make an official announcement about Heartbleed (a question which they still have not answered). At this point, after 3+ threads on the topic and a lot of concern, an announcement IS warranted, just to put people's minds at ease.
    Though you're still downright hostile towards those who corrected and informed you, it's nice to see that you're finally coming around, and now understand the situation a lot better. Though there's still some things you either fail to understand or simply refuse to acknowledge because that would amount to admitting how wrong you were.

    I'm now going to skip over all of the following. It's nice that you're starting to learn about this before pontificating further. But why do I get the sense that you've only been (somewhat) learning all of this because you're desperate to find something, anything to prove that you haven't been completely wrong. . . but failing that, you're now just trying to drown us with all of your new-found knowledge. . . I mean, you're giving us the CVE and telling us what it means? Really?

    Heartbleed is a serious issue. The question is: for whom? THAT has been my stance the entire time. A tornado in the middle of a field on the other side of the planet doesn't affect me. The question people need to be asking is, how does this affect me? And when it gets right down to it, it may not affect me at all. I believe the numbers fall around 66% of the internet that uses Apache (and a second piece of software; I forget the name). Those two were, IIRC, the most vulnerable.

    For what it's worth, Heartbleed is identified as CVE-2014-0160. CVE stands for Common Vulnerabilities and Exposures. Apparently it's a serious "common" bug. The reason it is so serious is twofold: the duration of its undetected existence and how easy it is to exploit without leaving a trace. The German PhD student who inadvertently gave birth to the bug made a programming error, which is rather common. A loophole, I suppose, would be the best analogy.

    For recovery, there are four categories of data. Primary key material can only be safeguarded by a service's owners. Secondary key material is our passwords and the such. It is essential that we, the user, first confirm that the problem has been dealt with. As the fixed code is already in circulation, I imagine every business, organization, etc. will have it taken care of swiftly. It's already been (roughly?) a week. Any competent business would ideally have it fixed by now. After that, users can start changing passwords and whatnot. Naturally, that depends on whether the service was compromised in the first place (for what it's worth, I think Sapience has been on vacation and it is now the weekend -- not sure we can expect any word until Monday). The third category is protected material. This is general content (contents of emails, IMs, etc). Again, the owners have to deal with this (only after they ensured they are protected again) and there really isn't any way to protect it now. If your email is out there, nothing is gonna get it back. Lastly, collateral damage. Random bits of data that effectively lose all value once the service is protected.

    For the user, any number of things have the potential of being affected. Here are the recent versions of OpenSSL and their vulnerabilities (if any):


    So the fixed version was released almost a week ago. Service providers have effectively had an entire work-week to deal with the situation and take appropriate action beyond updating. Some operating systems were also directly affected (having been shipped with the vulnerable versions), the most familiar to me being Ubuntu and Fedora (which I'm only familiar with by name).

    Almost amusingly (considering we are in an MMO with lots of bugs itself), there is listed a "bright side". Other bugs (on a far smaller and more "insignificant" scale) are getting taken care of with this. Fixing this bug has given the techs as good an opportunity as any other to fix a few others as they go, which will help seal up other leaks.

    So, we have all this in hand. Let's just put LOTRO aside for a moment and talk on broader, more generic terms. If you were a hacker who discovered Heartbleed and found the opportunity to steal data -- what would you be going for? Someone's pixels on a screen or someone's thousands in a bank? Just because the window was open, doesn't mean the perpetrator won't climb down the chimney. Once we know one way or the other about the status of Heartbleed and any services still affected (if any), then we can determine for ourselves whether or not further action is warranted. Some may decide to change their passwords. That's okay. It's generally a good idea anyway, just to keep bad guys on their toes. Others may decide not to. As I said, even if you get your credit card information stolen, banks are required by law to not hold you responsible. Report it as soon as you notice any suspicious activity and get a new card. There isn't any need to get a new card until then, unless you feel you must, for personal peace of mind. Also, some things simply can't be protected. A perpetrator may now know your home address. Are you going to sell your house and move just so they don't know where you live anymore? To what extent will you take it? Bugs, both severe and small, appear every day. Some by accident (as this one seems to be), some intentional. That's part of the reason why it's not a bad idea to change your passwords on a regular basis. At one of my jobs, we have to change our passwords every month. It's murder on the memory, but it's supposed to help keep things more secure. But one of the worst things a person can do is panic. Panicking tends to make people trigger-happy. Next thing you know, they'll be changing all their passwords without even knowing whether it's safe to do so.

    TL;DR
    Wow. So. . . I'm also going to mostly gloss over the "defense by obscurity" in the above again. I mean, nobody takes that seriously. People engage in shenanigans all the time just to deface and vandalize. There need not be a profit motive. At all. I can put you in touch with several people who have fallen victim to folks who have gone to extraordinary lengths just to demolish their hard work for no real reason at all.

    If the OP thought Turbine was vulnerable, then some shedding of light by a Turbine employee would be warranted. But the OP didn't think Turbine was vulnerable. That was the basis for my question in the first place. I see no reason why they shouldn't make an announcement, but I also see no reason why they should. Except, of course, now everyone seems quite scared, and a confirmation would go a long way towards restoring peace of mind (at least as far as LOTRO is concerned; everyone would still have to double-check their other services).

    Beyond that, the only reason I would understand to support an announcement, is to just let everyone know they are not affected, essentially confirming the OP's guess. But the end result is the same: peace of mind. There would be no need to have everyone change their Turbine passwords and other extra steps to protect their accounts. That kind of safeguarding wouldn't be warranted.
    You are still, despite everything written above, missing one fundamental concept. It doesn't matter what the OP thinks or assumes, it only matters what he knows and can prove. At the time most players became aware of this, many sysadmins had already received the "red alert" and patched OpenSSL. In the case of the OP, he ran the test, saw that LotRO is not currently affected according to imperfect testing available to us, and now doesn't know what to do. . . because he only (imperfectly) thinks he might know Turbine's current state. The fact that their version of OpenSSL is the modern version and yet does not seem vulnerable (patched?) today seems to indicate one thing (they have addressed it), and yet the old date on the certificate seems to indicate another (they addressed it, addressed it incompletely, or didn't address it at all), etc. Only Turbine can tell us. . .

    1. We were never vulnerable. There is no need to change your password.
    2. We were vulnerable but recently patched and are no longer vulnerable. It is now safe to change your password which we advise. (ignore that our certificate is still old)
    3. We remain vulnerable (the external testing is inaccurate). We're working as fast as we can to address this and we'll tell you when it's safe to change your password. It's not currently safe to change your password.


    Because, based on prior situations like this, we know that Turbine may in fact never comment on this situation (edit: Incidentally, I've actually made posts similar to yours in which I sought to defend Turbine against spurious and/or silly calls for Turbine to make "announcements". . . the key difference being that I knew what I was talking about and could actually demonstrate via facts and sound reasoning why such calls were either silly or spurious), I've said both here and elsewhere that #2 above is the safest bet. But that is an assumption. My thinking is that if either #1 or #2 is true, then there's no harm in behaving according to #2. But, if I'm wrong, and #3 is actually the case, then people will be putting their passwords at risk by trying to protect them. So, hypothetically, fearing #3 is the case, they won't change their password. . . and the bad guys will use their credentials before they are changed. Even though, had Turbine communicated that the situation was really #2, the user could have changed their credentials and effectively protected them before the bad guys could use it.

    There is a freakin' reason why each and every announcement about "how to handle heartbleed" urges people to wait until their service provider confirms that they are no longer (or never were) vulnerable before changing passwords. And yet you're still trying to pretend that it's some mystery why people would even request this information if they can just run a (non-authoritative) test and see that the website isn't vulnerable as of now.

    Anyways, I can't stop you from continuing to pretend that you haven't said what you've said, or that what you said didn't actually mean what it obviously means. And I must admit that it's amusing that you've now gone from asserting that there's nothing new here and no need for an announcement to now repeating back in even more verbose form (though still somewhat misunderstood) all the very things we were trying to tell you all along as though all along you've been the one trying to educate us about the complexities and potential effects of this issue. Priceless.

    If you're not just willing to own up to what you said prior and admit that you were wrong. . . I can't make you. Nor do I really want to do so. I think it's blatantly obvious that your views about this have indeed changed (however reluctantly and however much you try to claim that they haven't lest you actually concede an inch of rhetorical ground). And that's good enough for me.

    I asked my dad if he thinks you realize you've been wrong and just won't admit it. He agrees with me. So I guess that settles that!

    --H
    Last edited by Hurin; Apr 13 2014 at 02:17 AM.

  18. #18
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by Mar-Evayave View Post
    Never once did I pooh-pooh it.
    Quote Originally Posted by Mar-Evayave View Post
    At what point did I say this was not a serious problem?
    Let's have a look. . .

    Quote Originally Posted by Mar-Evayave View Post
    Why? I never heard of it before but googled it. Google seems to indicate this bug is nothing new. And why would Turbine make an announcement about it? There are bugs and hacks all over the internet -- that doesn't mean Turbine needs to give us an announcement about all of them. They made an announcement about Pando Media Booster because it was directly linked to this game's download. But any random bug floating around? I'm not sure why you feel that Turbine should announce it? That would be like Turbine making an announcement about a Windows 8 bug that doesn't even effect them.
    Now. . . let's just make it about a different (infinitely more tragic) topic with (otherwise) the exact same language/sentiments. . .

    Why would the government make an evacuation announcement about Katrina? I never heard of Katrina before but googled it. Google seems to indicate this storm is nothing new. There are storms and weather events all over the globe -- that doesn't mean the government needs to give us an evacuation announcement about all of them. They made an announcement about hurricane Andrew because it was headed directly for Washington D.C. But any random hurricane? I'm not sure why you feel that the government should announce it? That would be like the government making an announcement about a storm in Italy that doesn't even effect them.

    Am I equating a software vulnerability with a human tragedy like Katrina? No, I am not doing that in any way. But, by putting a different topic in there as the target of your language, I have demonstrated that nobody could honestly read that and not think that you are trying to "pooh pooh" or downplay the significance of what we're being warned about. See what I did there? By "raising the stakes" to something of which the severity is unquestioned, the inherent and inescapable meaning/intent of your words (to diminish or "pooh pooh") is highlighted.

    The End.
    Last edited by Hurin; Apr 13 2014 at 03:30 AM.

  19. #19
    Join Date
    Jun 2011
    Posts
    1,656
    Quote Originally Posted by Hurin View Post
    Were you one of my users, you would have gotten that impression from me as well.
    Ah, you have totally misinterpreted my post.

    This is not some far-away team of people that we just get emails from or some-such, these are people that we work closely with on a daily basis. The network team is actually housed within the same room as the technical department that I work in. These people are good friends of mine that I go socialising with as well. You can be certain that I would have known about it if they considered it a serious issue.
    How to get help on the Tech Forums and how to contact Turbine

    Please reply to the topic or PM me if a solution I posted works for you: The more data I can gather the better I can help.

  20. #20
    Join Date
    Aug 2008
    Location
    Vancouver, BC Canada
    Posts
    3,092
    Guys, this is getting increasingly harsh and off-topic. Can we get back on track?

    My question is, if the sites are vulnerable - which I doubt they are but if they are - now that the vulnerability is widely known, doesn't that mean that the likelihood someone is trying to take advantage of it is increased, and therefore changing one's password before we have the go-ahead to do so puts us at a greater risk than prior to the widespread knowledge of this vulnerability? I hope I phrased this in a comprehensible way. I'm just wondering if changing my password before it's been explicitly stated as safe to do so is a bad idea.

  21. #21
    Join Date
    Feb 2007
    Location
    USA
    Posts
    4,451
    Quote Originally Posted by WBS View Post
    Ah, you have totally misinterpreted my post.

    This is not some far-away team of people that we just get emails from or some-such, these are people that we work closely with on a daily basis. The network team is actually housed within the same room as the technical department that I work in. These people are good friends of mine that I go socialising with as well. You can be certain that I would have known about it if they considered it a serious issue.
    So, for the record, your guys are not only telling you that this is not a serious issue for them, but telling you that it doesn't have the potential to be a serious issue at all? For anyone? I just have to assume that they're in the "the bad guys hopefully didn't have this" camp and hope in that possibility is all they need to relax. That same rationale is why I'm not freaking out about my own servers because even if that hope fails, it won't be bad for us. But that's not the case for everyone. It wouldn't be the case for my seven-year-old stable of characters.

    But, I'm done here. To each their own then.

    As is usually the case in these situations, I woke up dreading any replies that might be here.

    It's easy for someone (not you, just in general, everywhere) to post specious arguments. But it can be time-consuming and exhausting to diligently dismantle them and demonstrate cogently where facts are incorrect, assumptions are bad, or logic is faulty.

    So when I wake up with a pit in my stomach because I just know I'm going to feel compelled to waste more time doing all that for folks who won't ever give even an inch or even accurately represent what they said prior, it's just time to put on the brakes and exert a little willpower.

    If anyone wants to come in here, readily admit that they have no knowledge on this subject and didn't know about it until a minute ago, and then go on to undermine legitimate questions citing their fathers or their coworkers as authorities, you won't hear a peep from me. I'm done.

    Everything probably will be okay for the vast majority of people. But not because we just hope so. Hope has zero effect.

    --H
    Last edited by Hurin; Apr 13 2014 at 01:21 PM.

  22. #22
    Join Date
    Jun 2011
    Posts
    1,104
    Quote Originally Posted by frickinmuck View Post
    Guys, this is getting increasingly harsh and off-topic. Can we get back on track?
    Yes.
    Quote Originally Posted by frickinmuck View Post
    My question is, if the sites are vulnerable - which I doubt they are but if they are - now that the vulnerability is widely known, doesn't that mean that the likelihood someone is trying to take advantage of it is increased, and therefore changing one's password before we have the go-ahead to do so puts us at a greater risk than prior to the widespread knowledge of this vulnerability? I hope I phrased this in a comprehensible way. I'm just wondering if changing my password before it's been explicitly stated as safe to do so is a bad idea.
    Websites seem to be secure, but communication has to be considered as unencrypted in the worst case scenario.
    This could be a problem if you are in an unsafe network (e.g. a public WLAN) or any other network with potential listeners. Probability for this scenario is low, so if you're at home I guess you're on the safe side.

    Still this does not say anything about the SSL version of the LOTRO game servers, so also your new password *could* again be compromised. Changing it regularly will lower the risk of exploitation.

  23. #23
    Quote Originally Posted by thinx View Post
    Yes.


    Websites seem to be secure, but communication has to be considered as unencrypted in the worst case scenario.
    This could be a problem if you are in an unsafe network (e.g. a public WLAN) or any other network with potential listeners. Probability for this scenario is low, so if you're at home I guess you're on the safe side.

    Still this does not say anything about the SSL version of the LOTRO game servers, so also your new password *could* again be compromised. Changing it regularly will lower the risk of exploitation.
    This is another interesting side-view but not of the SSL issue. Changing passwords is a recommended procedure BUT if your system is already compromised all you do is hand the new password out. It doesn't protect you at all and can make it worse. It's a function of whether your system is "secure".

    How "secure" a system is has been shown to be not-at-all-secure over the last year. There are 2 sorts of bad guys out there today. The ones we thought were the "bad guys" looking to snag passwords, credit cards and financial information and install malware of all nasty sorts. The other set of "bad guys" to be outed are perhaps worse, because they are sanctioned by laws, legal proceedings, legal exemptions, congressional/parliamentary approvals, government (non) oversight and are part of every government in the world, they have access to nearly unlimited funding and create some of the worst malware on the planet. So much so, you really can just give up the idea that your system is "secure" and just move right on over to "not secure" for the duration.

    Heartbleed fulfills some of the requirements of such malware, but appears to have been a simple programming error. Similar to the ones recently at Apple with 2 bugs that were patched in about March 2014, and one of them had been in their code base since 2005, leaving thousands of apps subject to eavesdropping.

    Another aspect is that one person's security requirements don't always match with someone else's security requirements. For all the "bad guys" out there getting all the goodies they can on you there are the "good guys" that do pretty much the same thing, except we accept their tracking, data harvesting, information demands and invasive requirements "freely" and without much thought.

    If you give all your personal information "freely" to a corporation and permit them full access to information about you, then there's not much left that the "bad guys" of both kinds really need to gather up. Corporations track everything about you. YOU are the commodity they SELL. You are not a CUSTOMER, you are the PRODUCT.

    The technical pieces are there to stop the "bad guys" but these will also stop the "good guys" who do exactly the same things. The Product that is being Sold is far too valuable to let "get away". If these corporations who offer "free stuff" cannot sell YOU to an advertiser, well... let's just say they are not going to let that happen or happen easily. For this group and "bad guys #1 and #2", the requirements are identical. They want YOU and they want what YOU have and they want everything there is to know about YOU 24x7x365. They won't relinquish this access to YOU easily.

    The gravy train is so valuable that now these same corporations are moving to get YOU to track your Friends, Neighbors, Strangers in the Street for them. Every piece of data gathered ensures that YOU will remain 100% bought and sold to others. And they are so clever that they are getting YOU to buy your own tracking devices, giving them full access to everything in your life and the lives of those around you.
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel
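    The "simple programming error" mentioned above, as an added example that is not code from this thread or from OpenSSL: a toy heartbeat handler in the vulnerable shape beside the hardened shape, both run against a constructed record whose header claims more bytes than were actually sent. The record layout, the handler signatures and the SESSION_SECRET contents are assumptions of this example.

```c
/* Added example (not code from this thread or from OpenSSL): a toy model of the
 * TLS heartbeat handler where Heartbleed lived. Simplified record layout:
 * [type:1][payload_length:2 big-endian][payload...][padding:16]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PADDING 16
typedef size_t (*heartbeat_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Constructed data that happens to sit in memory right after the record. */
static const char SESSION_SECRET[] = "session=abc123;user=demo";
static size_t claimed_payload_length(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];   /* length the peer claims */
}

/* Vulnerable shape: copies the claimed number of bytes without consulting
 * rec_len (bytes actually received), so the copy runs past the record into
 * whatever follows. rec points into a buffer we own, so it stays in-process. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    (void)rec_len;                      /* the bug: actual length ignored */
    size_t n = claimed_payload_length(rec);
    if (n > out_cap) n = out_cap;       /* bounds the toy's output only */
    memcpy(out, rec + 3, n);
    return n;
}

/* Hardened shape (the logic of the upstream fix): respond only if header +
 * claimed payload + padding fit within the bytes received; otherwise drop. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + PADDING) return 0;
    size_t n = claimed_payload_length(rec);
    if (1 + 2 + n + PADDING > rec_len) return 0;
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + 3, n);
    return n;
}

/* Record whose real payload is "ping" (4 bytes) but whose header claims
 * 'claimed' bytes, with SESSION_SECRET placed right after the record. */
static size_t build_arena(uint8_t *arena, size_t cap, size_t claimed) {
    memset(arena, 0, cap);
    arena[0] = 1;                              /* heartbeat request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "ping", 4);
    size_t rec_len = 3 + 4 + PADDING;          /* true length of the record */
    memcpy(arena + rec_len, SESSION_SECRET, sizeof SESSION_SECRET);
    return rec_len;
}

/* 1 if the handler's response to a record claiming 'claimed' bytes contains
 * SESSION_SECRET, 0 otherwise. */
static int response_leaks_secret(heartbeat_fn handler, size_t claimed) {
    uint8_t arena[256], out[256];
    size_t rec_len = build_arena(arena, sizeof arena, claimed);
    size_t n = handler(arena, rec_len, out, sizeof out);
    size_t slen = strlen(SESSION_SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SESSION_SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claims 64: leaks=%d\n", response_leaks_secret(heartbeat_vulnerable, 64));
    printf("fixed, claims 64:      leaks=%d\n", response_leaks_secret(heartbeat_fixed, 64));
    return 0;
}
```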

  24. #24
    Join Date
    Apr 2011
    Location
    Michigan
    Posts
    4,995
    Quote Originally Posted by frickinmuck View Post
    My question is, if the sites are vulnerable - which I doubt they are but if they are - now that the vulnerability is widely known, doesn't that mean that the likelihood someone is trying to take advantage of it is increased, and therefore changing one's password before we have the go-ahead to do so puts us at a greater risk than prior to the widespread knowledge of this vulnerability? I hope I phrased this in a comprehensible way. I'm just wondering if changing my password before it's been explicitly stated as safe to do so is a bad idea.
    In an ideal situation, all doors have now been closed (unfortunately, I suspect the situation isn't quite so ideal at the moment). But I do wonder if you are right. Even supposing "the bad guys" didn't find out until the same time as "the good guys", there was still some measure of time between the initial discovery and the release of the update. That's time for the bad guys to do their dirty work.

    On the other hand, it strikes me as a bit brain-dead to publicly announce an issue in that manner. Wouldn't they want to first keep it hush-hush, scramble to put together a patch, verify the patch is gonna work, and then go public as the update is distributed? That reduces the amount of time the bad guys have to work with, keeping any potential problems to a minimum. After that point, if services are too slow to update, then it's sorta their own fault if they got hacked. It seems they would want to implement the fix asap, rather than procrastinate.

    As for an increased chance of being taken advantage of by changing passwords now, I'm not sure whether or not that would happen. It's been suggested that changing your password would put it at the top of the list. I can't speculate on that. In the very least, however, if the door is still open, changing passwords won't necessarily help. They may/may not hurt, but they wouldn't help either. If you change your locks, it really doesn't matter if the door is still open.

  25. #25
    Join Date
    Jun 2011
    Posts
    1,104
    Quote Originally Posted by SabrielofLorien View Post
    This is another interesting side-view but not of the SSL issue. Changing passwords is a recommended procedure BUT if your system is already compromised all you do is hand the new password out. It doesn't protect you at all and can make it worse.
    This was the answer to the question, no more, no less. Is it a bad idea? No.
    Is it a good one? Difficult to say.
    Servers with heartbleed will potentially expose data with every login (no matter if passwords are changed or kept). This data can be retrieved by everyone.
    Servers with fixed heartbleed but old certificates/keys expose the client-server connection with every login. This data can be retrieved by listeners and man in the middle attackers that have those certificates/keys.
    In all cases logging in is exactly as bad as changing the password. People that wrote in this forum or played the game have logged in. What could happen, could already happen now.
    Note we still do not know if the game servers are fixed.

    The rest is the same type of paranoia I also have.
