Merry Christmas!!!

Posted by Kaelten Dec 26, 2008 at 04:12 UTC

I hope everyone has had a great Christmas, or observation of choice. Sorry I didn't post it earlier, my internet is spotty atm.

Anyway, blessed holidays to all!

  1. 2 comments

Re: QuestHelper or CurseClient Keylogger Rumors

Posted by Kaelten Dec 11, 2008 at 15:17 UTC

There are a great number of people who are claiming that after downloading QuestHelper and/or the CurseClient that they are getting hacked, keylogged, or that their babies are being stolen by ninja mutant Elvises (or would it be Elvisi?).

I'd like to point out that the first two are as likely as the last, providing that:

  • You're only using versions of the CurseClient that have been hosting on Curse/CurseForge or ones linked to you directly by myself or other staff members (aka alphas).
  • You're only getting QuestHelper from reputable addon sites, such as,, or To my knowledge it's not been uploaded anywhere else by the authors.
  • You haven't paid a ninja mutant to dress up as Elvis and steal your baby.

Sadly these type of rumors are often started and perpetuated by people looking to discredit others and most of the attacks I've seen recently are slanted as anti-Curse.

There was recently a 24 page thread generated (in one freaking day!) on the official WoW forums. The instance of some of the posters there into ascribing guilt to various people and groups combined with some obvious misinformation makes me wonder if it's an intentional propaganda move. However, this is mere speculation as I have no evidence to support the thoughts as fact.

As far as keyloggers go. Please keep in mind it's most likely not the last thing you did that got your account comprised. It is a fairly common practice for these the groups responsible for hacking your accounts to wait weeks or even months before attempting to use a password.

Also, brute force attacks are not completely unheard of. So if your password is 'god', 'sex', or 'secret' please change it right away!

Lastly, a few things to remember:

  • Curse does in no way support the keyloggers, account hijacking, or gold selling.
  • You can't get a keylogger from an addon as long as you just put the files contained therein in your addon directory. You'd have to run an executable somewhere!

  1. 20 comments

Per-project role-based access control system

Posted by ckknight Dec 05, 2008 at 17:27 UTC

Hey, beautiful people.

I've been working on a per-project role-based access control system, and it's finally in place now. You may have guessed yesterday when the site was having some downtime that something was happening, and we were working out the final kinks of the system then.

Side note: Technically, this is per-repository and not per-project, but the mainline repository defines users' permissions in a project.

What this means:

Instead of just Project leader and authors, we can have multiple roles, e.g. Translators, QA, Documenters, Authors, Managers, and really anything that we can think of.

The way the system works:

There is a set of roles that we administrators define. Each role has a set of permissions attached to it.

Each repository has a set of role assignments which grant a user to one or more roles (Yes, you could be both QA and a Translator at the same time).

Each user would then have a set of permissions on a repository defined by the set of permissions of all their roles on that repository.

Here's the set of permissions:

  • Abandon project
  • Clone closed repository
  • Commit to code repository
  • Delete repository
  • Manage english project translations
  • Manage files
  • Manage project components
  • Manage project pages
  • Manage project reward splits
  • Manage project milestones
  • Manage project images
  • Manage project tickets
  • Manage project ticket templates
  • Manage relationships
  • Manage remote sync
  • Manage roles
  • Merge project
  • Resubmit project for approval
  • View code repository
  • Manage repository
  • Manage project

As it stands, we only have Manager (which has all permissions) and Author (which doesn't have as many permissions).

We do want to work on adding more roles, but we need good ideas on what is wanted as far as that is concerned. So if you have some good ideas, feel free to contact us or just leave a comment here.

Currently, all managers are also authors, and any new projects will have the owner be both a manager and an author. Note that the manager can unassign himself as an author.

  1. 5 comments

Malicious Spammer Alert

Posted by Kaelten Dec 02, 2008 at 01:10 UTC

Hey guys,

Another jerk or group of jerks took advantage of the holiday weekend to spam a few thousand comments on the website.

These comments, due to a small security hole in one of the parsers, was able to embed an iframe on the page. It would then in turn try to target out of date versions of Flash.

We've cleaned up any of the comments that we can find, prevented any further ones from rendering, and plugged the leak in the parsers.

I'm not sure exactly what he was trying to install on machines, but I know it looks like it specifically targeted IE with Flash lower than 9 r124.

We're doing what we can to ensure that this type of attack on our users is impossible in the future. Please check your flash version, if you have a vulnerable version please run a virus scanner and try to make sure all is good.

If anyone discovers more information about what exactly they where trying to do, the effectiveness, and detection/cleanup techniques please post them in the comments.

  1. 6 comments

Author Rewards Program Launching Soon

Posted by ckknight Nov 17, 2008 at 21:28 UTC

Hello, friends.

We're going to be launching a program to award authors with redeemable points. You'll be able to spend the points on game cards or similar things.

You have to opt in to receive points. You can do this at

This is still very much a work in progress, so you won't see points accumulating until we officially launch this. There also will be a wait between when points accumulate and when you can spend them at the store.

Points will be distributed based on popularity of the project. We're probably not going to reveal the exact algorithm to prevent gaming the system. We will investigate allegations of gaming the system and are more than happy to ban those who try to cheat. This is a nice pat on the back for all the authors who help drive traffic to curse, a way to say thanks, and if everything goes smoothly, make it so authors don't have to pay for their own WoW accounts, and for the addons that drive the most traffic to the site (Omen, QuestHelper, etc.), some extra perks.

Kaelten and I (ckknight) are doing the coding on the rewards system and the eventual store. No, we didn't sneak in code to steal fractions of points from people just like in Superman 3, no matter how tempting.

  1. 11 comments