Posted by Kaelten Dec 11, 2008 at 15:17 UTC
There are a great number of people who are claiming that after downloading QuestHelper and/or the CurseClient that they are getting hacked, keylogged, or that their babies are being stolen by ninja mutant Elvises (or would it be Elvisi?).
I'd like to point out that the first two are as likely as the last, providing that:
Sadly these type of rumors are often started and perpetuated by people looking to discredit others and most of the attacks I've seen recently are slanted as anti-Curse.
There was recently a 24 page thread generated (in one freaking day!) on the official WoW forums. The instance of some of the posters there into ascribing guilt to various people and groups combined with some obvious misinformation makes me wonder if it's an intentional propaganda move. However, this is mere speculation as I have no evidence to support the thoughts as fact.
As far as keyloggers go. Please keep in mind it's most likely not the last thing you did that got your account comprised. It is a fairly common practice for these the groups responsible for hacking your accounts to wait weeks or even months before attempting to use a password.
Also, brute force attacks are not completely unheard of. So if your password is 'god', 'sex', or 'secret' please change it right away!
Lastly, a few things to remember:
Posted by ckknight Dec 05, 2008 at 17:27 UTC
Hey, beautiful people.
I've been working on a per-project role-based access control system, and it's finally in place now. You may have guessed yesterday when the site was having some downtime that something was happening, and we were working out the final kinks of the system then.
Side note: Technically, this is per-repository and not per-project, but the mainline repository defines users' permissions in a project.
What this means:
Instead of just Project leader and authors, we can have multiple roles, e.g. Translators, QA, Documenters, Authors, Managers, and really anything that we can think of.
The way the system works:
There is a set of roles that we administrators define. Each role has a set of permissions attached to it.
Each repository has a set of role assignments which grant a user to one or more roles (Yes, you could be both QA and a Translator at the same time).
Each user would then have a set of permissions on a repository defined by the set of permissions of all their roles on that repository.
Here's the set of permissions:
As it stands, we only have Manager (which has all permissions) and Author (which doesn't have as many permissions).
We do want to work on adding more roles, but we need good ideas on what is wanted as far as that is concerned. So if you have some good ideas, feel free to contact us or just leave a comment here.
Currently, all managers are also authors, and any new projects will have the owner be both a manager and an author. Note that the manager can unassign himself as an author.
Posted by Kaelten Dec 02, 2008 at 01:10 UTC
Another jerk or group of jerks took advantage of the holiday weekend to spam a few thousand comments on the website.
These comments, due to a small security hole in one of the parsers, was able to embed an iframe on the page. It would then in turn try to target out of date versions of Flash.
We've cleaned up any of the comments that we can find, prevented any further ones from rendering, and plugged the leak in the parsers.
I'm not sure exactly what he was trying to install on machines, but I know it looks like it specifically targeted IE with Flash lower than 9 r124.
We're doing what we can to ensure that this type of attack on our users is impossible in the future. Please check your flash version, if you have a vulnerable version please run a virus scanner and try to make sure all is good.
If anyone discovers more information about what exactly they where trying to do, the effectiveness, and detection/cleanup techniques please post them in the comments.
Posted by ckknight Nov 17, 2008 at 21:28 UTC
We're going to be launching a program to award authors with redeemable points. You'll be able to spend the points on game cards or similar things.
You have to opt in to receive points. You can do this at http://www.curseforge.com/home/rewards-program/....
This is still very much a work in progress, so you won't see points accumulating until we officially launch this. There also will be a wait between when points accumulate and when you can spend them at the store.
Points will be distributed based on popularity of the project. We're probably not going to reveal the exact algorithm to prevent gaming the system. We will investigate allegations of gaming the system and are more than happy to ban those who try to cheat. This is a nice pat on the back for all the authors who help drive traffic to curse, a way to say thanks, and if everything goes smoothly, make it so authors don't have to pay for their own WoW accounts, and for the addons that drive the most traffic to the site (Omen, QuestHelper, etc.), some extra perks.
Kaelten and I (ckknight) are doing the coding on the rewards system and the eventual store. No, we didn't sneak in code to steal fractions of points from people just like in Superman 3, no matter how tempting.
Posted by Kaelten Nov 15, 2008 at 19:38 UTC
I apologize for not making this announcement sooner.