Website & forum behaviors

Nostalrius official announcements

Re: Website & forum behaviors

by Uzephi » Thu Mar 17, 2016 7:45 pm

jimstanky wrote:You do realize that when you're on tuleap it shows the URL as https://report.nostalrius.org/ right?


Erm... it isn't https. All my browsers actually have the HTTPS crossed out meaning there is no secure encryption.

Uzephi
Stone Guard
 

Re: Website & forum behaviors

by Dreez » Thu Mar 17, 2016 7:56 pm

Uzephi wrote:
jimstanky wrote:You do realize that when you're on tuleap it shows the URL as https://report.nostalrius.org/ right?


Erm... it isn't https. All my browsers actually have the HTTPS crossed out meaning there is no secure encryption.



http://imgur.com/E8QOC7G

The certificate is outdated (which really shouldn't have an effect); however, the connection actually is encrypted.
Dreez - PvP server
<Endzeit>
Dreez
Knight-Lieutenant
 

Re: Website & forum behaviors

by jimstanky » Thu Mar 17, 2016 7:58 pm

Pottu wrote:So you used the same account name/password combination for both the game and the bug tracker? Did I understand you correctly?

Nevermind, I found your thread and yes, that's exactly what you did.


Ok... so now Pottu, condescension aside, tell Nostalrius to take some fucking responsibility and say Tuleap is the reason people are being hacked, not stupid shit like keyloggers and other private servers. You've indicated pretty well that that is the exact reason why my account was compromised.
jimstanky
Private
 

Re: Website & forum behaviors

by Pottu » Thu Mar 17, 2016 8:06 pm

I'm sorry that you are unable to follow Basic Internet Security 101 and not use the exact same account name and password at two different sites. I fail to see how that is our fault.

Viper's announcement made it clear that we suspect that a 3rd party has gained access to a bunch of passwords because of the repeated attempts to use our website to gain access - this method would not work in-game due to our brute-force safety as it would be so slow, hence why we've now changed the website log-in methodology as well.

So I hope you see how these are two different things. If you are telling the truth and/or remembering things correctly, that you didn't use the same password on any other private server that might have had their database compromised at some point, then it is possible that somebody got your details from Tuleap instead. However, we do not run Tuleap so even in that case it's pointless to blame Nostalrius for it.

I understand that you're upset and need to vent but you are barking up the wrong tree here.
Pottu
Game Master
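
Added example, not part of the thread and not Nostalrius code: the post above separates guessing one account's password many times from replaying leaked name/password pairs across many accounts. The sketch below runs both checks over a constructed login log; the log format, addresses, account names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log, "<time> <source ip> <account> <result>"; not real data.
LOG = """\
19:00:01 203.0.113.7 alice FAIL
19:00:02 203.0.113.7 bob OK
19:00:03 203.0.113.7 carol FAIL
19:00:04 203.0.113.7 dave FAIL
19:00:05 203.0.113.7 erin OK
19:02:10 198.51.100.9 frank FAIL
19:02:11 198.51.100.9 frank FAIL
19:02:12 198.51.100.9 frank FAIL
19:02:13 198.51.100.9 frank FAIL
19:02:14 198.51.100.9 frank FAIL
19:05:00 192.0.2.4 gina FAIL
19:05:09 192.0.2.4 gina OK
"""

ACCOUNT_FAIL_LIMIT = 5     # assumed per-account lockout threshold
SOURCE_ACCOUNT_LIMIT = 4   # assumed distinct-accounts-per-source threshold

def parse(log):
    """Yield (ip, account, ok) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def locked_accounts(log):
    """What a per-account brute-force guard catches: repeated failures on one name."""
    fails = defaultdict(int)
    for _ip, account, ok in parse(log):
        fails[account] += 0 if ok else 1
    return {a for a, n in fails.items() if n >= ACCOUNT_FAIL_LIMIT}

def stuffing_sources(log):
    """Sources that try many different accounts, each only once or twice."""
    seen = defaultdict(set)
    for ip, account, _ok in parse(log):
        seen[ip].add(account)
    return {ip for ip, names in seen.items() if len(names) >= SOURCE_ACCOUNT_LIMIT}

def accounts_to_reset(log):
    """Accounts with a successful login from a flagged source."""
    flagged = stuffing_sources(log)
    return {a for ip, a, ok in parse(log) if ok and ip in flagged}

if __name__ == "__main__":
    print(locked_accounts(LOG), stuffing_sources(LOG), sorted(accounts_to_reset(LOG)))
```

The per-account counter only flags `frank`; the reused-credential logins for `bob` and `erin` surface only when attempts are grouped by source.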
 

Re: Website & forum behaviors

by Uzephi » Thu Mar 17, 2016 8:12 pm

Dreez wrote:
The certificate is outdated (which really shouldn't have an effect); however, the connection actually is encrypted.


Outdated means it is vulnerable to attack... Which is why browsers state it not being secure by crossing out https. One simple Google Search gave me the below as top result.

http://thehackernews.com/2014/12/SSL-Po ... ttack.html

There are other vulnerabilities TLS 1.2 has on the same simple search. (Heartbleed comes to mind)

Edit: Pottu, please don't follow suit in thinking outdated security protocols are secure. There are reasons they are updated. The main reason security protocols are updated is to fix holes, like the one described in the link and also the one I remember that affected a lot of SQL databases and some TLS encryptions.

Edit 2: If it was using the POODLE exploit, they would have gotten a hash signature of your login and depending on your password security (check page 3 of this thread) a hash check can take a max of 3 days for a password as short as 8 characters, doesn't matter how secure it is to hack without even having the password to begin with, just the hash stolen from the POODLE attack. If it would be possible to brute force POODLE (that requires rehashing and I am sure Tuleap has a prevention against brute force) they could get it as soon as 4000 attempts on the site as said in the linked article. If the bot only logged hashes though and you had a password 8 characters or shorter (doesn't matter complexity with hash cracking) then your account would have been hacked within 3 days' time on a potato PC.
Uzephi
Stone Guard
 

Re: Website & forum behaviors

by jimstanky » Thu Mar 17, 2016 8:53 pm

You're not even making sense anymore.
Last edited by Pottu on Thu Mar 17, 2016 9:44 pm, edited 1 time in total.
Reason: Spam, insults, nonsense
jimstanky
Private
 

Re: Website & forum behaviors

by zaxwaffles » Thu Mar 17, 2016 9:24 pm

I agree with you, Nostalrius, about this. There are a lot of attempts to hack people and sell gold for real money; I even found a gold seller today.
But about the IP thingy: what if your computer broke and you are playing in the library (places where there are computers), or maybe you went on vacation in another place and you want to play a little Nostalrius? I know it will make hacking harder, but it will piss ppl off that the only way to play Nostalrius without getting banned is by playing in the same place as when you registered.

But ty, Nostalrius team, for your care about the community and our accounts :D
zaxwaffles
Tester
 

Re: Website & forum behaviors

by kittymaycry » Fri Mar 18, 2016 6:50 pm

I really wish there was some kind of accountability here. I have been playing nost (on my old account which got compromised) since day 1. I had never posted on the forums before and my password was not the same as the one I used on feenix, but the hackers still got to me and deleted both my level 60s shortly after I posted for the first time on the forums. Clearly not a coincidence. Approximately 100 days played between both the characters and there's nothing nost will do to bring them back. Thanks for the timely heads up on this guys!
kittymaycry
Tester
 

Re: Website & forum behaviors

by Sauska » Fri Mar 18, 2016 8:15 pm

Judging from the increasing number of whispers from goldsellers and the surge of goldselling on the Trade and General channels, the attempt to solve this issue has not been successful. Maybe that's the reason for the ban hammer that's currently banning numerous innocent accounts?
Sauska
Grunt
 

Re: Website & forum behaviors

by elandriel » Fri Mar 18, 2016 8:17 pm

You know what would be handy is if the password reset actually worked
elandriel
Private
 
