Search the Community

Showing results for tags 'security'.




Found 14 results

  1. I am coming back from a 3 year hiatus. Two of my accounts had their email changed by other players without my permission. I never received a notification, nor was I prompted for confirmation for this action. One account has been moved back to my email but the other is under active investigation. If I received a notification or a prompt none of this would be an issue. Account transferring is against the rules, so why does the game allow you to do so? This isn't 2003, people don't lose access to emails nearly as much as they used to. With account transferring being against the rules, email changes should require a support ticket and claims of lost email should require a waiting period to give someone time to respond if they're a victim of fraud. At least ask for the security question when changing email. You already do when requesting a password reset. I only ever shared password hashes but it's pretty common knowledge that they can be broken. This means that if someone shares an account, complying with account sharing rules, that account can have its email changed by the other user without the owner knowing. This is an unnecessary security risk.
  2. Please add 2 factor Auth to game clients. Possibilities: Supporting OTP, via email. Apps like Google Authenticator, Authy, etc. More implementation: (OAuth 2.0 is nice, like Keycloak or Okta, etc.) I bring this up as in this day and age of hackers and cyber attacks, it would be nice to protect our accounts, aside from a simple password. I personally work in the cyber industry, and while 2FA doesn't stop attacks, it at least slows them down. Devs can't ignore security and say it's not important. Security has to be put into every application across the internet, imo. (Saw the better Wurm shop suggestion, didn't want to hijack the thread to put this.)
  3. So just a reminder to look at the code again. I was in game and at a certain time I got a total failure of the network. I have no clue; I found some weird Java files I had never seen before in the Wurm directory. Then again, I have been working with security a whole week and this popped up as well, so just adding it. I reinstalled the computer and reset the whole network. It was around 3 hrs ago that it shut down my Java; it vanished. I got back in, but it removed my settings and stuff. At least look, please. I don't do Java anymore, you do. https://www.bleepingcomputer.com/news/security/new-spring-java-framework-zero-day-allows-remote-code-execution/
  4. I was just renewing and noticed that the website shop is still lacking a secure connection, which carries a risk, though probably low, of account theft via man-in-the-middle attacks (PayPal details are safe but not game accounts). Searching doesn't reveal exactly who is in charge of website/webserver maintenance, but whoever it is might be interested in https://letsencrypt.org/; it allows you to set up FREE automatic security certificates for almost any webserver who can prove that they control the domain name (e.g. http://shop.wurmonline.com) and could be used to secure all the sites. I'm assuming that there is not a current security certificate due to the costs of obtaining one.
  5. Really really simple this one. Many systems include it but Wurm should as well. When you log in there should be at least two additional lines similar to Last logged in at : 2015 Dec 12 - 10:24:10 from IP xxx.xxx.xxx.xxx Last failed login attempt : 2015 Dec 11 - 16:33:41 from IP xxx.xxx.xxx.xxx It would be nice if it were also towards the end of the initial event messages so it could be visible for a bit longer but the important thing really is that it is captured in the _Event.log and a player can check for themselves if they are suspicious about the state of their account.
  6. Permission systems are hard to understand (having a couple of layered rules) and all the checks are done in the background, intransparently. When you drive a wagon or take something from a container, where you realistically need to use a key the game just does the check in the background. The player gets no feedback whether a lock & key were involved. Instead, a player has to memorize whether they already locked, unlocked and relocked (for temporary access), checked the boat after a server crossing, etc. So unless you repeatedly double-check using examine and cross-indexing your friend list and manage list, it's really just guesswork if your stuff is secured or not. Since we are as players responsible for keeping tight security in a cooperative environment, please give us the tools for identifying security problems easily and efficiently! Some suggestions to help with making the current lock and access status more transparent: 1. Event log notification of key usage: add some text like "<XYZ> uses the key for the <item>'s lock." to any interaction messages, like taking or dropping stuff. 2. Icons for container inventory and vehicle management (somewhere at the top): a) Lock icon that displays whether the vehicle or container is locked or unlocked b) Pickup icon that shows current rights of access to inventory: - green: access only granted to owner and specific users (vehicle management) or villager roles - yellow: access granted to owner and people who sit on the friend list or alliance (or any new group in the new permissions system) - red: access granted to anybody Of course the pickup icon would change status when a vehicle is moved off-deed for instance or when it's locked/unlocked. On deed an unlocked vehicle may show the green pickup icon when inside a building and the yellow icon when moved outside, and the red pickup icon when off-deed. On being locked there the pickup icon changes to green again.
I wonder whether the pickup icon idea is really feasible, or whether vehicles need a driving rights icon instead or in addition to ensure indication of security status?
  7. Given the recent events I was wondering if it would be possible to give a writ or mine door permission option for all forges and ovens? The reason is simple: A lot of people store items inside their forges, for example frying pans, armour they are imping, weapons, magical chests, and so forth. These items can be taken if anyone enters the house, say, by bashing a wall down. There is no way to secure these items in any other way except by physically moving them to a chest (which you cannot do if said items are too hot to fit into the container). If the forge has a writ/mine door permission, it would be peace of mind to log out knowing the stuff inside it is safe. Secondly, this will give us an option to use the forge or oven as a safe inside our houses. We can build forges and store valuables inside it locked away, not having to worry that it will be gone when we log in. Thirdly, inside mines, where we mine together in teams but sometimes with other people there too, it would be great to only allow people mining with you, to access your forges. The writ/permission should include the permission to load the forge as well, or alternatively, no forge should be able to be loaded while there is anything inside it. EDIT: Please look at cart and wagon permissions also. I would like to specify who I want to give access to my cart by name, not a blanket "all friends" or "all allies". I want to tick a specific name. This can be taken a step further then: Add a box for who you want to give permission to be able to drag or push or pull your cart/wagon. Then we can use locked carts and wagons inside our houses as storage for valuables, and as long as we did not give someone permission to drag/push/pull it , it will be safe inside the house, without the need of animals hitched to it (which is really not viable unless you drop grass for them all the time, or have a doughnut with enchanted grass).
  8. I've suggested this before but once again find myself paring down my friends list for the sake of vehicle security. I would like to give some members of our alliance, but not all, and some members of my friends list, but not all, permission to use my large carts and boats. Right now it's all or nothing for village and friends which forces me to reduce my friends list to only those I want to use my vehicles. Some people you may run into seem like decent folk on the outset, but if we friend each other to keep in touch and converse at a later date that should not automatically give them the right to access my boats, wagons or carts. This should be reserved for people that have proven their intent and trustworthiness, not any random player that throws you a friend request. I suggest changing the vehicle management and permissions to be similar to those of a building writ or mine door.
  9. This is for when you would rather keep the game money as it wouldn't work for an RTM. I read about sending the account details via the real world postal service but we have something as good in the game. We just need giftwrap back to do this. You write the details on a parchment, wrap it named to the buyer, mail it COD for your amount. They must accept the COD to get the wrap to open to get the details. They get their details securely and you get paid. There must be a server log of the item being mailed, when it was mailed, that it was received. In short, a paper trail verifiable by if not GMs then by Devs. Suggestion #2 that requires a new object. A certified parchment sealed to the name of the receiver that only that person can open and read. The point is that it must be opened outside of the mailbox so no one but the intended recipient can get the mail and no one but the intended recipient can open the letter.
  10. Despite choosing to "remember" my login, I keep finding myself being logged out the next day I visit the forums for a while now, and I've changed my password twice since the last "zomg it happened again" notice. Have you just decided to silently shorten the expiration date on these cookies, or...? Oddly enough, why only a post on the forums? Why are you not informing all players in any ways possible, to make them aware of the security leak that has apparently been abused at least twice? Official news item, E-mails. Yet, just a post in the GM Hall forum. Some people only knew by word of mouth, which is somewhat inappropriate. E-mails about the opening of Xanadu have certainly been sent out, why not a note that your password might have or seemingly certainly have leaked out? Or at least encrypted (thus decryptable data), or maybe just hashes that can be used in brute forcing or word lists etc.? I had not been giving it this much thought at first, because I was under the impression that the matter was handled appropriately, but I'm not so sure anymore. It's completely understandable to not disclose any details while investigations are still running, but it's closing in on a month now, and nobody talks about it anymore. So.. what's the status on this? What's the conclusion of the investigation?
  11. So a friend had her ship stolen, it was found later but completely emptied, and she was in the middle of moving to Xanadu. I did some testing. As long as key's on me or my backpack, ANY item I activate gives me the "Unlock" option when rightclicking my vehicles. Hadn't given it much thought until now, when I realized "heeeey... some people, myself included, play with sound off at times". The clicking sound had tipped me off so far all these times but....... ARE YOU TRYING TO HELP THIEVES? I'm gonna assume it's a bug and not intentional. She was pushing her ship through a canal exit and accidentally unlocked it without noticing, and a vulture passed by checking for unlocked ships, magic. http://postimg.org/image/nhwxz8nr3/ Not cool at all, please fix.
  12. Deeds need to become more secure in the PvE environment especially pertaining to crafted items like ships being built on deed. If one is building a ship and has one piece left to place to finish the creation, it should be able to be left until the person whom you intend ownership of it can come with your permission to finish it. I believe that people with shoreline properties should not have to build inside a building and use the "ship transporter," if they want to build a ship. It makes little sense that one cannot build a ship on a deed tile right next to the water without the possibility of some random player coming, finishing it, and leaving with it, even with the deed roles being locked to the public. As people pay for deeds and maintenance of them, it is not unreasonable to have some expectation of security on those tiles, in the PvE environment. I do realize that such a suggestion would not work in the PvP environment, due to the mechanics and type of game play. The members in my alliance all believe that PvE deeds should have ironclad security for all containers and crafted items and I speak for all of us. Moreover, if this idea of securing crafted items like ships cannot be implemented due to coding or another unforeseeable mechanical issue, then at the very least, there should be some sort of event logging system or tool that GMs can use to help with recovery or find out where it has gone other than using "tracking." A player can track. GMs should have access to other tools to assist them with this. In the event they have been provided such tools, I then must pose the question, why are they not being used? Finally, most new players are not aware of this type of situation and would assume the safety of items they are crafting on their deeds and the safety of containers on their deeds, whether inside a building or not.
Issues of this nature could likely cause a domino effect with player retention, as people will become frustrated that they cannot have security on spaces they pay to rent in the game and items they make can go missing without support being able to assist them more than telling them that "it's a costly lesson." Overall, it can equate to a loss of revenue and a bad name developing for Wurm, which would be a shame, especially with all the new players we are expecting to join this gaming community.
  13. It looks like the certificate that the Wurm client was signed with expired a couple of hours ago: Validity: [From: Mon Jun 13 20:00:00 EDT 2011, To: Sat Jun 15 19:59:59 EDT 2013] Any plans for regenerating the client with a new one? -Michael
  14. About the 0 day exploit and the CERT advisory: http://www.computerworld.com/s/article/9235615/US_CERT_Disable_Java_in_browsers_because_of_exploit What this means is that people are encouraged to disable the Java plugin in their web browsers, not to stop using Java altogether. Instructions for how to do this in Google Chrome are here: http://superuser.com/questions/201613/disable-java-plugin-in-google-chrome http://www.podfeet.com/wordpress/tutorials/how-to-disable-java-in-chrome/ Instructions for Firefox are here: http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets For players who use the browser to load the game or who use a browser other than Firefox or Chrome, I can't offer any suggestions.