Great news indeed, and I have passed it along! Hopefully now things can be taken at a less... breakneck pace, better for the health and sanity of all involved.
I do what I can to help.
Tis ma' job after all. Including, if need be, taking the reins on something.
So glad that when I first signed up for Cryptic, it was with my Yahoo address. Great spam filter there.
Say, Trendy, while you're at it, could you see if they can set the maximum-character limit on posts good and high? We'd kind of like to continue our Unofficial Literary Challenges, but it's hard to write a coherent story in less than 200 words...
I saw the posts regarding total length. Looking into it in the back end and I think I have that nailed down.
Even for the sake of successful importing I'd be willing to bet it will need to be raised to infinite, to match what we have here. I can imagine a lot of forms of Database Go Boom that could result from trying to crowd 50 pounds of...writing, into a 2 oz plastic Ziploc baggie. :eek:
Christian Gaming Community Fleets--Faith, Fun, and Fellowship! See the website and PM for more. :-) Proudly F2P.Signature image by gulberat. Avatar image by balsavor.deviantart.com.
I actually put the entire kibosh on it until I am satisfied by some changes. The hammer reaches farther than you know. :P
No offence intended Trendy but just delaying it to make adjustments is not enough, it needs to be scrapped in my opinion.
To start with, the forum software itself (Vanilla) is the worst possible forum you guys could have chosen; it would need a website of its own to list all the issues and security holes Vanilla has.
And then, to make it worse, you are using a third-party host known for its love of marketing info trading, AND you link our ARC sign-in with a third-party forum login.
That's just insane and extremely bad decision making.
If you guys must insist on using Vanilla, please at least self-host it, because as it is you're just giving away our info to marketing firms at the very least.
Because of concerns about the security of the new forums, I decided to do some poking around. Forget about Vanilla Forums for the moment. What about PWE's own security? I'm not exactly happy with what I found. Keep in mind that I only have passing knowledge of this stuff. You should hire an expert to audit your security measures. Most programmers and IT staff are not experts in security. I would not feel comfortable performing such an audit myself.
As the most personal info you use on a forum is your account name/in-game handle and, on very rare occasions, maybe your email address, what's the worst that can happen? So you get sent a few dodgy emails that will probably get put straight in your junk folder anyway, boohoo.
When I think about everything we've been through together,
maybe it's not the destination that matters, maybe it's the journey,
and if that journey takes a little longer,
so we can do something we all believe in,
I can't think of any place I'd rather be or any people I'd rather be with.
Who are Disqus? I just received an email from them asking me to verify my email address:
Welcome to Disqus, frtoaster!
Why verify?
Many sites using Disqus require a verified email for commenting to prevent spam. Verifying lets you join discussions quickly and easily.
They know that my forum name is associated with this email address, so I can only assume it has something to do with the new forums. Does Vanilla Forums use Disqus to verify email addresses? Why am I receiving this email from them?
Comments
Great news, Trendy. Thank you for deciding to hold off on the transfer until things are more ironed out, takes a weight of worry off.
Well, tbh, I don't think Trendy had much say in it being stopped for the moment; she most likely went "look, there are a lot of concerns being brought up" and the top guy who thinks Vanilla is epic was like "oo, ya, I see your point..."
Will you defer to allow a selection of a committee to investigate these allegations.
And then Trendy was like oh TRIBBLE no...pew pew..
It's like jumping through hoops to report stuff right now. I have only had to report stuff a couple of times, but it took me like 15 minutes to find the right link that would let me report a post. Half the links ended up at a user profile that was on the main Arc platform, which were all... private.
Then after I reported it... it took me so long to figure it out that I had forgotten what I did to get it to work :P
Thor called. He wants Mjolnir back.
"Um, Yeah, No! Bad call! He loves his hammer"
Darn beat me to it.
Mjolnir has a mind of its own...
You realize there's a woman wielding Mjolnir in the comics now; who's to say it's not Trendy?
Let us upgrade the Seleya Ceremonial Lirpa and Kri'stak Blade
Flash plugin installed by Arc
If I view my Firefox plugins, I see that I have two versions of Flash installed.
Shockwave Flash 16.0.0.235
Shockwave Flash 17.0.0.169
Above "Shockwave Flash 16.0.0.235", there is a warning message:
Shockwave Flash is known to be vulnerable and should be updated.
If I go to about:plugins, I see that "Shockwave Flash 16.0.0.235" was installed by Arc. The DLL was installed here:
C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\NPSWF32.dll
If I set "Shockwave Flash 16.0.0.235" to "Never Activate" and restart Firefox, I find that "Shockwave Flash 17.0.0.169" has also been disabled. Stop installing outdated, insecure versions of Flash on my computer. I keep my own version of Flash up to date. Even if you update Arc's version of Flash, I don't run Arc often enough to keep that version up to date.
arcgames.com
You may be missing an SSL certificate. I'm not sure whether you don't have one or whether Firefox doesn't accept yours because you're using a weak signature scheme. You are also using an encryption scheme that has been deprecated as insecure. I have provided reproduction steps below.
1. Start Firefox.
2. Type arcgames.com into the address bar and press Enter. You are redirected to
http://www.arcgames.com/en/games
3. If you click on "Sign in" in the upper right, a form drops down asking for your "User Name / Email" and "Password".
4. Press Ctrl+U to view the source code for the page.
5. Search for the form with class="form-horizontal form-sign-in-header". The source code shows that the form posts to
https://www.arcgames.com/en/sign/in
6. Copy and paste the above URL into the address bar and press Enter.
7. Click on the warning icon to the left of the URL in the address bar. Firefox shows the following warning message:
This website does not supply identity information.
The connection to this website is not fully secure because it contains unencrypted elements (such as images) or the encryption is not strong enough.
8. Press Ctrl+Shift+K to open the web developer console. Search for the following warning messages:
This site uses the cipher RC4 for encryption, which is deprecated and insecure.
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
9. Type your user name and password, and click "Sign In".
10. Click on "CHARGE". You are sent to
https://billing.arcgames.com/en/
11. Repeat steps 7 and 8.
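An added example (not code from this thread, from Arc or from PWE) that turns the two Firefox console warnings quoted above into a repeatable check. The cipher-suite names and signature-algorithm strings passed to the audit functions are constructed sample values, not anything captured from arcgames.com; the hardened SSLContext shows the server-side setting that would make both warnings go away.

```python
"""Audit TLS settings for the two findings reported in the thread (RC4 cipher
suite offered, certificate signed with SHA-1) and build a server SSLContext
that offers neither.

Added example, not from the original thread or from Arc/PWE. All suite names
and signature-algorithm strings used as input are constructed samples.
"""
import ssl

# Cipher-suite name fragments that browsers treat as deprecated or insecure.
# RC4 is the one the thread's console warning names; the rest are the usual
# companions (MD5 MACs, single/triple DES, NULL/anonymous/export suites).
WEAK_SUITE_PATTERNS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")

# Certificate signature hashes that should no longer be trusted.
WEAK_SIGNATURE_HASHES = ("sha1", "md5", "md2")


def weak_suites(suite_names):
    """Return the subset of cipher-suite names that match a weak pattern."""
    return [name for name in suite_names
            if any(p in name.upper() for p in WEAK_SUITE_PATTERNS)]


def weak_signature(signature_algorithm):
    """True if a certificate signature algorithm string such as
    'sha1WithRSAEncryption' or 'ecdsa-with-SHA256' uses a weak hash."""
    alg = signature_algorithm.lower()
    return any(h in alg for h in WEAK_SIGNATURE_HASHES)


def audit_findings(suite_names, signature_algorithm):
    """Collect findings in the spirit of the Firefox console messages."""
    findings = []
    for name in weak_suites(suite_names):
        findings.append(f"deprecated cipher suite offered: {name}")
    if weak_signature(signature_algorithm):
        findings.append(
            f"certificate signed with weak hash: {signature_algorithm}")
    return findings


def hardened_server_context():
    """Server-side SSLContext that refuses TLS < 1.2 and the weak families.
    The cipher string is an OpenSSL specification; suites the linked OpenSSL
    does not know are simply dropped from the list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:"
        "!RC4:!MD5:!DES:!3DES:!aNULL:!eNULL:!EXPORT")
    return ctx


def offered_suite_names(ctx):
    """Names of the suites the context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed sample: a server offering RC4 with a SHA-1 certificate.
    sample_suites = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "RC4-MD5"]
    for line in audit_findings(sample_suites, "sha1WithRSAEncryption"):
        print(line)
    print("hardened context weak suites:",
          weak_suites(offered_suite_names(hardened_server_context())))
```

The certificate half of the finding is not a server-config change: a SHA-1-signed certificate has to be reissued by the CA with a SHA-256 signature, while the RC4 half is fixed by the cipher list alone.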
So you're not worried about
(a) SQL injection attacks against PWE's database; or
(b) clicking on a malicious link or running malicious JavaScript code while logged into arcgames.com, the same place you go to buy Zen and manage your billing information; or
(c) browsing other websites with an outdated, insecure version of Flash installed by Arc?
I don't read comics, so no, I did not. O_O
Disqus...Discuss...it's a common thing for commenting on various sites, will see it on news sites, gaming sites, and the like.
Is some other site you've registered on for commenting switching over to Disqus or the like?
Not likely. I only use this handle with that email address here, so it must be related to PWE or Vanilla Forums.
Aha, found it.
http://www.arcgames.com/en/social/all
So if you click on any of those where it has the comments thing...
It gives the option to login for...
Arc
Disqus
Facebook
Twitter
It has a thing there where it looks like there might be 1 comment, the little 1 in the red chat/speaking/dialogue icon...but when you click on it, it pops up in the current window the following:
http://i.imgur.com/IwIZLYH.png
I wasn't logged in to Arc at the time.
So, what the Hell, let me log in and see what happens.
And yep, it logged me into Disqus...well then...hrmmm, that kind of sucks. Heh, I'd forgotten about Disqus until you mentioned it, one of those back of the mind things. But searching my email, I apparently signed up for it back in June 2012.
There is not a chance in Hell that my Arc password is the same password I would have used three years ago...
...that's pretty freaking effed up.
Must be some authorization scheme at play...meh.
edit: Gets into this: https://disqus.com/api/docs/auth/
And I'm wondering just where I agreed to allow Arc to do that....ffs.
There's nothing that I see in any of the "smallprint" stating that I've agreed to that...
edit2: That's just some damn ****ed up bull**** there in your case then, cause it ****ing looks like they created the ****ing Disqus account on your behalf and Disqus is asking you to verify. What a load of ****...
OK, so I clicked on something while logged into Arc or arcgames.com. I don't remember seeing that dialogue though, so either something I'm running blocked it, or my memory is seriously failing me.
Is it time to start another Arc feedback thread? It looks as though no one has posted in the previous two threads in months,
http://sto-forum.perfectworld.com/showthread.php?t=793591
http://sto-forum.perfectworld.com/showthread.php?t=977831
and I have some additional concerns:
http://sto-forum.perfectworld.com/showpost.php?p=23727411&postcount=259
1.6.1 ::: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3556
1.6.2 ::: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616
With 1.6.3 released back in April.
With 1.7, 1.8, and 1.9 being out there.
edit: Mind you, that's not to suggest they should have moved to another version - newer isn't always better...one needs to weigh the business needs, actionable improvements, stability/vulnerability concerns and the like...as long as a previous version has not reached end of life and is still being patched for vulnerabilities...it can be all good and whatnot.
I'd buy That for a Dollar!!
It took me a while to figure out which site you were talking about. A quick look at the headers in the HTTP responses shows:
www.arcgames.com is running nginx/1.6.0.
sto-forum.perfectworld.com is running Apache (no version given).
perfectworld.vanillaforums.com is running nginx (no version given).
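An added example (not code from this thread) that does the header check above as a small inventory script: it pulls the Server header out of each response, compares an nginx version against the 1.6.x fix releases listed a few posts up for CVE-2014-3556 and CVE-2014-3616, and treats a missing version as the defensible case rather than an error. The three HTTP responses are constructed samples that only reproduce the Server values quoted in the thread.

```python
"""Inventory the Server header of HTTP responses and flag nginx 1.6.x
versions below the fix releases the thread lists for two CVEs.

Added example, not from the original thread. SAMPLE_RESPONSES are constructed
responses reproducing only the Server values the thread reports; the fix
versions are the ones the thread lists and cover the 1.6 branch only.
"""
import re

# Lowest nginx 1.6.x release carrying each fix, as listed in the thread.
NGINX_16_FIXES = {
    "CVE-2014-3556": (1, 6, 1),
    "CVE-2014-3616": (1, 6, 2),
}

# Constructed sample responses (headers only, bodies omitted).
SAMPLE_RESPONSES = {
    "www.arcgames.com":
        "HTTP/1.1 200 OK\r\nServer: nginx/1.6.0\r\nContent-Type: text/html\r\n\r\n",
    "sto-forum.perfectworld.com":
        "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "perfectworld.vanillaforums.com":
        "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
}

_SERVER_RE = re.compile(r"\s*([A-Za-z][\w.-]*)(?:/(\d+(?:\.\d+)*))?")


def parse_server_header(raw_response):
    """Return (product, version_tuple_or_None) from the Server header, or
    (None, None) if there is no Server header. Header names are
    case-insensitive, so 'server:' and 'SERVER:' are matched too."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = _SERVER_RE.match(value)
            if not m:
                return (None, None)
            version = (tuple(int(x) for x in m.group(2).split("."))
                       if m.group(2) else None)
            return (m.group(1), version)
    return (None, None)


def missing_nginx_fixes(version):
    """CVE ids from the 1.6 fix list whose fix release is newer than the
    observed version. Only meaningful for a 1.6.x version."""
    return [cve for cve, fixed in NGINX_16_FIXES.items() if version < fixed]


def inventory(responses):
    """Map host -> {'product', 'version', 'status'} for each response."""
    result = {}
    for host, raw in responses.items():
        product, version = parse_server_header(raw)
        entry = {"product": product, "version": version}
        if product is None:
            entry["status"] = "no Server header"
        elif version is None:
            # Banner without a version: the configuration a defender wants.
            entry["status"] = "version not disclosed"
        elif product.lower() != "nginx":
            entry["status"] = "version disclosed; no fix list on file"
        elif version[:2] != (1, 6):
            entry["status"] = "outside the 1.6 branch this fix list covers"
        else:
            missing = missing_nginx_fixes(version)
            entry["status"] = ("missing " + ", ".join(missing) if missing
                               else "at or above listed 1.6 fix releases")
        result[host] = entry
    return result


if __name__ == "__main__":
    for host, entry in inventory(SAMPLE_RESPONSES).items():
        print(f"{host}: {entry['product']} {entry['version']} -> {entry['status']}")
```

The two hosts that answer without a version number are the ones doing it right from a disclosure standpoint (for nginx that is `server_tokens off;`); a banner is never proof of patch level either way, so this script is a triage list, not a vulnerability verdict.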
I think they created one of these site-specific profiles for me instead of an actual account.
https://help.disqus.com/customer/portal/articles/1897513-site-specific-profiles-
Of course, if they did create a Disqus account for me, I have no idea what the login and password would be.
Hrmm, that does sound more like what happened there then.
Still gets into PWE having shared your email account with a third party without notifying you of that action, eh?
If somebody were using an email account specifically for one thing - that one thing has been compromised by their actions.