GOA and Sanya getting owned

Groborthir

Guest
I was going through the Catacomb news and stumbled over this quite interesting post.

The post in question is a response to the following statement made by Sanya:

Taken from: http://daoc.catacombs.com/forum_news.cfm?ThreadKey=2&DefMessage=490701
Look y'all, I can't spell it out. The only people who could are at GOA. ALL I can do, legally and ethically, is tell you that the server security has never been compromised, that there is an explanation for this that doesn't involve anybody breaking into databases or servers (and therefore it is NOT hacking, no matter how many people misuse the word hack), and that the current situation can't possibly affect the US servers.

Basically, I can't say anything else until I retire to the Bahamas and write my tell all book. When that comes out, you'll see that I didn't spin a single thing and that I told nothing less than the truth.

Sanya Thomas
Internet Relations Manager and Sacrificial Goat
Check out www.camelotherald.com for more information.

And here's the response from Yomar that struck me, and Sanya, it seems, mute:

Taken from: http://daoc.catacombs.com/forum_news.cfm?Forum_thread=63874&forum_pagenum=3
Sanya, of course I believe you if you say you state the truth. However, I do get the strong impression that your story doesn't contain all details. My mother always taught me that not telling the full story is the same as not telling the truth. I think she was right.

GOA states their security was compromised. Hack/abuse/whatever you want to call it, the security was compromised. It was compromised in such a way that it was necessary to mandatorily change (without prior notice) 24.000 passwords.

People who recently changed their e-mail address while GOA's customer support tool (RightNow, or RightNextDecade as we call it) was down will never receive this password, neither will people who simply forgot to update their e-mail address. To update your e-mail address, you need a password, which you don't have, because it was changed. The chicken and the egg. On top of that RightNow is still down, so you can't change your e-mail address even if you had a password.

I quote:
Basically, I can't say anything else until I retire to the Bahamas and write my tell all book. When that comes out, you'll see that I didn't spin a single thing and that I told nothing less than the truth.

It's obvious that you can't state what you want to state and that somebody up there is watching you. I never understood this black box policy. You are a company. A company works with people. People make mistakes. Just state what's going on and be honest, and be surprised at the power of people to forgive and understand.

Postings like these feed speculations, which are far worse for your PR than stating the truth right from the beginning. I run a company myself so I know what I'm talking about.

So the servers weren't hacked. I believe you. But then what did happen? If we don't hear what really happened, people will simply say that it was a gruntled GM. Either that's the truth, and people reach the same conclusion whether you state the truth or not, or it's not the truth and things are by far not as serious as people assume.

So the worst that can happen if you state the truth is a confirmation of what people already assumed.

If it's necessary to change passwords, it means GOA has reason to believe that the old passwords were compromised. If the old passwords were compromised, it means our personal information was compromised. As the rightful owner of this info, which may be directly linked to our bank accounts, I believe that we have the right to know what has happened.

As a customer, we entrust you with confidential information. I believe we have the fullest right to know what actually happened with our information.

Since GOA has been rendered inactive (e-mail down, website down, customer support tool down/inaccessible and no telephone number), I believe it is Mythic's moral and lawful duty to inform us. After all, your name is on the package too, which means that you should take part of the responsibility. And if you are bound by contract and cannot state what happened even if you wanted to - really, I don't care whose signature is under that statement, but do make a statement please. Or force GOA to do it.

I'm getting especially concerned because I have reason to believe that GOA is making the problem worse: it seems GOA managed to send the wrong passwords to people. Some of these people received two passwords while they only have one account. These people may now have access to other people's accounts. Now if that doesn't compromise security, I am the emperor of China.

For the rest no hard feelings. I believe you're very actively involved with the community - you're doing a great job. It's just that I believe that this situation should have been dealt with in a different way.

Guild Master of Legends of Marr
Yomar Balthasar - Level 28 Eldritch, Excalibur, DAOC
www.legendsofcamelot.org
 
Lubricador

Guest
What's the problem if people received 2 emails? There is no info about the account, just a password.
 
Nalikin

Guest
hmm ... the part about people getting the wrong passwords is kinda worrying as I've yet to receive passwords for either of my accounts ... and no I haven't changed my email address since joining the game.


Originally posted by Lubricador
What's the problem if people received 2 emails? There is no info about the account, just a password.


now about this question i have this from GOA homepage :-


In the days to come we are going to process the change of all "subscription" passwords. Services shutdowns are thus planned in order to finalise the reinforcement of the security measures of our platform





Now IF and i double stress IF people are being sent passwords for accounts that aren't theirs , then might the same thing not happen when they issue the subs passwords as well ?
 
Naveh

Guest
Geez, I never liked using CC on the Internet but this is just creepy, if you get what I mean, it remains... credit :(
 
Big-G-

Guest
strong reply from Yomar

thought myself too tho, if our accounts are completely safe and nothing to worry about, what's the deal with changing everyone's pw?

aint like any info GOA give us is gonna topple governments or cause ww3, its just a game in the end - holding back info is a bit silly
 
Jonaldo

Guest
If anybody gets my password by mistake can they get me a warshade bracer and complete the new SI quests that I got bored of please.

Oh and I just gotta kill the Siabra queen Cliodna for another quest for a staff, if you could do that for me also it would be a great help.

Thx
 
Gamah

Guest
Originally posted by Naveh
Geez, I never liked using CC on the Internet but this is just creepy, if you get what I mean, it remains... credit :(

FYI GOA use a different company for CC info and they don't have ANY CC info stored on their servers.
 
gengi

Guest
I got the email with the new password yesterday, in a quite good security measure the login name was not in it. As I have an account and the wife has one also that was quite good I thought.
If someone did get someone else's password then they would have to guess the login name :rolleyes: could take some time.
Later
 
Hargh

Guest
altho login names are flastname where f is your firstname :D (up to a certain number of chars)

so if someone gets ur email addy they might be able to deduce your login name - innit
 
edoa

Guest
yepp

Originally posted by Hargh
altho login names are flastname where f is your firstname :D (up to a certain number of chars)

so if someone gets ur email addy they might be able to deduce your login name - innit

And if I'm not wrong it's actually quite easy to "sniff up" other people's e-mails especially if you know that someone is sending them and from where (GOA has told them) then it should be to hard to try some logins if the person uses like first.lastname@company.com which most do.
 
accollon

Guest
Well done for telling everyone how to figure out an account name if they got more than one password.

idiot.
 
edoa

Guest
GIMP head

Originally posted by accollon
Well done for telling everyone how to figure out an account name if they got more than one password.

idiot.

And where should they see the e-mail to that person?
 
old.Kerosene

Guest
Originally posted by Gamah
FYI GOA use a different company for CC info and they don't have ANY CC info stored on their servers.

yeah.. so they said. GOA say a lot of things.
 
