• published the article Merry Christmas!!!

    I hope everyone has had a great Christmas, or observation of choice. Sorry I didn't post it earlier, my internet is spotty atm.

    Anyway, blessed holidays to all!

    Posted in: Merry Christmas!!!
  • published the article Re: QuestHelper or CurseClient Keylogger Rumors

    There are a great number of people who are claiming that after downloading QuestHelper and/or the CurseClient that they are getting hacked, keylogged, or that their babies are being stolen by ninja mutant Elvises (or would it be Elvisi?).

    I'd like to point out that the first two are as likely as the last, providing that:

    • You're only using versions of the CurseClient that have been hosting on Curse/CurseForge or ones linked to you directly by myself or other staff members (aka alphas).
    • You're only getting QuestHelper from reputable addon sites, such as Curse.com, CurseForge.com, or WoWInterface.com. To my knowledge it's not been uploaded anywhere else by the authors.
    • You haven't paid a ninja mutant to dress up as Elvis and steal your baby.

    Sadly these type of rumors are often started and perpetuated by people looking to discredit others and most of the attacks I've seen recently are slanted as anti-Curse.

    There was recently a 24 page thread generated (in one freaking day!) on the official WoW forums. The instance of some of the posters there into ascribing guilt to various people and groups combined with some obvious misinformation makes me wonder if it's an intentional propaganda move. However, this is mere speculation as I have no evidence to support the thoughts as fact.

    As far as keyloggers go. Please keep in mind it's most likely not the last thing you did that got your account comprised. It is a fairly common practice for these the groups responsible for hacking your accounts to wait weeks or even months before attempting to use a password.

    Also, brute force attacks are not completely unheard of. So if your password is 'god', 'sex', or 'secret' please change it right away!

    Lastly, a few things to remember:

    • Curse does in no way support the keyloggers, account hijacking, or gold selling.
    • You can't get a keylogger from an addon as long as you just put the files contained therein in your addon directory. You'd have to run an executable somewhere!


    Posted in: Re: QuestHelper or CurseClient Keylogger Rumors
  • published the article Malicious Spammer Alert

    Hey guys,

    Another jerk or group of jerks took advantage of the holiday weekend to spam a few thousand comments on the website.

    These comments, due to a small security hole in one of the parsers, was able to embed an iframe on the page. It would then in turn try to target out of date versions of Flash.

    We've cleaned up any of the comments that we can find, prevented any further ones from rendering, and plugged the leak in the parsers.

    I'm not sure exactly what he was trying to install on machines, but I know it looks like it specifically targeted IE with Flash lower than 9 r124.

    We're doing what we can to ensure that this type of attack on our users is impossible in the future. Please check your flash version, if you have a vulnerable version please run a virus scanner and try to make sure all is good.

    If anyone discovers more information about what exactly they where trying to do, the effectiveness, and detection/cleanup techniques please post them in the comments.


    Posted in: Malicious Spammer Alert
  • published the article Virus Alert

    Hey guys.

    We had a trojan briefly hosted on the site here. It was accidentally approved by one of our moderators and has since been removed. We're stepping up our protections to make sure that this doesn't happen any further.

    The project in question was "Time Calculator" and was downloaded 88 times.

    I apologize for this oversight, and you have my word that we're going to be more diligent and step up our preemptive measures.

    I was hoping to make it a little longer than 8 months without a virus, but here is hoping to not seeing another for a long, long time.


    Posted in: Virus Alert
  • published the article Explicit Terms of Use Agreement now Required

    Hey guys, as of a day or two ago we started requiring an explicit agreement to the Terms of Use for full usage of the site, this includes svn commits and (for curseforge) uploading of files.

    Please check out this link to accept the ToU.

    I apologize for not making this announcement sooner.


    Posted in: Explicit Terms of Use Agreement now Required
  • published the article NewsFlash: Incoming Improvements to the Curse Client

    The State of the Client

    I want to start out by stating that we're well aware of the issues. We're not deluded into thinking that the current state of the Curse Client is as good as it gets.

    Up until this point I've been on the sidelines of the Client, however I'm pleased to say that I'm taking over the project and will be leading product development on the client.

    I've spent a large portion of my time over the last several weeks reading forums and talking to people to get a better idea of what people want, need, and hate.

    We've recently broken 500,000 Client installs. While that is a very exciting number for us to reach, it also shows us the level of responsibility we have to making sure that the client is the best possible.

    The Big Issues

    It is the primary purpose of this announcement to help communicate what's going to be changing in the near future. But first let me recap some of the things that are definite issues(in no particular order). This is also not necessarily an all inclusive list.

    • Ignoring manual deletions
    • Installing over addons
    • Downgrading addons
    • UI feedback failures
    • Poorly worded options and button text
    • Too much automation in some places, too little automation in others
    • Lack of features that are considered defacto standards
    • General reliability

    Now I want to tell you what we're going to be doing in order to improve things.

    What we're going to do about it!

    UI Changes

    First we're giving the UI an overhaul. The overall goal here is to make sure that the interface is more intuitive, more usable, and that it gives better feedback about what it's doing. To that end we're taking the following steps:

    • In an effort to increase the usefulness of the listings we're making the bottom details pane shrinkable so that you can see more addons listed at a time. You'll be able to view it if you want, but if you prefer you'll be able to use the full size of the window for the listings. Long term you'll even be able to decide what portion of the window is taken up by the bottom pane.
    • We're taking and applying some background colors the listings in order to let you know what' s happening.
      • Gray - For svn, git, and mercurial working copies.
      • Yellow - Ignored addons.
      • Red - Addons that are out of date.
      • Green - Addons that have been updated recently.
      • Purple (maybe) - Addons with unrecognizable versions. (more on that later)

    In addition to the above colors we're going to be using sorting to help it make sense. All Yellows and Grays will be forced to the bottom of the listings. All Red and Purples(?) will be forced to the top for easy identification.

    • We're rewording the buttons to make things make more sense to the end user. Intuitiveness is a major concern.
    • Version numbers will be defaulted to instead of dates in the addon listings. We will provide an option for people who prefer dates.
    • Reorganization of the buttons and other controls so that the important ones are more obvious.

    We're also going to be enhancing the activity log panel, making some adjustments to the change log viewers, redoing the listing controls to allow you more options, adding more messages back to the user, etc.

    New Features

    Like I mentioned before we're missing de facto features. And we'll be moving quickly to add them.

    • Alternate Packages - Up until now we've called this disembedded support. It is coming back.
    • Dependency Resolution
    • Manual Deletion Detection
    • Alpha Support
    • Multiple Game Support - So you can manage your PTR or Beta installs separately of your main install
    • Version Pinning - Installation of a specific version.
    • Submodule support - For example you'll be able to selectively install or update to a specific sub folders of an addon.
    • Saved Variable Scrubber - This will be on demand clean up, it will NEVER run automatically.
    • Automated and Manual Backups - We will keep an automatic backup of addons on update. And you'll be able to manually backup and restore a full backup on command.
    • Real Configuration Box
    • Deletion before upgrade - This will probably be enabled by default, I'm open to feedback though. Keep in mind that with the new fingerprint system (outlined below) a dirty upgrade could break future updates.
    • Uninstalled Package Listing - We'll be showing you a new tab of all Unrecognized packs. Limited management will be available via this listing. You'll be able to remove them, and try to identify them.

    Several of these above features are considered to be advanced features and we will be labeling them as such.

    Changed Behaviors & Methods

    One of the larger problems we've faced is about it auto detecting the wrong addons and/or downgrading or otherwise installing things wrongly.

    We're taking a few steps to fixing these problems.

    Discovery and Detection of versions

    First, we're changing our auto detection code. In the next major release we're switching away from toc name based matching to instead use unique version fingerprints. We will both be fingerprinting individual files and packages as a whole in order to know for sure what version you're using.

    Because of the fact that this will allow us to know within a very high level of accuracy in identifying exactly what version of a addon you're using we'll be able to reliably recommend upgrades.

    The question shifted at that point to knowing what to do when we don't recognize the files. So we're changing the behavior some. For unrecognized packages we'll be displaying a special Unrecognized status. From that point on we won't update the addon until either a) you tell the client to or b) we learn for sure what version that is.

    This does have one potential issue, or in some cases a feature, for auto discovery. If you go in and edit an addon, add a file, remove a file, etc the fingerprint of the file will change and then the fingerprint of the whole package will change.

    In the case of initial discovery we won't be able to auto detect what project the files belong to. If we do know what project the file belongs to it becomes an Unrecognized version and will no longer be updated until you tell the client to do so. Down side, if you have some zombie files in your directory from unclean upgrades you'll need to manually match the project or tell it to upgrade.

    The current toc name based scanner will still be available for suggesting matches in the new Uninstalled Package Listings.

    Changes to Defaults

    We're changing a few default behaviors. We'll no longer be defaulting to fully automatic addons update as this seems to be counter to the majority of our users usage patterns. We'll be shifting the defaults throughout the client to match the default behaviors of our users.

    Popup Questions

    These annoying repetitive popup questions will be streamlined out of the client. Anytime we find ourselves saying "well we could ask the user...." we're going to smack ourselves and find away to do it without that.


    As a result of the above changes, if anything we'll be overly cautious about doing the wrong thing.

    The Mac Version

    Having a fully functional Client under Mac is very important to us. We know that it does not follow many of the standard conventions on macs at this time. We will be addressing as many of those as possible, however our first focus is on having a solid product with all the needed features. After we get there we will then focus on asethetics and the macesqueness of the client (is that a word?).

    Conclusion

    I'm very happy to be stepping up my participation with the Client. I hope that this massive wall of text I've posted has helped you realize just HOW serious we are about delivering the best possible updater.

    We will be continuing the free premium preview until we've gotten most of the things in this announcement out the way. We hope to have everything in this missive out to you guys in just a few short weeks.

    And as always, please give me as much feedback as possible. Any and all constructive feedback on the things outlined in this announcement is most certainly welcomed.

    It's a lot of work to do. We're making daily progress. And I'll keep you posted.


    Posted in: NewsFlash: Incoming Improvements to the Curse Client
  • published the article Warning: Another Trojan on wowui.worldofwar.net
    That's right three viruses in two days. Looks like the same people this time pretending to be the Curse Updater. Please don't be fooled into downloading this one either. F-Secure Client Security says:
    22 October 2008 16:28:25 - 16:28:28
    Computer name: ----
    Scanning type: Scan target
    Target: Addons\30000\CurseUpdaterzip-1224675514.zip
    Result: 1 malware found
    
    Trojan-Spy.Win32.Ardamax.n (virus)
    
    The relevant forum thread here is http://forums.wowace.com/showthread.php?t=14710...
    Just to clarify: NO ONE from Curse had anything to do with this, I've reported it to have it taken down.
    Posted in: Warning: Another Trojan on wowui.worldofwar.net
  • published the article Warning Trojan on WowUI.worldofwar.net

    Someone has uploaded a trojan on WoWUI.IncGamers.com masking it as a resurrected WowAceUpdater.

    Do Not DOWNLOAD!

    This file was in no way authorized by me or this site, and is a keylogger trojan.

    I repeat, DO NOT DOWNLOAD OR EXECUTE!

    This is a blatant attempt to steal passwords, please people don't fall ploy to it.

    People tried to upload this to our servers earlier and we blocked them. I've petitioned for WOWUI to take it down, however so far they have not.


    Posted in: Warning Trojan on WowUI.worldofwar.net
  • published the article Today's Site Issues Recap

    Ok guys, I'm sure many of you have noticed a few outages.

    The first one was due to maxing out our rack's outbound trunk connection. We scrambled to have them run more capacity and now we're doing much better.

    The second was due to some cables being knocked loose during the fix for the first....

    We're sorry about them but I'm happy to say that things are looking good overall. I hope that tomorrow goes well. Wish us luck!

    Posted in: Today's Site Issues Recap
  • published the article Downtime is over!

    We're back up!

    Posted in: Downtime is over!
  • published the article File upload limitations, No more Rars(and a few others)

    We've been having a lot of issues with the curse client not supporting non zip files. The lack of support for the other various compression formats is a simple matter of not wanting to bloat the client with libs to handle them.

    So for WoW and WAR we've decided to start blocking the uploads of the following file types.

    • rar
    • ace
    • 7z
    • tar
    • gz
    • bz2

    This means that if you want to upload a compressed file it should be a .zip file.

    We're sorry for any inconveniences this may cause and we may reexamine at this to figure out a better solution in the future. But for now please re-upload file of the disallowed types if you wish for them to be the main file for your project.

    Posted in: File upload limitations, No more Rars(and a few others)
  • published the article UI Packs on CurseForge

    UI Packs are no longer supported as projects on CurseForge. We will have a proper system for UI Packs sometime soon. Thank you for your patience.

    We are also going to be removing existing UI Packs from CurseForge.

    If you are the author of an affected project, you'll receive an e-mail about this.

    If for some reason your legitimate project is removed, or you feel your project meets the Project Acceptance Policy, please send in a report (link will be provided in the email) or join us on IRC. Someone will be more than happy to assist you.

    There are legal issues surrounding UI Packs, mostly revolving around whether the author of the addons in question approves of his or her addon(s) being in the UI Pack in question. We want to preserve everyone's rights, including the original addon creators.

    The new UI Packs system that we'll be unrolling soon will have the following benefits:

    1. You'll always point to the latest version of the addons you want.
    2. No need to create packages manually and upload them.
    3. Authors will be properly attributed for their hard work.
    4. Lack of legal issues
    5. Optional glue code addition and/or Saved Variables

    We're wiping the slate clean, so please bear with us as we go through this transition and forgive us for any inconveniences this may cause.

    Posted in: UI Packs on CurseForge
  • published the article Missing WoW Addons

    Ok, so I've managed to import an additional 150 or so wow addons that where skipped during the initial import.

    I apologize for missing these the first time around. Just so you know there are a handful (read one or two) addons who's data was fairly convoluted and my importer couldn't grab them.

    I'm going to be preparing to grab the addons for other games soon as well as the compilations from curse.com. In the meantime those projects are editable on curse.com.

    Posted in: Missing WoW Addons
  • published the article Maintenance Over!

    Alright guys we're back up. There may be a few remaining dns records that need to be propagated out there, but by morning I expect just about everyone to be sorted out.

    Thanks for your patience guys :)

    Posted in: Maintenance Over!
  • published the article Maintenance Downtime on 7/1/08

    We're going to have a downtime tonight that may cause the servers to be unreachable for a short amount of time.

    I apologize for this inconvenience, and will make an announcement after it is over. We will try to minimize the downtime, but it may last for several hours.

    Posted in: Maintenance Downtime on 7/1/08