On 17th October 2011 there was a security issue regarding the official LOTRO forums and community web applications. It was officially recognised by Turbine who stated that they had taken the forums offline and subsequently resolved the matter. This generated a great deal of debate within the community, with some players of a technical disposition, claiming that the problem was a lot worse. Data was posted on the unofficial LOTRO forums, that allegedly verified this. Since then, Turbine have regularly stated that they will be upgrading the existing suite of sites and applications. However, one year later, these services still remain in beta status.
At the beginning of February a thread appeared on the official forums under the title of “Turbine, when are you going to fix the forums”. It soon developed into a technical debate and once again the subject of security raised its head. It was claimed that “the forum login also uses completely unencrypted forms, leaking your password (which is the game password) to everybody listening on the network”. There then followed some interesting technical exchanges, until eventually Sapience interceded and made the following statement. “As much of this thread seems to be devolving into an attempt to pass false statements off as fact, we’re done here. That said, I’ll restate what I have said several times now. The community sites are slated for a major overhaul. We’re talking a ground up rethink and some functions will be carried forward and others will not. In fact, it is probably the larger portion that will not be carried forward”. The Thread was then closed.
As a result of this, the debate simply transferred to the unofficial LOTRO forums, where further data was posted regarding the matter. Once again the discussion is mainly of a technical nature from individuals with a technical background. The main bone of contention seems to be regarding levels of encryption and potential vulnerabilities. It is also noted that this matter was raised originally last October and that the information was communicated to Turbine.
As a customer of Turbine and a fan of LOTRO, I am legitimately and appropriately concerned about this issue. I am not advocating that we jump to any erroneous conclusions but I do not feel comfortable with Turbines position of simply writing off such claims as “false statements”. A cry of “fire” does not always prove to be true but it would be foolish not to check. Therefore I would like to suggest the following. If you are a LOTRO player with IT skills or better still, direct expertise in this field, please read the thread on the unofficial forums. Then leave some feedback at the as to whether you think the claims are valid or not.
I would also urge all parties to put aside any partisan views they may have and not to indulge in any mudslinging and petty bickering. Simply put, this matter is too important to be trivialised. If the assertions that have been made are proven to be true then there is a serious matter to be addressed. If these concerns can be legitimately assuaged then that too will be beneficial. Finally, I would ask Turbine to respect the concerns of players and recognise that this is not some attempt by malcontents to malign them. Please do not confuse legitimate concern with trolling.
It would appear that the performance on the official forums is being questioned by players yet again. A further post has been made inferring that the site is still insecure. However, people are very reticent to directly approach the subject for fear of getting an infraction and the thread being locked or deleted. It really is time that Turbine made a clear and definitive statement regarding this matter and announced a timetable for repairing the forums.