Here's a thought. Can we actually "screen" these ads before we run them and then, if the advertiser slips in maleware, they lose their ad and their payment and we make this clear up front when payment for the ad is taken.
Because this is getting ridiculous. It's getting so that I'm afraid to come here. If the advertisements drive your members away, what good are the advertisements?
Some kind of strict policy needs to be put in place to keep this from happening or to seriously deter advertisers from pulling this crap.
Curse doesn't serve 99% of the ads, ads networks do. This is a full time job/company activity
Malware warnings are usually worse than they appear, they're here to protect users and that's a good thing but they will be triggered by a lot of secondary issues.
For example, let's say someone uses a random hosting site to host their signature and that site gets compromised, any page where the guys' signature is will be flagged as "compromised" even if his signature is safe. Google bans work on a domain level.
This is what happened this morning, we got a reply from the ad network a couple minutes ago.
Netseer, a demand partner, has been flagged by Google for malware. What is happening through our tags is that we are making a call to a cookie synch with them on many of our tags. We are disabling that cookie synch which will solve the problem. Importantly, this is NOT exposing your users to malware. We will notify you when the solution has been pushed to all of our servers.
This is the last time I'm adressing this, because this is not the point of the thread.
You don't "infect" addons with ".exe files replaced to look like .lua files". Even if you did that, they would just be extracted in the addon folder and WoW wouldn't execute them.
@fnord: it would require a lot of extremely complex code and would be unreliable. It's an interesting idea tho, will add it to my list of "insane JS project we could investigate".
@FaheyUSMC: Revenue is pretty much everyone's goal, if you can make a living out of a hobby you're very likely to say "yes". Even if you're not interested that much in money, it will allow you to grow your site and make it better. Saying it only applies to corporation is kind of weird.
Ads are served by ad networks, not Curse. This is why we need detailed reports, we need to work with 3rd party to see if there's an actual threat and narrow it down, it's not as simple as "oh yeah we forgot to do a virus scan on our server". The last weird malware we had on the network was because an ad network used by sites as large as match.com or the new york post got compromised. It's not really targeted at Curse, I just assume we communicate a lot more about it due to the community-centric nature of the business.
As for the 2009, if Curse had been serving viruses for weeks it would be dead by now. A crushing majority (99%) of these cases got tricked into downloading fake curse clients because of random hackers/gold sellers buying google ads to advertise infected clients/site clones. Once again, the problem was out of their hands (I wasn't with the company back then, I was a mean competitor) and it mostly relied on how fast Google could tackle those. Actual infection on WoW addon would be extremely hard since it's basically just .lua/wtf files that cannot really do anything to your computer.
If Curse was pushing ads for revenue generation, you would already have tons of nasty **** such as text links, interstitial ads between page loads, extra posts in forum threads containing only ads, and pretty much tons of other things you can do to monetize forums that we do not do to keep users happy. You can't really go all "CURSE IS MAXIMIZING ALL THE ADS" when you're doing it from a page where there's basically just one single ad.
As for ads being compromised, yep, it can happen, you can either admit it and work with users to track it down or just try to hide it and wait until someone else on the ad network reports it. The only difference is communication. Curse doesn't host 99% of the ads you see and if something gets compromised we usually have no control over it, this is just how ads work.
You can't really say that we don't care, I have my PHP lead dev trying to get more info in the threads, me also trying to get that, and I got admins to spin up a new thread dedicated to ads report to make everything easier in the future. However, we're pretty limited with no screenshots or URLs to work with so far.
Also Fahey, if you keep posting just for the sake of stirring up drama, it just compromises the chances that people will report things here. I don't really care about it, but I do think it can harm the community in the long run so if you have a (real) problem with something feel free to send me a PM or even create your own happy thread where you can hate things.
For people complaining about alerts, any chance we could get screenshots of those with actual addresses and stuff to see if we can figure out if it's on our side.
Is it possible to get a technical heads up on this? I'm the author of Scry and it's keyed to particular elements for user content script injection. After the last upgrade by Hannes I had to push out a few revisions to get things working again. Some sort of HTML preview would help big time.
Won't go live without a public beta probably to be honest. Ultimately we'll probably just have our own script running, but I can't guarantee it will be in the first version of the new site
From the OP, you have mentioned that the in-house (i.e. MTGS, not Curse) administrators have been given the contact for the Curse techs should something like this occur again. I just want to clarify that my understanding is correct and that I did not misinterpret.
Not yet, waiting on monday to figure out how to do things properly but yes, that's the plan. The sale happened right before the holidays and made the transition a tiny bit chaotic, still a lot of procedures to put in place. I flew to our dev office this week to discuss most of this stuff (ironically we also mentioned the whole downtime thing. ><)
I'm not sure if what I'm about to say lines up with what you've just said or not, but is there any way that if the site should go down, there can be some filler page inserted that says something to the effect of "MTGS is currently down for [insert reason], we expect the site to be up again at [insert time]".
If nothing else, it makes it so it's not a guessing match to find out when the site will be live again.
The problem wasn't the site being down, the problem was the site being down with none of our alerts going off. (When they worked just fine in the past)
It took literally 10 mins to bring it back up after I jumped in, if the downtime had been 12 hours intentionally you would have had a temporary page, etc.
you can say hey, forums are down for a bit due to all kinds of bad juju on some sort of twitter/facebook page/redirect to a 'hey, guys sorry bad things are happening page.'
Like other people pointed out, it was completely unnoticed (which is still unacceptable, really). Otherwise yes, we'd have provided information on what's happening, but yeah the whole thing was a combination of multiple things that made it really bad.
We used to have instability issues (to be honest, I doubt we had more than any other company) but we have a pretty efficient sysops team when it comes to being on call these days. That 12 hours downtime was insanely unacceptable tho, by like, super far.
As for an IM oriented thing, I don't know, we might want to go the Facebook way at some point but it would be a lot of engineering. I'll look into it.
Can't really say much more, the guys literally went to zdnet and told the world it's fixed when it's not, I guess we'll hear more soon.
Curse doesn't serve 99% of the ads, ads networks do. This is a full time job/company activity
Malware warnings are usually worse than they appear, they're here to protect users and that's a good thing but they will be triggered by a lot of secondary issues.
For example, let's say someone uses a random hosting site to host their signature and that site gets compromised, any page where the guys' signature is will be flagged as "compromised" even if his signature is safe. Google bans work on a domain level.
This is what happened this morning, we got a reply from the ad network a couple minutes ago.
Netseer, a demand partner, has been flagged by Google for malware. What is happening through our tags is that we are making a call to a cookie synch with them on many of our tags. We are disabling that cookie synch which will solve the problem. Importantly, this is NOT exposing your users to malware. We will notify you when the solution has been pushed to all of our servers.
For now yeah, let's try to not screw up the main site before we try new things.
Down the road, if we can improve on that, we might switch, but there's no plan for it right now.
You don't "infect" addons with ".exe files replaced to look like .lua files". Even if you did that, they would just be extracted in the addon folder and WoW wouldn't execute them.
@FaheyUSMC: Revenue is pretty much everyone's goal, if you can make a living out of a hobby you're very likely to say "yes". Even if you're not interested that much in money, it will allow you to grow your site and make it better. Saying it only applies to corporation is kind of weird.
Ads are served by ad networks, not Curse. This is why we need detailed reports, we need to work with 3rd party to see if there's an actual threat and narrow it down, it's not as simple as "oh yeah we forgot to do a virus scan on our server". The last weird malware we had on the network was because an ad network used by sites as large as match.com or the new york post got compromised. It's not really targeted at Curse, I just assume we communicate a lot more about it due to the community-centric nature of the business.
As for the 2009, if Curse had been serving viruses for weeks it would be dead by now. A crushing majority (99%) of these cases got tricked into downloading fake curse clients because of random hackers/gold sellers buying google ads to advertise infected clients/site clones. Once again, the problem was out of their hands (I wasn't with the company back then, I was a mean competitor) and it mostly relied on how fast Google could tackle those. Actual infection on WoW addon would be extremely hard since it's basically just .lua/wtf files that cannot really do anything to your computer.
As for ads being compromised, yep, it can happen, you can either admit it and work with users to track it down or just try to hide it and wait until someone else on the ad network reports it. The only difference is communication. Curse doesn't host 99% of the ads you see and if something gets compromised we usually have no control over it, this is just how ads work.
You can't really say that we don't care, I have my PHP lead dev trying to get more info in the threads, me also trying to get that, and I got admins to spin up a new thread dedicated to ads report to make everything easier in the future. However, we're pretty limited with no screenshots or URLs to work with so far.
Also Fahey, if you keep posting just for the sake of stirring up drama, it just compromises the chances that people will report things here. I don't really care about it, but I do think it can harm the community in the long run so if you have a (real) problem with something feel free to send me a PM or even create your own happy thread where you can hate things.
For people complaining about alerts, any chance we could get screenshots of those with actual addresses and stuff to see if we can figure out if it's on our side.
Won't go live without a public beta probably to be honest. Ultimately we'll probably just have our own script running, but I can't guarantee it will be in the first version of the new site
Not yet, waiting on monday to figure out how to do things properly but yes, that's the plan. The sale happened right before the holidays and made the transition a tiny bit chaotic, still a lot of procedures to put in place. I flew to our dev office this week to discuss most of this stuff (ironically we also mentioned the whole downtime thing. ><)
But yeah, will be done tomorrow.
The problem wasn't the site being down, the problem was the site being down with none of our alerts going off. (When they worked just fine in the past)
It took literally 10 mins to bring it back up after I jumped in, if the downtime had been 12 hours intentionally you would have had a temporary page, etc.
Like other people pointed out, it was completely unnoticed (which is still unacceptable, really). Otherwise yes, we'd have provided information on what's happening, but yeah the whole thing was a combination of multiple things that made it really bad.
See http://forums.mtgsalvation.com/showthread.php?t=478910