Alert: Repackaged Modified Rawr Release

Topics: Rawr.Base
Dec 23, 2009 at 10:30 PM

Just an FYI, someone going around with the name of RawrGwindor is posting links to a repackaged Rawr on a lot of the fansites. The exe file is modified (probably a keylogger). The posts reference Rawr 2.3.3. Once again, just an FYI.

Dec 23, 2009 at 10:45 PM

Is it time to start strong name signing Rawr, or providing a PGP / whatever hash of the downloads?

Coordinator
Dec 24, 2009 at 12:31 AM

Please send me links asap. Everyone, do not download Rawr from anywhere besides THIS site.

Dec 24, 2009 at 12:46 AM

I sent you a PM with the download link. Most of the threads have been taken down because they were spammed across the forums. I sent a heads up to WoR just in case, they removed the threads as spam-related but didn't seem too concerned about the download link.

Dec 24, 2009 at 3:53 AM
Edited Dec 24, 2009 at 3:59 AM

Well, that's very much not me. Said user has created a profile on the MMO-Champ forums, Levva, can you destroy it before it gets a chance to post anything?

Link to the MMO champ forum profile. http://www.mmo-champion.com/profile/?u=121027

The following site looks pretty shady in itself: http://wowinfoboard.com/?p=13798

WoR seems to have taken down the posts made (as did MMO Champ) but I'd like to see the actual accounts deleted.  Does anyone have a contact at WoR that I could speak with about that?

Dec 24, 2009 at 4:30 AM
Edited Dec 24, 2009 at 4:32 AM

Hey Gwindor,

I just emailed community@curse.com when I saw the posts. Here is the reply I got if you want to reference it:

"Thanks ****. Luckily this is a legitimate post by RawrGwindor, but I'm deleting the threads anyway because the way they've gone about promoting it is simply spam and nothing else."

I kinda laughed, seeing as the profile had just been created yesterday, and only made 4 total posts.

Developer
Dec 24, 2009 at 5:47 AM

wow...

Dec 24, 2009 at 7:46 AM

Obviously it would suck if it was a keylogger, but otherwise is it an issue if someone decides to release their own version of Rawr?

Coordinator
Dec 24, 2009 at 9:07 AM
Edited Dec 24, 2009 at 9:11 AM

Well, this is obviously something malicious, otherwise they wouldn't be pretending to be us.

But to answer the more general question of others releasing their own versions of Rawr... Yes and no. Rawr is open source, and its license says that it's OK for anyone to modify and re-release. However, we strongly prefer that nobody actually does that, as long as we're still actively developing Rawr, because it creates major confusion for users, and splits the development focus. Most importantly, there's no need or reason to do so; we're very active here, and most welcoming of anyone else contributing to Rawr, so anyone who does want to modify it is welcome to just contribute their changes to the main codebase, and let us release it. Everyone benefits, that way.

Anyway, that's unrelated to what's going on here; this asshole is pretending to be us, posting virus-infected (probably, I haven't checked myself) copies of Rawr, trying to take advantage of our users. We're doing everything we can to stop the spread of this crap.

Users, please tell all your friends, only download Rawr from this site.

Dec 24, 2009 at 4:15 PM

Also, just for the sake of completeness, I'd like to mention you should always, always download open-source applications (or any other applications really) from their official download mirror. Also, don't trust a 3rd-party binary just because there's a source download next to it. You never know if they actually compiled it with that source.

On another note, I've worked on a lot of open-source software in the past, and I have to say, this is quite possibly the most enjoyable development experience I've had. The development staff is really nice here. Not once have I had to fight with people's egos just to get a simple patch even considered. (Not to mention patches get applied and released extremely fast. Try filing something on X.org or Launchpad. -_-) I don't get flamed in the discussion boards for posting ideas that may be a little silly and most of the time I even get useful replies free of ego-trip ranting! You guys are doing a really great job. I'm sad that I need to stop when Rawr3 comes out. :(

Oh, actually, I'm reminded. Rawr is under the Apache license? Does that have a clause about branding? If it does, you might be able to get this guy for infringing your license terms by not renaming his project to VirusRawr. ;)

Dec 24, 2009 at 8:19 PM

Hear, hear, ZDBiohazard. I can't wait to get to play with the WPF version - which will hopefully get fixed soon. (Won't compile for me in Blend.) Rawr is really fun to work on!

Coordinator
Apr 6, 2010 at 9:46 PM

Sorry to necro this thread but it appears Keyloggers are trying to get people to download unauthorized versions of RAWR on WorldofRaids.com's forum. I've already reported one of the four threads the guy (dwandurr is his username) made as well as the user himself.

Since reporting both it appears the threads were deleted, but just throwing it out there that people are still trying to add keyloggers to the source code and upload unauthorized copies of the program. The real telling point is that he was hosting the file on filebin (or something like that) website and not here.

Coordinator
Apr 7, 2010 at 2:36 AM

Indeed, those posts just went up on Curse too. Everyone please report any of those that you see. The *ONLY* place to download/use Rawr is on codeplex.com or elitistjerks.com.

Developer
Apr 7, 2010 at 7:46 AM
markdall wrote:

Is it time to start strong name signing Rawr, or providing a PGP / whatever hash of the downloads?

A bit of a moot issue for open source unfortunately; source is available and any malicious person can just add the code they want and recompile.

They can change a binary and then sign it also; it wouldn't be signed with the actual Rawr key (it doesn't even have to be signed), but they can make it appear that way. The bad part is that the very same people that would be most vulnerable to download the hijacked copy would also not know how to verify the file's legitimacy. People that have been long time users of Rawr will get it from here and not have a reason to even bother trying to get it from anywhere else. The people at risk for such hijacks are the people not already using Rawr, seeing the advertisement and thinking "cool, I'll try it".

Digitally signing software is really only going to be useful if people change their computer settings to ONLY allow digitally signed binaries (verifiable/traceable to a trusted root CA) to be installed/executed on their PCs. But I don't see users doing this anywhere soon.
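
The distinction raised in the post above (a repackaged binary can carry a signature, just not one made with the project's key) can be checked mechanically. The following is an added example, not part of the original thread or Rawr's own tooling; it assumes the project publishes a signing-certificate thumbprint and a SHA-256 digest on its official download page, and the function name, file name and placeholder values are hypothetical.

```powershell
# Added example (not from the thread). Test-DownloadTrust is a hypothetical helper.
function Test-DownloadTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: thumbprint of the signing certificate, as published on the official site.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # Assumption: SHA-256 digest published next to the official download.
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $reasons = @()

    # Authenticode check: "Valid" only means the file is intact and the chain is trusted,
    # not that the signer is the project.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        # A repackaged build signed with someone else's certificate lands here.
        $reasons += "signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
    }

    # Digest check: catches any modified binary, signed or not.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        $reasons += "SHA-256 mismatch: got $actual"
    }

    [pscustomobject]@{
        Path    = $Path
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage with placeholder values; replace them with the values from the official download page.
Test-DownloadTrust -Path '.\downloaded.exe' `
    -ExpectedThumbprint '<PUBLISHED-CERT-THUMBPRINT>' `
    -ExpectedSha256 '<PUBLISHED-SHA256>'
```

The expected thumbprint and digest only help if they are read from the official site itself, not from the page that linked the download.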

Editor
Aug 24, 2010 at 1:26 PM

http://www.youtube.com/watch?v=HfYiZ8J5Oug  Most dangerously, the link to an offsite download in the uploader's notes of the video.

Unfortunately I couldn't accurately reference the proper places to access Rawr, because apparently YouTube doesn't allow any non-youtube.com links in comments. Ugh. Anyways, please report the video, and/or uprate the comments I made.