FTB Launcher News

Magzie

Well-Known Member
Mar 26, 2014
1,395
210
78
The difference is that you already had an acct for minecraft. You did not need to create a new acct for FTB
So to be straight on this ur objection is that you have to spend 30 sec to create a new account to use the new launcher and have a safer login...yeah seem right...rofl. It really take 30 secs and if you check remember me option u never have to worry about it again.
 

SephirothWS

New Member
Jul 29, 2019
77
1
1
So to be straight on this ur objection is that you have to spend 30 sec to create a new account to use the new launcher and have a safer login...yeah seem right...rofl. It really take 30 secs and if you check remember me option u never have to worry about it again.

https://www.curse.com/terms

To create a curse account means you accept these terms.

Utilizing Your Computer or Other Device
Some of the benefits of the Service require such Service to access information on your computer or other applicable device. You hereby grant permission for the Service to monitor your computer or other applicable device (including, but not limited to, your device's memory) and to communicate information, including, without limitation, your account information, to Curse\'s servers for the purposes of analyzing your device's performance during use of the Service. Additionally, the Service may utilize the processor, bandwidth and hard drive (or other memory or storage hardware) and/or cache of your computer or other applicable device for the limited purpose of facilitating the communication between, and the transmittal of data, content, services or features to, you and other users, and to facilitate the operation of the network of computers running instances of the Service.

I do not wish for the client to be permitted to monitor my system's memory. Thank you.
 

egor66

New Member
Jul 29, 2019
1,235
0
0
I Use Curse for the only reason that I must for some games I play, but & here is the rub, I hate Curse & use it grudgingly as little as possible, yes I know that some (most) features are still in development, mho is its bloated, slow, ugly (aimed at 10 year olds) & issues with voice form day one.
 

RavynousHunter

New Member
Jul 29, 2019
2,784
-3
1
https://www.curse.com/terms

To create a curse account means you accept these terms.



I do not wish for the client to be permitted to monitor my system's memory. Thank you.
Whoa whoa whoa, hold the phone. Its in the fucking EULA? Okay, yeah, my vote has gone from "irritated, but accepting" to a flat out "hell no." That is a security hole big enough to drive an aircraft carrier through. One DLL injection hack, one dangling pointer in just the wrong location, and it opens up my entire system's memory to any asshole who wants it. This is not some small-fry thing, this is a critical and deeply alarming security flaw. Until Curse fixes this bug, I'm not going anywhere near that fucker. It could store my Mojang account beneath Cheyenne Mountain, and I still wouldn't use it because that bug opens up literally all my other data to any crackhead who wants to exploit this glaring oversight.
 
  • Like
Reactions: Padfoote

Scottly318

New Member
Jul 29, 2019
797
0
0
No, but you DID have to create a separate account to post on the Forums here...

But I wasn't REQUIRED to.

So to be straight on this ur objection is that you have to spend 30 sec to create a new account to use the new launcher and have a safer login...yeah seem right...rofl. It really take 30 secs and if you check remember me option u never have to worry about it again.

It's not the time. It's not the safety. My issue is being forced to create a new acct when the one I have works fine.
 

FyberOptic

New Member
Jul 29, 2019
524
0
0
Whoa whoa whoa, hold the phone. Its in the fucking EULA? Okay, yeah, my vote has gone from "irritated, but accepting" to a flat out "hell no." That is a security hole big enough to drive an aircraft carrier through. One DLL injection hack, one dangling pointer in just the wrong location, and it opens up my entire system's memory to any asshole who wants it. This is not some small-fry thing, this is a critical and deeply alarming security flaw. Until Curse fixes this bug, I'm not going anywhere near that fucker. It could store my Mojang account beneath Cheyenne Mountain, and I still wouldn't use it because that bug opens up literally all my other data to any crackhead who wants to exploit this glaring oversight.

I don't think there's an exploitable factor here, certainly nothing that any so-called hacker wouldn't already know how to do. I haven't noticed anything in particular that spies on you, though take that with a grain of salt since I haven't looked deeply through everything. It's more likely just more overreach of their EULA. Most big companies go too far with their EULAs.

Mods are still a more possible source of malware than CurseVoice.
 

SephirothWS

New Member
Jul 29, 2019
77
1
1
Anyways, we keep devolving the issue at hand; and I would like some sort of official response. I will ask once again; Is there a way to utilize the "Minecraft Plugin" without needing the bloated voice & social media portion of the app, thus eliminating the need for a third party account to use it? Or am I just sitting here barking up the wrong tree as the almighty Curse corporation could care-less about the vocal minority of their users?
 

RavynousHunter

New Member
Jul 29, 2019
2,784
-3
1
I don't think there's an exploitable factor here, certainly nothing that any so-called hacker wouldn't already know how to do. I haven't noticed anything in particular that spies on you, though take that with a grain of salt since I haven't looked deeply through everything. It's more likely just more overreach of their EULA. Most big companies go too far with their EULAs.

Mods are still a more possible source of malware than CurseVoice.

Typically, processes don't have access to one another's memory; a process can invoke another, but communication across the two requires special code to facilitate such an interaction. Even monitoring memory is a serious violation of this compartmentalization, which is there specifically for security reasons. Lemme break down just one possible scenario:

  • Attacker learns of Curse's ability to monitor the memory of external processes.
  • Attacker finds the signature of the method call used to monitor memory and injects a special call to it somewhere else in an otherwise innocuous method.
  • Because the memory monitoring code is already there, the attacker has a built-in window into the process memory of, say, World of Warcraft (I have no idea which game this thing actually monitors, just using it as an example). Using this window, he can monitor the goings-on of any WoW client being invoked/monitored by Curse.
  • Attacked, using the same injection method as before, takes the results of the memory monitoring method (or something inside it) and streams it to a third-party location.
  • Attacker now has access to anything that was, even temporarily, in memory for WoW.
Now, what could be in that memory? God damned anything, for all we know. If the monitor can look at the stack used for function calls, it can easily, and without much, if any, extra effort on the attacker's part, turn Curse into an impromptu keylogger. Attacker then distributes this as part of an, again, innocuous-looking modpack for Minecraft. Said pack contains something that looks perfectly harmless, looks like a library mod like CoFHLib or something, but it actually downloads this modified DLL to wherever Curse is installed. Bam, backdoor is created simply and easily. Bonus points for making the mod and pack look legit and use a lot of big-name mods on Curse to attract attention. Even if it only takes a day or two for people to catch on, that's a day or two's worth of data that the attacker now has on an arbitrary number of people, which could include account passwords for WoW. Using a username/password reuse attack, said attacker can now probe various things liked to any account on which he has the info: email accounts, forum accounts, up to and including online banking accounts.

That is why this is a glaring vulnerability. Its not just because the memory monitoring itself is painfully dubious, it is, but that's beside the point, its because it leaves a backdoor open to anyone with the know-how. Granted, they could do this kind of DLL injection attack with or without the monitoring code in place, but its presence makes it that much easier. It actually does some of the attacker's work for them. That is why, to me, this is so bloody alarming.
 

FyberOptic

New Member
Jul 29, 2019
524
0
0
Typically, processes don't have access to one another's memory; a process can invoke another, but communication across the two requires special code to facilitate such an interaction. Even monitoring memory is a serious violation of this compartmentalization, which is there specifically for security reasons.

Reading memory from another process is really not too complicated of a procedure. I would go as far as to say that it's probably more effort to try to use Curse's code to do it than to just do it yourself. If you're able to execute code on a person's machine in the first place then you're already in the "you're fucked" category anyway.

If it makes you feel any better, the only apparent instances of ReadProcessMemory being used (that I can currently see) are in the BattleNetFriendSniffer that I've already mentioned, and then in the overlays for games like LoL and World of Tanks.

Whether you're okay with them reading any process's memory at all, even for client-oriented reasons, is another story. My biggest concern was primarily in regards to doing it to a service that uses anti-cheat mechanisms (and Blizzard may not even be able to detect memory reads in the first place). But as for being an attack vector, while I can't actually say that nobody would ever use it for that, I just personally think it's probably a lesser reason out of the ones people have given to not use it.
 

RavynousHunter

New Member
Jul 29, 2019
2,784
-3
1
Yeah, the getting banned thing is a more pressing and immediate concern, I'll grant ya. Just that its...a little alarming that it goes about it in such a way.
 

Hambeau

Over-Achiever
Jul 24, 2013
2,598
1,531
213
Anyways, we keep devolving the issue at hand; and I would like some sort of official response. I will ask once again; Is there a way to utilize the "Minecraft Plugin" without needing the bloated voice & social media portion of the app, thus eliminating the need for a third party account to use it? Or am I just sitting here barking up the wrong tree as the almighty Curse corporation could care-less about the vocal minority of their users?

Unfortunately, these are not the Curse Forums, so I doubt you will find a meaningful answer here.
 

Quetzi

Jack of All Trades
Retired Staff
Aug 20, 2012
826
329
100
quetzi.tv
Anyways, we keep devolving the issue at hand; and I would like some sort of official response. I will ask once again; Is there a way to utilize the "Minecraft Plugin" without needing the bloated voice & social media portion of the app, thus eliminating the need for a third party account to use it? Or am I just sitting here barking up the wrong tree as the almighty Curse corporation could care-less about the vocal minority of their users?

This is a lot like asking whether you can play Railcraft without having to use Minecraft.
 

RavynousHunter

New Member
Jul 29, 2019
2,784
-3
1
This is a lot like asking whether you can play Railcraft without having to use Minecraft.
Alternative: would FTB be willing to supply an install of Curse that has the voice and social bloat disabled by default? I, too, have literally no use for such a thing, and having it there is simply taking up resources that could otherwise be used for playing and/or enjoying the actual game. For games like WoW and the like, that are designed with a modicum of competency, such resource tie-up isn't as much of a problem. For Minecraft, created by the ever-amateurish Mojang, you need every clock cycle you can get unless you've got some ungodly CPU or find a way to route some of the game through to the GPU just to run at an acceptable framerate when working with a pack of even a few dozen mods.
 
  • Like
Reactions: Padfoote

Quetzi

Jack of All Trades
Retired Staff
Aug 20, 2012
826
329
100
quetzi.tv
For Minecraft, created by the ever-amateurish Mojang

I know it's like some unwritten rule of being a programmer that your way is always the best way and any other approach is inferior, but throwing comments like this does nothing but weaken whatever point you are trying to make. Ignoring the fact that the Mojang code you get to see has gone through compilation, decompilation and deobfuscation the Mojang dev team have very different priorities to modders and code accordingly. You also ignore the fact that most of the PC dev team was hired from the modding community and that a large number of mods are written by inexperienced coders learning their trade while at school/college (this is a good thing btw).

I suggest if your system is so resource starved that you can't bear to keep the Curse app loaded while you play then simply close it once the Minecraft launcher opens.
 

Magzie

Well-Known Member
Mar 26, 2014
1,395
210
78
https://www.curse.com/terms

To create a curse account means you accept these terms.



I do not wish for the client to be permitted to monitor my system's memory. Thank you.
Um this s basically the same for most EULA terms for just about every game or server out there. the account info is referring to your sign in info for the app. The memory and graphics info would most commonly be used amounts used by the app it's self not account info of ur pc. Also the network stuff the app would kind of need to do as it helps with multi player and servers connection through the app.
 

SephirothWS

New Member
Jul 29, 2019
77
1
1
Um this s basically the same for most EULA terms for just about every game or server out there. the account info is referring to your sign in info for the app. The memory and graphics info would most commonly be used amounts used by the app it's self not account info of ur pc. Also the network stuff the app would kind of need to do as it helps with multi player and servers connection through the app.

While that may be true, it does have code built-in to sniff through other process' memory given that it can locate your Battle.NET friends list in memory... Regardless, we keep dancing around my question. Is there, or is there not going to be a way to run this Minecraft Plugin without the bloatware of Curse Voice? Yes or No, Curse Staff?
 

RavynousHunter

New Member
Jul 29, 2019
2,784
-3
1
I know it's like some unwritten rule of being a programmer that your way is always the best way and any other approach is inferior, but throwing comments like this does nothing but weaken whatever point you are trying to make. Ignoring the fact that the Mojang code you get to see has gone through compilation, decompilation and deobfuscation the Mojang dev team have very different priorities to modders and code accordingly. You also ignore the fact that most of the PC dev team was hired from the modding community and that a large number of mods are written by inexperienced coders learning their trade while at school/college (this is a good thing btw).

I suggest if your system is so resource starved that you can't bear to keep the Curse app loaded while you play then simply close it once the Minecraft launcher opens.
I'm sure most people here know my opinion of Mojang and their...code quality. It isn't a matter of "everyone but me sucks," its a matter of them making very, very basic mistakes. However, that's neither here nor there. For further reference, please see the #BlameMojang thread. As a further point, my system is not starved, but others' systems can be. That's the point. Extra overhead is extra overhead, whether you want to admit it or not. In my own personal experience, social applications tend to take up a good many resources, especially network bandwidth, which is limited for a great many people either by necessity or as part of whatever internet package they have from their ISP. While I could, yes, close it when Minecraft starts, the fact of the matter is that its still there and still, to many, useless. I do, however, have a question: is there a setting that auto-closes the social whatsis after a game starts? That would make things...a lot less annoying.
 

Quetzi

Jack of All Trades
Retired Staff
Aug 20, 2012
826
329
100
quetzi.tv
Regardless, we keep dancing around my question. Is there, or is there not going to be a way to run this Minecraft Plugin without the bloatware of Curse Voice? Yes or No, Curse Staff?

Nobody has danced around this question at all. Refusing to read it being answered does not mean it hasn't been answered. You can't run a plugin without the program it plugs into also being run (hence being called a plugin).

I do, however, have a question: is there a setting that auto-closes the social whatsis after a game starts? That would make things...a lot less annoying.

Not right now, have you submitted this suggestion using the feedback button? Ideas like this are exactly what it's intended for.