• 16 June 2014

    Site updates: stability, premium donations, endorsements, downloading, apostrophes and full-stops

    posted by Dark0ne Site News
    It's been a while since I last wrote about the updates we've made on the sites, of which there have been quite a few, just some have been quite subtle. For my part I've been extremely busy over the past few months (here, have a picture of my feet dangling over the edge of the grand canyon) in between trips to the US and moving home. Thankfully the Nexus to-do list is neverending so the other staff have had more than enough to keep themselves busy. As there's so much I'll just break it down into more manageable sections.

    Have you noticed? The sites seem to be up a lot more than they used to and we haven't had to use "maintenance mode" in a long time (past when we accidentally overloaded the servers last week). That's because we finally think we've cracked our database cluster issues. Since the update we made last week we haven't had a single database blip (that wasn't caused by something we did) and needless to say we are freaking happy about this, especially since one of the guys has been working on this for over a year now.

    We're currently sorting out an issue when downloading via NMM and those annoying "retries" that can occur and then we'll be all set, at least we think we will.

    Premium donations
    About a month ago we silently released an update to the "Donations" system that now allows users to donate Premium Membership to other members on the site. At the time I wanted to write a big news post about it but I just didn't have the time, so now I've got to try and be concise within this news post.

    Where before you could only donate direct money to a mod author there's now a second option to "Buy Premium membership for this user" on the user's profile and when using the "Donate" button on file pages.

    You can turn off this option if you are uninterested in being donated Premium Membership from within your preferences. A user cannot have more than 5 years of Premium Membership bought for them, or more than a life-time membership (if you try and donate life-time membership to someone who already has it the site won't let you).

    We've also incentivised this system for the donor as well. If you donate Premium Membership to another user we'll apply ~25% of the Premium time you purchased to your account as well, free of charge. For example if you buy 1 month of Premium Membership for another member you'll receive 1 week of Premium Membership for yourself as well along with all the benefits that come with that (including being a Supporter for life). The time "stacks" as well, so if you buy 4 people 1 month of Premium Membership you'll have 1 month of Premium Membership yourself.

    The Premium Membership system is an unfortunate necessary evil. Without it I just couldn't afford to pay the server bills in this day and age of adblockers and diminishing advertising revenues. I hate asking people for money, or relying on it, so when people willingly share it with me I want to make sure they're looked after as much as possible.

    I get the occasional lifetime member ask me if there's a way they can donate more money to the site. This is the way you can do that while also giving back to your favourite mod authors or users on the site. And thank you.

    Changes to the way manual downloads are served
    We've changed the way we serve manual downloads to you via the pop-up. While before when you went to download a file manually you would be presented with a list of file servers to choose from we are now moving to a quicker, more automated system that will pick the least over-loaded server from a geographic location you've specified in your preferences. If you haven't specified your preferred location then the first time you go to download a file you'll be asked to pick one.

    There are several reasons for doing this:
    • Right now we have 23 file servers. As we continue to expand the number of file servers we provide it's going to become untenable (or very ugly) to show them all to you so you can make a selection.
    • Many people seem to grow attached to a certain file server and will only ever download from that server even when it's overloaded. This causes an unnecessary load on the network we'd rather avoid.
    • It allows us to code algorithms that manage our file server network more closely, ensuring that load is evenly balanced.
    • It removes a click from the downloading operation which in turn speeds up the downloading process.

    We're monitoring this system closely to ensure it's working properly. If you set the wrong location when the system first asks you, or if you want to change locations for any reason, you can do so from your preferences area.

    Endorsement changes
    Something the mod authors talk about regularly in the mod author forums is the low endorsement to download ratio on their file pages. Mods that have millions of unique downloads can have a comparatively low amount of endorsements. There's a multitude of reasons for this, which have been discussed to death, but during the last discussion that happened a couple of months back I said I would get some things added to the site that could help to combat a few of these issues.

    To begin with we've added an endorsement reminder pop-up to the sites. This is something we had a few years back but it never really worked brilliantly. This time around the pop-up will provide you a list of files you've downloaded recently that you have yet to endorse. You can quickly endorse the listed files from within the reminder pop-up without any page reloads and if you've endorsed all your files already you won't see this pop-up. You can change how often this reminder is shown to you, if at all, from within your preferences (I think we're having a few issues with that right now, which means a few people might be getting spammed by the reminder, which we're in the process of fixing - should be fixed).

    There's a consensus among some mod authors (probably not a majority) that if you've downloaded a mod you should endorse it. I disagree with this philosophy. Because endorsements on the site are seen as a positive rating against a file it doesn't go that just because you've downloaded a file you think it's worth endorsing the file. Because this new reminder system checks if you have any files you have not endorsed, it's not fair to you if you're reminded about files that you have no intention of endorsing. As such we've added a new option when endorsing files that is labelled as "Abstain" and indicated as either a red cross or a thumbs up symbol with a red line through it. Abstaining from a file is just that; you are refraining from endorsing the file. It is not a negative mark against a file. The amount of people who have abstained from endorsing a file is not shown anywhere on the site. So what's the point? By abstaining you are telling the site that you are aware you can endorse the file but you don't want to. It's different from before because now the system knows that you aren't planning to endorse the file and, ergo, won't remind you to do so. You can change your mind later on by going to your download history and changing your abstain to an endorsement.

    Going hand-in-hand with the download changes listed above we've also added a sort of mini-endorsement reminder to the download pop-up window. If you have unendorsed mods you will be presented a list of 5 mods from your download history that you have yet to endorse which you can quickly do from within the pop-up without affecting your current download. We hope to update this system so that the list is organised in such a way that the unendorsed mods shown to the user will also belong to the author of the file you're downloading from first. For example, if you've downloaded 3 files from the author already that you've yet to endorse then you will be shown 5 files, 3 of which will be the ones that belong to the file author. Our early attempts at getting this put in, however, overloaded our servers so we're looking in to implementing this author preference system as soon as possible. If you have endorsements turned off on your file then the endorsement list will not be shown on your downloads.

    It's my hope that by presenting users with these convenient ways in which they can quickly endorse or abstain from endorsing files we'll see an increase in endorsement ratios for files. I'd be interested to hear from authors as to whether they've noticed any sort of noticeable bump in their endorsements over the next week.

    Using apostrophes and full-stops in file names
    We've changed a lot of things since the last time I was directly involved in programming a major recoding of the sites in 2007 but one thing that's never changed is the inability to use apostrophes and full-stops in file names. We've now, finally, updated the sites so you can use proper grammar in your file names and use full-stops to denote version numbers in your uploaded files.

    Smaller updates and bug fixes
    On top of these updates there's also been a number of smaller updates and fixes applied to the sites:

    • Banned members will now be notified of why they were banned when they attempt to login to the Nexus sites.
    • Fixed the filters in the Image Share not working.
    • Fixed an issue where user uploaded images were showing on file pages before the author had verified them.
    • Implemented our IP ban list on the sites when originally it only worked on the forums. If you are getting this error and you haven't been banned in the past then please get in contact via the contact form (obviously letting me know your IP address) so I can sort it out for you.
    • Fixed an issue where the "required files" system wasn't working properly.
    • The tracked files system no longer breaks the home page.
    • Authors who upload mods for games we haven't approved yet will now be emailed when we approve the game.

    Known issues
    We are aware of two ongoing issues with the sites right now. An issue with the tracking and notification system not properly informing users of certain updates to certain files, and an issue with comments sometimes going crazy and not being posted to the proper file page thread. Our work on fixing these is ongoing but is likely tied to our continual efforts to sort out the database cluster and ensure our code is efficiently reworked to synergise with this system.
  • 11 June 2014

    Another note on site security, your security, and a malware email doing the rounds

    posted by Dark0ne Site News
    Recently we've been the target of some attacks on the site that date back to March of this year. To begin with a user was uploading a virus to the sites masquerading as other popular files. The virus was being used to gain infected users' stored usernames and passwords for the site which were then being used to login to their Nexus accounts here and continue to upload more viruses. That stopped. Now recently we had a high profile breach of one of our staff accounts that allowed a user to replace some popular files here with viruses masquerading as the popular files which is obviously more serious. I'm now getting reports that users are being spammed by a mailer which is sending out fake notifications to update to the latest version of NMM with a download link that, quite obviously, points to a location that isn't anything to do with Nexus Mods. This email doesn't even come from a email address (or any address in any way related to games!) and doesn't point to nexusmods in any way, shape or form. However it does look convincing to people who haven't got their guard up and aren't checking the email headers to see where it's coming from or the link address itself (why would I send an email telling you to download a file from anywhere other than the Nexus Mods site!?). Please don't get caught out by this pathetic attempt to gain access to your system. You should treat this email the same way you'd treat an email from a Nigerian prince, or the "Bank of America" telling you there's a problem with your account that needs to be fixed by opening a zip file, or the Swedish consort letting you know the latest penis enlargement instruments really do work...

    I have not done a bulk email to members of the sites since 2007 when TESSource became TESNexus. I hate doing it because I know how annoying it is to get unsolicited emails from sites trying to pump their product in your face. What's actually more worrying for us is how your email addresses have been obtained which is something we're looking in to much more closely. If I felt we'd had a breach of our system then I would most definitely let you know (openness is obviously the best policy in these regards), however we've had no indication of that. What we cannot be certain of is a breach from before December of last year when we switched over to our new database system. Indeed, the newest account we've received a confirmation from on this topic is from April of 2013. We cannot verify that because we no longer have the original servers the databases were on. Obviously the most prudent course of action for you would be to change your password to be on the safe side.

    We've had no one come forward to lay claim to these attacks directly so we're going off the assumption this is someone who's targeting the Nexus simply because it has a large amount of members with an active userbase. What we do know is that this is a brand new virus that anti-virus firms are only just starting to recognise now. Whether it's been made specifically for us or not is unknown.

    We're no strangers to being attacked. We receive DDoS attacks regularly, you just don't notice it because as our resources have increased so have our means to combat them. We're working with our suppliers to come under the net of a new £250,000 investment in anti-DDoS measures that will continue to help us, and others, combat against this internet threat. Our servers automatically block hundreds of IP addresses daily from people trying to gain unlawful access to the servers or doing things they shouldn't be. The fact we're now being targeted more regularly is simply testament to what we have going on here and the people who want to try and exploit it for their own means.

    This isn't the first time this has happened to a gaming community, or even a modding community. I know that the folks over at Curse have had many issues with their Curse Client (Curse's version of NMM for World of Warcraft) being "faked". Only as recently as January another fake client surfaced that was used to steal users' World of Warcraft account details. In 2010 the scammers even went so far as to pay for Google advertising so that their fake Curse client would show before any other results. So we're not alone here. The only difference is this is the first time this has happened to NMM, and it's important you're vigilant.

    We pay $500 a year to buy a unique code signing certificate from Verisign that we use to certify all the versions of NMM that we provide. You can see this certificate when you go to install NMM. Here, have a picture so you can see what screen it shows on:

    As you can see the installer is signed to "Black Tree Gaming Ltd.", the name of the company I set up to handle Nexus affairs. We sign every single new release of NMM for this exact reason: so you know it has come from us and only us. If your installer does not say this or if you download NMM at some point and it doesn't say this then that's bad. VERY BAD. And you should cancel what you're doing and do a full system scan.

    We will only ever offer NMM from our download page on the main Nexus Mods site. We will not send it to you in an email attachment or link you to somewhere that isn't on the domain. Even then you should remain vigilant and check for that certificate on the installer.

    As our work on the database stability issue comes to a close (thank god for that) we are going to be directing our attention on providing you, the user, with more tools to remain secure both when on your account and when downloading from the site.

    Our login mechanism will soon be using SSL, a long over-due addition. We are looking in to implementing two factor authentication on account logins similar to how Facebook and Steam Guard work; if you login from a different location we'll send a unique code to your registered email address before you can login. We're looking in to implementing a new feature for the site that will let you explore the file structure of archives before you download them, which will not only help with spotting things that shouldn't be in the archive before you download but also help you work out whether a mod is actually compatible with NMM or not. We'll also implement a moderation system on files and archives that contain executables or other files that are potentially dangerous. If one gets uploaded we (the staff), will have to approve it before it goes public on the sites. Lastly, we'll explore our options in regards to external virus scanners to see if there's a decent online API that can handle the number of uploads we'd need to make to their servers.

    The fact we have to spend time on this sort of stuff when we'd rather be working on things that help make your modding experience better is obviously annoying, but it's also part and parcel of the world we live in. Your security is a high priority for me, as is keeping you up-to-date with the latest issues and ensuring you're informed about the times when we've let you down. It's important for me to take responsibility when we do slip up and to make sure that, while sometimes I might slip up, I will take that responsibility for it and do everything I can to get things right. At the end of the day, you guys trust me with your visits, your mods, and some of you even with your money, so your trust is very important to me. Your words of support and encouragement during these sorts of times only serve to compound what I already know about the community we belong to. It's flippin' good.
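
    The installer check described in this post can also be done from PowerShell before the file is ever run. This is an added example, not Nexus Mods code: the publisher name is the one quoted in the post, while the function name and the way the path is passed in are assumptions made for illustration.

```powershell
# Added example (not Nexus Mods code). Checks that a downloaded installer
# carries a valid Authenticode signature from the expected publisher.
# 'Black Tree Gaming Ltd.' is the signer named in the post; Test-InstallerSigner
# is a hypothetical helper name.

function Test-InstallerSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,

        [string] $ExpectedSigner = 'Black Tree Gaming Ltd.'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # An unsigned file has no signer certificate at all.
    $signer = $null
    if ($cert) {
        # SimpleName is the subject's display name (normally the CN).
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
    }

    # Both conditions must hold. A 'Valid' status alone is not enough, because
    # a file validly signed by some other publisher is still not this installer.
    # The name alone is not enough either, because a file modified after signing
    # keeps the embedded certificate but reports HashMismatch.
    $statusOk = ($sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid)
    $signerOk = ($null -ne $signer) -and ($signer -ceq $ExpectedSigner)

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Trusted    = ($statusOk -and $signerOk)
    }
}

# Usage: pass the path of the downloaded installer as the first script argument.
if ($args.Count -gt 0) {
    $result = Test-InstallerSigner -Path $args[0]
    $result | Format-List
    if (-not $result.Trusted) {
        Write-Warning 'Signature missing, invalid, or from a different publisher. Do not run this file.'
    }
}
```

    The thumbprint is printed so that two copies of an installer can be compared; the check itself relies only on the signature status and the signer name.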
  • 09 June 2014

    Staff account compromise. What's happened and an apology.

    posted by Dark0ne Site News
    Back in March you might remember a news post written by myself titled Be Careful: Trojans masquerading as popular executables. To cut a long story short, a user was uploading a malicious file to the site that, when installed, would enable the user to find out your Nexus username and password, which was then in turn used to log in to other users' accounts with the stolen login information and continue to upload the same virus to the sites.

    Today we were alerted to a malicious change to SkyUI, one of the most popular files on the Nexus network, at around about 12.30pm GMT. Within 20 minutes the file was removed and we got to work investigating how the file was added and who removed the original SkyUI file and replaced it with a malicious executable (thank you to those people who reported the file and were clever enough not to install it!).

    Following on from that we noticed some strange actions coming from one of the staff member accounts here and, while I have not been able to get in contact with the staff member yet, we can conclude that the staff member's account has been compromised and this was how the "hacker" was able to remove files and upload new ones in their place. As part of their job the moderation team need to be able to access and edit the file pages on the site. If an unsavoury miscreant gains access to one of those accounts they can, potentially, do quite a bit of damage. Unfortunately that was the case today.

    We were able to quickly identify and remove access to the account, however, a few more files were changed by the "hacker" before we could trace things. These files, on top of SkyUI for Skyrim, were:

    ApacheiSkyHair for Skyrim
    Fallout 3 Redesigned - Formerly Project Beauty for Fallout 3
    Project Nevada for Fallout New Vegas
    Oblivion Character Overhaul version 2 for Oblivion

    It's clear the "hacker" was going for some of the most popular files for each of the main games the Nexus supports to gain maximum exposure.

    It's important to note that staff members do not have access to any personal details (they can't even see your email address) including any Premium Member details and we do not store any credit card information so that's not an issue at all. This was not a traditional "hacking". Our servers themselves weren't compromised (indeed, we think we've got things locked up pretty damn tight right now to the point where you need to be on a specific IP address before you can even gain access to the server terminals and think about user accounts and passwords). Unfortunately the computer of one of the staff members was compromised and this is the result.

    Things have been tidied up and the threat has been removed. If you downloaded one of the compromised files listed above and ran it between the hours of 12pm and 2.30pm today then please run a full virus sweep of your system. If you did not download any of those files in that time then this breach will not have affected you. We've contacted each of the owners of the files listed above. For them, unfortunately, because their main files were removed they will need to be reuploaded and the stats will have been reset for those specific files. It's important to note that deleting an uploaded file does not reset or clear the main file's stats. It's just unfortunate that the stats for those specifically uploaded files will be lost. I'll have a word with the main database admin to see if we can't get the majority of stats for those files restored, with a bit of loss due to having to roll-back a day or two. If you're the owner of one of those files please send me a PM so we can look into that with you.

    I apologise personally for what has happened because, at the end of the day, the buck stops with me. I am highly protective of the staff here who have individually volunteered thousands of hours of their time, some of them for many years, to keep this network of sites clean and tidy. Unfortunately these things happen and I will obviously have a word with all the staff here to remind them all of best internet practices to maintain account security.

    On an unrelated note I've had a few reports from German users saying that one of the ads on the rotation is sending them to a fake java updater page. This seems to be localised to only German locations, which makes it tough for me to diagnose, but I have been in contact with the advertising supply chain to try and get to the bottom of this and hopefully the issue will be resolved shortly.
  • 05 June 2014

    NMM 0.50.0 and NMM Legacy releases

    posted by Dark0ne Site News
    We've been a bit short in the news department recently. This isn't because there's been no news to report on but simply because I've been extremely busy. I'll be reporting on all the updates we've made recently in due time but in the mean-time, today we released a new version of NMM along with a new "Legacy" version of NMM. Let me explain what's going on.

    The NMM programmers are finding that more and more of their time is being taken up by trying to support old and outdated versions of the .NET framework which is not only limiting the functionality NMM can provide but, simply put, taking an inordinate amount of time for the less than 5% of people this helps to support. The inherent issue is that Windows XP no longer supports the latest versions of .NET, specifically, version 4.5 of .NET. Statistics show that less than 5% of users who use NMM are on Windows XP. We have therefore taken the decision to branch NMM from this point on in to two releases: the normal Nexus Mod Manager and the Nexus Mod Manager - Legacy Edition.

    The Legacy Edition of NMM will be for those users who either want NMM to simply stay as it is right now or who cannot use the main version of NMM due to it now requiring the latest version of .NET in order to work. It's the fall-back to support those users who can't, won't or don't want to keep up to date with their operating systems. For us, NMM is now for Vista, Windows 7 and Windows 8, the Legacy Edition is for users of Windows XP.

    We will update the Legacy Edition with any bug fixes that can be applied but, unless a new feature doesn't make use of any .NET 4.5 features, the Legacy Edition is now feature frozen: it will not be getting any new functionality.

    In other news, a lot of people have noticed that the "Download With Manager" button is not working for them on the site. Firstly, let me say that this is nothing to do with us, in that we haven't caused this problem. The problem arises with the combination of Windows 8.1 and the Google Chrome browser, and only this combination. NMM works fine in IE and FireFox with Windows 8.1. For a slightly technical explanation of what's happening: a recent silent update to Chrome has forced the browser to no longer recognise third-party URL protocols, like the "nxm" URL the Nexus sites use to start your download in NMM. Instead, Chrome will now only accept URL protocols that are classed as "safe" by Windows 8/Microsoft, which at this time is basically just the Windows Store. Great update, Google. The fix for this issue involves editing a Google Chrome config file to tell Chrome that the Nexus Mod Manager is a safe program to accept URL requests from. Google haven't coded any sort of system (like FireFox has) to ask if you want to trust the Nexus Mod Manager protocol, it just refuses to work. That's just plain laziness on Google's part.

    Version 0.50.0 of NMM has added a button to the settings menu that will attempt to edit this Google Chrome config file so your download button will work again. It's experimental, and while it won't break anything, the worst it will do is just continue to not make the button work for you. We won't know until people use it. However, we can completely understand why you might not want NMM editing any config files unrelated to NMM, so for you guys I'm afraid the only option is to manually download then add files to NMM (very, very easy to do) or simply use a different browser. Once again, this problem hasn't been caused by us, and we're slightly miffed Google have taken this lazy approach.

    We're obviously interested to know if this button fixes it for people who've experienced this issue, so please let us know.

    Version 0.50.0 of NMM requires an uninstall of your current version of NMM before you can apply it. The process is extremely simple and NOTHING will change in your NMM so long as you reinstall NMM to the same directory. Your mods, load orders, settings and everything else won't change. If they do change then you have NOT installed NMM to the same folder, or you've changed your game folder location either physically, on your hard-drive, or within your NMM settings so they no longer point to the right location. NMM does not delete mods off your hard-drive when it is uninstalled. We needed to force an uninstall due to some of the .DLL packages changing or being removed and we didn't want people filing bug reports because they couldn't be bothered to uninstall the software like they were asked to do.

    We've released a dummy 0.49.8 release of NMM which has a tweaked update mechanism for those people updating through NMM itself from version 0.49.7. If you do it this way, you'll first have to download 0.49.8, which will then direct you to the correct version of 0.50.0 to download based off the operating system you're using. If you are using Windows XP, 0.49.8 will direct you to download the Legacy Edition of NMM. If you are using Vista or higher, 0.49.8 will direct you to download version 0.50.0 of NMM. You can skip this step (going from 0.49.7 to 0.49.8 to 0.50.0) simply by downloading the latest version from the NMM download page. This process might seem a little convoluted but you'll be all done within the space of a minute (depending on your download speed).

    Fingers crossed now we've got this task behind us the long awaited Profiling system will not be far behind.
  • 02 June 2014

    Fan Film News : Fallout Nuka Break 2014

    posted by Gopher Game News

    If you are a fan of the Fallout Nuka Break series there is good news for 2014.
  • 16 April 2014

    Introducing the new Video Share section

    posted by Dark0ne Site News
    Today we have launched our new Video Share functionality across the Nexus sites. The concept of the Video Share section is much like the Image Share section; it's an area where you can showcase the videos that you have made that relate to the games we support in some way. Interviews with modders, reviews of mods you like, story-driven machinima and so on and so forth. It's something we've had on our to-do list for two and a half years now so I'm pleased to finally get this out the door.

    First and perhaps most importantly, the Video Share section will only work with YouTube videos. We made a conscious decision to forego hosting videos ourselves for a variety of reasons:

    • Most prolific video creators are already using YouTube and a lot are entwined with their commission scheme so it seemed pointless to force them to upload their videos again, here, when a ready made and proven service is already available.
    • YouTube have a great and powerful API we can easily hook in to.
    • It's unlikely a lot of people already using YouTube would want to upload their videos here anyway as it may result in a loss of subscribers. By linking in with YouTube's API our relationship with YouTube is symbiotic, advantageous to YouTubers and non-detrimental to prolific YouTubers.
    • Hosting videos, that are often large files that require resource intensive encoding, is a costly investment (it can easily run in to the hundreds of thousands of dollars). It seemed more prudent to continue to direct funds towards the ongoing stability of these sites rather than on a new feature.
    • Coding a video player seemed pointless, and a waste of what would likely have been months of programmer time, when YouTube works fine.
    • More liability falls on YouTube than us if someone uploads something they shouldn't.

    While I understand some of you will not be fans of YouTube it is the most convenient service for us to hook in to. We do not have any plans to support other video services at this time.

    As a result the Video Share system becomes an indexing service for videos users upload to YouTube. You might ask, "What's the point, I might as well just go to YouTube". Well, not really. If you go to YouTube and type in "Skyrim mods" you'll get a crap-ton of results with very little filtering options past that. The idea of the Nexus Video Share is to provide a better indexing service than what YouTube can offer, specialised to what users of this site are going to be more interested in and allows authors to showcase their videos, and especially the mods showcased within those videos, more easily to users who are interested in such content.

    We've added a new feature to our video share system that I'd like to have implemented into the Image Share section at some point soon. When adding videos to our database you can specify which Nexus mods are being showcased in the video. Something I see time and time again in YouTube comments are users asking the video author what mods they're using. The idea of this system is to allow authors to quickly and easily add these mods to their video pages, providing exposure for those mods while similarly relieving the burden of continually answering the same questions for the author.

    If you're looking to add your videos to our Video Share database then we've made it easy for you. We've plugged an importer in to YouTube's API that will connect to your account (via YouTube's API servers, and not ours, for obvious security reasons!), find all your videos and provide you with an easy to use interface to choose the videos you'd like to add to our Video Share. If you're a weekly mod reviewer and you've been releasing a video every week for the past 3 years then you'll probably find it a lot quicker to use our importer than you would manually adding each new video in to our database. Alternatively you can easily add your videos to our database manually using our video adding wizard.

    The Video Share guidelines will follow the same rules as the Image Share guidelines which most importantly includes a no nudity/sex rule. I don't currently have any plans to offer a Supporter Video Share that has more liberal rules. We'll just see how it goes.

    A Video Share section has always seemed like a logical extension of our Image Share section. I've no idea how much it will be used but considering the two and a half year wait to get around to doing this work I'm just pleased we could finally release it.
  • 13 April 2014

    Skyrim Mod Sanctuary 88 : Realistic Water Two

    posted by Gopher Mod News

    A comparison of Realistic Water Two with a couple of other popular water overhaul mods.

    Mods covered in this video
    Realistic Water Two
    WATER - Water And Terrain Enhancement Redux
    Pure Waters
  • 06 April 2014

    Skyrim Mod Sanctuary 87

    posted by Gopher Mod News
  • 30 March 2014

    Skyrim Mod Sanctuary 86

    posted by Gopher Mod News
  • 19 March 2014

    Beyond Skyrim

    posted by Gopher Mod News

    An ambitious project known as Beyond Skyrim aims to bring all the provinces of Tamriel to the game of Skyrim. The team has released an official trailer announcing that we will be able to play in Bruma as early as Summer 2014.

    Visit the Beyond Skyrim Forums if you want more details, or if you want to help out in any way.