Slashdot Mirror


Verant Backs Down On Drive-Scanning

fastpage writes, "Verant, the people who bring you Everquest, are backing down on scanning users' computers for anything they want to prevent cheating." Read the CNET story. "I guess getting Web sites shut down to prevent the distribution of ShowEQ wasn't enough."

66 of 207 comments

  1. Maybe Slashdot got H4xx0R3d? by Anonymous Coward · · Score: 2

    But Slashdot was cracked, would they tell us anymore? Most cracked companies often meet crackers' demands rather than risk the public knowing they were cracked. Now that Slashdot is within Andover.net, there's the stockholders' interests to consider first. The truth be damned.

  2. There's nothing wrong with this. by Anonymous Coward · · Score: 2
    As an avid player of Everquest, I think Verant are justified in searching player's hard disks for hacking tools. People who do not have the hacking tools have nothing to hide, and the idiots who do possess these hacking tools deserve to be banned from playing the game.

    There's a time and a place for hysteria over invasions of privacy, but this isn't it folks. Verant were simply trying to prevent idiots and script kiddies from spoiling the game for legitimate players. Because of knee-jerk reactions from online-privacy zealots, the online game is going to be ruined for everyone.

    1. Re:There's nothing wrong with this. by molog · · Score: 2
      > I think Verant are justified in searching player's hard disks for hacking tools. People who do not have the hacking tools have nothing to hide

      No, they are not justified. I play EQ as well. I don't use the cheats and I hadn't really heard of them till this debacle. I don't know what Verant is looking for and I don't give them permission to go through my system. Would a company try to abuse my rights with this? Of course. They should make a client that makes it pretty damn hard to create a hack for. Scanning people's hard drives for cracks that are going to change all the time will do nothing.

      > There's a time and a place for hysteria over invasions of privacy, but this isn't it folks. Verant were simply trying to prevent idiots and script kiddies from spoiling the game for legitimate players.

      The ends do not justify the means. I don't see the game getting ruined by cheaters. I see the game getting ruined by the fact that you are only as good as your equipment, and that there are not enough things to fight for a large number of players resulting in people waiting for hours on end for something to fight, or just logging off out of frustration.
      Molog

      So Linus, what are we doing tonight?

      --
      So Linus, what are we going to do tonight?
      The same thing we do every night Tux. Try to take over the world!
    2. Re:There's nothing wrong with this. by jayhawk88 · · Score: 2

      Do you suppose this guy plays as a Troll on Everquest as well? ;)

  3. Slashdot gets it all wrong again by Anonymous Coward · · Score: 2

    They were not scanning people's hard drives, email, cookies etc. What they were doing was looking to see if you were running a process that they could ID as a hack program. While I am not entirely comfortable with that I must admit that given the state of the art it is the only way to curb blatant cheating. Cheating ruins most any game, but many insist on cheating and ruining others' fun. If you don't mind people cheating I will be happy to play a little poker with you. With my special glasses and marked deck. Or if you want to play Monopoly I get to be banker.

  4. GPLed client is possible by zipwow · · Score: 2

    You just have to make the right decisions on what you're sending that client. To quote Designer Dragon (original lead designer of Ultima Online): "Never put anything in the client. The client is in the hands of the enemy."

    Zipwow's first corollary to that: "Never send anything to the client that you don't want them to know."

    Why is the server sending the mob's hp and level to the client? If you're willing to spend the processes for it, you could also not send mob information about mobs that aren't currently visible to the client.

    It's a harder job, but it's possible, and it keeps you honest.

    --
    I don't know which is more depressing, that 2/3 didn't care enough to vote, or that 1/2 of those that did are crazy.
  5. OK that wasn't fair. by Effugas · · Score: 2

    > but as much as /. likes to bash Microsoft, at
    > least MS can be assured to have considered
    > cryptographic protections.

    > Sure, they rejected 'em, but still

    Cheap shot. (Yeah, I'm responding to my own post. I'm that wrong.)

    Microsoft actually has done quite a bit of work with their Authenticode system giving people a means of digitally verifying their code, with a CA (Certificate Authority) backing up that signature. The keys are "only" 512 bit RSA, but that *will* stop the script kiddies.

    I guess I was just expressing my annoyance that nothing's been done to handle login scripts--I've got to worry about every single desktop on campus going down to a single eight character password on our IT director's desktop because of it. Really, when it comes to validating executable content, MS has done quite a bit of good work in this regard that hasn't particularly been matched elsewhere (is there a way to sign ELF files in-band? What about RPMs, with a CA?)

    Gotta remember, MS may have its technical flaws, but they do pull off some good stuff. It's their business department that's evil :-)

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    1. Re:OK that wasn't fair. by Effugas · · Score: 2

      > It doesn't matter if the program is 100%
      > genuine Bogosoft code, if Bogosoft have added
      > in code to upload your netscape history file to
      > find out what you're browsing.

      > While authentication is important, much more
      > important is the ability to restrict programs
      > from doing undesirable things. If you don't
      > want a program from sending your registration
      > information without asking, you should be able
      > to lock that up so it can't.

      This is essentially the trust assignment problem that you describe--you *do* trust a program to execute a function, but you *don't* trust it not to execute some other function. How do you isolate?

      There's been some pretty effective sandboxing tools hacked together, but Microsoft and a couple thousand Slashdotters agree: Accountability dramatically reduces abuse, be it in privacy violation or in the WAVE program (but I repeat myself).

      The concept--and it ain't a bad one--is Bogosoft won't last long under attack from a very pissed off FTC. Will ya look at that, it's an election year...

      Yours Truly,

      Dan Kaminsky
      DoxPara Research
      http://www.doxpara.com

    2. Re:OK that wasn't fair. by gorilla · · Score: 2
      > This is essentially the trust assignment problem that you describe--you *do* trust a program to execute a function, but you *don't* trust it not to execute some other function. How do you isolate?

      By effective sandboxing, data tainting and appropriate logging of actions attempted. Something which is totally missing in Microsoft products, but is available in more secure OSs, such as those which have B & A level certification.

      A few years ago, it seemed to me to be silly to have OS level protection to prevent data from being exported from the system, but as time goes on, it seems more and more reasonable. I guess in earlier times, it seemed silly to have file permissions, if you were logged onto the system you must have had the rights to access the data, right?

      > The concept--and it ain't a bad one--is Bogosoft won't last long under attack from a very pissed off FTC. Will ya look at that, it's an election year...

      Has there ever been any action taken against any company for privacy violations except by consumers objecting and boycotting?

      Both eTrust and the various legal bodies such as the FTC seem to be useless. If a big company wants to collect your browser habits, your hardware or anything else it feels like, then no-one seems to want to stop them except their users.

    3. Re:OK that wasn't fair. by gorilla · · Score: 2
      > Microsoft actually has done quite a bit of work with their Authenticode system giving people a means of digitally verifying their code, with a CA (Certificate Authority) backing up that signature. The keys are "only" 512 bit RSA, but that *will* stop the script kiddies.

      Unfortunately, this isn't terribly useful.

      The programs which are causing problems aren't generally altered versions of authentic releases, they're features added by the authors which do things which the user doesn't want them to do.

      It doesn't matter if the program is 100% genuine Bogosoft code, if Bogosoft have added in code to upload your netscape history file to find out what you're browsing.

      While authentication is important, much more important is the ability to restrict programs from doing undesirable things. If you don't want a program from sending your registration information without asking, you should be able to lock that up so it can't.

  6. Re:Say what???? by Effugas · · Score: 2

    > I dunno what cryptosystem you're talking about
    > here, but this, in general, is not true... think
    > about Diffie-Hellman signatures - you sign with
    > a public key and verify with a private.

    I'm a bit rusty on the math (and late for class!), but if x and y are made public, it's always trivial to find g^xy mod n. However, when g^xy mod n is made public, it's exceedingly difficult to find x and y.

    Incidentally, you don't have signatures with DH--ElGamal is the PK variant system.

    Yes, I KNOW I mucked up the math. But what I basically did was say, "OK, I'll keep the public key under wraps and anyone who can encode a message using it can issue a command to these n machines." Unfortunately, if you took control of one of those n machines and reversed the private ElGamal key, you could then turn around and issue commands to the other n-1 boxes.

    Critical failure. Yeouch.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  7. Re:Cheating is fun! by Logan · · Score: 2
    My point exactly! (except for the load of crap comment) There are those that would call what your friend did cheating (with a negative connotation), simply because a player obtained a massive advantage due to exploiting something the creator of the game did not consider. There are those that whine "You're ruining the game for those that want to play!" They're only ruining it for the sheep. These sorts of cheaters have just as much right to play, in their own way, as everyone else does.

    Concerning inventory duplicators, etc., I still consider those innovative. Not the actual running of one that someone else created (script kiddie style). Actually hacking the binary and/or protocol and using all your skills to determine how to get what you want is just an alternative way of playing the same game.

    logan

  8. Re:Cheating is fun! by Logan · · Score: 2
    When a game is so crude that all that is required to advance is to hold down a key, you'd be an idiot to actually sit there and hold down the key yourself. But a program to run on top of the client and do things for you? Brilliant! If something is so easy yet tedious to do that it's easier to write a computer program to do it, why not write a computer program to do it? That's the whole point of tools. The ethical cheater will choose the tool that will best get the job done.

    Your analogy to a football game is a poor one. Football is more of a test of athletic ability than mental ability. The shotgun is a physical threat and action that allows one to bypass one's opponents. I suppose my cheating rhetoric only applies to less athletic games, I suppose. A good cheat is the application of mental skill to bypass arbitrary obstacles imposed by the structure of the game itself, not your opponents.

    logan

  9. Problem with your "background" by bughunter · · Score: 2
    > It's the second major-market title in the MMORPG genre started by Ultima Online.

    I know this is tangential to the topic at hand, but neither Ultima Online nor Everquest "started" the MMORPG genre. They aren't even the first graphical MMORPGs.

    Between 1993 and 1997, subscribers to online giant CIS and a little online system called AOL could play a text based, for profit, fantasy MMORPG called Gemstone III. After going flat-rate, AOL dumped it because far too many users connected for far too long to play Gemstone. Now Gemstone III players get along quite happily connecting directly via the internet. As far as I know, these were the first for-fee MMORPGs employing "gamemasters" to maintain the code, servers, and portray NPCs for the players. But there could have been even earlier ones, considering all the MU*s and MO*s out there... However, it was definitely the first to hit 1,000 simultaneously connected players. I was there. (And I was disgusted... I started playing when 30 players online was a huge crowd.)

    Simutronics, the company who ran Gemstone, also offered several other games, all connected via gateways to several major online services. They're all still up and running, and quite fun, if you can harness enough of your imagination to abandon all the pretty graphics.

    Then there was AOL's Neverwinter Nights. (Okay, it wasn't AOL's - they just hosted it.) I know little about this game, except it looked very similar to SSI's old Pools of Radiance series of single-player games, and it was multiplayer, and graphical... and offered no client for my platform at the time. (If someone knows more about the old NWN, please chime in.) Of course, if you've been paying attention at all for the past 10 months, you know that NWN will soon be reborn as the first networked virtual tabletop-style roleplaying environment.

    Although I'm sure most players of EverQuest and Ultima Online have never heard of Gemstone or DragonRealms, and believe Neverwinter Nights is a brand-new title, the only innovations in these games are the pretty graphics, and perhaps some interesting server-side hacks... but the genre is an old one.

    --
    I can see the fnords!
  10. Re:I clicked on YES by Stiletto · · Score: 2

    Where does it end?

    You should be ashamed of yourself for having so little concern about your own privacy. Since you have no problem allowing Verant to search your hard drive remotely, let's see how far you will go...

    Would you agree to allow Verant to send people to search your computer in person?

    Would you allow them to search your home for books and tools related to reverse engineering?

    Would you allow them to search through a record of your recent purchases (looking for hacking-related products)?

    Silly, you say, but once you start down that path, you can say goodbye to any privacy you think you have.
    ________________________________

  11. Re:Counterstrike by Bad+Mojo · · Score: 2

    And once you've gotten used to how UNREALISTIC and horribly coded it is, you'll get frustrated and decide to kill yourself in real life. Oh yeah, sign me UP!


    Bad Mojo

    --
    Bad Mojo
    "If you can't win by reason, go for volume." -- Calvin
  12. Re:I was marginally involved in developing ShowEQ by EQ · · Score: 2

    >What I'm getting at is, most people who object to ShowEQ (and the rest of the suite) and agreed to HD scanning feel so strongly about online cheating that they'll give up their HD's privacy for an equal chance at EverQuest

    And, IMHO, that's what is so scary - we are bringing up a generation that has no concept of the importance of the fundamental freedoms that they take for granted - and blithely give them up!

    It's getting so bad anymore, that I'm wondering if those militia loons aren't at least partly right when they start slinging around quotes like "those who would give up freedom for safety will neither achieve nor deserve either" (paraphrased from Ben Franklin, I believe).

    First it's "bad things" like cigarettes, then the "war on (some) drugs", then private guns (ask Amadou Diallo's widow about the police guns). Now it's privacy on the chopping block - how long until the freedoms of speech and expression are given up one slice at a time "for our own good" to a police state?

    It's damned scary - generations of soldiers gave up normal life to preserve those rights, civil libertarians have stood up and put their necks out, and even hackers have contributed [by providing the tools to set information free and preserve basic anonymity --Thanks Whitfield Diffie and Phil Zimmermann!].

    But now these online ignorant lumps give all that up because they have no values other than "get me my next l33t level in this game".

    "EverCrack" indeed!

    --
    Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
  13. Re:Verant Reveals Its Hand by EQ · · Score: 2

    Heh - you want to see their "encryption/decryption" routine? It's laughable!

    their key is a 32bit unsigned int

    Their algorithm is something like the following in a semi-C layout:

    decode (uint *data, uint bufferlen, uint globalkey)

    tempkey = globalkey
    uint reg1, reg2
    uint shift1, shift2, add
    uint blen = bufferlen/sizeof(uint)

    for(int i=0; i<blen; i++)
    {
        reg1 = *data
        reg1 = reg1 + tempkey
        reg2 = reg1 shift2
        reg1 = (reg2 | (reg1 shift1)) + add
        *data = reg1 // set data at this point
        reg1 = reg1 shift1
        tempkey = tempkey + reg1 + add
        data++;
    }

    I'm not sure I have the sequencing right and the shifts may vary, but that's it.

    How would you break something like this?

    --
    Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
  14. Re:This is capatalism at it's best by Wah · · Score: 2

    wow, I didn't realize questioning the ultimate power of money was flamebait. Welcome to the post IPO /.

    --

    --
    +&x
  15. Re:Privacy Violation over EVERQUEST? by Ob+the+Rat · · Score: 2
    ... kinda like the problem with playing Quake online... The levels are completely unimaginative, and it comes down to ping speed & hardware to decide the winner. Adding things like LIMITED weapons, ammo & powerups would require people to conserve their ammo and to play strategically, rather than switching over to rocket launcher, putting it on autorun and holding down their fire button.

    This is why I switched to playing ActionQuake instead of standard Quake II. Who needs 90% of the map to be engulfed in rocket or grenade explosions at any given time.

  16. Opt in / Opt out? by Yet+Another+Smith · · Score: 2

    Well, I have to say that it would suck to play a game where I was getting left behind by a bunch of guys who were running cheat programs. I'm just not a real super competitive person, and when I do an RPG, I like cool stories and a group of clever and cooperative people in my party, not some gung-ho I-have-the-most-frags ego trip. Other people like competitive things and have fun backstabbing each other. If I have read my everquest FAQs correctly, (I am not playing yet till my new hardware arrives) there are servers dedicated to competitive play where bodies can be looted and so forth, and others devoted to cooperative play.

    So, why not take that a step further? Some people prize privacy above all else, while others are more interested in keeping playability and enjoyability maximized. Is there any reason that Verant can't set up some servers that scan for 'foreign objects in the ring' and others that leave everyone on the honor system?

    That way we can decide on an individual basis whether to submit to these scans, rather than having a few privacy advocates or corporate goons dictating the One True Way to run the game. After all, no one person can always understand what I want from the gaming experience or what my privacy needs are.

    Except possibly me.

    --
    if ($it != $onething) {$it = $another;}
  17. These people screwed up. by canter · · Score: 2

    Yeah they messed up from the inception of the game apparently.
    If you design an online game, you can BET 3 things will happen..
    1. People will try to spoof the server with hacked packets.
    2. People will tinker with whatever files you leave on their hard drives, hoping to find a kink in the armor.
    3. People will sniff the packets you send them, hoping to glean a little extra info.

    This is BASIC stuff folks, and it sounds like they didn't even consider it from the outset. Now they're trying to cover their own inept engineering by blaming it on the players.

    All they needed to do is talk to a few MUD administrators. Any one of us could have told them that some players will do ANYTHING to gain an advantage. We deal with it by plugging the holes, not by blaming the players. It's their JOB to poke at the code to find the holes.

  18. Change to EULA wouldn't have helped anyways by GoofyBoy · · Score: 2


    What they wanted to stop was ShowEQ which is a basic packet sniffer to give a radar of the current game world.

    The problem is that ShowEQ is originally programmed to run on a second Linux box with a Windows box running the EQ client/game. There is a Windows version but this would not have stopped ShowEQ usage. It just would have given more advanced users a bigger unfair advantage. The change in the EULA wouldn't have helped unless they were going to scan every machine on a local LAN.

    Perhaps they should have started by not sending so much information in their transmissions. It's called better programming.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  19. Re:that was joke was bait, friend by Doppleganger · · Score: 2

    Sorry, you're a bit wrong on that. The changes actually affected people in-game: spells took longer to cast, heals didn't heal as much, and so forth.

    It wasn't just the *evil, nasty hackers* that were hit by the "april fools joke". Anyone who played on the test server was hit.

  20. What exactly is everquest and isn't this... by slashdot-terminal · · Score: 2

    preventable?
    Couldn't you create say a random mirror image of a "clean" hd each time a call was made from the program to look at the hd?

    --
    Slashdot social engineering at it's finest
  21. Need to fix the protocol by mOdQuArK! · · Score: 2

    Sounds like they need to fix the protocol - if you treat every client as potentially malicious, then the only data that client should be allowed to receive or know about is data that the user would normally be allowed full access to anyway (not to mention that all data being received from the client should be checked very carefully for reasonableness).

    I guess with the slow bandwidth issues, it might turn out to be almost impossible to implement certain kinds of effects w/o some cooperative processing from the client.
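
An added sketch, not code from the thread or from any game, of the server-side approach comments 4 and 21 describe: send each client only what its character can see, and check what the client reports for plausibility before accepting it. The class names, VIEW_RADIUS and MAX_SPEED are assumptions made for the example.

```python
import math
from dataclasses import dataclass

# All names and limits below are hypothetical, chosen for this example.
VIEW_RADIUS = 50.0   # how far a character can see, in world units
MAX_SPEED = 10.0     # fastest legal movement, in world units per second


@dataclass
class Mob:
    mob_id: int
    name: str
    x: float
    y: float
    hp: int      # server-side only: never serialized to clients
    level: int   # server-side only: never serialized to clients


@dataclass
class Player:
    name: str
    x: float
    y: float
    last_move: float  # server clock time of the last accepted move


def distance(ax, ay, bx, by):
    return math.hypot(bx - ax, by - ay)


def client_update(player, mobs):
    """Build the per-client update: only mobs in view, only drawable fields."""
    return [
        {"id": m.mob_id, "name": m.name, "x": m.x, "y": m.y}
        for m in mobs
        if distance(player.x, player.y, m.x, m.y) <= VIEW_RADIUS
    ]


def apply_move(player, new_x, new_y, server_now):
    """Accept a client-reported position only if it is plausible.

    server_now comes from the server's clock, never from the packet, so a
    client cannot claim extra elapsed time to justify a longer jump.
    Returns (accepted, reason); rejected moves leave the player untouched.
    """
    if not (math.isfinite(new_x) and math.isfinite(new_y)):
        return False, "non-finite coordinate"
    elapsed = server_now - player.last_move
    if elapsed <= 0:
        return False, "no time elapsed since last move"
    if distance(player.x, player.y, new_x, new_y) > MAX_SPEED * elapsed:
        return False, "faster than MAX_SPEED"
    player.x, player.y, player.last_move = new_x, new_y, server_now
    return True, "ok"


def demo():
    # Constructed sample world: one mob in view, one far outside it.
    mobs = [Mob(1, "a rat", 10.0, 10.0, hp=12, level=1),
            Mob(2, "a dragon", 300.0, 0.0, hp=9000, level=50)]
    hero = Player("hero", 0.0, 0.0, last_move=0.0)
    results = {
        "update": client_update(hero, mobs),
        "walk": apply_move(hero, 5.0, 0.0, server_now=1.0),
        "teleport": apply_move(hero, 300.0, 0.0, server_now=2.0),
        "nan": apply_move(hero, float("nan"), 0.0, server_now=3.0),
    }
    results["position"] = (hero.x, hero.y)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A packet sniffer on the client side of this exchange sees the rat's position and nothing about the dragon, and no hit points or levels for either.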

  22. Sounds like a management call by Greyfox · · Score: 2
    If their management is anything like the ones where I work, I'd say it was probably a management call.

    Maybe if they port it to Linux one day (And I get my @#!@#% AGP working on my biostar athlon motherboard) I'll check it out. *shrug*

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  23. Too bad... by randombit · · Score: 2

    It's too bad that so many games like this rely on security through obscurity as to their protocols (witness the massive cheating on Quake now that it's GPLed). Which means it won't ever be possible to, say, create a GPLed client for Ultima Online (at least not without destroying the game with cheaters). Of course the problems of a secure exchange protocol aren't good either (higher overhead, more complexity, etc).

    It's also too bad that people feel the need to cheat at something that's supposed to just be a game you play for fun, but that's another story, I suppose.

    But scanning people's hard drives doesn't seem like a very good solution to me. In fact doing it for something that is, in the long run, completely trivial makes me nervous.

  24. Re:I was marginally involved in developing ShowEQ by nublord · · Score: 2

    Sorry to say but I am not a 'sheep' or a 'weak and obedient ass'. Yes, I play EQ. Yes, I told them it is ok to scan the computer. Why? Because I'm smart and know how to defend myself. Because I went out into the world, learned my computer skills, and now make enough money to have a separate computer just for game playing. Scan it all you want - you won't find any useful info there. Corporations have been trying from day one to control their customers and get as much money as they can. They use legal power to protect it. They have closed door meetings that result in less than ethical decisions. You can scream and cry all you want but it's not going away. The only way to deal with it is to go around it. And that's what I did - two computers. And don't give me some weak kneed "What about all those people that can't afford two computers? Huh?" They are on their own. I'm willing to teach people but I won't do the work for them. Survival of the fittest. You can't change the system - learn how it works and navigate around in it.

  25. Cheats vs. Exploits by Spire · · Score: 2

    You're beginning to get into the issue of cheats vs. exploits. There is a world of a difference. Your friend's boat trick was an exploit of an existing (albeit unintentional) "feature" in the system. These undocumented features happen all the time, especially in the more complex games out there. I believe that in general, as long as a game allows something, it's fair game.

    Cheats, on the other hand, involve some kind of external manipulation or modification of the game. I don't think this should be allowed, as it tends to create an uneven playing field. In the case of exploits, anyone who is clever enough to figure out the exploit (or knows about the exploit through word of mouth) can take advantage; in the case of cheats, only those who are willing to download and install the latest unauthorized hack can gain the upper hand.

    One gray area comes to mind: "cheat codes". Although cheat codes are built into the game, and might thus technically be considered exploits, I don't think they should be used -- unless all participants are aware that the codes are available and can be used, and all participants want the codes available.

    Should "cheat codes" be considered exploits or cheats? Well, consider their origin. In most cases, they are simply debugging aids that are left in the final game out of laziness -- or just for the hell of it.

    Cheat codes are intended to be used for debugging, and not during actual gameplay; they can be seen as "external" to the game itself. In this light, a "cheat code" is really nothing more than a "trainer" that happens to be conveniently built into the game. This puts cheat codes squarely in the category of "cheats". In my book, cheats are almost always something to stay away from -- if only because they tend to ruin the fun.

    --
    begin 644 .sig22&%I;"P@9F5L;&]W(&=E96 LA`end
  26. Re:Privacy Violation over EVERQUEST? by billybob+jr · · Score: 2

    I didn't write the AC post earlier, but since you completely ignored what they wrote, I'll quote it again for you:

    "current everquest users. the users
    who dont mind having their hard
    drives being raped. the people
    who care about their privacy left
    already."

    Try reading the post next time before getting all indignant. He was simply stating that USERS who cared about privacy had left already. I'd say that was a pretty valid argument, wouldn't you?

  27. Unbelievable by mljames · · Score: 2

    Unbelievable. It is absolutely unbelievable as I read most of these posts that they are talking about keeping cheaters out of the game. I think the heart of the matter is that a company is wanting to scan your hard drive as a condition for installing their software. I think this is the central issue. If one company can start a trend, who will be next to try this tactic? I'll assume that we were lucky this time because the program asked if it could do the scan. Remember when Microsoft was accused of scanning a person's hard drive as part of the registration process and sending back information about their files. Consider that as part of using an mp3 player that it had to scan the pc for unlicensed songs and report the person to the RIAA?

  28. Re:Further progress in protecting online privacy by nlvp · · Score: 2
    I didn't think I needed to explain that, it being quite obvious. The point I was making is that it seems to work very well and very fast in the case of online privacy. This is not necessarily the case when considering other issues such as quality of goods from certain large consumer goods and services companies.

    The reason for this is probably twofold.

    1. The community of users is much more reactive than the communities that represent consumers of other goods and services provided by major corporations, and is therefore prepared to make a loud fuss, in a semi-concerted way, and to use their buying decision collectively to hurt large corporations in the short term.

    2. There are a large number of alternative suppliers of internet-related services, and given point 1, they have noticed that they can steal market share from competitors quite fast if they can stylize themselves as the "supplier that respects your privacy".

    Another point is that companies do not exist to do what people want. Companies exist to maximize shareholder value, and in a perfect free market where Adam Smith's "Invisible hand" works as it should, that equates to supplying the goods and services in a competitive and efficient manner, such that consumers' needs are satisfied to the maximum extent that they can be given limited resources. Market failure (monopoly power, certain types of goods, "non-rational" behaviour etc) means that this sometimes fails to happen, which is the economists' argument for government intervention. If companies existed solely to do what people want, we wouldn't need to call them to order like this all the time.

  29. Re:Verant and Drive Scanning by Donavan · · Score: 2

    #1 They did NOT ask their entire customer base. They asked less than 10% of it and then at a time when adults were offline.

    #2 They have been far less than admirable about this. Publicly insulting people who raised privacy concerns.

    I've said it before and I'll say it again: They overreached. Instead of saying we were wrong they say "A bunch of hackers, crackers and paranoids caused us to change our mind"

  30. Carmack's discussion of this was better by Animats · · Score: 2

    The Quake crowd hit this problem when their client went open-source. This was discussed on Slashdot then, and that discussion covers the game design issues better.

  31. They already do. by Kemanorel · · Score: 2

    Verant has stated that they routinely patch their servers and the client program to try to prevent cheat programs from working. They merely thought about scanning for certain executables to make their job a little bit easier. They thought it over, put the question to their playerbase, listened, and agreed with the well thought-out arguments of the minority. That is what brought out Verant's about face on the issue. Figure of the 15% that voted against it, 2/3 actually responded, and half of that was not flame. That would mean that Verant chose to listen to only 5% of their playerbase and found those arguments enlightened enough to change their minds. That is how the net is supposed to work, not by mindless boycotts but by intelligent conversation. BTW, I was part of the 85% that had no problem with it.

    --
    Mess not in the affairs of dragons, for you are crunchy and good with ketchup.
  32. Compare this to steroid use in sport by Jinker · · Score: 2
    Some athletes cheat by taking steroids.

    In higher level competition, their bags are examined, they give urine and sometimes blood samples.

    This isn't a violation of privacy since the athletes are *informed* that they will be held under scrutiny.

    Obviously the comparison between professional level sports and an online game isn't perfectly natural.

    What about a user moderation feature? People who obviously abuse the system can be labelled as such. They are free to play the game, just not with people who don't want to cheat.

    Hmmm, the implementation would be difficult, and it would take a critical mass of players who moderated fairly (IE, not labelling someone a cheater just because they don't get along).

    Just my ramblings...

    Greg

  33. Patch the servers. by kwsNI · · Score: 2
    Rather than searching the users' HDDs for programs that allow you to cheat, wouldn't it be easier to either patch the servers to not allow the cheats or patch the program?

    Blizzard did that a lot with Starcraft and their Battle.net servers. Every time a new hack/cheat came out for Starcraft, they patched the program and any user that wanted to use their servers had to have the latest version to play online. It won't completely protect you from cheaters, but it's not an invasion of privacy...

    kwsNI

  34. Side note. by geekoid · · Score: 2

    Yes it is just a game, and I would have dropped it in a heartbeat if they went through with the scanning my HD plan.
    I just wanted to say there is, in reality, very little competition in EQ. Many people have a perceived competition, I know I did for a while. There is, rarely, any race for anything. If you don't get something today, it will be there tomorrow.
    Yes, there can be a group of people that want to be competitive with each other, and that's fine, but it doesn't affect other players.
    My point is, someone can come out with a cheat tomorrow that allowed one to be lvl 50 (current max, kinda), have a 200 in every skill, and give them a googolplex of money. That won't affect my playing at all.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  35. Re:I was marginally involved in developing ShowEQ by RottenDeadite · · Score: 2
    I would reason that most of the people who voted "yes" on that poll were more concerned about gameplay than their own privacy.

    My younger brother, who plays EQ and Asheron's Call and others, frequently belts out long rants about how irritating these "mini-hacks" are to him. He considers them cheating.

    What I'm getting at is, most people who object to ShowEQ (and the rest of the suite) and agreed to HD scanning feel so strongly about online cheating that they'll give up their HD's privacy for an equal chance at EverQuest.

    ***JUMP PAD ACTIVATION INITIATION START***
    ***TRANSPORT WHEN READY***

  36. Re:I was marginally involved in developing ShowEQ by startled · · Score: 2

    "All it does is lets you see the REAL numbers behind the game that Verant tries to hide with handwaving and frantic knees-bent running about behavior." It DOES allow the user of ShowEQ to cheat, although its users have come up with a surprising number of rationalizations to say otherwise. For example, if a rare monster spawns across the map, you'll be the first to know. And is that tough mob holding a great piece of rare loot, or just a couple copper? It'll tell you that too. As a matter of fact, Verant has had some success banning ShowEQ users based solely on observing their behavior. A guy who was just standing around suddenly heads off in a beeline for that newly spawned will-o-wisp that just happens to have great loot. It IS cheating-- keep that in mind, and we can attempt to have a rational discussion.

  37. Re:Doubleclick,the Feds and Verant by gilroy · · Score: 2
    Quoth the poster:
    And so now, the corporations and the government want to force manufacturers to build surveillance into technology, all but eliminating another basic right of privacy.
    That's something that gets my dander up. It's not that I'm opposed to surveillance being possible per se ... there can be legitimate reasons. But it shouldn't be easy, and we shouldn't have to do the work for them.

    Example: The NSA should invest in codebreaking technology. It's part of their mandate. But we shouldn't have to hand over keys, to obviate the need for the codebreaking tech.

  38. Why is it that... by john_many_jars · · Score: 2
    ...some companies have little or no compunction about what basically is illegal wiretapping until there is a substantial base of uproar amongst those who use their product?

    For instance: yesterday on NPR (scroll down for RA of story) there was a story on Internet privacy and it featured a new piece of software (name escapes me now) that basically configured your browser to run through a proxy server so that all your traffic could be scanned. Why this software company is still in business after effectively instituting a wire tap (just on digital information on port 80), I don't know. Though, their EULA does mention that your traffic will be monitored, I can't believe that people actually use their software.

    This goes way beyond using cookies to track usage (hell, we have Nielsen ratings for TV that do something very similar). I applaud the efforts of the userbase of Verant of taking notice and effecting change through economical means. Now, if only everyone would not use invasive products, all companies with invasive software would go out of business.

  39. Straight from the Sources by Jia · · Score: 2
    Those of you who don't play EQ might not be fully aware of the entire situation. You're probably relying on second hand sources for your information. Maybe these copies of original messages on this matter by Verant management will help.

    First, here's a letter from Verant CEO John Smedley regarding the new policies and security checks announced. (From EQ Vault)

    Ok. We put the poll in, and with roughly 15,000 people participating the poll came up with 83% of the people being fine with us running the check for cheating.

    DESPITE THIS POLL we have decided that it's the wrong thing to do. Enough people have convinced us that it's chipping away a little too much at people's privacy EVEN if they do consent for us to implement this policy.

    Therefore, the change to the EULA will read as follows:

    Solely for the purpose of patching and updating the Game, you hereby grant us permission to (i) upload Game file information from the Everquest directory and (ii) download Game files to you.

    Now, before anyone wonders exactly what this is, let me explain. Technically speaking we probably should have had this language in there from day one for you to consent us to even download new game files to you in the first place. We apologize for not realizing that we should have gotten this consent, but live and learn.

    We can admit when we make mistakes, and I believe this is a case where we owe an apology to our Player base. In our haste to try and thwart people from damaging the game we went overboard.

    There will be absolutely no scanning of anyone's computer for any reason other than the normal patching process (which won't do any sort of checking on what you have running).

    Regards,

    John Smedley
    President and CEO
    Verant Interactive, Inc.

    So to summarize, Verant apologized for their planned policy even though 83% of their player base supported it because they realized it was wrong to scan their computers. They even apologized for not stating previously in their EULA that they scanned and downloaded information to their users for patching (which all online games do).

    Here's a posting from the EverQuest Message Boards by Gordon Wrinn, the Verant Customer Service Rep, in reply to a comment by a player.

    [In Reply To: Scanning my tasklist for hack programs is not that big of a deal and if it gets rid of the hackers anyway, I say go for it. IMO it is not an invasion of privacy to do this. I give out more information, personal information, every time I use my credit card at the store ]

    Unfortunately it is a case where paranoia ended up winning out. I think that we could definitely have done a better job explaining what it was we were doing, and that would have led to a bit more buy-in. Instead, some people decided to make up reports that we were scanning directory trees (false), internet files (false), internet history (false), cookies (false), and email (false), and unfortunately many people believed them.

    The general paranoia resulted from the assumption that we (meaning: our servers) were actively collecting information from your system. This simply wasn't the case. The client simply would examine a small subset of information on your system, none of it containing information personally identifiable to a third party, and only send it to our server in the event that you were "running" an illegal program at the same time you ran EQ. We had absolutely no interest in what was installed on your system, only what you were running when you connected to ours.

    I think privacy is important as well, but I don't really care about what a piece of client software is doing on my system. I only care when that piece of client software is transmitting information from my system to an outside source. In this case, the only time any data transmission was to take place was when something bad was found by the client. There was to be no server-side analysis of raw data. I'm sure that most people would agree that we do have a right to ensure that our software license is being complied with.

    In any case, I guess it's water under the bridge now. I'll blame Hollywood for all of the misunderstandings.

    -Gordon

    While I don't agree with all his views, I do see where he's coming from. His viewpoint reflects the majority of EQ players.

    Hope that cleared a few things up.

    "A person reveals his character by nothing so clearly as the joke he resents."

  40. Re:I was marginally involved in developing ShowEQ by itarget · · Score: 2

    You could compare it with an anal probe. Some people are actually into that sort of thing... I just had no idea it was 80% of 'em.
    All I know is that I'll never be able to look at the other people on the bus the same way again. :-P

    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.

    --

    "Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
  41. The real issues by The_Adept · · Score: 2
    There are two serious issues related to this thread. The first was the poorly worded addition to the EULA. The text (not sure if it's posted elsewhere on the thread) read:

    "You hereby grant us permission to download Game-related files to you. You also grant us permission to access, extract and upload (i) Game-related data as part of the patching process and (ii) data relating to any program that we, in our reasonable discretion, determine interferes with the proper operation of EverQuest."

    Now Mr. Smedley claimed that no hard disk scanning would be done but as you can tell from the wording just about anything is fair game.

    More disturbing is Mr. Smedley's admission that scanning and reporting was already being done. Supposedly only the task list was being scanned for an unknown list of running tasks and if one or more of them were running this information was reported back to Verant. This is disturbing because it clearly violates California Penal Code (section 502). (read the law here)

    Given the unauthorised scanning that took place before the proposed change to the EULA (which I think we all can agree that unilateral EULA changes are probably unenforceable, moreso than EULAs in general =), it was pretty hard to believe them.

    Verant is now in a position to be pursued for criminal prosecution and is also open for civil action according to 502. It will be interesting to watch this develop further.

    --
    The Adept -- Long distance motorcycle rider, player of video games, hacker at large, father of one
  42. Verant's Poll by Venture · · Score: 2
    People are bandying about that 83% approval as if it means something.

    a) That's 83% of the 15,000 who logged in while the poll was up. There are 200,000 active accounts.

    b) The poll was up during the day. That means they were polling children; the adults were all at work. It's pretty safe to say that most of those polled have no real appreciation of the implications of their ''yes'' answer.

    c) The poll did not even include the proposed EULA modification; it asked if people ''were comfortable with Verant scanning users' machines to find hacking programs'' That sounds a whole lot less objectionable than what the mod proposed.

    The very fact that they even considered such a move indicates that they have Lost It Completely. The fortress mentality has taken over.

    --
    "There's no easy way to be free" -- P. Townshend, _Slip Kid_
  43. Cheating is fun! by Logan · · Score: 3
    Some of us approach games from a less naive point of view. Rather than seeing them as the man expects us to (heh), we see a technical challenge. Games tend to define a goal, and game developers tend to encourage a single approach to achieving that goal. Cheaters approach a game from a more open viewpoint. In this regard cheaters are the innovators. Cheaters see that there is more than one way to achieve the stated goal. It is when script kiddies of the cheating world misuse these cheats that problems occur.

    logan

  44. Re:Verant and Drive Scanning by Stiletto · · Score: 3

    Hey, I blew my top :)

    Perhaps "incompetent management" would be a better description. Being part of the computer industry I've seen many cases where the engineers and coders want to do "the right thing", but management decides that they should do "the lazy thing" because it costs less or takes less time.

    Latency is a part of internet games. It is and always will be. Giving clients extra information in an attempt to hide it is just asking for trouble. In general a game client really should just be a dumb terminal, periodically receiving state updates from a server, and never being trusted. The problem of client trust is way beyond the scope of this slashdot article, but for the purposes of a game, the basic idea is that "The Client Can Never Be Trusted".

    When you assume a client is trustworthy, for whatever reason (trying to reduce the appearance of lag) you open yourself up to cheating. This is a choice Verant made when they developed the game, and one they should now accept and deal with.
    ________________________________

  45. Re:A quick note: by GoofyBoy · · Score: 3

    >The scanner in question did NOT scan registry, HD, browser history, etc.

    But the change in the EULA would allow them to do this. With no legal restrictions, no matter what they said.

    >The Verant Management has maintained a very open line of communication with their customer base,

    Really? They had an "April Fools" joke recently which caused an outrage from its customers, mainly because they didn't TRUST Verant that it was a joke.

    >a mandatory poll of the users asking them about allowing Verant to scan for cheating programs

    There was nothing mandatory about it. The poll was only created because so many people were outraged because of it.

    >(80+% agreed with the scanning).

    Which question? There were two forms of questions during the poll. The first being something like "Do you agree that Verant should stop hacking programs?" Don't you think that's a bit biased?

    >I'm at a loss to think of a better resolution to deal with people acting like scumbags.

    As I mentioned in another post, what they wanted to get rid of is ShowEQ. They can limit its functionality greatly just by not sending so much irrelevant information.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  46. Devil's Advocate by Lightwarrior · · Score: 3

    First off, 90% of any post I see related to EQ is always bashing Verant for one reason or another. I think a lot of these posts aren't warranted, and their authors aren't giving Verant a fair chance. But this is the same for any corporation / company... when anything goes wrong, or doesn't go the way they want it to, people scream and yell and say "SEE! *THIS* is capitalism at work!" You're all crazy.
    Capitalism at work is keeping your customers happy. If they're happy, they'll keep coming back to buy your product.

    When Verant announced they were going to scan your tasklist for cheat programs, they also put a poll in at the login screen, stating something to the nature of "Do you have a problem with Verant checking for cheat programs when you run EQ?"

    That's right - they *ask* their users for their opinions.

    And *despite* the fact that 83% (out of 15000) responded they were fine with running a check for cheating, *Verant decided not to do it*. Why?

    Because enough people had stated they felt it was chipping too much into their privacy.

    But the worst part is that people decided to make up ways Verant was checking for these hack/cheating programs... for example, scanning directory trees (false), internet files (false), internet history (false), cookies (false), and email (false).

    What was the check supposed to do? "The client simply would examine a small subset of information on your system, none of it containing information personally identifiable to a third party, and only send it to our server in the event that you were "running" an illegal program at the same time you ran EQ." I'm assuming here "illegal program" means a program designed to give a user an advantage over other users in EQ.

    I understand some people would say this is an invasion of privacy. Some of those people are honestly worried about the continuous breach in our privacy in general. I'm willing to bet that the majority of people who cried "Foul!" were worried they wouldn't get to use their cheat programs anymore.
    Or, they were the people who find a reason to scream "SEE! Capitalism at work! Invasion of privacy! Invasion of privacy!" when it isn't justified.

    This post is way too long already, but I've got more to say on the issue. If you disagree, or agree, post and we'll talk.

    The information I used in this post can be found at EQ Stratics or The EQ Vault.

    lw

    --
    Mods: Disagreeing with me != my post Offtopic / Flamebait.
    World without hate or war, invaded. Tragic?
  47. Is Everyone At Fault? by EXTomar · · Score: 3

    Is it Verant and the designers of EQ for being somewhat lax in their design? It is one thing that the server has to tell the client where all of the dynamic objects in the world are positioned, it is something else to blatantly tell the client extra junk about them. There is no particular reason why the client needs to know the exact hit points of a creature. It should have been broadcast to the client as a percentage, which in the end is what the player ends up seeing. If they were really concerned about people "eavesdropping", they should have encrypted the data streams. Scanning the computer to see if hacker tools are employed is a weak attempt to stop this kind of exploit, at best, and, at worse, it is wrong.

    In another sense, Verant and EQ are trying to act in the best interest of the game. How many people will continue to play a game of Chess against a person who is blatantly cheating? EQ should probably be no different. I want them to actively keep the game from descending into a hacker's paradise.

    Is it the players who are at fault for trying such junk in the first place? And please don't quote me "the players pay have a right to do what they want" because that isn't true. By agreeing to play any game, you agree to follow a certain framework of rules. If a cheater is playing someone in a game of real-world Chess and the cheater is caught cheating, they really have no defense. EQ should be no different. The "neutral tool" argument doesn't really work here either (i.e. 'hammer is a tool that does some good things and bad things...do we outlaw hammers?'). ShowEQ isn't a generic tool that has other applications. It was designed for one purpose and one purpose only. If ShowEQ was designed for "academic reason" that is one thing but I have a hard time believing so many people are interested in ShowEQ because it teaches useful programming skills.

    In another sense, players should push Verant and the EQ Architecture to the limit. The only way the game will get better is if the players push on Verant to improve it. As mentioned before, the fact that you can listen to packets flying by and find out extra information indicates a weakness in their design. It should be pointed out that one of the useful things that came out of ShowEQ is that it was shown that redundant information was coming back from the server. Verant did take note and said they would do something about it (although I'm unclear whether or not they actually fixed it. ^_^). How can the players do this without actually figuring out how some of the game works?

    IMHO, both sides blew this way out of proportion. Verant didn't think things through when they wanted to stop players from packet listening and came up with the wrong solution. Instead of wasting time and effort into figuring out how to detect packet sniffing, they should be putting time and effort into fixing the real problem: too much information is sent over the wire. Players blew this way out of proportion because Verant basically said "We don't really care if you have hacking tools...just don't use them while playing EQ" but many read much more into it. If you are going to do something questionable, shady, etc. you probably shouldn't be doing it in "plain sight" (yes, on Windows 95/98, the hard disk is plain sight...everything in Windows 95/98 is in plain sight) especially after you've been warned.
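
    Added example, not part of the comment above and not Verant's code: the design point raised in this comment and in Stiletto's "dumb terminal" comment, shown as a server that sends full state next to one that sends only nearby entities and a health percentage. The entity fields, the view radius and the JSON wire format are assumptions made for illustration.

```python
import json
import math
from dataclasses import dataclass, field, asdict


# Constructed sample world. Field names and numbers are assumptions,
# not EverQuest's real data model or wire format.
@dataclass
class Entity:
    eid: int
    name: str
    x: float
    y: float
    hp: int
    max_hp: int
    loot: list = field(default_factory=list)


WORLD = [
    Entity(1, "a will-o-wisp", 900.0, 850.0, 120, 120, ["rare lightstone"]),
    Entity(2, "a gnoll pup", 12.0, 9.0, 7, 35, ["2 copper"]),
    Entity(3, "a decaying skeleton", 40.0, 30.0, 20, 20, []),
]

VIEW_RADIUS = 60.0  # assumed distance at which the client can draw an entity


def naive_update(entities):
    """Over-sharing design: serialize the full server state of every entity."""
    return json.dumps([asdict(e) for e in entities])


def minimal_update(player_xy, entities, radius=VIEW_RADIUS):
    """Send only what the client must render: nearby entities, a health
    percentage instead of raw hit points, and no loot table."""
    px, py = player_xy
    visible = []
    for e in entities:
        if math.hypot(e.x - px, e.y - py) > radius:
            continue  # out of sight: the client never hears about it
        visible.append({
            "eid": e.eid,
            "name": e.name,
            "x": e.x,
            "y": e.y,
            # The health bar only ever shows a percentage.
            "hp_pct": round(100 * e.hp / e.max_hp) if e.max_hp else 0,
        })
    return json.dumps(visible)


def sniffer_learns(packet):
    """What a passive listener on the wire can recover from one update."""
    decoded = json.loads(packet)
    return {
        "entities": sorted(d["name"] for d in decoded),
        "fields": sorted({key for d in decoded for key in d}),
    }


if __name__ == "__main__":
    player = (10.0, 10.0)
    print("naive  :", sniffer_learns(naive_update(WORLD)))
    print("minimal:", sniffer_learns(minimal_update(player, WORLD)))
```

    With the naive update a listener sees the distant spawn and its loot; with the minimal update neither ever reaches the client machine, so there is nothing on the player's computer to scan for.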

  48. Security in Online Games by deefer · · Score: 3
    I'm glad that this company has backed down over this. But whilst their method of trying to ensure a level playing field for all was clumsy, at least they had players' interests at heart. The only game I play online right now is Unreal, and when I'm getting my butt kicked every which way I have to wonder... Is that guy that just fragged me really good, or has he got a software advantage? The thing is, I don't know. How would you go about making sure that no one is cheating in an online game? You can checksum the executable, but that can be forged. And how do you go about making sure that there are no little packet interceptors which correct your aim?
    /.ers are always willing to disregard "security through obscurity", but how would you design an open method to go about this, aiming to get 100% surety that no one is cheating?

    Strong data typing is for those with weak minds.

  49. Doubleclick,the Feds and Verant by 348 · · Score: 3

    Doubleclick, the Feds and Verant all seem to be in the same business. Doubleclick for obvious reasons, the Fed this week pumping the Bill S. 2092, which will give the federal government's ``trap and trace'' authority, and now Verant. Law enforcement and now mainstream business views the Fourth Amendment as the problem. That's the piece of the Bill of Rights that protects ``persons, houses, papers and effects against unreasonable searches and seizures''-- with no mention of data and what it represents. And so now, the corporations and the government want to force manufacturers to build surveillance into technology, all but eliminating another basic right of privacy.

    --

    More race stuff in one place,
    than any one place on the net.

  50. ..in a related story.. by Alien+Perspective · · Score: 3
    ...the authors of hacking tools included code that checks for the presence of EverQuest during installation, and, if present, installs the "extra-strength super-dooper stealth" version.

    Those who attempt 'security through obscurity' achieve 'obscurity through stupidity'. Frankly, I prefer 'security through perversity'.

  51. I play EQ by Daddio · · Score: 3

    I play EQ and as anyone else who plays knows EVERY TIME you log on they require you to read and agree to the license. It has been a long standing joke that they change the license regularly without telling us.

    This is, while I can see their side, just the latest in turning the world of Norrath into more of a police state. Over the last few months they have recruited more guides (read police) to enforce their new play nice policy.

    Basically the policy is that anyone who pisses off anyone else is up for disciplinary action that includes suspension and expulsion. (sounds like high school no?) While on the one hand they have created a very nice game and are wildly successful, that success has caused growing pains on their side.

    A few examples of the pains are the fact that each server is designed to have 1000 - 1200 people playing on it at any one time, you are hard pressed to find any server that has less than 1800 users and many are hitting 2000 during peak hours. For those that haven't experienced it, once you select a server that is where your avatar lives its life, forever. No crossing from one server to another. As your friends join up they want to hang w you so they join your server, compounding the problem.

    This excess of players stresses the system on two fronts: of course the technical side, with zones and servers crashing sometimes for days losing the entire player database, but also the in game resources are pushed having not been designed for that many people. This causes a shortage of things to do with people camping waiting for the first enemy to appear and not only battle the enemy but argue with other players over who it belongs to. This breeds animosity among players who are NOT allowed to kill one another (except under certain mutually agreed circumstance). So now maybe you understand. While Verant has learned from the mistakes of Ultima they have still created their own special problems.

    Overall though the game is so very well done and when it works the experience is so cool that we all hang out and keep playing. For the uninitiated all I can say is that the social aspects of the game are in my opinion what keep people playing.

    daddio

  52. Its covered blow by blow here by Anonymous Coward · · Score: 4

    http://lum.xrgaming.net scroll down a bit, its got about 6 posts with letters from Verant President John Smedley himself, + Verant lawyers.

  53. Why shouldn't they worry? by Anonymous Coward · · Score: 4

    Let's face it, people who game online like to get the edge over their opponents, and one of the ways they do this is to cheat. There is a proliferation of tools to do this for various online games, and users can easily find them on the net.

    When even one person cheats it makes the entire game less fun for everyone else playing it. Instead of a test of skill it becomes a farce, with little or no skill being required to win or proceed. Verant, obviously worried about the quality and fun of their game EverQuest, were being entirely reasonable by wanting to prevent the use of cheating tools.

    Given this concern, the only reasonable and effective thing for them to have done was to scan the user's hard drive for said cheating tool. This isn't a privacy issue - they're only scanning for a tool which will lessen everybody's enjoyment of their game. If you are against this then you are letting people ruin the game by cheating, which is hardly fair to other users.

  54. Privacy Violation over EVERQUEST? by John_Prophet · · Score: 4

    Ridiculous. I can't say I'm surprised though. A bunch of suits sitting around a board room discussing their moneymaker and saying "Hmm. We need a way to keep the game fair. I know, let's require anybody who wants to play to give us total access to their computers. They ought to go for that."

    The game has YET to be invented that will make me want to trade in my privacy in order that I might keep some other guy from getting some extra HP or resources by cheating.

    Not to mention that if you have to cheat at a game just to be competitive -- how much fun can it possibly be?

    ... kinda like the problem with playing Quake online... The levels are completely unimaginative, and it comes down to ping speed & hardware to decide the winner. Adding things like LIMITED weapons, ammo & powerups would require people to conserve their ammo and to play strategically, rather than switching over to rocket launcher, putting it on autorun and holding down their fire button.

    But it's all just games anyway, right? Relax, people. Have fun. Stop nosing around on my PC.


    -The Reverend

    --
    -The Reverend (I am not a Nazi nor a Troll)
    =(.\')=
  55. Re:Further progress in protecting online privacy by Gurlia · · Score: 4

    You bring up a very good point. Customers are able to influence a big company's decisions, especially on issues like privacy. One key point I'd like to highlight is this: they can only do this if they are informed. I think it's extremely important that we try our best to make the average Joe user aware of all the potential violations of privacy that are going on today. The reason that so many users today have such poor habits online (in terms of protecting their own privacy) is because they aren't aware of it.

    This may be a bit off-topic, but I think this principle can be applied to other things too. Such as things like DMCA. It went by because very few were actually aware of the threats it represents. But if the average Joe user is made aware of these issues, I'm sure the masses will be able to force the powers that be to change things. Just like this case: imagine if nobody knew that the latest Everquest upgrade scanned their computers. Nothing would be done about it, and privacy will be compromised. But once people found out about it, they took action, and things changed. I'm sure this can happen on other areas too, like DMCA, etc..

    --
    mikre he sophia he tou Mikrosophou.
  56. Verant Reveals Its Hand by Effugas · · Score: 5

    The question is no longer whether Verant *ought* to rummage through its user's computers looking for whatever it feels like.

    The question is, what prevents anyone else from doing so?

    If Verant can modify Everquest such that it ships with Back Orifice 2000, and the only thing that prevented them from doing so was the (thankfully effective!) fear of inadequate liability disclaimers, what *exactly* prevents anyone else, who *doesn't* particularly worry so much about the law, from attacking any Everquest player they please with a trojan'd update?

    I betcha nothing but the network, as if "well, it came from Verant's DNS name, so it *can't* be spoofable." *sigh* I'm reminded of the Genie from Aladdin..."PHENOMENAL COSMIC POWERS...itty bitty security." Oh, and toss in a little bit of obscurity to be on the safe side.

    I should be fair. There's an off chance that there's some cryptographic protection against such an attack being used by Verant. That'd be nice. I'd like that, as I do cryptography. Day in, day out, it's what I've been living, breathing, thinking, and scheming. And ya know what? I had a total compromise sitting around in my design, because I forgot the (rather simple, but marginally obscure fact) that it's rather trivial to convert a private key back into its public key equivalent. (Moral of the story, folks: Possession of a public key authenticates NOTHING.) Stupid problem, easy to fix, but then, that's my *job* right now.

    I doubt I have an equivalent at Verant.

    At best, Verant is employing some painfully inadequate public signature verification key to make sure that an update actually came from them. Rather likely, they're using some symmetric algorithm (RC2/RC4 most likely, as they're easily exportable) with a broken key length--not that it matters, since if they're using a symmetric key to authenticate the packages, then the same key that Verant used to sign the update shipped with every copy of Everquest--*cough* itty bitty security. Same shtick if they use an MD5-signature variant--the "key" used to authenticate the package as coming from Verant and not Joe Cracker necessarily gets shipped with each box.

    Of course, who am I kidding. We'd be lucky if there's an XOR in the lot. (XOR, for the non-cryptographers out there, is a thoroughly broken but easy to implement logic operation that one can run on data to make it "appear" encrypted. Appearances...can be deceiving.)

    Folks, this is a *real* problem. Whenever you're doing crypto, you have to separate the world into Us vs. Them. I don't have a problem trusting Verant--they've got deep pockets, they've got skittish lawyers, and if they try anything, we'll see 'em telegraph it in the licensing agreement. (And if they do things without changing the agreement, We Know Where They Live.) So, for the moment, "Us" is Verant and Me, as an Individual Gamer. Them is every *other* gamer, malcontent, and kangaroo down under.

    The question to ask yourself, is: What allows Us to determine what code is executed on the client machine, and not Them?

    The next question to ask yourself is, since *you're* the one at risk with the client machine, and not Verant, how likely is it that Verant even broke a sweat regarding the answer to the previous question?

    Great. Verant isn't going to hack their users, out of the goodness of their lawyers' paranoia. So who will?

    What about other games here, folks? Am I the only one noticing that large portions of the Windows software space are suddenly becoming net enabled for no other reason but to deliver ads (at best) and trojans (over time)?

    This isn't the first time I've run a company through the wringer over automatic execution of code (both Microsoft and Novell have painfully inadequate checking on their login script functionality; more at www.doxpara.com), but as much as /. likes to bash Microsoft, at least MS can be assured to have considered cryptographic protections.

    Sure, they rejected 'em, but still...you gotta know they at least considered 'em. Verant, on the other hand?

    Does anyone know?

    Email or reply if any of this concerns you. I've had some interesting responses planned to this trend that I just haven't had the resources to implement. With some help, we might actually be able to...deal with this situation.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
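
The point in comment 56 about symmetric keys shipped with every client, as an added example that is not part of the original thread and does not reflect how any real patcher worked. A Lamport one-time signature stands in for a production signature scheme so the sketch needs only the standard library; every name and sample value below is an assumption constructed for illustration.

```python
import hashlib
import hmac
import os

# Scheme A: symmetric MAC. The key that checks a tag is the key that makes one.
SHIPPED_KEY = b"constructed-key-embedded-in-every-client"  # constructed value

def mac_tag(key: bytes, update: bytes) -> bytes:
    return hmac.new(key, update, hashlib.sha256).digest()

def client_accepts_mac(update: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(SHIPPED_KEY, update), tag)

# Scheme B: Lamport one-time signature. The client holds only hashes (public key).
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(update: bytes) -> list:
    d = H(update)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, update: bytes) -> list:
    # Reveal one secret per digest bit; a key pair must sign only one update.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(update))]

def lamport_verify(pk, update: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    checks = [hmac.compare_digest(H(s), pk[i][bit])
              for i, (bit, s) in enumerate(zip(digest_bits(update), sig))]
    return all(checks)

def compare_schemes():
    genuine = b"update-1 payload (constructed)"
    other = b"different payload (constructed)"
    # A: any holder of a client can compute a tag the client accepts.
    mac_other_accepted = client_accepts_mac(other, mac_tag(SHIPPED_KEY, other))
    # B: only the publisher has sk; the shipped pk and a seen signature
    # do not validate any other payload.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, genuine)
    return (mac_other_accepted,
            lamport_verify(pk, genuine, sig),
            lamport_verify(pk, other, sig))

if __name__ == "__main__":
    print(compare_schemes())
```

The first result shows that a MAC check with a shipped key cannot tell the publisher from any other holder of the client; the other two show a verifier that can check a signature without being able to produce one.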

  57. The real story... by GrimJack · · Score: 5

    For those that don't have the time or inclination to look at the whole story here's the deal as I observed it over the last little while.

    First, Everquest doesn't have that large of a real cheating problem; they're very good at logging any strange client behaviour and banning people the minute they're caught. However, a program was released to the public domain a while back called ShowEQ. This program is a passive sniffer that reads the data stream between the client and the server and displays data that gives the user an advantage over other players; basically it's a realtime map of all the monsters in a zone with their hps and level.

    Verant has been trying to combat this for a while by constantly changing their encryption scheme but has thus far been unsuccessful in locking the people maintaining the program out for more than a few days.

    ShowEQ ran on Linux; recently someone released a Windows version and this is what Verant claims they were scanning for. (The passive client on Linux is really impossible for them to detect.)

    Someone recently posted a message on the EQ message boards asking why Verant was scanning the task list of their computer and uploading what was running back to the servers. This is prior to the announcement that they wanted to do this, btw. Verant was extremely quiet about this thread until the announcement was made that they were changing the end user license, which you have to agree to every time you start the Everquest client.

    All these threads are still available and it's somewhat interesting to read what Verant's reps posted in response. If you want to see, check http://everquest.station.sony.com and click on the message boards link.

    Part of Verant's problem is they've been fostering a real Us vs the Players attitude. (Although they probably don't intend to, but anyone who's been on a MUS* before realizes that it's just part of the lifecycle of such games.) By refusing to answer player questions about game mechanics and such, some people have used ShowEQ to get real answers to these questions, such as how the experience system works and such.

  58. I was marginally involved in developing ShowEQ by EQ · · Score: 5

    And it's simply an RE job on the datastream. Passive, nothing more. All it does is let you see the REAL numbers behind the game that Verant tries to hide with handwaving and frantic knees-bent running about behavior.

    The reason? They have some severe design flaws in their game, as well as a piss poor and arrogant attitude toward their player base. The only reason they are raking it in is because nobody else has such a thing on the market yet. They were stomping sites until it got moved to www.hackersquest.gomp.ch, (notice the NON-us addy?) a host site that doesn't have anyone that clicked the Verant EULA, and so far seems immune to their lawyers.

    And the prog runs on a separate Linux box: using NAT/ipchains and routing the win box thru the linux box is best, but it can also put the ethX device into promisc and sniff the data. So, really, there isn't jack they can do about detecting it. They seemed to live with this until... What brought this "corporate sniffing" on is that someone took the open source and did a windows port. So every little k3w3l d00d and wannabe could use it.

    Verant went into Corporate panic mode - typical of their nasty anti-gamer managerial mindset. Verant went psycho trying to stop it.

    But the scariest thing is: when they polled 15,000 of their users, 83% agreed to let Verant search their HD as a precondition of playing the game!!!

    What kind of sheep are these? I pity the folks who will need to depend on such weak and obedient asses who will kneel down for a company just to be allowed to play a game that they are already paying for!

    EQ players who said Yes in that poll, you should be ashamed!

    --
    Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO

  59. Further progress in protecting online privacy by nlvp · · Score: 5

    Isn't it interesting how this particular arena (privacy) seems to put so much more power in the hands of the consumer than any other?

    I think it's because when someone's privacy gets threatened, they feel much more quickly capable of taking significant action, to the extent that they're willing to switch provider, give up a forum or a game they enjoy, or use alternatives (sometimes of dubious legality), in order to protect it.

    In terms of the influences faced by online companies today, it seems to be quite a high priority to satisfy the privacy needs of customers, even though this is not a natural consequence of their desire to make profits, but rather caused by an obsession (healthy, in my opinion) with privacy on the part of individuals.

    We've seen quite a few radical reversals of policy on the part of some very large corporations (Doubleclick or Intel for example), which would seem to imply that online consumers, as a separately identifiable group, are becoming quite powerful in their own right.

    Long may it last!

  60. A quick note: by Wow8agger · · Score: 5

    I think it's important to note before the standard Slashdot privacy feeding frenzy starts that Verant has done their best to act responsibly on this issue. A couple things to pay attention to:

    The scanner in question did NOT scan registry, HD, browser history, etc. It was doing latency checks (for proxy server goofiness) and running task checks.

    The Verant Management has maintained a very open line of communication with their customer base, including a producer letter, EULA modifications (with explanations to the users), IRC chats with Sony lawyers, and a mandatory poll of the users asking them about allowing Verant to scan for cheating programs (80+% agreed with the scanning).

    Admittedly, I don't like people looking at what's going on with my computer in any way shape or form, but I'm at a loss to think of a better resolution to deal with people acting like scumbags.

    -Matt Burch
    Everquest Junkie

  61. Verant and Drive Scanning by Chester+K · · Score: 5

    I run a fairly large EverQuest-related humor site, so I've been following this issue since it started (even if only to make fun of it).

    What's happening here is a thorny problem where individual "privacy" headbutts with everyone's best interests.

    A quick background for those not in the know, Verant Interactive produces and maintains EverQuest, a massively-multiplayer online role-playing game. Thousands of players connect to Verant-administered servers and play alongside other players in a persistent world. It's the second major-market title in the MMORPG genre started by Ultima Online.

    The way these games work is centralized servers store all the state information about the virtual world. To be general, nothing is stored client-side. This is required, because unlike games like Quake, the world is persistent. An early incarnation of this type of game was Diablo. The main difference between the newer games (UO and EQ) and Diablo is that with Diablo, all your character information was stored client-side. This became a major problem for the game, as it was only a matter of time before the file formats were reverse-engineered and people started modifying their characters to be super-powered.

    By storing the information server-side, this type of cheating is avoided. No matter what you do, there will always be people who want to cheat, and if the information is stored server-side, people will try to exploit the server to cheat, or will "enhance" their client software in order to give them an unfair advantage in the game. Ultima Online has had a long history of dealing with this type of problem. Many security weaknesses in the UO servers were discovered (and fixed), but at the same time, these weaknesses were exploited by people, most often to do devastating things to other players of the game.

    Recently, EQ has had the same things happening to it. A program known as "Show-EQ" has been around for quite some time, which simply gives a player an unfair advantage in the game. Verant has dealt with this in a subtle manner, changing their client/server data stream every so often to set back development of the utility.

    In the past couple weeks, other programs for EQ have begun to pop up, with more nefarious purposes. The EverQuest servers have been crashed on more than one occasion by these programs. This is what brought Verant to suggesting drive-scanning. It's one thing if someone is just cheating, but it's another thing completely if they're maliciously trying to crash the game.

    They took their first countermeasures not too long ago, by adding a feature to the client software that scans your Windows task list and looks for these "external utilities". If it finds one, it flips an "I'm a cheater" flag on your account and you end up with a cancelled EQ account.

    They proposed to extend their search to the hard drive, to see if any of these programs even exist on your system... and this is where people started to get upset.

    Verant has been very open and forthcoming about the proposed changes, keeping active discussions regarding the issue on the various websites dedicated to EverQuest, offering reasoning and explanations of the scanning process, and they even required all users to answer a poll question regarding the issue on login to the game (which turned up 80%+ in favor of the scanning).

    Even with the overwhelming support of the scanning by their playerbase, they responsibly decided to back down on the issue.

    Now granted, what they suggested could be a huge tool for abuse and privacy intrusion, but they did not try to "sneak" it past their users in any form. What they were proposing was nothing compared to some of the things that people thought they were planning on doing (there have been some heated arguments about it the past few days).

    In short, it's not really that they intended to intrude on people's privacy, but that they were seeking to increase the quality of their service and actually have a way to enforce their "no cheating" rules.

    Verant should be commended on their responsible handling of this entire incident, not trashed in the court of public opinion based on reports that only tell half the story, like the one posted here on Slashdot.

    --

    NO CARRIER