Slashdot Mirror
Verant Backs Down On Drive-Scanning
fastpage writes, "Verant, the people who bring you Everquest, are backing down on scanning users' computers for anything they want to prevent cheating."
Read
the CNET story.
"I guess getting Web sites shut down to prevent the distribution of ShowEQ wasn't enough."
http://lum.xrgaming.net scroll down a bit, its got about 6 posts with letters from Verant President John Smedley himself, + Verant lawyers.
Lets face it, people who game online like to get the edge over their opponents, and one of the ways they do this is to cheat. There is a proliferation of tools to do this for various online games, and users can easily find them on the net.
When even one person cheats it makes the entire game less fun for everyone else playing it. Instead of a test of skill it becomes a farce, with little or no skill being required to win or proceed. Verant, obviously worried about the quality and fun of their game EverQuest, were being entirely reasonable by wanting to prevent the use of cheating tools.
Given this concern, the only reasonable and effective thing for them to have done was to scan the user's hard drive for said cheating tool. This isn't a privacy issue - they're only scanning for a tool which will lessen everybody's enjoyment of their game. If you are are against this then you are letting people ruin the game by cheating, which is hardly fair to other users.
Ridiculous. I can't say I'm surprised though. A bunch of suits sitting around a board room discussing their moneymaker and saying "Hmm. we need a way to keep the game fair. I know, let's require anybody who wants to play to give us total access to their computers. They ought to go for that."
The game has YET to be invented that will make me want to trade in my privacy in order that I might keep some other guy from getting some extra HP or resources by cheating.
Not to mention that if you have to cheat at a game just to be competative -- how much fun can it possibly be?
... kinda like the problem with playing Quake online... The levels are completely unimaginative, and it comes down to ping speed & hardware to decide the winner. Adding things like LIMITED weapons, ammo & powerups would require people to conserve their ammo and to play strategically, rather than switching over to rocket launcher, putting it on autorun and holding down their fire button.
But it's all just games anyway, right? Relax, people. Have fun. Stop nosing around on my PC.
-The Reverend
-The Reverend (I am not a Nazi nor a Troll)
=(.\')=
You bring up a very good point. Customers are able to influence a big company's decisions, especially on issues like privacy. One key point I'd like to highlight is this: they can only do this if they are informed. I think it's extremely important that we try out best to make the average Joe user aware of all the potential violations of privacy that's going on today. The reason that so many users today have such poor habits online (in terms of protecting their own privacy) is because they aren't aware of it.
This may be a bit off-topic, but I think this principle can be applied to other things too. Such as things like DMCA. It went by because very few were actually aware of the threats it represents. But if the average Joe user is made aware of these issues, I'm sure the masses will be able to force the powers that be to change things. Just like this case: imagine if nobody knew that the latest Everquest upgrade scanned their computers. Nothing would be done about it, and privacy will be compromised. But once people found out about it, they took action, and things changed. I'm sure this can happen on other areas too, like DMCA, etc..
mikre he sophia he tou Mikrosophou.
The question is no longer whether Verant *ought* to rummage through its user's computers looking for whatever it feels like.
/. likes to bash Microsoft, at least MS can be assured to have considered cryptographic protections.
The question is, what prevents anyone else from doing so?
If Verant can modify Everquest such that it ships with Back Orifice 2000, and the only thing that prevented them from doing so was the (thankfully effective!) fear of inadequate liability disclaimers, what *exactly* prevents anyone else, who *doesn't* particularly worry so much about the law, from attacking any Everquest player they please with a trojan'd update?
I betcha nothing but the network, as if "well, it came from Verant's DNS name, so it *can't* be spoofable." *sigh* I'm reminded of the Genie from Alladin..."PHENOMENAL COSMIC POWERS...itty bitty security." Oh, and toss in a little bit of obscurity to be on the safe side.
I should be fair. There's an off chance that there's some cryptographic protection against such an attack being sued by Verant. That'd be nice. I'd like that, as I do cryptography. Day in, day out, it's what I've been living, breathing, thinking, and scheming. And ya know what? I had a total compromise sitting around in my design, because I forgot the (rather simple, but marginally obscure fact) that it's rather trivial to convert a private key back into its public key equivalent. (Moral of the story, folks: Possession of a public key authenticates NOTHING.) Stupid problem, easy to fix, but then, that's my *job* right now.
I doubt I have an equivalent at Verant.
At best, Verant is employing some painfully inadequate public signature verification key to make sure that an update actually came from them. Rather likely, they're using some symmetric algorithm(RC2/RC4 most likely, as they're easily exportable) with a broken key length--not that it matters, since if they're using a symmetric key to authenticate the packages, then the same key that Verant used to sign the update shipped with every copy of Everquest--*cough* itty bitty security. Same shtick if they use a MD5-signature variant--the "key" used to authenticate the package as coming from Verant and not Joe Cracker necessarily gets shipped with each box.
Of course, who am I kidding. We'd be lucky if there's an XOR in the lot. (XOR, for the non cryptographers out there, is a thoroughly broken but easy to implement logic operation that one can run on data to make it "appear" encrypted. Appearances...can be deceiving.)
Folks, this is a *real* problem. Whenever you're doing crypto, you have to separate the world into Us vs. Them. I don't have a problem trusting Verant--they've got deep pockets, they've got skittish lawyers, and if they try anything, we'll see 'em telegraph it in the licensing agreement. (And if they do things without changing the agreement, We Know Where They Live.) So, for the moment, "Us" is Verant and Me, as an Individual Gamer. Them is every *other* gamer, malcontent, and kangaroo down under.
The question to ask yourself, is: What allows Us to determine what code is executed on the client machine, and not Them?
The next question to ask yourself is, since *you're* the one at risk with the client machine, and not Verant, how likely is it that Verant even broke a sweat regarding the answer to the previous question?
Great. Verant isn't going to hack their users, out of the goodness of their lawyers paranoia. So who will?
What about other games here, folks? Am I the only one noticing that large portions of the Windows software space are suddenly becoming net enabled for no other reason but to deliver ads(at best) and trojans(over time)?
This isn't the first time I've run a company through the ringer over automatic execution of code(both Microsoft and Novell have painfully inadequate checking on their login script functionality; more at www.doxpara.com), but as much as
Sure, they rejected 'em, but still...you gotta know they at least considered 'em. Verant, on the other hand?
Does anyone know?
Email or reply if any of this concerns you. I've had some interesting reponses planned to this trend that I just haven't had the resources to implement. With some help, we might actually be able to...deal with this situation.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
For those that don't have the time or inclination to look at the whole story here's the deal as I observed it over the last little while.
First Everquest doesn't have that large of a real cheating problem, they're very good at logging any strange client behaviour and banning people the minute they're caught. However, a program was released to the public domain a while back called ShowEQ, this program is a passive sniffer that reads the data stream between the client and the server and displays data that gives the user an advantage over other players, basicly it's a realtime map of all the monsters in a zone with their hps and level.
Verant has been trying to combat this for a while by constantly changing their encryption scheme but has thus far been unsuccessful in locking the people maintaining the program out for more than a few days.
ShowEQ ran on Linux, recently someone released a Windows version and this is what verant claims they were scanning for (The passive client on linux is really impossible for them to detect)
Someone recently posted a message on the EQ message boards asking why verant was scanning the task list of their computer and uploading what was running back to the servers, this is prior to the announcement that they wanted to do this btw, Verant was extremely quiet about this thread until the announcement was made that they were changing the end user license which you have to agree to every time you start the everquest client.
All these threads are still available and it's somewhat interesting to read what Verant's reps posted in response. If you want to see check http://everquest.station.sony.com and click on the message boards link.
Part of Verant's problem is they've been fostering a real Us vs the Players attitude (Although they probably don't intend to, but anyone who's been on a MUS* before realizes that it's just part of the lifecyle of such games) By refusing to answer player questions about game mechanics and such, some people have used ShowEQ to get real answers to these questions, such as how the experience system works and such.
And its simply an RE job on the datastream. Passive, nothing more. All it does is lets you see the REAL numbers behind the game that Verant tries to hide with handwaving and frantic knees-bent running about behavior.
The reason? They have some severe design flaws in their game, as well as a piss poor and arrogant attitude toward their player base. The only reason they are raking it in is because nobody else has such a thing on the market yet. They were stomping sites until it got moved to www.hackersquest.gomp.ch, (notice the NON-us addy?) a host site that doesnt have anyone that clicked the Verant EULA, and so far seems immune to their lawyers.
And the prog runs on a separate Linux box: using NAT/ipchains and routing the win box thru the linux box is best, but it can also put the ethX device into promisc and sniff the data. So, really, there isnt jack they can do about detecting it. They seemd to live with this until... What brought this "corporate sniffing" on is that someone took the open source and did a windows port. So every little k3w3l d00d and wannebe could use it.
Verant went into Corporate panic mode - typical of their nasty anti-gamer managerial mindset. Verant went psycho trying to stop it.
But the scariest thing is: when they polled 15,000 of their users, 83% agreed to let Verant search their HD as a precondition of playing the game!!!
What kind of sheep are these? I pity the folks who will need to depend on such weak and obedient asses who will kneel down for a compny just to be allowed to play a game that they are already paying for!
EQ players who said Yes in that poll, you should be ashamed!
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
I think it's because when someone's privacy gets threatened, they feel much more quickly capable of taking significant action, to the extent that they're willing to switch provider, give up a forum or a game they enjoy, or use alternatives (sometimes of dubious legality), in order to protect it.
In terms of the influences faced by online companies today, it seems to be quite a high priority to satisfy the privacy needs of customers, even though this is not a natural consequence of their desire to make profits, but rather caused by an obsession (healthy, in my opinion) with privacy on the part of individuals.
We've seen quite a few radical reversals of policy on the part of some very large corporations (Doubleclick or Intel for example), which would seem to imply that online consumers, as a separately identifiable group, are becoming quite powerful in their own right.
Long may it last!
Salocin.com
I think it's important to note before the standard Slashdot privacy feeding frenzy starts that Verant has done their best to act responsibly on this issue. A couple things to pay attention: The scanner in question did NOT scan registry, HD, browser history, etc. It was doing latency checks (for proxy server goofiness) and running task checks. The Verant Management has maintained a very open line of communication with their customer base, including a producer letter, EULA modifications (with explanations to the users), IRC chats with Sony lawyers, and a mandatory poll of the users asking them about allowing Verant to scan for cheating programs (80+% agreed with the scanning). Admittedly, I don't like people looking at whats going on with my computer in any way shape or form, but I'm at a loss to think of a better resolution to deal with people acting like scumbags. -Matt Burch Everquest Junkie
I run a fairly large EverQuest-related humor site, so I've been following this issue since it started (even if only to make fun of it).
What's happening here is a thorny problem where individual "privacy" headbutts with everyone's best interests.
A quick background for those not in the know, Verant Interactive produces and maintains EverQuest, a massively-multiplayer online role-playing game. Thousands of players connect to Verant-administered servers and play alongside other players in a persistent world. It's the second major-market title in the MMORPG genre started by Ultima Online.
The way these games work is centralized servers store all the state information about the virtual world. To be general, nothing is stored client-side. This is required, because unlike games like Quake, the world is persistent. An early incarnation of this type of game was Diablo. The main difference between the newer games (UO and EQ) and Diablo is that with Diablo, all your character information was stored client-side. This became a major problem for the game, as it was only a matter of time before the file formats were reverse-engineered and people started modifying their characters to be super-powered.
By storing the information server-side, this type of cheating is avoided. No matter what you do, there will always be people who want to cheat, and if the information is stored server-side, people will try to exploit the server to cheat, or will "enhance" their client software in order to give them an unfair advantage in the game. Ultima Online has had a long history of dealing with this type of problem. Many security weaknesses in the UO servers were discovered (and fixed), but at the same time, these weaknesses were exploited by people, most often to do devestating things to other players of the game.
Recently, EQ has had the same things happening to it. A program known as "Show-EQ" has been around for quite some time, which simply gives a player an unfair advantage in the game. Verant has dealt with this in a subtle manner, changing their client/server data stream every so often to set back development of the utility.
In the past couple weeks, other programs for EQ have begun to pop up, with more nefarious purposes. The EverQuest servers have been crashed on more than one occasion by these programs. This is what brought Verant to suggesting drive-scanning. It's one thing if someone is just cheating, but it's another thing completely if they're maliciously trying to crash the game.
They took their first countermeasures not too long ago, by adding a feature to the client software that scans your Windows task list and looks for these "external utilities". If it finds one, it flips a "I'm a cheater" flag on your account and you end up with a cancelled EQ account.
They proposed to extend their search to the hard drive, to see if any of these programs even exist on your system... and this is where people started to get upset.
Verant has been very open and forthcoming about the proposed changes, keeping active discussions regarding the issue on the various websites dedicated to EverQuest, offering reasoning and explantions of the scanning process, and they even required all users to answer a poll question regarding the issue on login to the game (which turned up 80%+ in favor of the scanning).
Even with the overwhelming support of the scanning by their playerbase, they responsibly decided to back down on the issue.
Now granted, what they suggested could be a huge tool for abuse and privacy intrusion, but they did not try to "sneak" it past their users in any form. What they were proposing was nothing compared to some of the things that people thought they were planning on doing (there have been some heated arguments about it the past few days).
In short, its not really that they intended to intrude on people's privacy, but that they were seeking to increase the quality of their service and actually have a way to enforce their "no cheating" rules.
Verant should be commended on their responsible handling of this entire incident, not trashed in the court of public opinion based on reports that only tell half the story, like the one posted here on Slashdot.
NO CARRIER