EverQuest/Sony Fights Code Wars With Latest Expansion
The most recent expansion for EverQuest (Planes of Power) adds a lot of problem-solving quests to the game, so Sony beefed up the (long-since broken) encryption that they used for the client protocol. The expansion has been a major hit, pleasing some of the most critical voices in the EverQuest world, but one week later, the anonymous development team of ShowEQ had broken the new encryption. Read on for details of the ongoing battle over keeping secrets in plain sight.
First, the skinny on the latest EverQuest expansion, Planes of Power (PoP). Because this is an expansion chock-full of content for only the highest level characters in the game, Sony added some features that everyone would want (and thus, pay for): the ability to progress to level 65 (60 was the cap before); a new zone called the Plane of Knowledge which allows characters to move freely to all of the old game areas; and a feature that allows large groups to coordinate more easily. That's the carrot for the lower-end users, but really this is the first expansion to lock out even moderately experienced players in favor of large, strong in-game guilds.
Even so, the response has been almost all positive. Some players complain about the last-minute changes (especially the changes that made monks and druids less powerful in the high-end game), but those who are taking advantage of the new game areas are happy with the reduced time required for encounters and the fact that the game rewards strategy more than ever.
Planning, attention to detail and a fanatical focus on getting past every challenge that Sony presents are important in-game, but Sony is less than pleased by programmers who are just as happy to approach those challenges from outside of the game. Using Linux and Qt, ShowEQ is a packet sniffer that watches the EverQuest client protocol and displays a map of everything that the Windows client is privy to, but may not disclose to the player. Years ago, the ShowEQ developers discovered a weakness in the encryption that the client uses, and they have been able to reliably interpret the data ever since.
With the PoP release, Sony improved the encryption so that it used a larger key which was more securely chosen. At first, the talk on the ShowEQ IRC forum was gloomy and the normally secretive developers cloistered themselves off from the group, returning only rarely to proclaim the difficulty of breaking this new scheme. The protocol is not unlike that used by ssh or SSL. A public key is sent from Sony to the client, and the client uses that key to encrypt a random session key and send it to Sony. Theoretically, this approach is open to only a limited number of attacks, all of which run the risk of being detected by the client.
A former ShowEQ developer who was hired by Sony was reported to have said it's over: "you'll never break this"... One week later, the new version of ShowEQ was available via CVS and was working again. The new keys were vulnerable, it seems, to an even simpler form of analysis and the result was simply that ShowEQ worked significantly faster. In many ways, this seemed to simply be a "bonus quest" that Sony threw into the PoP expansion, and it had been beaten.
On Thursday, October 31 ShowEQ broke once again. The protocol now compresses key data to prevent the analysis that was limiting the keyspace that has to be searched. As of this writing, ShowEQ no longer works passively, but this escalation is not over. The latest version allows a user to input the key directly, and developers are hard at work, trying to find further weaknesses in the key generation and/or exchange. The developers are even starting to question the long-held, unwritten truce that they maintained with Sony. The idea was that if Sony did not make decryption require a Windows-side component, there would never be a Windows version, limiting the use of ShowEQ to those capable of getting ShowEQ working under Linux. Now, the party line is, "there is absolutely, positively no reason not to have a WinSEQ."
The technical details are interesting, but the social and legal details may take center-stage for a while. The seq team is trying to figure out what they could put on the client-side without being detected and that brings into question the legality of Sony scanning running processes and reporting back. There's also the matter of Sony's rather astoundingly harsh EULA that tries to preclude activities like this in every way that it can (though the legality of click-through EULAs is still a hot topic).
One problem with this escalation is that, like another product (TiVo, which is partially backed by Sony), the very people subverting the product and making it more than the creator wants it to be are the best customers. In terms of EverQuest, they are often the ones maintaining several accounts and/or spending extra money for the "Legends" service. How does a company contend with a market where your best customers are also your most resourceful? With the TiVo, there was an uneasy understanding between the company and its modders. Sony has broken that balance with EverQuest.
Now that Sony has crossed this Rubicon, it is quite likely that ShowEQ will be ported to Windows and hundreds if not thousands of new users will be introduced to it. Was that Sony's goal? Certainly Prof. Felten showed us that such a battle is ultimately futile. Why does Sony want to fight it again on yet another front (remember that they are an RIAA member)? Is there any financial justification here? Does mapping software really threaten the game more than the many in-game exploits that the high-end encounters suffer from?
PoP is a finely crafted fantasy gaming experience, but Sony has once again chosen to spend extra time and money hurting themselves and their market. Perhaps their competition will not make the same mistakes.
Raph Koster's rule of "the client is in the hands of the enemy" seems to have been forgotten by EQ's developers- if ShowEQ is such a problem, it's time, perhaps, that they stopped telling the client all these nasty things they didn't want it to know. I mean, I first remember ShowEQ coming 'round *3 years ago*. Why they haven't simply made the client ignorant of things it shouldn't know in all this time is beyond me.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
The big advantage people get from decoding the zone information is the name, and to some extent, the position of monsters all over the zone. If Sony changed EQ to only send data about monsters that are near you (within a reasonable distance) there would no longer be a big reason to decode the zone data. 99% of what you'd be seeing you could also see by turning in place, and clicking on each monster.
:)
Due to how the servers are set up however, it seems to be more efficient for them to send out all the monsters, rather than do the range calculations and just send the nearby ones.
My prediction, if a Windows version is released and becomes widespread (and I consider the latter likely if the former occurs), is that Sony will, finally, bite the bullet and change the code. It's not quite as straightforward as I may have made it sound, as there are some other systems (such as tracking) that will have to be significantly rewritten as well. However, if they really want to stop people getting at this data, really the only way to do it is to stop sending the parts that aren't needed.
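The range-limited sending proposed in the comment above, as an added example that is not part of the original thread and is not Sony's or ShowEQ's code: a grid index lets the server find nearby entities without a range calculation against every monster in the zone. The `Zone` class, the cell size, the view radius and the entity names are all assumptions made for illustration.

```python
import math
from collections import defaultdict

CELL = 100.0          # grid cell size in world units (assumed value)
VIEW_RADIUS = 250.0   # how far a client is allowed to "see" (assumed value)

class Zone:
    """Server-side zone state; only visible_to() output is ever sent to a client."""

    def __init__(self):
        self.pos = {}                   # entity id -> (x, y)
        self.grid = defaultdict(set)    # (cell_x, cell_y) -> entity ids

    @staticmethod
    def _cell(x, y):
        return (math.floor(x / CELL), math.floor(y / CELL))

    def move(self, eid, x, y):
        """Insert or move an entity, keeping the grid index in sync."""
        old = self.pos.get(eid)
        if old is not None:
            self.grid[self._cell(*old)].discard(eid)
        self.pos[eid] = (x, y)
        self.grid[self._cell(x, y)].add(eid)

    def visible_to(self, player_id, radius=VIEW_RADIUS):
        """Ids of entities within radius, scanning only the overlapping cells."""
        px, py = self.pos[player_id]
        cx, cy = self._cell(px, py)
        reach = math.ceil(radius / CELL)   # cells the radius can spill into
        found = set()
        for gx in range(cx - reach, cx + reach + 1):
            for gy in range(cy - reach, cy + reach + 1):
                for eid in self.grid.get((gx, gy), ()):
                    ex, ey = self.pos[eid]
                    if eid != player_id and math.hypot(ex - px, ey - py) <= radius:
                        found.add(eid)
        return found

def build_constructed_zone():
    """Constructed sample data: one player and three monsters."""
    z = Zone()
    z.move("player", 0.0, 0.0)
    z.move("gnoll", 120.0, 90.0)      # distance 150: sent to the client
    z.move("griffin", 250.0, 0.0)     # exactly on the radius: sent
    z.move("dragon", 900.0, -400.0)   # far side of the zone: withheld
    return z
```

A sniffer on the client's connection can then recover only what the player could already see; a feature such as tracking would be a separate server-side query with its own radius rather than a reason to ship the whole zone.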
I have never understood online gamers whining about their right to cheat. This article is talking about this as though it is some brave stand against a corporation doing something bad. This is about people cheating at a game. It ruins it for everyone playing fair. I fail to see why this should be applauded or supported, and I'm fairly shocked Michael wasn't the one posting this story.
Sadly, this is why consoles are going to take over for a while: The majority of players are simply sick with the cheaters. It was amazing to watch people immediately start to whine when MS disabled modded X-Boxes from Live. Sure you can say there were "legitimate" reasons to mod the boxes, but come on.
Of course, this only lasts until some "worthy" individual hooks up a box between the cable and the X-Box to start parsing out material.
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
Surely you kid, right? ShowEQ isn't used as a security program. It is a cheating tool. Even in its most beneficent uses, it is for cheating. Period. This has got to be the most sad apologies for cheating I've ever seen.
Sony made a game. Someone made a cheat program that unbalances the playing field. Sony has every right to try and disable this cheating program. However, their rights end where ours begin. But if they want to change the encryption in their program or make a client that monitors game traffic or the use of a specific cheat program mandatory for using the game, guess what? That's their right. You don't have to play the game.
And your analogy with ad programs that uninstall Ad-Aware is both faulty and inflammatory. Those programs are uninstalling a security program from your computer so that their spyware will work. Sony is just not letting you play their game if you have a known cheat tool running on your computer. Huge difference.
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
One of the weird things is, maybe they didn't "want" you to know how much damage things did, and not from a balance standpoint either. I have created modifications for the game Medal of Honor, Allied Assault Spearhead, and I do not want people to know all the exact values I have set for my weapons. To those who are curious and know what they are doing it is a relatively simple matter, but I feel it takes away some of my intent for everyone to know that the SMG does 45 damage or such. Imbalance is not a practically "bad" thing, even in an MMORPG. No, you wouldn't know your singing steel boots or whatever didn't work well until you wore them for a long time, and realized that they aren't perhaps as strong as your lambent whatevers. But that would be part of the interesting part of it. When you get into finding out direct stats you get to having players that are, sadly, like me, who will statistically approach the game, and quite possibly ruining the intent of the creators of the game and how the game is played. I am not decrying the fact that many things have been fixed because of SEQ, not at all, I am just saying that if it had not been around the game would be entirely different, the only way you would know things is from relative tested hearsay, which might even be more interesting.
If you don't vote, you don't matter, so don't waste your time telling me your opinion
Flame me all you want. Mod me down.
But anyone who doesn't condemn the actions of this group is no better than them.
This game belongs to Sony. They make the rules, so either play the game as its creators intended the game to be played or don't play it at all.
If you think that this app is a valuable addition to the game, convince Sony to accept it and help those wankers develop it. If they say no, then just go away. It's their game.
Otherwise, you're no better than the people who exploit the in-game weaknesses. A cheater.
/. Where the truth
Yes, the right to cheat exists. Yes, the right to make and run programs that let you cheat at games exists. All Sony is doing is preventing people who are running known cheating tools from playing on their world servers. They are not disabling the software. They are not modifying your computer in any way.
Your mp3 analogy is thought-provoking, but I think not valid. They are not taking the same forms. No one at Sony is legally going after users using the cheat tools. No cops are breaking down doors. No nastygrams are being sent to schools where the cheat tools are being run. The users' right to make and use cheat tools is not being infringed. What Sony is doing is preventing people using cheating tools from playing on their servers. Seems well within their rights to me.
Your solution of playing only with friends makes sense in other online games, but not MMP games. You can't just play with your friends because there are only official servers to play on. But as a moral question, is it really okay for a minority of cheating players to ruin the entire online play experience for everyone else who doesn't want to cheat, and paid exactly the same amount of money for the game? That doesn't seem to add up to me.
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
The comparison to TiVo is an interesting one. TiVo's policy is that they will gladly look the other way for some hacks, and in fact even make some of the hacks as easy as possible to pull off, in exchange for being able to declare certain hacks off-limits.
Specifically, they make it easy to upgrade a TiVo with a large hard disk by designing their single-disk designs to have a place where the second disk can fit nicely in the box. They also make it possible for users who want to accomplish their "daily call" over the Internet rather than a phone line by just happening to leave the server that handles those sessions at an Internet-accessible location rather than requiring that the only way into their network is through their chosen dial-up providers. The company sponsors (but does not actually run) message boards at TivoCommunity.com where hacking discussion is encouraged, and people can compare notes and share experiences.
The tradeoff is that there are certain hacks that the company does not want to see made, and will not allow the TivoCommunity.com boards to discuss. There are the hacks that would either harm the company, like any hack that would provide another source of listings, which would eliminate the need to subscribe to TiVo's listing services, or any hack that would allow content to be extracted from the device which would surely bring down the wrath of the MPAA and friends.
By allowing wide open back doors into their system, TiVo has been able to direct hacking efforts into the areas the company wants to see them go. Yes, there are a few people trying to drill through the concrete and get the "forbidden hacks" to work, but their numbers are few and they operate in obscurity compared to the company-sponsored forums.
It's a total 180 from Everquest's "Thou shalt not hack us!" perspective. TiVo's offering carrots, Everquest is using rather ineffective sticks.
So what? Sony, so far, hasn't gone after people for hacking or modifying software. They've simply made your mods not function correctly.
Let me ask you this: Do you believe that you have the right to make any modifications you want to software you own, but that Sony does NOT have the right to make modifications to software THEY own? Are you advocating rights for everyone, or only for you?