Shadowbane Servers Hacked, Chaos Ensues
Vanguard(DC) writes "There was a major hacking incident last night on the servers of Shadowbane, a newly released MMORPG by UbiSoft/Wolfpack. The attackers wreaked havoc on at least one game server, with apparent god-like capabilities in-game. There's already an official statement on the forums - 'Ubi Soft and Wolfpack Studios are now working with law enforcement, and we promise all of you that these individuals will be prosecuted to the full extent of the law.'" There's a little more information via a post on the SBCatacombs messageboard - apparently the carnage (including many less powerful players getting killed) involved "..teleporting people all over the world, teleporting hostile guards into the safe-holds, bringing in hordes of special event monsters, and teleporting everyone to a city at the bottom of the sea."
Why should anyone that found a way to compromise security for a game be prosecuted in real life?!
If that will happen, then WHO will take responsibility for all the holes in Windows?!
Well, not exactly. They're not going after the people for breaking into a game, but for breaking into a server. Nor are they going after the people responsible for the lousy security on their servers (as your Windows comment might suggest), but rather the ones responsible for exploiting that lousy security. This is pretty much standard in the real world. I break into a system, I get caught, I get prosecuted.
my pet machine
For those of us that have been playing this game regularly, this is only the icing on the cake for a plague of problems. This was a game that was touted for its massive guild vs guild and player vs player capabilities. Massive warfronts and assaults utilizing siege weapons and a slew of powerful spells and powers. None of this has come to pass. The game lag is too terrible to support even the smallest of battles. PvP is almost impossible during primetime hours due to the inability of most casters to launch spells in a timely manner. (Although you -can- watch your nukes launch 45 seconds after your death)
Server downtime is extreme. Login is at times completely impossible. Rollbacks are nightly. The attrition rate among players is amazing. I've watched my guild vanish over the last few weeks as the host of problems drive out all but the most staunch of players. Ubi/Wolfpack blatantly reject petitions with no regard or consideration for the players. Every patch makes the client actually worse than it was before. This has been a nightmare for most of us. To see news like this only confirms the worst. Bad management, bad hosting, bad coding, and bad customer care have driven most from what I considered to be one of the better games to come out this spring. Just another account cancelled in a long line of departing players.
Armageddon !!!
Gosh, I do Hope the poor admin had regular backups 8)
Well, the game was trashed by people that took the time to get WELL into the system before trashing the hell out of it.
Like an "Organized" Attack...
I'm not implying anything, but who gets benefits from this? Competitors?
From the forums it seems users are quite unhappy, but then possibly the editor will have another chance, and deploy the same "anti-cheat" tech as in Counter Strike and Quake...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
If they only screwed around in the game world itself and left the real world alone (eg. credit cards, account data, etc) then the company should do the same. From the sound of it, they just showed that 'there is no spoon' to the rest of the game world. We love the movie and the character for doing so, but when someone does the same thing in a 'Real Life' virtual world then they get mad.
Man, this world is getting WAY too many levels to it when I have to distinguish the 'real world's' game world, and the movie world's game world and doing 'real' things in a particular game world and...Ah my brain just gave up.
Is this the end yet?...How 'bout now...how 'bout now...how 'bout now?
I remember reading a book about the history of computers... seems the old PDP computers had a 'crash' command that did exactly that. The reason it existed was to discourage hackers from trying to crash the PDP- why write a program like that when the command already exists?
So why don't game companies build this type of feature into their games? Choose a random person maybe once a week and let them stir things up a bit; and don't 'record' any of the damage that was done (sorta like a parallel universe).
Even if someone hacks into this feature, all they'll do is cause temporary damage. Then all the other players can just roll their eyes and laugh derisively at the 'K3WL H4XX0R', and get on with their gaming after the idiot gets smacked down.
Actually... that's kind of insightful.
Ubisoft is calling it a hack, of course they will to save face... but what if it's just a bug or flaw in the game. What if they did all this through the game client? Is exploiting one of these flaws in a game against the law?
What if I'm playing EQ, and I find a spot in a zone where mobs can't get to. Then I kill things from there. I'm exploiting a bug to become more powerful. Is that the same?
What if I'm playing, and find out if I crouch and jump at the same time I can kill anyone I want? It's obviously cheating, but is it ILLEGAL for me to exploit that?
What if these guys found out if you hit the Ctrl-alt-f3-f4 keys while running north gave them these powers? Then is what they did illegal?
What if these guys used a special piece of software that ran the game in a special mode? Is that illegal? I mean, EVERYONE uses software (your OS) to run the game in a "special" mode (namely, a mode that works properly). Is this worse than exploiting the bug through the normal game interface?
Is this only a problem because it affected other people?
(Remember... big difference between illegal, immoral, and just plain annoying)
I was a Guide (volunteer CS rep, like an Advisor in Anarchy Online or a Counselor in Ultima Online) for two years in EverQuest, and during that time, one of the other Guides on one of the other servers decided that it would be cool to go out with a bang.
So, she zoned into the Temple of Veeshan (at that time, the highest level zone in the game) and went right in front of Veeshan herself (the uber dragon.)
And then she did a "/who all 50-60" to get all of the high level players on the server.
Then she started /summoning them to her location, and then binding them to that location when they appeared.
Well, when they appeared, Veeshan struck them down with about 2 or 3 blows. And since they were just bound there, they respawned, naked, right in front of Veeshan.
Whack, boom, dead. Reappear, whack, boom, dead.
In EverQuest, when you die, you lose experience. And in EverQuest, you can lose levels if your experience dips down too low.
Some people got deleveled from level 58 to level 53 before the GM staff came in to clear the carnage, and ban the Guide. I know they were considering persecution against this Guide, but I'm not sure if they really went through with it or not.
I believe about 25-30 high-level characters with months of /played time were affected.
I thought it was funny, but it sure made my job as a Guide harder because the playerbase no longer trusted us to keep our cool, and they were calling for the entire Guide program to be disbanded since we were now "too powerful" all of a sudden.
Not the same as hacking the server, but it had the same effect of destroying the games of a segment of the playerbase.
Never trust anything a client gives the server.
Isolate the backend servers from the Internet.
Never trust anything a client gives the server.
Patch management isn't as trivial as one would think.
Never trust anything a client gives the server.
Lag isn't under your control so design around it.
Don't rely on a client hiding anything from the user.
Lag isn't under your control so design around it.
Never trust anything a client gives the server.
Don't include "God" tools in every client, nor accept God logins from untrusted addresses.
And most of all, never trust anything a client gives the server.
The server must be the adjudicator of everything, the data master, the sole arbiter of discrepancies. Assume the client is fully hacked or written from scratch to do anything the user wants. Assume the client sees no walls, sees all invisible objects, sees every spawn point, and can filter on anything your server tells your client.
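The rules in the comment above, sketched as an added example that is not part of the original comment or of any game's code: the server checks every movement request against what is physically reachable, and honours "God" commands only when its own session record says GM and the connection comes from a trusted network. `MAX_SPEED`, `ADMIN_NETS`, the message fields and the addresses are constructed for illustration.

```python
import ipaddress
import math
from dataclasses import dataclass

MAX_SPEED = 7.0  # world units per second (constructed value)
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical ops network

@dataclass
class Session:
    account: str
    addr: str      # peer address taken from the socket, not from the message
    is_gm: bool    # looked up server-side at login, never sent by the client
    pos: tuple = (0.0, 0.0)
    last_move: float = 0.0

def handle_move(s, msg, now):
    """Accept a requested position only if it is reachable since the last update."""
    try:
        x, y = float(msg["x"]), float(msg["y"])
    except (KeyError, TypeError, ValueError):
        return "reject:malformed"
    if not (math.isfinite(x) and math.isfinite(y)):
        return "reject:malformed"          # NaN/inf would defeat the distance check
    dt = now - s.last_move
    if dt <= 0:
        return "reject:bad_time"
    allowed = MAX_SPEED * min(dt, 1.0)     # cap so idle time cannot bank distance
    if math.dist(s.pos, (x, y)) > allowed:
        return "reject:too_far"            # server state is left unchanged
    s.pos, s.last_move = (x, y), now
    return "ok"

def handle_admin(s, msg):
    """GM commands need the server-side role AND a trusted source network."""
    # Any "is_gm" field inside msg is client-supplied and deliberately ignored.
    if not s.is_gm:
        return "reject:not_gm"
    ip = ipaddress.ip_address(s.addr)
    if not any(ip in net for net in ADMIN_NETS):
        return "reject:untrusted_addr"
    return "ok"

def handle(s, msg, now):
    """Dispatch one client message; anything unrecognised is refused."""
    kind = msg.get("type") if isinstance(msg, dict) else None
    if kind == "move":
        return handle_move(s, msg, now)
    if kind in ("teleport", "summon", "spawn"):
        return handle_admin(s, msg)
    return "reject:unknown"
```
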
And if the "break-in" was not really a server break-in but a software bug that allows a player to become GOD?
Like an undocumented bit/byte pattern in the interface.
Anyone remember the undocumented instructions in 8085? or the Z-80? or IBM Midranges?
The computer game industry has been earning a reputation for releasing buggy code these past few years, and now it has come to a situation where what should be an internal release now costs money. Unlike retail games where occasionally Beta testers are charged, but given the full retail game later, Beta testers on MMORPGs are not given additional months of play for the privilege of paying to be guinea pigs. They are not compensated with reduced pay rates or additional in-game powers. In short, they pay to fill a necessary position in the production cycle, then they pay again for the retail product. Many, of course, don't pay for the retail product, and go on diatribes about how unplayable and unbalanced the game (they paid for) is.
How has it gotten so bad that we now release not only buggy games and expect to patch them later, but charge for development releases in addition to charging for final retail releases? We're giving ourselves a bad name here.
If your game is unfinished but in need of stress testing, don't charge for it or you will alienate your potential best customers. If you *must* charge for bandwidth because your manager didn't budget for such costs (and should be rightly as fired as if s/he forgot to budget for artists), then charge a bare minimum until the game is ready for prime time. Don't develop the game on the dime of your testers, or you will find that once you are ready to ship you don't have any customers.
10 dollars a month for our volunteers to do our jobs? We should be ashamed.
The ______ Agenda
As several replies have pointed out, I got the wrong zone and the wrong dragon.
The zone was Veeshan's Peak (the Luclin expansion with ToV was not out) and the dragon was whoever the end of it was.
People can still believe I'm full of shit, but I did find this:
Former Guide Tweety mentioning the incident
That was my thought too. When the Matrix Online comes out, this will give a whole new meaning to 'hacking the matrix'
-- Patience is a virtue, but impatience is an art.
The difference between your car exploding tale and this is that the people who "crashed into you" (ie hacked the server) knew what was going to happen.
If I were to spot one of the cars you mentioned, and blatantly crash into it only because I knew the gas tank would explode, I would have some liability in what I have done. Likewise, the hackers knew what was going to happen when they hacked the server and (comically, I might add - hackers tend to have a sense of humor) teleported everybody to the sea.
There's a difference in accidentally causing someone's "car" to "explode" and purposely causing it.
What if a MMORPG did this every April Fool's day? Then, on April 2nd, the admins could restore the March 31st backup and the game would continue as normal. The people who wanted to be part of WRATH OF GOD day could log on and those who didn't like the idea would stay away.
It would be like being on the receiving end of a SimCity disaster.
For further information on events as they happen, check The Shadowbane Scorn Server Board and Shadowbane Main Boards on IGN.
I think this will remind a lot of people of the last time a player had a truly drastic and unpredictable effect on an MMORPG gameworld, when Rainz, an Ultima Online Player, killed Lord British, character of Richard Garriott, when this was supposed to be impossible.
Rainz threw a firewall scroll at Lord British. Seemingly, Lord British's invulnerability flag was not on, and Rainz killed him.
If we ever figure out exactly who did this, he'll be in the running with Rainz for most notorious MMORPGer of all time.
This has nothing to do with misplaced orcs. This has to do with an invasion of private property, known as "hacking" or "criminal trespass" or even under the Homeland Security act, "cyber terrorism" ... Who knows what trade secrets they stole about the game engine or server or network or security or etc while they were inside of the system? So in reality, it could be both criminal cyber-trespass and theft. Also harassment... also..... C'mon, use your frickin' head.
This isn't "just a fucking game"; It's a business. When a serious security flaw is discovered in an application and that flaw is made public knowledge, the application publisher's reputation takes a beating--as does its stock. Not to mention the loss of investor confidence and the loss of the customer base and etc. Most pay-for-play subscription based MMORPGs rely upon recurring income; even if only 10% of their customers say "fuck this" in response to this hack, that's 10% of their recurring income down the drain.
The players have no recourse. For them, yes, it is just a game. The admins can roll everything back 24 hours and let the players play on. On the business side of things though, it's much more complicated; for the reasons outlined above.
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
>Or consider the result of walking up to folk playing chess in the park and overturning the board.
>In each case, legal action is both warranted and acceptable.
IANAL. This is a genuine question.
Can either criminal charges or a civil suit really be brought against you for overturning someone's chess board in a public location? Sure you're a jerk, but what law did you break?
How would you be charged or for what would you be sued?
You just need to take it a bit further...
:)
Suppose you have a game & server concept similar to this, but programmed in a way to not take game security dead-serious. In fact, as the cheats, etc. came out this would not be shunned, but instead part of the game. The people with the best cheats take the cake, can gather clanmates and share what they know. Your clan is then defined by the abilities they have acquired through manipulation of the game workings (in addition to the standard tags, skins, etc.)
I'm sure you could develop a program in a way to separate out abilities (such as speed, gravity, damage types) such that any crack wouldn't give up everything else
Which brings on two negative points:
-It sure wouldn't be appealing to newbies, who start on ground zero
-Anyone who successfully gets full access ("GOD") may be unsurpassable and ruin the game for everyone. This can be overcome by having the game focus include things other than Power by Might (i.e. killing sprees), such as trade, etc.
If there ever was a prime candidate for an open-source friendly game, this concept would be it
- Sig
Actually you had no choice - probably something was so disturbing for you in those years that you better addicted to game and escape a real world than get some very bad things to your mind.
Addictions won't grow without some seed - you just quickly become bored, and that's all.
That's just some thoughts i came to analyzing my own habits (IANA psychoanalyst).
Anyway - that's a part of your life - live with it, and nowhere near it's because of that stupid game.
- Arwen, I'm your father, Agent Smith.
- Well, you're just Smith, but my father is Aerosmith!
The servers were not hacked like some slashdotters tend to think, it's clearly an INGAME exploit that happened last night.
IMHO, in the case of a hacked server, the result would be more like character loss, or character boost, stuff would tend to disappear/appear.
In that case yesterday, it was clear that someone was in control ingame... God, you should have seen that...
I heard rumors that some guild had produced a modified client that would allow them to do that kind of stuff...
That situation is more scary since it might take longer to fix if the problem lies in the code than it would take if the issue was an exploit of ssh or such...