Shadowbane Servers Hacked, Chaos Ensues
Vanguard(DC) writes "There was a major hacking incident last night on the servers of Shadowbane, a newly released MMORPG by UbiSoft/Wolfpack. The attackers wreaked havoc on at least one game server, with apparent god-like capabilities in-game. There's already an official statement on the forums - 'Ubi Soft and Wolfpack Studios are now working with law enforcement, and we promise all of you that these individuals will be prosecuted to the full extent of the law.'" There's a little more information via a post on the SBCatacombs messageboard - apparently the carnage (including many less powerful players getting killed) involved "..teleporting people all over the world, teleporting hostile guards into the safe-holds, bringing in hordes of special event monsters, and teleporting everyone to a city at the bottom of the sea."
...'cause that shit is funny!!!
Just roll the game back 24 hours and play on.
Shadowbane Servers Hacked, Hilarity Ensues
Man that rules. I would have loved to have seen that. Should be a feature in more MMORPGs.
"Now featuring WRATH OF GOD mode, where pissed off GM's show you what it would REALLY be like if god cared. Experience plagues, meteors, and lightning from a clear sky. Divine retribution like you've never seen it before! Just 20 dollars a month."
Heh.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
ok... this is getting ridiculous... why should anyone that found a way to compromise security for a game be prosecuted in real life?!
Why should computer game servers be exempt from the usual laws about hacking into peoples' systems? Those who break into banks are prosecuted, if caught.
This person or persons compromised security, broke in and disrupted business operations, causing damages. Seems pretty straightforward to me.
ASA
All employees must wash hands before seeking equitable relief.
why should anyone that found a way to compromise security for a game be prosecuted in real life?!
if that will happen, then WHO will take responsibility for all the holes in Windows?!
well, not exactly. they're not going after the people for breaking into a game, but for breaking into a server. Nor are they going after the people responsible for the lousy security on their servers (as your windows comment might suggest), but rather the ones responsible for exploiting that lousy security. This is pretty much standard in the real world. I break into a system, I get caught, I get prosecuted.
my pet machine
For those of us that have been playing this game regularly, this is only the icing on the cake for a plague of problems. This was a game that was touted for its massive guild vs guild and player vs player capabilities. Massive warfronts and assaults utilizing siege weapons and a slew of powerful spells and powers. None of this has come to pass. The game lag is too terrible to support even the smallest of battles. PvP is almost impossible during primetime hours due to the inability of most casters to launch spells in a timely manner. (Although you -can- watch your nukes launch 45 seconds after your death)
Server downtime is extreme. Login is at times completely impossible. Rollbacks are nightly. The attrition rate among players is amazing. I've watched my guild vanish over the last few weeks as the host of problems drive out all but the most staunch of players. Ubi/Wolfpack blatantly reject petitions with no regard or consideration for the players. Every patch makes the client actually worse than it was before. This has been a nightmare for most of us. To see news like this only confirms the worst. Bad management, bad hosting, bad coding, and bad customer care have driven most from what I considered to be one of the better games to come out this spring. Just another account cancelled in a long line of departing players.
Armageddon !!!
Gosh, I do Hope the poor admin had regular backups 8)
Well, the game was trashed by people that took the time to get WELL into the system before trashing the hell out of it.
Like an "Organized" Attack...
I'm not implying anything, but who gets benefits from this ? Competitors ?
From the forums it seems users are quite unhappy, but then possibly the editor will have another chance, and deploy the same "anti-cheat" tech as in Counter Strike and Quake...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
"...city at the bottom of the sea."
Homer: [fearfully] Marge? Kids? Everything's going to be just fine.
Now go upstairs, and pack your bags...we're going to start a new
life...under the sea.
[calypso music starts]
[Homer dances with fish as Lisa plays a seahorse saxophone,
Marge a squid harp, and Bart the xylophone clams]
Homer: [eats a dancing fish, sings]
Under the sea, under the sea,
[eats a couple more fish]
There'll be no accusations, just friendly crustaceans
Under the sea!
[eats a line of seahorses, grabs an escaping one]
[eats a live crab as though it were a shrimp]
[eats a pair of dancing fish, then a snail who tries to escape]
[stands there with fish skeletons floating about]
Marge: Homer, that's your solution to everything: to move under the sea.
It's not going to happen!
Homer: Not with _that_ attitude!
Gibble: Descriptive of an emotional state in which one's mind is scrabbling for some purchase on reality
Real simple, the in-game actions these people did caused real world financial harm to the game developers. I saw at least one post stating that people canceled their subscriptions, in part, because of this.
Not to mention the tarnished reputation, which is also worth damages.
Not to mention that breaking a law is illegal, whether you hurt some one or not.
As one of the many people who betaed this for years; I have to say this doesn't come as a surprise in the least.
This is probably just an exploit from in the game, rather than someone r00ting the server or anything remotely interesting. I had many instances where the server accidentally gave me dialogs with GM powers, I imagine that's just what happened here. The culprit(s) may have figured out how to gain access to the GM dialogs deliberately, but that's about the extent of the "hack" here.
SB was so buggy in the last few weeks of beta that I was finally convinced it would not be a worth while game in retail. I likened it to being slightly less bug riddled than UO, and now it appears I was correct. I will say though that OSI never prosecuted (or even remotely punished) me for exploiting their game to "House Loot", because at the time they had the sense not to sue fans for their own mistakes.
It's a good thing I've got a life, otherwise I'd be pissed.
Maybe some company should start selling some type of insurance to help people in these trying times.
Now please excuse me while I begin laughing hysterically.
Ubisoft will have to be very careful about how they handle the aftermath of this. The game is only a few months old, and many players who stream into games like this when they open will leave just as quickly if they perceive the game to be sub-par, in a number of areas. Crashes and loss of items/progress in particular seem to be real bugbears for most players. It already happened with Anarchy Online, where players quickly left in droves due to the incredibly buggy release code. How many players are going to stick around if incidents such as this can apparently happen so easily?
If they only screwed around in the game world itself and left the real world alone (eg. credit cards, account data, etc) then the company should do the same. From the sound of it, they just showed that 'there is no spoon' to the rest of the game world. We love the movie and the character for doing so, but when someone does the same thing in a 'Real Life' virtual world then they get mad.
Man, this world is getting WAY too many levels to it when I have to distinguish the 'real world's' game world, and the movie world's game world and doing 'real' things in a particular game world and...Ah my brain just gave up.
Is this the end yet?...How 'bout now...how 'bout now...how 'bout now?
ok... this is getting ridiculous... why should anyone that found a way to compromise security for a game be prosecuted in real life?!
It's not just a game, it's a service provided by a company to paying customers. The hackers disrupted a service being provided, that is a prosecutable offense right? And if US/W loses money (i.e. customers, downtime, and IT expenses) then they can claim damages right.
Shadowbane Servers Hacked, Brief Period of Actual Fun Ensues
Roll back the game 24 hours, harden the servers, and prepare a creative press release -- problem solved.
"High level characters summoned the Cthulhu mythos through misinterpreting portions of the Necronomicon. Accordingly, some of the space/time continuum in the game world was temporarily disrupted."
"If you see a glowing green orb, please be aware that this is the Locknar and should not be approached. Unpredictable results may occur."
"Unfortunately, in Shadowbane a character named "Sauron" acquired a randomly generated treasure named "The One Ring". We are investigating the probability factor of the random treasure generator and will patch this in release 1.01."
"Our improbability drive is malfunctioning. Please stand by."
Honestly, I'd be more willing to buy this game if I realised they had a sense of humour.
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
Actually... that's kind of insightful.
Ubisoft is calling it a hack, of course they will to save face... but what if it's just a bug or flaw in the game. What if they did all this through the game client? Is exploiting one of these flaws in a game against the law?
What if I'm playing EQ, and I find a spot in a zone where mobs can't get to. Then I kill things from there. I'm exploiting a bug to become more powerful. Is that the same?
What if I'm playing, and find out if I crouch and jump at the same time I can kill anyone I want? It's obviously cheating, but is it ILLEGAL for me to exploit that?
What if these guys found out if you hit the Ctrl-alt-f3-f4 keys while running north gave them these powers? Then is what they did illegal?
What if these guys used a special piece of software that ran the game in a special mode? Is that illegal? I mean, EVERYONE uses software (your OS) to run the game in a "special" mode (namely, a mode that works properly). Is this worse than exploiting the bug through the normal game interface?
Is this only a problem because it affected other people?
(Remember... big difference between illegal, immoral, and just plain annoying)
7 registered and 721 anonymous users are browsing this forum.
:)
Maybe that should read 'slashdot users'
I was a Guide (volunteer CS rep, like an Advisor in Anarchy Online or a Counselor in Ultima Online) for two years in EverQuest, and during that time, one of the other Guides on one of the other servers decided that it would be cool to go out with a bang.
So, she zoned into the Temple of Veeshan (at that time, the highest level zone in the game) and went right in front of Veeshan herself (the uber dragon.)
And then she did a "/who all 50-60" to get all of the high level players on the server.
Then she started /summoning them to her location, and then binding them to that location when they appeared.
Well, when they appeared, Veeshan struck them down with about 2 or 3 blows. And since they were just bound there, they respawned, naked, right in front of Veeshan.
Whack, boom, dead. Reappear, whack, boom, dead.
In EverQuest, when you die, you lose experience. And in EverQuest, you can lose levels if your experience dips down too low.
Some people got deleveled from level 58 to level 53 before the GM staff came in to clear the carnage, and ban the Guide. I know they were considering persecution against this Guide, but I'm not sure if they really went through with it or not.
I believe about 25-30 high-level characters with months of /played time were affected.
I thought it was funny, but it sure made my job as a Guide harder because the playerbase no longer trusted us to keep our cool, and they were calling for the entire Guide program to be disbanded since we were now "too powerful" all of a sudden.
Not the same as hacking the server, but it had the same effect of destroying the games of a segment of the playerbase.
Just because it happens to be a game doesn't mean that no one is responsible for screwing things up. Try walking into the NBA playoffs and stealing the ball.
Jack Nicholson and Calvin Klein, notwithstanding...
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
D. Hacker thought it would be funny as shit to send a boatload of users to the bottom of the ocean.
(I pick "D").
I almost died laughing when I, years later, saw The Wrath of Khan.
Plenty of hacked moby ships too.
One line blog. I hear that they're called Twitters now.
Do you also not think that anyone hacking Amazon should get prosecuted?
;)
Not if it takes more than one click to do it
Bad boys rape our young girls but Violet gives willingly.
Never trust anything a client gives the server.
Isolate the backend servers from the Internet.
Never trust anything a client gives the server.
Patch management isn't as trivial as one would think.
Never trust anything a client gives the server.
Lag isn't under your control so design around it.
Don't rely on a client hiding anything from the user.
Lag isn't under your control so design around it.
Never trust anything a client gives the server.
Don't include "God" tools in every client, nor accept God logins from untrusted addresses.
And most of all, never trust anything a client gives the server.
The server must be the adjudicator of everything, the data master, the sole arbiter of discrepancies. Assume the client is fully hacked or written from scratch to do anything the user wants. Assume the client sees no walls, sees all invisible objects, sees every spawn point, and can filter on anything your server tells your client.
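The server-as-adjudicator rule from the comment above, sketched as an added example that is not part of the original post or any Shadowbane code. The message shape, speed limit, admin subnet and account names are all constructed assumptions.

```python
import ipaddress
import math
from dataclasses import dataclass

# All values below are constructed for this sketch.
MAX_SPEED = 7.0                                        # world units per second
GM_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]   # admin-only subnet
ACCOUNTS = {"alice": False, "gm_bob": True}            # account -> GM flag (server DB)


@dataclass
class Session:
    account: str
    peer_ip: str              # read from the socket, never from a message
    is_gm: bool               # read from ACCOUNTS at login, never from a message
    pos: tuple = (0.0, 0.0)   # the server's copy is the only position that counts
    last_move: float = 0.0    # server clock at the last accepted move


class World:
    def __init__(self):
        self.sessions = {}

    def login(self, account, peer_ip, now):
        s = Session(account, peer_ip, ACCOUNTS[account], last_move=now)
        self.sessions[account] = s
        return s

    @staticmethod
    def _coords(msg):
        """Parse client-supplied coordinates; None if missing or not finite."""
        try:
            x, y = float(msg["x"]), float(msg["y"])
        except (KeyError, TypeError, ValueError):
            return None
        return (x, y) if math.isfinite(x) and math.isfinite(y) else None

    @staticmethod
    def _gm_allowed(s):
        """GM powers need a GM account AND a connection from an admin network."""
        addr = ipaddress.ip_address(s.peer_ip)
        return s.is_gm and any(addr in net for net in GM_NETWORKS)

    def handle(self, s, msg, now):
        """Adjudicate one decoded client message. Returns (accepted, reason)."""
        kind = msg.get("type")
        if kind == "move":
            target = self._coords(msg)
            if target is None:
                return False, "malformed coordinates"
            # Distance is measured from the server-held position, so a client
            # cannot "move" further than its speed allows since the last tick.
            budget = MAX_SPEED * max(now - s.last_move, 0.0)
            if math.dist(s.pos, target) > budget + 1e-9:
                return False, "move exceeds speed limit"
            s.pos, s.last_move = target, now
            return True, "ok"
        if kind in ("teleport", "summon"):
            # Any "is_gm" or "role" field inside msg is simply never read.
            if not self._gm_allowed(s):
                return False, "privileged command denied"
            if kind == "teleport":
                target = self._coords(msg)
                if target is None:
                    return False, "malformed coordinates"
                s.pos, s.last_move = target, now
            else:
                name = msg.get("target")
                victim = self.sessions.get(name) if isinstance(name, str) else None
                if victim is None:
                    return False, "unknown target"
                victim.pos, victim.last_move = s.pos, now
            return True, "ok"
        return False, "unknown message type"
```

A rejected message leaves the session untouched, so a modified client gains nothing by lying about its position or its role.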
They don't actually want their characters to be able to die. They just want to gain levels and powers at a regular rate, so that they will be more powerful than everyone who joined the game after them.
MMORPG players today are losers of the highest calibre. They consider their wasted time an "investment" in their character. I know several who don't actually enjoy playing the game at all, but they want to get the "Deluxe Two-Handed Sword of Power" before some other loser gets one.
And woe betide the day when one of them dies in combat and loses some XP or an item. -That's- when you hear about another dorm-room suicide.
I'm not trying to be flamebait, I'm just bitter. I knew a guy at RIT who pretty-much sat in his room 24/7 playing Asheron's Call. Only left to attend class and occasionally eat (he would bring the food back with him to keep playing). He was vacant. Away from the game, he had no way of interacting with normal people. We often considered nuking his box just to push him off the deep end.
GeekNights!
Late Night Radio for Geeks!
The computer game industry has been earning a reputation for releasing buggy code these past few years, and now it has come to a situation where what should be an internal release now costs money. Unlike retail games where occasionally Beta testers are charged, but given the full retail game later, Beta testers on MMORPG's are not given additional months of play for the privilege of paying to be guinea pigs. They are not compensated with reduced pay rates or additional in-game powers. In short, they pay to fill a necessary position in the production cycle, then they pay again for the retail product. Many, of course, don't pay for the retail product, and go on diatribes about how unplayable and unbalanced the game (they paid for) is.
How has it gotten so bad that we now release not only buggy games and expect to patch them later, but charge for development releases in addition to charging for final retail releases? We're giving ourselves a bad name here.
If your game is unfinished but in need of stress testing, don't charge for it or you will alienate your potential best customers. If you *must* charge for bandwidth because your manager didn't budget for such costs (and should be rightly as fired as if s/he forgot to budget for artists), then charge a bare minimum until the game is ready for prime time. Don't develop the game on the dime of your testers, or you will find that once you are ready to ship you don't have any customers.
10 dollars a month for our volunteers to do our jobs? We should be ashamed.
The ______ Agenda
I think it's kind of ludicrous to make threats like the Ubi people have made, but the people who did this do deserve some comeuppance because what they did *was* in the real world--they hacked the game, destroyed a lot of people's expenditures of time, and most importantly to Ubi, trashed the hosting company's reputation. All of that is real-world, whether you think it's important or not.
That said, I think the whole thing was hilarious from descriptions, and I'd love to see the recording of the mess they made.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
They DID hack into a commercial system and disrupted business.
They DID interfere with paying customers.
Just because they are hacking into a game today and you're willing to let them get away with it, what will you say when they're hacking into your bank account tomorrow?
Non tam praeclarum est scire Latine, quam turpe nescire
-- Cicero
it's just a game
But imagine you're an aspiring artist who's spent several hours a day for the past two months on a painting and someone breaks into your studio and splatters paint all over it. Hey, It's just a piece of canvas after all. It's just your spare time and money down the drain, it's not like it's your job or anything.
Or, you're writing the great American novel and someone sits down at your laptop while you've stepped away to use the bathroom and someone does a search and replace and strips out all the vowels. Hey, it's just bits on a hard drive, right? It's just your time and effort wasted, it's not like it was *worth* anything.
A lot of people really get into these games and put a lot of time, effort (and money!) into building up their characters, and it absolutely sucks when through no fault of your own, all that hard work and effort (and money!) suddenly goes poof.
For those who have never played, it takes a lot of work to build up a character, collect the best equipment - usually by in-game trading which can take hours or days per item, etc.
I've played MMORPGs for years and usually when I quit playing a game it's because of something like this, I get killed by another player who steals all of my hard earned equipment, I suffer lag at the wrong moment and drop into a pit of acid causing me to die and lose all my best armor, etc. When stuff like that happens, I log out and usually never go back. I play for fun, and that stuff is not fun for me.
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
This is informative? I'm not saying that the hackers ought to be sent to a labor camp over this, but letting it go is like not prosecuting the shoplifter 'cause there are murders in the world.
No one reasonable is asking for the cops to stop chasing terrorists to do this, but we as a society prosecute any crime (even stupid ones, to even stupider lengths) as a principle.
And just because other problems exist, doesn't mean you let the little ones slide. No one's time is that hard up.
Tell that to the guys who got the pager call in the middle of the night and had to get up, leave their wife and kids, go in to work and fix this. The kid should pay, not because he killed an Orc/B. He should pay because he disrupted a business, and caused them monetary damages. The kid should at least have to pay for all of the overtime he caused.
http://www.windmeadow.com/
I can understand players getting mad at this, but at the same time, it's just a game, and if individual users themselves are considering legal action, they really need to shut down the computer and go outside for a while.
Consider the reaction of thirty adults who rent a stadium to play a sport, and then have that stadium game interrupted.
Or consider the effect of disrupting the superbowl.
Or consider the result of walking up to folk playing chess in the park and overturning the board.
In each case, legal action is both warranted and acceptable. Same thing for hacking a game server which is being actively used; even moreso if it's a private server or a fee-to-play server.
As several replies have pointed out, I got the wrong zone and the wrong dragon.
The zone was Veeshan's Peak (the Luclin expansion with ToV was not out) and the dragon was whoever the end of it was.
People can still believe I'm full of shit, but I did find this:
Former Guide Tweety mentioning the incident
You sir, are an idiot.
Do you ever complain if someone's cell phone rings in a theater? Or if they talk loudly through the whole film?
Basically, if you *ever* complain about anything that someone does to make your entertainment choices less fun, you're a hypocrite.
I bet if you were in the middle of an intense game of chess and I, a complete stranger, came by and intentionally knocked the board over, you might feel like throwing a punch in my direction. How is this any different, except that the jerks are safely far away from having their asses kicked right then and there, is beyond me.
Saying it's "just games" ignores just how important a certain amount of play is to a healthy life.
It's a business.
The point is that if they were your servers, and they were your customers, and it was your business model you would be screaming bloody murder.
And if you weren't then you need a serious reality check about how the real world operates. This is a company with shareholders who now has to explain why they wouldn't react the way they are to their shareholders.
On another note, does anyone else notice a trend on the games.slashdot.org stories and how many of them suffer from more thoughtless comments than a normal Slashdot story?
Ted Tschopp
Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
Yes. You break in, you get caught, you get prosecuted. By your logic, if I have a rusty lock on my door...hell, if my front door is ajar, and you break into my house, I should be prosecuted? Bullshit. You should then hypothetically fear for your life, 'cause if I'm home, there's a shotgun pointed at your chest.
Just because there is a hole doesn't mean you have the responsibility to exploit it and break in. Indeed, it's illegal to do so. UbiSoft will no doubt come down on their admins for shoddy security. But that does NOT give you carte blanche to break in, nor does it protect you from prosecution.
Protesting 'Security Through Obscurity' is not the same as 'ooo, let's be a script kiddy and exploit this bug and wreak havoc, because they should have known better.' If that's your attitude, you'd better get used to a felony rap sheet and a large, tattooed boyfriend named Slash.
I do have the slightest understanding of how these games work. I also know that they're extremely complex pieces of software that are very hard to thoroughly QA since there are SO many things that can be done in-game.
I didn't see anything that led me to believe the baddies didn't do anything that someone with "god" powers in the game could do. Did you read the description of what was happening? It sounded more like they got god/admin/developer/whatever access, and not that someone was manipulating the underlying database. It didn't sound like they teleported EVERYONE, just the people they happened to come across, the slashdot story made it seem that way tho.
Nobody's stupid enough to allow an up-up-down-down-left-right-left-right-select-start sequence in the client to grant table-level control of the database... at least I hope not.
I hope not too, but it looks like something did go wrong! It doesn't matter so much WHAT the method was, but that there was a method, and since we don't know how, it could easily have been done entirely in the game client, and that was my point. If you want a more realistic flaw... Maybe they were able to overflow a chat buffer somewhere by typing in a long message.
Not only is it funny, it sounds like it might have actually been fun in a weird warped way to have been playing at the time...
After all, it is a fantasy game, why couldn't this have happened within the normal confines of the game?
"What, how the hell did I get at the bottom of the ocean? Oh, great. Now I'm in the middle of my worst enemy's keep...This is not my beautiful castle?! This is not my beautiful wench?! How did I get here?"
Well, fun to me, at least. I don't take fantasy computer games that serious
---"What did I say that sounded like 'Tell me about your day?'"---
PLAYER 2: It devoured my avatar. It was a really good avatar. Then I had to play it all again to get the skills back and I had to do it fast, and it wasn't as good. It was kind of a ...bummer.
Irene KHAAAAAAN!
I used to help run a BBS run on an Atari ST (can you believe it?), and the system was so obscure, that we developed a "DOS simulator" for those who tried to hack our BBS and its (limited) games. We faked things like "dir" and "erase" and even "edlin." It was a multiline, so if the hacker tried to "IM" himself (back then software called it "teleport"), he got through, but if he tried it to others, it went to /dev/null. When people did a "who," they got the job :
Hacker: Port 3: [Thinks he's hacking the BBS, tell his mommy!]
_________________________________________________
www.punkwalrus.com - Shift to the left, shift to the right! Stand up, sit down, byte byte byte!
What would a jury think? That people who spent 500 hours building up an imaginary character need to be compensated for their loss? I can just see some uber-gamer breaking down and crying on the stand because their elf now has to start from level 50 when it took him 3 straight months of playing 5 hours a day to get to level 55. (or whatever the terminology is) More than that, how are you going to get a jury of this person's peers to try them in court? How do you interview a jury like that? OK, what is your favorite magic spell? Have you ever spent more than 12 hours straight playing a game? Is your BMI over 40? Picard or Shatner?
My beliefs do not require that you agree with them.
That was the Velious expansion with ToV, not Luclin. Obviously, taking both your posts together, you know precisely jack shit about the game and its CS history.
Corruption and preying on players for amusement is rampant in the EQ guide program. For most people, it's a slack way to get yourself a free account. You can sneak onto the server at 3am when nobody else is there, and do whatever the hell you want. You don't even have to answer a single petition, the guide reports are on the honor system. I and many others simply made up reports and bullshit petitions to fill in for the mandatory 6-hours per week. Bingo: Free account, no work, and endless hours power-tripping across the game world.
For example, a guide friend of mine would sit outside the North Freeport bank, and open the locked door at the back of the bank. This door is never opened by players, because the lock level on the door is some absurdly high level. Invariably, someone curious would wander into this back "closet" behind the door to have a look around. This is when the guide would close the door, locking the player inside. If the player was a caster, they could just gate out, but a melee-type character was stuck more-or-less forever. The guide would wait for this player to petition after a few minutes, then delete the petition, and
Don't pretend this doesn't happen to GMs also. The GM of Mithaniel Marr back in 2001, "Chaolash", was fired for doing favors for friends on his server. Making them free items, spawning mobs for his friends, and so on. Occasionally these GMs turn abusive, Chao did it, and I'm sure other GMs have also. He wasn't the only GM "quietly" let go for abuses, and he won't be the last.
I don't know if you really were a guide, but I suspect not. If you were, You must have been one of those dumbass Apprentice guides we'd flunk out of the program within their first trial week. You know, the ones who couldn't answer a petition for free GM lewt inside of 10 minutes, and without escalating it two times for the GM to smack you down like the idiot you were for wasting his time.
The one invariable fact of MMORPGs is, in that they are just artificial social ladders to climb, there will always be people who base their entire lives on trying to climb them. They define their self-esteem from these ladders, because these games are the world to them. Generally they have no social lives, and/or are young, or are disabled/sedentary. THESE are the people who are capable of doing the things mentioned in the Shadowbane article. Coincidentally, these are also the prime market targets for the gaming companies. It's inevitable that someone would take advantage of a bug granting GM abilities, and the game companies have only themselves to blame for leaving the back door wide open.
As for the EQ Guide Program, I quit after about 16 months of service. In general, they treat(ed) their guides like small mushrooms: kept in the dark, and eating shit all day. The guide liaison at the time was about as friendly and responsive as an IRS Tax clerk, and the system itself was biased to mistrust guides (perhaps justifiably) to such an extent that we couldn't do anything significant for the players besides get them unstuck from a wall. Anything of note had to be handled by a GM. It is this atmosphere that breeds reactions like the Veeshan's Peak incident (for which the person was banned from Everquest permanently, BTW). And this atmosphere, according to friends of mine still in the program, shows no signs of changing anytime soon.
Lastly. I wrote a long article about Everquest and its flaws for Slashdot. You can read it here:
http://slashdot.org/articles/02/12/27/1748252.sht
occultae nullus est respectus musicae - originally a Greek proverb
Conan the Barbarian: ... and the next morning my sword was gone, and the gold pieces, and...
Cross-Examining Lawyer: And, if I may ask, where did you get those gold pieces in the first place...?
Conan the Barbarian: Well, I killed this dragon and...
Cross-Examining Lawyer: Murderer!! You killed, pillaged and raped to get this money and now you have the stomach of accusing the defendant, an honor student in the other end of the kingdom...
Conan the Barbarian: But it was just a dragon...
Cross-Examining Lawyer: Racist!! There we have it, honored members of the jury, Mr Barbarian here is not only a thief and a murderer, he is also a racist. That nullifies any and all of his allegations. You must acquit.
/Tor