Eve Online Client Source Code Leaked
An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
I don't think anything as major as this has happened before, and from an online game developer's perspective I will look closely at how this affects cheating and the development of the game further, as something like this is a great nightmare for any game developer, and I really want to see how this one ends.
Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents and then monitoring all IP addresses acquiring the source and then banning accounts associated with those IPs.
If they're actually seeding it themselves then I expect to hear about a lawsuit. Since that would be purely legal to download from them. If CCP is effectively giving away their src what's wrong with accepting their offer?
If I had one dollar for every brain you don't have, I would have $1.
Makes you wonder what the implications are w.r.t. copyright and trade-secret if CCP is distributing the code themselves. Sure, by seeding they'll be able to snag IP addresses and ban users. But, for down the road, I wonder if they've just given up any ability to claim copyright infringement or some such on anyone (defense: "CCP themselves were seeding it, your honour. So, I got it from the copyright owner with their permission.").
Yeah, it's pretty much a non-issue, because everyone who cared to could (& possibly has) done this before. It's just people who lack the knowledge to do anything who're in a huge tizzy. That said, the extra eyes and attention have determined that you can have some fun with local-zone javascript called by a specially crafted link passed to the victim in-game.
Does this mean that someone will finally make a proper Mac and Linux build without the Transgaming garbage ;)
I wonder how Microsoft would respond to someone putting the code for Office online?
Well, that kind of happened.
I don't know... Remember the recent article RE: the FBI investigating any IP that accessed a false child pornography website that they set up? I think the powers that be have yet to realize that IPs are not exactly reliable means of identifying individuals.
Fear the penguin.
And then it just sucks if you run a tor exit node... But besides that... We're talking about an MMORPG company here. I don't think they can subpoena the ISP logs.
Fear the penguin.
Well, at least on the tidbit shown in the article, the CCP representative sounds perfectly rational and professional. Am I missing something here?
:)
Well, the CCP rep did sound vaguely annoyed to me; I could see him rolling his eyes. But then I imagine they roll their eyes at most of the conversations they have.
And by the way, how did this guy end up with the source code in the first place?!
That's still unclear. Some say it's just decompiled Python that anyone could do themselves easily enough. But he almost alludes to having a source within CCP... so I'm not sure.
It's too bad he's apparently not an English speaker because that invites mockery. And obviously he's not being terribly mature, which further damages his image, but at the end of the day what he is asking for is legitimate in my opinion:
All he wants is CCP to acknowledge there are specific issues and to demonstrate that there have been real fixes added. Because he is firmly convinced that people have been botting for years using known exploits and that CCP hasn't made even the slightest effort to curb them.
So he's basically saying if you've fixed it... prove it. "Show me an exploit that used to work that doesn't now. Show me something, ANYTHING, that you've actually fixed in the last year or so related to stopping botters."
"And Improve your processes, so that if we report exploits you acknowledge them, and fix them, instead of just handwaving that security improvements have been added, because I'm not seeing any."
"And if you don't, I'm releasing the source, so we can ALL see for ourselves what you've actually improved over the last year, because I'm tired of watching people bot for YEARS without having to so much as adapt to new anti-bot tactics."
If this guy is just blowing smoke, then CCP really should have no issue publishing some of the hundreds of botting related exploit scenarios that they claim to have fixed over the last several patches...and showing that they no longer worked.
That much they owe their customers. Frankly, I don't really blame CCP for not publicly acknowledging security issues and bringing additional attention to each exploit before it's fixed... BUT... I -do- think that the playerbase deserves some honesty -after- the fact.
If they release an exploit fix, publish it, what used to work, and what no longer works. CCP lacks credibility, and this would go a long ways towards helping restore it.
After all, we get a better level of security update disclosure from Microsoft. I think all this guy really wants is the same from CCP. And if CCP *hasn't* actually done anything in the last few years to address it, all the while claiming they have, well... I can see why a segment of the playerbase is boiling mad about it, and wants to blow this into the public eye where they can't sweep it under the rug anymore.
http://seashells.partyvan.fm/~januszeal/pre51200sc.rar
^ Direct link
irc.partyvan.fm
Different investigation agencies probably do things differently. I can tell you that the RIAA has just hopped on, grabbed the peer list, and then hopped off (I work for an ISP and we actually have to deal with this crap.)
Interestingly, we just ran an informal survey of ages in our corporation in EVE Online:
:P
0% [ 0 ]
Born yesterday 0% [ 0 ]
16 - 20 7% [ 13 ]
21 - 25 20% [ 36 ]
26 - 30 19% [ 35 ]
31 - 35 20% [ 36 ]
36 - 40 15% [ 28 ]
41 - 50 12% [ 23 ]
50+ 3% [ 6 ]
None of your business
Older than Dirt 0% [ 0 ]
Total Votes : 178
EVE demographics are a good bit more varied than usual.
So has anyone actually recompiled it into a working client? Is it even possible or are these just, as people have said, decompiled portions of the client?
Or needs to do validation on the server-side of all game-balance-affecting stuff--which is really the only way to ensure fairness, since clients can always be hacked.
,m
Server-side validation only captures 'illegal commands', it doesn't really capture -automated commands-.
As long as the bots don't do anything Server side validation isn't going to catch squat. It can't easily tell if it's a real player at the helm. And it certainly can't tell the difference between player:
click-a, click-b, c, d, e, f, g, h, i, j, k, l, m
and player
click-X
and exploit-script tells server he: click-a, b, c, d, e, f, g, h, i, j, k, l
freeing the player some extra time to read status readouts, check the map, check his 6, etc.
nor can it tell the difference between:
player observes condition - click-a, click-b in response and
script-bot detects condition - sends 'click-a, click-b' in response.
freeing the player to not have to issue commands at all. (Think of a bot that can farm ore by itself, return it to base, and make a rudimentary attempt to flee an attacker, even if the player is at work.)
Imagine a blob of 10-20 of these bots gate camping, assisted by just one or 2 players who can give the whole blob move/retreat/regroup/attack orders via an out-of-band channel like IRC.
Again server side validation isn't going to see anything in terms of invalid input.
These are the sorts of uses that hacking the client can be expected to yield, even if you assume the server is hardened and secure against 'malicious' clients.
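An added illustration of the point made in the comment above; it is not part of the original post and not CCP's code. It is a minimal server-side legality check, with hypothetical command names, limits and constructed sample streams, showing that rule checks reject impossible requests but return the same verdict for a hand-paced and an evenly paced stream of legal commands.

```python
# Added illustration: command names, limits and sample streams are constructed.
from dataclasses import dataclass

CARGO_MAX = 100   # hypothetical cargo hold size
MINE_RANGE = 10   # hypothetical maximum mining distance

@dataclass
class Ship:
    docked: bool = True
    distance: int = 50   # distance to the asteroid
    cargo: int = 0

def apply(ship, cmd, arg):
    """Apply one command; return None if legal, else the rejection reason."""
    if cmd == "undock" and ship.docked:
        ship.docked = False
    elif cmd == "dock" and not ship.docked:
        ship.docked, ship.distance = True, 50
    elif cmd == "approach" and not ship.docked:
        ship.distance = max(0, ship.distance - arg)
    elif cmd == "mine" and not ship.docked:
        if ship.distance > MINE_RANGE:
            return "out of range"
        if ship.cargo + arg > CARGO_MAX:
            return "cargo overflow"
        ship.cargo += arg
    else:
        return "illegal in current state"
    return None

def validate(stream):
    """stream: (timestamp_s, cmd, arg) tuples. Only legality is checked;
    nothing here can tell who or what produced the command."""
    ship, rejected = Ship(), []
    for ts, cmd, arg in stream:
        reason = apply(ship, cmd, arg)
        if reason:
            rejected.append((cmd, reason))
    return rejected, ship.cargo

COMMANDS = [("undock", 0), ("approach", 45), ("mine", 60), ("mine", 40), ("dock", 0)]
# Same legal commands, once with irregular hand-paced timing, once evenly spaced.
HAND_PACED = [(t, c, a) for t, (c, a) in zip([0.0, 4.7, 19.2, 63.8, 71.1], COMMANDS)]
EVEN_PACED = [(float(i), c, a) for i, (c, a) in enumerate(COMMANDS)]
# A stream a modified client might send: out-of-range and oversized requests.
TAMPERED = [(0.0, "undock", 0), (1.0, "mine", 60), (2.0, "approach", 45), (3.0, "mine", 500)]

if __name__ == "__main__":
    for name, s in [("hand", HAND_PACED), ("even", EVEN_PACED), ("tampered", TAMPERED)]:
        print(name, validate(s))
```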
Goon Swarm are probably the most mature group on EVE, they realize it's just a fucking game and play for casual fun. Their antics happen to greatly annoy the butthurt mom's basement dwelling 35 year olds, but that is more a reflection on the basement dwellers than on Goon Swarm.
Snowden and Manning are heroes.
These CCP guys are lying, as usual. Why didn't they say the person who has the sources can craft a bot in Python, able to do the same as usual players can do?
> CRC checks?
Patch blue.dll for them or hook advapi32.dll on signature checking exports (and return result required) to avoid messing with eve files.
> "and poses no threat to our customers' billing information"
Tell this to those who haven't seen the telnet server which is embedded into the client and gets activated by a Python object coming with payload from the server.
> no advantage can be gained by manipulating the EVE client
If you don't consider using a bot, resembling a player's everyday in-eve activities for up to 23 hours a day, an advantage...
> Access to the source code for the EVE client exposes no security vulnerabilities
Are you sure? Maybe I should post some Python code for your ingame browser, so people with knowledge of security could give a bit more definite answer?
Am I the only person who thinks it somewhat wrong to post on Slashdot a link to stolen, unreleased source code?
Geez, why not just upload a GTA4 ISO while you're at it.
Kayamon
You forgot to add "Get off my lawn!".
When it costs practically nothing to produce a 1:1 copy of something, then it becomes impossible to charge much more than nothing for it. It really is as simple as that. There are huge changes coming and telling people to fuck off to North Korea won't change that.
From my experience with EVE I have the impression that their QA is a bit understaffed. There are some visible bugs in the game that have been unfixed for a while, so I presume there are exploitable security bugs to match.
Going the open source route may or may not help them, depending on how much of the data available clientside has to remain hidden from the user:
The deep dark secrets they don't want out could be something like players getting info on all objects in a solar system, and the client filtering out what should not be seen. That would be immediately exploitable by a client that has the filter removed. It would also be poor design, but consistent with the general lagginess of EVE.
But then again, their behaviour indicates that they are not interested in going open source anyway.
C - the footgun of programming languages
This is the best attitude that I've ever seen from a commercial MOG developer. It is exactly correct.
Someone just needs to tell their Banstick guys that. If they believe their own argument, then they need to act like it.
If you were blocking sigs, you wouldn't have to read this.
Give the man a cookie, for he gets it (even if he doesn't know it himself). 100% unemployment and total automation is what we should strive for. The day my job becomes automated is the day mankind is set free, for programming is something only intelligent machines can do.
How would investing more playtime into EVE give you an advantage over other players?
Simple.
Suppose you spend 80 hours a week in game.
Suppose I play 15 hours a week, but buy ISK to keep up with you in terms of in game cash.
Our characters' wealth and skills would be equivalent, right?
But who is more likely to run a major alliance, control a starbase, or do anything else of real significance?
You see, the guy 'in game' has a massive advantage. He's spending 80 hours a week meeting people, building friendships, trust, networks, alliances, and has his finger on the community. You can't simply buy that.
The only thing you can get from playing a lot is more money, but if you really wanted that, there are other legit ways to acquire it without investing time.
What? Selling those time cards for ISK? Come on.
1) If the 15 hour/wk crowd decided to play keep up with the full time players there would be more time codes flooding the market than ore. Supply would outstrip demand 1000 to 1. It's a solution for a handful of players maybe, but hardly a general solution.
2) I want to play for what I get in Eve, not buy it. It's a game, first and foremost.
3) My commitment to Eve is 'several hours a week', and 15$/month or whatever. I'd like to see competitive play at this level. There are many thousands of us after all, so there's certainly no lack of opportunity for a 'league' for us.
But no, we're forced onto the hardcore server, where a chunk of the competition completely and utterly and permanently outclasses us, and we are forced to either dramatically up our commitment in time or money to keep up... or come to terms with the fact that we can either remain irrelevant or become cogs in someone else's machine.
Yet if I want to race cars on the weekend, I can take the car of my choice and get into a competitive race with others in the same class of vehicle and skill, with a similar level of commitment to the sport. I'm not put on the road with pro-drivers in F-1 cars and told that if I want to see anything remotely competitive then I'd better dedicate a lot more time and/or money to the pursuit.
That's just silly... yet that's the competition model in all MMOs to date.