Eve Online Client Source Code Leaked
An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
I would worry that unscrupulous players will dig through the source code to find exploits, but it's reassuring to find something that will bring them back to the real world...
If you are an active EVE player, don't use the torrent links to download the source. CCP is monitoring the torrents and banning any accounts with matching IP addresses to any of the people using the torrent.
They obviously can't watch them all, but don't download the torrent from an IP that you use to play the game.
Well, almost. http://thepiratebay.org/tor/4128183/Eve_Online_Source(client_side)_Code
Frankly, downloading this would be a stupid thing to get banned over. This is CCP's bread and butter, I don't blame them for taking this action. In their eyes, they are trying to eliminate exploiting players in hopes of making the game better for non-exploiting players. This 'policing' action is usually desired by the community. Yeah, it's unfortunate that they're not taking advantage of the security and stability of an open source coding community.
Let's see if Linden Labs can make this OSS client thing work to their advantage. I sure hope so because it will give everyone else a reason to make the switch.
My work here is dung.
I don't think anything as major as this has happened before, and from an online game developer's perspective I will look closely at how this affects cheating and the development of the game further, as something like this is a great nightmare for any game developer, and I really want to see how this one ends.
Unless you live in your mom's basement.
In the lengthy and scatological exchange, the poster of the source code attempts to get some answers about CCP's much maligned security practices, particularly concerning the rife issue of bots and scripting in their flagship game. The conversation was a little less than professional.
Well, at least in the tidbit shown in the article, the CCP representative sounds perfectly rational and professional. Am I missing something here?
And by the way, how did this guy end up with the source code in the first place?!
The major issue behind the source-code leak is the security surrounding the code. Now that it's out, there is the potential for "unscrupulous players" to find exploits. Anyone familiar with Python will be able to find at least something.
Also, since it is the client code that was released, an intrepid cheater can find ways not just to exploit functions in-game, but find ways to pull various bits of data from straight out of memory. This is a bit like third-party programs that utilize CCP's API code system, though it is a direct violation of the Terms of Service of said game, as it could provide access to information that would potentially give a select few an edge.
My eye's on GoonSwarm now; this might be their "big chance" to ruin the game they declared they would.
It's not a leak, the .pyc's have just been decompiled and distributed. Here - go do it yourself.
Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents and then monitoring all IP addresses acquiring the source and then banning accounts associated with those IPs.
If they're actually seeding it themselves then I expect to hear about a lawsuit. Since that would be purely legal to download from them. If CCP is effectively giving away their src what's wrong with accepting their offer?
If I had one dollar for every brain you don't have, I would have $1.
"I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer."
I doubt it. But this is not without a good reason.
Many, many MMORPG players are 13 year old kids. Immature kids. These people are not adults. They do not behave like adults. If the company "calmly addresses the issues", then they'll be flooded by complainers, cheaters and opportunists within no time.
I've been involved in MMORPG for several years. The immaturity in MMORPG communities in general is just sad. There doesn't seem to be any good way to handle issues other than ruling with an iron fist.
I'll probably be modded down for this...
Okay, the torrent is here.
First things first - it's not the full source. In fact, it's not even 2mb big. It's not even a fraction of the source.
Secondly, from the IM conversation they had with support:
[20:18] I don't know HOW you work
[20:19] i see the RESULT of this work
[20:19] and UNDERPANTS of it
They see the UNDERPANTS of it. Hilarious.
What planet are you on? Gosh, I wonder how Microsoft would respond to someone putting the code for Office online? Banning would be the least of it. Open source is a good thing; software patents are bad; but EVERY company is legitimately entitled to its trade secrets.
I piss off bigots.
What they don't want is someone adding functionality to the client they avoided for a long time:
Fire all weapons on a single click. Automagically select the right ECM jammer for the target ship. And that's what came to my mind in an instant.
I bet there are many more possibilities which can unbalance tweaked clients and standard clients. It is like a free opportunity for wall hacks if other clients are allowed. It wouldn't be a problem for PvE games, but PvP needs the same client for all.
Does this mean that someone will finally make a proper Mac and Linux build without the Transgaming garbage ;)
It wouldn't be a problem for PvE games, but PvP needs the same client for all.
Or needs to do validation on the server-side of all game-balance-affecting stuff--which is really the only way to ensure fairness, since clients can always be hacked.
rage, rage against the dying of the light
For those of you asking "what's the big deal about this?" here are what people have found so far digging through the code.
EVE is a fine game, but the code is a joke. This is very likely going to lead to a lot of problems for CCP for some time to come. If they're lucky they'll only get a flood of bots, if they're not then the game may very well turn in to a wild west of hacking players looking for an edge.
Back in the day the EVE/script folder had the decompiled python in it in plain text. People did stuff like modify it to create merchant bots that would auto buy/sell stuff on the markets and whatever else they wanted to modify. Then CCP changed it to one 'compiled.code' file instead of all the uncompiled python files, which is easier to manage and check for people making changes. So you can still just take that 'compiled.code' file and decompile it to readable code. Which is what got 'leaked'. It's nothing special at all really, and is only a portion of the client code. Anyone that was interested in messing with it has already seen the Python, especially people that played when it wasn't even pre-compiled. Next thing you know right clicking a web page to 'view source' will be considered leaking source code too?
Could we rephrase it to say
EVE Online Client Open Sourced
but not by choice?
WARNING: Smartphones have side effects--most of them undocumented.
You must be new here. For most of us, it's one and the same. Though the coffee's not $3 a cup.
WARNING: Smartphones have side effects--most of them undocumented.
Old: Eve Online Client Source Code Leaked
Revised: Eve Online Client now open source!
No, he just wants some of the obvious technical problems with the game to be addressed. EvE is a pretty amazing game, but it has plenty of rough edges and some glaring flaws. EvE is also an extremely competitive game, beyond pretty much anything I've ever played online. There's many examples of bots and macro-miners, and those sorts of things. In a game that's so cut-throat, and that has relatively few restrictions/rules, when someone does break the rules it tends to make many of the players very upset.
The developers are fully aware of many of these issues, yet when the players ask for them to be addressed, the devs sometimes play dumb or more often say it'll be dealt with and then never really say whether it got fixed or not.
Short version: There's lots of bots in the game. Players complain. CCP keeps saying Don't worry, we're taking care of it. But the bots never go away. Rinse and repeat that sequence for various other issues.
One time I threw a brick at a duck.
It's no wonder they tried so hard to keep this code hidden. I'm not even sure what this is supposed to do.
//The first verse
//Both people are represented by an abstract class
public abstract class Person
{
    public bool StrangersToLove { get; set; }
    public bool KnowTheRules { get; set; }
}

//Possible thoughts
public enum Thought
{
    FullCommitment
}

//Class
public sealed class Me : Person
{
    public Thought Thinking()
    {
        return Thought.FullCommitment;
    }
}

//The target of the song, notice that GetThought can only be called by passing in an instance of Rick
//which satisfies that she can't get this from any other guy
public class You : Person
{
    private Thought whatHeIsThinking;

    public void GetThought(Me guy)
    {
        whatHeIsThinking = guy.Thinking();
    }
}

class Program
{
    static void Main(string[] args)
    {
        var Rick = new Me() { KnowTheRules = true, StrangersToLove = false };
        var Girl = new You() { KnowTheRules = true, StrangersToLove = false };
        Girl.GetThought(Rick);
    }
}
CCP is aware that an individual claims to have access to the source code of the EVE client. This access is not a security risk to CCP in any way. CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding. Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers' billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to, or from the EVE system. Nothing the EVE client can do can affect the game state, no advantage can be gained by manipulating the EVE client, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP, and hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP's web site.
CCP does not confirm or deny, nor make any comment, regarding issues of internal security, and will not be doing so in this case. As a policy, CCP removes message board posts regarding violations of its EULA and Terms of Service, and CCP considers any alteration of the Client software, including decompilation, to be such violations.
--------
Ryan S. Dancey
Chief Marketing Officer
CCP
So has anyone actually recompiled it into a working client? Is it even possible or are these just, as people have said, decompiled portions of the client?
if ((KnowYourRole == yes) && (you.Location() == hotel['SmackDown'])) {
you="Roodypoo" . "Candy-Ass";
}
Or needs to do validation on the server-side of all game-balance-affecting stuff--which is really the only way to ensure fairness, since clients can always be hacked.
Server-side validation only captures 'illegal commands', it doesn't really capture -automated commands-.
As long as the bots don't do anything Server side validation isn't going to catch squat. It can't easily tell if it's a real player at the helm. And it certainly can't tell the difference between player:
click-a, click-b, c, d, e, f, g, h, i, j, k, l, m
and player
click-X
and exploit-script tells server he: click-a, b, c, d, e, f, g, h, i, j, k, l
freeing the player some extra time to read status readouts, check the map, check his 6, etc.
nor can it tell the difference between:
player observes condition - click-a, click-b in response and
script-bot detects condition - sends 'click-a, click-b' in response.
freeing the player to not have to issue commands at all. (Think of a bot that can farm ore by itself, return it to base, and make a rudimentary attempt to flee an attacker, even if the player is at work.)
Imagine a blob of 10-20 of these bots gate camping, assisted by just one or 2 players who can give the whole blob move/retreat/regroup/attack orders via an out-band channel like IRC.
Again server side validation isn't going to see anything in terms of invalid input.
These are the sorts of uses that hacking the client can be expected to yield, even if you assume the server is hardened and secure against 'malicious' clients.
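Added example, not part of the thread and not CCP's code: a small authoritative-server check in Python for the two comments above on server-side validation. It rejects requests that break the rules held on the server, and accepts the same valid volley whether it arrives as three clicks or as one bound key. Ship, Weapon, Server, fire() and the sample state are hypothetical; `now` stands for the server's own clock and is passed in so the run is deterministic.

```python
# Added illustration; Ship, Weapon, Server and fire() are hypothetical names,
# not EVE's protocol. `now` stands for the server's own clock.
import math
from dataclasses import dataclass, field


@dataclass
class Weapon:
    max_range: float        # metres
    cooldown: float         # seconds between shots
    ready_at: float = 0.0   # server time at which it may fire again


@dataclass
class Ship:
    owner: str
    pos: tuple
    weapons: dict = field(default_factory=dict)   # slot name -> Weapon


class Server:
    """Holds the only copy of game state that counts."""

    def __init__(self, ships):
        self.ships = ships      # ship id -> Ship
        self.accepted = []      # audit trail of applied commands

    def fire(self, session_user, now, ship_id, slot, target_id):
        """Check one client request against server state; return (ok, reason)."""
        ship, target = self.ships.get(ship_id), self.ships.get(target_id)
        if ship is None or target is None:
            return False, "unknown ship"
        if ship.owner != session_user:      # identity comes from the session
            return False, "not your ship"
        weapon = ship.weapons.get(slot)
        if weapon is None:
            return False, "no such weapon"
        if now < weapon.ready_at:           # client-side timers are ignored
            return False, "cooldown"
        if math.dist(ship.pos, target.pos) > weapon.max_range:
            return False, "out of range"
        weapon.ready_at = now + weapon.cooldown
        self.accepted.append((now, ship_id, slot, target_id))
        return True, "ok"


def build_server():
    """Constructed sample state: A (alice) is 5 km from B and 30 km from C."""
    slots = {s: Weapon(max_range=10_000, cooldown=5.0) for s in ("hi1", "hi2", "hi3")}
    return Server({
        "A": Ship("alice", (0.0, 0.0, 0.0), slots),
        "B": Ship("bob", (3_000.0, 4_000.0, 0.0)),
        "C": Ship("carol", (30_000.0, 0.0, 0.0)),
    })


def volley(server, start, gap):
    """Fire three slots at B, `gap` seconds apart; only `gap` separates three
    separate clicks from a single bound key."""
    return [server.fire("alice", start + i * gap, "A", slot, "B")[0]
            for i, slot in enumerate(("hi1", "hi2", "hi3"))]


if __name__ == "__main__":
    print(volley(build_server(), 100.0, 0.8))   # three clicks
    print(volley(build_server(), 100.0, 0.0))   # one bound key
    s = build_server()
    print(s.fire("alice", 100.0, "A", "hi1", "C"), s.fire("bob", 100.0, "A", "hi1", "B"))
```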
Abuser's motivation? If CCP will not go for fixing old issues and start doing something with bots by good, releasing the source code and promoting it should force them to do this anyway. They refused to confirm they were ignoring bots, client security and performance issues, instead releasing new content. This caused the source to go public. If they would agree to confirm their issues, the "leak" would never happen.
Fire all weapons on a single click? I do that already with my Logitech G15 gaming keyboard.
I'll call BS there.
1. Just as a counter-example: Blizzard may not be perfect on the whole, but I don't think there is even 1 documented case of anyone being banned for discussing a bug. You _can_ get banned for using bots, yes, but not discussing bots, for example.
Their internal policy, as documented repeatedly and even recently on Slashdot, is to rely on criticism and try to fix problems. It's a piss poor company who thinks that the "ban hammer" to silence bug-reports is a perfectly normal way to hold a conversation.
Heck, there's even been a whole photoshopped "yeah, well, gold can be duped in WoW too" storm in a kettle way back, and I don't think I even heard of anyone getting banned for asking about it. Turns out that shrugging and pointing out that it doesn't work, is a much better way to deal with it, than trying to cover up real bugs like some other companies do.
2. Excuse me? We're talking documented bugs and abuses, including the places in code where they happen. How about freaking just fixing them? Regardless of whether they're reported by a 13 year old, or even a 6 year old. Moaning about the age makes a piss-poor ad-hominem there.
"If the company "calmly addresses the issues", then they'll be flooded by complainers, cheaters and opportunists within no time."? Exactly how's fixing a bug going to get you flooded by those?
- Complainers: you can have the server generate statistics for you, to see if those have a point or not. (Again, it has been discussed about Blizzard fairly recently. They actually _rely_ on "complainers" and statistics to see what needs to be fixed or tweaked.) You _can_ sort out who has a legitimate complaint and who doesn't. Trying to silence everyone who has a complaint, is the most piss-poor policy imaginable, especially when they're complaining about an actual provable exploit.
And how about putting things into perspective? If you get _flooded_ in reports of actual bugs you have, it's _you_ who's to blame, not the players. I'd want to see those issues fixed, not silenced.
- Cheaters. Exactly how's fixing a bug going to help those? On the contrary, if I ever actually wanted to cheat in a game, I'd rather look for a company that spent years trying to silence bug reports instead of fixing any of the exploits.
- Opportunists. Excuse me? Exactly what opportunity are we talking about there? The opportunity to help get the game fixed? Give those guys a freaking medal, then.
The opportunity to get a bit of short-lived forum fame in the process? Well, first of all, that's a very small price to pay for getting a thorough testing. Good testers are rare. So if as little as a bit of fame gets one to report the most obscure bugs to you, and do a free code review too apparently in this case, then by all means, give it to them. Post a "top 10 bug reporters" page on the official site. Give them a funny hat in the game, or a unique decal for their ship, or whatever. Whatever gets them to keep working for you for free.
Second, that fame is rather little and short lived if you have a reputation of fixing bugs promptly. You need to have quite a number of discontent players, for them to rally around the loudest guy. If they have no reason to be discontent with your handling bugs, they'll just naturally treat anyone as a troll if they raise a huge stink over some bug that's fixed in a week anyway.
In effect, if a company "calmly addresses the issues", on the contrary, that's the best way to _defuse_ any chronic complainers, cheaters and opportunists. It takes away the whole foundation for any "us vs them" movement. It says "we're on your side, we're all working together to make the game better for you." Starting banning people for just talking about you having bugs, is quite the opposite effect. Nothing says "us vs the players" as loudly as doing that.
A polar bear is a cartesian bear after a coordinate transform.
From my experience with EVE I have the impression that their QA is a bit understaffed. There are some visible bugs in the game that have been unfixed for a while, so I presume there are exploitable security bugs to match.
Going the open source route may or may not help them, depending on how much of the data available clientside has to remain hidden from the user:
The deep dark secrets they don't want out could be something like players getting info on all objects in a solar system, and the client filtering out what should not be seen. That would be immediately exploitable by a client that has the filter removed. It would also be poor design, but consistent with the general lagginess of EVE.
But then again, their behaviour indicates that they are not interested in going open source anyway.
C - the footgun of programming languages
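Added example, not part of the thread and not taken from the EVE client: the design question raised in the comment above, sketched in Python as a filter-on-the-client payload next to a filter-on-the-server payload, with a regression check a server team could run over either. The object fields, the sensor rule and every function name are hypothetical, and the object list is constructed sample data.

```python
# Added illustration; fields, sensor rule and function names are hypothetical.
import json
import math

# Constructed sample state for one solar system.
OBJECTS = [
    {"id": 1, "kind": "station", "pos": (0, 0, 0), "cloaked": False},
    {"id": 2, "kind": "ship", "pos": (40_000, 0, 0), "cloaked": False},
    {"id": 3, "kind": "ship", "pos": (5_000, 0, 0), "cloaked": True},
    {"id": 4, "kind": "ship", "pos": (900_000, 0, 0), "cloaked": False},
]
SENSOR_RANGE = 100_000   # metres


def can_see(viewer_pos, obj):
    """The one visibility rule, evaluated only against server state."""
    return not obj["cloaked"] and math.dist(viewer_pos, obj["pos"]) <= SENSOR_RANGE


def snapshot_client_filtered(viewer_pos):
    """Weak design: send every object with a 'hidden' hint and trust the
    client to honour it."""
    return json.dumps([{**o, "hidden": not can_see(viewer_pos, o)} for o in OBJECTS])


def snapshot_server_filtered(viewer_pos):
    """Stronger design: objects the viewer may not see never leave the server,
    and internal fields such as 'cloaked' are dropped from what is sent."""
    return json.dumps([{"id": o["id"], "kind": o["kind"], "pos": o["pos"]}
                       for o in OBJECTS if can_see(viewer_pos, o)])


def ids_on_wire(payload):
    """What any client, stock or modified, can read out of a payload."""
    return sorted(o["id"] for o in json.loads(payload))


def leaked_ids(payload, viewer_pos):
    """Regression check: ids present in the payload that the rule says the
    viewer must not see. An empty list means nothing is left to un-filter."""
    by_id = {o["id"]: o for o in OBJECTS}
    return [i for i in ids_on_wire(payload) if not can_see(viewer_pos, by_id[i])]


if __name__ == "__main__":
    here = (0, 0, 0)
    for build in (snapshot_client_filtered, snapshot_server_filtered):
        payload = build(here)
        print(build.__name__, ids_on_wire(payload), leaked_ids(payload, here))
```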
This is the best attitude that I've ever seen from a commercial MOG developer. It is exactly correct.
Someone just needs to tell their Banstick guys that. If they believe their own argument, then they need to act like it.
If you were blocking sigs, you wouldn't have to read this.
BINGO.
This is pretty much the standard approach when dealing with software companies that have a history of ignoring well known security flaws in their products (Microsoft, for example). Basically, since they haven't proven themselves honest in dealing with known issues, and real money is on the line via software purchases or subscriptions, the line of reasoning is that they are willingly defrauding people with an inferior product. Since current law is inadequate in regards to software quality, the authorities will not prosecute them for it. Thus it is up to vigilantes to uphold "justice" by punishing the company with lost sales and lost prestige via publishing the exploits and/or source code.
Now, I don't necessarily agree with this line of thought, and I think that the BETTER approach would have been to approach CCP, let them know you obtained the source code and how you did it. Let them know you want to help improve the game by pointing out flaws and that you want nothing for your help. Give them all the info UP FRONT about the flaws and allow them time to fix them (3 to 6 months, depending on the nature of the flaws is considered standard.) While they are working on it, HOLD the source code. If, after the 3 to 6 months, the problems aren't addressed and the company in question seems unwilling to pursue the issues then release the source code to a reputable security group to address.
Unfortunately, this particular hacker doesn't appear to have done the sane thing (although since there isn't a date listed on the conversation notes, we have no real way of knowing how long he waited to release). Instead he appears to be simply threatening them with the issues, and then just releasing the code. Again, we have only limited information to work on, and we don't know the time lines involved, and what the full conversation between CCP and the code holder is/was. But based on the info we do have I'd say he/she approached it in a very juvenile manner almost guaranteed to turn people against him/her and to make bots/hacks/exploits WORSE rather than better.
It's too bad. He/she could have done much good for all EVE players with that info.
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
How would investing more playtime into EVE give you an advantage over other players?
Simple.
Suppose you spend 80 hours a week in game.
Suppose I play 15 hours a week, but buy ISK to keep up with you in terms of in game cash.
Our characters' wealth and skills would be equivalent, right?
But who is more likely to run a major alliance, control a starbase, or do anything else of real significance?
You see, the guy 'in game' has a massive advantage. He's spending 80 hours a week meeting people, building friendships, trust, networks, alliances, and has his finger on the community. You can't simply buy that.
The only thing you can get from playing a lot is more money, but if you really wanted that, there are other legit ways to acquire it without investing time.
What? Selling those time cards for ISK? Come on.
1) If the 15 hour/wk crowd decided to play keep up with the full time players there would be more time codes flooding the market than ore. Supply would outstrip demand a 1000 to 1. It's a solution for a handful of players maybe, but hardly a general solution.
2) I want to play for what I get in eve, not buy it. It's a game, first and foremost.
3) My commitment to Eve is 'several hours a week', and 15$/month or whatever. I'd like to see competitive play at this level. There are many thousands of us after all, so there's certainly no lack of opportunity for a 'league' for us.
But no, we're forced onto the hardcore server, where a chunk of the competition completely and utterly and permanently outclasses us, and we are forced to either dramatically up our commitment in time or money to keep up... or come to terms with the fact that we can either remain irrelevant or become cogs in someone else's machine.
Yet if I want to race cars on the weekend, I can take the car of my choice and get into a competitive race with others in the same class of vehicle and skill, with a similar level of commitment to the sport. I'm not put on the road with pro-drivers in F-1 cars and told that if I want to see anything remotely competitive then I'd better dedicate a lot more time and/or money to the pursuit.
That's just silly... yet that's the competition model in all MMOs to date.