Eve Online Client Source Code Leaked
An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
I would worry that unscrupulous players will dig through the source code to find exploits, but it's reassuring to find something that will bring them back to the real world...
Well, almost. http://thepiratebay.org/tor/4128183/Eve_Online_Source(client_side)_Code
Frankly, downloading this would be a stupid thing to get banned over. This is CCP's bread and butter, I don't blame them for taking this action. In their eyes, they are trying to eliminate exploiting players in hopes of making the game better for non-exploiting players. This 'policing' action is usually desired by the community. Yeah, it's unfortunate that they're not taking advantage of the security and stability of an open source coding community.
Let's see if Linden Labs can make this OSS client thing work to their advantage. I sure hope so because it will give everyone else a reason to make the switch.
My work here is dung.
Unless you live in your mom's basement.
In the lengthy and scatological exchange, the poster of the source code attempts to get some answers about CCP's much maligned security practices, particularly concerning the rife issue of bots and scripting in their flagship game. The conversation was a little less than professional.
Well, at least on the tidbit shown in the article, the CCP representative sounds perfectly rational and professional. Am I missing something here?
And by the way, how did this guy end up with the source code in the first place?!
It's not a leak, the .pyc's have just been decompiled and distributed. Here - go do it yourself.
On a side note, I think this has happened before on a much more serious scale.
My work here is dung.
"I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer."
I doubt it. But this is not without a good reason.
Many, many MMORPG players are 13 year old kids. Immature kids. These people are not adults. They do not behave like adults. If the company "calmly addresses the issues", then they'll be flooded by complainers, cheaters and opportunists within no time.
I've been involved in MMORPG for several years. The immaturity in MMORPG communities in general is just sad. There doesn't seem to be any good way to handle issues other than ruling with iron fist.
Well that will be great for any of their users who get a dynamic IP that was previously used to download the code.
That very fact is why I think the post you were replying to is likely full of it.
I'll probably be modded down for this...
The problem isn't so much that the code isn't fixable, or that the client side code will show something obviously exploitable (as this is most likely the case.) But really, it's about the fact that every developer writing code for this has been doing it under the assumption that nobody is going to look at it except their peers, now the world is staring at their dangling unmentionables. Imagine your rushed proprietary coding project was now instantly made open source against your wishes...
What they don't want is someone adding functionality to the client they avoided for a long time:
Fire all weapons on a single click. Automagically select the right ECM jammer for the target ship. And that's what came to my mind in an instant.
I bet there are many more possibilities which can unbalance tweaked clients and standard clients. It is like a free opportunity for wall hacks if other clients are allowed. It wouldn't be a problem for PvE games, but PvP needs the same client for all.
I don't know... Remember the recent article RE: the FBI investigating any IP that accessed a false child pornography website that they set up? I think the powers that be have yet to realize that IPs are not exactly reliable means of identifying individuals.
Fear the penguin.
It wouldn't be a problem for PvE games, but PvP needs the same client for all.
Or needs to do validation on the server-side of all game-balance-affecting stuff--which is really the only way to ensure fairness, since clients can always be hacked.
rage, rage against the dying of the light
For those of you asking "what's the big deal about this?" here are what people have found so far digging through the code.
EVE is a fine game, but the code is a joke. This is very likely going to lead to a lot of problems for CCP for some time to come. If they're lucky they'll only get a flood of bots, if they're not then the game may very well turn in to a wild west of hacking players looking for an edge.
The Second Life client is open source. If that can be done, why is the source code leak for this game such a bad thing?
If they just banned every IP, yes, that'd have a high number of false positives, but they could track the following:
1. A user has previously logged onto Eve Online
2. The IP linked to that user's previous session downloads the code.
3. The user logs onto Eve Online again with the same IP (i.e. the same IP/username is maintained throughout).
Put those three events together, and it'd be easy to track/ban a lot of those downloading.
Back in the day the EVE/script folder had the decompiled python in it in plain text. People did stuff like modify it to create merchant bots that would auto buy/sell stuff on the markets and whatever else they wanted to modify. Then CCP changed it to one 'compiled.code' file instead of all the uncompiled python files, which is easier to manage and check for people making changes. So you can still just take that 'compiled.code' file and decompile it to readable code, which is what got 'leaked'. It's nothing special at all really, and is only a portion of the client code. Anyone that was interested in messing with it has already seen the Python, especially people that played when it wasn't even pre-compiled. Next thing you know right clicking a web page to 'view source' will be considered leaking source code too?
Old: Eve Online Client Source Code Leaked
Revised: Eve Online Client now open source!
Let's put our hopes in the anti piracy lobby. They've been working hard for years to loosen the knots around these kinds of logs, and as is evident by the article, making logs containing private data readily available to economic interest groups/firms is useful for more than just pirate hunting. Kudos to the content mafia for increasing our security and well-being!
Don't be crazy anymore!
But... but... he has a 3 digit ID! If we can't trust low /. ID's, what can we trust?
Let me give you a little history lesson.
:)
Back in the dark ages, ya know, the 90s, there was a little game called Ultima Online.
Heard of it? I hope so, it was one of the original MMORPGs.
Every client ever released for that game had all of its packets decrypted, and the encryption scheme broken for keys, usually within 24-48 hours. Every time they updated.
Add to that that people edited the client to do whatever they wanted, sometimes with other programs hooking in and altering packets, others by directly altering the assembly of the client.
Many people tried to exploit bugs in the game that way, but most failed, and every time someone did find one, it was usually fixed relatively quickly. Malformed packets went from "all the rage" and the way to bug up a game to relatively worthless within a span of a month, barring a few new uses that popped up every so often from bad new code introduced.
Having the source code only simplifies this a little for the people who really care, and it doesn't really enable them to do anything they couldn't already.
Oh, also, while I'm at it. Did you know Ultima Online had a special client for staff characters? And that the binary for that client was leaked as well?
OH NOES! But wait! Ultima Online used good security measures and correct privilege systems, so the client was worthless for anything a normal player couldn't do.
Summary: This isn't new, and it's happened before on other games. Except in the past most games were already so well understood by their communities that the source would add almost nothing except a little ease and some time saved duplicating a better version of the client when they stop upgrading.
Add to that, if this causes ANY security issue with EVE, then the people who coded the game should get in trouble, not the players. Good coding practices prevent all trouble the code could possibly do. You ARE checking for privilege levels and sanitizing your inputs, right?
You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
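The server-side checks that the reply about validating game-balance-affecting actions and the Ultima Online comment above both describe, sketched as an added example (not code from this thread, from CCP, or from any game). The command names, roles, module ids and limits are hypothetical.

```python
import time

STAFF_COMMANDS = {"teleport", "spawn_item"}   # hypothetical staff-only commands
MAX_MODULES = 8                               # hypothetical per-ship fitting limit

class Session:
    """Server-side state for one login; nothing here is copied from client messages."""
    def __init__(self, account, role, modules):
        self.account = account
        self.role = role              # looked up from the account database at login
        self.modules = dict(modules)  # fitted module id -> cooldown in seconds
        self.ready_at = {}            # module id -> earliest next activation time

def handle(session, msg, now=None):
    """Check one decoded client message against server state; return (accepted, reason)."""
    now = time.monotonic() if now is None else now
    cmd = msg.get("cmd") if isinstance(msg, dict) else None
    if not isinstance(cmd, str):
        return False, "malformed"
    if cmd in STAFF_COMMANDS:
        # Privilege is read from the session; a "role" field in msg is ignored.
        return (True, "ok") if session.role == "staff" else (False, "forbidden")
    if cmd != "activate":
        return False, "unknown command"
    ids = msg.get("modules")
    # Sanitize: a short list of distinct strings, nothing else.
    if (not isinstance(ids, list) or not 0 < len(ids) <= MAX_MODULES
            or not all(isinstance(m, str) for m in ids) or len(set(ids)) != len(ids)):
        return False, "malformed"
    # Validate every module before changing any state, so a bad batch has no effect.
    for m in ids:
        if m not in session.modules:
            return False, "not fitted"
        if now < session.ready_at.get(m, 0.0):
            return False, "cooldown"
    for m in ids:
        session.ready_at[m] = now + session.modules[m]
    return True, "ok"

# Constructed sample messages, as a modified client might send them.
if __name__ == "__main__":
    pilot = Session("pilot1", "player", {"laser1": 5.0, "laser2": 5.0})
    for t, msg in [(100.0, {"cmd": "activate", "modules": ["laser1", "laser2"]}),
                   (101.0, {"cmd": "activate", "modules": ["laser1"]}),
                   (102.0, {"cmd": "teleport", "role": "staff"})]:
        print(t, msg, handle(pilot, msg, now=t))
```

A client edited to batch activations or to claim a staff role gets exactly what an unmodified client gets, because every decision is made from the session's own state.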
It's no wonder they tried so hard to keep this code hidden. I'm not even sure what this is supposed to do.
//The first verse
//Both people are represented by an abstract class
public abstract class Person
{
    public bool StrangersToLove { get; set; }
    public bool KnowTheRules { get; set; }
}
//Possible thoughts
public enum Thought
{
    FullCommitment
}
//Class
public sealed class Me : Person
{
    public Thought Thinking()
    {
        return Thought.FullCommitment;
    }
}
//The target of the song, notice that GetThought can only be called by passing in an instance of Rick
//which satisfies that she can't get this from any other guy
public class You : Person
{
    private Thought whatHeIsThinking;
    public void GetThought(Me guy)
    {
        whatHeIsThinking = guy.Thinking();
    }
}
class Program
{
    static void Main(string[] args)
    {
        var Rick = new Me() { KnowTheRules = true, StrangersToLove = false };
        var Girl = new You() { KnowTheRules = true, StrangersToLove = false };
        Girl.GetThought(Rick);
    }
}
CCP is aware that an individual claims to have access to the source code of the EVE client. This access is not a security risk to CCP in any way. CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding. Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers' billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to, or from the EVE system. Nothing the EVE client can do can affect the game state, no advantage can be gained by manipulating the EVE client, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP, and hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP's web site.
CCP does not confirm or deny, nor make any comment, regarding issues of internal security, and will not be doing so in this case. As a policy, CCP removes message board posts regarding violations of its EULA and Terms of Service, and CCP considers any alteration of the Client software, including decompilation, to be such violations.
--------
Ryan S. Dancey
Chief Marketing Officer
CCP
Me.
They don't need a lawsuit to ban accounts on their servers.
c++;