Eve Online Client Source Code Leaked

An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.

Direct link to the torrent

Well, almost. http://thepiratebay.org/tor/4128183/Eve_Online_Source(client_side)_Code

Warning! CCP Seeding, Banning Torrenters

[eldavojohn]

Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents and then monitoring all IP addresses acquiring the source and then banning accounts associated with those IPs. So if you're going to get the code just to look at it, I suggest using your mom's house or an internet cafe!

I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer. This particular user used this code to point out a few things regarding security:

From all security i saw - were ROLE permissions for logins with priviliges higher than usual player, and some minor things in relation to prevent some remote service calls (some with potentially bad payload) I'm not entirely sure if he's implying there's some exploitable permissions bug or if there are some user roles that are jacked up (you know, like a coder at CCP giving himself the keys to the game and claiming it was for debug when it was for his own account's gain). But whatever it is, CCP should fix that.

Frankly, downloading this would be a stupid thing to get banned over. This is CCP's bread and butter, I don't blame them for taking this action. In their eyes, they are trying to eliminate exploiting players in hopes of making the game better for non-exploiting players. This 'policing' action is usually desired by the community. Yeah, it's unfortunate that they're not taking advantage of the security and stability of an open source coding community ... but you have to admit it would be easy for someone to fork and go off and make their own client with. Maybe there's deep dark secrets they don't want out and since it's only a game and I don't really care for it I'm not too concerned.

Let's see if Linden Labs can make this OSS client thing work to their advantage. I sure hope so because it will give everyone else a reason to make the switch.

Not a leak

[Fweeky]

It's not a leak, the .pyc's have just been decompiled and distributed. Here - go do it yourself.

Calmly addressing issues

[FooBarWidget]

"I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer."

I doubt it. But this is not without a good reason.

Many, many MMORPG players are 13 year old kids. Immature kids. These people are not adults. They do not behave like adults. If the company "calmly addresses the issues", then they'll be flooded by complainers, cheaters and opportunists within no time.

I've been involved in MMORPG for several years. The immaturity in MMORPG communities in general is just sad. There doesn't seem to be any good way to handle issues other than ruling with iron fist.

Re:Calmly addressing issues

[brkello]

I don't understand how the maturity level of the user base has anything to do with how a company reacts. Eve has always been heavy in to banning and suppressing information. Eve also claims to boast a more "mature" player base (which I find a bit laughable). In a game with such mature players, CCP bans more than any other company. I played Eve for awhile and didn't like it very much. The corruption from within the game company made me go from thinking they made a boring game with jerks as a player base to just flat out disliking the game. Don't get me wrong, Eve has its strong points...but fun isn't a part of that.

Eve banning people and deleting forum posts isn't ruling with an iron fist. It is a desperation move to hold on to customers who may not know what is going on. If they ruled with an iron fist they would actually come down on the people who cheated with the devs. That's the problem, the game should be as cut throat as possible in game...but CCP not only plays the game, but leaks inside knowledge of the game to organizations that are already overpowered. Maybe they are totally clean now (I doubt it) but the game will forever be tainted by the past.

The reason they ban is because they have too much to hide and would rather do that than address the issue and fix their game.

What's Been Found So Far

[rsmith-mac]

For those of you asking "what's the big deal about this?" here are what people have found so far digging through the code.

• 1) Since the client logic is in Python, introducing new logic is a matter of injecting new Python code in to the game. It turns out this is very easy to do right now, there are several ways, including using the telnet server the client runs so that CCP can upload code to the client computer when it connects
• 2) The big concern is bots, EVE can be botted and this is a problem like any MMO
• 3) The other big concern is that the EVE client knows far more than it shows, a problem for a PvP game. It is possible to hack the client to the point where it will tell you exactly who and what entered a system you are in, and where they are at at all times.
• 4) It's also possible to disable the client's "anti-addiction" code required to meet China's MMO laws. Apparently the server isn't actually booting players, it's telling the client to disconnect. The Chinese government is going to love that one
• 5) Finally, the game has a custom made built-in web browser (the In Game Browser) that's extremely cruddy and isn't used very much. It's also so cruddy that it's holier than the Pope himself; it's possible to craft links to induce it to execute external applications and web browsers. Basically with a little social engineering you can be trick people in to letting you compromise their machine.

EVE is a fine game, but the code is a joke. This is very likely going to lead to a lot of problems for CCP for some time to come. If they're lucky they'll only get a flood of bots, if they're not then the game may very well turn in to a wild west of hacking players looking for an edge.

Re:this is going to be so great

[the_humeister]

The Second Life client is open source. If that can be done, why is the source code leak for this game such a bad thing?

It's not that special really

[Hachima]

Back in the day the EVE/script folder had the decompiled python in it in plain text. People did stuff like modify it to create merchant bots that would auto buy/sell stuff on the markets and whatever else they wanted to modify. Then CCP changed it to one 'compiled.code' file instead of all the uncompiled python files, which is easier to manage and check for people making changes. So you can still just take that 'compiled.code' file and decompile it to readable code. Which is what got 'leaked' It's nothing special at all really, and is only a portion of the client code. Anyone that was interested in messing with it has already seen the Python, especially people that played when it wasn't even pre-compiled. Next thing you know right clicking a web page to 'view source' will be considered leaking source code too?

Re:Don't download the source via the torrent

[guywcole]

But... but... he has a 3 digit ID! If we can't trust low /. ID's, what can we trust?

Re:this is going to be so great

[Umuri]

Let me give you a little history lesson.
Back in the dark ages, ya know, the 90s, there was a little game called Ultima Online.

Heard of it? I hope so, it was one of the original MMORPGs.

Every client ever released for that game had all of it's packets decrypted, and the encryption scheme broken for keys, usually within 24-48 hours. Everytime they updated.

Add to that that people edited the client to do whatever they wanted, sometimes with other programs hooking in and altering packets, others by directly altering the assembly of the client.
Many people tried to exploit bugs in the game that way, but most failed, and everytime someone did find one, it was usually fixed relatively quickly. Malformed packets went from "all the rage" and the way to bug up a game to relatively worthless within a span of a month, barring a few new uses that popped up every so often from bad new code introduced.

Having the source code only simplifies this a little for the people who really care, and it doesn't really enable them to do anything they couldn't already.

Oh, also, while i'm at it. Did you know ultima online had a special client for staff characters? And that the binary for that client was leaked as well?

OH NOES! But wait! Ultima online used good security measures and correct privelege systems, so the client was worthless for anything a normal player couldn't do. :)

Summary: This isn't new, and it's happened before on other games. Except in the past most games were already so well understood by their communities that the source would add almost nothing except a little ease and some time saved duplicating a better version of the client when they stop upgrading.

Add to that, if this causes ANY security issue with EVE, then the people who coded the game should get in trouble, not the players. Good coding practices prevent all trouble the code could possibly do. You ARE checking for privelege levels and sanitizing your inputs, right?

Official Communication from CCP

[Vecna!]

CCP is aware that an individual claims to have access to the source code of the EVE client. This access is not a security risk to CCP in any way. CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding. Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers' billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to, or from the EVE system. Nothing the EVE client can do can affect the game state, no advantage can be gained by manipulating the EVE client, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP, and hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP's web site.

CCP does not confirm or deny, nor make any comment, regarding issues of internal security, and will not be doing so in this case. As a policy, CCP removes message board posts regarding violations of its EULA and Terms of Service, and CCP considers any alteration of the Client software, including decompilation, to be such violations.

--------

Ryan S. Dancey
Chief Marketing Officer
CCP

Re:this is going to be so great

[I+Like+Pudding]

If that can be done, why is the source code leak for this game such a bad thing? Because nobody actually cares about Second Life.