Slashdot Mirror


For 20 Years, This Man Has Survived Entirely By Hacking Online Games (vice.com)

An anonymous reader writes: A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time job. Manfred's character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion. I'm watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn't have a right to have. He would then sell those items and currency to other players (for real money) or wholesale them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players. At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency. When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted to go in, give his demo, and go out "as a ghost," never to be seen or heard from again. He said he wanted to be "invisible," just like he's been for the past two decades. He said he's found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full time job.

114 comments

  1. Invisible? by Anonymous Coward · · Score: 0

    Yet he holds a SPEECH in front of tons of people?! What? How? Wearing an elaborate mask and voice changer?

    1. Re:Invisible? by Gay+Boner+Sex · · Score: 3, Funny

      What is more astonishing is that he has actually SURVIVED entirely on hacking. No food, no water, not even any air or light.

      We should breed this guy in case we go to "nuclear war with Russia" and dust him off when all the cockroaches like Miss Mash and BeauHD scurry around in the nuclear war threatening the remaining regular humans with their mutated airborne cockroach AIDS spores. This hacker can carry his own.

    2. Re:Invisible? by PopeRatzo · · Score: 1

      That's nothing. This Indian man survived 70 years without food, water or going to the bathroom.

      http://nationalpost.com/g00/ne...

      --
      You are welcome on my lawn.
    3. Re: Invisible? by Anonymous Coward · · Score: 0

      Keep in mind his demo consisted of him telling the audience that he had just been warned that it would not be a smart move to show the demo.

      He briefly acted like he was still considering it, then decided against it.

      Or, most likely, there never was going to be any demo.

    4. Re:Invisible? by Presence+Eternal · · Score: 1

      It would seem "Off to be the Wizard" is based on a true story!

    5. Re:Invisible? by davester666 · · Score: 1

      I don't care how much you clean it, I'm not going to even touch his seat. Either of them.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Wildstar by Nidi62 · · Score: 3, Interesting

    It was actually a pretty fun game. Stopped playing it though because of hackers. Every time you tried to gather a resource a hacker would zoom in, immediately harvest it, and fly off. Just got too annoying.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Wildstar by Anonymous Coward · · Score: 0

      And its economy is fucked, by this arsehole alone.

    2. Re:Wildstar by Anonymous Coward · · Score: 0

      What the hell sort of "game" is this if a player has access to a debugger?

    3. Re:Wildstar by Anonymous Coward · · Score: 0

      I assumed it was something like gdb, or whatever the Windows equivalent is.

    4. Re:Wildstar by Anonymous Coward · · Score: 1

      I would say there is a point where hacking really becomes a responsibility of the developers of the game to address. Lineage 2, Darkfall, and many other MMOs bit the dust when the devs wouldn't deal with the spammers and hackers. (Lineage 2, you would get ganked before even fully loading as a new player, and Darkfall only banned people who complained about how crappy the game was.)

      It all started with Everquest, where at first with ShowEQ, it was a few people who discovered how to easily watch for mob spawns, then warp to get them, or get mob agro, warp to a rival player, let the train (group of mobs) kill the other person, and warp out. Then, guilds like Conquest formed whose whole premise was mechanic exploitation to get characters primed to be sold off at auction, this making news not just in EQ with the Sleeper, but in World of Warcraft as well, where all members of one guild were banned from multiple MMOs.

      SOE (now Daybreak) finally got their rear in gear, and started being proactive in stopping stuff, or at least mitigating the damage botting and stuff could do. Blizzard started doing their best as well, chasing the makers of WowGlider to the ends of the earth and eradicating them.

      tl;dr... Developers need to be active in stopping the hackers and cheaters, or else their MMO will quickly become a ghost town. Darkfall is a good example of what happens if you don't police your game.

    5. Re:Wildstar by Anonymous Coward · · Score: 0

      hex-rays is one possibility

    6. Re:Wildstar by vivian · · Score: 1

      So now instead of spending coding hours on adding interesting game play and content, the developers have to spend the time on making it hack proof with bank-level security. Even then, banks still get hacked - so having to add ever increasing levels of security to prevent hacks hurts the game performance and game play experience, and is still not a guarantee of success of preventing hacks.
      This makes the games less fun and more expensive for all players.

      The guy should be sued into oblivion or possibly even serve jail time for having ripped off so many players and companies from the game experience they have paid for, and the resulting economic damage they have caused the companies when dissatisfied players abandon the games.

    7. Re:Wildstar by umghhh · · Score: 1

      Seems like it was real life simulation or?

    8. Re:Wildstar by Anonymous Coward · · Score: 1

      So now instead of spending coding hours on adding interesting game play and content, the developers have to spend the time on making it hack proof with bank-level security.

      Yes. Otherwise you won't play the game, as others have said. It's why I quit playing GTA online. It was ridiculous when literally half the players were cheating in some way.

      The guy should be sued into oblivion or possibly even serve jail time for having ripped off so many players and companies from the game experience they have paid for

      LOL! Are you serious? You sound like the idiots that call me at work (webhosting company) about their wordpress site that got hacked by "TuRkiSH HaCKerZ" that ask if we can pursue legal action against them. I'm like, you want us (who don't care obviously) to sue an IP address in the Netherlands, that looks like a cPanel box which was undoubtedly hacked itself?

    9. Re:Wildstar by Riceballsan · · Score: 1

      Honestly if a team of one can do it... he's far from the only one... there's tens of thousands of them, and probably the majority are well outside the jurisdiction of what most companies can sue or track. The time and effort to take down enough exploiters to even make a dent in the game's playability, would much better be spent on actually making it harder for them to do.

    10. Re:Wildstar by vivian · · Score: 4, Insightful

      You have missed my point.
      Game developers do spend time and effort to make the game secure. However, security is a trade off - you want to have end to end encryption of the messages and in-memory encryption of all variables? That's going to cost you lots of extra CPU cycles and reduce your framerate.
      No software is hack proof - this has been demonstrated time and time again.
      This arsehole has boasted that he has spent 20 years doing nothing but hacking and ripping off other game players. If there are no repercussions for that, it's going to only encourage a lot more doing the same.
      This is not a victimless crime. It denies honest game players enjoyment of the game, it increases development costs substantially to have to devote resources to patching hackable flaws, and it most importantly deprives the game company of customers when they get disappointed in the game and leave.
      I have no problem with someone hacking a single player game and giving themselves a bazillion HP and max gold - it's only affecting their own game play. What I have a problem with is when they go on to ruin the game for other players, without penalty to them whatsoever.

      A car analogy: You lock your car and take reasonable precautions to secure it. If someone throws a brick through the window and steals it, you don't say "oh well - should have installed brick proof windows" - you expect that there are laws that will deter this behavior and prosecute the perps when they are caught.
      If someone boasted they have been tossing bricks through car windows for 20 years and living off the stolen cars, you'd expect some action to be taken against them.

    11. Re:Wildstar by LordWabbit2 · · Score: 1

      I would mod you up, you hit the nail right on the head. Loved your car analogy, very /.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  3. so what by Anonymous Coward · · Score: 1

    did he get 4/4/4/4 guardian jedi on swg before the village?
    no he didnt, he is a punk bitch

  4. Dumb to do a talk and interview by mattwarden · · Score: 4, Interesting

    Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview. Amazing what people will risk for a little fame.

    1. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 0

      What ethics? The guy's an arsehole.

    2. Re:Dumb to do a talk and interview by barc0001 · · Score: 4, Interesting

      I would speculate he's doing the talk because he's probably already made all the money he thinks he needs and is retiring from it. It's entirely possible that he is also a hypocrite who was troubled that what he was doing was possible, but not troubled enough to stop doing it for his own benefit but now that (speculated) he is comfortable enough to retire he wants to shine a spotlight on the practice to encourage the affected game companies to close off the holes and prevent anyone else from doing what he did.

    3. Re:Dumb to do a talk and interview by phantomfive · · Score: 1

      He's been banned over and over from multiple games. If he gets banned from a few more, he doesn't care.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 5, Insightful

      Almost certainly wrong. Humans don't work like that. Typically when someone decides to reveal their E-Z money secrets it's because it's dried up and now there's more to be gained from talking than the actual doing. Or it's total bullshit and never did work. A well known "motivational" speaker or two come to mind.

    5. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 0

      That MAY be true, but the people who are paying him to buy crap for dumb games are definitely arseholes.

    6. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 0

      Correct, we need to kill him.

    7. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 0

      Almost certainly wrong. Humans don't work like that. Typically when someone decides to reveal their E-Z money secrets it's because it's dried up and now there's more to be gained from talking than the actual doing. Or it's total bullshit and never did work. A well known "motivational" speaker or two come to mind.

      That "4-Hour Workweek" guy comes to mind, how much money did he actually have before publishing that book full of outlandish "life hacks"?

    8. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 0

      Or it's total bullshit and never did work. A well known "motivational" speaker or two come to mind.

      Jesus?

    9. Re:Dumb to do a talk and interview by barc0001 · · Score: 1

      > there's more to be gained from talking than the actual doing.

      Except DefCon is where he's talking and last I looked presenters don't really get paid. And he's planning on ghosting after the one talk so it's not like he's setting up a lecture circuit with this appearance, so I doubt that.

    10. Re:Dumb to do a talk and interview by avandesande · · Score: 3, Informative

      If you RTFA it says he is going legit.

      --
      love is just extroverted narcissism
    11. Re:Dumb to do a talk and interview by DerekLyons · · Score: 2

      Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview.

      0.o How? Do you think companies are going to magically start finally getting rid of the hackers? Or somehow suddenly become omni-competent at doing so?

    12. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 0

      Full? I just recall the one "get an indian slave" hack. Was there more?

    13. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 0

      I find something sad about making a living this way. I mean, a lot of people do jobs they don't like, but it seems like another mind wasting in the bottomless pit of gaming. Once upon a time, people with these smarts would have chosen the sciences or taken up industrial challenges. Too much brain power is being wasted on time-wasting. Smart technologies are making us dumber and more socially fragmented than ever. And easier to manage I suppose.

    14. Re:Dumb to do a talk and interview by parkinglot777 · · Score: 1

      Except DefCon is where he's talking and last I looked presenters don't really get paid. And he's planning on ghosting after the one talk so it's not like he's setting up a lecture circuit with this appearance, so I doubt that.

      I think you misunderstood the AC GP. It is about human nature. Why would he all of the sudden want to disclose the things he had been (illegally) doing for 20 years? There must be something changed in his life recently that makes him decide to come out to DefCon. If he is a bragger, he would have disclosed this long time ago because bragger can't resist to brag. Though, this isn't the case because he had kept the secret for 20 years (per what he said).

      Now he wants to brag about what he had been doing, so there should be something for him to be gained. It makes logical sense. The gain he is looking for (or seeing) may not be what you are thinking.

  5. "Gold mining" companies in Asia still around? by Anonymous Coward · · Score: 0

    They'd hire gamers to accumulate virtual steal, then sell it at a profit.

  6. Mind-numbingly boing by tgibson · · Score: 2

    There are so many software engineering jobs that offer more mental challenge, more reward in terms of mental stimulation. And when he gets older...I doubt he is even saving for retirement.

    1. Re:Mind-numbingly boing by James+Carnley · · Score: 4, Interesting

      Hacking is sort of like solving puzzles. You find the systems, analyze them, and look for loopholes and edge cases. It's mentally challenging and varied. Sure the hacks might follow a few standard techniques after a while but each specific instance is different and carries its own risks.

      I have a software engineering job that I would say is fairly challenging but I also do a whole bunch of grunt work and google pasting solutions for one off things. I wouldn't say my job is vastly better than his except for maybe the retirement plan. But even then if he got lucky he could out earn me quickly for finding a key exploit for a hot new game and milking it for a while.

    2. Re:Mind-numbingly boing by Anonymous Coward · · Score: 1

      Nope. It's the same crap you do at work (debugging, critical thinking, etc) with a much, much higher upside. Sure there are boring parts (e.g. purchasing items from the ill gotten funds) but I see no reason why this part can't be outsourced after the hard work is done.

    3. Re:Mind-numbingly boing by Anonymous Coward · · Score: 0

      Hacking against real targets for real monetary gain is "mind-numbingly boring". What an odd thing to say.

      Nonsense projection from a codemonkey in a cubicle.

    4. Re: Mind-numbingly boing by koomba · · Score: 1

      Yeah he could have definitely earned enough over 20 years to be able to save a sizeable enough amount to have some kind of "retirement" funds, if he was smart with his money.

      Because while he declined in the article to say how much he's made in total over the years, he does mention one specific revenue stream. He said that in Everquest, he's sold around 100 player houses-apparently a rare thing with a limit on how many can be owned-in all, with an average price of $200000. So 200k from one single game, even if it was over the full 20 years (it doesn't sound like it from the article) is 10k a year from just that game.

      He has been selling in most every big online game in the past 20 years, so if he did even half of what he did from EQ in other games, he was definitely making enough to have accumulated a pretty sizeable savings.

    5. Re: Mind-numbingly boing by koomba · · Score: 1

      Oh and also, you're definitely right about the potential for big bucks if he was doing it with whatever game was hottest at the time. I played WoW from launch until like 4 or 5 after, and during the heydays, good characters EASILY went for well over 1k, some closer to 2k. Not to mention gold farming was very profitable.

      Or like Diablo 2. Best in slot items for the closed, not widely hacked servers could sell for $150-200 easy, and there were a lot of them. It was definitely possible to make good money, if you were willing to stay dedicated to doing it, and following the crowds from hot game to hot game.

    6. Re:Mind-numbingly boing by Anonymous Coward · · Score: 0

      Perhaps he is lying. No risk there.

  7. ok by bigdavex · · Score: 1

    This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency.

    No shit, Sherlock.

    --
    -Dave
  8. Poster Child by duke_cheetah2003 · · Score: 4, Insightful

    ...For everything wrong with MMO's these days. This guy is it. Good job, you and your kind have ruined most MMO's for everyone to make a buck.

    The really sad part is they are destroying the very thing they're making money off.

    No one likes to play an MMO that's obviously been hacked numerous times and that game's internal economy has been completely wrecked by this behavior.

    1. Re:Poster Child by Anonymous Coward · · Score: 0

      I'd say the people buying the currency would be just as guilty of ruining the game.

    2. Re:Poster Child by Anonymous Coward · · Score: 5, Funny

      MMOs ruin more lives than crack so this man is doing gods work and your anger pleases me.

    3. Re:Poster Child by crafoo · · Score: 1

      He's providing a public service really. If the only thing attractive about an MMO is a fake-economy and/or the grind for equipment or resources it should die.

    4. Re:Poster Child by magarity · · Score: 4, Interesting

      "and that game's internal economy has been completely wrecked by this behavior"

      Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.

    5. Re:Poster Child by Anonymous Coward · · Score: 0

      Wrong.
      This guy is everything right.
      The people spending real money in pay to win games are the problem.

    6. Re:Poster Child by tlhIngan · · Score: 1

      Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.

      Why is the central service not doling out and approving money?

      If you get a dollar, or gold, or credit, it should be because the server handed it to you - for doing whatever you did to earn it.

      This sort of thing is supposed to be moderated by the server. If you do 10HP damage to an enemy, the server should tell you that you did 10HP damage and account for it properly. If the client said it did 100HP damage instead, the server ignores it and says 10HP damage was done. If the client says it has 18T gold, but the server says you have 10, then the server behaves like you have 10. Debuggers can do whatever the heck they want, but the truth is contained in the server.

      If you're trusting the client, you're hacked, period. There's no fixing stupid.

    7. Re:Poster Child by avandesande · · Score: 1

      How about blaming the game developers with the rotten security? If someone hacked into the federal reserve and was sending themselves money, would you blame the hackers for ruining money?

      --
      love is just extroverted narcissism
    8. Re:Poster Child by Cajun+Hell · · Score: 1

      If you're trusting the client, you're hacked, period.

      I think you've just explained how this guy does it. For every game, this guy gets on the dev team. He spends months, tirelessly persuading them to do it wrong. He doesn't shut up. Eventually, the other devs give in, often with the rationalization, "well, at least this'll fix the performance and scaling problems." H4XX K0MPL337!

      --
      "Believe me!" -- Donald Trump
    9. Re:Poster Child by Anonymous Coward · · Score: 0

      I think there was a facebook game called Lyonesse. Didn't require much time to play, maybe five minutes/day. Somebody hacked all the player stats, so that everyone had MAXINT points.

    10. Re:Poster Child by Anonymous Coward · · Score: 0

      would you blame the hackers for ruining money

      You mean counterfeiters? Yes I would blame them for ruining money.

    11. Re:Poster Child by Anonymous Coward · · Score: 0

      ...For everything wrong with MMO's these days. This guy is it. Good job, you and your kind have ruined most MMO's for everyone to make a buck.

      The really sad part is they are destroying the very thing they're making money off.

      No one likes to play an MMO that's obviously been hacked numerous times and that game's internal economy has been completely wrecked by this behavior.

      Ironic that you got modded up to +5 Insightful... ... for a comment which applies just as equally to the music industry and piracy-excuse-me-copyright-infringement-obligatory-roll-eyes... ...on a site where the overwhelming majority of comments actively engage in and vehemently defend the same activities that are ruining the music industry.

    12. Re: Poster Child by Anonymous Coward · · Score: 0

      They are a real bunch of arseholes.

  9. So, emulating James T. Kirk by Anonymous Coward · · Score: 1

    In defeating the Kobayashi Maru simulation.

  10. What a loser by Anonymous Coward · · Score: 0

    What a waste of a life. He should be designated a mandatory on-demand organ donor.

    1. Re:What a loser by Anonymous Coward · · Score: 0

      ...screamed the stable boy on an internet forum

  11. Abandoned by farble1670 · · Score: 1

    Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion

    Yes, and any game that doesn't have the most basic anti-cheat mechanisms in place to detect such a thing should be summarily abandoned by its player base.

  12. Something smells by aepervius · · Score: 1

    I can also make the client THINK it got from the server I got 18 quintillion gold, but normally for all sane MMO, the server does not trust the client, and all data are calculated server side then sent to the client. So you may change values in the client like appearing to have lot of gold with cheat engine, but the server still sees you as poor as Job. I seriously doubt a MMO as old as WildStar would still have such a flaw, as this is the first thing which gets exploited: trusted client data (in today's world usually limited to position, and thus speedhacked). I am extremely doubtful gold values are trusted. I think the interviewer got bamboozled.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Something smells by mentil · · Score: 1

      In Everquest, there was a brief bug where one bank somewhere in the world, exchanged iirc 10 coins for 1 coin of the next highest denomination, when the official exchange rate is supposed to be 100:1. A programmer forgot the exchange rate, and miscoded that bank. People took advantage of it until the developers figured out their mistake and fixed the bank.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    2. Re:Something smells by EndlessNameless · · Score: 3, Interesting

      Or maybe he sent a bunch of garbage to the server to trick it into thinking he ought to have 18 quintillion gold, and the client was subsequently updated to reflect that value.

      I seriously doubt he could sell in-game goods if he couldn't convince the server that he had them.

      To be clear, the idea that the game is accepting a gold value directly from the client is laughable. Everyone would be exploiting it if it were that simple. But any MMO is just a series of transactions between the client and the server, and their protocols and daemons can be exploited just like web servers.

      If anything, the games are probably more vulnerable because web servers typically use standard protocols and libraries, which are audited and tested by security professionals. I doubt the net code on a random MMO is tested seriously for anything more than latency and reliability.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re:Something smells by Anonymous Coward · · Score: 0

      I can also make the client THINK it got from the server I got 18 quintillion gold, but normally for all sane MMO, the server does not trust the client, and all data are calculated server side then sent to the client. So you may change values in the client like appearing to have lot of gold with cheat engine, but the server still sees you as poor as Job. I seriously doubt a MMO as old as WildStar would still have such a flaw, as this is the first thing which gets exploited: trusted client data (in today's world usually limited to position, and thus speedhacked). I am extremely doubtful gold values are trusted. I think the interviewer got bamboozled.

      All depends on how well they validate commands from the client. What happens if you tell the server that you want to sell a negative amount of some item? If the server doesn't care, you might end up wrapping your gold around to the gold cap, or you might end up being able to buy an unbound number of something, end up with a negative gold balance, then hand those items off to another character and sell them back.

    4. Re:Something smells by Kaenneth · · Score: 1

      EverQuest (1) is 10:1 from copper:silver:gold:plat, always has been.

    5. Re:Something smells by mentil · · Score: 1

      Blah, knew I was right the first time. I couldn't remember, or find a reference easily which specified.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  13. "Survived" is different than "become wealthy" by Anonymous Coward · · Score: 0

    so who gives a shit about some jackass grinding away with his poopsocks to "survive"?

  14. put the x dash square in the center.. by Anonymous Coward · · Score: 0

    can we still vote on that? 0% centerers? cease fire stand down,,, there's moms & babys in every town.. that's the spirit..

  15. Business Card: by Tablizer · · Score: 1

    "Cheatalogist"

  16. ..and why not? by mrthoughtful · · Score: 4, Insightful

    So there are loads of people who seem to find his exploits bad or wrong. But I think - great, go for it. Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award. The games companies are not much more than modern parasites - and 'Manfred' is merely a parasite's parasite.

    Who, actually, gets harmed. The gamers want the cash - he can supply it at market rates - and the publishers are already horrendously bloated and fattened on the continual streams of micropayments.

    Maybe because his name is a reference to the protagonist of Accelerando, but I, for one, am in favour of Manfred's profession.

    --
    This comment was written with the intention to opt out of advertising.
    1. Re:..and why not? by CannonballHead · · Score: 4, Insightful

      Who, actually, gets harmed

      Maybe now, but if you RTA, he started out by "deleting" people's houses in Ultima Online. That would be pretty frustrating if you were one of the people who owned the scarcely available and highly in-demand house.

    2. Re:..and why not? by Anonymous Coward · · Score: 0

      MMO's have always had the back and forth opinion on the idea you're wasting vast amounts of time for a meager reward. Both sides have a point.

      One side says it's just a game and you're wasting your life pretending to be someone else.

      The other side says if you're enjoying yourself then it's not wasted time.

      Personally, as I've gotten older I find it actually is a waste of time and your life. In high school I'd have argued the other way though. Maturity is crazy isn't it?

    3. Re:..and why not? by SlaveToTheGrind · · Score: 1

      Who, actually, gets harmed. . . . the publishers are already horrendously bloated and fattened on the continual streams of micropayments.

      Wow -- way to rationalize. There are an awful lot of people in the world who make a lot less money than you do. I take it you wouldn't have a problem with them helping themselves to some of yours since, in their eyes, you have way more than you need?

    4. Re:..and why not? by Anonymous Coward · · Score: 0

      He supplies cash to cheats, not gamers. Gamers play the game. And it's the game company and the gamers that are harmed.

    5. Re:..and why not? by phantomfive · · Score: 1

      Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award.

      Yeah, that's the whole reason a market for gold farmers exists in the first place. Because huge sections of the game are very, very boring.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:..and why not? by Anonymous Coward · · Score: 0

      Fuck you.

    7. Re:..and why not? by Crashmarik · · Score: 1

      He is actually doing less harm to the game than the publishers.

      The publishers put in sections that are designed to be painful enough to make you pay to avoid them. All he does is provide the means.

    8. Re:..and why not? by soccerisgod · · Score: 1

      Who, actually, gets harmed.

      Do you actually play MMOs? These guys tend to spam their gold sales any which way they can, flooding your inbox and every chat they can access. Pretty damn annoying.

      --
      If a train station is a place where a train stops, what's a workstation?
    9. Re:..and why not? by Anonymous Coward · · Score: 0

      I think it would be more of a wake-up call to take a look at your life and what you consider worthwhile.

  17. Stealing, not hacking... by Anonymous Coward · · Score: 0

    Hacking online games for a living is, say, pentesting, where you make money from finding the hack. What this guy is doing is hacking online games so he can steal from them. His livelihood isn't hacking. That's the enabler. What he is doing is simply theft. Compare to a house burglar. House burglars do not make their money by hacking doors, locks, and windows. That just gets them in the house. Their money is made by stealing and fencing the goods, just like this guy. The only real difference here is that he is unlikely to be shot in the act.

  18. Made $$... until he mentioned it. by wolfheart111 · · Score: 1

    It's sometimes tough to keep your mouth shut.

    --
    [($)]
  19. Survived 20 years hacking online games by Opportunist · · Score: 1

    Whether he makes it to 21st depends mostly on whether there are MMORPG players in the audience.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  21. Rule #1: Never Trust The Client by nsxdavid · · Score: 3, Interesting

    I'm amazed that software engineers work on online games and do not understand that you can never trust the client.

    I get that mistakes can be made, but this is generally a software design and architecture problem.

    Having said that, today we found a flaw in our server that let someone sneak in a number that caused an overflow in one of our APIs for our online mobile game. The net result was a huge positive value in virtual currency. Of course we found it because of rule #2: Make sure you have systems that detect anomalies on anything important. The easiest of which is something like virtual currency spikes, so that stood out like a sore thumb.

    Clever game hackers know to fly under the radar, but their impact (even if they get away with it) is therefore limited. But even then you can detect exploits with more mysterious mechanisms, which I will not name. :)

    --
    David Whatley
    1. Re:Rule #1: Never Trust The Client by Anonymous Coward · · Score: 1

      It's simple. Games are not security critical applications.
      Low latency is more important to attract lots of players than making an unhackable game.

    2. Re:Rule #1: Never Trust The Client by Calydor · · Score: 1

      The source of your paycheck should always be considered a security critical application.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:Rule #1: Never Trust The Client by Kaenneth · · Score: 4, Interesting

      Eh, I once played a dial-up days online game where you could bet currency for a 50/50 chance to return 1.8 times the currency.

      You couldn't bet more than you had.

      So I bet -10,000,000,000 and lost.

      Which meant I gained 10,000,000,000 currency.

      Which overflowed the currency counter.

      Which crashed the game instance.

      Which dumped me to a remote command prompt.

      Which allowed me to download the unencrypted user password file.

    4. Re:Rule #1: Never Trust The Client by Riceballsan · · Score: 1

      Not really... yeah low latency is great and all, but when talking an online game... the average price of goods on the market suddenly spiking to 500x the amount you can earn via legitimate gameplay, or losing forms of PVP due to players that can see through walls, or move 4x the speed the game allows, or are just plain immortal etc... will pretty quickly scare off any players it attracted. In single player games it's pretty easy to shrug off cheating, because it doesn't affect non-cheating players, but online games, cheating players will burn themselves out of the fun, only after they've chased away all legitimate players.

  22. Just wait for the IRS edit and maybe CFAA changes by Joe_Dragon · · Score: 1

    Just wait for the IRS edit and maybe CFAA changes. Each one can lead to hard fed time but at the doctors + room + board are free.

  23. This brings me back by subanark · · Score: 2

    Back in 2003 (or sometime before WoW) I was part of a hacking community that wrote RuneScape bots. I remember the day someone found an item dupe hack. This was actually the opposite, if you attempted to trade 0 of an item that wasn't stackable and you didn't actually have, your recipient would receive the item. Combine this with a spell that turned items into currency and you have a serious problem.

    Someone decided to be a complete idiot/ass and did their best to ruin the economy. The devs put a bounty of a lifetime premium subscription on anyone who could tell them of how the hack worked. The person who tried to ruin the economy was the first and only instance I know of that got an IP ban.

    1. Re:This brings me back by Anonymous Coward · · Score: 0

      The person who tried to ruin the economy was the first and only instance I know of that got an IP ban.

      An IP ban, really? How about a meaningful punishment?

      This one time I made a really dumb mistake and accidentally destroyed my own team's base. Got IP banned. Fired up a UDP proxy and joined the server again.

      IP ban? Please, get serious.

  24. Re:Just wait for the IRS edit and maybe CFAA chang by Anonymous Coward · · Score: 1

    As long as he reported the income then the IRS doesn't care about illegality.

    Taxation of illegal income

  25. Re:Never trust the client? by EndlessNameless · · Score: 3, Informative

    Why is anything in a MMO except maybe basic movement done client-side?

    Maybe movement and basic actions are all that is supposed to happen client-side.

    How is it that a debugger can affect the currency attached to an account?

    The client must interact with the server in some way to increment/decrement the currency in certain accounts. The server-side code that controls those interactions is probably riddled with security vulnerabilities. It's almost entirely custom code.

    Think of how often Apache/IIS/PHP/etc vulnerabilities are discovered, and then recall that these products have been hammered by security professionals for years. And, most of the time, those professionals disclose their findings to the developer---something which I doubt is happening with MMO developers.

    Shouldn't every transaction be started and logged serverside?

    Gold is not the basis of all transactions. Spells use resources, crafting professions use resources, and health pools fluctuate.

    Lots of things are happening 24/7, and it can be very difficult to determine what needs to be logged.

    You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease, would trigger an internal flag of some sort...

    I would expect that from a real-world bank. In a random MMO, they have no reason to bother unless there is a noticeable problem.

    In most MMOs, you can loot gold from dead NPCs, and you can spend gold to buy things from NPCs. You can often sell useless items to NPCs as well. In those cases, there are probably no accounts to send/receive money. The player's balance is simply credited/debited directly for the value of the transaction.

    If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.

    Banks have rigorous controls to detect this sort of thing, but no one is going to develop SOX-level controls on a whim. That level of auditing is seriously burdensome---in terms of both compute and personnel.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  26. Re: Never trust the client? by Anonymous Coward · · Score: 0

    You obviously have never tried breaking an MMO. Triple-A titles leave functions in client-side code for teleport, spawn, etc. (think Planetside, ARK, etc.) that not only break the gameplay, but make sure everything gets legally synced to server side. Most of the latest popular titles are so easy to break that doing it for fun gets boring in 20 minutes. The only way to get detected is to use exact same (heuristically) injected binary for 100k+ active clients.
    AV scene is bad... but anti-cheat scene is years behind AV scene.

  27. Re:Never trust the client? by Anonymous Coward · · Score: 0

    Because the latency will make the game unplayable.

  28. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  29. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  30. Re:Never trust the client? by Anonymous Coward · · Score: 0

    > You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease...

    Yeah, that'd be sensible. However, it's all too easy (and entirely reasonable!) to fail to see the need to create one-off accounts for things like NPC quests from which quest rewards are deducted. Much easier to have the money appear out of thin air. And once you have _one_ way money can be added to a player's account without the source being accounted for...

  31. Sheesh by Presence+Eternal · · Score: 1

    What's a sanity check? Must be part of some Lovecraft Mmo, no need for such things in my game.

  32. rofl by Anonymous Coward · · Score: 0

    let's not pretend, he's just a fucking WOW gold farmer lol...

  33. Re:Never trust the client? by Xyrus · · Score: 1

    Simple. Bad/lazy/desperate programming. Most game houses are sweatshops, especially the so-called "free-to-play" games. Pushing out the next big money maker is much more important than fixing/designing solid code. Something seems to be slowing the server down? Push it on the client. After all, how many people know how to...wait, how did that guy manage to get a gajillion gold?

    And it's not just the Asian trash MMOs either. Home grown MMOs have this problem as well. For example, Elder Scrolls Online at one point was hackable using the PC equivalent of a game genie. Talk about trivial.

    --
    ~X~
  34. Re:Never trust the client? by Skuld-Chan · · Score: 1

    He was probably exploiting some item dupe bug. Most MMOs are server apps that sit on relatively slow databases so a lot of caching is involved. The exploit fools the app server into depositing some amount into a bank while retaining your existing currency or whatever.

    Probably an easier way to handle this long term is simply run reports on how much currency people actually have in game and where it's going and close accounts based on that.
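
Added example, not part of the comments above and not any game's code: one way to run the balance report suggested here, using the source account for NPC rewards that an earlier comment in this thread describes, so that gold no ledger entry explains shows up. The account layout, the `MINT` system account, `MAX_TX` and all sample figures are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_ACCOUNTS 4
#define MAX_TX 1000000000000LL /* assumed ceiling for a single entry */
enum { MINT = 0 }; /* assumed system account: source of loot/rewards, sink for NPC shops */

typedef struct { int from, to; int64_t amount; } entry_t;

/* Constructed sample ledger: every balance change names both sides. */
static const entry_t LEDGER[] = {
    { MINT, 1, 500 }, /* quest reward to player 1 */
    { MINT, 2, 300 }, /* loot picked up by player 2 */
    { 1, 2, 200 },    /* player 1 pays player 2 */
    { 2, MINT, 50 },  /* player 2 buys from an NPC shop */
};
#define N_ENTRIES (sizeof LEDGER / sizeof LEDGER[0])

/* Constructed balances as the game database reports them;
   player 3 holds gold that no ledger entry explains. */
static const int64_t STORED[N_ACCOUNTS] = { -750, 300, 450, 9000000 };

/* Replay the ledger into derived[]; reject malformed entries and player overdrafts. */
static bool replay(const entry_t *l, size_t n, int64_t derived[N_ACCOUNTS]) {
    for (int i = 0; i < N_ACCOUNTS; i++) derived[i] = 0;
    for (size_t i = 0; i < n; i++) {
        const entry_t *e = &l[i];
        if (e->from < 0 || e->from >= N_ACCOUNTS) return false;
        if (e->to < 0 || e->to >= N_ACCOUNTS || e->to == e->from) return false;
        if (e->amount <= 0 || e->amount > MAX_TX) return false;
        if (e->from != MINT && derived[e->from] < e->amount) return false;
        derived[e->from] -= e->amount;
        derived[e->to] += e->amount;
    }
    return true;
}

/* List accounts whose stored balance differs from the replayed one; returns the count. */
static int reconcile(const int64_t stored[N_ACCOUNTS],
                     const int64_t derived[N_ACCOUNTS], int flagged[N_ACCOUNTS]) {
    int count = 0;
    for (int i = 0; i < N_ACCOUNTS; i++)
        if (stored[i] != derived[i]) flagged[count++] = i;
    return count;
}

/* With a mint account all balances sum to zero; any remainder is unbacked gold. */
static int64_t unbacked_total(const int64_t stored[N_ACCOUNTS]) {
    int64_t sum = 0;
    for (int i = 0; i < N_ACCOUNTS; i++) sum += stored[i];
    return sum;
}

int main(void) {
    int64_t derived[N_ACCOUNTS];
    int flagged[N_ACCOUNTS];
    if (!replay(LEDGER, N_ENTRIES, derived)) { puts("ledger rejected"); return 1; }
    int n = reconcile(STORED, derived, flagged);
    for (int i = 0; i < n; i++)
        printf("account %d: stored %lld, ledger says %lld\n", flagged[i],
               (long long)STORED[flagged[i]], (long long)derived[flagged[i]]);
    printf("unbacked gold: %lld\n", (long long)unbacked_total(STORED));
    return 0;
}
```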

  35. Re:Never trust the client? by fafalone · · Score: 1

    Well obviously things are different in the modern age, but I can share a story on this principle from the world of an ancient AOL game, CyberStrike. Your score was controlled server side, so modifying that in the client didn't do anything. But as a young teen, eventually I discovered that a variable that affected your score (multiplier) was indeed trusted from the client. Years and years into the game, the highest legitimate score was IIRC 800,000 something that took hours of play a day for like 5 years, but adjusting this multiplier allowed you to get arbitrarily high in seconds-- and you have to be careful, because around 2.4m it actually overflowed and the server said you had points in the negative millions, and you couldn't come back positive ever.
    Fun times, but it was certainly an oversight that this piece of score data unlike all others was trusted; your # of kills, shield level, upgrades, etc were server managed. I still remember that memory address two decades later... x45baf0:74b. If anyone here played it, you might recognize my username :)

  36. This is Vice. They put out anything. by Anonymous Coward · · Score: 0

    Vice is crap. So sensationalist. It is likely this guy can't do one thing he claims. He likely proved it by changing the memory values on his local client. I'd bet money Vice didn't really look into this guy's claims.

  37. "grey market" by Anonymous Coward · · Score: 0

    Real money trading is a black market by virtue of the fact that your account, character, and all of its possessions are property of the online game's owner. At no point are you granted actual property.

  38. Capitalism by The+Evil+Atheist · · Score: 1

    Capitalism at work.

    --
    Those who do not learn from commit history are doomed to regress it.
  39. one doesn't need a gun to be a criminal by Anonymous Coward · · Score: 0

    I hope that people do realize that the person is a criminal, he does not use a gun or a crowbar, but he does steal from others. Elevating such behavior to celebrity status is not the right thing to do.
    Someone posted that he is going legit now - is he also going to return all the stolen money? I doubt so.

  40. Re:Never trust the client? by parkinglot777 · · Score: 1

    If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.

    This point is a possible case. If he somehow edited the value of an item which could be sold back to an NPC, then the NPC will give the money to the client and this could be done on the client side. The information of selling and gaining money would then be sent to update on the server data.

    I agree with you that the server usually does not monitor every transaction from clients because it is an MMO. If a server has to verify every transaction, the game server could be easily overloaded which could cause lags and even crash. The optimization could be to verify at the login and only certain events/requests. Simple transactions with NPC are too common and/or frequent to be verified.

  41. Re:Never trust the client? by EndlessNameless · · Score: 1

    That sounds like he's just using something like Cheat Engine to change the clientside display

    If the developer is really stupid, then maybe this is the case.

    Or he could be using it to tamper with the client communication in order to exploit the underlying protocols.

    Given those two options, I assume the latter. My assumption ascribes the developers a modicum of competence, and therefore implies a greater degree of respect for the attacker's skill.

    It should be trivial to write the client to never really even understand transactions, just requests.

    I use the term transaction loosely, not necessarily in reference to SQL. I.e., a client submits an action, the server processes that action, and then server returns a status update to the client.

    Regardless of the underlying architecture, people have had trouble doing that for applications with real-world consequences. Do you seriously expect higher integrity from the MMO server?

    Maybe he just pulled up a debugger to just make a show for a clueless reporter, and that it wasn't the actual hack.

    This is possible, but he must be acquiring in-game goods and currency somehow. Legitimate acquisition is usually too slow to make a living, at least in the West.

    He refused to do the hack in front of camera, which could indicate he is a fraud. It could also indicate he is very smart, as I wouldn't do that on camera either.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  42. Re:Never trust the client? by apoc.famine · · Score: 1

    ...something which I doubt is happening with MMO developers.

    If the MMO is even paying developers any more, and if they have some bug reporting mechanism. Lots are largely abandonware, with a small core of players religiously still playing, trying to reach whatever goal they've set for themselves. Doesn't mean that those players wouldn't be willing to shell out some $$ to achieve that goal. And even if there are active developers, there's a good chance that they're being asked to develop more DLC/microtransaction stuff ahead of bug-fixes, because that's where the money is.

    --
    Velociraptor = Distiraptor / Timeraptor
  43. Stephen Bannon is Manfred by Anonymous Coward · · Score: 0

    See today's Washington Post's headlines. That is all.

  44. Re:Never trust the client? by Anonymous Coward · · Score: 0

    > Why is anything in a MMO except maybe basic movement done client-side?

    this sounds like he ends up having 2^64-1 coins, so I suppose he convinced the server that he had just spent / dropped / wasted all his coins + 1.
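
Added example, not part of any comment above and not code from any game: a server-side wallet in C showing the two integer bugs commenters describe in this thread, the negative bet that credits the loser and the overspend that wraps an unsigned balance to 2^64-1, next to checked versions. The wallet type, the function names and the `GOLD_CAP` limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical server-side wallet; all names here are illustrative. */
typedef struct { uint64_t gold; } wallet_t;
typedef enum { TX_OK, TX_BAD_AMOUNT, TX_INSUFFICIENT, TX_OVERFLOW } tx_result;
#define GOLD_CAP 1000000000000000ULL /* assumed per-account ceiling (1e15) */

/* Vulnerable: only the upper bound is checked, so a negative stake passes. */
static void bet_naive(wallet_t *w, int64_t stake, bool won) {
    if (stake > (int64_t)w->gold) return;
    if (won) w->gold += (uint64_t)(stake / 5 * 4);
    else     w->gold -= (uint64_t)stake; /* subtracting a negative credits the loser */
}

/* Vulnerable: unsigned subtraction wraps when cost exceeds the balance. */
static void spend_naive(wallet_t *w, uint64_t cost) { w->gold -= cost; }

/* Client-supplied amounts must be at least 1 and no larger than the cap. */
static bool valid_amount(int64_t a) { return a >= 1 && (uint64_t)a <= GOLD_CAP; }

static tx_result debit(wallet_t *w, int64_t amount) {
    if (!valid_amount(amount)) return TX_BAD_AMOUNT;
    if ((uint64_t)amount > w->gold) return TX_INSUFFICIENT;
    w->gold -= (uint64_t)amount;
    return TX_OK;
}

static tx_result credit(wallet_t *w, int64_t amount) {
    if (!valid_amount(amount)) return TX_BAD_AMOUNT;
    if (w->gold > GOLD_CAP || (uint64_t)amount > GOLD_CAP - w->gold) return TX_OVERFLOW;
    w->gold += (uint64_t)amount;
    return TX_OK;
}

/* Checked bet: works on a copy and commits only if every step succeeded. */
static tx_result bet_checked(wallet_t *w, int64_t stake, bool won) {
    wallet_t tmp = *w;
    tx_result r = debit(&tmp, stake);
    /* stake <= GOLD_CAP once debit succeeds, so stake * 9 fits in int64_t */
    if (r == TX_OK && won) r = credit(&tmp, stake * 9 / 5); /* 1.8x payout */
    if (r == TX_OK) *w = tmp;
    return r;
}

int main(void) {
    wallet_t a = { 100 }, b = { 5 }, c = { 100 };
    bet_naive(&a, -10000000000LL, false); /* lose a negative bet */
    spend_naive(&b, 6);                   /* spend balance + 1 */
    tx_result r = bet_checked(&c, -10000000000LL, false);
    printf("naive bet: %llu\nnaive spend: %llu\n",
           (unsigned long long)a.gold, (unsigned long long)b.gold);
    printf("checked bet: result %d, balance %llu\n", (int)r, (unsigned long long)c.gold);
    return 0;
}
```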