Verant Backs Down On Drive-Scanning
fastpage writes, "Verant, the people who bring you Everquest, are backing down on scanning users' computers for anything they want to prevent cheating."
Read the CNET story.
"I guess getting Web sites shut down to prevent the distribution of ShowEQ wasn't enough."
Why doesn't anyone blame the Operating System??? (Score:1)
Why not complain a little about not having an OS that will let you control things better, and do it easily, with safe defaults? Nobody should be able to "scan your HD" without your telling the OS to allow it, nor any other i/o or activity. It should not be a matter of nice companies refraining from doing it. It should be your absolute choice, enforced by an adequate OS.
Why not design the OS and installation procedures so that admin privileges aren't needed when they're not *really* needed? Why not make it easy to execute games and untrusted whatnot in an OS-provided sand box/quarantine/jail with something better than on/off resource usage/access privileges?
You can probably configure NT to do that, but how long will it take you to find the information and get from the default installation state to something you can believe is safe? (And since NT is closed, you have to believe what MS tells you about it, or be left wondering).
You can probably configure BSD to be about as safe as you can get, and maybe Linux too, but even in those the defaults are not as tight as they could be (how would you configure an account that you could log into as "gamer" to play something you didn't trust, and whose side activities you wanted to monitor? Easy if you know how? How about automating optional creation of such accounts, so all you had to worry about was choosing a password, instead of learning about groups or policies or other soporifics, when all you want to do is play safely).
Also, in general it seems that OS design does not yet deal very well with the difference between trusting someone technically with root privileges and trusting someone with business/personal information.
My .02USD. Gotta go.
Re:A quick note: (Score:1)
Say what???? (Score:1)
Anyway, I do take issue with your statement:
"(Moral of the story, folks: Possession of a public key authenticates NOTHING.)"
I dunno what cryptosystem you're talking about here, but this, in general, is not true... think about Diffie-Hellman signatures - you sign with a public key and verify with a private.
Of course, maybe you just meant that if your (private, symmetric) key is public, then you have no security. Which I think most 6th graders would realize - leave the key in the door, and you're screwed.
Let's get a few things straight here... (Score:1)
Data stream "encryption": There is a vast difference between merely masking data with a simple XOR and actually encrypting the stream. Do not confuse the two. Encryption in this case would be generally useless without an authentication scheme as well. For obvious reasons, Verant can't actually use decent encryption. However, they can play around and frequently shift masks via patches (as little as it has helped them so far).
The EULA has been changed to the point that if you want to keep receiving services (playing EQ) you consent to whatever snooping Verant deems appropriate to halt gameplay that is not "in the spirit of the game". Verant already has your genitalia in a tight little grip, so they can be as magnanimous as they want to be. Go ahead and get indignant - they have your name, address, credit card number and also the capability to scan your tasklist and see what's running.
And as for online games using various tricks to get around latency: you simply cannot get around the fact that extra data must be supplied to the client. John Carmack had a very long and informative
Re:Any Word on... (Score:1)
Seriously, moderate me down all you want, but WHAT happened? You can tell us, CmdrTaco.
Three sir! Three! (Score:1)
*holy music*
:)
oh yeah i forgot the *boom* (Score:1)
Good question (Score:1)
For non-precision games, it's pretty clear how to keep them from cheating, as their cheats are all about information. Don't send them anything you don't want them to know, and don't depend on any of their calculations.
For the precision games, I think the key is to stay ahead of the encryption curve. If you can generate keys (and patch them in) faster than the l33t h4x0rs can crack them, then you're secure. Fall behind just once, and you have problems. It's a heck of a problem to send a key to a cracked client without the cracker getting it.
Zipwow
Ask them to show you the "money"! (Score:1)
Ask them to show you the poll, the questions and the possible answers, as well as the point spread. Maybe the question was worded in a way such that it tries to avoid the possibility of privacy infringement. Even if a company doesn't give my info to private parties, I don't want companies using my checking computer resources to suit their internal purposes.
Besides, what vested interest does a gaming company have to actively stomp out cheats like this? Pursuing legal action against cheat software costs money. Does it cost more money than fixing the bugs in their own software?
I am also curious what they do to think that they can change the licencing whenever they want without telling you. At least that's my impression.
Note, I've never played this game. Now I'm glad I don't.
UOX Programmer *grin* (Score:1)
Yes, OSI's official UO servers have about 6 or 7 subservers (about to double, as they double the world) controlling specific pieces of the map.
The key difference between UO and EQ here is that EQ sends you position info for everything in your zone. UO sends you position info for all dynamic objects within about 20 tiles (for mobiles and dynamic items) and about 32 tiles (for multis (aka houses)). As almost all of that fits on screen, the advantage to looking at the information before it appears on screen is virtually zero.
As for the protocol, I've studied it in quite a bit of detail and have worked out all but a few parts which are simply uninteresting (to me) now. The few things which were present originally that would give an advantage have been removed. Examples: The server used to send information about people who were hidden / invisible (no longer). The server used to send the exact hp/max hp info for character (gone, now it sends max hp as 25, and hp scaled to that range).
Of course, they still have insanely inefficient messages present. For example, if you press the help button, the client sends a message that is an identifier byte, followed by 256 null bytes. (That's unimportant because it's used infrequently, you say? Take a look at how much is sent any time a character other than yourself walks / moves on your screen. A bunch of stuff that isn't likely to change every step...)
Yes, the key is to do everything important server side.
There was a linux version of UO. It simply isn't updated frequently. It's currently too old a version to use... It may be updated at some point though.
Jerrith (AR Schleicher)
ars@iag.net
I clicked on YES (Score:1)
The thing that I love about everquest is that your character becomes more and more "powerful". You can begin to possess items that are more rare and valuable.
It's the same thing that appealed to me with Zelda and Rygar on the Nintendo, except now there is the whole teamwork and social aspect thrown in.
There are items in the game that are worth hundreds of dollars on eBAY. It's a game. I play it to enjoy it, and when I stop enjoying it I put it down for a couple of days.
People who take advantage of the game (and people like me who aren't cheating or farming the items) will just ruin it for us. Verant, Sony, and Everquest are commercial entities. They exist to make money, and this was an economic decision and still is. If I, like many others, cease to have fun with the game because of this, I will stop playing, and Verant will stop getting our money.
I was one of the 83% who agreed with the scanning. I don't run ShowEQ, and I never would. I'm proud of what I have in the game, that I have earned it, and I didn't get things by cheating or having them given to me.
that joke was bait, friend (Score:1)
There is an Everquest server called Test where they make all of their modifications before patching them on the live servers. From what I understand, on this server, they have the spells for the next ten levels of the game that will be available once they release the expansion pack called Ruins of Kunark.
The JOKE was that they nerfed (massively weakened) a major spell for every casting class. Now the spells they nerfed were not actually available in the game. The only way you would know they had changed was if you were hacking the program files.
The average player didn't know (or care) about the joke until it was well over with.
I think you have overheard generalizations from the discussion boards and made a hasty uninformed decision. The Verant Everquest boards lack moderation, unlike Slashdot - Thank god!, and are filled with people trolling and being jackasses.
Re:that joke was bait, friend (Score:1)
I play on a production server and I misread/misunderstood the posts on the verant board.
However, unless I am mistaken this time around, there are only a couple of hundred people playing on the test server at a time and it is with the understanding that your character can be deleted at anytime, or other nasty things may happen.
Thanks for correcting me on that =)
Re:I clicked on YES (Score:1)
I'm more worried about my bank, college, prior places of employment, electric company, gas company, ad nauseam ... and the people who work there having access to my Social Security number and other personal information.
First of all they were scanning or talking about scanning my computer's memory, and I don't really care if they know that I am running ActiveSync or Norton's Antivirus.
Amazon.com already does this to me. I get email from them when an author has published something new, and I have purchased a book of theirs in the past. My recommended books get screwed up because I've bought presents for my nieces and nephews. As for the rest of what you said....
The scary thing is not that I would let them into my house, but that I may not have a choice. If they could convince a judge that I was breaking a law and come in with federal agents and warrant, how do I stop that? If there is something on my computer that I don't want someone else to see, I encrypt it. I doubt that would stop the government tho, especially after reading what's-his-names-book on the NSA. Absolutely! All we can do is hope democracy keeps it all in check.
Mock not the Masters! (Score:1)
Mock not the masters of our existence, they who have granted us this miraculous game! There are those who say they suck our essence, our very lives through this "game" of theirs, but we are willing servants to our lords!
[glares at the clock over her desk]
Move on, foul demon! Strike the five o'clock hour and free me from my torment! I am due in Lake Rathetear to deal with some giant skeletons, and will not take kindly to being delayed.
------------------
I'm one of those people who answered "no" to the question about drive scanning. I understand their motivation and have no problem with that, but their current hack-detection does not always work as planned - it concerns me when they automate banning of players, especially since there is no standard procedure for contesting a ban.
I'm also a die-hard evercrack junkie, and I think that the game (while having occasional flaws) is the best thing I've ever played on my computer. It was made by gamers to be what they wanted it to be... and they did an excellent job of it. As far as I'm concerned, it keeps improving. I think the idea of drive-scanning was a mistake, and I'm glad they decided against it. Frankly, they seem to be reasonable people who actually do listen to their player-base (no matter how much people whine that they don't) - and I have a lot of respect for them.
Leilah
(Taerma D'Estain, 26th Erudite Paladin of Quellious, serving the Blade of Enric [tsx.org], Brell Serilis [brellserilis.net])
Re:Verant and Drive Scanning (Score:1)
ANY COMPANY THAT WOULD EVEN THINK ABOUT SCANNING THEIR USERS' PROCESS LIST, REGISTRY OR HARD DRIVE, FOR ANY REASON WHATSOEVER, DESERVES TO GET TRASHED IN THE COURT OF PUBLIC OPINION.
This is a totally unacceptable solution to a problem that the game programmers brought upon themselves. If they weren't sending information that would give players an edge, they wouldn't have to worry about people "sniffing" it.
Violating a user's privacy is not an acceptable way to make up for incompetent coders.
________________________________
Re:Why is it that... (Score:1)
I heard the same report. The program was called MyZack (or something that sounds the same - this was radio, so I couldn't tell), and the guy explaining it was none other than Richard M. Smith. He's the privacy guru from Phar Lap who (among other things) exposed the Microsoft Word document IDs and the RealJukebox user information collecting.
Re:Problem with your "background" (Score:1)
Circa 1983-84, the Minnesota Educational Computing Consortium timesharing system running on a CDC Cyber machine had several interactive applications, including a persistent, multi-user RPG called Milieu and an interactive 'chat' system called XTalk.
While not the internet, it often supported 70-80 users from all over the state simultaneously. Back then, "cheating" consisted of managing to get access to a 120cps dialin account or being lucky enough to have a terminal with programmable function keys so that you could hit F1 and send a spell instead of having to type it.
Written entirely in Pascal, with perhaps some Compass glue, it was later ported as a science project to a Sage IV microcomputer as a high school project, and a VAX 11/780 at 3M's Science Research Labs where it lived a brief life as
I seem to remember variants appearing on local multiuser BBSs in the late 80s.
Why are the game accounts not checked on login? (Score:1)
I think that the real problem is ... (Score:1)
During a track meet, the race is to the finish line, along a specified path. They do not give the prize to the runner that takes a shortcut, that wasn't the contest. If you win by modifying an online game, what did you win? Certainly not the game everyone else was playing.
For those that say that the disparity in hardware and ping configurations force some to hack a game to get a "level playing field" I reply "NO!". I offer you an example. I play rugby. I am slow. My 350 pounds does not move as quickly as some(any) of the lighter players. In order for me to be a factor, I have to work harder. It means that when not playing the game, I must attempt to get faster. I cannot simply make the referee have everyone jog at my pace. What kind of game is that? Take away someone's advantage so that I can do better. It is more satisfying to find their weakness and exploit it and any and every opportunity that I can, as they run around me when afforded the chance, so must I drive them into the ground when I tackle them. For online gaming
I do not agree with companies policing hard disks, or processes, but would like to see some kind of referee system that makes sure all of the rules are abided to. It would be real nice if online games were like playground sports, where rules were agreed upon and no officiating was necessary because if a rule was broken it was well known and most of the time a result of bad luck on a hard play. If there is a disagreement, the dispute is settled quickly.
Re:This is capatalism at it's best [OT] (Score:1)
Re:This is capatalism at it's best [OT] (Score:1)
Re:Privacy Violation over EVERQUEST? (Score:1)
No, I wouldn't. They were implementing a change in policy that would affect users. The fact that some other users have already left is irrelevant, they were checking their userbase to see if they minded the intrusion. Regardless of what you, or the AC (BTW, my previous reference to AC was Asheron's Call, not Anonymous Coward), or even I think about the outcome, they asked the question to those that would be affected by the change. It was the contention that this was the wrong set of people to ask, and I have to ask, if not the people affected, then who should be asked?
-- Keith Moore
Re:Privacy Violation over EVERQUEST? (Score:1)
DESPITE this, they backed down, and the CTO put a letter on the eqnews that stated that it's just not a good idea, they made a mistake and were overzealous in protecting against cheaters.
I'm just waiting for the expansion pack, and could care less.... more EverCrack, more, MORE, MORE!!!! (Asheron's... shiver).
-- Keith Moore
Re:Patch the servers. (Score:1)
They have a lot of anti-cheating code (the patch program DOES monitor their own executable and data files), and I'm very glad that they have succeeded. I have been able to play for over 8 months without having a problem with cheaters, unlike Diablo, and Quake, and others.
When you logon to EverCrack you automatically get the latest version of the software, and optionally any new zones which have come out. (you just can't go there until you download it, but you can download it at your leisure during the day while you sleep, getting ready to play again that night. hehe).
-- Keith Moore
Re:Privacy Violation over EVERQUEST? (Score:1)
They were changing the future EULA, and EverCrack has been very forward about telling us of any changes to the software, including warning us about this proposed change. Quite honestly, if MS had come up with this idea, they would have just implemented it, not open it for discussion. (MS Update anyone?).
-- Keith Moore
Re:They were messing in the cookies files! (Score:1)
-- Keith Moore
Re:A quick note: (Score:1)
Also, what if you are trying to get a rare spawn, he finally spawns and some cheater casts a single spell doing 15000 dmg, and takes the item you were waiting for? Verant has done a lot to protect against KSing, but all that code would be useless at that point. Not to mention the cheaters will really screw up the spawn rates.
-- Keith Moore
Re:An alternate solution... (Score:1)
-- Keith Moore
Wait a minute, let's look at this again: (Score:1)
Now don't get me wrong. I *DO NOT* want Verant to do a nice slow scan of my hard drive to find all of my nice security utilities. But looking at my task list before I log on? They should let us know that they're doing it (in a dialog or something) and give us a chance to log off first, but overall I'm fine with that. Hell, I'll email em my task list if they want. If I can actually sit down after work for a few hours and enjoy my latest addiction without being harassed by teenagers with inferiority complexes, I'll give em my measurements and shoe size for Pete's sake.
The issue here is *NOT* that I want Big Brother snooping everywhere. Down with the RIAA, MPAA, UCITA, and all the other acronyms! The issue is simply that it's just a game. A game that *I* (along with just about every other customer of Verant) want to sit and enjoy in peace. We signed a contract. We're paying for this. We should get to have fun. That's key.
-Militant Elf (A PFY for a BOFH)
andrew-galvan@sos.uiowa.edu
(remove the sos for deliverable mail)
Re:Further progress in protecting online privacy (Score:1)
"Corporations" and other 'legal entities' are secondary to the Citizen (or at least, should be).
People do not exist to do what companies want, companies exist to do what people want.
OK, Invoking Godwin's Law here. . . (Score:1)
What was it that an old German preacher said ??
"First they came for the Communists, but I wasn't a Communist, and said nothing.
Then they came for the Trade Unionists, but I wasn't a Trade Unionist, and said nothing.
By the time they came for me, there was nobody left to say anything. . . "
They were messing in the cookies files! (Score:1)
the entire thread is at:
http://www.hackersquest.gomp.ch/ubb/Forum1/HTML
here is an excerpt from the lead post by "orionX"...
I have a program that monitors all file disk activity done through the windows kernel. When I read the new patch message, this piqued my curiosity and had to check what EQ was doing. They're going to scan me, I'm going to see what, well some of it anyway
Here's some odd lines.. I don't know much about this sort of thing, but maybe the more experienced can make something out of it. Of course it just might be crap that I'm making a big deal over when its nothing, but here goes
I added a * and how many lines I saw in a row for the certain command for when I saw many of the same line in a row. I did this so I didn't spam as much as I already am =)
Note: Some of the offsets/lengths changed for each of the consecutive read/seek commands but i didn't post the differences.
Eqgame FindOpen D:\EVERQUEST\MEMORY.TXT NOTFOUND
Eqgame Delete D:\EVERQUEST\MEMORY.TXT NOTFOUND
eq trying to dump memory contents to a text file then delete it? no biggie here if it is
Here comes the stuff that made me decide to post...
Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES SUCCESS GetAttributes *4 lines of this
Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\DESKTOP.INI SUCCESS GetAttributes
Eqgame Attributes C:\WINDOWS\COOKIES SUCCESS GetAttributes *2 lines
Eqgame Attributes C:\WINDOWS\HISTORY SUCCESS GetAttributes *5 lines
Eqgame Attributes C:\WINDOWS\HISTORY\DESKTOP.INI SUCCESS GetAttributes
Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5 SUCCESS GetAttributes
Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5 SUCCESS GetAttributes *3 lines
Eqgame Open C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE
Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines
Eqgame Close C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS CLOSE_FINAL
Eqgame Open C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE
Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines
Eqgame Attributes C:\WINDOWS\COOKIES SUCCESS GetAttributes
Eqgame Attributes C:\WINDOWS\COOKIES SUCCESS GetAttributes *3 lines
Eqgame Open C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE
Eqgame Attributes C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS Set Modify
Eqgame Seek C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines
Eqgame Close C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS CLOSE_FINAL
Eqgame Open C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE ENYNONE
Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5 SUCCESS GetAttributes *3 lines
Eqgame Open C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE
Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS Set Modify
Eqgame Seek C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines
Eqgame Close C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS CLOSE_FINAL
Eqgame Open C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE
Eqgame Seek C:\WINDOWS\HISTORY\HISTORY.IE5 INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines
Eqgame Read C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS Offset: 0 Length: 0 **20 LINES!!!
Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5 SUCCESS GetAttributes *3 lines
Eqgame Attributes C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\DESKTOP.INI SUCCESS GetAttributes
Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5 SUCCESS GetAttributes *3 lines
Eqgame Attributes C:\WINDOWS\HISTORY\HISTORY.IE5\DESKTOP.INI SUCCESS GetAttributes
Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *9 lines
then RIGHT after those
Eqgame Read C:\WINDOWS\SYSTEM\RASAPI32.DLL SUCCESS Offset: 131072 Length: 4096 *2 lines
Eqgame Read C:\WINDOWS\SYSTEM\TAPI32.DLL SUCCESS Offset: 106496 Length: 4096 - 2 lines
then randomly later on I keep seeing 3 lines of this here and there:
Eqgame Seek C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0
EQ reading internet history and cookie files?! What's up with that? If there's some useful info for an Internet game in the history/cookie folders then say it here, however tiny.. I don't want to start something huge, because this might mean nothing.
I use microslop IE explorer 5 if you didn't notice. Didn't try this with netscrape yet.
I started the file monitor right before I clicked the EULA agree button.
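The excerpt above can be tallied mechanically rather than by eye. The following is an added example, not part of the original post or thread: a small Python triage that parses lines in the layout the excerpt shows and counts, per process, what kind of access was made under the browser-data directories. The line layout, the `PRIVATE_DIRS` policy and the category names are assumptions of this sketch; the sample lines are copied from the excerpt.

```python
import re
from collections import Counter

# Assumed layout, inferred from the excerpt: process, operation, path, result, detail.
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<op>\S+)\s+(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<result>SUCCESS|NOTFOUND)\b\s*(?P<detail>.*)$"
)
# The poster's shorthand for repeated lines: "*3 lines", "**20 LINES!!!", "- 2 lines".
REPEAT_RE = re.compile(r"(?:\*+|-)\s*(\d+)\s+lines", re.IGNORECASE)
LENGTH_RE = re.compile(r"Length:\s*(\d+)")

# Hypothetical policy for this example: per-user browser data directories.
PRIVATE_DIRS = {
    r"C:\WINDOWS\COOKIES": "cookies",
    r"C:\WINDOWS\HISTORY": "history",
    r"C:\WINDOWS\TEMPORARY INTERNET FILES": "web-cache",
}

def under(path, root):
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root + "\\")

def parse_line(line):
    """Parse one monitor line; return None for the poster's commentary lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    rep = REPEAT_RE.search(ev["detail"])
    ev["count"] = int(rep.group(1)) if rep else 1
    ev["path"] = ev["path"].upper()  # Windows paths are case-insensitive
    return ev

def classify(ev):
    """Return (directory label, access kind) or None if the path is not private."""
    label = next((name for root, name in PRIVATE_DIRS.items()
                  if under(ev["path"], root)), None)
    if label is None:
        return None
    if ev["op"] == "Attributes" and "Set Modify" in ev["detail"]:
        return label, "modify"   # file attributes were changed
    if ev["op"] == "Open":
        return label, "open"     # a handle on the file was obtained
    length = LENGTH_RE.search(ev["detail"])
    if ev["op"] == "Read" and length and int(length.group(1)) > 0:
        return label, "read"     # bytes were actually requested
    return label, "touch"        # attribute probe, seek, or zero-length read

def summarize(lines):
    """Count successful accesses per (process, directory label, access kind)."""
    findings = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "SUCCESS":
            continue
        hit = classify(ev)
        if hit:
            findings[(ev["proc"].lower(), *hit)] += ev["count"]
    return findings

# Sample input: lines copied from the excerpt above, commentary line included.
SAMPLE = r"""
Eqgame FindOpen D:\EVERQUEST\MEMORY.TXT NOTFOUND
Eqgame Attributes C:\WINDOWS\COOKIES SUCCESS GetAttributes *2 lines
Eqgame Open C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS CREATENEW OPENEXISTING READWRITE DENYNONE
Eqgame Attributes C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS Set Modify
Eqgame Seek C:\WINDOWS\COOKIES\INDEX.DAT SUCCESS Beginning Offset: 0 / New offset: 0 *3 lines
then RIGHT after those
Eqgame Read C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT SUCCESS Offset: 0 Length: 0 **20 LINES!!!
Eqgame Read C:\WINDOWS\SYSTEM\RASAPI32.DLL SUCCESS Offset: 131072 Length: 4096 *2 lines
""".strip().splitlines()

if __name__ == "__main__":
    for (proc, label, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"{proc:8} {label:10} {kind:7} {n}")
```

A file monitor attributes I/O to the process, so accesses made by a system library loaded into that process appear under the same name. The tally shows what was touched and how, not which code inside the process did it or why.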
Re:I was marginally involved in developing ShowEQ (Score:1)
What kind of bullshit is this??? What you're doing is equating allowing a person into my house with allowing the [three letter agency of choice here] to install wire taps and surveillance cameras in the same?
I'm as much for privacy as the next guy, but you're committing the typical 'slippery slope' logical fallacy of assuming that innocent action A will lead to dubious action B will lead to totalitarian mind-control fascist government state Z at some point in the future. There are costs and benefits associated with every action, and in some cases the benefits outweigh the costs, depending. Online gaming is a great source of pleasure for a lot of people, providing fun and entertainment... if some fuckwit script kiddie downloads some tool that gives him unfair advantages over the rest of the online gaming community, this diminishes the sense of accomplishment for all the players that spent lots of time building up their characters through hard work and perseverance, which could in turn cause them to stop playing/let others know it's not a good game, which in turn again affects the bottom line of the company which looks at players as an income stream. The players were asked about this and a large majority agreed with the company. Just because I have the constitutional right to bear arms doesn't mean I have to go out and buy myself a 12-gauge or whatever, it's my decision whether or not I need to exercise those rights, and the same applies in this situation.
Having said that, I also have to note that this was probably not the ideal situation, and that something more akin to providing a more secure client/server channel would be a more optimal solution to the problem and hopefully one that will be given consideration by Verant. The problem is that as long as the 'cheating' remains unaddressed, the customers will be less satisfied and demand solutions, and implementing a secure communications protocol, including testing and debugging and optimization takes time, time during which there will be much bitching and moaning.
Anyways, to summarize, don't equate something petty like this with the End of Freedom In America, save your ire for something that's actually worth getting upset about.
----
Dave
Purity Of Essence
Maybe Slashdot got H4xx0R3d? (Score:2)
There's nothing wrong with this. (Score:2)
There's a time and a place for hysteria over invasions of privacy, but this isn't it folks. Verant were simply trying to prevent idiots and script kiddies from spoiling the game for legitimate players. Because of knee-jerk reactions from online-privacy zealots, the online game is going to be ruined for everyone.
Slashdot gets it all wrong again (Score:2)
GPLed client is possible (Score:2)
Zipwow's first corollary to that: "Never send anything to the client that you don't want them to know."
Why is the server sending the mob's hp and level to the client? If you're willing to spend the processes for it, you could also not send mob information about mobs that aren't currently visible to the client.
It's a harder job, but it's possible, and it keeps you honest.
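The server-side filtering described in this comment and in the Ultima Online post earlier in the thread, as an added example that is not code from either game or from any poster: a Python sketch that builds the update sent to one client, dropping hidden and out-of-range entities, scaling hp to a 0..25 range, omitting level, and refusing client-supplied moves the server cannot justify. The 20-tile radius and the 25-point hp scale are the figures from the UO post; the `Entity` fields, the square distance metric and the `max_step` rule are assumptions of the sketch.

```python
from dataclasses import dataclass

VIEW_RADIUS = 20  # tiles; the figure the UO post gives for mobiles and dynamic items
HP_SCALE = 25     # clients see hp on a 0..25 scale, as the UO post describes

@dataclass
class Entity:
    id: int
    x: int
    y: int
    hp: int
    max_hp: int
    level: int
    hidden: bool = False

def tile_distance(a, b):
    """Chebyshev distance, i.e. a square view window (an assumption of this sketch)."""
    return max(abs(a.x - b.x), abs(a.y - b.y))

def scaled_hp(e):
    """Map exact hp onto 0..HP_SCALE, rounding up so a living entity never shows 0."""
    if e.hp <= 0:
        return 0
    return max(1, -(-e.hp * HP_SCALE // e.max_hp))

def client_view(viewer, world):
    """Build what the server sends to one client: only what that player may know."""
    update = []
    for e in world:
        if e.id == viewer.id or e.hidden:
            continue  # hidden entities are never serialized at all
        if tile_distance(viewer, e) > VIEW_RADIUS:
            continue  # nothing outside the view radius leaves the server
        update.append({
            "id": e.id, "x": e.x, "y": e.y,
            "hp": scaled_hp(e), "max_hp": HP_SCALE,
            # exact hp, exact max_hp and level are deliberately omitted
        })
    return update

def accept_move(e, new_x, new_y, max_step=1):
    """Apply a client-requested move only if the server's own rule allows it.

    max_step is a hypothetical rule: at most one tile per request.
    """
    if max(abs(new_x - e.x), abs(new_y - e.y)) > max_step:
        return False
    e.x, e.y = new_x, new_y
    return True

# Constructed sample world for the example.
PLAYER = Entity(1, 100, 100, hp=80, max_hp=100, level=12)
WORLD = [
    PLAYER,
    Entity(2, 110, 95, hp=37, max_hp=120, level=14),                # visible
    Entity(3, 101, 100, hp=50, max_hp=50, level=30, hidden=True),   # hidden
    Entity(4, 130, 100, hp=900, max_hp=900, level=50),              # 30 tiles away
    Entity(5, 120, 120, hp=1, max_hp=1000, level=45),               # on the edge
]

if __name__ == "__main__":
    for record in client_view(PLAYER, WORLD):
        print(record)
```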
OK that wasn't fair. (Score:2)
> least MS can be assured to have considered
> cryptographic protections.
> Sure, they rejected 'em, but still
Cheap shot. (Yeah, I'm responding to my own post. I'm that wrong.)
Microsoft actually has done quite a bit of work with their Authenticode system giving people a means of digitally verifying their code, with a CA(Certificate Authority) backing up that signature. The keys are "only" 512 bit RSA, but that *will* stop the script kiddies.
I guess I was just expressing my annoyance that nothing's been done to handle login scripts--I've got to worry about every single desktop on campus going down to a single eight character password on our IT director's desktop because of it. Really, when it comes to validating executable content, MS has done quite a bit of good work in this regard that hasn't particularly been matched elsewhere(is there a way to sign ELF files in-band? What about RPMs, with a CA?)
Gotta remember, MS may have its technical flaws, but they do pull off some good stuff. It's their business department that's evil
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Say what???? (Score:2)
> here, but this, in general, is not true... think
> about Diffie-Hellman signatures - you sign with
> a public key and verify with a private.
I'm a bit rusty on the math(and late for class!), but if x and y are made public, it's always trivial to find g^xy mod n. However, when g^xy mod n is made public, it's exceedingly difficult to find x and y.
Incidentally, you don't have signatures with DH--ElGamal is the PK variant system.
Yes, I KNOW I mucked up the math. But what I basically did was say, "OK, I'll keep the public key under wraps and anyone who can encode a message using it can issue a command to these n machines." Unfortunately, if you took control of one of those n machines and reversed the private ElGamal key, you could then turn around and issue commands to the other n-1 boxes.
Critical failure. Yeouch.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:OK that wasn't fair. (Score:2)
> genuine Bogosoft code, if Bogosoft have added
> in code to upload your netscape history file to
> find out what you're browsing.
> While authentication is important, much more
> important is the ability to restrict programs
> from doing undesirable things. If you don't
> want a program from sending your registration
> information without asking, you should be able
> to lock that up so it can't.
This is essentially the trust assignment problem that you describe--you *do* trust a program to execute a function, but you *don't* trust it not to execute some other function. How do you isolate?
There's been some pretty effective sandboxing tools hacked together, but Microsoft and a couple thousand Slashdotters agree: Accountability dramatically reduces abuse, be it in privacy violation or in the WAVE program(but I repeat myself).
The concept--and it ain't a bad one--is Bogosoft won't last long under attack from a very pissed off FTC. Will ya look at that, it's an election year...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Cheating is fun! (Score:2)
Concerning inventory duplicators, etc., I still consider those innovative. Not the actual running of one that someone else created (script kiddie style). Actually hacking the binary and/or protocol and using all your skills to determine how to get what you want is just an alternative way of playing the same game.
logan
Re:Cheating is fun! (Score:2)
Your analogy to a football game is a poor one. Football is more of a test of athletic ability than mental ability. The shotgun is a physical threat and action that allows one to bypass one's opponents. I suppose my cheating rhetoric only applies to less athletic games, I suppose. A good cheat is the application of mental skill to bypass arbitrary obstacles imposed by the structure of the game itself, not your opponents.
logan
Problem with your "background" (Score:2)
I know this is tangential to the topic at hand, but neither Ultima Online nor Everquest "started" the MMORPG genre. They aren't even the first graphical MMORPGs.
Between 1993 and 1997, subscribers to online giant CIS and a little online system called AOL could play a text based, for profit, fantasy MMORPG called Gemstone III [gemstone.net]. After going flat-rate, AOL dumped it because far too many users connected for far too long to play Gemstone. Now Gemstone III players get along quite happily connecting directly via the internet. As far as I know, these were the first for-fee MMORPGs employing "gamemasters" to maintain the code, servers, and portray NPCs for the players. But there could have been even earlier ones, considering all the MU*s and MO*s out there... However, it was definitely the first to hit 1,000 simultaneously connected players. I was there. (And I was disgusted... I started playing when 30 players online was a huge crowd.)
Simutronics [play.net], the company who ran Gemstone, also offered several other games, all connected via gateways to several major online services. They're all still up and running, and quite fun, if you can harness enough of your imagination to abandon all the pretty graphics.
Then there was AOL's Neverwinter Nights [gamewolf.com]. (Okay, it wasn't AOL's - they just hosted it.) I know little about this game, except it looked very similar to SSI's old Pools of Radiance series of single-player games, and it was multiplayer, and graphical... and offered no client for my platform at the time. (If someone knows more about the old NWN, please chime in.) Of course, if you've been paying attention at all for the past 10 months, you know that NWN will soon be reborn as the first networked virtual tabletop-style roleplaying environment [bioware.com].
Although I'm sure most players of EverQuest and Ultima Online have never heard of Gemstone or DragonRealms, and believe Neverwinter Nights is a brand-new title, the only innovations in these games are the pretty graphics, and perhaps some interesting server-side hacks... but the genre is an old one.
Re:I clicked on YES (Score:2)
You should be ashamed of yourself for having so little concern about your own privacy. Since you have no problem allowing Verant to search your hard drive remotely, let's see how far you will go...
Would you agree to allow Verant to send people to search your computer in person?
Would you allow them to search your home for books and tools related to reverse engineering?
Would you allow them to search through a record of your recent purchases (looking for hacking-related products)?
Silly, you say, but once you start down that path, you can say goodbye to any privacy you think you have.
________________________________
Re:Counterstrike (Score:2)
Bad Mojo
Re:I was marginally involved in developing ShowEQ (Score:2)
And, IMHO, that's what is so scary - we are bringing up a generation that has no concept of the importance of the fundamental freedoms that they take for granted - and blithely give them up!
It's getting so bad anymore, that I'm wondering if those militia loons aren't at least partly right when they start slinging around quotes like "those who would give up freedom for safety will neither achieve nor deserve either" (paraphrased from Ben Franklin, I believe).
First it's "bad things" like cigarettes, then the "war on (some) drugs", then private guns (ask Amadou Diallo's widow about the police guns). Now it's privacy on the chopping block - how long until the freedoms of speech and expression are given up one slice at a time "for our own good" to a police state?
It's damned scary - generations of soldiers gave up normal life to preserve those rights, civil libertarians have stood up and put their necks out, and even hackers have contributed [by providing the tools to set information free and preserve basic anonymity --Thanks Whitfield Diffie and Phil Zimmermann!].
But now these online ignorant lumps give all that up because they have no values other than "get me my next l33t level in this game".
"EverCrack" indeed!
Re:Verant Reveals Its Hand (Score:2)
Their key is a 32-bit unsigned int.
Their algorithm is something like the following in a semi-C layout:
decode (uint *data, uint bufferlen, uint globalkey)
    tempkey = globalkey          /* running key, updated after every word */
    uint reg1, reg2
    uint shift1, shift2, add     /* constants; values not given here */
    uint blen = bufferlen/sizeof(uint)
    for(int i=0; i<blen; i++)
    {
        reg1 = *data
        reg1 = reg1 + tempkey
        reg2 = reg1 shift2       /* shift operator and direction not shown */
        reg1 = (reg2 | (reg1 shift1)) + add
        *data = reg1
        reg1 = reg1 shift1
        tempkey = tempkey + reg1 + add
        data++;
    }
I'm not sure I have the sequencing right and the shifts may vary, but that's it.
How would you break something like this?
Re:This is capatalism at it's best (Score:2)
--
Re:Privacy Violation over EVERQUEST? (Score:2)
This is why I switched to playing ActionQuake instead of standard Quake II. Who needs 90% of the map to be engulfed in rocket or grenade explosions at any given time?
Re:OK that wasn't fair. (Score:2)
By effective sandboxing, data tainting and appropriate logging of actions attempted. Something which is totally missing in Microsoft products, but is available in more secure OSs, such as those which have B & A level certification.
A few years ago, it seemed to me to be silly to have OS level protection to prevent data from being exported from the system, but as time goes on, it seems more and more reasonable. I guess in earlier times, it seemed silly to have file permissions, if you were logged onto the system you must have had the rights to access the data, right?
> The concept--and it ain't a bad one--is Bogosoft won't last long under attack from a very pissed off FTC. Will ya look at that, it's an election year...
Has there ever been any action taken against any company for privacy violations except by consumers objecting and boycotting?
Both eTrust and the various legal bodies such as the FTC seem to be useless. If a big company wants to collect your browser habits, your hardware or anything else it feels like, then no-one seems to want to stop them except their users.
Re:OK that wasn't fair. (Score:2)
Unfortunately, this isn't terribly useful.
The programs which are causing problems aren't generally altered versions of authentic releases, they're features added by the authors which do things which the user doesn't want them to do.
It doesn't matter if the program is 100% genuine Bogosoft code, if Bogosoft have added in code to upload your netscape history file to find out what you're browsing.
While authentication is important, much more important is the ability to restrict programs from doing undesirable things. If you don't want a program from sending your registration information without asking, you should be able to lock that up so it can't.
Opt in / Opt out? (Score:2)
So, why not take that a step further? Some people prize privacy above all else, while others are more interested in keeping playability and enjoyability maximized. Is there any reason that Verant can't set up some servers that scan for 'foreign objects in the ring' and others that leave everyone on the honor system?
That way we can decide on an individual basis whether to submit to these scans, rather than having a few privacy advocates or corporate goons dictating the One True Way to run the game. After all, no one person can always understand what I want from the gaming experience or what my privacy needs are.
Except possibly me.
These people screwed up. (Score:2)
If you design an online game, you can BET 3 things will happen..
1. People will try to spoof the server with hacked packets.
2. People will tinker with whatever files you leave on their hard drives, hoping to find a kink in the armor.
3. People will sniff the packets you send them, hoping to glean a little extra info.
This is BASIC stuff folks, and it sounds like they didn't even consider it from the outset. Now they're trying to cover their own inept engineering by blaming it on the players.
All they needed to do is talk to a few MUD administrators. Any one of us could have told them that some players will do ANYTHING to gain an advantage. We deal with it by plugging the holes, not by blaming the players. It's their JOB to poke at the code to find the holes.
Change to EULA wouldn't have helped anyways (Score:2)
What they wanted to get stopped was ShowEQ, which is a basic packet sniffer to give a radar of the current game world.
The problem is that ShowEQ is originally programmed to run on a second Linux box with a Windows box running the EQ client/game. There is a Windows version but this would not have stopped ShowEQ usage. It just would have given more advanced users a bigger unfair advantage. The change in the EULA wouldn't have helped unless they were going to scan every machine on a local lan.
Perhaps they should have started by not sending so much information in their transmissions. It's called better programming.
Re:that was joke was bait, friend (Score:2)
It wasn't just the *evil, nasty hackers* that were hit by the "april fools joke". Anyone who played on the test server was hit.
What exactly is everquest and isn't this... (Score:2)
Couldn't you create say a random mirror image of a "clean" hd each time a call was made from the program to look at the hd?
Need to fix the protocol (Score:2)
I guess with the slow bandwidth issues, it might turn out to be almost impossible to implement certain kinds of effects w/o some cooperative processing from the client.
Sounds like a management call (Score:2)
Maybe if they port it to Linux one day (And I get my @#!@#% AGP working on my biostar athlon motherboard) I'll check it out. *shrug*
Too bad... (Score:2)
It's also too bad that people feel the need to cheat at something that's supposed to just be a game you play for fun, but that's another story, I suppose.
But scanning people's hard drives doesn't seem like a very good solution to me. In fact doing it for something that is, in the long run, completely trivial makes me nervous.
Re:I was marginally involved in developing ShowEQ (Score:2)
Cheats vs. Exploits (Score:2)
Cheats, on the other hand, involve some kind of external manipulation or modification of the game. I don't think this should be allowed, as it tends to create an uneven playing field. In the case of exploits, anyone who is clever enough to figure out the exploit (or knows about the exploit through word of mouth) can take advantage; in the case of cheats, only those who are willing to download and install the latest unauthorized hack can gain the upper hand.
One gray area comes to mind: "cheat codes". Although cheat codes are built into the game, and might thus technically be considered exploits, I don't think they should be used -- unless all participants are aware that the codes are available and can be used, and all participants want the codes available.
Should "cheat codes" be considered exploits or cheats? Well, consider their origin. In most cases, they are simply debugging aids that are left in the final game out of laziness -- or just for the hell of it.
Cheat codes are intended to be used for debugging, and not during actual gameplay; they can be seen as "external" to the game itself. In this light, a "cheat code" is really nothing more than a "trainer" that happens to be conveniently built into the game. This puts cheat codes squarely in the category of "cheats". In my book, cheats are almost always something to stay away from -- if only because they tend to ruin the fun.
Re:Privacy Violation over EVERQUEST? (Score:2)
"current everquest users. the users
who dont mind having their hard
drives being raped. the people
who care about their privacy left
already."
Try reading the post next time before getting all indignant. He was simply stating that USERS who cared about privacy had left already. I'd say that was a pretty valid argument, wouldn't you?
Unbelievable (Score:2)
Re:There's nothing wrong with this. (Score:2)
No, they are not justified. I play EQ as well. I don't use the cheats and I hadn't really heard of them till this debacle. I don't know what Verant is looking for and I don't give them permission to go through my system. Would a company try to abuse my rights with this? Of course. They should make a client that makes it pretty damn hard to create a hack for. Scanning people's hard drives for cracks that are going to change all the time will do nothing.
There's a time and a place for hysteria over invasions of privacy, but this isn't it folks. Verant were simply trying to prevent idiots and script kiddies from spoiling the game for legitimate players.
The ends do not justify the means. I don't see the game getting ruined by cheaters. I see the game getting ruined by the fact that you are only as good as your equipment, and that there are not enough things to fight for a large number of players resulting in people waiting for hours on end for something to fight, or just logging off out of frustration.
Molog
So Linus, what are we doing tonight?
Re:Further progress in protecting online privacy (Score:2)
The reason for this is probably twofold.
1. The community of users is much more reactive than the communities that represent consumers of other goods and services provided by major corporations, and is therefore prepared to make a loud fuss, in a semi-concerted way, and to use their buying decision collectively to hurt large corporations in the short term.
2. There are a large number of alternative suppliers of internet-related services, and given point 1, they have noticed that they can steal market share from competitors quite fast if they can stylize themselves as the "supplier that respects your privacy".
Another point is that companies do not exist to do what people want. Companies exist to maximize shareholder value, and in a perfect free market where Adam Smith's "Invisible hand" works as it should, that equates to supplying the goods and services in a competitive and efficient manner, such that consumers needs are satisfied to the maximum extent that they can be given limited resources. Market failure (monopoly power, certain types of goods, "non-rational" behaviour etc) means that this sometimes fails to happen, which is the economists' argument for government intervention. If companies existed solely to do what people want, we wouldn't need to call them to order like this all the time.
Re:Verant and Drive Scanning (Score:2)
#2 They have been far less than admirable about this. Publicly insulting people who raised privacy concerns.
I've said it before and I'll say it again: They overreached. Instead of saying we were wrong they say "A bunch of hackers, crackers and paranoids caused us to change our mind"
Carmack's discussion of this was better (Score:2)
They already do. (Score:2)
Compare this to steroid use in sport (Score:2)
In higher level competition, their bags are examined, they give urine and sometimes blood samples.
This isn't a violation of privacy since the athletes are *informed* that they will be held under scrutiny.
Obviously the comparison between professional level sports and an online game isn't perfectly natural.
What about a user moderation feature? People who obviously abuse the system can be labelled as such. They are free to play the game, just not with people who don't want to cheat.
Hmmm, the implementation would be difficult, and it would take a critical mass of players who moderated fairly (IE, not labelling someone a cheater just because they don't get along).
Just my ramblings...
Greg
Patch the servers. (Score:2)
Blizzard did that a lot with Starcraft and their Battle.net servers. Every time a new hack/cheat came out for Starcraft, they patched the program and any user that wanted to use their servers had to have the latest version to play online. It won't completely protect you from cheaters, but it's not an invasion of privacy...
kwsNI
Side note. (Score:2)
I just wanted to say there is, in reality, very little competition in EQ. Many people have a perceived competition, I know I did for a while. There is, rarely, any race for anything. If you don't get something today, it will be there tomorrow.
Yes, there can be a group of people that want to be competitive with each other, and that's fine, but it doesn't affect other players.
My point is, someone can come out with a cheat tomorrow that allowed one to be lvl 50 (current max, kinda), have a 200 in every skill, and give them a googolplex of money. That won't affect my playing at all.
Re:I was marginally involved in developing ShowEQ (Score:2)
My younger brother, who plays EQ and Asheron's Call and others, frequently belts out long rants about how irritating these "mini-hacks" are to him. He considers them cheating.
What I'm getting at is, most people who object to ShowEQ (and the rest of the suite) and agreed to HD scanning feel so strongly about online cheating that they'll give up their HD's privacy for an equal chance at EverQuest.
***JUMP PAD ACTIVATION INITIATION START***
***TRANSPORT WHEN READY***
Re:I was marginally involved in developing ShowEQ (Score:2)
Re:Doubleclick,the Feds and Verant (Score:2)
Example: The NSA should invest in codebreaking technology. It's part of their mandate. But we shouldn't have to hand over keys, to obviate the need for the codebreaking tech.
Why is it that... (Score:2)
For instance: yesterday on NPR [npr.org] (scroll down for RA of story) there was a story on Internet privacy and it featured a new piece of software (name escapes me now) that basically configured your browser to run through a proxy server so that all your traffic could be scanned. Why this software company is still in business after effectively instituting a wire tap (just on digital information on port 80), I don't know. Though, their EULA does mention that your traffic will be monitored, I can't believe that people actually use their software.
This goes way beyond using cookies to track usage (hell, we have Nielsen ratings for TV that do something very similar). I applaud the efforts of the userbase of Verant of taking notice and effecting change through economical means. Now, if only everyone would not use invasive products, all companies with invasive software would go out of business.
Straight from the Sources (Score:2)
First, here's a letter from Verant CEO John Smedley regarding the new policies and security checks announced. (From EQ Vault [ign.com])
Ok. We put the poll in, and with roughly 15,000 people participating the poll came up with 83% of the people being fine with us running the check for cheating.
DESPITE THIS POLL we have decided that it's the wrong thing to do. Enough people have convinced us that it's chipping away a little too much at people's privacy EVEN if they do consent for us to implement this policy.
Therefore, the change to the EULA will read as follows:
Solely for the purpose of patching and updating the Game, you hereby grant us permission to (i) upload Game file information from the Everquest directory and (ii) download Game files to you.
Now, before anyone wonders exactly what this is, let me explain. Technically speaking we probably should have had this language in there from day one for you to consent us to even download new game files to you in the first place. We apologize for not realizing that we should have gotten this consent, but live and learn.
We can admit when we make mistakes, and I believe this is a case where we owe an apology to our Player base. In our haste to try and thwart people from damaging the game we went overboard.
There will be absolutely no scanning of anyone's computer for any reason other than the normal patching process (which won't do any sort of checking on what you have running).
Regards,
John Smedley
President and CEO
Verant Interactive, Inc.
So to summarize, Verant apologized for their planned policy even though 83% of their player base supported it because they realized it was wrong to scan their computers. They even apologized for not stating previously in their EULA that they scanned and downloaded information to their users for patching (which all online games do).
Here's a posting from the EverQuest Message Boards [sony.com] by Gordon Wrinn, the Verant Customer Service Rep, in reply to a comment by a player.
[In Reply To: Scanning my tasklist for hack programs is not that big of a deal and if it gets rid of the hackers anyway, I say go for it. IMO it is not an invasion of privacy to do this. I give out more information, personal information, every time I use my credit card at the store ]
Unfortunately it is a case where paranoia ended up winning out. I think that we could definitely have done a better job explaining what it was we were doing, and that would have led to a bit more buy-in. Instead, some people decided to make up reports that we were scanning directory trees (false), internet files (false), internet history (false), cookies (false), and email (false), and unfortunately many people believed them.
The general paranoia resulted from the assumption that we (meaning: our servers) were actively collecting information from your system. This simply wasn't the case. The client simply would examine a small subset of information on your system, none of it containing information personally identifiable to a third party, and only send it to our server in the event that you were "running" an illegal program at the same time you ran EQ. We had absolutely no interest in what was installed on your system, only what you were running when you connected to ours.
I think privacy is important as well, but I don't really care about what a piece of client software is doing on my system. I only care when that piece of client software is transmitting information from my system to an outside source. In this case, the only time any data transmission was to take place was when something bad was found by the client. There was to be no server-side analysis of raw data. I'm sure that most people would agree that we do have a right to insure that our software license is being complied with.
In any case, I guess it's water under the bridge now. I'll blame Hollywood for all of the misunderstandings.
-Gordon
While I don't agree with all his views, I do see where he's coming from. His viewpoint reflects the majority of EQ players.
Hope that cleared a few things up.
"A person reveals his character by nothing so clearly as the joke he resents."
Re:There's nothing wrong with this. (Score:2)
Re:I was marginally involved in developing ShowEQ (Score:2)
All I know is that I'll never be able to look at the other people on the bus the same way again.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
The real issues (Score:2)
Now Mr. Smedley claimed that no hard disk scanning would be done but as you can tell from the wording just about anything is fair game.
More disturbing is Mr. Smedley's admission that scanning and reporting was already being done. Supposedly only the task list was being scanned for an unknown list of running tasks and if one or more of them were running this information was reported back to Verant. This is disturbing because it clearly violates California Penal Code (section 502). (read the law here [ca.gov])
Given the unauthorised scanning that took place before the proposed change to the EULA (which I think we all can agree that unilateral EULA changes are probably unenforceable, moreso than EULAs in general =), it was pretty hard to believe them.
Verant is now in a position to be pursued for criminal prosecution and is also open for civil action according to 502. It will be interesting to watch this develop further.
Verant's Poll (Score:2)
a) That's 83% of the 15,000 who logged in while the poll was up. There are 200,000 active accounts.
b) The poll was up during the day. That means they were polling children; the adults were all at work. It's pretty safe to say that most of those polled have no real appreciation of the implications of their ''yes'' answer.
c) The poll did not even include the proposed EULA modification; it asked if people ''were comfortable with Verant scanning users' machines to find hacking programs'' That sounds a whole lot less objectionable than what the mod proposed.
The very fact that they even considered such a move indicates that they have Lost It Completely. The fortress mentality has taken over.
Cheating is fun! (Score:3)
logan
Re:Verant and Drive Scanning (Score:3)
Perhaps "incompetent management" would be a better description. Being part of the computer industry I've seen many cases where the engineers and coders want to do "the right thing", but management decides that they should do "the lazy thing" because it costs less or takes less time.
Latency is a part of internet games. It is and always will be. Giving clients extra information in an attempt to hide it is just asking for trouble. In general a game client really should just be a dumb terminal, periodically receiving state updates from a server, and never being trusted. The problem of client trust is way beyond the scope of this slashdot article, but for the purposes of a game, the basic idea is that "The Client Can Never Be Trusted".
When you assume a client is trustworthy, for whatever reason (trying to reduce the appearance of lag) you open yourself up to cheating. This is a choice Verant made when they developed the game, and one they should now accept and deal with.
________________________________
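The "dumb terminal" design argued for in the comment above, as an added example that is not part of the original post and is not Verant's or ShowEQ's code: the server sends each client only nearby entities with drawable fields, and treats a reported position as a request to validate. The class and function names, the view radius, the step limit and the sample zone are all assumptions constructed for illustration.

```python
# Added example: constructed data and hypothetical names, not code from any game.
import math
from dataclasses import dataclass, asdict

VIEW_RADIUS = 50.0   # assumption: how far a character can perceive, in world units
MAX_STEP = 10.0      # assumption: farthest a character may legally move per tick


@dataclass
class Entity:
    eid: int
    kind: str
    x: float
    y: float
    hp: int = 100        # server-side detail the client does not need
    loot: tuple = ()     # server-side detail the client does not need


class Zone:
    """Authoritative zone state. Clients only ever see filtered snapshots."""

    def __init__(self, entities):
        self.entities = {e.eid: e for e in entities}

    def broadcast_everything(self):
        """The design the thread criticises: every client gets the full zone."""
        return [asdict(e) for e in sorted(self.entities.values(), key=lambda e: e.eid)]

    def snapshot_for(self, viewer_id):
        """Send only entities in perception range, and only drawable fields."""
        viewer = self.entities[viewer_id]
        visible = []
        for e in sorted(self.entities.values(), key=lambda e: e.eid):
            if e.eid == viewer_id:
                continue
            if math.hypot(e.x - viewer.x, e.y - viewer.y) <= VIEW_RADIUS:
                visible.append({"eid": e.eid, "kind": e.kind, "x": e.x, "y": e.y})
        return visible

    def apply_move(self, eid, new_x, new_y):
        """Treat a reported position as a request; the server decides."""
        e = self.entities[eid]
        if not (math.isfinite(new_x) and math.isfinite(new_y)):
            return False
        if math.hypot(new_x - e.x, new_y - e.y) > MAX_STEP:
            return False          # impossible jump: server state is unchanged
        e.x, e.y = new_x, new_y
        return True


def demo_zone():
    """Constructed sample zone: one player, one nearby mob, one distant rare spawn."""
    return Zone([
        Entity(1, "player", 0.0, 0.0),
        Entity(2, "gnoll", 30.0, 30.0, hp=40),
        Entity(3, "rare_spawn", 400.0, 120.0, hp=900, loot=("rare_item",)),
    ])


def leaked_fields(full, filtered):
    """Count (entity, field) pairs present in `full` but absent from `filtered`."""
    seen = {(row["eid"], k) for row in filtered for k in row}
    return sum(1 for row in full for k in row if (row["eid"], k) not in seen)


if __name__ == "__main__":
    zone = demo_zone()
    full = zone.broadcast_everything()
    mine = zone.snapshot_for(1)
    print("full broadcast rows:", len(full), "filtered rows:", len(mine))
    print("fields no longer on the wire:", leaked_fields(full, mine))
    print("legal move accepted:", zone.apply_move(1, 3.0, 4.0))
    print("impossible jump accepted:", zone.apply_move(1, 400.0, 120.0))
```

With the filtered snapshot, a packet capture on the client's network holds nothing the player's own screen could not already show, so there is nothing for a client-side scan to protect.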
Re:A quick note: (Score:3)
But the change in the EULA would allow them to do this. With no legal restrictions, no matter what they said.
>The Verant Management has maintained a very open line of communication with their customer base,
Really? They had an "April Fools" joke recently which caused an outrage from its customers, mainly because they didn't TRUST Verant that it was a joke.
>a mandatory poll of the users asking them about allowing Verant to scan for cheating programs
There was nothing mandatory about it. The poll was only created because so many people were outraged because of it.
>(80+% agreed with the scanning).
Which question? There were two forms of questions during the poll. The first being something like "Do you agree that Verant should stop hacking programs?" Don't you think that's a bit biased?
>I'm at a loss to think of a better resolution to deal with people acting like scumbags.
As I mentioned in another post, what they wanted to get rid of is ShowEQ. They can limit its functionality greatly just by not sending so much irrelevant information.
Devil's Advocate (Score:3)
Capitalism at work is keeping your customers happy. If they're happy, they'll keep coming back to buy your product.
When Verant announced they were going to scan your tasklist for cheat programs, they also put a poll in at the login screen, stating something to the nature of "Do you have a problem with Verant checking for cheat programs when you run EQ?"
That's right - they *ask* their users for their opinions.
And *despite* the fact that 83% (out of 15000) responded they were fine with running a check for cheating, *Verant decided not to do it*. Why?
Because enough people had stated they felt it was chipping too much into their privacy.
But the worst part is that people decided to make up ways Verant was checking for these hack/cheating programs... for example, scanning directory trees (false), internet files (false), internet history (false), cookies (false), and email (false).
What was the check supposed to do? "The client simply would examine a small subset of information on your system, none of it containing information personally identifiable to a third party, and only send it to our server in the event that you were "running" an illegal program at the same time you ran EQ." I'm assuming here "illegal program" means a program designed to give a user an advantage over other users in EQ.
I understand some people would say this is an invasion of privacy. Some of those people are honestly worried about the continuous breach in our privacy in general. I'm willing to bet that the majority of people who cried "Foul!" were worried they wouldn't get to use their cheat programs anymore.
Or, they were the people who find a reason to scream "SEE! Capitalism at work! Invasion of privacy! Invasion of privacy!" when it isn't justified.
This post is way too long already, but I've got more to say on the issue. If you disagree, or agree, post and we'll talk.
The information I used in this post can be found at EQ Stratics [stratics.com] or The EQ Vault [eqvault.com].
lw
Is Everyone At Fault? (Score:3)
In another sense, Verant and EQ are trying to act in the best interest of the game. How many people will continue to play a game of Chess against a person who is blatantly cheating? EQ should probably be no different. I want them to actively keep the game from descending into a hacker's paradise.
Is it the players who are at fault for trying such junk in the first place? And please don't quote me "the players pay have a right to do what they want" because that isn't true. By agreeing to play any game, you agree to follow a certain framework of rules. If a cheater is playing someone in a game of real world Chess and the cheater is caught cheating, they really have no defense. EQ should be no different. The "neutral tool" argument doesn't really work here either (i.e. 'hammer is a tool that does some good things and bad things...do we outlaw hammers?'). ShowEQ isn't a generic tool that has other applications. It was designed for one purpose and one purpose only. If ShowEQ was designed for "academic reason" that is one thing but I have a hard time believing so many people are interested in ShowEQ because it teaches useful programming skills.
In another sense, players should push Verant and the EQ Architecture to the limit. The only way the game will get better is if the players push on Verant to improve it. As mentioned before, the fact that you can listen to packets flying by and find out extra information indicates a weakness in their design. It should be pointed out that one of the useful things that came out of ShowEQ is that it was shown that redundant information was coming back from the server. Verant did take note and said they would do something about it (although I'm unclear whether or not they actually fixed it. ^_^). How can the players do this without actually figuring out how some of the game works?
IMHO, both sides blew this way out of proportion. Verant didn't think things through when they wanted to stop players from packet listening and came up with the wrong solution. Instead of wasting time and effort into figuring out how to detect packet sniffing, they should be putting time and effort into fixing the real problem, which is that too much information is sent over the wire. Players blew this way out of proportion because Verant basically said "We don't really care if you have hacking tools...just don't use them while playing EQ" but many read much more into it. If you are going to do something questionable, shady, etc. you probably shouldn't be doing it in "plain sight" (yes, on Windows 95/98, the hard disk is plain sight...everything in Windows 95/98 is in plain sight) especially after you've been warned.
Security in Online Games (Score:3)
/.ers are always willing to disregard "security through obscurity", but how would you design an open method to go about this, aiming to get 100% surety that no one is cheating?
Strong data typing is for those with weak minds.
Doubleclick,the Feds and Verant (Score:3)
..in a related story.. (Score:3)
Those who attempt 'security through obscurity' achieve 'obscurity through stupidity'. Frankly, I prefer 'security through perversity'.
I play EQ (Score:3)
This is, while I can see their side, just the latest in turning the world of Norrath into more of a police state. Over the last few months they have recruited more guides (read police) to enforce their new play nice policy.
Basically the policy is that anyone who pisses off anyone else is up for disciplinary action that includes suspension and expulsion. (sounds like high school no?) While on the one hand they have created a very nice game and are wildly successful, that success has caused growing pains on their side.
A few examples of the pains are the fact that each server is designed to have 1000 - 1200 people playing on it at any one time, you are hard pressed to find any server that has less than 1800 users and many are hitting 2000 during peak hours. For those that haven't experienced it, once you select a server that is where your avatar lives its life, forever. No crossing from one server to another. As your friends join up they want to hang w you so they join your server compounding the problem.
This excess of players stresses the system on two fronts: of course the technical side with zones and servers crashing sometimes for days losing the entire player database, but also the in game resources are pushed having not been designed for that many people. This causes a shortage of things to do with people camping waiting for the first enemy to appear and not only battle the enemy but argue with other players over who it belongs to. This breeds animosity among players who are NOT allowed to kill one another (except under certain mutually agreed circumstances). So now maybe you understand. While Verant has learned from the mistakes of Ultima they have still created their own special problems.
Overall though the game is so very well done and when it works the experience is so cool that we all hang out and keep playing. For the uninitiated all I can say is that the social aspects of the game are in my opinion what keep people playing.
daddio
It's covered blow by blow here (Score:4)
Why shouldn't they worry? (Score:4)
Let's face it, people who game online like to get the edge over their opponents, and one of the ways they do this is to cheat. There is a proliferation of tools to do this for various online games, and users can easily find them on the net.
When even one person cheats it makes the entire game less fun for everyone else playing it. Instead of a test of skill it becomes a farce, with little or no skill being required to win or proceed. Verant, obviously worried about the quality and fun of their game EverQuest, were being entirely reasonable by wanting to prevent the use of cheating tools.
Given this concern, the only reasonable and effective thing for them to have done was to scan the user's hard drive for said cheating tool. This isn't a privacy issue - they're only scanning for a tool which will lessen everybody's enjoyment of their game. If you are against this then you are letting people ruin the game by cheating, which is hardly fair to other users.
Privacy Violation over EVERQUEST? (Score:4)
The game has YET to be invented that will make me want to trade in my privacy in order that I might keep some other guy from getting some extra HP or resources by cheating.
Not to mention that if you have to cheat at a game just to be competitive -- how much fun can it possibly be?
... kinda like the problem with playing Quake online... The levels are completely unimaginative, and it comes down to ping speed & hardware to decide the winner. Adding things like LIMITED weapons, ammo & powerups would require people to conserve their ammo and to play strategically, rather than switching over to rocket launcher, putting it on autorun and holding down their fire button.
But it's all just games anyway, right? Relax, people. Have fun. Stop nosing around on my PC.
-The Reverend
Re:Further progress in protecting online privacy (Score:4)
You bring up a very good point. Customers are able to influence a big company's decisions, especially on issues like privacy. One key point I'd like to highlight is this: they can only do this if they are informed. I think it's extremely important that we try our best to make the average Joe user aware of all the potential violations of privacy that are going on today. The reason that so many users today have such poor habits online (in terms of protecting their own privacy) is because they aren't aware of it.
This may be a bit off-topic, but I think this principle can be applied to other things too. Such as things like DMCA. It went by because very few were actually aware of the threats it represents. But if the average Joe user is made aware of these issues, I'm sure the masses will be able to force the powers that be to change things. Just like this case: imagine if nobody knew that the latest Everquest upgrade scanned their computers. Nothing would be done about it, and privacy will be compromised. But once people found out about it, they took action, and things changed. I'm sure this can happen in other areas too, like DMCA, etc.
Verant Reveals Its Hand (Score:5)
The question is, what prevents anyone else from doing so?
If Verant can modify Everquest such that it ships with Back Orifice 2000, and the only thing that prevented them from doing so was the (thankfully effective!) fear of inadequate liability disclaimers, what *exactly* prevents anyone else, who *doesn't* particularly worry so much about the law, from attacking any Everquest player they please with a trojan'd update?
I betcha nothing but the network, as if "well, it came from Verant's DNS name, so it *can't* be spoofable." *sigh* I'm reminded of the Genie from Aladdin..."PHENOMENAL COSMIC POWERS...itty bitty security." Oh, and toss in a little bit of obscurity to be on the safe side.
I should be fair. There's an off chance that there's some cryptographic protection against such an attack being used by Verant. That'd be nice. I'd like that, as I do cryptography. Day in, day out, it's what I've been living, breathing, thinking, and scheming. And ya know what? I had a total compromise sitting around in my design, because I forgot the (rather simple, but marginally obscure) fact that it's rather trivial to convert a private key back into its public key equivalent. (Moral of the story, folks: Possession of a public key authenticates NOTHING.) Stupid problem, easy to fix, but then, that's my *job* right now.
I doubt I have an equivalent at Verant.
At best, Verant is employing some painfully inadequate public signature verification key to make sure that an update actually came from them. Rather likely, they're using some symmetric algorithm (RC2/RC4 most likely, as they're easily exportable) with a broken key length--not that it matters, since if they're using a symmetric key to authenticate the packages, then the same key that Verant used to sign the update shipped with every copy of Everquest--*cough* itty bitty security. Same shtick if they use an MD5-signature variant--the "key" used to authenticate the package as coming from Verant and not Joe Cracker necessarily gets shipped with each box.
Of course, who am I kidding. We'd be lucky if there's an XOR in the lot. (XOR, for the non-cryptographers out there, is a thoroughly broken but easy to implement logic operation that one can run on data to make it "appear" encrypted. Appearances...can be deceiving.)
Folks, this is a *real* problem. Whenever you're doing crypto, you have to separate the world into Us vs. Them. I don't have a problem trusting Verant--they've got deep pockets, they've got skittish lawyers, and if they try anything, we'll see 'em telegraph it in the licensing agreement. (And if they do things without changing the agreement, We Know Where They Live.) So, for the moment, "Us" is Verant and Me, as an Individual Gamer. Them is every *other* gamer, malcontent, and kangaroo down under.
The question to ask yourself, is: What allows Us to determine what code is executed on the client machine, and not Them?
The next question to ask yourself is, since *you're* the one at risk with the client machine, and not Verant, how likely is it that Verant even broke a sweat regarding the answer to the previous question?
Great. Verant isn't going to hack their users, out of the goodness of their lawyers' paranoia. So who will?
What about other games here, folks? Am I the only one noticing that large portions of the Windows software space are suddenly becoming net enabled for no other reason but to deliver ads (at best) and trojans (over time)?
This isn't the first time I've run a company through the wringer over automatic execution of code (both Microsoft and Novell have painfully inadequate checking on their login script functionality; more at www.doxpara.com), but as much as
Sure, they rejected 'em, but still...you gotta know they at least considered 'em. Verant, on the other hand?
Does anyone know?
Email or reply if any of this concerns you. I've had some interesting responses planned to this trend that I just haven't had the resources to implement. With some help, we might actually be able to...deal with this situation.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
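The distinction the comment above draws between an authentication key that ships in every box and a public verification key, as an added example that is not part of the original post and not Verant's update code. The shared key and the package bytes are constructed; a Lamport one-time signature stands in for a public-key scheme only because it needs nothing beyond the standard library, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Scheme A: one shared secret embedded in every client (constructed value).
SHIPPED_KEY = b"constructed-demo-key-inside-client"

def mac_tag(key: bytes, package: bytes) -> bytes:
    return hmac.new(key, package, hashlib.sha256).digest()

def client_accepts_mac(package: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(SHIPPED_KEY, package), tag)

# Scheme B: Lamport one-time signature. The client ships with hashes only.
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(package: bytes):
    digest = _h(package)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    """Vendor side. Each key pair may sign exactly one package."""
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in secret]
    return secret, public

def lamport_sign(secret, package: bytes):
    # Reveal one secret value per bit of the package digest.
    return [secret[i][bit] for i, bit in enumerate(_bits(package))]

def client_accepts_sig(public, package: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(package)):
        ok &= hmac.compare_digest(_h(sig[i]), public[i][bit])
    return ok

def demo():
    genuine = b"patch-1.0 (constructed sample)"
    altered = b"patch-1.0 with altered contents (constructed sample)"
    # Scheme A: the verifying key is also the signing key, so whoever holds a
    # client can produce a tag that every other client accepts.
    mac_forgery_accepted = client_accepts_mac(altered, mac_tag(SHIPPED_KEY, altered))
    # Scheme B: the client can check the vendor's signature but holds nothing
    # that produces a valid one for different contents.
    secret, public = lamport_keygen()
    sig = lamport_sign(secret, genuine)
    genuine_accepted = client_accepts_sig(public, genuine, sig)
    altered_accepted = client_accepts_sig(public, altered, sig)
    return mac_forgery_accepted, genuine_accepted, altered_accepted
```

`demo()` returns `(True, True, False)`: the shared-key check passes altered contents, while the signature check passes only the package the vendor signed.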
The real story... (Score:5)
First, Everquest doesn't have that large of a real cheating problem; they're very good at logging any strange client behaviour and banning people the minute they're caught. However, a program was released to the public domain a while back called ShowEQ. This program is a passive sniffer that reads the data stream between the client and the server and displays data that gives the user an advantage over other players; basically it's a realtime map of all the monsters in a zone with their hps and level.
Verant has been trying to combat this for a while by constantly changing their encryption scheme but has thus far been unsuccessful in locking the people maintaining the program out for more than a few days.
ShowEQ ran on Linux; recently someone released a Windows version and this is what Verant claims they were scanning for. (The passive client on Linux is really impossible for them to detect.)
Someone recently posted a message on the EQ message boards asking why Verant was scanning the task list of their computer and uploading what was running back to the servers. This is prior to the announcement that they wanted to do this, btw. Verant was extremely quiet about this thread until the announcement was made that they were changing the end user license which you have to agree to every time you start the Everquest client.
All these threads are still available and it's somewhat interesting to read what Verant's reps posted in response. If you want to see check http://everquest.station.sony.com and click on the message boards link.
Part of Verant's problem is they've been fostering a real Us vs the Players attitude. (Although they probably don't intend to, but anyone who's been on a MUS* before realizes that it's just part of the lifecycle of such games.) By refusing to answer player questions about game mechanics and such, some people have used ShowEQ to get real answers to these questions, such as how the experience system works and such.
I was marginally involved in developing ShowEQ (Score:5)
The reason? They have some severe design flaws in their game, as well as a piss poor and arrogant attitude toward their player base. The only reason they are raking it in is because nobody else has such a thing on the market yet. They were stomping sites until it got moved to www.hackersquest.gomp.ch, (notice the NON-us addy?) a host site that doesn't have anyone that clicked the Verant EULA, and so far seems immune to their lawyers.
And the prog runs on a separate Linux box: using NAT/ipchains and routing the win box thru the linux box is best, but it can also put the ethX device into promisc and sniff the data. So, really, there isn't jack they can do about detecting it. They seemed to live with this until... What brought this "corporate sniffing" on is that someone took the open source and did a windows port. So every little k3w3l d00d and wannabe could use it.
Verant went into Corporate panic mode - typical of their nasty anti-gamer managerial mindset. Verant went psycho trying to stop it.
But the scariest thing is: when they polled 15,000 of their users, 83% agreed to let Verant search their HD as a precondition of playing the game!!!
What kind of sheep are these? I pity the folks who will need to depend on such weak and obedient asses who will kneel down for a company just to be allowed to play a game that they are already paying for!
EQ players who said Yes in that poll, you should be ashamed!
Further progress in protecting online privacy (Score:5)
I think it's because when someone's privacy gets threatened, they feel much more quickly capable of taking significant action, to the extent that they're willing to switch provider, give up a forum or a game they enjoy, or use alternatives (sometimes of dubious legality), in order to protect it.
In terms of the influences faced by online companies today, it seems to be quite a high priority to satisfy the privacy needs of customers, even though this is not a natural consequence of their desire to make profits, but rather caused by an obsession (healthy, in my opinion) with privacy on the part of individuals.
We've seen quite a few radical reversals of policy on the part of some very large corporations (Doubleclick or Intel for example), which would seem to imply that online consumers, as a separately identifiable group, are becoming quite powerful in their own right.
Long may it last!
A quick note: (Score:5)
Verant and Drive Scanning (Score:5)
What's happening here is a thorny problem where individual "privacy" headbutts with everyone's best interests.
A quick background for those not in the know, Verant Interactive [verant.com] produces and maintains EverQuest [everquest.com], a massively-multiplayer online role-playing game. Thousands of players connect to Verant-administered servers and play alongside other players in a persistent world. It's the second major-market title in the MMORPG genre started by Ultima Online [uo.com].
The way these games work is centralized servers store all the state information about the virtual world. To be general, nothing is stored client-side. This is required, because unlike games like Quake [idsoftware.com], the world is persistent. An early incarnation of this type of game was Diablo [blizzard.com]. The main difference between the newer games (UO and EQ) and Diablo is that with Diablo, all your character information was stored client-side. This became a major problem for the game, as it was only a matter of time before the file formats were reverse-engineered and people started modifying their characters to be super-powered.
By storing the information server-side, this type of cheating is avoided. No matter what you do, there will always be people who want to cheat, and if the information is stored server-side, people will try to exploit the server to cheat, or will "enhance" their client software in order to give them an unfair advantage in the game. Ultima Online has had a long history of dealing with this type of problem. Many security weaknesses in the UO servers were discovered (and fixed), but at the same time, these weaknesses were exploited by people, most often to do devastating things to other players of the game.
Recently, EQ has had the same things happening to it. A program known as "Show-EQ" has been around for quite some time, which simply gives a player an unfair advantage in the game. Verant has dealt with this in a subtle manner, changing their client/server data stream every so often to set back development of the utility.
In the past couple weeks, other programs for EQ have begun to pop up, with more nefarious purposes. The EverQuest servers have been crashed on more than one occasion by these programs. This is what brought Verant to suggesting drive-scanning. It's one thing if someone is just cheating, but it's another thing completely if they're maliciously trying to crash the game.
They took their first countermeasures not too long ago, by adding a feature to the client software that scans your Windows task list and looks for these "external utilities". If it finds one, it flips a "I'm a cheater" flag on your account and you end up with a cancelled EQ account.
They proposed to extend their search to the hard drive, to see if any of these programs even exist on your system... and this is where people started to get upset.
Verant has been very open and forthcoming about the proposed changes, keeping active discussions regarding the issue on the various websites dedicated to EverQuest, offering reasoning and explanations of the scanning process, and they even required all users to answer a poll question regarding the issue on login to the game (which turned up 80%+ in favor of the scanning).
Even with the overwhelming support of the scanning by their playerbase, they responsibly decided to back down on the issue.
Now granted, what they suggested could be a huge tool for abuse and privacy intrusion, but they did not try to "sneak" it past their users in any form. What they were proposing was nothing compared to some of the things that people thought they were planning on doing (there have been some heated arguments about it the past few days).
In short, it's not really that they intended to intrude on people's privacy, but that they were seeking to increase the quality of their service and actually have a way to enforce their "no cheating" rules.
Verant should be commended on their responsible handling of this entire incident, not trashed in the court of public opinion based on reports that only tell half the story, like the one posted here on Slashdot.