The State of Security in MMORPGs
Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with SecurityFocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."
My personal feelings.. (Score:5, Insightful)
I understand that some percentage of the playing population is going to cheat, hack, or use an exploit simply because they can. But if game design didn't make it so attractive to so many people to reap the rewards that go along with it, it would be a pretty minor problem. In my opinion, as soon as you're killing the 3,000th slightly different textured mob for his toe...or running a dungeon you could do in your sleep just to make sure a fellow guild member's armor is a little bit different color so you have a shot at the next dungeon, MMORPGs start losing some of their fun. I don't know of too many people that really enjoy running things that are on "farm" status, but there's a necessity to grind it out built into the games.
I know it keeps people hooked longer, but it also keeps the temptation to play...creatively...in people's mind.
Re:My personal feelings.. (Score:5, Interesting)
See, with WoW, since I was paying for it, I felt obligated to play it over other games...as a result, I missed out on a LOT of games when they came out. With Guild Wars, however, since there is no monthly fee, I'll log in for a couple hours here, a couple hours there...maybe a grand total of 5-7 hours a week out of my 25-30 hours a week spent playing video games. Since I'm not paying a monthly fee, I feel less like I HAVE to play it and more like I WANT to play it...WoW is a better game IMO, but I like not having that "second-job" feeling.
Re: (Score:2)
Re: (Score:3, Insightful)
www.mmorpg.com
Re: (Score:2)
I really feel that "I have to log in to justify my $15/month" is kind of the pinnacle of irrationality. If you're not having fun, don't log in. If
Re: (Score:3, Interesting)
A better way to describe it would be when I would sit down to play something other than WoW, my thoughts drifted towards thinking that I should log in and finish this or that quest, or head to the auction house instead. I felt pulled to it. Playing other games wh
Guild Wars is way cool (Score:2)
Re: (Score:3, Interesting)
Guild Wars cost is about $40 to buy an expansion every 6 months, or about $0.25/day.
So, the difference in dollar cost between the 2 games is about $0.30/day. I would argue that if that amount of money is a more significant factor to you than which game you enjoy playing more, then you should play neither and instead spend the time earning more money.
Re:My personal feelings.. (Score:4, Interesting)
1. Like you said, lack of persistent world.
2. Lack of gear diversity.
3. Lack of solo play options.
4. Steep learning curve.
5. No auction/market system whatsoever.
I found the single player game to be little more than a one-dimensional grind for skills. And without skills, what chance do you have to succeed in PvP?
I'd like to find a reason to play it again, as visually it is a very impressive game. It will take a lot of convincing, though, to get me to purchase the expansions and give it another shot.
Re: (Score:2, Interesting)
Re: (Score:2, Interesting)
I also like Lord of the Rings Online which doesn't have the same emphasis on gear (uber loot) as WoW, and far less PVP (pwners). When the game is about exploring, cooperation, or role playing, the need to cheat just isn't as strong.
Re:My personal feelings.. (Score:5, Funny)
1) You can grind away whatever playtime you have in order to get the cash legitimately,
2) you can buy it from someone that is grinding away (or perhaps using exploits), or
3) you can turn to exploits/hacks/whatever yourself
(enter stage left, dramatically)
NOOOObody expects the Slashish Inquisition! If you're into a MMORPG, and you "need" cash
Re:My personal feelings.. (Score:5, Interesting)
Take a player who has played the game for a while, is skilled at the game, and is very successful at completing game objectives. Now, have that player start a new game with a brand new character. He should be able to be somewhat competitive with that new character - not nearly as strong without his old level or gear, but still competitive.
Of course, there are plenty of caveats. First, I have had difficulty in imagining an RP system that would have such a large emphasis on creativity and intelligence. Second, it is unlikely that many people would actually have interest in such a game. Unfortunately, I think that most people actually like the grind; and even if they don't have the intellect to keep up in a real game, they can gain satisfaction from countless hours hoarding gear and currency.
Re:My personal feelings.. (Score:5, Informative)
The article touched on game dev reactions to bug reports. I've seen negative reactions to bug reports myself. In one game I was a developer for, I once did a security audit of the code and was appalled at what I found. With almost no effort, I was able to craft an in-game exploit that would wipe the hard drive of every user logged into the game who tried to bring up a URL. I had to push and push to get it fixed. Almost any bug that was security related, they didn't want to address; they were much more afraid of introducing gameplay bugs that might come as a side effect to fixing security bugs, and more afraid of having the schedule slip. Almost none of the strings in the game were checked for length or null termination when operations were done on them. It really disturbed me (and also reinforced to me why game code shouldn't be written in C; at least use C++, people...)
Re: (Score:2)
People rely on the "grinding" aspect because it's the easiest to develop and balance properly.
No doubt. If Blizzard can make obscene amounts of cash using this kind of system, why wouldn't they? But now that market penetration of grinding-style MMOs is so large, I think there is significantly more opportunity for a niche intellectual-MMO to really stand out - maybe like Eaku (have you posted any information on it yet?).
and also reinforced to me why game code shouldn't be written in C; at least use C++, people...
I've never written game code, but this seems like a no-brainer to me. Honestly, I think that even higher level languages are an even better fit (managed/garbage-collected/etc) in
Re: (Score:3, Informative)
Anyone writing Massive servers in Java (or C#) should be billed the full ongoing costs of the extra iron that they require. Quite apart from the inherent overheads of VMs, those languages automagically spawn threads for network activity, rather than allowing you to perform non-blocking access from a smaller thread pool. They simply don't scale up well. A few dozen players, fine, hundreds, OK, but you hit the thousands and you're spending a significant amount of your cycles just thrashing between threads.
Re:My personal feelings.. (Score:5, Insightful)
Actually, I think there's a more insidious reason people rely on the grinding aspect: it allows developers to create the strongest reward mechanism; one that leads to behavior most closely related to addiction: random rewards at random intervals. It's convenient that it is the easiest to implement, but one reason we haven't progressed past it (and, in the case of Ultima, regressed to it) is that it is the single best way to keep players coming back for more.
Sorry for digressing, but that's the one thing that bugs me about most MMOs right now: they are designed as a massive grind fest.
Re: (Score:2)
People like to fight. In a pure RP (role play) world, the
Re: (Score:3, Insightful)
To me, MMORPGs have little to do with following a great story; it's
Re: (Score:2)
The problem is not that it's too difficult to "earn" the "money" to get the items, but with the whole paradigm of grinding away for money & stats to get things. In fact, it's not difficult at all. Just time consuming. There isn't any more depth to farming gold in WoW than there is to stringing beads in a costume jewelry factory. And, mind, stringing the beads would get you rewards in WoW significantly faster, even, if you use the
Re:My personal feelings.. (Score:4, Insightful)
RPGs are about 2 things: story, and building the power level of a character to meet some challenge.
As soon as you add the MMO part the story has to give a bit (there's not just one player (or just one small group) so the player can't be the "chosen one, saviour of the universe") and the game is long term so story is expensive to keep adding to.
The challenge part also suffers, since there is no end. In a traditional CRPG at some point you win the game. The big evil is defeated by your powered up character and the game is over. The MMO part means that never happens, on and on it goes with the power cap getting raised every so often so that there's more grinding to do.
And of course people cheat in single player games, there's even more incentive in a multiplayer game...
Re: (Score:2)
"What will we do today, Wheezenerd?"
"Well, Big Dumb Tank, today we must find the magical rutabaga that will destroy the evil gopher and save t
Re: (Score:2)
Re: (Score:3, Insightful)
Also, with more sim elements in MMORPGs, there could easily be real impact on the game world. Not every quest has to be epic, some could result in minor changes, such as new shops opening up, new cities being founded, factions gaining or losing
Re: (Score:2)
Re: (Score:2)
Yeah I gotta admit that I'm deeply disappointed that World of Warcraft seems to be so lacking in the Warcraft department. What is Warcraft without constructing new buildings, and razing those of your enemy?
There's a quest in the Barrens called
Re: (Score:2)
Can the players handle it? (Score:4, Insightful)
Download the free trial for Lotro, create a character and head to Bree. There is a quest there that starts at night, from a ghost near the southern gate, he asks you to find a ring that was lost at some barracks. Yet you don't recall any barracks even being at Bree. It is suggested you ask around.
Want to guess how many people INSTANTLY upon receiving that quest ask where to find this ring? 10%? 20%? I once just parked myself for an hour at night time near that ghost, just to see how many people that came near him would next ask the question. 8 people. 6 asked in public chat, the others might very well have done the quest before or asked in private chat.
People don't want to explore.
SWG had a little exploration and most people never bothered with it until the path to Jedi required it.
On the way back from Dol Dinen to Esteldin you come across a wounded ranger, if you approach he warns of a trap and you are ambushed by 3 earthkins, fairly tough critters. It isn't a quest, just a bit of color for the game. Again a bit of social experimentation quickly showed me that most players had NEVER heard of this, quests are shown with a ring, there was no ring so people didn't explore to see what it was all about because no XP means a waste of time.
It is depressing, but I sadly think that the market has spoken and the market has said, we want more WoW, please don't make us think or give us choices. Lead us by the hand and give us our XP and levels.
And to be fair, I am not sure I entirely disagree. There is a fine line between an open-ended free form quest and sending a player out there without a clue. I remember an East European game, SS (not sure about the name, tactical turn-based squad game in 3D environment that was totally destructible), it had quests/missions where on higher difficulties you weren't told what to do. You just appeared on a map and good luck finding out what your objectives were. A challenge or wasting my time?
Like many a MMO player I have thought long and hard about how you could make a better game, but I keep hitting the same old problem, can the user handle it and sadly the answer is no. If you want millions of subscribers you've got to accept that you are developing for an average IQ well below 100. Retards. Lazy retards. Lazy dyslexic retards.
Go on, come with an idea for a quest or game mechanism and then ask yourself, how will a user who refuses to read or look at his interface deal with it. One of the biggest challenges in the endgame of MMOs comes not from the game itself, but in finding a group of people that after months of play actually managed to get a clue. It sounds amazing but as a raid leader you would be surprised how many times you get a newbie who must be playing on someone else's account because with their skill they should have died at the loading screen.
Re: (Score:2, Troll)
Most of these quests ignore the fact that other people have done them as well. YOU get to help a night elf learn that owlbears are protectors from the god Elune. YOU get to recover the lost treasure for a dwarf. That isn't even taking into account instances where the *zone* is just you and your group.
Now, there's no end. But then, traditional D&D didn't have an end either. You w
Re:My personal feelings.. (Score:5, Insightful)
If you play any game long enough, you are going to get tired of it and want to play another game. That is just being normal.
As far as cheating goes, some will do it for the challenge. Most of the others will just do it because they want to be better than their friends. It is a competition. It's a dumb place to want to be recognized...but people do it. If people hated the game, they just wouldn't play it anymore. They love the game, they just want an edge over others and will do whatever they can to get there faster. The grind is in everything...it is just popular to bash it in here since people on here like to bash what other people enjoy instead of actually coming up with anything better.
Re:My personal feelings.. (Score:5, Insightful)
The difference here is that this isn't "grinding", this is practice.
If you play a song over and over in Guitar Hero, you get better at it, which eventually allows you to get five stars. You, the player actually get better at the game. In most MMORPGS, however, grinding is mere repetition, doing something over and over and over for experience points (or something similar), to improve the game character. The player is no better at the game, the game character is merely powered up.
Ultimately, these things differ in that the former affects the real world and the latter only affects the game world; if I play a song enough to get five stars in Guitar Hero, I can likely go to someone else's house and five-star it there, too. If I delete my character in an MMORPG, I forever lose all of the progress that was made, and getting a new character back to my old character's level requires going through all of that grinding all over again. While I may have figured out some easy ways to gain experience, I am still no better at the game itself. And really, I don't have to do anything challenging in the course of my grinding, because there is always some simple task (easy battles, for example) that can simply be done over and over to accrue easy experience.
To this extent, Guitar Hero (and Geometry Wars, and most non-RPGs, really) is no more a "grind" than any other skill-based activity that you do in the real world. Is writing code "grinding"? What about painting? Soldering? Singing? Playing cards? Cooking? Sex?
Re: (Score:2)
That, and it is an incredibly social game.
Re: (Score:2)
Re: (Score:3, Insightful)
If it's the "grind" that makes people cheat I wonder how they explain, Counterstrike, UT, etc...
Oddly enough, one common excuse for that ilk of cheater is that they have "a life" and can't spend all their time playing Counterstrike, UT, etc. Essentially they're talking about a different kind of grind - developing the skill to play the game. Yet skill is what the "flawed grinding mechanism" meme folks seem to call for.
It seems to me what we're really dealing with is a demand for instant satisfaction. And not just any form of satisfaction; it's got to be "I'm better than everyone else" flavored.
Re: (Score:2)
When did automation become such a huge sin? The solution is simple. Write scripting into the game so everyone is on the same level, and make characters get tired after a few hours of gameplay. You coul
Re: (Score:2)
Just ask regular players.... (Score:4, Informative)
Most are regular hack fests.
Ultima Online: Scripting is the number one player complaint, but EA doesn't give a rat's ass, they never ban, despite their TOS saying otherwise. Other cheats include ways to make players drop items, and using bots to monitor certain parts of the game for the sole purpose of knowing exactly when to raid, and then there is all the speed hacking (EG movement hacks) that goes on.
Lineage II: I played for 6 months, and never met another player, just about 4000 different bots.
LOTRO: Besides the game missing something, it had its share of bots.
WoW: I get spammed with cheat site URLs every time I login, regardless of realm.
Of all the above WoW seems to have it the most under control, but that doesn't mean they don't have room to improve.
Cheating is so rampant in Ultima Online anymore, that the fricken game isn't worth logging into.
Re: (Score:2)
Re: (Score:2)
I quit UO on EA's servers five years ago (making a hefty sum selling all my stuff on ebay in the process!) for the player run community ha
Economics (Score:2, Insightful)
Re: (Score:2)
I will agree that economics is one of the hardest things to "Get Right". "What is the grind worth?" is the biggest question of all of them, and along with that "How do we make it valuable enough for the advanced players, but still accessible enough for the new players" I like to think that we get it right, but we keep tweaking it.
If you play, let us know how you think we are doing
Re:Economics (Score:4, Insightful)
Raw materials + labor should always have greater value than the raw materials alone, for example.
Raw materials have more value because well-funded individuals need them to grind up their crafting skill not because they need the actual items the raw materials are being used to create. The end products don't sell well because there's too much supply for the demand - not because they're necessarily useless. You can tell this is the case because non-crafted low level items (that can't be mass produced like crafted items) will fetch premium prices if they have the right stats - as you noted.
This isn't a flaw in the various economies of WoW worlds. It is just how economies work. And the fact that a lot of people are interacting in these economies without paying much attention to what's going on.
Crafting is a great example of this. My advice to all new players is to NOT get in to crafting. Pick two gathering professions (or a profession like enchanting that gives you something akin to gathering - disenchanting items in to raw components - but ignore the crafting aspect). Spend all your up-and-coming levels selling or trading in raw supplies (either in the AH, suppling mats to crafters to make you items you want and giving the crafter a "free" skill point, or being the go-to guy for your guild's supply needs). Once you're high leveled and established, THEN it's time to decide on whether you really need to craft items. If so, you can better afford it (and you can give a financial leg-up to all the other gatherers feeding the market like you did). If not, you've saved yourself from the expense of training for a skill that's probably well represented in an already over-crowded market.
Re: (Score:2)
WOW, for instance, has player position (x,y,z) in memory, and trusts the client about it. Some time ago, when teleport hacks started to surface, Blizzard started doing what Koreans/Chinese have done for years: monitor the player computer for software that could alter memory, and some other hacks. I believe they also started looking at server traces to see people teleporting into non-standard destinations (people can teleport to their home once an hour).
The p
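An added example, not part of the comment above or any game's code: a server-side audit of position traces of the kind the comment describes, flagging jumps that neither normal movement nor the once-an-hour home teleport can explain. The speed limit, slack factor, arrival radius and the `Update` record are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import dist

# Assumed tuning values for illustration; not taken from any real game.
MAX_SPEED = 14.0        # fastest legitimate movement, world units per second
SLACK = 1.5             # multiplier that absorbs latency and jitter
HOME_COOLDOWN = 3600.0  # the "teleport home" ability works once an hour
ARRIVAL_RADIUS = 5.0    # a home teleport must land this close to the bind point


@dataclass(frozen=True)
class Update:
    t: float                     # server receive time in seconds
    pos: tuple                   # (x, y, z) as reported by the client
    home_teleport: bool = False  # client says this jump was a home teleport


def audit_trace(updates, home, last_home_use=None):
    """Return (time, reason) findings for one player's position trace.

    The cooldown is checked against the server's own record (last_home_use),
    never against anything the client reports.
    """
    findings = []
    prev = None
    for u in updates:
        if prev is None:
            prev = u
            continue
        dt = u.t - prev.t
        if dt <= 0:
            findings.append((u.t, "non-increasing timestamp"))
            continue  # keep the last good sample as the reference
        if u.home_teleport:
            if dist(u.pos, home) > ARRIVAL_RADIUS:
                findings.append((u.t, "teleport destination is not home"))
            elif last_home_use is not None and u.t - last_home_use < HOME_COOLDOWN:
                findings.append((u.t, "home teleport on cooldown"))
            else:
                last_home_use = u.t  # legitimate use, start the cooldown
        elif dist(u.pos, prev.pos) > MAX_SPEED * SLACK * dt:
            findings.append((u.t, "impossible speed"))
        # An audit keeps following the reported path so one jump is flagged
        # once; a live server would instead snap the player back to prev.
        prev = u
    return findings


# Constructed sample trace for one player whose bind point is the origin.
HOME = (0.0, 0.0, 0.0)
SAMPLE_TRACE = [
    Update(0.0, (100.0, 100.0, 0.0)),
    Update(1.0, (110.0, 100.0, 0.0)),
    Update(2.0, (120.0, 100.0, 0.0)),
    Update(3.0, (900.0, 400.0, 0.0)),                       # no teleport claimed
    Update(4.0, (905.0, 400.0, 0.0)),
    Update(5.0, (0.0, 0.0, 0.0), home_teleport=True),       # first use, allowed
    Update(6.0, (3.0, 0.0, 0.0)),
    Update(7.0, (500.0, 500.0, 0.0), home_teleport=True),   # wrong destination
    Update(8.0, (0.0, 0.0, 0.0), home_teleport=True),       # still on cooldown
]

if __name__ == "__main__":
    for when, reason in audit_trace(SAMPLE_TRACE, HOME):
        print(f"t={when:>4}: {reason}")
```
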
Re: (Score:2)
One thing I've found is that, unless the offense has to do with personal harassme
rootkit-like? (Score:2)
Re:rootkit-like? (Score:5, Interesting)
http://en.wikipedia.org/wiki/Warden_(software)
--
Warden (also known as Warden Client) is an anti-cheating tool integrated in Blizzard Entertainment games such as Diablo II, StarCraft (since patch 1.15), and most notably World of Warcraft. While the game is running, Warden uses API function calls to collect data on open programs on the user's computer and sends it back to Blizzard servers as hash values to be compared to those of known cheating programs. Privacy advocates consider the program to be spyware.
--
Re:rootkit-like? (Score:4, Interesting)
Because, for example, Blizzard's polymorphic anti-cheat "Warden" tries to scan process lists, the memory space of other processes, window titles - and, if they want, your filesystem - and because it can be updated at any time, if you want to spend any serious time looking at the game in that way, one of the very first things you're going to need is a good stealth driver to pull the wool over its eyes.
It shouldn't be that difficult, you'd think. Both Inner Space and Glider, for example, have modules to do just that, and they're running a kernel mode driver which Warden doesn't have the advantage of, but even so, the stealth is woefully incomplete which is one reason people get massbanned.
Of course the other reason is that bots tend to look rather obvious to any other player, and get reported. The challenge there is to build a better bot, (but since there's chat involved in the game, you'd better get ready for a Turing test; since that isn't an option, discretion is the better part of valour).
Re: (Score:2)
Re: (Score:2)
Even that is easy to figure out. And, in most people's eyes, using a foreign language is a strike against you. They'll assume that you're a gold farmer living in another country. Unless the language is, say, French or Spanish, they're usually r
Re: (Score:2)
Re:rootkit-like? (Score:4, Interesting)
So I switched to another guild which was well known for their botting. You had to prove yourself before you got access to the bot software though, so I got stuck in what they called an 'experience chain'. Everyone would swear allegiance to someone else, and a portion of your XP would be passed up the chain. If you had good enough leadership and loyalty skills the numbers would actually multiply as it passed up. After leveling a new character to about 70 or 80 with the chain, I was allowed access to the bot software. Of course it was against the game's TOS, but we had our ways around it.
Most of us would run our bots all night farming dungeons, but the admins would show up every once in a while to figure out if we were at the keyboard at all. What we actually did was have all chat communication funneled through an IRC channel that someone was generally watching. Our characters could also be remote controlled from the IRC channel with proper authentication as well. That defeated their ban stick for a while, because it was only illegal to bot when you weren't at the keyboard.
Eventually the admins got smart and started showing objects to the characters. We were asked to describe the color or what the item was. I do believe it was possible to get around that limitation, but I never stuck around long enough to find out. At about that point I had landed my current job and couldn't devote the time to play any more. And with the botters, you needed to be able to check your character and be available 24/7... even if you weren't actually playing the game all the time.
So I guess my point is, this probably happens already since we were doing it years ago!
Re: (Score:2)
Most game companies don't care (Score:3, Insightful)
All they will do is buy external software like GameGuard, whose primary function is to hog resources of the customer's PC and make it less stable.
Thus, the low-end PHB will be able to claim to his boss he is actively fighting the problem, with GameGuard's monthly invoice in hand for proof.
Meanwhile the players will lament about the enormous parasitic-like farmer population, detrimental to the game itself, and in plain view of anyone who actually logs in the game.
Exploits and WOW. (Score:5, Insightful)
These two seem hell bent on FUD with Blizzard in regards to Warden. I haven't connected the dots but it appears these are either the same people who flew off the handle when Warden changed or are in the same group. Basically take something and use choice wording and catch phrases to imply sinister behaviour where none really exists. IOW - 911 conspiracy hacks read from the same play book. These guys just seem to be on some damn fool crusade against Warden that it borders on silly. The very same people who probably don't blink when it comes to handing over their CC/Debit card to someone behind the counter freak out over a company that actually has to take steps to protect the data the players voluntarily entered when subscribing!
As for WOW itself, location hacks exist as the client and server are not always in synch for these actions. The biggest impact "cheaters" have on WOW is on the non-cheating players. Money transfers between accounts take an hour to complete, sales via the auction house are no longer immediate but instead take an hour, and trial accounts are so restricted that teaching someone to play with one is an exercise in frustration.
Re: (Score:2)
With a game as ubiquitous as WoW, how do you ban a dynamic IP (what most home IP addresses still are) without banning a large number of innocent subscribers? You really can't. You can ban accounts though, and require that any interaction with the game or the forums require a valid account, and that is far ea
Paradigm Shift (Score:4, Insightful)
Contrast this approach with what's seen in something like Jumpgate, where players have to actually develop their skill as a pilot in order to be successful in combat. I'd expect that gold-buying in that game is significantly lower per-capita than in your standard grind games like WoW or LotRO.
When we pray for the end of goldselling, what we're really hoping for is the beginning of an era where non-transferable capital (the skill you develop from playing the game) becomes the dominant factor in advancement.
Re: (Score:2, Insightful)
Re: (Score:2)
Re:Paradigm Shift (Score:5, Insightful)
So the "skills" you acquire are something not entirely related to the activity you are doing "in game".
Still, the comment of a previous poster to your comment here is very appropriate: If you "cheated" your way into gaining a certain position/in game skill level by virtue of a gold farmer or some other hack, you really don't understand all of the subtle methods of using all of the options at your disposal. You certainly won't be able to take on even NPC monsters that would easily be defeated by somebody at your current "in-game" skill level. At the same time, even in a "grind" game (or even more so in those kind of games), you can take somebody with considerable experience in the game and see them excel at achieving in-game ranking even with a brand new character due to their advanced knowledge of techniques used to play the game, including knowledge of various locations and when to fall back and try again some other time.
Heck, I have actually enjoyed starting out all over again from scratch on a few occasions, just to get a little bit of a challenge back into the game. But I level up oh so much faster than my contemporaries who created brand new accounts with me that they just look puzzled when I walk by a couple of days later being twice or three times their "level". In game experience does matter, and it translates across in a whole bunch of ways.
Your suggestion that player rankings (combat levels are just another way for players to compare each other) bring about a desire to push their ranking up with real-world cash is certainly something worth mentioning. But in the long run those are artificially inflated rankings anyway. It doesn't deal with the other problems associated with real-world item trading, and IMHO there will always be those who try to find ways to "cheat" the system with cash. That can be through a faster network connection, better computer/graphics card, cheat program that lets you get an attack in 1/2 second earlier, or whatever means you can think of. This has always been the case, even for games like Doom and Quake that didn't even really have levels to compare against. And I knew people who did "cheat" at Quake and were proud of it.
Re: (Score:2)
Re: (Score:2)
Saying that playing WoW well doesn't require skill is like saying driving doesn't require skill. They're both the same kind of skill: applied knowledge.
article devoid of content (Score:2)
Re: (Score:2)
I didn't have too much of a problem with the topics, but the way he gives credit to his books for changing the security world? PLEASE!
Can anyone say Narcissism? (I'm not sure if I can even spell it) Ok, how about a side helping of hubris? mmm. Mix with [troll sweat] and simmer.
Security and what I call... the "zerging effect" (Score:2)
Game companies neither have: 1) The talent or 2) The resources, to deal with this number of people effectively. Not to mention that, it only takes a few geniuses to post or sell their cheats online for them to spread to everyone else who's interested in them.
Look, that's the *idea*, people (Score:4, Insightful)
Online games (and any game in which you accumulate possessions) are just variations on a Skinner box. Put a gamer in a box, have him peck away at moving about the world, and give him possessions randomly. It's the same sort of thing that makes people sit in front of slot machines for hours. If they *did* make a hackproof game, only a few people would play it and it would fail financially.
Re: (Score:2)
Re: (Score:2)
Not trying to get personal or troll here, but I completely disagree with you... in order for your statement to be true, this would suggest that the vast majority of MMORPG players were using hacks/cheats.
Now, if you consider a web site that has maps or quest data to be a cheat, or if you consider those who use add-ons and UI Mods (legal ones) as part of that category, then yeah, I know very few fellow Warcraf
Re: (Score:3, Insightful)
The rewards are nice. But that's not why I play. I play WoW for the same reason I play any game, to have fun. If I'm not having fun *while I'm playing* it's not worth it, no matter what the reward is. As an example, I do some player vs player combat in one of the zones (Halaa) when the chance comes up. You get tokens for doing this that you can
Re:Look, that's the *idea*, people (Score:4, Funny)
Interview with Sony Online Entertainment CEO (Score:5, Interesting)
Part 1: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-1/
Part 2: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-2/
SOE owns and operates Everquest, Everquest 2, Star Wars Galaxies, and other MMOs.
I think the issue of farming is higher on the radar now than it ever has been. The behind-the-scenes things are really frustrating. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card - sometimes stolen, sometimes not - to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it's getting extremely expensive for us. What's happening is that when they do this all the time, the credit card companies come back to us and say "You have a higher than normal chargeback rate, therefore we'll charge you fines on top of that."
Cheating in online games (Score:5, Interesting)
In most of these games, the main thing wasn't really "cheating" as much as it was "exploiting" flaws of characteristics of the game's design. On some maps it was possible to "fall through the world" and people could effectively position themselves so they could attack monsters but the monsters could not attack them. This was also accomplished by using creative means to get on top of structures in the game geometry that the designers had never intended to be accessible. There were places for example, where we'd often find PCs on roofs in hostile towns attacking high-level NPCs and due to the pathing, were able to not be counter-attacked. There was a constant cat-and-mouse game trying to find out how they were pulling these things off. It was more interesting than annoying usually. I was always impressed by some of the creative ways people would try to give themselves an advantage.
Midway into EQ's popularity a number of software programs started to appear. These really blew the lid off the game's integrity. I forget the name of this one utility, but it was a utility that managed to decrypt the game stream, and due to the way the game was designed, when you entered a zone, this program could identify the coordinates of and nature of every NPC and PC in a certain range. SOE's game design, which often sent more info to the client than the client needed to make available to the user, created a situation where once someone decrypted the data, they had access to what was going on. Suddenly rare NPCs were being killed within minutes of appearing, and when a GM appeared in a zone to investigate, the perps knew instantly we were there and would log off. Again, a cat-and-mouse game erupted where the developers started routinely changing the game's encryption and eventually they curtailed much of this behavior and made it too difficult to use the software. But at its heyday, the cheats were quite impressive. You'd have your main game client, and then you'd have a second computer sniffing the traffic, decoding it and displaying a real-time map of all PCs and NPCs in the zone. Very high-tech. Also very difficult to catch. Since the cheat program wasn't even on the same PC, programs like WoW's "Warden" wouldn't help. The only way you could identify someone cheating was to watch their in-game behavior. When you'd see PCs make a beeline for a rare NPC within seconds of it spawning, you knew something was up.
Last but not least, in these games, the servers log just about everything. If they want to catch a cheater, the behavior is quite easy to spot. I think the biggest issue with security in MMORPGs isn't being able to catch people cheating, it's trying to figure out how to keep the proper balance between game integrity and profitability. Probably 90% of people playing MMORPGs have broken rules and most of this behavior is on file. The companies cannot afford to take too hard a stance unless the transgressions are creating big problems.
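Added example, not part of the original comment or any game's real tooling: a sketch of the behavioral check described above, flagging players who repeatedly engage a rare NPC shortly after it spawns even though they were outside viewing range when it appeared. The log format, field names, thresholds and player names are all constructed assumptions.

```python
from collections import defaultdict
from math import hypot

VIEW_RADIUS = 100.0      # assumed: how far a client can legitimately see
REACTION_WINDOW = 60.0   # assumed: seconds after a spawn that count as "too fast"
MIN_HITS = 3             # assumed: repeats required, since one fast arrival can be luck

# Constructed server log: periodic positions, rare spawns, first engagements.
SAMPLE_LOG = """\
t=100 ev=pos player=alice x=0 y=0
t=100 ev=pos player=bob x=880 y=900
t=100 ev=pos player=carol x=0 y=50
t=110 ev=spawn npc=rare_a x=900 y=900
t=150 ev=engage player=alice npc=rare_a
t=155 ev=engage player=bob npc=rare_a
t=400 ev=pos player=alice x=0 y=0
t=410 ev=spawn npc=rare_b x=-700 y=300
t=450 ev=engage player=alice npc=rare_b
t=800 ev=pos player=alice x=0 y=0
t=810 ev=spawn npc=rare_c x=500 y=-500
t=850 ev=engage player=alice npc=rare_c
t=1200 ev=engage player=carol npc=rare_c
"""

def flag_beeliners(log_text):
    """Return {player: [npc, ...]} for players with MIN_HITS suspicious arrivals."""
    last_pos = {}              # player -> last logged (x, y)
    spawns = {}                # npc -> (spawn time, {player: distance at spawn})
    hits = defaultdict(list)   # player -> rare NPCs reached suspiciously fast
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = dict(kv.split("=", 1) for kv in line.split())
        t = float(f["t"])
        if f["ev"] == "pos":
            last_pos[f["player"]] = (float(f["x"]), float(f["y"]))
        elif f["ev"] == "spawn":
            sx, sy = float(f["x"]), float(f["y"])
            dists = {p: hypot(px - sx, py - sy) for p, (px, py) in last_pos.items()}
            spawns[f["npc"]] = (t, dists)
        elif f["ev"] == "engage" and f["npc"] in spawns:
            t_spawn, dists = spawns[f["npc"]]
            # Suspicious only if the spawn was out of sight and reached quickly.
            out_of_sight = dists.get(f["player"], 0.0) > VIEW_RADIUS
            if out_of_sight and t - t_spawn <= REACTION_WINDOW:
                hits[f["player"]].append(f["npc"])
    return {p: npcs for p, npcs in hits.items() if len(npcs) >= MIN_HITS}
```

In the sample, bob is fast but was already standing next to the spawn, and carol came from far away but long after it appeared, so only the repeated out-of-sight sprints are flagged.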
Re: (Score:2, Informative)
What really made things bad though was Macroquest II. Even though this required to be recompiled with every new patch, this is what made many of the exploits possible. Even SOE knew how rampant its use was but they would not go after people using MQ for its passive features (ie maps, targeting, healbot macros, etc) but people using it
Re:Cheating in online games (Score:4, Interesting)
Anyone who used SEQ could easily spot others using it. We'd have scout chars logged off in zones to regularly check on rare spawns and scripts to start EQ, and log in the right char to scan a zone. As in, I'd click an icon on my desktop, EQ would start in the background in a tiny window, log in and then log out right away. This gave SEQ time to scan the zone and if the mob that was on the watch list was up, it'd pop up an alert. We tested this, and the whole thing happened quick enough that nobody would even see the char appear in the zone - unless of course they ran SEQ themselves.
I was on Mithaniel Marr, and I know for a fact that one of the top EQ guilds, Afterlife, used SEQ. It's not just 'beelining' it's that SEQ keeps track of respawn times. Not only do you know what's there, you know what's going to be there in 5 seconds or 1 minute. You see which areas in a zone are taken, where the boss of the LDON dungeon is, where someone's corpse is - even if they themselves have no idea where they died because they got lost. You could see the players without it getting surprised by spawns, making wrong turns, getting adds on their pulls, being unable to find a corpse, clearing an entire LDON dungeon to find a named etc.
Of course whenever we had unknowns in the zone we'd act deaf and dumb, bumbling about acting like we don't know what's where, run into dead ends, clear unnecessary areas of dungeons. We knew that the other guilds at the very least suspected us of using it and probably reported us for it just as much as we reported them. It was meta-gaming at its finest and I loved every second of it.
Re: (Score:2)
For some reason I had a vision of you as a GM appearing in front of em and using your godlike powers to kick their ass and send em running away.
Wish that's actually how it worked in these games, would be pretty sweet watchin a GM kick the crap out of some Gold/Gil/Credit farmers.
Re: (Score:2)
I got zapped once to "heaven" and talked about in-game issues on more than one occasion... usually on a friendly
Re: (Score:2)
Re: (Score:2)
That vision wouldn't be unheard of. We had a spell that would literally "kick" a person violently across the end of the zone. We'd also paralyze somebody so they couldn't move. All we really needed was the ability to play very bad MP3s on their client and the cycle would have been complete.
I knew GMs that engaged in all sorts of torture-like scenarios. Later on
Re: (Score:3, Insightful)
Just the way ShowEQ was a direct result of game design flaws in EverQuest, the same way leveling bots are for other games or ingame currency selling for real life money and whatnot. Game design flaws will result in hacks, bots and currency tradi
Re: (Score:2)
Re: (Score:2)
And there are a lot of us who wouldn't have it any other way, thanks. There should be competition for major targets and progression; handing it out for free to any group of N players just cheapens the game.
Re: (Score:2)
Re: (Score:2)
1) enter instance
2) pass or fail
3) if fail, drop instance and repeat
In other words, there's no risk, there is no wait and yet the same reward. The experience has been cheapened. Back in the good ol' days, before every fricking mob was instanced like in modern MMO's, yes, there was some level of competition for the major mobs. But this required a few things:
1) teamwork - a network of friends, perhaps a guil
Re: (Score:2)
One:
Because it's not enough to win. Somebody must lose.
As in, killing uber_dragon_001 is cool and all, but preventing from doing it because your guild killed him first is way better.
We had a monopoly on Azuregos in WoW for months and drove other guilds insane. We'd kite him until we got enough people to kill him. The amount of drama and hate this caused was pretty much why we did it, most of the loot got sharded. We only stopped because we ended up not having enough time due to new content.
Two:
Re: (Score:2)
Don't tell the client "here's everything; figure out what the player can see," tell it "here's what the player can see." It's been true since before Quake wall-hacks, and it's true now.
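Added example, not part of the original comment and not any game's actual server code: the two designs contrasted above, with a naive snapshot that ships the whole zone beside a per-viewer snapshot filtered on the server. The entity fields, the `VIEW_RADIUS` value and the zone contents are constructed assumptions.

```python
from dataclasses import dataclass, asdict
from math import hypot

VIEW_RADIUS = 100.0  # assumed draw distance, in world units

@dataclass(frozen=True)
class Entity:
    id: int
    kind: str                 # "pc", "npc" or "gm"
    name: str
    x: float
    y: float
    invisible: bool = False   # e.g. a GM quietly observing the zone
    respawn_in: float = 0.0   # server-side timer the client never needs

# Constructed zone: the viewer, a nearby mob, a distant rare spawn, a hidden GM.
ZONE = [
    Entity(1, "pc", "viewer", 0, 0),
    Entity(2, "npc", "common_mob", 30, 40),
    Entity(3, "npc", "rare_spawn", 900, 900, respawn_in=5.0),
    Entity(4, "gm", "observer", 10, 10, invisible=True),
]

def naive_snapshot(zone):
    """'Here's everything': every entity and every field goes on the wire."""
    return [asdict(e) for e in zone]

def filtered_snapshot(zone, viewer):
    """'Here's what the player can see': filter and trim on the server."""
    visible = []
    for e in zone:
        if e.id == viewer.id:
            continue
        if e.invisible and viewer.kind != "gm":
            continue  # hidden observers are never sent to ordinary players
        if hypot(e.x - viewer.x, e.y - viewer.y) > VIEW_RADIUS:
            continue  # out of range: the client cannot leak what it never got
        # Send only the fields needed to draw the entity.
        visible.append({"id": e.id, "kind": e.kind, "name": e.name,
                        "x": e.x, "y": e.y})
    return visible
```

With the filtered version, traffic captured on a second machine contains only the nearby mob; the rare spawn, its respawn timer and the hidden GM are never transmitted.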
Re: (Score:2)
Games with Hackers/Code Explorers (Score:3, Interesting)
Face it, network packets are for many software developers hardly a mystery, and trying to reverse engineer the communications protocols between a game server and a client is hardly the most challenging task in computer science. If the game publisher decides to encrypt the communication in some way, that encryption is easy to reverse engineer as well... especially if you have the software for the client on your own machine. It may crack up the skill level a little bit if the "hacker" has to decompile the client in order to find the encryption mechanism, but that just makes it all that more of a prize to win and find out.
For several of the on-line games that I play, I'll admit that I've been tempted to try this myself just to see how it was done. And there are major communities who love to do this stuff. For example, the game Runescape has a fairly good group of people who have tried to reverse engineer the communications protocols, and have gone so far as to recreate the server software itself and re-implement a client using the same protocol. One excellent example is Moparscape [moparscape.org] (Warning: click on this link at your own risk... these are real hackers here!) This is not the only server like this, I should add.
That real-world cash is also injected into the need/demand for these sort of reverse engineering efforts is really just icing on the cake for many of these individuals who get into this activity.
How you can get rid of this "game about a game" effort in terms of an arms race between the software publisher and the hacker community trying to reverse engineer the communications protocol may be something worth investigating. I'm certain that, as usual, the game industry is probably far more secure in its communication protocols than most other "real-world" activities like bank transactions and electronic voting, perhaps even military communications. This would be as a result of the vested interest of those young enough to have the patience and determination in order to hack this communications system.
I'm also certain that even the software developers who write these games have a fun time trying to come up with strategies in order to thwart the hacker community. For them, it is a fun intellectual exercise as well, especially when you are going up against people brighter than you are. So in this sense, it is a sort of chess game with slightly higher stakes on the line. And once a "hacker" has obtained all of this arcane knowledge... what are they supposed to do with that hard-won knowledge? (besides give themselves the best equipment in the game.)
"Halting State" (Score:2)
Re: (Score:2)
Quote (Score:2)
How game developers react to security warnings... (Score:2)
Security in MMORPGs? (Score:5, Funny)
Great Resources on Game Security (Score:2)
Also, the authors of Exploiting Online Games [informit.com] have a sample chapter available, and Usenix has a video of one of Gary McGraw's presentations [usenix.org] on their web
The book (Score:2, Interesting)
Now this is a good interview (Score:2, Insightful)
I'm glad I'll be able to use my modded character over an HDMI cable, and I can install a 3rd party device without a signed driver to get around this.
Who thinks up these questions?
Re: (Score:3, Informative)
SE is dropping the ball in this area though, I know a few people that got screwed and lost their accounts like this.
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
Essentially, rather than validating data on their servers, they're pushing an application to the clients to report any process they feel is inappropriate. I personally felt Warden was inappropriate, and never allowed it to run.