Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Eve Online Client Source Code Leaked

Posted by ScuttleMonkey on Mon Apr 14, 2008 05:02 PM
from the shoot-first-ask-questions-later dept.
Security Entertainment Games
An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
+ -

Related Stories

Submission: CCP/EVE ONLINE suffers public source code release by Anonymous Coward
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Eve Online Client Source Code Leaked 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Well... (Score:4, Funny)

    by schmidt349 (690948) on Monday April 14 2008, @05:06PM (#23070392)
    I would worry that unscrupulous players will dig through the source code to find exploits, but it's reassuring to find something that will bring them back to the real world...

  • Don't download the source via the torrent (Score:3, Informative)

    by ferat (971) on Monday April 14 2008, @05:07PM (#23070406) Homepage
    If you are an active EVE player, don't use the torrent links to download the source. CCP is monitoring the torrents and banning any accounts with matching IP addresses to any of the people using the torrent.

    They obviously can't watch them all, but don't download the torrent from an IP that you use to play the game.

  • Direct link to the torrent (Score:5, Informative)

    by Anonymous Coward on Monday April 14 2008, @05:07PM (#23070416)
    Well, almost. http://thepiratebay.org/tor/4128183/Eve_Online_Source(client_side)_Code [thepiratebay.org]

          • Re:Direct link to the torrent (Score:5, Insightful)

            by ichigo 2.0 (900288) on Tuesday April 15 2008, @03:07AM (#23074676)

            It doesn't surprise me though, slashdot is becoming more and more of a PR site for the piratebay and the pirate party. Its only a matter of time before it has a warez and torrents section :(
            It's not just slashdot, every place is starting to see imaginary property for what it is. That's what you get when near-infinite supply meets demand, prices go down.
  • Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents and then monitoring all IP addresses acquiring the source and then banning accounts associated with those IPs. So if you're going to get the code just to look at it, I suggest using your mom's house or an internet cafe!

    I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
    This particular user used this code to point out a few things regarding security:

    From all security i saw - were ROLE permissions for logins with priviliges higher than usual player, and some minor things in relation to prevent some remote service calls (some with potentially bad payload)
    I'm not entirely sure if he's implying there's some exploitable permissions bug or if there are some user roles that are jacked up (you know, like a coder at CCP giving himself the keys to the game and claiming it was for debug when it was for his own account's gain). But whatever it is, CCP should fix that.

    Frankly, downloading this would be a stupid thing to get banned over. This is CCP's bread and butter, I don't blame them for taking this action. In their eyes, they are trying to eliminate exploiting players in hopes of making the game better for non-exploiting players. This 'policing' action is usually desired by the community. Yeah, it's unfortunate that they're not taking advantage of the security and stability of an open source coding community ... but you have to admit it would be easy for someone to fork and go off and make their own client with. Maybe there's deep dark secrets they don't want out and since it's only a game and I don't really care for it I'm not too concerned.

    Let's see if Linden Labs can make this OSS client thing work to their advantage. I sure hope so because it will give everyone else a reason to make the switch.

    • So if you're going to get the code just to look at it, I suggest using your mom's house


      Unless you live in your mom's basement. :-P

    • Re: (Score:3, Interesting)

      by hcmtnbiker (925661)
      Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents and then monitoring all IP addresses acquiring the source and then banning accounts associated with those IPs.

      If they're actually seeding it themselves then I expect to hear about a lawsuit. Since that would be purely legal to download from them. If CCP is effectively giving away their src what's wrong with accepting their offer?

      • If they're actually seeding it themselves then I expect to hear about a lawsuit
        Only if they actually seed it. They could advertise as a seeder, connect and receive connections, then not give you anything.

    • So if you're going to get the code just to look at it, I suggest using your mom's house or an internet cafe!
      Or if you know an avid Eve Online player that you don't really like, you could hack into their wireless connection and download it that way. Not that I would condone it...

    • Re:Warning! CCP Seeding, Banning Torrenters (Score:4, Informative)

      by Anonymous Coward on Monday April 14 2008, @05:50PM (#23070938)
      What they dont want is someone adding functionality to the client they avoided for a long time:

      Fire all weapons on a single click. Automagically select the right ECM jammer for the target ship. And that's what came to my mind in an instant.

      I bet there are many more possibilities which can unbalance tweaked clients and standard clients. It is like a free opportunity for wall hacks if other clients are allowed. It wouldnt be a problem for PvE games, but PvP needs the same client for all.

      • Re:Warning! CCP Seeding, Banning Torrenters (Score:4, Interesting)

        by Rogerborg (306625) on Tuesday April 15 2008, @07:13AM (#23075776) Homepage

        CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding.

        This is the best attitude that I've even seen from a commercial MOG developer. It is exactly correct.

        Someone just needs to tell their Banstick guys that. If they believe their own argument, then they need to act like it.

  • this is going to be so great (Score:3, Interesting)

    by JernejL (1092807) on Monday April 14 2008, @05:08PM (#23070430) Homepage
    I don't think anything major as this has happened before, and from a online game developer's perspective i will look closely to how this affects cheating and the development of the game further, as something like this is a great nightmare for any game developer, and i really want to see how this one ends.

    • I don't think anything major as this has happened before ...
      Really? It was only the client code, they don't know how the server works (although they could reverse engineer the messaging potentially and mock a server after a lot of work and assumptions).

      On a side note, I think this has happened before on a much more serious scale [slashdot.org].

      • Re:this is going to be so great (Score:5, Funny)

        by Oriumpor (446718) on Monday April 14 2008, @05:35PM (#23070756) Homepage Journal
        The problem isn't so much that the code isn't fixable, or that the client side code will show something obviously exploitable (as this is most likely the case.) But really, it's about the fact that every developer writing code for this has been doing it under the assumption that nobody is going to look at it except their peers, now the world is staring at their dangling unmentionables. Imagine your rushed proprietary coding project was now instantly made open source against your wishes...

      • Re:this is going to be so great (Score:5, Interesting)

        by Umuri (897961) on Monday April 14 2008, @08:12PM (#23072232)
        Let me give you a little history lesson.
        Back in the dark ages, ya know, the 90s, there was a little game called Ultima Online.

        Heard of it? I hope so, it was one of the original MMORPGs.

        Every client ever released for that game had all of it's packets decrypted, and the encryption scheme broken for keys, usually within 24-48 hours. Everytime they updated.

        Add to that that people edited the client to do whatever they wanted, sometimes with other programs hooking in and altering packets, others by directly altering the assembly of the client.
        Many people tried to exploit bugs in the game that way, but most failed, and everytime someone did find one, it was usually fixed relatively quickly. Malformed packets went from "all the rage" and the way to bug up a game to relatively worthless within a span of a month, barring a few new uses that popped up every so often from bad new code introduced.

        Having the source code only simplifies this a little for the people who really care, and it doesn't really enable them to do anything they couldn't already.

        Oh, also, while i'm at it. Did you know ultima online had a special client for staff characters? And that the binary for that client was leaked as well?

        OH NOES! But wait! Ultima online used good security measures and correct privelege systems, so the client was worthless for anything a normal player couldn't do. :)

        Summary: This isn't new, and it's happened before on other games. Except in the past most games were already so well understood by their communities that the source would add almost nothing except a little ease and some time saved duplicating a better version of the client when they stop upgrading.

        Add to that, if this causes ANY security issue with EVE, then the people who coded the game should get in trouble, not the players. Good coding practices prevent all trouble the code could possibly do. You ARE checking for privelege levels and sanitizing your inputs, right?
    • There was the theft and publication of the Half-Life 2 source code a few years ago. That included the creation of an illicit version of the game, in Russia.

    • Re:this is going to be so great (Score:5, Insightful)

      by the_humeister (922869) on Monday April 14 2008, @06:46PM (#23071530)
      The Second Life client is open source. If that can be done, why is the source code leak for this game such a bad thing?

  • From TFA... (Score:5, Insightful)

    by Lisandro (799651) on Monday April 14 2008, @05:12PM (#23070480)
    In the lengthy and scatological exchange, the poster of the source code attempts to get some answers about CCPs much maligned security practices, particularly concerning the rife issue of bots and scripting in their flagship game. The conversation was a little less than professional.

    Well, atleast on the tidbit shown on the article, the CCP representative sounds perfectly rational and professional. Am i missing something here?

    And by the way, how does this guy ended up with the sourcecode on the first place?!

    • Re:From TFA... (Score:5, Interesting)

      by vux984 (928602) on Monday April 14 2008, @06:42PM (#23071498)
      Well, atleast on the tidbit shown on the article, the CCP representative sounds perfectly rational and professional. Am i missing something here?

      Well, the CCP rep did sound vaguely annoyed to me; I could see him rolling his eyes. But then I imagine they roll their eyes at most of the conversations they have. :)

      And by the way, how does this guy ended up with the sourcecode on the first place?!

      That's still unclear. Some say its just decompiled python that anyone could do themselves easily enough. But he almost alludes to having a source within ccp... so I'm not sure.

      Its too bad he's apparently not an english speaker because that invites mockery. And obviously he's not being terrible mature which further damages his image, but at the end of the day what he is asking for is legitimate in my opinion:

      All he wants is CCP to acknowledge there are specific issues and to demonstrate that there have been real fixes added. Because he is firmly convinced that people have been botting for years using known exploits and that CCP hasn't made even the slightest effort to curb them.

      So he's basically saying if you've fixed it... prove it. "Show me an exploit that used to work that doesn't now. Show me something, ANYTHING, that you've actually fixed in the last year or so related to stopping botters."

      "And Improve your processes, so that if we report exploits you acknowledge them, and fix them, instead of just handwaving that security improvements have been added, because I'm not seeing any."

      "And if you don't, I'm releasing the source, so we can ALL see for ourselves what you've actually improved over the last year, because I'm tired of watching people bot for YEARS without having to so much as adapt to new anti-bot tactics."

      If this guy is just blowing smoke, then CCP really should have no issue publishing some of the hundreds of botting related exploit scenarios that they claim to have fixed over the last several patches...and showing that they no longer worked.

      That much they owe their customers. Frankly, I don't really blame CCP for not publicly acknowledging security issues and bringing additional attention to each exploit before its fixed... BUT... I -do- think that the playerbase deserves some honesty -after- the fact.

      If they release an exploit fix, publish it, what used to work, and what no longer works. CCP lacks credibility, and this would go a long ways towards helping restore it.

      After all we get a better level of security updates disclosure from microsoft. I think all this guy really wants is the same from CCP. And if CCP *hasn't* actually done anything in the last few years to address all the while claiming they have, well... I can see why a segment of the playerbase is boiling mad about it, and wants to blow this into the public eye where they can't sweep it under the rug anymore.

  • Not a leak (Score:5, Informative)

    by Fweeky (41046) on Monday April 14 2008, @05:16PM (#23070514) Homepage
    It's not a leak, the .pyc's have just been decompiled and distributed. Here [crazy-compilers.com] - go do it yourself.

  • Calmly addressing issues (Score:5, Insightful)

    by FooBarWidget (556006) on Monday April 14 2008, @05:17PM (#23070546)
    "I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer."

    I doubt it. But this is not without a good reason.

    Many, many MMORPG players are 13 year old kids. Immature kids. These people are not adults. They do not behave like adults. If the company "calmly addresses the issues", then they'll be flooded by complainers, cheaters and opportunists within no time.

    I've been involved in MMORPG for several years. The immaturity in MMORPG communities in general is just sad. There doesn't seem to be any good way to handle issues other than ruling with iron fist.

    • Re:Calmly addressing issues (Score:5, Insightful)

      by brkello (642429) on Monday April 14 2008, @05:58PM (#23071034)
      I don't understand how the maturity level of the user base has anything to do with how a company reacts. Eve has always been heavy in to banning and suppressing information. Eve also claims to boast a more "mature" player base (which I find a bit laughable). In a game with such mature players, CCP bans more than any other company. I played Eve for awhile and didn't like it very much. The corruption from within the game company made me go from thinking they made a boring game with jerks as a player base to just flat out disliking the game. Don't get me wrong, Eve has its strong points...but fun isn't a part of that.

      Eve banning people and deleting forum posts isn't ruling with an iron fist. It is a desperation move to hold on to customers who may not know what is going on. If they ruled with an iron fist they would actually come down on the people who cheated with the devs. That's the problem, the game should be as cut throat as possible in game...but CCP not only plays the game, but leaks inside knowledge of the game to organizations that are already overpowered. Maybe they are totally clean now (I doubt it) but the game will forever be tainted by the past.

      The reason they ban is because they have too much to hide and would rather do that than address the issue and fix their game.

    • Re:Calmly addressing issues (Score:4, Insightful)

      by Morpeth (577066) on Monday April 14 2008, @05:59PM (#23071040)
      "Many, many MMORPG players are 13 year old kids. Immature kids. These people are not adults. They do not behave like adults..."

      I keep hearing people saying this, where's the proof? People just make up stats on the fly and like to blame kids -- there's PLENTY of adult players who act like complete asshats.

      Here's some actual stats --
      "Also of note is the fact that the average age of the typical gamer is 33."

      "...female gamers over the age of 18 make up 31 percent of all gamers, a larger percentage than that of male gamers under the age of 17 (20 percent), a group traditionally seen as the majority."

      http://blog.wired.com/games/2008/03/38-percent-of-g.html [wired.com]

      I will say I've seen my share of immature players in WoW - BUT that doesn't mean I actually know they're age. Also, WoW is also just ONE mmorpg, albeit the largest.

      I've played mmorpgs for about 9 yrs starting with EQ. Currently, I play EQII as well as WoW -- and the maturity level is vastly different there. Played AO, DAoC, CoH, GW and generally had good experiences with the player base. Anonymity is really the big issue with mmorpgs, it let's some people (mainly adults) act like idiots without any real repercussions.

      Most of my WoW guild is 30 and 40-somethings. One however is a 12 year old boy, and his online behavior is often much more mature/conservative than the adults.

    • Re:Calmly addressing issues (Score:4, Informative)

      by Xelios (822510) on Monday April 14 2008, @06:00PM (#23071062)
      Actually EVE is unique in that most of the player base is made up of adults. The average age of an EVE player in 2006 was 27, according to the article on Wikipedia [wikipedia.org]. And I believe it, having played the game for a few years until 2007 the vast majority of people I came across were in their late 20's or early 30's.

  • Some additional info on this (Score:4, Funny)

    by Gossi (731861) on Monday April 14 2008, @05:26PM (#23070642)
    Okay, the torrent is here [thepiratebay.org].

    First things first - it's not the full source. In fact, it's not even 2mb big. It's not even a fraction of the source.

    Secondly, from the IM conversation they had with support:

    [20:18] I don\'t know HOW you work
    [20:19] i see the RESULT of this work
    [20:19] and UNDERPANTS of it

    They see the UNDERPANTS of it. Hilarious.

  • Calmly address theft of the crown jewels? (Score:4, Insightful)

    by EWAdams (953502) on Monday April 14 2008, @05:31PM (#23070712) Homepage
    What planet are you on? Gosh, I wonder how Microsoft would respond to someone putting the code for Office online? Banning would be the least of it. Open source is a good thing; software patents are bad; but EVERY company is legitimately entitled to its trade secrets.

  • Wait a minute... (Score:3, Interesting)

    by jeffbax (905041) on Monday April 14 2008, @05:58PM (#23071032)
    Does this mean that someone will finally make a proper Mac and Linux build without the Transgaming garbage ;)

  • What's Been Found So Far (Score:5, Insightful)

    by rsmith-mac (639075) on Monday April 14 2008, @06:41PM (#23071490)

    For those of you asking "what's the big deal about this?" here are what people have found so far digging through the code.

    • 1) Since the client logic is in Python, introducing new logic is a matter of injecting new Python code in to the game. It turns out this is very easy to do right now, there are several ways, including using the telnet server the client runs so that CCP can upload code to the client computer when it connects
    • 2) The big concern is bots, EVE can be botted and this is a problem like any MMO
    • 3) The other big concern is that the EVE client knows far more than it shows, a problem for a PvP game. It is possible to hack the client to the point where it will tell you exactly who and what entered a system you are in, and where they are at at all times.
    • 4) It's also possible to disable the client's "anti-addiction" code required to meet China's MMO laws. Apparently the server isn't actually booting players, it's telling the client to disconnect. The Chinese government is going to love that one
    • 5) Finally, the game has a custom made built-in web browser (the In Game Browser) that's extremely cruddy and isn't used very much. It's also so cruddy that it's holier than the Pope himself; it's possible to craft links to induce it to execute external applications and web browsers. Basically with a little social engineering you can be trick people in to letting you compromise their machine.

    EVE is a fine game, but the code is a joke. This is very likely going to lead to a lot of problems for CCP for some time to come. If they're lucky they'll only get a flood of bots, if they're not then the game may very well turn in to a wild west of hacking players looking for an edge.

  • It's not that special really (Score:5, Informative)

    by Hachima (718971) on Monday April 14 2008, @06:53PM (#23071586)
    Back in the day the EVE/script folder had the decompiled python in it in plain text. People did stuff like modify it to create merchant bots that would auto buy/sell stuff on the markets and whatever else they wanted to modify. Then CCP changed it to one 'compiled.code' file instead of all the uncompiled python files, which is easier to manage and check for people making changes. So you can still just take that 'compiled.code' file and decompile it to readable code. Which is what got 'leaked' It's nothing special at all really, and is only a portion of the client code. Anyone that was interested in messing with it has already seen the Python, especially people that played when it wasn't even pre-compiled. Next thing you know right clicking a web page to 'view source' will be considered leaking source code too?
  • Old: Eve Online Client Source Code Leaked
    Revised: Eve Online Client now open source!
  • It's no wonder they tried so hard to keep this code hidden.  I'm not even sure what this is supposed to do.

    //Both people are represented by an abstract class
    public abstract class Person
    {
      public bool StrangersToLove { get; set; }
      public bool KnowTheRules { get; set; }
    }

    //Possible thoughts
    public enum Thought
    {
      FullCommitment
    }

    //Class
    public sealed class Me : Person
    {
      public Thought Thinking()
      {
        return Thought.FullCommitment;
      }
    }

    //The target of the song, notice that GetThought can only be called by passing in an instance of Rick
    //which satisfies that she can't get this from any other guy
    public class You : Person
    {
      private Thought whatHeIsThinking;
      public void GetThought(Me guy)
      {
        whatHeIsThinking = guy.Thinking();
      }
    }

    class Program
    {
      //The first verse
      static void Main(string[] args)
      {

        var Rick = new Me() { KnowTheRules = true, StrangersToLove = false };

        var Girl = new You() { KnowTheRules = true, StrangersToLove = false };

       Girl.GetThought(Rick);
      }
    }

  • Official Communication from CCP (Score:5, Informative)

    by Vecna! (74330) on Monday April 14 2008, @08:37PM (#23072438)
    CCP is aware that an individual claims to have access to the source code of the EVE client. This access is not a security risk to CCP in any way. CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding. Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers' billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to, or from the EVE system. Nothing the EVE client can do can affect the game state, no advantage can be gained by manipulating the EVE client, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP, and hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP's web site.

    CCP does not confirm or deny, nor make any comment, regarding issues of internal security, and will not be doing so in this case. As a policy, CCP removes message board posts regarding violations of its EULA and Terms of Service, and CCP considers any alteration of the Client software, including decompilation, to be such violations.

    --------

    Ryan S. Dancey
    Chief Marketing Officer
    CCP

    • Re:Motivation? (Score:4, Informative)

      by cowscows (103644) on Monday April 14 2008, @07:51PM (#23072088) Journal
      No, he just wants some of the obvious technical problems with the game to be addressed. EvE is a pretty amazing game, but it has plenty of rough edges and some glaring flaws. EvE is also an extremely competitive game, beyond pretty much anything I've ever played online. There's many examples of bots and macro-miners, and those sorts of things. In a game that's so cut-throat, and that has relatively few restrictions/rules, when someone does break the rules it tends to make many of the players very upset.

      The developers are fully aware of many of these issues, yet when the players ask for them to be addressed, the devs sometimes play dumb or more often say it'll be dealt with and then never really say whether it got fixed or not.

      Short version: There's lots of bots in the game. Players complain. CCP keeps saying Don't worry, we're taking care of it. But the bots never go away. Rinse and repeat that sequence for various other issues.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.