
Eve Online Client Source Code Leaked

Posted by ScuttleMonkey
from the shoot-first-ask-questions-later dept.
An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
  • by ferat (971) on Monday April 14, 2008 @06:07PM (#23070406) Homepage
    If you are an active EVE player, don't use the torrent links to download the source. CCP is monitoring the torrents and banning any accounts with matching IP addresses to any of the people using the torrent.

    They obviously can't watch them all, but don't download the torrent from an IP that you use to play the game.
  • by Anonymous Coward on Monday April 14, 2008 @06:07PM (#23070416)
    Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents and then monitoring all IP addresses acquiring the source and then banning accounts associated with those IPs. So if you're going to get the code just to look at it, I suggest using your mom's house or an internet cafe!

    I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
    This particular user used this code to point out a few things regarding security:

    From all security I saw - were ROLE permissions for logins with privileges higher than usual player, and some minor things in relation to prevent some remote service calls (some with potentially bad payload)
    I'm not entirely sure if he's implying there's some exploitable permissions bug or if there are some user roles that are jacked up (you know, like a coder at CCP giving himself the keys to the game and claiming it was for debug when it was for his own account's gain). But whatever it is, CCP should fix that.

    Frankly, downloading this would be a stupid thing to get banned over. This is CCP's bread and butter, I don't blame them for taking this action. In their eyes, they are trying to eliminate exploiting players in hopes of making the game better for non-exploiting players. This 'policing' action is usually desired by the community. Yeah, it's unfortunate that they're not taking advantage of the security and stability of an open source coding community ... but you have to admit it would be easy for someone to fork and go off and make their own client with. Maybe there's deep dark secrets they don't want out and since it's only a game and I don't really care for it I'm not too concerned.

    Let's see if Linden Labs can make this OSS client thing work to their advantage. I sure hope so because it will give everyone else a reason to make the switch.
  • Not a leak (Score:5, Informative)

    by Fweeky (41046) on Monday April 14, 2008 @06:16PM (#23070514) Homepage
    It's not a leak, the .pyc's have just been decompiled and distributed. Here [crazy-compilers.com] - go do it yourself.
  • Re:Not a leak (Score:4, Informative)

    by Fweeky (41046) on Monday April 14, 2008 @06:18PM (#23070562) Homepage
    (Or indeed, Here [debian.org], which really lets you do it yourself)
  • by bky1701 (979071) on Monday April 14, 2008 @06:29PM (#23070688) Homepage
    Well, they could, in theory, leech but not download (much, at least) and never upload. They would still be able to get peer IPs, but wouldn't have to contribute data (nor even have it).

    This is different than when the RIAA does it, as they actually upload it to unknowing downloaders to get lawsuit fuel.

    If CCP only wants to ban downloaders, they don't need any legal evidence to do so, at least as long as indiscriminate bans are covered in their TOS. Therefore, they don't need to go the RIAA road.
  • by Anonymous Coward on Monday April 14, 2008 @06:50PM (#23070938)
    What they don't want is someone adding functionality to the client they avoided for a long time:

    Fire all weapons on a single click. Automagically select the right ECM jammer for the target ship. And that's what came to my mind in an instant.

    I bet there are many more possibilities which can unbalance tweaked clients and standard clients. It is like a free opportunity for wall hacks if other clients are allowed. It wouldn't be a problem for PvE games, but PvP needs the same client for all.
  • by Xelios (822510) on Monday April 14, 2008 @07:00PM (#23071062)
    Actually EVE is unique in that most of the player base is made up of adults. The average age of an EVE player in 2006 was 27, according to the article on Wikipedia [wikipedia.org]. And I believe it, having played the game for a few years until 2007 the vast majority of people I came across were in their late 20's or early 30's.
  • Re:Not a leak (Score:3, Informative)

    by hobbesmaster (592205) on Monday April 14, 2008 @07:14PM (#23071204)
    Both the server and the client make extensive use of python and stackless python. The graphics code is in cpp. This was all detailed in some dev blogs at some point.
  • by brkello (642429) on Monday April 14, 2008 @07:23PM (#23071300)
    Not that I disagree with your point or agree with the GP's...but age often has nothing to do with maturity. Particularly in Eve.
  • Re:Not a leak (Score:1, Informative)

    by Anonymous Coward on Monday April 14, 2008 @07:24PM (#23071310)

    But there are comments in the Eve code. The decompilers in your link explicitly state that comments are not recovered, as compilers will always strip them out when compiling the code.

    So either someone went through and added them in before distributing this code, or it's the original code.
    It's not quite that simple. For one thing, part of what's included in a "compiled" Python file are doc strings. From a quick look over the torrent (I don't play EVE), that seems to be what's been included, not every comment in the file.

    I think the "pyc_dis" and the relatively limited nature of the source code release to just what was part of the client in Python also points out to disassembly. I doubt anyone's hacked any servers over this.
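Added example (not part of the original thread, and not CCP's code): the point made in the comment above, that a compiled Python file keeps docstrings while comments are discarded, can be checked with the standard `compile` and `marshal` modules. The sample module and its names (`check_role`, `role_mask`) are constructed for illustration; `optimize=2` is what running Python with `-OO` uses, and it drops docstrings as well.

```python
import marshal

# Constructed sample module for illustration; not taken from the EVE client.
SAMPLE_SOURCE = '''
"""Session helpers (module docstring)."""

# TODO-SECRET-COMMENT: comments like this never reach the bytecode

def check_role(session, required_role):
    """Return True when the session holds required_role."""
    # another comment that the compiler discards
    return bool(session.role_mask & required_role)
'''

def build_bytecode(source, optimize=0):
    """Compile source and marshal the code object, as the body of a .pyc holds it."""
    code = compile(source, "sample.py", "exec", optimize=optimize)
    return marshal.dumps(code)

def recovered_strings(blob):
    """Walk every nested code object; return its string constants and identifiers."""
    strings, names = set(), set()
    stack = [marshal.loads(blob)]          # loads only; nothing is executed
    while stack:
        code = stack.pop()
        names.update(code.co_names, code.co_varnames, (code.co_name,))
        for const in code.co_consts:
            if hasattr(const, "co_consts"):    # nested function or class body
                stack.append(const)
            elif isinstance(const, str):
                strings.add(const)
    return strings, names

def survey(optimize):
    """Summarise what a reader of the shipped bytecode can recover."""
    blob = build_bytecode(SAMPLE_SOURCE, optimize)
    strings, names = recovered_strings(blob)
    wanted = {"check_role", "role_mask", "required_role", "session"}
    return {
        "docstrings": sorted(s for s in strings
                             if "docstring" in s or "Return True" in s),
        "comment_present": b"SECRET-COMMENT" in blob,
        "names": sorted(names & wanted),
    }

if __name__ == "__main__":
    print("optimize=0:", survey(0))
    print("optimize=2:", survey(2))
```

Identifiers survive at every optimisation level, so stripping docstrings only removes documentation; anything a shipped client contains should be treated as readable by its users.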
  • Re:Not a leak (Score:3, Informative)

    by KermodeBear (738243) on Monday April 14, 2008 @07:26PM (#23071328) Homepage
    A lot of the server code is written in Python [eve-online.com] as well. They use a Python variant called Stackless Python [stackless.com].
  • by Hachima (718971) on Monday April 14, 2008 @07:53PM (#23071586)
    Back in the day the EVE/script folder had the decompiled python in it in plain text. People did stuff like modify it to create merchant bots that would auto buy/sell stuff on the markets and whatever else they wanted to modify. Then CCP changed it to one 'compiled.code' file instead of all the uncompiled python files, which is easier to manage and check for people making changes. So you can still just take that 'compiled.code' file and decompile it to readable code. Which is what got 'leaked'. It's nothing special at all really, and is only a portion of the client code. Anyone that was interested in messing with it has already seen the Python, especially people that played when it wasn't even pre-compiled. Next thing you know right clicking a web page to 'view source' will be considered leaking source code too?
  • Re:Motivation? (Score:4, Informative)

    by cowscows (103644) on Monday April 14, 2008 @08:51PM (#23072088) Journal
    No, he just wants some of the obvious technical problems with the game to be addressed. EvE is a pretty amazing game, but it has plenty of rough edges and some glaring flaws. EvE is also an extremely competitive game, beyond pretty much anything I've ever played online. There's many examples of bots and macro-miners, and those sorts of things. In a game that's so cut-throat, and that has relatively few restrictions/rules, when someone does break the rules it tends to make many of the players very upset.

    The developers are fully aware of many of these issues, yet when the players ask for them to be addressed, the devs sometimes play dumb or more often say it'll be dealt with and then never really say whether it got fixed or not.

    Short version: There's lots of bots in the game. Players complain. CCP keeps saying Don't worry, we're taking care of it. But the bots never go away. Rinse and repeat that sequence for various other issues.
  • by Vecna! (74330) on Monday April 14, 2008 @09:37PM (#23072438)
    CCP is aware that an individual claims to have access to the source code of the EVE client. This access is not a security risk to CCP in any way. CCP does not believe in security by obscurity. The Python scripting language that is used by the client can be easily decompiled to generate human-readable code, and CCP has designed its server-side systems with that understanding. Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers' billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to, or from the EVE system. Nothing the EVE client can do can affect the game state, no advantage can be gained by manipulating the EVE client, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP, and hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP's web site.

    CCP does not confirm or deny, nor make any comment, regarding issues of internal security, and will not be doing so in this case. As a policy, CCP removes message board posts regarding violations of its EULA and Terms of Service, and CCP considers any alteration of the Client software, including decompilation, to be such violations.

    --------

    Ryan S. Dancey
    Chief Marketing Officer
    CCP
  • by jandrese (485) <kensama@vt.edu> on Monday April 14, 2008 @09:49PM (#23072516) Homepage Journal
    What's more, it's a game where the entire metagame revolves around how badly you can screw other players. If there is anybody who is going to go through the source code line by line to find some sort of exploit they can use to screw over other customers it is an Eve player.
  • Abuser's motivation (Score:2, Informative)

    by Abuser_One (1273234) on Tuesday April 15, 2008 @12:14AM (#23073624)
    Abuser's motivation? If CCP will not go for fixing old issues and start doing something with bots by good, releasing the source code and promoting it should force them do this anyway. They refused to confirm they were ignoring bots, client security and performance issues, instead releasing new content. This caused source go public. If they would agree to confirm their issues, "leak" would never happen.
  • by loxosceles (580563) on Tuesday April 15, 2008 @02:57AM (#23074394)
    You're correct, but the poster you're replying to is also correct, just not about the DB size being a problem.

    In everything from PR to coding to bug handling to system administration, CCP is a disaster. The only reason the company is viable is because the core idea of the game is awesome, which is why those of us who play get so frustrated and angry that EVE is still bugged to hell and slow as hell when there are hundreds of people in a system.

    How long would you last at any real company if:
    1. The space-MMORPG project you were working on needed on average 45-60 minutes of downtime a day
    2. It could take several minutes or more to transfer items from one container to another, and they're apparently transferred one at a time in the database, because they appear to move one at a time in the client.
    3. Players could get stuck jumping between systems or docking/undocking
    4. Overview colors and backgrounds were sometimes incorrect, and this has been the case for years.
    5. Something as simple as jumping between star systems with a non-real-space map open (the solar system map) completely screwed up the client.
    6. Pressing the "dock" button for stations didn't always dock your ship.
    7. Bugs routinely took months to get fixed, bugs introduced by a patch weren't fixed until the next major patch
    8. Your excuse for performance problems is that you're waiting for a new faster server cluster (which you call a "supercomputer" to sound cool).
    9. Meanwhile, you're working on an in-station environment (I suppose for meetings and gambling and such) instead of fixing those bugs or working on performance.

    That's pretty much what CCP does.

    It's not a matter of "CCP must get performance fixed with 500 people in a system." It's that they're actively working on other crap ("ambulation," the in-station environment) and new features (Trinity graphics are great, but does anyone honestly play the game only because of the graphics?) instead of dedicating those resources towards fixing existing bugs and working on improving performance with the hardware they already have.

    If I got the impression that CCP was doing everything they could to fix bugs and improve performance, I'd drop it. Massive amounts of evidence, including a general lack of willingness to communicate anything useful to concerned players, indicates otherwise.

    Many players I've talked to have some great ideas that might work to improve performance, but CCP is very closed about how they operate. Unless someone spends months to years as a bug tester, CCP won't take their design ideas seriously. And of course the design of the server is never talked about except in the most vague and broad terms, which makes it easy for CCP to say "you don't know what you're talking about, it's not that simple" whenever anyone offers suggestions on how to improve server-side performance.
  • by pipatron (966506) <pipatron@gmail.com> on Tuesday April 15, 2008 @03:51AM (#23074604) Homepage

    surely they have no legal grounds for a lawsuit

    They don't need a lawsuit to ban accounts on their servers.

  • Re:Well... (Score:2, Informative)

    by Loktofeit (1273560) on Tuesday April 15, 2008 @01:38PM (#23079882)
    "We are aware that an individual claims to have access to the source code of the EVE client, but this access is not a security risk to CCP or our customers in any way. The Python scripting language that is used by the client can be easily decompiled to generate readable code, and we have designed our server-side systems with that understanding. Therefore, there is no reason to believe that the code was leaked by an employee and our internal investigations confirm that. Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to or from the EVE system." - CCP Wrangler Source: http://eve.stratics.com/#27221 [stratics.com]
