
Eve Online Client Source Code Leaked 368

Posted by ScuttleMonkey
from the shoot-first-ask-questions-later dept.
An anonymous reader writes to tell us that the game client source code for the popular MMO, Eve Online, has been leaked via torrent. In addition to the source code the user also posted a lengthy chat transcript with someone from CCP customer support. While the end goal may have been to call attention to the continuing security issues within Eve (and ultimately themselves), there are probably better ways of getting through to support. Unfortunately, CCP seems to be responding with the usual knee-jerk reaction of banning everyone breathing a whisper of this incident. I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer.
  • From TFA... (Score:5, Insightful)

    by Lisandro (799651) on Monday April 14, 2008 @05:12PM (#23070480)
    "In the lengthy and scatological exchange, the poster of the source code attempts to get some answers about CCPs much maligned security practices, particularly concerning the rife issue of bots and scripting in their flagship game. The conversation was a little less than professional."

    Well, at least on the tidbit shown in the article, the CCP representative sounds perfectly rational and professional. Am I missing something here?

    And by the way, how did this guy end up with the source code in the first place?!
  • by ZackZero (1271592) on Monday April 14, 2008 @05:12PM (#23070482) Journal
    The major issue behind the source-code leak is the security surrounding the code. Now that it's out, there is the potential for "unscrupulous players" to find exploits. Anyone familiar with Python will be able to find at least something.

    Also, since it is the client code that was released, an intrepid cheater can find ways not just to exploit functions in-game, but find ways to pull various bits of data from straight out of memory. This is a bit like third-party programs that utilize CCP's API code system, though it is a direct violation of the Terms of Service of said game, as it could provide access to information that would potentially give a select few an edge.

    My eye's on GoonSwarm now; this might be their "big chance" to ruin the game they declared they would.
  • by Anonymous Coward on Monday April 14, 2008 @05:15PM (#23070510)

    Something that the summary missed but was reiterated twice in the actual article is that CCP is accused of seeding most of the torrents...
    Does that mean they are distributing the source themselves? That might cause them legal problems in the future (as in limiting what claims they can make).
  • by Ungrounded Lightning (62228) on Monday April 14, 2008 @05:16PM (#23070524) Journal
    If you are an active EVE player, don't use the torrent links to download the source. CCP is monitoring the torrents and banning any accounts with matching IP addresses to any of the people using the torrent.

    Well that will be great for any of their users who get a dynamic IP that was previously used to download the code.

    I smell corporate suicide.
  • by eldavojohn (898314) * <eldavojohnNO@SPAMgmail.com> on Monday April 14, 2008 @05:17PM (#23070536) Journal

    I don't think anything major as this has happened before ...
    Really? It was only the client code, they don't know how the server works (although they could reverse engineer the messaging potentially and mock a server after a lot of work and assumptions).

    On a side note, I think this has happened before on a much more serious scale [slashdot.org].
  • by FooBarWidget (556006) on Monday April 14, 2008 @05:17PM (#23070546)
    "I wonder if any large MMO company will ever be brave enough to calmly address an issue rather than wielding the ban-hammer."

    I doubt it. But this is not without a good reason.

    Many, many MMORPG players are 13 year old kids. Immature kids. These people are not adults. They do not behave like adults. If the company "calmly addresses the issues", then they'll be flooded by complainers, cheaters and opportunists within no time.

    I've been involved in MMORPG for several years. The immaturity in MMORPG communities in general is just sad. There doesn't seem to be any good way to handle issues other than ruling with an iron fist.
  • by moderatorrater (1095745) on Monday April 14, 2008 @05:24PM (#23070618)

    If they're actually seeding it themselves then I expect to hear about a lawsuit
    Only if they actually seed it. They could advertise as a seeder, connect and receive connections, then not give you anything.
  • by NightRain (144349) <ray AT cyron DOT id DOT au> on Monday April 14, 2008 @05:25PM (#23070632)
    "Well that will be great for any of their users who get a dynamic IP that was previously used to download the code."

    That very fact is why I think the post you were replying to is likely full of it
  • by EWAdams (953502) on Monday April 14, 2008 @05:31PM (#23070712) Homepage
    What planet are you on? Gosh, I wonder how Microsoft would respond to someone putting the code for Office online? Banning would be the least of it. Open source is a good thing; software patents are bad; but EVERY company is legitimately entitled to its trade secrets.
  • by brkello (642429) on Monday April 14, 2008 @05:58PM (#23071034)
    I don't understand how the maturity level of the user base has anything to do with how a company reacts. Eve has always been heavy into banning and suppressing information. Eve also claims to boast a more "mature" player base (which I find a bit laughable). In a game with such mature players, CCP bans more than any other company. I played Eve for a while and didn't like it very much. The corruption from within the game company made me go from thinking they made a boring game with jerks as a player base to just flat out disliking the game. Don't get me wrong, Eve has its strong points...but fun isn't a part of that.

    Eve banning people and deleting forum posts isn't ruling with an iron fist. It is a desperation move to hold on to customers who may not know what is going on. If they ruled with an iron fist they would actually come down on the people who cheated with the devs. That's the problem, the game should be as cutthroat as possible in game...but CCP not only plays the game, but leaks inside knowledge of the game to organizations that are already overpowered. Maybe they are totally clean now (I doubt it) but the game will forever be tainted by the past.

    The reason they ban is because they have too much to hide and would rather do that than address the issue and fix their game.
  • by Morpeth (577066) on Monday April 14, 2008 @05:59PM (#23071040)
    "Many, many MMORPG players are 13 year old kids. Immature kids. These people are not adults. They do not behave like adults..."

    I keep hearing people saying this, where's the proof? People just make up stats on the fly and like to blame kids -- there's PLENTY of adult players who act like complete asshats.

    Here's some actual stats --
    "Also of note is the fact that the average age of the typical gamer is 33."

    "...female gamers over the age of 18 make up 31 percent of all gamers, a larger percentage than that of male gamers under the age of 17 (20 percent), a group traditionally seen as the majority."

    http://blog.wired.com/games/2008/03/38-percent-of-g.html [wired.com]

    I will say I've seen my share of immature players in WoW - BUT that doesn't mean I actually know their age. Also, WoW is also just ONE mmorpg, albeit the largest.

    I've played mmorpgs for about 9 yrs starting with EQ. Currently, I play EQII as well as WoW -- and the maturity level is vastly different there. Played AO, DAoC, CoH, GW and generally had good experiences with the player base. Anonymity is really the big issue with mmorpgs, it lets some people (mainly adults) act like idiots without any real repercussions.

    Most of my WoW guild is 30 and 40-somethings. One however is a 12 year old boy, and his online behavior is often much more mature/conservative than the adults.

  • by pthisis (27352) on Monday April 14, 2008 @06:24PM (#23071302) Homepage Journal
    It wouldn't be a problem for PvE games, but PvP needs the same client for all.

    Or needs to do validation on the server-side of all game-balance-affecting stuff--which is really the only way to ensure fairness, since clients can always be hacked.
  • by RalphSleigh (899929) on Monday April 14, 2008 @06:37PM (#23071448) Homepage
    They don't even need to do that, all they need to do is compare the torrent and their game servers for the same IP at the same time.
  • by rsmith-mac (639075) on Monday April 14, 2008 @06:41PM (#23071490)

    For those of you asking "what's the big deal about this?" here are what people have found so far digging through the code.

    1) Since the client logic is in Python, introducing new logic is a matter of injecting new Python code into the game. It turns out this is very easy to do right now, there are several ways, including using the telnet server the client runs so that CCP can upload code to the client computer when it connects.
    2) The big concern is bots, EVE can be botted and this is a problem like any MMO.
    3) The other big concern is that the EVE client knows far more than it shows, a problem for a PvP game. It is possible to hack the client to the point where it will tell you exactly who and what entered a system you are in, and where they are at all times.
    4) It's also possible to disable the client's "anti-addiction" code required to meet China's MMO laws. Apparently the server isn't actually booting players, it's telling the client to disconnect. The Chinese government is going to love that one.
    5) Finally, the game has a custom made built-in web browser (the In Game Browser) that's extremely cruddy and isn't used very much. It's also so cruddy that it's holier than the Pope himself; it's possible to craft links to induce it to execute external applications and web browsers. Basically with a little social engineering you can trick people into letting you compromise their machine.

    EVE is a fine game, but the code is a joke. This is very likely going to lead to a lot of problems for CCP for some time to come. If they're lucky they'll only get a flood of bots, if they're not then the game may very well turn in to a wild west of hacking players looking for an edge.
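Added example, not part of the comments above and not EVE or CCP code: a minimal Python sketch of the server-side validation pthisis describes, applied to points 3 and 4 of the list. The server sends a client only the ships it is entitled to see, and closes an over-limit session itself instead of asking the client to disconnect. Every class name, limit and pilot name is hypothetical and constructed for illustration.

```python
# Added example (not EVE/CCP code): the server, not the client, decides what a
# player may see and do. All names and limits below are hypothetical.
import math
from dataclasses import dataclass

SENSOR_RANGE = 100.0             # constructed value
WEAPON_COOLDOWN = 5.0            # seconds, constructed value
MAX_SESSION_SECONDS = 3 * 3600   # constructed play-time limit


@dataclass
class Ship:
    pilot: str
    x: float
    y: float
    cloaked: bool = False


@dataclass
class Session:
    started_at: float
    last_fire_at: float = -math.inf
    is_open: bool = True


class Server:
    def __init__(self):
        self.ships = {}
        self.sessions = {}

    def login(self, ship, now):
        self.ships[ship.pilot] = ship
        self.sessions[ship.pilot] = Session(started_at=now)

    def visible_to(self, pilot):
        # Filter before sending: a modified client cannot reveal data it never got.
        me = self.ships[pilot]
        return sorted(
            s.pilot for s in self.ships.values()
            if s.pilot != pilot and not s.cloaked
            and math.hypot(s.x - me.x, s.y - me.y) <= SENSOR_RANGE
        )

    def handle(self, pilot, action, now):
        sess = self.sessions.get(pilot)
        if sess is None or not sess.is_open:
            return "rejected: no open session"
        # The time limit is enforced here; the client is never asked to log itself out.
        if now - sess.started_at >= MAX_SESSION_SECONDS:
            sess.is_open = False
            return "rejected: session closed by server"
        if action == "fire":
            # Cooldown is tracked with the server's clock, not a client-supplied one.
            if now - sess.last_fire_at < WEAPON_COOLDOWN:
                return "rejected: weapon cooling down"
            sess.last_fire_at = now
            return "ok: fired"
        if action == "scan":
            return "ok: " + ",".join(self.visible_to(pilot))
        return "rejected: unknown action"


def demo():
    srv = Server()
    srv.login(Ship("alice", 0, 0), now=0)
    srv.login(Ship("bob", 50, 0), now=0)
    srv.login(Ship("carol", 500, 0), now=0)              # out of sensor range
    srv.login(Ship("dave", 10, 10, cloaked=True), now=0)  # in range but cloaked
    return [
        srv.handle("alice", "scan", now=1),
        srv.handle("alice", "fire", now=10),
        srv.handle("alice", "fire", now=12),
        srv.handle("alice", "fire", now=15),
        srv.handle("alice", "fire", now=MAX_SESSION_SECONDS),
        srv.handle("alice", "scan", now=MAX_SESSION_SECONDS + 1),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```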

  • by Tanktalus (794810) on Monday April 14, 2008 @06:41PM (#23071494) Journal

    I'm not sure that many ISPs would give up their logs to just anyone asking for it. Some, sure, but not many. At the very least, a subpoena of some sort would be required, and the logs could be pruned by then.

  • by the_humeister (922869) on Monday April 14, 2008 @06:46PM (#23071530)
    The Second Life client is open source. If that can be done, why is the source code leak for this game such a bad thing?
  • by RonnyJ (651856) on Monday April 14, 2008 @06:53PM (#23071580)
    If they just banned every IP, yes, that'd have a high number of false positives, but they could track the following:

    1. A user has previously logged onto Eve Online
    2. The IP linked to that user's previous session downloads the code.
    3. The user logs onto Eve Online again with the same IP (i.e. the same IP/username is maintained throughout).

    Put those three events together, and it'd be easy to track/ban a lot of those downloading.
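Added example, not part of the comment above and not CCP's tooling: the three-event correlation next to a bare IP match, run over constructed login and torrent-peer records. The addresses are documentation-range, and the account names and minute timestamps are made up for the example.

```python
# Added example: correlating game logins with torrent-peer sightings.
# All records are constructed; timestamps are minutes on an arbitrary clock.
from collections import defaultdict

# (account, ip, login_time, logout_time)
SESSIONS = [
    ("pilot_a", "192.0.2.10", 100, 160),    # on the address before the sighting
    ("pilot_a", "192.0.2.10", 300, 360),    # and again afterwards
    ("pilot_b", "192.0.2.10", 500, 560),    # got the address only after reassignment
    ("pilot_c", "198.51.100.7", 100, 160),  # on a sighted address before...
    ("pilot_c", "203.0.113.5", 300, 360),   # ...but on a different one afterwards
]
# (ip, time the address was seen in the swarm)
SIGHTINGS = [("192.0.2.10", 200), ("198.51.100.7", 200)]


def naive_ip_match(sessions, sightings):
    """Flag every account that ever used an address seen in the swarm."""
    seen_ips = {ip for ip, _ in sightings}
    return sorted({user for user, ip, _, _ in sessions if ip in seen_ips})


def three_event_match(sessions, sightings):
    """Flag an account only if the same account/IP pair has a login before
    the sighting (step 1), the IP is sighted (step 2), and the same pair
    logs in again after it (step 3)."""
    logins = defaultdict(list)
    for user, ip, login, _logout in sessions:
        logins[(user, ip)].append(login)
    seen_at = defaultdict(list)
    for ip, ts in sightings:
        seen_at[ip].append(ts)

    flagged = set()
    for (user, ip), times in logins.items():
        for ts in seen_at.get(ip, ()):
            before = any(t < ts for t in times)
            after = any(t > ts for t in times)
            if before and after:
                flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("bare IP match:    ", naive_ip_match(SESSIONS, SIGHTINGS))
    print("three-event match:", three_event_match(SESSIONS, SIGHTINGS))
```

The three-event rule drops the reassigned-address case (`pilot_b`), but it still cannot tell apart several people behind one shared address, and it misses an account whose address changed after the sighting (`pilot_c`).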
  • by djdavetrouble (442175) on Monday April 14, 2008 @08:38PM (#23072442) Homepage
    Imagine your rushed proprietary coding project was now instantly made open source against your wishes...

    I don't think availability on a warez site is exactly the same thing as "open source",
    Sincerely,
    RMS
  • by goodbadorugly (837673) on Monday April 14, 2008 @09:36PM (#23072908)
    How is alienating your player base a good move? For whatever false sense of security they gain from banning curious players from their game they will lose far far more in terms of dollars and bad press.
  • by I Like Pudding (323363) on Monday April 14, 2008 @09:41PM (#23072956)

    "If that can be done, why is the source code leak for this game such a bad thing?"
    Because nobody actually cares about Second Life.
  • by BitZtream (692029) on Monday April 14, 2008 @09:48PM (#23073036)
    Great nightmare? Hardly. It's embarrassing, but if they've written their code well and it isn't full of security issues, it's not really a big deal.

    The server code is really what matters from a security standpoint. Changing the server can effectively kill any hacked client on the planet, but it can require upgrading legitimate clients as well.

    Really, the content is what makes the game. Engines are important and obviously a required part, but the content is what people play. While it is to the company's advantage to have some neat tricks up its sleeve that the other games don't have in its engine, people care about the game world and its story line. And generally continue to do so long after they get tired of seeing that same old graphics effect over and over.

    So unless you show me some server source code that shows a major flaw that requires the entire server to be re-designed since it was leaked, or show me that someone has a copy of all the game content and has set up a mirror server, in which they are capable of creating regular new content, then this really is nothing more than an embarrassment, not really going to hurt their business in any noticeable way.

    Look at the current game engines from the big companies, Valve, Rockstar and iD. The engines will have a handful of developers at most, while the 'games' have hundreds of people working on the story line and artwork. Source code isn't nearly as important as you think in a modern game, assuming they've made writing secure code a requirement of their design processes.
  • by irc.goatse.cx troll (593289) on Monday April 14, 2008 @11:54PM (#23073860) Journal
    They have no legal basis so they can't take legal action against you, but they're well within their rights to cease providing their service to you (i.e. ban you).

    They can do that for any reason they want or for no reason at all.

    Also downloading is still often enough to get you past a lot of legal thresholds. "Just because I downloaded that album doesn't mean I listened to it" wouldn't stop an RIAA copyright lawsuit.
  • by thrash242 (697169) on Tuesday April 15, 2008 @01:44AM (#23074348)
    I dunno, declaring a "jihad" and going around suicide ganking miners in the name of "Allah" like real-life suicide bombers seems rather immature to me.
  • by Anonymous Coward on Tuesday April 15, 2008 @01:49AM (#23074362)
    Fire all weapons on a single click? I do that already with my Logitech G15 gaming keyboard.
  • by ichigo 2.0 (900288) on Tuesday April 15, 2008 @03:07AM (#23074676)

    It doesn't surprise me though, slashdot is becoming more and more of a PR site for the piratebay and the pirate party. Its only a matter of time before it has a warez and torrents section :(
    It's not just slashdot, every place is starting to see imaginary property for what it is. That's what you get when near-infinite supply meets demand, prices go down.
  • by Bert64 (520050) <bert@s[ ]hdot.fi ... m ['las' in gap]> on Tuesday April 15, 2008 @04:07AM (#23074908) Homepage
    The ability to create flying penises is an intentional feature of secondlife. The whole premise of the system is that you can create all kinds of objects and automatons in game. It's like the Internet, an open flexible system, which ultimately means some people will try to abuse it.
  • I call BS (Score:3, Insightful)

    by Moraelin (679338) on Tuesday April 15, 2008 @04:12AM (#23074918) Journal
    I'll call BS there.

    1. Just as a counter-example: Blizzard may not be perfect on the whole, but I don't think there is even 1 documented case of anyone being banned for discussing a bug. You _can_ get banned for using bots, yes, but not discussing bots, for example.

    Their internal policy, as documented repeatedly and even recently on Slashdot, is to rely on criticism and try to fix problems. It's a piss poor company who thinks that the "ban hammer" to silence bug-reports is a perfectly normal way to hold a conversation.

    Heck, there's even been a whole photoshopped "yeah, well, gold can be duped in WoW too" storm in a kettle way back, and I don't think I even heard of anyone getting banned for asking about it. Turns out that shrugging and pointing out that it doesn't work, is a much better way to deal with it, than trying to cover up real bugs like some other companies do.

    2. Excuse me? We're talking documented bugs and abuses, including the places in code where they happen. How about freaking just fixing them? Regardless of whether they're reported by a 13 year old, or even a 6 year old. Moaning about the age makes a piss-poor ad-hominem there.

    "If the company "calmly addresses the issues", then they'll be flooded by complainers, cheaters and opportunists within no time."? Exactly how's fixing a bug going to get you flooded by those?

    - Complainers: you can have the server generate statistics for you, to see if those have a point or not. (Again, it has been discussed about Blizzard fairly recently. They actually _rely_ on "complainers" and statistics to see what needs to be fixed or tweaked.) You _can_ sort out who has a legitimate complaint and who doesn't. Trying to silence everyone who has a complaint, is the most piss-poor policy imaginable, especially when they're complaining about an actual provable exploit.

    And how about putting things into perspective? If you get _flooded_ in reports of actual bugs you have, it's _you_ who's to blame, not the players. I'd want to see those issues fixed, not silenced.

    - Cheaters. Exactly how's fixing a bug going to help those? On the contrary, if I ever actually wanted to cheat in a game, I'd rather look for a company that spent years trying to silence bug reports instead of fixing any of the exploits.

    - Opportunists. Excuse me? Exactly what opportunity are we talking about there? The opportunity to help get the game fixed? Give those guys a freaking medal, then.

    The opportunity to get a bit of short-lived forum fame in the process? Well, first of all, that's a very small price to pay for getting a thorough testing. Good testers are rare. So if as little as a bit of fame gets one to report the most obscure bugs to you, and do a free code review too apparently in this case, then by all means, give it to them. Post a "top 10 bug reporters" page on the official site. Give them a funny hat in the game, or a unique decal for their ship, or whatever. Whatever gets them to keep working for you for free.

    Second, that fame is rather little and short lived if you have a reputation of fixing bugs promptly. You need to have quite a number of discontent players, for them to rally around the loudest guy. If they have no reason to be discontent with your handling bugs, they'll just naturally treat anyone as a troll if they raise a huge stink over some bug that's fixed in a week anyway.

    In effect, if a company "calmly addresses the issues", on the contrary, that's the best way to _defuse_ any chronic complainers, cheaters and opportunists. It takes away the whole foundation for any "us vs them" movement. It says "we're on your side, we're all working together to make the game better for you." Starting to ban people for just talking about you having bugs, is quite the opposite effect. Nothing says "us vs the players" as loudly as doing that.
  • by Anonymous Coward on Tuesday April 15, 2008 @04:27AM (#23074966)
    To be fair, 99% of the ideas coming from EVE players relating to improved performance are retarded. To make matters worse, a lot of the suggestions that aren't completely idiotic basically amount to doing a complete rewrite of much of the game.

    The same thing happens in every MMORPG. Players make suggestions and then proceed to get upset when their suggestions aren't implemented. The fact of the matter is that most of the players don't have any significant experience at either programming, networking or designing a large scale application. They think their ideas should be implemented immediately because they've taken some programming course at the local community college and read "Networking for Dummies."

    Some of the posts in this thread, and especially on various forums around the Internet, illustrate quite clearly that most of the players are completely incapable of understanding the relevant issues. For instance, look at the post in this thread from a poster that thinks a terabyte sized database in EVE is an indication of poor database design. He's a complete and utter retard. A terabyte sized database for a game like this is absolutely nothing. It's not even a blip on the radar.

    Another example are the threads all over the Internet about the player roles. Some of them merely complaining about how different roles exist, but _many_ of them thinking that they can simply recompile the bytecode with ROLE_ADMIN set in a few places to gain an advantage. This shows an incredible lack of understanding of not only the code they're reading, but also of how the client server relationship works.

    I'm not suggesting that EVE is without serious flaws or that some players don't make good suggestions. I'm just saying that some of the decent player suggestions get drowned out in the overwhelming amount of noise.
  • by MORB (793798) on Tuesday April 15, 2008 @05:26AM (#23075154)

    Nothing the EVE client can do can affect the game state, no advantage can be gained by manipulating the EVE client, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client.
    While I agree with not relying on security through obscurity, there are cheats that can be created trivially with the client code.

    For instance, integrating a fully automated mining bot in the client would be easy by using the auto pilot code as a starting point (it has more than likely already been done for ages too).

    Although I don't think it's a security problem as much as it is a game design problem: if mining wasn't mind numbingly stupid boring and repetitive, a bot probably wouldn't be able to do it as well (or even better as a bot never tires) as a human.
  • by Anonymous Coward on Tuesday April 15, 2008 @10:19AM (#23077916)
    What, you mean the darn game's UI might actually be USEABLE? Sheesh.
  • Re:Motivation? (Score:3, Insightful)

    by d3ac0n (715594) on Tuesday April 15, 2008 @10:31AM (#23078056)

    Probably. Make the holes visible enough for anyone to use and they'll either have to fix the hole, allow people to exploit it or lose customers (either through banning or being unwilling to play with increasing numbers of cheaters).


    BINGO.

    This is pretty much the standard approach when dealing with software companies that have a history of ignoring well known security flaws in their products (Microsoft, for example). Basically, since they haven't proven themselves honest in dealing with known issues, and real money is on the line via software purchases or subscriptions, the line of reasoning is that they are willingly defrauding people with an inferior product. Since current law is inadequate in regards to software quality, the authorities will not prosecute them for it. Thus it is up to vigilantes to uphold "justice" by punishing the company with lost sales and lost prestige via publishing the exploits and/or source code.

    Now, I don't necessarily agree with this line of thought, and I think that the BETTER approach would have been to approach CCP, let them know you obtained the source code and how you did it. Let them know you want to help improve the game by pointing out flaws and that you want nothing for your help. Give them all the info UP FRONT about the flaws and allow them time to fix them (3 to 6 months, depending on the nature of the flaws is considered standard.) While they are working on it, HOLD the source code. If, after the 3 to 6 months, the problems aren't addressed and the company in question seems unwilling to pursue the issues then release the source code to a reputable security group to address.

    Unfortunately, this particular hacker doesn't appear to have done the sane thing (although, since there isn't a date listed on the conversation notes, we have no real way of knowing how long he waited to release). Instead he appears to be simply threatening them with the issues, and then just releasing the code. Again, we have only limited information to work on, and we don't know the time lines involved, and what the full conversation between CCP and the code holder is/was. But based on the info we do have I'd say he/she approached it in a very juvenile manner almost guaranteed to turn people against him/her and to make bots/hacks/exploits WORSE rather than better.

    It's too bad. He/she could have done much good for all EVE players with that info.
